[Senate Hearing 106-1147]
[From the U.S. Government Publishing Office]
S. Hrg. 106-1147
S. 2928, S. 2606, AND S. 809--INTERNET PRIVACY CONCERNS
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
OCTOBER 3, 2000
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
85-657 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska ERNEST F. HOLLINGS, South Carolina
CONRAD BURNS, Montana DANIEL K. INOUYE, Hawaii
SLADE GORTON, Washington JOHN D. ROCKEFELLER IV, West
TRENT LOTT, Mississippi Virginia
KAY BAILEY HUTCHISON, Texas JOHN F. KERRY, Massachusetts
OLYMPIA J. SNOWE, Maine JOHN B. BREAUX, Louisiana
JOHN ASHCROFT, Missouri RICHARD H. BRYAN, Nevada
BILL FRIST, Tennessee BYRON L. DORGAN, North Dakota
SPENCER ABRAHAM, Michigan RON WYDEN, Oregon
SAM BROWNBACK, Kansas MAX CLELAND, Georgia
Mark Buse, Republican Staff Director
Ann Choiniere, Republican General Counsel
Kevin D. Kayes, Democratic Staff Director
Moses Boyd, Democratic Chief Counsel
C O N T E N T S
----------
Page
Hearing held on October 3, 2000.................................. 1
Statement of Senator Breaux...................................... 7
Statement of Senator Bryan....................................... 5
Statement of Senator Burns....................................... 3
Statement of Senator Cleland..................................... 53
Statement of Senator Gorton...................................... 5
Statement of Senator Hollings.................................... 2
Statement of Senator Kerry....................................... 63
Statement of Senator McCain...................................... 1
Statement of Senator Rockefeller................................. 50
Statement of Senator Wyden....................................... 4
Witnesses
Cooper, Scott, Manager, Technology Policy, Hewlett-Packard
Company........................................................ 7
Prepared statement........................................... 10
Garfinkel, Simson, Cambridge, MA................................. 20
Prepared statement........................................... 21
Rotenberg, Marc, President, Electronic Privacy Information Center 30
Prepared statement........................................... 33
Rubin, Paul H., Professor of Economics and Law, Emory University. 56
Prepared statement........................................... 57
Vradenburg, George III, Senior Vice President for Global and
Strategic Policy, America Online............................... 14
Prepared statement........................................... 16
Appendix
Cleland, Hon. Max, U.S. Senator from Georgia, prepared statement. 71
Cooper, Scott, Hewlett-Packard Company, Manager, Technology
Policy, prepared statement..................................... 71
Response to written questions submitted by Hon. Ernest F.
Hollings to:
George Vradenburg............................................ 75
Garfinkel, Simson L., letter dated October 3, 2000, to Hon. John
McCain......................................................... 77
S. 2928, S. 2606, AND S. 809--INTERNET PRIVACY CONCERNS
----------
TUESDAY, OCTOBER 3, 2000
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 9:30 a.m., in
room SR-253, Russell Senate Office Building, Hon. John McCain,
Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN MCCAIN,
U.S. SENATOR FROM ARIZONA
The Chairman. Good morning. I want to thank the witnesses
for participating in today's hearing. As evidence of the
importance of this issue, this is the third hearing the
Committee has held since this summer on Internet privacy.
Today the Committee will hear testimony on the legislative
proposals before the Committee dealing with Internet privacy.
The purpose of this hearing is to begin the process of moving
toward the enactment of legislation which would enable
consumers to protect their privacy online.
The Federal Trade Commission in its recent report on online
privacy recommended legislation to require the implementation
of the four fair information practices of notice, choice,
access, and security. The FTC found that, while voluntary
efforts had advanced the issue of privacy, those efforts were
failing to adequately protect privacy. Specifically, the
Commission found that nearly 41 percent of random sites and 60
percent of the top 100 sites provided consumers with notice
about their information practices and offered a choice about
how that information is used. I agree we must work to enact
legislation to enable consumers to protect their privacy. I am
not convinced that we must mandate all of the four information
practices to protect privacy.
Last July, Senators Kerry, Abraham, Boxer and I introduced
the Consumer Internet Privacy Enforcement Act. The bill is
focused around the two fundamental principles of notice and
choice. It would ensure that consumers are informed of a
website's information practices in a clear and conspicuous
manner. It would also require websites to give consumers a
simple method of exercising meaningful choices about how that
information is used. By focusing on these two fundamental
principles, I believe we strike the delicate balance between
protecting privacy and imposing burdensome rules that do little
to help consumers.
We may not all agree about the specific details of the
legislative proposals, but we all agree that the time has come
to enact legislation to protect consumers' privacy. Some of the
proposals before the Committee go further than the bill my
colleagues and I introduced. Some of the bills currently before
Congress propose far less, such as a simple commission to
merely study the issue. Regardless of the proposal, I think
it's important we move forward through the difficult process of
reaching compromise and forging legislation.
I look forward to engaging in this process as we move
toward the next Congress, and I believe that next year we can
report legislation from the Committee and work for its passage
on the floor.
Again, I want to thank the witnesses for their testimony
today.
Senator Hollings.
STATEMENT OF HON. ERNEST F. HOLLINGS,
U.S. SENATOR FROM SOUTH CAROLINA
Senator Hollings. Mr. Chairman, we have fiddle-faddled with
this problem now for 5 years, and like you, I would have wished
that they could have voluntarily regulated themselves. But as
Newsweek, the business magazine--this is not Consumer Reports
or the Consumer Federation--cites, and I read: ``In short,
self-regulation is a sham. The policies that companies have
posted under pressure from the government are as vague and
confusing as anything Lewis Carroll could have dreamed up.
Again, if a business wants to collect information about a
consumer's health, financials, or sexual orientation, it should
ask them for permission first. This allows a Web surfer to opt-
in.''
That is why myself and the other cosponsors have introduced
our bill after a complete study and 5 years of the FTC trying
to get self-regulation. There is no doubt in a comprehensive
field as the Internet that you are going to have to try to
protect the privacy if you are going to protect the users of
the Internet. This is not a government restriction against
business. This is a government restriction to propagate the
business in a proper fashion.
So, any bill that does not have the opt-in is just
whistling Dixie. All these studies going back and looking and
wondering and everything else of that kind. Mind you me, this
is not asking those about your personal information that are
not making it a business or not making a profit from it. On the
contrary, this is those who really are making a business and a
profit and money out of your own private information. I think
we are going to have the opt-in, the opt-out, the security, and
the availability of it if we are going to have a good bill.
We came back here last week and we were all in a heat over
the proposition of advertising violence and not doing something
about the violence itself after 30 years.
Now after 5 years, there are some that want to still study
and everything else after the Federal Trade Commission has
tried over the 5-year period. Their in-house studies, working
with the industry, and everything else have found that you are
going to have to have an opt-in provision.
Thank you.
The Chairman. Senator Burns.
Senator Burns. I think Senator Wyden was before me.
Senator Wyden. Go ahead.
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. Well, thank you, Mr. Chairman, I appreciate
that, and I appreciate you holding this third hearing on
privacy in a new digital economy.
While the Internet has offered us some amazing things, we
have seen a lot of things happen, and it offers a lot of
commercial opportunities to millions of Americans, the new
information technologies have allowed the collection of
personal information on an unprecedented scale. Many times this
information is collected without the knowledge of consumers,
but we also face that in our grocery stores and wherever we go
to restaurants. And every time we do business with a credit
card and even sometimes with cash, we are confronted with the
same thing.
But what is particularly concerning to most of us is that
information is collected without the knowledge of consumers.
Online profiling poses particular concerns, especially those
profiles that are merged with offline information to create
massive, individualized data bases on consumers.
Given the continuing erosion of Americans' privacy, I am
more convinced than ever that legislation is necessary to
protect and empower consumers in the online world. Privacy is a
bipartisan issue. The number of bills before this Committee is
evidence of the high level of member interest in this important
topic. Recently Senator Hollings and Senator McCain have
introduced legislation in this area, and I look forward to
working with them.
I would also like to thank my colleague, Senator Wyden of
Oregon, for his hard work on the privacy issues. Well over a
year ago, Senator Wyden and I introduced the Online Privacy
Protection Act which was based on our shared view that while
self-regulation should be encouraged, we need also to provide a
strong enforcement mechanism to punish those people who would
act in bad faith.
I have grown increasingly frustrated with the industry's
continuing stance that no legislation is necessary, even in the
face of overwhelming public concern. Many in the industry have
claimed that our bill, the Burns-Wyden bill, goes way too far
and that the time still is not right for privacy legislation. I
want to reiterate my commitment to moving strong privacy
legislation to protect consumers, whether industry agrees with
it or not.
I commend the Federal Trade Commission for recognizing the
industry has failed to produce progress and finally calling for
legislation. The Commission's recent report to Congress reveals
the extent of a stunning lack of consumer privacy on the
Internet. Even among the 100 most popular websites, only 42
percent have implemented fair information practices to ensure
consumer privacy, and among a broader random sample of all
commercial websites, the number drops dramatically to 20
percent in compliance.
So, I remain open in working with you, Mr. Chairman, and
Senator Hollings and Senator Wyden, and all of my colleagues on
this Committee and the rest of the Senate and the Congress as
we work on this vital issue. I look forward to the testimony of
the witnesses today, and I thank you very much.
The Chairman. Thank you.
Senator Wyden.
STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. Thank you, Mr. Chairman. I want to thank my
friend from Montana for his kind words. He and I did, a year a
half ago, introduce legislation. We note your bill, Mr.
Chairman, Senator Hollings' bill. We have got a variety of good
bills now before the Committee, and I would just make a couple
of points at this time.
First, I just do not think it is right for the Congress to
wait until there is an Exxon Valdez of privacy, and I am very
concerned, given the fact that we have some who are certainly
not rushing to embrace these voluntary programs that that is
going to happen.
The reason that I feel so strongly about it is when you
look at this Committee's work--and I am very proud of what we
have done on a bipartisan basis, the Internet Tax Freedom bill,
for example, the law that went into effect yesterday, the
Digital Signatures law. What we have been able to do in the
last couple of years is to begin to write the ground rules for
the new economy, and we have done it in a way that has made
sense for business and made sense for consumers and helped to
inspire confidence in these new economic opportunities that
revolve around the Internet. You have an Exxon Valdez of
privacy and that will, to a great extent, drain much of the
confidence out of the exciting things that are taking place in
our country. So, it is critically important that we move
forward, do it in a bipartisan way.
I would wrap up with just a couple of additional comments.
First, Mr. Chairman, I do feel strongly that on a bipartisan
basis we ought to figure out a way to embrace these four key
principles that the Federal Trade Commission has called for in
their proposal. They have said that it is important to include
notice and choice and access and security. We do have
differences of opinion in this Committee with respect to these
four principles. I would hope that we would work with industry
on a bipartisan basis and consumer groups and develop a plan
that does incorporate those four key principles.
Finally, with respect to the nature of the information, it
does seem to me that the American people, when you are talking
about their health and their financial information, sensitive,
personal information, want in some way to give explicit
permission before it is used. You can walk into any coffee shop
in this country and that is what people think ought to be done.
At the same time, there are scenarios that seem almost
absurd if you carry this to absolutes. For example, if somebody
subscribes to Newsweek for 20 years, it seems kind of
preposterous to require that the Newsweek company send them a
notice asking them permission to send them another notice to
sign up for the 21st year. So, the nature of this information
is very key, and I hope that with respect to the financial and
health information that we can develop a plan that is in line
with the expectations of the American people.
Mr. Chairman, again I thank you. I think this is an
important week. That Digital Signatures bill that this
Committee led the effort on is going to be a revolution in the
private sector economy. Now it is time for us to join forces
again in the privacy arena, and I look forward to working with
you and our colleagues to do that.
The Chairman. Senator Gorton.
STATEMENT OF HON. SLADE GORTON,
U.S. SENATOR FROM WASHINGTON
Senator Gorton. Mr. Chairman, as others have said, this is
your third hearing on a vitally important subject. You have
introduced a bill yourself that seems to me to have great
merit, as have two other Senators or groups of Senators here,
including the bipartisan approach that Senator Wyden and
Senator Burns have.
I think each of those show how important this issue is. I
think each shows the absolute necessity for us to do something
here. The other approaches have not worked.
I want to echo Senator Wyden in saying that it seems to me
that this is a field in which we do need to be working
together. There are four basic elements that we must consider.
The degree to which we have got to legislate on each of them is
certainly a matter for negotiation. But as is the case with so
many other issues in this Committee, it is not going to break
down on partisan lines by any stretch of the imagination.
Whether we are going to finish something in the next 2 weeks I
think is questionable, highly questionable, but that we should
be working, at the very least, toward doing something early in
the next Congress in my view is very important.
You have helped give us the ground for that. You have
helped us focus on the proposition that we should not have
significant information about people being used without their
knowledge and without their consent, which is exactly the
situation we find ourselves in today. Solving that problem as
promptly and as justly as possible, both taking advantage of
the tremendous opportunities given us by the Internet, but
protecting people against things that they do not want and do
not know is very, very important. It seems to me that we are
moving toward a consensus on this Committee and that you are
helping us through this hearing in doing so.
The Chairman. Thank you, Senator Gorton.
Senator Bryan?
STATEMENT OF HON. RICHARD H. BRYAN,
U.S. SENATOR FROM NEVADA
Senator Bryan. Mr. Chairman, I would like to thank you for
calling today's hearing on this important issue of Internet
privacy.
The right to privacy is constitutionally recognized by the
Supreme Court and is a reflection of our citizenry's long-held
expectation that they should be able to engage in a wide range
of day-to-day activities with a significant degree of autonomy
and independence.
The Internet presents new challenges, as well as
opportunities, for the protection of privacy. The sheer volume
of personal information that is exchanged on a daily basis
between individuals and businesses on the Internet, coupled
with the ability of other entities to track the flow of this
information with relative ease, poses serious privacy concerns
for many consumers.
By way of example, the recent revelation involving the
dynamic pricing strategy employed by Amazon.com is further
evidence of how consumer privacy is threatened on the Internet.
A recent survey showed that 92 percent of consumers are
concerned about the misuse of their personal information
online. Only 15 percent of those polled by Business Week
earlier this year believe that the government should defer to
voluntary industry-developed privacy standards, and as recently
as August, the Pew Research Foundation reported that 86 percent
of those surveyed supported an opt-in requirement as a
necessary component of any company's privacy policy.
I agree with the recommendations contained in the Federal
Trade Commission's latest report on online privacy, but the
time has come for Congress to establish a baseline standard for
the protection of consumer privacy on the Internet.
Earlier this year, I joined with our distinguished ranking
member, Senator Hollings, in introducing privacy legislation
that largely tracks the recommendations contained in the FTC
report. This legislation builds upon the framework established
by the Children's Online Privacy Protection Act, which I was
privileged to sponsor and which enjoyed the unanimous approval
of all Members of this Committee. As you know, it went into
effect earlier this year in April. It embodies the four widely
accepted fair information practices of notice, choice, access,
and security for the collection of personally identifiable
information about consumers online.
It is important to note that the Children's Online Privacy
Protection Act, which as I said, enjoyed the unanimous support
of Members of this Committee in the last Congress, contains an
opt-in requirement in the form of verifiable parental consent.
This requirement means that a website operator must make
reasonable efforts to ensure that before personal information
is collected from a child, a parent of the child receives
notice of the operator's information practices and consents to
those practices. This legislation also had the near unanimous
support of the Internet industry, including the industry
representatives that are testifying before the Committee today.
The architecture of the Internet provides an opportunity
for technology to enhance online privacy. Many innovative
companies are focusing more and more resources on the
development of privacy enhancing tools that will enable
consumers to have more control over the use of their personal
information.
But technological advancement should not be viewed as a
substitute for strong legal protections. I understand the
industry's concern with the regulatory approach to protecting
privacy on the Internet, but I am hopeful, however, that they
will come to view this effort as an opportunity to enhance
consumer confidence in e-commerce, much like that that occurred
in the offline world with the credit card industry in the
1970's. And I am hopeful, Mr. Chairman, that this Committee
will continue to endeavor to enact a responsible bipartisan
piece of legislation that adequately protects consumer privacy
online in a manner that does not unduly burden the growing e-
commerce market in America.
The Chairman. Senator Breaux.
STATEMENT OF HON. JOHN B. BREAUX,
U.S. SENATOR FROM LOUISIANA
Senator Breaux. Well, thank you, Mr. Chairman. I am sure
everything has been said that needs to be said except from our
panel of witnesses.
Let me just add my congratulations to you for focusing in
on what many consumers feel is one of the most important
concerns that they have in today's modern society; that is,
what happens to their personal information when they sit down
in front of the Internet and use it for legitimate purposes. I
think that there has been a growing fear of even using the
Internet because of the possibility that personal information
will be disseminated to those who seek to use it for purposes
that the owner of that information has not agreed to.
I think a solution to this problem is a win-win, both from
the business community who seeks to take advantage of the
services allowed by the Internet operations, as well as a win
for those who are concerned about their own personal
information being disseminated, in some cases sold to others,
third parties in particular.
Time is running out but I think that we have laid the
groundwork for what needs to be done in the next Congress, and
I look forward to working with the Chairman in order to do
that.
The Chairman. Thank you.
Mr. Scott Cooper, Mr. George Vradenburg, Mr. Simson
Garfinkel, and Mr. Rotenberg. Mr. Cooper, Manager of Technology
Policy of the Hewlett-Packard Company, welcome.
STATEMENT OF SCOTT COOPER, MANAGER, TECHNOLOGY POLICY, HEWLETT-
PACKARD COMPANY
Mr. Cooper. Mr. Chairman and Members of the Committee,
Hewlett-Packard appreciates this opportunity to testify today
at this important hearing on privacy. My name is Scott Cooper
and I am Manager of Technology Policy for HP.
We at HP believe that the Information Age will provide
numerous tools that will empower consumers and allow them to
participate with confidence in the global electronic
marketplace. Consumers already have access to a tremendous
amount of information to help them negotiate prices, terms and
conditions. They are no longer limited in where they shop, when
they shop, or with whom they do business.
But these benefits cannot be realized if consumers are
concerned about how their personal information is treated
online.
While industry self-regulation is not the complete
solution, we believe the private sector has done a pretty good
job of responding to privacy concerns during the seminal period
of the growth of electronic commerce. It is sometimes easy to
forget how recent a phenomenon Internet commerce is. Five years
ago, almost nothing was bought or sold online. So, we are still
finding our way in this new environment. From that perspective,
the efforts to date by businesses to meet consumer privacy
concerns have been impressive. HP believes that self-regulation
and credible third party enforcement, such as the Better
Business Privacy Seal program, are the single most important
steps that businesses can take to ensure that consumer privacy
will be respected and protected online.
As an example of our concern on this issue, HP is making an
offer we hope will encourage many other companies to join HP as
members of the Better Business Bureau Privacy Seal program. For
the past four months, HP has paid the application fees of
start-up companies identified by the Better Business Bureau to
join the BBBOnLine Privacy Seal program.
This offer reflects, we believe, a commitment to address
consumer privacy concerns and, in fact, the BBB program has
been singled out by the European Commission as the kind of
privacy program that gives them confidence that an American
safe harbor will meet European adequacy standards on privacy.
And just two weeks ago, HP's CEO, Carly Fiorina, joined
with Michael Dell of Dell Computer to send a joint letter to
their fellow Fortune 500 CEO's requesting that they also join
the BBB Privacy Seal program.
But even with all these self-regulatory efforts by HP and
other companies, it is unlikely that the majority of commercial
websites will post consumer-friendly, easily readable privacy
policies or join privacy programs such as the BBB, at least in
the short run.
And unfortunately, there is a perverse legal incentive for
commercial websites not to post a clear and conspicuous privacy
notice. Currently if a website posts a privacy policy or posts
a third party privacy seal and then fails to live up to that
policy, it is then liable for enforcement by the FTC for having
committed a deceptive act. If the website does not state a
policy or couches that policy in so many disclaimers and other
confusing legalese in order to limit liability, then consumers
will not have the material information they need to decide
whether they wish to do business with that site.
Hewlett-Packard has argued for some time now that consumers
deserve to have the necessary material information about a
website's privacy policy in order for them to make an informed
choice whether they want to do business with that site. We have
advocated that key consumer right is that of disclosure, that
is requiring that all commercial websites clearly and
conspicuously state what that website does with personal
information. Consumers can then decide whether they want to
continue a transaction with that website or go to another that
has a privacy disclosure more to their liking.
HP believes that clear and conspicuous privacy disclosure
is not only the right thing to do for consumers; it is also the
right thing to do for businesses if they want to grow and serve
their customers in the Internet environment. If consumers in
the marketplace decided that privacy is important to them--and
they have--then the competitive advantage will be with those
sites that have a more consumer-friendly privacy policy.
Hewlett-Packard, therefore, strongly commends the original
cosponsors of S. 2928, Senators McCain, Kerry, Abraham, and
Boxer, for their leadership in protecting the privacy of
consumers who use the Internet. We look forward to substantive
legislative hearings in the next Congress to flesh out the
details of this proposal, but for the most part, we think the
authors have it just about right:
1. Clear, conspicuous and easily understood disclosure
requirements are key. We also commend the authors for including
a safe harbor section that recognizes the importance of self-
regulatory third party seal programs that have been approved by
the FTC.
2. Recognizing the importance of empowering state
attorneys general to protect their citizens' privacy through
national uniform regulations, while preserving the right of the
FTC to intervene when it feels necessary.
3. A study and report back to Congress by the National
Academy of Sciences on a series of complex but important issues
that must be resolved in order to ensure that the benefits of
the Information Age are not distorted or unrealized. These
include:
a. An analysis of the benefits and risks inherent in the
use of personal information for both consumer empowerment and
continued growth of electronic commerce;
b. an important examination of existing differences
between the collection of information online and offline, an
examination we hope will lead to greater harmonization between
the two;
c. an analysis of the benefits and risks of providing
various levels of consumer access to business databases and;
d. an examination of the security of personal
information collected online.
It is our view that the Information Age cannot move forward
without these questions being answered. At the same time, the
importance of getting the answers right precludes any overly
precipitous rush to judgment. Hewlett-Packard does not believe
that balancing consumer confidence and market growth is a zero
sum game. We are confident that the National Academy of
Sciences will present Congress with a reasoned set of
recommendations of where further policymaking may be necessary
and also where it may not. Congress should not be asked to
legislate on this complex, vital area of our economy based on
anecdotal evidence. Nor should a reasoned debate be limited by
proscriptions that, given enough time, the marketplace will
ultimately supply all answers.
We would welcome the public debate that will be spawned by
the studied recommendations of the National Academy of Sciences
and believe it is by far the best way to discover, as Senator
Breaux said, win-win answers for consumers and the economy.
And finally,
4. we think it important that the Internet and electronic
commerce be treated as an interstate issue. We agree with the
authors of 2928 that we must develop national uniform privacy
policies.
We also think that S. 809 has also defined the right goals
for consumer privacy protections, and we would like to continue
to work with Senator Burns' and Senator Wyden's offices to find
industry consensus on how we can achieve workable solutions for
such issues as opt-in and access.
We also think S. 2606 has raised many of the right issues
for consumer confidence, including clear and conspicuous
disclosure. Other sections of S. 2606 raise issues that deserve
further study, and others, such as section 303, the Private
Right of Action, may be inappropriate as a solution for an
issue that we believe we can find agreement and consensus
solutions between consumers, businesses, and policymakers.
Current concerns about consumer confidence must not be
allowed to turn into barriers for empowering consumers through
global electronic commerce. Hewlett-Packard believes that this
hearing is an important step in the right direction, and we
welcome the opportunity to work with this Committee in the
development of national policies governing the collection and
use of personal information.
I would be pleased to answer any questions you all may
have.
[The prepared statement of Mr. Cooper follows:]
Prepared Statement of Scott Cooper, Manager, Technology Policy,
Hewlett-Packard Company, Washington, DC
Mr. Chairman and Members of the Committee. Hewlett-Packard
appreciates this opportunity to testify today at this important hearing
on privacy. My name is Scott Cooper, and I am Manager for Technology
Policy for HP.
We at HP believe that the Information Age will provide numerous
tools that will empower consumers and allow them to participate with
confidence in the global electronic marketplace. Consumers already have
access to a tremendous amount of information to help them negotiate
prices, terms and conditions. They are no longer limited in where they
shop, when they shop, and with whom they do business.
But these benefits cannot be fully realized if consumers are
concerned about how their personal information is treated online.
While industry self-regulation is not the complete solution, we
think the private sector has done a good job of responding to privacy
concerns during the seminal growth of e-commerce. It is sometimes easy
to forget how recent a phenomenon Internet commerce is. Five years ago,
almost nothing was bought or sold online. So we are still finding our
way in this new environment. From that perspective, the efforts to date
by businesses to meet consumer privacy concerns have been pretty
impressive. And HP believes that self-regulation and credible third
party enforcement--such as the Better Business Bureau privacy seal
program--is the singlemost important step that businesses can take to
ensure that consumers' privacy will be respected and protected online.
As an example of our concern on this issue, HP is making an offer
that we hope will encourage many more companies to join HP as a member
of the Better Business Bureau Privacy Seal program. For the past four
months HP has paid the application fees of start-up companies--
identified by the BBB--to join the BBBOnLine Privacy Seal program. We
have also offered limited, free consultation from HP's Privacy Managers
to help each company get started.
This offer reflects, I believe, our commitment to addressing
consumer privacy concerns, and in fact, the BBB program has been
singled out by the European Commission as the kind of privacy program
that gives them confidence that an American `safe harbor' will meet
European adequacy standards for privacy.
And just two weeks ago, HP's CEO, Carly Fiorina joined with Michael
Dell of Dell Computer to send a joint letter to their fellow ``Fortune
500'' CEO's requesting that they also join the BBB privacy seal
program.
Even with all these self-regulatory efforts by HP and other
companies, it is unlikely that the majority of commercial websites will
post consumer-friendly easily-readable privacy policies, or join
privacy programs such as the BBB; at least in the short run. And
unfortunately, there is a perverse legal incentive for commercial
websites not to post a clear and conspicuous privacy notice. Currently,
if a website posts a privacy policy or posts a 3rd-party privacy seal
and fails to live up to that policy, then it is liable to enforcement
from the FTC for having committed a deceptive act. If the website does
not state a policy, or couches that policy in so many disclaimers and
other confusing legalese in order to limit liability, then consumers
will not have the material information they need to decide whether they
wish to do business with that website.
And consumers have expressed their dissatisfaction with the ability
of self-regulation alone to provide necessary consumer confidence on
privacy. In a recent Business Week/Harris Poll, 92 percent of Net users
expressed discomfort with sites sharing personal information with other
sites. And 57 percent of those respondents to the survey said that
government should pass laws on how personal information is collected.
Hewlett-Packard has argued for some time now that consumers deserve
to have necessary material information about a website's privacy policy
in order for them to make an informed choice whether they wanted to do
business with that site. We have advocated that a key consumer right is
that of disclosure; that is, requiring that all commercial websites--
clearly and conspicuously--state what that website does with personal
information. Consumers can then decide whether they want to continue a
transaction with that website, or go to another that has a privacy
disclosure more to their liking.
Hewlett-Packard was therefore supportive of efforts by Congressman
Boucher and Goodlatte--the co-chairs of the House Internet Caucus--to
protect consumer privacy through greater disclosure. And in May of last
year, they introduced H.R. 1685 which includes as Title III an ``Online
Privacy Protection'' section that requires commercial websites to
``clearly and conspicuously provide notice of its collection, use and
disclosure policies'' with enforcement authority to the Federal Trade
Commission.
HP believes that clear and conspicuous privacy disclosure is not
only the right thing to do for consumers; it is also the right thing
for businesses if they want to grow and serve their customers in the
Internet environment. If consumers in the marketplace decide that
privacy is important to them--and they have--then the competitive
advantage will be with those sites that have more consumer-friendly
privacy policies.
Hewlett-Packard thus strongly commends the original co-sponsors of
S. 2928, Senators McCain, Kerry, Abraham and Boxer, for their
leadership in protecting the privacy of consumers who use the Internet.
We look forward to substantive legislative hearings in the next
Congress to flesh out the details of this proposal; but for the most
part we think the authors have it just about right:
1. ``[C]lear, conspicuous and easily understood'' disclosure
requirements are key. We also commend the authors for including a
``Safe Harbor'' section that recognizes the importance of self-
regulatory 3rd party seal programs that have been approved by the FTC.
2. Recognizing the importance of empowering state attorneys
general to protect their citizens privacy through national uniform
regulations; while preserving the right of the FTC to intervene when it
feels necessary.
3. A study and report back to Congress by the National Academy of
Sciences on a series of complex but important issues that must be
resolved in order to ensure that the benefits of the Information Age
are not distorted or unrealized. These include:
a. An analysis of the benefits and risks inherent in the use
of personal information for both consumer empowerment and continued
growth of the electronic marketplace;
b. an important examination of existing differences between
the collection of information online and offline; an examination we
hope will lead to greater harmonization between the two;
c. an analysis of the benefits and risks of providing various
levels of consumer access to business databases;
d. and an examination of the security of personal information
collected online.
It is our view that the Information Age cannot move forward without
these questions being answered. At the same time, the importance of
getting the answers right precludes any overly-precipitous rush to
judgement. Hewlett-Packard does not believe that balancing consumer
confidence and market growth is a zero-sum game. We are confident that
the National Academy of Sciences will present Congress with a reasoned
set of recommendations of where further policymaking may be necessary;
and also, where it may not. Congress should not be asked to legislate
in this complex, vital area of our economy based on anecdotal evidence.
Nor should a reasoned debate be limited by proscriptions that given
enough time, `the marketplace' will ultimately supply all answers.
We would welcome the public debate that would be spawned by studied
recommendations of the National Academy of Sciences and believe that
that is by far the best way to discover ``win-win' answers for
consumers and the economy.
And finally,
4. we think it important that the Internet and electronic commerce
be treated as an interstate issue. We agree with the authors of S. 2928
that we must develop national, uniform privacy policies.
But in order to truly earn the trust on consumers, we cannot stop
here, We also need to expand ongoing efforts to ensure that the global
electronic marketplace is a clean, well-lighted venue for both
consumers and businesses. For example, consumers need to have
confidence that when they do business across national borders, that
there will be a redress system in place should anything go wrong with
the transaction.
HP is working with 70+ businesses from around the world through the
Global Business Dialogue for electronic commerce to develop worldwide
consensus standards on consumer redress systems; what are called
alternative dispute resolution mechanisms, or ADR. In this effort we
are working with consumer groups, government bodies such as the FTC and
the European Commission to ensure that consumers and businesses will
quickly, fairly and cheaply resolve complaints related to online
transactions.
Current concerns about consumer confidence must not be allowed to
turn into barriers to empowering consumers through global e-commerce.
Hewlett-Packard believes that S. 2928 is a significant step in the
right direction, and we welcome the opportunity to work with this
Committee in the development of national policies governing the
collection and use of personal information.
I would be pleased to answer any questions that you may have.
______
Hewlett-Packard Proposal on Privacy Disclosure
1) Industry self-regulation and credible third party enforcement is
the best model for developing the necessary trust that private data
will be respected and protected online. It is unlikely however that the
majority of websites will post privacy policies in at least the short
run. And unfortunately. there is a perverse legal incentive for
commercial websites not to post a privacy statement. Currently, if a
website posts a privacy policy and fails to live up to that policy, it
is liable to enforcement from the FTC for having committed a deceptive
act. If the website does not state any policy, it is not legally
vulnerable because no deception can be inferred. Therefore while the
largest websites will probably post privacy statements, the large
majority of sites may not: and that makes industry vulnerable to
intrusive regulatory initiatives.
2) One way to deal with that problem would be through disclosure:
that is requiring that all commercial websites--clearly and
conspicuously--state what that website does with personal information.
A disclosure requirement would not require a website to do anything
other than it is currently doing; it would only require that the
website inform consumers what it is that they do with personal
information. Consumers could then decide whether they want to continue
a transaction with that website, or go to another that has a privacy
disclosure more to their liking. If consumers in the marketplace decide
that privacy is important to them, then the competitive advantage will
be with those sites that have more stringent privacy policies.
3) This concept of ``material information'' is a basic concept of
U.S. consumer protection law. (See the ``FTC Policy Statement on
Deception''.) Simply stated, consumers have the right to information
that is essential for them to make an informed choice about a product
or service. To fail to make such information available to consumers is
a deceptive act. Through rule or case law, this `material information'
concept is a basis for US advertising regulation, and in a number of
other areas:
Telemarketing: It is deceptive to fail to verbally disclose (in a
clear and conspicuous manner) costs, material restrictions, refund
policies, prize odds, material costs, etc.
900-Number (Pay-per-Call): It is deceptive to fail to verbally
disclose (in a free preamble) the service to be provided, cost per
minute, and other fees created by the call. (The `clear and
conspicuous' disclosures also carry over into print and TV ads for
900#s)
Used Car Warranties: It is deceptive not to conspicuously post on
every used car a sticker that states in writing what warranty (if any)
a dealer offers on a used car.
Acknowledging that consumers have the right to know how their
personal information may be used is a pro-consumer initiative that will
give consumers and businesses greater certainty and confidence in
undertaking negotiations on the Internet.
(All documents cited can be found on the FTC website at
www.ftc.gov)
September 15, 2000
______
<> <> <>
<>
<>
<>, <> <>
Dear <>:
We are writing to enlist your company's participation in meaningful
and credible self-regulation to protect your customers privacy on the
Internet. BBBOnLine, the Internet subsidiary of the Council of Better
Business Bureaus, was developed to promote trust and confidence on the
Internet. Eighteen major corporations sponsor, serve on the Board, and
helped build the BBBOnLine Privacy Program (a list of these companies
is attached.) The goal was to build the most comprehensive and least
expensive privacy trustmark so that businesses could demonstrate their
commitment to adhere to their online privacy notices.
The recent ``Safe Harbor'' agreement covering online transfers of
personal data reached between the U.S., Department of Commerce and the
European Union would have not been possible without BBBOnLine's
credibility and reputation. This agreement will allow personal data
transfers from European Union citizens to BBBOnLine participants and
others meeting the safe-harbor provisions. If you do not meet these
``Safe Harbor'' provisions your company may have difficulty
transferring data from Europe (including from your European operations)
to the U.S. If these transfers are not possible this could obviously
take a staggering negative toll on US--EU commerce.
In addition, BBBOnLine has recently announced a joint trustmark
with the government-sponsored privacy seal program in Japan operated by
the Japan Information Development Processing Center (JIPDEC) This joint
venture will allow BBBOnLine seal holders to qualify for Japan's
privacy seal and JIPDEC seal holders in Japan to qualify for the
BBBOnLine seal. This option is unavailable from any other trustmark
program and is another example of the global reach of BBBOnLine's
reputation as the most comprehensive and credible form of online
privacy self regulation available.
The U.S. Congress, state legislatures, and federal regulatory
agencies are continuing their efforts to regulate online privacy. While
they recognize the value of the BBBOnLine Trustmark program, they
highlight that not enough businesses have made a commitment. There is
still time to send a significant message to legislators and regulators
that businesses are committed to protecting consumer privacy through
self regulation by participating in the BBBOnLine Privacy Program.
This letter is to urge <> to apply and qualify for
the BBBOnLine Privacy seal to demonstrate your commitment to self-
regulation. The cost is low and the benefits to your company and
business in general are great. Together we can send a strong message
that industry is willing to accept the online privacy challenge. For
information on the BBBOnLine Privacy Program please have your staff
contact Ms. Mercedes Lemp at 703.247-3661, email her at
[email protected] or look at BBBOnLine's website at
www.bbbonline.org.
Sincerely,
Carly Fiorina,
CEO,
Hewlett Packard Company.
Michael Dell,
CEO,
Dell Computer Corporation.
______
BBBOnLine Founding Sponsors
America Online
Ameritech
AT&T Corp.
Bank of America
Dun & Bradstreet
Eastman Kodak Company
GTE
Hewlett-Packard Company
IBM Corporation
Intel Corporation
Microsoft Corporation
The Procter & Gamble Company
Reed Elsevier Inc.
Road Runner
Sony Electronics
US WEST
VISA
Xerox Corporation
The Chairman. Thank you, Mr. Cooper.
Mr. Vradenburg, welcome.
STATEMENT OF GEORGE VRADENBURG, III, SENIOR VICE PRESIDENT FOR
GLOBAL AND STRATEGIC POLICY, AMERICA ONLINE
Mr. Vradenburg. Thank you, Mr. Chairman and Members of the
Committee, and I thank you very much for the opportunity to
testify here this morning on this important issue.
As consumers demand the power and convenience of the PC on
their TV sets and the mobility to take the Internet with them
on their wireless and other personal devices, it is becoming
clear that online interactivity will become an integral and
seamless aspect of how we live in a modern society. This rapid
consumer-driven environment we live in in the Internet requires
industry to know more about our consumers than in the past in
order to serve them better, at lower cost, and with the
products and services they want. This is all to the good for
consumers, for our economy, and for our society. But we must
recognize that we in business, and you as government, have a
greater responsibility than in the past for the proper
treatment and handling of consumers' personal information.
With that in mind, we are happy to be participating in this
important national debate. We believe that we have reached a
critical point at which industry and government must take the
next step together in order for us to get where we need to be
on privacy.
AOL is proud to have been a leader in a wide range of
industry-led and industry-based efforts to address privacy
issues. We were founding members of the Online Privacy Alliance
and NetCoalition and are strong supporters of TRUSTe,
BBBOnLine, the DMA, and other efforts to set high corporate
standards for privacy protection. And we have worked in our
role as co-chair of the Global Business Dialogue on Electronic
Commerce to promote strong privacy policies around the world
because we believe this particular issue knows no boundaries,
no borders, and must be addressed with its global impact in
mind.
Within our own company, we have worked hard to develop
privacy policies based on the input we have received from our
members over the years. We have described our privacy policy in
detail before this Committee in recent testimony, so I will not
discuss all the specifics here again. I would just emphasize
that the cornerstone of our policy is that we clearly explain
to our members what information we collect, why we collect it,
how they can exercise choice about the use and disclosure of
that information.
We at AOL are proud of the steps we have taken to create a
privacy friendly environment online for our members. We have
adopted these policies because our business, more than ever,
requires us to respond to consumer demands. We take privacy
seriously in order to build consumer and our own member trust
in the medium. And we know that many other online businesses
feel exactly the same way.
The progress that industry has made in recent months is
real. One thing the FTC Online Privacy Report last May clearly
shows is that the proportion of commercial websites posting
privacy policies has skyrocketed in less than 3 years from
fewer than 14 percent to over 90 percent. Unbelievable progress
for an industry that barely existed just a few years ago. And
the rapid adoption and use of the Internet in this country, it
seems to me, is a symbol that in fact consumers are taking to
this new medium with a greater rapidity than virtually any
medium in history, suggesting that in fact consumer confidence
not only is high but growing in this medium.
Despite this remarkable progress, it is clear from the
level of public concern that still more needs to be done in
order to broaden consumer confidence in the online medium.
Although the industry has come a long way in creating and
promoting best practices in protecting consumer privacy online,
we think legislation may now be able to play an important role
in setting baseline standards for privacy protection and
ensuring that companies all play by the same rules.
How do we decide what those baseline standards should be?
Examining this issue in light of the needs of our own members,
we have come to realize that the success that industry has
attained thus far in the area of privacy protection is largely
attributable to market-led initiatives premised on notice and
choice. The fundamental principle of privacy protection is to
inform consumers of our personal information handling
practices--to give them the ability to determine how that
information may be collected, used and disclosed. Only in that
way can we both reflect the diversity of suppliers in our
industry and the wide diversity of consumer privacy preferences
in society.
As Congress turns its full attention to this issue next
year, we at AOL would, therefore, ask the Members of this
Committee to base their legislative initiatives on these key
principles of notice and choice, backed up by strong
enforcement authority. This type of solution will allow
companies to determine the most effective ways to implement
notice and choice under their particular business models, while
ensuring that companies do indeed comply with those
requirements. In today's online world, consumer preferences can
vary greatly from user to user, and we are in need of a
legislative approach that will give consumers the flexibility
to express those preferences on an ever-expanding variety of
platforms and devices, from their PC's to their televisions, to
their hand-held wireless devices.
We think that the legislation that you, Mr. Chairman, have
cosponsored is a good example of a legislative approach that
does set a baseline standard for notice and choice backed by
strong enforcement, under which market-driven initiatives and
technology innovation can continue to blossom, but providing
additional confidence to consumers that they are, in fact,
being honestly informed of what is being done with their
personal information and that they have choices in how that
information is used.
So, we commend you, Mr. Chairman, along with your
cosponsors, Senators Abraham, Kerry, and Boxer, for their
efforts in drafting this bill which would ensure that all
companies live up to these important principles by giving the
FTC clear authority to enforce the notice and choice
requirements.
We are also pleased that other Members of this Committee
have recognized the importance of addressing this issue, most
notably Senators Hollings, Wyden, Burns, and Bryan, with whom
we have worked very closely in adopting the Children's Online
Privacy Protection Act. We look forward to working with all
Members of this Committee in the next Congress to develop
privacy legislation that will respect what we believe to be
important principles of notice and choice.
We recognize that the power of the Internet can only be
fully realized if consumers feel confident that their privacy
is properly protected when they take advantage of the many
benefits that this medium has to offer. As the Committee
continues its work on this issue next year, we urge you to
consider the risks of an over-regulatory approach and the need
for a solution to this issue that is flexible enough to sustain
both diverse business models and to respond to diverse consumer
preferences.
We must also encourage user-friendly consumer interfaces.
That is, we must emphasize the importance of easy-to-use, easy-
to-find, easy-to-read policies of choice and to develop in the
marketplace a wide variety of choice techniques and
technologies.
We commend the efforts of all the Members of this
Committee. We look forward to working with you next year to
build an effective privacy solution that will work for all of
us. Thank you, Mr. Chairman.
[The prepared statement of Mr. Vradenburg follows:]
Prepared Statement of George Vradenburg, III, Senior Vice President for
Global and Strategic Policy, America Online, Dulles, VA
Chairman McCain, Senator Hollings, and Members of the Committee, I
would like to thank you, on behalf of America Online, for the
opportunity to discuss proposed legislative responses to the issue of
online privacy.
From the very beginning, we at AOL realized that this medium would
not grow, and our company would not succeed, unless our members were
confident in their privacy and security online. That's why protecting
our members' privacy has always been one of our top priorities at AOL
and why we have dedicated significant time, energy, and resources to
establishing one of the industry's strongest privacy policies and
educating our members about this issue.
Online privacy has gained increasing attention in recent months, as
the Internet has become a central part of the lives of more and more
Americans. As consumers demand the power of the PC on their TVs, the
convenience of interactivity on their TVs, and the mobility to take the
Internet with them on their wireless and other personal devices, it is
becoming clear that Internet-oriented interactivity will become an
integral and seamless aspect of how we live in a modern society. This
rapid, consumer-driven environment requires industry to know more about
their consumers than in the past in order to serve them better and at
lower cost and with the products and services they want. Gone are the
days when a manufactured good was delivered through a tiered
distribution system into the hands of distant and anonymous customers.
In the future, many services will be delivered completely online and
the service provider and customer will have an almost intimate
relationship. In that environment, businesses will be under increasing
pressure to be responsive but will also be necessarily entrusted with
more personal information about their customers. This is all to the
good . . . for consumers, for our economy and for our society. But in
that environment we, as a society, must recognize that businesses will
have a greater responsibility than in the past for the proper treatment
and handling of customer's personal information, and for ensuring that
consumers are fully informed about just what corporate policies and
practices are. With that in mind, we are happy to be participating in
this important national debate, and we believe that we have reached a
critical point at which industry and government must take the next step
together in order for us to get to where we need to be on privacy.
AOL is proud to have been a leader on a wide range of industry-
based efforts to address privacy issues. We were founding members of
the Online Privacy Alliance and NetCoalition and are strong supporters
of TRUSTe, BBBOnLine, the DMA, and other efforts to set a high
corporate standard for privacy protection. We also were an early
supporter of P3P, a technology being developed by the World Wide Web
Consortium that will empower consumers to set their own privacy
preferences as they surf the Web. And we have worked in our role as Co-
Chair of the Global Business Dialogue on Electronic Commerce (GBDe) to
promote strong privacy practices by companies around the world, because
we believe that the issue of privacy knows no borders and must be
addressed with its global impact in mind.
Within our own company, AOL has worked hard to develop privacy
policies based on the input we've received from our members over the
years. Because consumers want to control their own privacy--rather than
having their privacy options dictated by government or private
industry--we've created a privacy policy that clearly explains to our
members what information we collect, why we collect it, and how they
can exercise choice about the use and disclosure of that information.
We have described our privacy policy in detail in recent testimony
before this Committee, so I will not discuss all of the specifics again
here. I would just emphasize that the cornerstone of our policy is that
we give our members clear choices about whether and how we use their
personal information, we make those choices easy to find and easy to
exercise, and we make sure that our members are well informed about
what those choices are.
AOL's privacy commitment is company-wide. We have a designated
official within the company who is devoted to ensuring privacy
compliance among all of our brands, and we have integrated privacy
criteria into the review process for new products. We also make sure
that our policies are well understood and properly implemented by our
employees. We require all employees to agree to abide by our privacy
policy, and we limit employee access only to member information needed
for their jobs.
AOL takes extra steps to protect the safety and privacy of children
online. To protect our youngest members, we have created a special
environment just for children--our ``Kids Only'' area--where extra
protections are in place to ensure that our children are in the safest
possible environment. Furthermore, through AOL's ``Parental Controls,''
parents are able to protect their children's privacy by setting strict
limits on whom their children may send e-mail to and receive e-mail
from online. As you know, AOL supported legislation in the 105th
Congress to set baseline standards for protecting kids' privacy
online--precisely because of the unique concerns relating to child
safety in the online environment. We worked closely with Senator Bryan,
Chairman McCain, the FTC, and key industry and public interest groups
to help pass and implement the Children's Online Privacy Protection Act
(COPPA), and we believe the enactment of this bill was a major step in
the ongoing effort to make the Internet safe for children.
Because the best privacy protection is an informed consumer, we
have dedicated significant efforts to educating our members about the
steps they can take to protect their own privacy online. Through Steve
Case letters, in-house advertisements, and industry-wide public service
campaigns, we have given tens of millions of users helpful tips about
keeping their personal information secure. For instance, we encourage
our members to check to see whether every site they visit on the Web
has posted a privacy policy and to review those policies before giving
any information or purchasing any products on those sites. We also help
them learn how to protect their passwords and personal information and
avoid falling for scams or downloading viruses.
Additionally, we have developed tools to help all Internet users
protect their privacy when they surf the Web. Netscape, which is part
of the AOL family, has one of the strongest commitments to privacy in
the industry, and the newest version of the Netscape browser clearly
demonstrates that commitment. Netscape 6.0, which is now in a beta
testing phase, includes an exciting new tool called the ``Cookie
Manager,'' which allows users to control the amount of passive
information that is collected about them by other companies when they
surf the Net. Through that tool, consumers are able to view, edit, or
delete any or all of the cookies that are placed on their computers by
the websites that they visit; and they can choose for themselves which
websites they will accept cookies from and which websites they won't.
Although AOL does not track the movements of our members when they surf
the Web, we believe that it is important, given the recent concerns
raised about the issue of ``online profiling,'' to give consumers the
ability to control what information they disclose online wherever they
go on the Internet. The Netscape Cookie Manager is a timely and
effective way to empower consumers to set their own privacy
preferences.
We at AOL are proud of the steps we've taken to create a privacy-
friendly environment online for our members. We are also committed to
fostering best practices among our business partners and industry
colleagues. One of the strongest examples of this effort is our
``Certified Merchant'' program, through which we work with our hundreds
of business partners to guarantee our members the highest standards of
privacy and customer satisfaction when they visit e-commerce sites
through AOL. Under that program, AOL requires every merchant doing
business on AOL to adhere to strict consumer protection standards and
privacy policies as rigorous as our own.
We've adopted these policies because our business, more than ever,
requires us to respond to consumer demands and take privacy seriously
in order to build consumer trust in the medium. And we know that many
other online businesses feel exactly the same way. That's why AOL
helped form the Online Privacy Alliance 2 years ago. And that's why AOL
and NetCoalition.com, a group representing some of the largest and most
active online companies, sent a letter to 500 CEOs earlier this year
encouraging them to post comprehensive privacy policies based on the
key fair information principles, and to fully implement these policies
within their companies. The progress that industry has made is real--
one thing the FTC online privacy report last May clearly shows is that
the proportion of commercial websites posting privacy policies has
skyrocketed in less than 3 years from less than 14 percent to over 90
percent--unbelievable progress for an industry that barely existed just
a few years ago and which today is demonstrating the most rapid growth
in the history of media.
Despite this remarkable progress, it is clear from the level of
public concern over privacy that more still needs to be done to broaden
consumer confidence in the online medium. Although many industry
leaders--including AOL--have worked hard to build their brands on
privacy protection, too many online users are still worried about how
their information will be collected and used by other companies doing
business online. We believe, therefore, that it is time for government
and industry to move forward together to expand consumer confidence and
protect consumer privacy. Although the industry has come a long way in
creating and promoting best practices for protecting consumer privacy,
we think that legislation can play an important role in setting
baseline standards for privacy protection and ensuring that all
companies play by the same rules.
But how do we decide what these baseline standards should be?
Examining this issue in light of the needs of our own members, we have
come to realize that the success that industry has attained thus far in
the area of privacy protection is largely attributable to market-led
initiatives premised on notice and choice. The fundamental principle of
privacy protection is to inform consumers of personal information
practices and give them the ability to determine how that information
may be collected, used, and disclosed. These tenets of ``notice and
choice'' are essential to the development of all of the privacy
initiatives that AOL undertakes, and guide the efforts of all companies
who have made strong commitments to user privacy.
As Congress turns its full attention to this issue next year, we at
AOL would therefore ask the Members of this Committee to base their
legislative initiatives on these key principles of notice and choice.
Furthermore, we believe that the best way to implement these standards
is by backing up these basic notice and choice requirements with strong
enforcement efforts. This type of solution will allow companies to
determine the most effective ways to implement notice and choice under
their particular business models, while ensuring that companies do
indeed comply with these requirements. In today's online world,
consumer preferences can vary greatly from user to user, and we are in
need of a legislative approach that will give consumers the flexibility
to express these preferences on an ever-expanding variety of platforms
and devices--from their PCs to their televisions to their handheld
wireless devices.
We would suggest that the U.S. securities laws provide a helpful
model for this type of enforcement-based approach. Securities
disclosure requirements offer flexibility for a variety of business
models, but the strong enforcement behind these requirements ensures
that companies will provide consumers with honest disclosures about
their securities practices. Just as the U.S. financial markets are
thriving under this type of enforcement-based model for securities law,
so too will e-commerce continue to thrive if Congress enacts an
enforcement-based approach to consumer privacy.
It is clear that companies are responding to the increasing
marketplace demand for online privacy, and that the tremendous growth
of e-commerce reflects positive trends on a variety of consumer
protection issues, including privacy. Less than 3 years ago, many
companies had to be convinced to join the OPA and adopt robust privacy
policies. Today, these same companies are competing to build the best
privacy solutions, have invested millions of dollars in developing
privacy technology, and are spending large advertising dollars to
distinguish themselves as privacy-friendly. The privacy technology fair
sponsored by the Congressional Internet Caucus just 2 weeks ago gave
companies an opportunity to demonstrate some of the exciting tools that
are being developed today, as businesses compete to find the best ways
to empower consumers to protect their own privacy online. Restrictive
regulatory action could very likely curb such market innovation and
competition, and discourage creative and flexible approaches to privacy
protection.
We think that S. 2928 is a good example of a legislative approach
that sets a baseline standard for notice and choice backed by strong
enforcement, under which market-driven initiatives and technology
innovation can continue to blossom. We commend Senators McCain and
Kerry on this Committee--as well as Senators Abraham and Boxer--for
cosponsoring this bill, which would ensure that all companies live up
to these important principles by giving the FTC clear authority to
enforce the notice and choice requirements. We believe this type of
enforcement-based approach appropriately builds on existing market
practices to set a baseline standard for privacy protection.
We are also pleased that many other Members of the Committee have
recognized the importance of addressing this issue--most notably
Senators Hollings, Wyden, and Burns. Senators Burns and Wyden have
worked hard to craft S. 809, an approach that is based also on the key
principles of notice and choice. The bill would ensure that companies
provide clear notices to consumers about the personal information being
collected and the possible use or disclosure of that information, as
well as providing an easy-to-use mechanism for limiting the use and
disclosure of that information. We are concerned that this bill would
delegate broad rulemaking authority to the FTC, which could have an
adverse impact on competition and technology innovation in the privacy
space.
S 2606, drafted by Senator Hollings, is one of the most
comprehensive privacy proposals introduced to date. However, we
respectfully disagree with the approach taken by this particular bill,
and hope to have the opportunity to work further with Senator Hollings
next year on possible modifications to the proposal. S. 2606 recognizes
the importance of ensuring that companies provide consumers with
meaningful notice and choice with respect to the collection and use of
their personal information. However, this bill mandates that the choice
mechanism provided to consumers be based on an ``opt-in'' model.
While we agree with Senator Hollings that consumers should be
provided with meaningful choice, we believe that it is not appropriate
for all types of consumer information to be forced into the opt-in
model in all circumstances. In the diverse online marketplace, we
believe it is impossible to mandate a ``one-size-fits-all'' solution to
consumer choice, and we should ensure that the legal framework for
online privacy is flexible enough to accommodate the diversity in the
online world.
We commend the efforts of all of the Members of this Committee, and
are particularly pleased that each of the approaches includes a
provision that would preempt inconsistent state law so that companies
would not be subject to a potential patchwork of contradictory privacy
requirements. We look forward to working with you next year, Mr.
Chairman, along with the other members of this Committee and other
Members of Congress, as you consider the appropriate legislative
approach to protecting online privacy, because we believe that baseline
privacy protections are important both to consumers and to the
continued growth of the Internet.
At AOL we recognize that the power of the Internet can only be
fully realized if consumers feel confident that their privacy is
properly protected when they take advantage of the many benefits that
this medium has to offer. If consumers do not feel secure online, they
will not engage in online commerce or communication--and without this
confidence, our business cannot continue grow. For this reason, the
borderless environment that is the Internet needs privacy solutions
that are workable and can scale across state and national boundaries,
while encouraging technology solutions that hold the greatest promise
for user empowerment. Most of all, we must balance privacy initiatives
with consumers' desire for personalization, customization and the other
exciting benefits of the interactive medium, so that consumers can
choose for themselves what kind of online experiences they want to
enjoy.
As you continue your work on this issue next year, we urge you to
consider the risks of any over-regulatory approach and the need for a
solution that is flexible enough to sustain diverse business models,
encourage user-friendly consumer interfaces, accommodate widely varying
consumer preferences, and allow for rapid changes in technology,
platforms, and services. The time has come for us to work together to
find an effective legislative approach to online privacy protection. We
at AOL are ready for that challenge, and look forward to working with
all of you next year to build a solution that works for all of us.
Thank you.
The Chairman. Thank you.
Mr. Garfinkel, welcome.
STATEMENT OF SIMSON GARFINKEL,
CAMBRIDGE, MA
Mr. Garfinkel. Thank you. Mr. Chairman, Members of the
Committee, my name is Simson Garfinkel. In January, I published
a book called Database Nation: The Death of Privacy in the 21st
Century. It was my ninth book. Besides that, I have experience
as an entrepreneur in the field of computers and as a reporter
who has covered this field for many years. What I am not very
good at is reading prepared statements, and so I am going to
diverge from my prepared comments, which have been given to you
as part of the record.
The Chairman. Your entire statement will be made part of
the record, Mr. Garfinkel.
Mr. Garfinkel. Thank you.
In January and February, I went around the country speaking
with Americans because of my book being published, and since
then I have received literally thousands of e-mail messages.
The conclusion that I have is that most Americans want much
more privacy protection both in the law and in technology.
I have also discovered that Americans are largely ignorant
about the extent of abuses and uses of their personal
information at this point in time and that they do not
understand how to use the mechanisms that have already been
made available to them under the current self-regulatory
regime. A good example is many of AOL users are very unhappy
that they get these advertisements popping up, but few of them
that I have spoken with know how to turn that off.
Many Americans feel that privacy is over. One of the things
that I was trying to show people is that it is not over. There
are many opportunities for us to change the future right now.
The other thing is that many Americans feel that they own
their personal information. I have them repeat this to me again
and again. In fact, in the law they do not own their own
personal information. What Americans are looking for is a way
of controlling their personal information, some sort of moral
right for that information, and that is what the legislation
proposed here can do for them.
The fundamental right that they are seeking is access to
their own personal information that is stored on other
computers and at other businesses and organizations. This is
the basis of the Fair Credit Reporting Act. It is the basis of
the Privacy Act. And it is something that advanced technology
makes very easy to do. All of these Web-based systems for
collecting personal information can be easily turned around and
give the user access to the information that has been collected
both from the user and from other sources. All these systems
need that personal information to serve up customized
advertisements or to make decisions. I have built these e-
commerce systems and I know that it is merely a decision on the
part of the company running the system whether or not to give
the consumer access to their own information. It is not a
technical hurdle.
I am also very concerned about the connection of software
running on a person's PC with software on the Internet. You can
imagine your PC programs, your Microsoft Word, other programs
could scan through personal information on your computer and
then send that over an encrypted link to a third party or to
the vendor. Right now American consumers have no way of knowing
if that is happening and, in fact, no right to know if that is
happening or not.
I am also very concerned that any legislation this
Committee passes have opt-in provisions rather than the opt-out
provisions that is currently embodied in two pieces of
legislation. The problem with the opt-out is that the opt-out
provisions can be very difficult for consumers to follow. Opt-
in provisions require that companies properly disclose what
they are doing and propose a value proposition to the consumer.
I think that without that, many of the deals happening between
companies and consumers are inherently one-sided.
Finally, I would like to say that we really do need a
comprehensive solution for all privacy issues facing Americans.
I would like to see legislation on that matter considered, but
we should not let the need for comprehensive legislation get in
the way of adopting legislation right now that covers the
online regimes. It is very important that we put in place
protections for consumers in the online world now before more
companies spring into being that make violating privacy or make
using personal information in ways that are counter to the
interests of most Americans the basis of their business plans.
We are seeing more and more of these companies spring up.
Last, I think that we should be creating a single privacy
office as a focal point for the enforcement of all of this
legislation. There are many, many pieces of privacy legislation
in the code right now. Such a privacy office could be a
resource center for both government and for business and for
consumers. One of the concerns that I have with many of the
pieces of legislation is that they break up enforcement into
many different divisions of the federal government. I
understand that there are reasons for doing that, but
ultimately I think that the interest of consumers and business
will be served by a single focal point.
That is what I wanted to say.
[The prepared statement of Mr. Garfinkel follows:]
Prepared Statement of Simson Garfinkel, Cambridge, MA
Mr. Chairman and members of the Committee, I am honored to speak
before you today.
My name is Simson Garfinkel. I am perhaps best known in the field
of consumer privacy because of my book Database Nation: The Death of
Privacy in the 21st Century, which was published this January. As a
journalist, I have written about intersection of privacy and
information technology for more than twelve years. Besides Database
Nation, I am the co-author of five books on computer security. Finally,
I am an experienced technologist and an entrepreneur. I have had an
Internet e-mail address since 1983. In 1995, I started Vineyard.NET, an
Internet Service Provider on Martha's Vineyard. In 1998, I started a
company called Sandstorm Enterprises, which develops advanced computer
security tools. I am currently the Chief Scientist at
Broadband2Wireless, a company that is building a nation-wide high-speed
wireless Internet service. I also serve as an advisor to two firms that
sell privacy-related products and services. I must say, however, that I
am here speaking for myself, for none of the companies with which I am
currently affiliated.
Mr. Chairman, as you know, many surveys have found that Americans
are very concerned about the growing number of threats to their
privacy. Other surveys have found that many Americans are refusing to
participate in e-commerce on the Internet, because they are fearful
that they will be compromising their privacy in the process. Indeed, I
have many friends who do not use the Internet to make purchases, to
view their bank statements, or to pay their bills. Some of these
friends are extremely sophisticated individuals: they feel that by
making use of e-commerce, they will be putting their personal
information at risk, and that they might become victims of fraud as a
result. It's hard to argue with this point of view given the dramatic
rise in identity theft that we have seen in recent years.
In any event, this January, after my book was published, I went on
a book tour around the country. I spoke with many Americans about
privacy, both on and off the Internet. Most of the people that I spoke
with realized that there were few if any protections for their personal
information in Cyberspace. What you might find more revealing, however,
is that few Americans realized how poorly their privacy is protected
off the Internet. Although Congress has passed a whole slew of privacy
laws over the past twenty years, it really is a legislative patchwork.
There are many basic protections that Americans feel they do have, but
which in fact they do not. For example, many Americans do not realize
that stores routinely engage in covert video surveillance, and that
there is no legal requirement to notify shoppers that such surveillance
is taking place.
One of the points that I make when I speak about privacy is that
Americans tend to approach electronic privacy issues as a big tabula
rasa, an uncharted ocean, if you will, in which there are many
questions and few answers. Yet for more than 25 years we've had a
consistent set of principles that do a wonderful job confronting and
solving these electronic privacy issues. I am speaking, of course, of
the Code of Fair Information Practices, as well as the refinements on
the code that have been made over the years.
The reason that the principles in the CFIP have been around so long
is that they resonate with our basic democratic beliefs. The CFIP was
developed for the information age, and I think that these practices can
and should be extended to the Internet.
All of the bills that you are considering embody aspects of the
CFIP. I believe that S.2606 goes further and does a better job
protecting the interests of Americans. In the rest of my time, I'd like
to explain why.
Each and every bill you are considering require businesses to state
their policies regarding the collection of personal information. But
what then? After notice, I believe that access is a value that is
central to our principles of fair play and justice.
Access
Imagine that you learned of a company that was in the business of
collecting and selling large amounts of personal information. You
contact the company and ask them if they have a file on you. They say
that they won't tell you. You ask if you can see the contents of your
file. The company says ``no.'' You ask if you can have a list of the
other firms to which your personal information has been transferred.
The company responds that it is impossible to create such a list, and
even if it were, that information is trade secret.
You can imagine how frustrated and how powerless you would feel.
This is the situation that confronted most Americans in the 1960s.
The companies were credit reporting agencies like Retail Credit (now
Equifax) and TRW (now Experian.) When Congress considered legislation
that ultimately became the Fair Credit Reporting Act, those companies
insisted that giving consumers access to their credit reports would be
unworkable, a tremendous economic burden, and would be subject to
abuse. Today, nearly 30 years later, we view access to credit reports
as a fundamental right.
As a technologist, I can tell you that it is granting an individual
access to their personal information is much easier to do today than it
was 30 years ago. Consider the case of cookies and Doubleclick. I have
met many people who do not want an internet advertising firm such as
Doubleclick watching over their shoulder and keeping track of every
website they visit, every article that they read. They see that
Doubleclick has put a cookie on their computer and they want to know
what Doubleclick's computer's have in the databanks.
Now Doubleclick's computer's consult this database every single
time they show a banner advertisement over the Internet. Doubleclick
prides itself on this capability--it is Doubleclick's value added. The
company even has a patent on the technology, US5,948,061: a ``Method of
delivery, targeting, and measuring advertising over networks.'' It
would be a simple matter to turn this technology around so that when a
user visits the Doubleclick site, the Doubleclick computers would
report the personal information that they have on file about the
individual.
Consent
Beyond the issue of access, the issue of Consent is paramount to
any discussion of online privacy.
An overwhelming number of Americans that I have spoken with believe
that they own their personal information. It's true that this
information runs contrary to US law. Nevertheless, it is a deeply held
belief among the vast majority of Americans.
The bills that you have for consideration before you take two very
difficult views of personal information ownership. By creating a so-
called ``opt-out'' regime, S.809 and S.2928 essentially give ownership
of personal information to corporations and businesses. These bills
tell Corporate America: ``you can do anything you want with a
consumer's personal information, unless that consumer has the knowledge
and the foresight to tell you otherwise.''
I submit to you that this approach is inherently unfair.
Many Americans complain about telemarketing calls that they receive
during dinnertime. When I was writing the book Database Nation, I was
surprised to learn that Americans have been complaining about these
nightly interruptions for more than thirty-five years. Now for many
years the Direct Marketing Association has operated its so-called
Telephone Preference Service that lets Americans put their phone
numbers on a ``do-not call list.'' But few Americans know that these
services even exist.
Now many people think that privacy policies and the use of personal
information are solely issues having to do with junk mail,
telemarketing calls, and spam e-mail. This is not the case. As we move
into the 21st Century, there is a vast array of actions that Internet-
savvy firms will be able to perform with our personal information. It
will be difficult for us to keep track of all the ways that our
personal information can and will be exploited. It will be nearly
impossible for us to meaningfully opt-out.
Consider this hypothetical example. What if a company were to
electronically rifle my online address book, get the list of every
person that I correspond with, and then send each one an e-mail
message? What if these e-mail messages claimed to be from me, and
contained endorsements of the company's new product? What if the
company had an opt-out privacy policy, but it was so complicated to
opt-out that few people understood what was being done with their
personal information until it was too late? This Committee might very
well hold hearings to investigate the company, alleging that the
practices were illegally appropriating the personal information and
identities of consumers. As it turns out, technologies that appropriate
e-mail address books are already being deployed. I have attached to the
end of my written testimony an article written by Boston Globe
columnist Hiawatha Bray which alleges that Microsoft is using a
technique such as this to market its new MSN server. Indeed, the only
reason that Mr. Bray did not inadvertently send out thousands of e-mail
to every person in his address book when he tried out Microsoft's new
MSN server is that the service first asked Mr. Bray's permission--that
is, the service abides by an opt-in policy.
An opt-in regime is inherently more democratic than an opt-out one.
With opt-in, companies explain to consumers what will be done with
their personal information, and then it's up to the consumer to decide
whether or not they wish to participate. This is the same sort of
``informed consent'' system that has become the standard in medicine,
banking, and other areas.
One of the growing critiques of the opt-out approach favored by
S.809 and S.2928 is that these policies require consumers to read,
understand, and act upon the so-called ``privacy policies'' posted by
websites. Unfortunately, these policies are frequently difficult-to-
understand and do little to protect privacy. To demonstrate how opaque
these privacy policies are, I've attached the ``DoubleClick Privacy
Statement'' at the end of my written testimony. I have a master's
degree in journalism, I've written a book on privacy, and I've taken
courses at law school, and I really don't understand what DoubleClick
is with personal information. The advantage of an opt-in regime is
that, in an opt-in regime, if a company does clearly explain its
practices and their advantages to consumers, the resultantly confused
consumers will have reason to opt-in.
As I said before, most Americans believe that they own their
personal information. But ownership really isn't the right word. As I
make clear in my book Database Nation, what is owned can be transferred
or sold. American's view of their own privacy is much closer to the
French notion of moral rights. Americans feel that they have a right to
privacy protection. They feel that they have a right to have companies
protect their privacy unless they give explicit permission otherwise.
Americans feel they have a right to be let alone. Americans want to
live in an opt-in system. Opt-out is contrary to our democratic
principles and heritage.
Enforcement
One concern that I have with all of the bills that you are
currently considering is the issue of enforcement. I think that it
makes sense to have a single agency within the US government that is
responsible for enforcing privacy laws. Right now, that agency seems to
be the Federal Trade Commission. I'm not sure that the FTC is the right
choice--I would like to see an independent Privacy Office that's
responsible for both the commercial sector and for the laws that apply
to the federal government and to the laws that are enforced through the
FCC. I think that it makes sense to build a center of expertise within
the federal government. I think that a Privacy Office could be a
resource to the rest of the federal government, and to private industry
as well.
But I understand that this Congress is unlikely to create a Privacy
Office and that the Federal Trade Commission seems to be the current
privacy torchbearer. Indeed, the Commission did an excellent job on its
recent privacy study. I'm pleased that S.2606 would create a FTC Office
of Online Privacy.
I am however concerned that both S.2928 and S.2606 split
enforcement between the Federal Trade Commission and an assortment of
other federal agencies. I understand that there are technical reasons
for doing this, but I think that they should be reconsidered.
I am very pleased that S.2928 establishes a statutory civil penalty
of $22,000 for each privacy violation. Traditionally, one of the
hardest problems for those faced with privacy violations has been to
demonstrate damages. Likewise, creation of a private right of action in
S.2606, with awards up to $50,000 for willful and knowing violations,
will make it far easier for wronged individuals to pursue compensation
in our courts. This may be an effective deterrent.
I think that S.2606's protection of Whistleblowers (section 305) is
an important protection that is missing from the other bills under
consideration. Often times the privacy abuses that occur within an
organization are unknown to outsiders. In these cases, it is important
to encourage insiders to step forward, and the protection for
whistleblowers will create protections for these individuals.
In this age of mega-corporations, a vast amount of personal
information could be collected and used in a manner that could be
considered ``solely for internal company processes.'' For this reason,
I think that the exemption for ``internal company processes'' in S.809
is a dangerous precedent. Company policies should not be exempt from
privacy legislation simply because they do not involve third-parties.
Bankruptcy is a real threat faced by many organizations that
collect personally identifiable information. It is very important that
information collected by an organization when it is financially healthy
not be auctioned off to the highest bidder during a bankruptcy
proceeding. S.2606 takes personally identifiable information off the
table of the bankruptcy courts. This is a very important provision that
should be echoed by the other legislation under consideration.
I am also concerned that the legislation under consideration does
not adequately address non-commercial threats to privacy. For example,
exempting non-profit organizations, such as S.2928 does, would allow
public radio stations to engage in privacy abuses in the interest of
fund raising. As we know, this has happened in the past; I would like
to see legislation prohibit such abuses from happening on the Internet
in the future.
In Conclusion
Mr. Chairman, I believe that the United States will eventually have
some form of legislation that protects consumers' personal information,
both on and off the Internet. I believe that such legislation is vital
to the long term health of democracy in this country.
What I do not know, Mr. Chairman, is whether comprehensive privacy-
protecting legislation will be passed this year, next year, or in
twenty years. I do know that the longer the US Congress waits to pass
such legislation, the more economic dislocation there will be when it
is final passed. That is because the longer you wait, the more
businesses will spring up whose business model depends upon
misrepresentation and privacy invasion. There are a few such companies
now; with no action, there will be more next year.
Nevertheless, I think that it would be foolish to delay the passage
of legislation that protects online privacy while the Congress tries to
create that comprehensive privacy legislation.
The American people believe that they have a right to privacy, and
they wish to see this body pass legislation that affirms that right.
Paramount to protecting the right to privacy in the digital age is the
rights of individuals to have access to their own information, and the
right to have their information protected and held in trust unless they
explicitly give permission for it to be used otherwise. I therefore
cannot support S.809 and S.2928, because both of these bills would
create an opt-out regime. Instead, I would urge this body to make
S.2606 the basis of any privacy legislation that is approved by this
Committee.
______
UPGRADE
Microsoft serves up its own spam
By Hiawatha Bray, Globe Columnist, Globe Staff
9/28/2000
Sometimes I feel like that ape in the beginning of the movie
``2001.'' There he is, starving amidst a pile of animal bones. He's so
stupid that it takes a singing black slab from outer space to make him
grab a tibia and go kill something. Couldn't he just figure it out on
his own?
I felt that way yesterday as I read of the latest outrage involving
unwanted e-mail, better known as spam. I am, of course, opposed to it.
And so, ostensibly, is Microsoft Corp, which has built antispam
features into its e-mail software and its Web-based Hotmail service.
This makes me wonder why Microsoft is presently engaged in a
massive spam campaign of its own, one that features the unwitting
participation of many Internet users. But I'm even more puzzled by the
fact that evidence of the outrage landed in my lap, and I ignored it.
A few weeks back, I installed the preview version of the new
Explorer software for Microsoft's MSN online service. Basically,
Microsoft has customized its Internet Explorer browser with specialized
links that mimic the features found on America Online. It's a pretty
good job. MSN Explorer's extra clutter isn't to my taste, but newbies
may find it congenial.
Anyway, after installing the MSN software, I was invited to click a
check box that would have sent e-mails to my friends to announce the
joyous event. This should have got me thinking.
Instead, I did what I almost always do when installing Internet
software. I clicked ``no thanks'' and forgot all about it.
Alas, not every user of the new software was so cautious. That's
why I received an e-mail last week from a reader who was hopping mad
about getting an unsolicited advertisement from Microsoft, sent to him
by some guy he'd never heard of.
The reader fired off a complaint to Microsoft, and got this reply:
``When a user installs MSN Explorer, they have the option of sending an
e-mail from MSN Explorer to invite you to use the program. This is not
an advertisement or commercial e-mail sent to solicit information from
you by MSN--it is only an invitation sent by an individual member to
try the new product.''
This didn't satisfy the reader, but incredibly, it satisfied me.
Here's my response: ``Well, that's not quite spam, is it? Maybe it's a
questionable tactic, but it was sent by someone you presumably know.''
Proof positive that too much e-mail makes you stupid. Had I not
been so swamped with the stuff, I might have put two and two together.
After all, I'd written quite a bit on the Melissa computer virus--
the one that automatically sent copies of itself to every e-mail
address on a victim's computer. Melissa, you'll recall, only affected
users of Microsoft's e-mail software.
So I had all of the pieces of the puzzle, and only needed to snap
them together. I didn't. But others did, and by yesterday morning it
was the talk of the Web.
Sure enough, the MSN software, unless you tell it otherwise, will
check to see if your computer has a copy of Microsoft's Outlook Express
e-mail program. If it's there, the software then checks the program's
address book, scoops up all of the e-mail addresses contained therein,
and sends them an ``invitation'' to join MSN. This invitation is, of
course, signed by you.
If I hadn't clicked the ``don't you dare'' box while installing MSN
Explorer, I'd have sent this warm, personal invitation to 2,290 of my
nearest and dearest friends. That's how many names are in my Outlook
Express address book. These are mostly tech-industry types who'd have
held me in even lower regard than they already do once this
personalized spam arrived. For spam is exactly what this is, and of a
particularly insidious kind.
Granted, MSN Explorer asks for permission before cranking out the
mail. But how many users realize that they'll be sending advertisements
for Microsoft? How many understand that they're sending these ads to
their bosses, their bookies, their best customers--everybody?
I understand that Microsoft is frustrated; MSN has 3 million users
to AOL's 24 million. But I never thought they'd stoop to the favorite
market tool of Internet pornographers. Somebody at MSN had a
brainstorm, but then failed to think it through. I guess we need a
couple more of those black slabs. Put one in the MSN marketing
department, and the other next to my desk.
Hiawatha Bray is a member of the Globe Staff. He can be reached by
e-mail at [email protected].
This story ran on page E01 of the Boston Globe on 9/28/2000. �
Copyright 2000 Globe Newspaper Company.
______
September 28, 2000
DoubleClick Privacy Statement
Internet user privacy is of paramount importance to DoubleClick,
our advertisers and our Web publishers. The success of our business
depends upon our ability to maintain the trust of our users. Below is
information regarding DoubleClick's commitment to protect the privacy
of users and to ensure the integrity of the Internet.
Information Collected in Ad Delivery
In the course of delivering an ad to you, DoubleClick does not
collect any personally-identifiable information about you, such as your
name, address, phone number or email address. DoubleClick does,
however, collect non-personally identifiable information about you,
such as the server your computer is logged onto, your browser type (for
example, Netscape or Internet Explorer), and whether you responded to
the ad delivered.
The non-personally identifiable information collected by
DoubleClick is used for the purpose of targeting ads and measuring ad
effectiveness on behalf of DoubleClick's advertisers and Web publishers
who specifically request it. For additional information on the
information that is collected by DoubleClick in the process of
delivering an ad to you, please.
However, as described in ``Abacus Alliance'' and ``Information
Collected by DoubleClick's Web Sites'' below, non-personally
identifiable information collected by DoubleClick in the course of ad
delivery can be associated with a user's personally identifiable
information if that user has agreed to receive personally-tailored ads.
In addition, in connection solely with the delivery of ads via
DoubleClick's DART technology to one particular Web publisher's Web
site, DoubleClick combines the non-personally-identifiable data
collected by DoubleClick from a user's computer with the log-in name
and demographic data about users collected by the Web publisher and
furnished to DoubleClick for the purpose of ad targeting on the Web
publisher's Web site. DoubleClick has requested that this information
be disclosed on the Web site's privacy statement.
In addition, in connection solely with the delivery of ads via
DoubleClick's DART technology to one particular Web publisher's Web
site, DoubleClick combines the non-personally-identifiable data
collected by DoubleClick from a user's computer with the log-in name
and demographic data about users collected by the Web publisher and
furnished to DoubleClick for the purpose of ad targeting on the Web
publisher's Web site. DoubleClick has requested that this information
be disclosed on the Web site's privacy statement.
There are also other cases when a user voluntarily provides
personal information in response to an ad (a survey or purchase form,
for example). In these situations, DoubleClick (or a third party
engaged by DoubleClick) collects the information on behalf of the
advertiser and/or Web site. This information is used by the advertiser
and/or Web site so that you can receive the goods, services or
information that you requested. Where indicated, DoubleClick may use
this information in aggregate form to get a better general
understanding of the type of individuals viewing ads or visiting the
Web sites. Unless specifically disclosed, the personally-identifiable
information collected by DoubleClick in these cases is not used to
deliver personally-tailored ads to a user and is not linked by
DoubleClick to any other information.
Abacus Alliance
On November 23, 1999, DoubleClick Inc. completed its merger with
Abacus Direct Corporation. Abacus, now a division of DoubleClick, will
continue to operate Abacus Direct, the direct mail element of the
Abacus Alliance. In addition, Abacus has begun building Abacus Online,
the Internet element of the Abacus Alliance.
The Abacus Online portion of the Abacus Alliance will enable U.S.
consumers on the Internet to receive advertising messages tailored to
their individual interests. As with all DoubleClick products and
services, Abacus Online is fully committed to offering online consumers
notice about the collection and use of personal information about them,
and the choice not to participate. Abacus Online will maintain a
database consisting of personally-identifiable information about those
Internet users who have received notice that their personal information
will be used for online marketing purposes and associated with
information about them available from other sources, and who have been
offered the choice not to receive these tailored messages. The notice
and opportunity to choose will appear on those Web sites that
contribute user information to the Abacus Alliance, usually when the
user is given the opportunity to provide personally identifiable
information (e.g., on a user registration page, or on an order form).
Abacus, on behalf of Internet retailers and advertisers, will use
statistical modeling techniques to identify those online consumers in
the Abacus Online database who would most likely be interested in a
particular product or service. All advertising messages delivered to
online consumers identified by Abacus Online will be delivered by
DoubleClick's patented DART technology.
Strict efforts will be made to ensure that all information in the
Abacus Online database is collected in a manner that gives users clear
notice and choice. Personally-identifiable information in the Abacus
Online database will not be sold or disclosed to any merchant,
advertiser or Web publisher.
Name and address information volunteered by a user on an Abacus
Alliance Web site is associated by Abacus through the use of a match
code and the DoubleClick cookie with other information about that
individual. Information in the Abacus Online database includes the
user's name, address, retail, catalog and online purchase history, and
demographic data. The database also includes the user's non-personally-
identifiable information collected by Web sites and other businesses
with which DoubleClick does business. Unless specifically disclosed to
the contrary in a Web site's privacy policy, most non-personally-
identifiable information collected by DoubleClick from Web sites on the
DoubleClick Network is included in the Abacus Online database. However,
the Abacus Online database will not associate any personally-
identifiable medical, financial, or sexual preference information with
an individual. Neither will it associate information from children.
Sweepstakes
DoubleClick's Flashbase, Inc. subsidiary provides automation tools
that allow our clients to provide online contests and sweepstakes
(``DoubleClick sweepstakes'').
All DoubleClick sweepstakes entry forms must provide a way for you
to opt-out of any communication from the sweepstakes manager that is
not related to awarding prizes for the sweepstakes. Entry forms must
further provide consumers with a choice whether to receive email
marketing materials from third parties. When you enter a DoubleClick
sweepstakes, the information you provide is not be shared with
DoubleClick or any third party, unless you agree by checking the opt-in
box on the sweepstakes entry form. If you enter a sweepstakes, you
agree that the sweepstakes sponsor may use your name in relation to
announcing and promoting the winners of the sweepstakes. See the
official rules of the sweepstakes you are entering for additional
information.
DoubleClick does collect aggregate, anonymous information about the
sweepstakes. That information is primarily used to help sweepstakes
managers choose prizes and make other decisions regarding the
organization of the sweepstakes. DoubleClick does not associate
information provided through the sweepstakes with your other web
browsing activities or clickstream data.
Email
DoubleClick uses DARTmail, a version of DART technology, to bring
you emails that may include ads. Email is sent only to people who have
consented to receive a particular email publication or mailing from a
company. If at any time you would like to end your subscription to an
email publication or mailing, follow either the directions posted at
the end of the email publication or mailing, or the directions at the
email newsletter company's Web site.
In order to bring you more relevant advertising, your email address
may be joined with the information you provided at our client's website
and may be augmented with other data sources. However, DoubleClick does
not link your email address to your other Web browsing activities or
clickstream data.
Information Collected by DoubleClick's Web Sites
The Web sites owned or controlled by DoubleClick, such as
www.NetDeals.com and www.IAF.net may ask for and collect personally-
identifiable information. DoubleClick is committed to providing
meaningful notice and choice to users before any personally-
identifiable information is submitted to us. Specifically, users will
be informed about how DoubleClick may use such information, including
whether it will be shared with marketing partners or combined with
other information available to us. In most cases, the information
provided by a user will be contributed to the Abacus Online database to
enable personally-tailored ad delivery online. Users will always be
offered the choice not to provide personally-identifiable information
or to have it shared with others.
Access
DoubleClick offers users who have voluntarily provided personally-
identifiable information to DoubleClick the opportunity to review the
information provided and to correct any errors.
Cookies and Opt-Out
DoubleClick, along with thousands of other Web sites, uses cookies
to enhance your Web viewing experience. DoubleClick's cookies do not
damage your system or files in any way.
Here's how it works. When you are first served an ad by
DoubleClick, DoubleClick assigns you a unique number and records that
number in the cookie file of your computer. Then, when you visit a Web
site on which DoubleClick serves ads, DoubleClick reads this number to
help target ads to you. The cookie can help ensure that you do not see
the same ad over and over again. Cookies can also help advertisers
measure how you utilize an advertiser's site. This information helps
our advertisers cater their ads to your needs.
If you have chosen on any of the Web sites with which Abacus does
business to receive ads tailored to you personally as part of Abacus
Online's services, the cookie will allow DoubleClick and Abacus Online
to recognize you online in order to deliver you a relevant message.
However, if you have not chosen to receive personally-targeted ads,
then the DoubleClick cookie will not be associated with any personal
information about you, and DoubleClick (including Abacus) will not be
able to identify you personally online.
While we believe that cookies enhance your Web experience by
limiting the repetitiveness of advertising and increasing the level of
relevant content on the Web, they are not essential for us to continue
our leadership position in Web advertising.
While some third parties offer programs to manually delete your
cookies, DoubleClick goes one step further by offering you a ``blank''
or ``opt-out cookie'' to prevent any data from being associated with
your browser or you individually. If you do not want the benefits of
cookies, there is a simple procedure that allows you to deny or accept
this feature. By denying DoubleClick's cookies, ads delivered to you by
DoubleClick can only be targeted based on the non-personally-
identifiable information that is available from the Internet
environment, including information about your browser type and Internet
service provider. By denying the DoubleClick cookie, we are unable to
recognize your browser from one visit to the next, and you may
therefore notice that you receive the same ad multiple times.
If you have previously chosen to receive personally-tailored ads by
being included in the Abacus Online database, you can later elect to
stop receiving personally-tailored ads by denying DoubleClick cookies.
Your opt-out will be effective for the entire life of your browser
or until you delete the cookie file on your hard drive. In each of
these instances, you will appear as a new user to DoubleClick. Unless
you deny the DoubleClick cookie again, DoubleClick's ad server will
deliver a new cookie to your browser.
Disclosure
DoubleClick makes available all of our information practices at
www.doubleclick.net, including in-depth descriptions of our targeting
capabilities, our privacy policy, and full disclosure on the use of
cookies. In addition, we provide all users with the option to contact
us at with any further questions or concerns.
Security
DoubleClick will maintain the confidentiality of the information
that it collects during the process of delivering an ad. DoubleClick
maintains internal practices that help to protect the security and
confidentiality of this information by limiting employee access to and
use of this information.
Industry Efforts to Protect Consumer Privacy
DoubleClick is committed to protecting consumer privacy online. We
are active members of the Network Advertising Initiative,
NetCoalition.com, Online Privacy Alliance, Internet Advertising Bureau,
New York New Media Association, and the American Advertising
Federation.
For more information about protecting your privacy online, we
recommend that you visit www.nai.org, www.netcoalition.com, and
www.privacyalliance.org.
We also recommend that you review this Privacy Statement
periodically, as DoubleClick may update it from time to time.
______
1973: The Code of Fair Information Practices
The Code of Fair Information Practices was the central contribution
of the HEW (Health, Education, Welfare) Advisory Committee on Automated
Data Systems. The Advisory Committee was established in 1972, and the
report released in July. The citation for the report is as follows:
U.S. Dep't. of Health, Education and Welfare, Secretary's Advisory
Committee on Automated Personal Data Systems, Records, computers, and
the Rights of Citizens (1973).
The Code of Fair Information Practices is based on 5 principles:
1. There must be no personal data record-keeping systems
whose very existence is secret.
2. There must be a way for a person to find out what
information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information
about the person that was obtained for one purpose from being
used or made available for other purposes without the person's
consent.
4. There must be a way for a person to correct or amend a
record of identifiable information about the person.
5. Any organization creating, maintaining, using, or
disseminating records of identifiable personal data must assure
the reliability of the data for their intended use and must
take precautions to prevent misuses of the data.
1980: OECD Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data
Today privacy advocates have moved beyond the 1973 Code of Fair
Information Practices and have adopted the OECD's 1980 Guideliens on
the Protection of Privacy and Transborder Flows of Personal Data. You
can find the entire document on the OECD website. The most important
principles are:
Collection Limitation Principle
There should be limits to the collection of personal data and any
such data should be obtained by lawful and fair means and, where
appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which they are
to be used, and, to the extent necessary for those purposes, should be
accurate, complete and kept up-to-date.
Purpose Specification Principle
The purposes for which personal data are collected should be
specified not later than at the time of data collection and the
subsequent use limited to the fulfilment of those purposes or such
others as are not incompatible with those purposes and as are specified
on each occasion of change of purpose.
Use Limitation Principle
Personal data should not be disclosed, made available or otherwise
used for purposes other than those specified in accordance with
Paragraph 9 except:
a. with the consent of the data subject; or
b. by the authority of law.
Security Safeguards Principle
Personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorized access, destruction, use,
modification or disclosure of data.
Openness Principle
There should be a general policy of openness about developments,
practices and policies with respect to personal data. Means should be
readily available of establishing the existence and nature of personal
data, and the main purposes of their use, as well as the identity and
usual residence of the data controller.
Individual Participation Principle
An individual should have the right:
a. To obtain from a data controller, or otherwise, confirmation
of whether or not the data controller has data relating to him;
b. To have communicated to him, data relating to him
within a reasonable time;
at a charge, if any, that is not excessive;
in a reasonable manner; and
in a form that is readily intelligible to him;
c. To be given reasons if a request made under subparagraphs(a)
and (b) is denied, and to be able to challenge such denial; and
d. To challenge data relating to him and, if the challenge is
successful to have the data erased, rectified, completed or amended.
Accountability Principle
A data controller should be accountable for complying with measures
which give effect to the principles stated above.
The Chairman. Thank you, Mr. Garfinkel.
Mr. Rotenberg, we will go with you and then we will run
over and vote.
STATEMENT OF MARC ROTENBERG, PRESIDENT, ELECTRONIC PRIVACY
INFORMATION CENTER
Mr. Rotenberg. Mr. Chairman, Members of the Committee,
thank you very much for the opportunity to be here. My name is
Marc Rotenberg. I am Director of the Electronic Privacy
Information Center. I have also taught the law of information
privacy at Georgetown for the last 10 years, and my textbook,
which is a collection of privacy laws from the U.S. and around
the world, is now in its third edition.
I am going to focus on the substance of the three proposals
before the Committee today. I would like at the outset to
commend you for your focus on this issue. Privacy is obviously
a very important concern for Americans. Many believe it is the
No. 1 issue facing the future of the Internet, and there has
clearly been progress in addressing the issue, among the
privacy groups and the Congress and also the industry groups.
But the critical decision now is what is the legislative
approach that is going to provide meaningful protection for
Americans going forward.
Now, there is a very attractive proposal on the table. It
is a proposal based on notice and choice. It says, in effect,
let us inform people about the collection and use of their
personal information and give them some choices. This is the
approach that Mr. Vradenburg and others have endorsed. It is,
by and large, the approach, sir, in your bill, and it is the
approach generally followed by the industry groups that talk a
great deal about privacy.
But the critical point to understand is that notice and
choice operating alone, without the other rights that are
typically found in a privacy bill, do not provide privacy
protection. What they will provide, in fact, is a type of
warning label or disclaimer. They will allow companies to do
whatever they wish with the personal information that they
collect, and they will not establish any substantive rights for
individuals who provide their information.
The Chairman. That is an interesting interpretation of this
legislation. It is a fascinating one, but please proceed. It
could not be further from the truth, but please go ahead.
Mr. Rotenberg. It may not be the intent of the legislation.
I will be clear on this point. It may not be the intent, but I
have to tell you that in practice this is how it operates.
Privacy warning notices are found in the work place. They
tell employees that they do not have an expectation of privacy
in the use of a computer or a telephone. Privacy warning
notices are found on commercial websites. They tell people who
buy products that the information that they offer will be
disclosed to third parties. This is how privacy notices have
typically operated.
Now, I think it is important to contrast this approach with
the way that privacy laws have traditionally been constructed
in the United States. Privacy laws in the past, whether it is
the cable act or the video act or the credit reporting act, are
based on a group of rights called fair information practices.
They include rights of access, rights to limit the disclosure
of information, sometimes even obligations to destroy the
information about individuals that is collected. This is what
you see, for example, in the Video Privacy Protection Act.
Companies are actually told that after a period of time, to
protect the privacy interests of their customers, they are
expected to destroy the information. Now, that approach, the
approach that is based upon fair information practices, is the
way that we have traditionally constructed privacy protection
in this country.
Now, the argument can be made, well, things are changing
very quickly with the Internet. Maybe we need a more modern
approach.
The Chairman. Do you disagree with that, that times are
changing very quickly?
Mr. Rotenberg. No. Actually I think things are changing
quickly.
But the second point I wanted to make, Mr. Chairman, is
that these privacy laws that we have adopted in the past, that
have included all of these rights--quite a bit more, I am
trying to point out, than notice and consent--were in fact a
response to changing technologies. The Privacy Act was a
response to the computerization of records in the federal
government.
The Chairman. No. The Privacy Act was an attempt to protect
someone's privacy whether it be computerized or on paper. At my
age, Mr. Rotenberg, I remember it very well. I do not think you
were around then.
Mr. Rotenberg. Well, Mr. Chairman, I was around. I was
maybe a few years younger.
I think there is certainly a lot to show in the history
that it was the automation of records, and the Cable Act was
the response to cable television.
The Chairman. If you do not mind my interrupting you again.
It was because of egregious violations of people's privacy that
took place that required Congress and the American people to
demand action. There were a number of scandals. It had nothing
to do with computerization or non-computerization. It had to do
with direct and egregious violations of Americans' privacy. I
think I can show you a clear legislative record of that and the
scandals associated with it.
Please proceed.
Mr. Rotenberg. Mr. Chairman, the Privacy Act was passed by
the post-Watergate Congress in 1974, and there was no question
that the misuse of personal information by the President at
that time supported the congressional effort.
But the beginning of congressional hearings, the reason
that Congress got interested in this issue in the 1960's, was
because of a proposal called the National Data Center. In 1965,
the federal government said let us take all of the information
on American citizens, automate it, made possible now with
computers, and use it for statistical purposes and government
programs. And beginning in 1966, both the House and the Senate
held a series of hearings to look at the automation----
The Chairman. And never acted until egregious violations of
American citizens' privacy were committed.
Look, I have got to stop because there is only one minute
left. We will take a very brief break. There are two votes, and
I will look forward to continuing this dialog. We will return
in approximately five to ten minutes. We will take a break.
[Recess.]
The Chairman. We will recommence the hearing, and Mr.
Rotenberg, I will try to restrain myself from interrupting you
for the rest of your testimony. I do not guarantee it. I will
try.
[Laughter.]
The Chairman. Thank you and thank you for your indulgence.
Mr. Rotenberg. Thank you, Mr. Chairman. I will also agree
to move on past the Privacy Act because I guess we have our
differing views.
This really was my point, that over the last 25 years,
there have been a lot of new technologies that Congress has
confronted. Congress has confronted cable and electronic mail
and videotapes, fax machines, and so forth. In each instance,
rather than saying technology is changing quickly or we do not
understand it, maybe we should not regulate, Congress has come
up with good privacy legislation. You did it with children's
information on the Internet last year.
The point of my testimony here is to really say that I
think we need to put in place the kind of meaningful safeguards
that we have in the past with new technologies to safeguard the
interests of consumers. I think 2606 does that very well. This
is a bill that is forward looking. It anticipates a bunch of
problems. It updates and amends current privacy laws that are
already doing a good job, and most critically, it provides an
effective form of protection. It gives people some baseline
rights. And I think that is what they need. I think that is
what the public is asking for. I think that is what the
industry increasingly understands is likely to come about.
Now, I understand this is toward the end of the session and
maybe all these things cannot be worked out now, but I do have
to underscore, we have never done a privacy bill in this
country based simply on notice and choice. We have always tried
to give people something more. We can talk about how far we can
go, whether access works in all circumstances or in some
circumstances or for certain types of information. I think that
is an important debate to have, but we have to give people
something more than notice and choice.
We also have to give them an opportunity to pursue privacy
complaints on their own if they wish. We think a private right
of action is absolutely vital to protect privacy interests. One
of the problems that we have seen over the past year following
the developments with the FTC, which is certainly working very
hard to try to protect privacy, is that they are just not able
to respond to all the privacy complaints that they are
receiving. And because of the way section 5 is structured, they
really do operate almost like a choke point on the types of
claims that can be brought under this unfair and deceptive
trade practices.
Privacy bills have traditionally given people a private
right of action so that if they wish, they can pursue the
matter in court. Not many of these cases are brought, but when
they are brought, I think they are quite important to protect
and safeguard privacy interests.
So, I want to thank you again, Mr. Chairman. I understand
the Committee has done a lot of important work in this area.
And I just urge you, please, to consider what type of rights
people are going to have online going forward to protect their
privacy.
[The prepared statement of Mr. Rotenberg follows:]
Prepared Statement of Marc Rotenberg, President, Electronic Privacy
Information Center, Washington, DC
My name is Marc Rotenberg.\1\ I am the Executive Director of the
Electronic Privacy Information Center (EPIC) in Washington DC and an
adjunct professor at Georgetown University Law School where I teach
information privacy law.\2\ I am grateful for the opportunity to appear
before the Committee today. I also appreciate the Committee's ongoing
efforts to explore the important issue of Internet privacy.
---------------------------------------------------------------------------
\1\ Executive director, Electronic Privacy Information Center;
adjunct professor, Georgetown University Law Center; editor, The
Privacy Law Sourcebook 2000: United States Law, International Law, and
Recent Development; editor (with Philip Agre) Technology and Privacy:
The New Landscape (MIT Press 1998).
\2\ The Electronic Privacy Information Center is a project of the
Fund for Constitutional Government, a non-profit charitable
organization established in 1974 to protect civil liberties and
constitutional rights. More information about EPIC is available at the
EPIC web site http://www.epic.org
---------------------------------------------------------------------------
I will focus my comments on the need to ensure strong privacy
safeguards for the Internet based on Fair Information Practices. These
guidelines are the basis for almost all privacy laws, and provide the
framework to evaluate the proposals currently before the Committee.
I will address specific provisions of the Online Privacy Protection
Act, the Consumer Privacy Protection Act, and the Consumer Internet
Privacy Protection Act. I will recommend that the Committee adopt
strong, sensible provisions that safeguard the interests of consumers
and provide clarity and a level playing field for businesses. I will
also address some of the issues that are not addressed directly in the
legislative proposals, such as the need to protect online anonymity.
Status of Internet Privacy
Mr. Chairman, at the outset, I wish to make 3 brief points
concerning Internet privacy. First, we believe that there is widespread
public support for legislation in this area and also that industry
recognizes that such legislation is appropriate and necessary. Polling
data routinely shows that the public believes that privacy laws for the
Internet are needed.\3\ And although industry groups have objected as a
general matter to government regulation of the Internet, in the area of
online privacy I believe most will concede that legislation is
likely.\4\
---------------------------------------------------------------------------
\3\ Business Week/Harris Poll: A Growing Threat, March 20, 2000,
[http://www.businessweek.com/2000/00_12/b3673010.htm]. The poll found
that 57 percent of people surveyed supported laws governing the
collection and use of personal information online while only 15 percent
supported letting industry groups develop voluntary standards. Georgia
Tech Graphic, Visualization, & Usability Center's Tenth WWW User Survey
(October 1998) [http://www.gvu.gatech.edu/user_surveys/survey-1998-10/
graphs/privacy/q59.htm] This poll found that 41 percent agreed strongly
and 31 percent agreed somewhat with the statement: ``There should be
new laws to protect privacy on the Internet.''
\4\ ``Mixed Views on Privacy Self-Regulation,'' DM News, October 2,
2000 [http://www.dmnews.com/articles/2000-10-02/10780.html]
---------------------------------------------------------------------------
Second, while we recognize that commercial web sites have made
progress in developing and posting privacy notices, we do not believe
that these policies alone protect online privacy. In fact, privacy
notices without other substantive rights operate more like warning
labels or disclaimers than actual privacy safeguards. Although it would
be tempting to pass legislation based simply on the notice requirement,
we believe such a bill over the long term would reduce the expectation
of privacy and the level of online protection. A substantive privacy
measure must provide more than notice.
Third, we believe that enforcement mechanisms must remain flexible.
Any legislation that leaves a central agency in the position to limit
enforcement at the local level or prevents an individual from pursuing
a privacy complaint in court could significantly undermine the
protection of privacy interests. And to the extent that the FTC plays a
central role in overseeing the enforcement of privacy, it is vitally
important that formal reporting requirements be established so that
this Committee, the Congress, and the public will be able to evaluate
the effectiveness of privacy protection in the United States.
Privacy Laws and the Role of Fair Information Practices
The basic goal of privacy legislation is to outline the
responsibilities of organizations that collect personal information and
to provide rights to those individuals that provide the personal
information. These rights and responsibilities are commonly referred to
as ``Fair Information Practices.'' Fair Information Practices ensure
that consumers have control over their personal data and that companies
abide by ethical business practices.
Fair Information Practices have provided the basis for privacy
legislation across both the public and private sectors. The Fair Credit
Reporting Act of 1970 placed requirements on credit reporting agencies,
restricting their ability to disclose information about individual
consumers and providing a right of access so that individuals could
inspect their credit reports and determine whether decisions affecting
their ability to obtain a loan or receive credit were based on accurate
and complete information.\5\ Since 1970, privacy laws based on Fair
Information Practices have covered educational records \6\, cable
subscriber records \7\, email \8\, video rental records \9\, and
telephone toll records \10\. The recently passed Children's Online
Privacy Protection Act \11\ requires parental consent before
information is collected from minors and access to any information
already collected.
---------------------------------------------------------------------------
\5\ Fair Credit Reporting Act (1970) 15 U.S.C. Sec. 1681.
\6\ Family Educational Rights and Privacy Act (1974) 20 U.S.C.
Sec. 1232g.
\7\ Cable Communications Policy Act (1984) 47 U.S.C. Sec. 551.
\8\ Electronic Communications Privacy Act (1986) 18 U.S.C.
Sec. 2510.
\9\ Video Privacy Protection Act (1988) 18 U.S.C. Sec. 2710.
\10\ See Telecommunications Act (1996) 47 U.S.C. Sec. 222.
\11\ Children's Online Privacy Protection Act (1999) 15 U.S.C.
Sec. 6501.
---------------------------------------------------------------------------
For more than 25 years, the United States has established privacy
laws based on Fair Information Practices directly in response to the
development of new technologies, such as computer databases, cable
television, electronic mail, movies on video tape, and fax machines.
Far from discouraging innovation, these baseline privacy standards have
promoted consumer trust and confidence as new services have emerged.
Privacy laws have also provided businesses with clear rules and a level
playing field.
Fair Information Practices have also contributed to the development
of privacy laws around the world. Important international agreements
such as the Organization for Economic Co-operation and Development
(OECD) Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data and the recently concluded Safe Harbor arrangement have
been built on Fair Information Practices \12\. These international
guidelines have become more important as we move toward a global
economy where US firms seek to sell products online in other countries
and US consumers have increasingly made their personal information
available over the Internet to companies operating all around the
world.
---------------------------------------------------------------------------
\12\ http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM
---------------------------------------------------------------------------
Because of the central role that Fair Information Practices have
played in the development of privacy law in the United States and the
increasing importance of these principles for online commerce going
forward, I believe they provide the appropriate framework to evaluate
the bills now pending before the Committee.
Fair Information Practices Principles and Consumers
Strong legal protections built on Fair Information Practices
satisfy the basic, common sense privacy expectations of consumers. The
bills under consideration today follow the rubric of notice,
``choice,'' access, security, and enforcement when discussing Fair
Information Practices. While this is not a complete list of the
obligations that can be found in US privacy law, it is a useful
framework for evaluating privacy measures. All three bills present
various approaches towards upholding Fair Information Practices and
establishing baseline standards for Internet privacy.
Notice
The first principle of privacy protection is that a consumer should
be provided notice of the collection, use and dissemination of his or
her personal information. A privacy notice or a privacy policy should
tell a consumer when his or her personal information will be collected,
the purpose it will be used for and whether it will be disclosed to a
third party. Simply put, a privacy notice should be a basic description
of what information a company collects and for what purposes.
The problems with current privacy policies have been brought up by
the Committee in earlier hearings. They tend to be long, confusing, and
full of obscure legal language. It is ironic that a principle intended
to make consumers aware of privacy practices has been subverted to one
that misleads and frustrates consumers on a regular basis. There is the
additional problem that companies have found it too easy to change
privacy policies when they wish. This was the problem with Doubleclick
that gave rise to the FTC investigation.
Furthermore, although notice is an important part of a privacy
policy it does not by itself constitute privacy protection. Notice must
be accompanied by the other principles of Fair Information Practices.
This point was made clear in EPIC's recent report ``Surfer Beware 3:
Privacy Policies Without Privacy Protection''. This study found that
while the vast majority of high-traffic e-commerce sites had privacy
policies none of those sites displayed a privacy policy that provided
the full range of Fair Information Practices \13\.
---------------------------------------------------------------------------
\13\ http://www.epic.org/reports/surfer-beware3.html
---------------------------------------------------------------------------
S. 2928, the ``Consumer Internet Privacy Enhancement Act'', has the
most extensive discussion of notice in comparison to S. 809 and S.
2606. However, it is possible that the amount of information that this
bill requires to be disclosed will likely overwhelm the average
Internet user. The speed and convenience of shopping online will
quickly hit speed bumps if all consumers are expected to read such
notices before transacting business. Consumers should be assured that
baseline principles to safeguard their privacy apply to every site they
visit. They should not be burdened with having to examine and
comprehend each line of a privacy policy before they decide whether or
not to transact business with that specific company.
The notice provisions of S. 809, the ``Online Privacy Protection
Act of 1999'', and S. 2606, the ``Consumer Internet Privacy Enhancement
Act'', are less burdensome but neither are perfect. While S. 2606
specifies that notice should be ``clear and conspicuous'', S. 809
prudently requires that contact information is provided. While the
legislative construction would be difficult, notice should be able
easily understood by most consumers. Of course, contact information
should be included as well.
In addition to this basic analysis of notice, S. 2606 properly
addresses a growing trend of Internet companies that unilaterally
change privacy policies on their customers. The requirement of notice
of a policy change and consent before information can be used in
accordance with the new policy would ensure that companies could not
change terms on their customers. Furthermore, it would force companies
to think more carefully the first time they write their privacy policy.
Consent
The principle of consent is based on the view that if a consumer
provides information for a particular transaction it should not be used
for another purpose without first obtaining the consent of the
consumer. The purpose of this requirement is to ensure fairness and
transparency and to prevent the type of ``bait and switch'' that can
easily result if a consumer is led to believe that a disclosure of
personal data is necessary for a transaction when it will in fact be
used for another purpose. If I provide my name and mailing address so a
book I ordered online will arrive at my house, the information should
not be used for another purpose without my permission.
Opt-in means asking the consumer's permission before information is
collected or used. Opt-out means that a consumer will have to go
through a long, burdensome process to tell a company that she doesn't
want information used in a particular way. Which one will help a
consumer control her information? Which will encourage companies to
make it as difficult as possible to let her exercise that control?
We support opt-in as a common-sense standard that will give
consumers a fair chance at controlling their personal information. The
affirmative consent requirement that would be established by S. 2606 is
a ``consumer friendly privacy standard'' that allows for individuals to
rightly decide how their information held by others should be used.
The exceptions in S. 809 for consent present an issue that the
Committee should consider. S. 809 excludes ``transactional information
where identifiable information is not removed'' from its consent
requirement. While S. 2606 establishes that personally identifying
information may only be collected and used with consent, a great deal
of information is collected and tied to unique identifiers.
While it does not establish an opt-in, only S. 809 recognizes that
``transactional information'' or clickstream data should be considered
personal information. Within the bill, personal information includes
``information that is maintained with, or can be searched or retrieved
by means of'' other identifiers. Transactional information is data
generated by online movements--pages visited, searches conducted, links
clicked--and has been at the center of recent privacy controversies
over online profiling. Not including this information as part of an
online privacy bill and protecting it would overlook a major concern of
Internet consumers.
Access
One of the critical requirements of genuine privacy protection is
to ensure that consumers are able to see the information about them
that is collected. The right of access, which can be found in laws
ranging from the Fair Credit Reporting Act to the Privacy Act to
medical privacy laws across the country, is oftentimes the most
effective way that individuals have to monitor the collection of their
date and to object to inappropriate uses of personal information.
Businesses sometimes object to providing access because they claim
that it is too costly. But it is also possible that many organizations
simply don't want to actually show their customers how their personal
information is actually used. This is a risky strategy that we believe
online companies should avoid.
In the online world it is much easier to provide access to profile
information. Many websites today, from airline reservations to online
banking, are making information that they have about their customers
more readily available over the Internet. Many of these companies
realize the importance of ensuring the information they have is
accurate and developing a transparent and accountable business-customer
relationship.
But we need a much broader right of access in the online world
because some bad actors are taking advantage of technological tools
that are beyond the knowledge of most Internet users. The online world
enables far-reaching profiling of private behavior in a way that is
simply not possible in the physical world. This became clear during the
past year over the debate with Doubleclick and it is today a critical
issue with Amazon.
Any company that creates a persistent profile on a known user, or
that could be linked to a known user, should be required to make known
to that user all of the information that is acquired and how it is used
in decisions affecting that person's life. The profile should always be
only ``one-click'' away--there is no reason on the Internet that
companies should force users to go through elaborate procedures or pay
fees to obtain this information about them.
It would also be appropriate in many cases to give individuals the
right to compel a company to destroy a file that has been created
improperly or used in a way that has caused some harm to the
individual. Data could still be preserved in an aggregate form, but
individuals should be able to tell a company that they no longer have
permission to make use of the personal information that they have
obtained.
S. 2606 provides the most robust right of access. Providing
``reasonable'' access to personally identifying information and the
ability to correct or delete information allows the consumer to control
what happens to her data.
S. 809 is better than S. 2928 on access, though the numerous
exemptions create several problems. Transactional information,
especially where identifiable information is not removed, has received
some of the greatest recent attention as mentioned above via online
profiling. Personal information that is used internally or
confidentially is the type of information that should be most subject
to access since it is used outside the realm of normal customer
interaction. If one of the goals of access is transparency, the
information which is most hidden should be brought to light. The other
exceptions for discarded data and data that has no impact seem
redundant or unnecessary. The presumption of access is that if personal
information is held by a company, it should be provided to the
consumer. Discarded data is not held by a company and whether data has
impact should be a question the consumer should answer.\14\
---------------------------------------------------------------------------
\14\ For further comments on S. 809, see Testimony and Statement
for the Record of Marc Rotenberg, Director Electronic Privacy
Information Center, Hearing on S. 809, The Online Privacy Protection
Act of 1999, Before the Subcommittee on Communications Committee on
Commerce, Science and Transportation, U.S. Senate, July 27, 1999,
[http://www.epic.org/privacy/internet/EPIC_testimony_799.pdf]
---------------------------------------------------------------------------
Enforcement
Perhaps the most important element of Fair Information Practices is
enforcement. Absent an effective means to ensure compliance, privacy
principles will have little impact on business practices.
The key to enforcement is the independence of the enforcer. Self-
regulation has been an incomplete solution to privacy protection due to
this lack of independence. A company overseeing its financial
supporters will not be effective or independent. In our view, the Safe
Harbors created by both S. 809 and S. 2928 lack sufficient oversight to
ensure privacy protection. Privacy advocacy groups like EPIC have
documented reasons to be concerned through its ``Surfer Beware''
reports.\15\ If self-regulation had been effective, the FTC would not
have reluctantly made its recommendation for legislation earlier this
session and we would not be discussing 3 potential Internet privacy
laws today.
---------------------------------------------------------------------------
\15\ EPIC, ``Surfer Beware I: Personal Privacy and the Internet''
(1997) [http://www.epic.org/reports/surfer-beware.html]; EPIC, ``Surfer
Beware II: Notice is Not Enough'' (1998) [http://www.epic.org/reports/
surfer-beware2.html]; EPIC, ``Surfer Beware III: Privacy Policies
without Privacy Protection'' (1999) [http://www.epic.org/reports/
surfer-beware3.html].
---------------------------------------------------------------------------
All three bills allow State Attorneys General to police unethical
companies that harm the consumers in their jurisdiction. However, all
three allow the FTC to intervene in proceedings and permit its actions
to take precedence over the actions of State Attorneys General. While
we recognize the important role of the FTC in the protection of
consumers, it still remains unclear whether it is the appropriate
agency to safeguard privacy interests. Rather than putting roadblocks
in the way of State Attorneys General, we should allow consumers to be
protected by local authorities and other independent agencies that are
available.
It is also important to ensure that individual consumers are able
to pursue privacy complaints. For that reason, a right to private
action with a provision of liquidated damages should be provided. This
preserves the right of consumers to pursue privacy complains when
necessary. While S. 2928 does establish a fixed level of civil
penalties, S. 2606 establishes a private right of action, liquidated
damages attorney's fees, and punitive damages.
None of the bills provide for the establishment of a privacy
agency. S. 2606 goes furthest in establishing a FTC Office of Online
Privacy but like the other bills rely on the existing section 5
authority of the Federal Trade Commission. The reliance of privacy
guidelines on the FTC Act prohibiting unfair and deceptive business
practices has not provided an adequate basis for the protection of
privacy interests and has failed to develop simple dispute resolution
procedures that could assist both consumers and companies resolve
privacy problems.
Most consumers are not lawyers, computer experts, or privacy
advocates. For that reason, many countries have created independent
data protection agencies that answer questions and follow up on
consumer complaints. In addition to providing invaluable assistance for
consumers, a privacy agency can bring the consumer perspective to other
government agencies and business groups. These agencies are also
generally responsible for public education and international
coordination with privacy agencies in other countries. In order to help
consumers resolve complaints and to penalize unethical companies, they
should have the power to take action when irresponsible companies
breach privacy principles established in law.
Additional Issues
State Preemption
All three bills propose state preemption, though S. 2606 will allow
for common law tort and certain other claims to go forward. Limiting
the ability of states to develop additional safeguards to protect the
privacy interests of their citizens is a dangerous precedent and has
only occurred in a few statutes. By and large federal privacy laws
operate as a floor and allow states, ``the laboratories of democracy,''
to develop new and innovate safeguards as required.\16\ We believe this
approach should be followed with Internet privacy.
---------------------------------------------------------------------------
\16\ See, e.g., Video Privacy Protection Act (1988) 18 U.S.C.
Sec. 2710(f), Cable Communications Policy Act (1984) 47 U.S.C.
Sec. 551(g).
---------------------------------------------------------------------------
Additional Safeguards
In addition to the other substantive provisions to protect privacy
on the Internet. S. 2606 also proposes important amendments that would
update current privacy laws. The Video Privacy Protection Act would be
extended to include all video recordings, recorded music, and book
purchases. The Cable Communications Policy Act would be extended to
satellite TV subscriptions. These are sensible recommendations that
build on current laws.
Anonymity
Finally, although the bills do not directly address the issue of
online anonymity, I would like to underscore that this issue remains
one of the central challenges of Internet privacy. While anonymity does
create some risk, the loss of anonymity in the online world could
significantly undermine any legislative effort to safeguard privacy. We
have noticed a disturbing trend in the last year with more and more web
sites requiring registration and making use of new tracking techniques
to profile Internet users. Legislative safeguards will help limit the
worst of the abuses, but formal recognition of a right to be anonymous
in the online world may be the most robust form of privacy protection
in the years ahead.
Conclusion
We commend the Committee for the important efforts to address
online privacy. We believe that S. 2606 provides the most robust
framework to protect privacy on the Internet, that it is consistent
with other privacy laws, and that it is in the interests of consumers
and business to ensure a high standard for privacy protection in the
world of e-commerce. We urge the Committee not to place too much value
on privacy notices without other substantive safeguards. Privacy law is
based on Fair Information Practices, a collection of rights and
responsibilities that help safeguard the interests on consumers in the
world of rapidly changing technology.
References
Articles, Reports and Web Sites
EPIC letter to FTC, Dec. 14, 1995 [http://www.epic.org/privacy/
internet/ftc/ftc_letter.html]
EPIC, ``Surfer Beware I: Personal Privacy and the Internet'' (1997)
[http://www.epic.org/reports/surfer-beware.html]
EPIC, ``Surfer Beware II: Notice is Not Enough'' (1998)
[http://www.epic.org/reports/surfer-beware2.html]
FTC, ``Online Privacy: A Report to Congress'' (1999) [http://
www.ftc.gov/reports/privacy3/index.htm].
Doubleclick page [http://www.privacy.org/doubletrouble/]
Junkbusters [http://www.junkbusters.com/ht/en/new.html#Ginsu]
Jerry Kang, ``Information Privacy in Cyberspace Transactions,'' 50
Stanford Law Review 1193 (1998).
Letter to Senator John McCain, August 1, 1997 (from Center for
Media Education, Privacy Rights Clearinghouse, Privacy Times,
Electronic Frontier Foundation, Consumer Federation of America, EFF-
Austin, Consumer Project on Technology, Electronic Privacy Information
Center, Privacy Journal) [http://www.epic.org/privacy/databases/
ftc_letter_0797.html]
Joel R. Reidenberg, ``Restoring Americans' Privacy in Electronic
Commerce,'' 14 Berkeley Technology Law Journal 771 (1999).
Testimony of Marc Rotenberg before the Subcommittee on
Communications, Senate Commerce Committee on the Online Privacy
Protection Act of 1999, July 27, 1999.
Paul Schwartz, ``Privacy and Democracy in Cyberspace,'' 52
Vanderbilt Law Review 1609-1702 (November 1999).
Gregory Shaffer, ``Globalization and Social Protection: The Impact
of EU and International Rules in the Ratcheting Up of U.S. Privacy
Standards,'' 25 Yale Journal of International Law 1-88 (Winter 2000)
Books
Phil Agre and Marc Rotenberg, eds., Technology and Privacy: The New
Landscape (MIT Press 1997)
Colin Bennet, Regulating Privacy (Cornell Press 1992)
David H. Flaherty, Protecting Privacy in Surveillance Societies:
The Federal Republic of Germany, Sweden, France, Canada, and the United
States (Chapel Hill 1989).
Priscilla M. Regan, Legislating Privacy: Technology, Social Values
and Public Policy (University of North Carolina Press 1995)
Marc Rotenberg, The Privacy Law Sourcebook 2000: United States Law,
International Law, and Recent Developments (EPIC 2000).
Paul Schwartz and Joel Reidenberg, Data Privacy Law: A Study of
United States Data Protection (Michie 1996)
The Chairman. I thank you and I thank the witnesses for
being here.
A great deal of the debate on this issue revolves around
the issue of opt-in versus opt-out. I would like to hear all
the witnesses' views of the advantages and disadvantages to
both consumers and businesses associated with each of these
approaches. We will begin with you, Mr. Cooper, and go down the
line.
Mr. Cooper. Thank you, Mr. Chairman.
Hewlett-Packard has done a lot of work lately, in fact very
aggressive work, in moving from an opt-out to an opt-in
situation for our own websites. We have learned a lot as we are
doing it. It is not as easy as we first thought. Very few
things dealing with the Internet are. But we think that that is
the way to go. It is certainly right for consumers. It is also,
we think, a good business practice.
As we are doing this, we are finding that there are certain
areas where opt-in may be difficult either because of logistics
or because it then sets off other problems that kind of
escalate down the road.
I think we have come to the conclusion that we think there
should be sort of a reverse of what is now kind of the
rebuttable presumption on opt-in/opt-out. I think now it is
that everything is opt-out unless there is the decision either
by the company or Congress or others that it should be an opt-
in. We have certainly seen with financial services, with
children, with medical records, those have turned into opt-in.
I think ultimately we could see where there should be the
rebuttable presumption where everything would be an opt-in
unless there were reasons that could be given that it should be
an opt-out. So, we do not think that opt-in works in all cases,
but we think that is probably where companies should go in
their own personal uses.
The Chairman. Mr. Vradenburg.
Mr. Vradenburg. I think we are only at the beginning of
understanding exactly how to effectively give consumers choice.
Your bill, Senator McCain, focuses on the ease of use and
clarity with the choices offered and exercised. It neither uses
the word opt-in or opt-out. I think that focus is right. How
easy do we make the choice and how clear do we make the
information needed by the consumer to make that choice? A one-
size-fits-all kind of approach here is not going to work.
In a number of areas, we too have moved toward an opt-in
approach, whether it be in the financial area, where obviously
people do not put their financial records online unless they
clearly choose to do so, whether it be the medical and health
area, where in fact the High Ethics Coalition has recommended
opt-in policies for a wide variety of companies dealing with
health care information, and clearly we did that in the
children's arena. But in fact, I think to say that one-size-
fits-all with respect to all of the information exchanges that
are currently going on or may go on in the future is an unwise
approach and that we ought to focus, as your bill does, on the
ease with which consumers can both find, understand, and then
exercise the choices they are offered.
The Chairman. Mr. Garfinkel.
Mr. Garfinkel. Thank you, Mr. Chairman.
A few years ago, Bill Gates said that opt-in/opt-out was an
irrelevant distinction. He said you could just put up a
question and force people to answer it one way or another.
The Chairman. Do you agree with Mr. Gates' assessment?
Mr. Garfinkel. No, I do not and I am about to explain why.
Since then we have learned that opt-in/opt-out is
extraordinarily important. With opt-out, it requires that
consumers be tremendously informed. I have been a computer
security practitioner for about 10 years now, and for the first
five, I thought that all the security problems would be dealt
with when we properly educated people. But we have learned that
you really cannot educate people. People just do not have the
time. Many people do not have the ability.
With an opt-in system, it requires that the business
explain to the consumer the value proposition to get the
consumer to make an affirmative statement to share their
information. If the business does not adequately explain what
is going on, the consumer has no incentive to opt-in. With opt-
out, it is just the reverse. The business has an incentive not
to explain things clearly.
Now, let me explain this in terms of positional
information, something I am extraordinarily concerned about.
Every cellular telephone that is used in the world right now
has to track the movements of its user because that is the way
the cellular telephone systems deliver the calls. Now, it might
be that the company is recording your positions over time and
selling that information. If you have an opt-out regime, it is
up to me to find my cellular company's privacy statement to
read it to find out if they are selling my positional
information rather than simply being told that they would like
to do that and being given the choice.
We have recently seen that with the Sprint PCS. They have
Web forms that you can do on your phone, and it was revealing
personal information when people filled out their forms. It was
revealing their phone number. People were never told it was
doing that. It might have been on some privacy statement
somewhere.
So, my feeling is that with the way Americans approach
technology, an opt-in regime is the only one that really makes
sense. It is the only one that is fair.
The Chairman. Mr. Rotenberg.
Mr. Rotenberg. Mr. Chairman, I think opt-in is just common
sense. I think if a company wants to take personal information
that is acquired through a commercial transaction and use it
for a purpose unrelated to the transaction, most people would
think maybe I will agree to do that, but should you not ask me
first?
What happens under the opt-out regime is companies realize
that this information has a great deal of value and that if
they actually have to go back and ask the customer, the person
might object. So, they make it difficult and they discourage
people from exercising any control.
I think it is not surprising, and in some ways commendable,
that industry has moved toward opt-in, but I think if you
legislate opt-in, you will, in effect, protect the good actors.
If you do not, there will be a lot of bad actors running around
taking advantage of weak opt-out policies.
The Chairman. I have one more question for the panel. Mr.
Cooper, you want to respond to that.
The FTC would favor an approach that would provide them
with rulemaking authority to regulate privacy on the Internet.
Do you agree with that approach?
Mr. Cooper. First of all, one last thought on opt-in/opt-
out. I think that your legislation has advantages that really
have not been discussed to the degree that they need to be,
which is clear and conspicuous. I think this is the important
key to opt-out, and I think it is something that we need to do
as quickly as possible. If the FTC has authority to insist that
any privacy policy is described in a clear and conspicuous
manner, then I think a lot of the problems that have been
discussed at the witness table should go away because
businesses cannot hide what their policy is. I think if you are
going to do one thing, having clear and conspicuous privacy
policies is the thing. The FTC does that for a living. They do
clear and conspicuous on advertising, on used cars, on
telemarketing, you name it. That is the front line of defense
for the FTC on consumer protection.
As far as giving a rulemaking to the FTC, we are not too
sure that they do not already have the power within their
section 5 authority to do pretty much I think everything that
you have described in your bill. If it requires a further
working through of that, I would hope that it would be an open
process where we would have either hearings before this
Committee or some sort of hearing process before the FTC to
ensure that there is that balance between their needs for
protecting consumers and the ability of the marketplace to
continue growing as it has.
The Chairman. Mr. Vradenburg.
Mr. Vradenburg. Mr. Chairman, I have gotten somewhat
distrustful of the FTC's rulemaking authority recently, and I
would say this: It does seem to me that Congress is going to
set the policy here, and if the policy is notice and choice, as
I think it should be, that is a market-driven choice where
basically companies will be out there clearly and conspicuously
giving notice of precisely what information is being collected,
how they are using it, what choice is being made.
My concern with additional rulemaking authority beyond the
traditional enforcement power of the FTC is that we will get
into a debate about what size the font ought to be, exactly how
many scrolls you ought to be able to go through, how you put it
on the cell phone. What we will end up doing is constraining
the innovation that is going on in the marketplace by depriving
the consumer of a variety of choices simply because the FTC has
described with excruciating detail precisely all of these
elements in a way that will make innovation and continued
technological progress in this industry and, indeed, new choice
techniques and methodologies and technologies continue to
evolve on the marketplace.
So, I am in favor of your approach in your bill, which is a
notice and choice approach, with clear and conspicuous
disclosure, with enforcement authority, believing that that
gives the marketplace its maximum capacity to continue to
innovate in this area and at the same time give confidence to
the American people through this body that, in fact, there are
some baseline standards being set in this arena.
The Chairman. Mr. Garfinkel.
Mr. Garfinkel. Thank you, Mr. Chairman.
I have long said that Congress should not be making
legislation on cookies, that it is far better for a regulatory
body to make those decisions. I think that the technology is
moving very fast and that a regulatory body is able to respond
to the changes in technology more quickly than Congress can
respond to it. So, I would think that would be a very good
place for the rulemaking authority, to be with the FTC.
At the same time, I do have some concerns about the FTC
largely because they are relating to trade, and I think that
there are issues on the Internet involving privacy that the FTC
is not concerning itself with, like the way nonprofits collect
information on the Internet. That is why I would ideally like
to see the creation of an independent organization to do that
within the government. But given the choice of not giving the
power to the FTC or giving the power to the FTC, I think that
giving it to the FTC and funding a privacy office within the
FTC so we can have a set of experts there who are resources for
the rest of the federal government would be the best solution.
The Chairman. Mr. Rotenberg.
Mr. Rotenberg. Mr. Chairman, I actually do not favor FTC
rulemaking authority in this area. I think the better approach
is to establish the statutory obligations to give people the
private right of action and to allow the FTC to do enforcement.
But my assessment is that when we do these very detailed
regulations with elaborate participation, as it should be, from
all the stakeholders, we end up with a set of rules, as Mr.
Vradenburg has suggested, that become very time-bound. They
work today but they may not look as good a couple of years out.
One of the remarkable things about U.S. privacy law,
whether it passed 5 years ago, 10 years ago, or 25 years ago,
is that it has been aging pretty well. As long as we stay away
from specific technologies, as long as we do not build privacy
laws tied to the technology of the day, I think that is the
more durable approach over time.
The Chairman. Thank you.
I think one thing that is clear from this hearing and from
the statements of the Senators and Members of the Committee, as
well as the witnesses, is that there is a wide division of
opinion as to how we address this issue. There is agreement
that it is an incredibly important and challenging issue that
continues to grow daily. There is not a consensus yet. We may
have to, in January, have another set of hearings in order to
try to build consensus on this issue.
But I also think that there is a compelling argument that
we not remain dormant here without acting on the issue. As
every day Internet users increase, the fact is that this issue
becomes more and more important.
We have never passed a bill that I can remember out of this
Committee directly on partisan lines. In fact, both sides have
different views on this issue, but we have usually tried to
reach consensus because it never moves if we do not get it out
of Committee with an overwhelming majority. So, I think the
hearing today, the statements by the Senators, as well as the
witnesses indicate that we have a ways to go before we have
consensus on this issue.
Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman. I agree with the
statement you just made as well.
A question for you, Mr. Cooper and Mr. Vradenburg. This is
an effort to find this consensus the chairman talks about. Are
the two of you against including access and security in a bill
at this point? Just yes or no I think would be helpful because
then I am going to ask you to explain it in a minute.
Mr. Cooper. Well, in a sense it is in the chairman's bill.
It just goes to a study for a report back to Congress.
Senator Wyden. But other than a report, you would not favor
any action at this time.
Mr. Cooper. We think those issues are too complicated to
decide within legislation.
Mr. Vradenburg. I agree with that.
Senator Wyden. As you know, in the Burns-Wyden bill, we
include access and security in an effort to try to give a lot
of flexibility for business and the like. Especially the access
issue is so key because if a consumer's profile contains
mistaken or fraudulently obtained information about a sensitive
topic, credit or medical information, there is a question about
how they would ever correct it if they did not have access to
it. I understand your concerns, and you all have been very
thoughtful in terms of dealing with us.
What I would like to do is ask Mr. Rotenberg and Mr.
Garfinkel to tell us why they think it is workable to do access
and security, and then have the two of you respond to that in
the name of, again, trying to find the kind of common ground
the chairman is talking about. Mr. Garfinkel and Mr. Rotenberg,
why do the two of you think it is possible to address access
and security now?
Mr. Rotenberg. I think the main point, Senator, is that in
this highly dynamic environment where companies are still
exploring a lot of different ways to take advantage of the new
technology, people are finding it not so difficult to provide
extensive information to their customers that in the past would
have been impractical or too expensive to provide. You can go
online today and see a profile of information that the airline
company that you deal with or the hotel that you make
reservations with or the bookstore that you buy from collected.
All the information that they have about you or, I should say
more precisely, most of the information they have about you is
now available to you. That is possible because the technology
is changing today and makes it possible for companies that say
we value access to do this.
Now, there are certain types of information that are not
being made available and then there are certain companies like
the online advertisers who have made it particularly difficult
to find these profiles. But I think the key point here is that
the technology makes it much easier today than it had been in
the past to make access real.
Mr. Garfinkel. I want to amplify what Marc says with two
examples.
The first example is from online advertising. The online
advertisers build a comprehensive profile of a person viewing
an Internet site, and they use that profile to decide what
advertisement to show the individual.
Now, a way to deal with the access and the security issues
are the information on the user's computer, the cookie that
pulls into that profile, could also be used as a kind of
password to access that profile. The computers that are serving
up the advertisement have the possession of all that
information, and they could very easily display the information
at the same time or at another time with another form rather
than simply using that information internally and then not
displaying it.
Technically, access is very easy to convey. The security
techniques that we have come up with on the Internet that we
have said are sufficient for downloading credit card
information, sufficient for viewing other kinds of highly
confidential information online should provide the same sorts
of security provisions for personal information when you are
showing that to the user.
Now, if you look at Amazon, Amazon has a tremendous amount
of personal information that they record. One of the things
that they record is every book that you have ever purchased,
and they use this for making recommendations when they show you
other books. You can ask for recommendations. One thing you can
do is you can go to a Web page on the Amazon system and see the
list of all the books that you have ever purchased, and if you
want Amazon to strike one of those books so that there will not
be a record, they allow you to delete it. Now, what I do not
know is if it is actually deleting it inside Amazon's computers
or not or if it is simply deleting it from what it shows me
because Amazon is not really known as a strong privacy player.
On the other hand, the fact that they are doing this and
making this capability available to consumers--and I have used
it and it seems to work--leads me to believe that these are not
insurmountable hurdles. They are in use now by some of the
corporations that are doing business on the Web.
Senator Wyden. Mr. Cooper, Mr. Vradenburg.
Mr. Vradenburg. Senator, I think the difficulty here is
more pragmatic than anything else. It is a matter of whether or
not one can develop adequate access standards and decide when
they apply in what circumstances and where we may not create a
greater danger to privacy than we create a user opportunity to
see their own records.
Regarding security, I think it is just a difficulty of
setting those standards. We have tried that inside the industry
and we have tried that inside government and have been unable
to do so.
Let me come back a second to access. We do not use
navigation information on our service. We do not use it for
marketing purposes. We do not sell it. So, the only purposes
that we would ever use that information for internally are
aggregated information and, indeed, really to improve the
service by finding out exactly in aggregate where people tend
to go and why they tend to go there. As a consequence, none of
our files are organized by a member, by a user. To require
access would perhaps cause us to have to create files that do
not now exist to make things more accessible not just to the
average user, but to the average hacker.
So, our problem and concern here is less sort of the
principle than the pragmatic effort to get at what it is that
people are to have access to, under what circumstances. The
easier you make it for the average user of the Internet to get
access to their information that may be disaggregated inside
our files is to make it more accessible to hackers.
I would also say, not in any adversarial way, one ought to
try and apply the standard to government. That is to say, I say
that not with an effort to say government is lousy and we are
great. I am just say to really apply the access standards that
you would adopt, go to your federal government agencies and
say, apply this access standard, and figure out whether or not
you are creating more danger to government users and government
records than you are creating an opportunity to use.
We saw this with Social Security records about a year ago
when there was an effort to provide more information to users
and more information about the file, and the great concern was
that those were hackable and that the information has become
more widely dispersed. Thus, there was a greater danger to
privacy in making access available, easier to users because it
was easier to get at by hackers.
So, this is a pragmatic problem that we address. We do not
think that the state of affairs is ready yet to address this in
federal legislation, and that is why we do not think it ought
to be embraced. That is why we have supported Senator McCain's
approach.
Mr. Cooper. We are always nervous when somebody says that
there is a simple solution to a technical Internet problem
because it may work in the first case or the first 10,000
cases, but when you try to scale these things with companies
that have very different kinds of approaches and they have
artifact systems and they have very different data bases or
completely non-interoperable data bases, trying to find a
simple solution that will fit all these I think is going to be
a problem.
I think what the FTC Advisory Commission on Access and
Security was able to describe was I think a direction where we
can work through those problems. They did not reach
conclusions, but I think they raised all the right questions.
But I think if we turn this over to a study, a reputable study
and one that reports back to Congress on a date certain with a
recommendation to Congress, I think that will certainly get our
attention. I think it will get every other companies'
attention. I think we can work through probably to some kind of
finality.
Senator Wyden. Mr. Chairman, I know my time is expired. The
reason I ask about these two points is I do not think you can
go to the American people in a credible way without a provision
involving access. I think you know, as a result of the efforts
that we have worked on together, that I want to do this in a
bipartisan way. I think what Mr. Vradenburg has said with
respect to ensuring that this is pragmatic is absolutely right.
But particularly with respect to this access question, I do
not see how you can go to the public without some way to get
the ability to get the chance to see that personal information.
I look forward to working with you on a bipartisan basis.
The Chairman. Senator Burns.
Thank you, Senator Wyden.
Senator Burns. Along the same line as Senator Wyden's
questioning--by the way, thank you you for coming today. Just
listening to the exchange, I happen to agree with the approach
that Senator Wyden and I have taken on access. It also points
to what you have remarked that it gives some concern to hackers
and this type of thing. We have talked about encryption ever
since I have been here, and the security measures that we have
to take in order to make ourselves secure. Yet, we keep getting
some feedback on strong encryption legislation. I think they go
hand in hand. I think as we go along with collecting this
information that we have to figure out some way to make it
secure.
Let us talk a little bit about the statement that you put
up with regard to your privacy. How many people actually
download that thing and read it and understand it? No matter if
you are an opt-out or an opt-in, it makes no difference on your
approach.
Mr. Vradenburg. I do not know the answer to that, although
we probably can provide that information to you, Senator. But
there are a rather substantial number of hits to that and to
the keyword privacy preferences on AOL and it is read quite
widely. Whether we can actually provide you numbers is a good
question, and I will look into that.
Senator Burns. I know you cannot provide the numbers of
people who want to read all the legalese and interpret it.
Mr. Vradenburg. We have tried to set forth eight
principles, which are relatively straightforward, on one or two
pages and then have links back to deeper information if people
would like to understand more about it precisely for that
reason because, indeed, one of the problems here is to be clear
with your customers. And to be honest with them, you have to be
as comprehensive as you can be, and that requires some length,
and you would like to lift out of that some basic principles
that you can get, and if you have need for deeper information,
you can get that too. So, how to present this in a way that is
easy to read is a challenge. We think we have done that, but I
recognize that it is a challenge.
Senator Burns. Mr. Rotenberg, you would like to comment.
Mr. Rotenberg. Senator, I was going to make two points.
First of all, I think there is a particular problem with notice
for Internet privacy from the consumer viewpoint, which is if
you think about buying a car or some other big transaction,
yes, you are going to read all the details----
Senator Burns. I do not do that. I buy my cars in garage
sales.
[Laughter.]
Mr. Rotenberg. Well, that is even better.
But, of course, if you are on the Internet, and you are
going from one website to another--this is more changing than
channel surfing on a television, if you find something
interesting, you want to go on to the next website. The
question is should you have to check the privacy policy before
you start reading information from a website.
Now, some people suggest that maybe the solution to that
problem is to automate it, but my concern about that approach
and the reason that we have not been supporters of P3P is I
think people are going to find pretty quickly that once they
have a few websites that they want to get to with low privacy
policies, they are going to have to turn down their privacy
dial to continue surfing. So, that is one kind of problem. You
move very quickly from one website to another.
Another kind of problem is that companies change their
privacy policies. They may begin with a good notice. Amazon,
for example, when they started, they said, we will not disclose
your personal information to third parties. We said that is a
good privacy policy. We are a privacy organization. We were
actually one of their first affiliates. They have got hundreds
of thousands now. We were one of the first groups online
selling books with Amazon. A couple weeks ago, they said, well,
we have changed our privacy policy and we can no longer give
you that assurance. What do we do with that?
Senator Burns. Mr. Cooper, and then I have a followup
question.
Mr. Cooper. Very quickly. Again, I think that clear and
conspicuous is the key here, and that is a term of art to the
FTC and we think it is very important that they have that
authority to go in and make sure that whatever somebody says is
clear and conspicuous.
We think the other thing that should be done is joining a
seal program. We have the Better Business Bureau seal on all
our websites. It was a hard program to come under. We think it
is sort of the gold standard for seal programs. It took a lot
of work to get all our websites underneath that, but we feel
very confident now that when people see that seal, that they
will recognize that they are dealing with a reputable company.
Senator Burns. I want to ask you, do you think Senator
Wyden's and my approach--we do not make it clear enough on the
opt-out situation? It is not clear?
Mr. Cooper. I think you and Senator Wyden have targeted
exactly those issues that need work on next year and that we,
as businesses, should be engaging with you and this Committee
to find those answers, or at least find the approach that will
lead us to those answers.
Senator Burns. Thank you very much.
Now, with saying that, give me your assessment on safe
harbor. Do you support safe harbor, and why has the majority, I
would say, of the industry been reluctant to accept safe harbor
legislation in this area.
Mr. Cooper. Speaking again for HP, we think that safe
harbor can be very useful because the FTC--and even with the
State attorneys general being able to enforce any FTC rules--
you do not have the eyes and ears you need to make sure that
this marketplace is going to be clean and well-lighted. I think
you need to have things like third-party enforcers to be able
to help police this market as well. So, I think the idea of
having the FTC being able to vet third-party seal programs is a
very good one. We would hope it would be a very high standard.
Again, we think BBB would certainly meet that.
What you get from that also is that--and BBB does this with
the FTC already--that if there are patterns of abuse, if they
find that a company has got a constant series of complaints
against them, each one perhaps not a very high level, but that
pattern creates what they think is an abusive technique, they
will pass that on to the FTC or the AG's as well. That might
not show up coming down from the enforcers themselves. We think
that third party can be very useful.
The Chairman. I want to apologize to my colleagues. I have
been informed there has been an objection voiced on the floor
to the hearing. We are going to have to be done in a half an
hour, and we still have another panel of two witnesses to hear
from. So, I would appreciate it if we could stick to a five-
minute rule so that we at least can get the second panel's
questions.
Senator Burns. Thank you, Mr. Chairman. I have no more
questions.
The Chairman. Thank you, sir.
Senator Bryan.
Senator Bryan. Thank you very much, Mr. Chairman.
Mr. Rotenberg, let me ask you. You have had some
reservations about FTC rulemaking, you indicated previously.
You talk about the need for clear notice in terms of what the
website is offering. How do we get that clear, understandable
notice so customers or consumers can intelligently inform
themselves, and what problems, for example, have occurred with
respect to the rulemaking of the Children's Online Privacy
Protection Act?
Mr. Rotenberg. I think in terms of notice, a baseline
requirement for clear and conspicuous notice of use and
collection and so forth takes you pretty far.
Senator Bryan. How do you define that? How do you enforce
it if you do not have an FTC rulemaking?
Mr. Rotenberg. Well, we have done it in other areas. The
Cable Act, for example, has a notice requirement that has been
litigated, and courts can take a look at that language, as they
do in other areas, and try to give a reasonable interpretation.
I think it is actually a good approach because it builds in
some flexibility.
Now, in fairness, I think the FTC did a good job with the
Children's Online Privacy Protection Act. It was a tough bill
to write regulations for because of the technology and because
of the range of issues that the bill sought to address. I
thought they did a good job.
But I think going forward, given the choice between FTC
rulemaking and a good set of statutory principles that courts
and others could come back to, the second will give you more
flexibility.
Senator Bryan. You believe that if we define what is
required by notice by congressional act as opposed to
delegating that authority to the FTC is likely to give us more
flexibility?
Mr. Rotenberg. In fact, Senator, that is what we have
typically done with privacy laws, not generally with consumer
protection because there are a lot of regulations and
rulemaking procedures. Interestingly, we are big privacy
advocates, but we are not necessarily in favor of a lot of
regulation. If there is a way to establish legal rights, make
those principles clear, create incentives, I think it is the
better approach.
Senator Bryan. Mr. Vradenburg, let me ask you about--there
are two different spellings. One on the notice indicates that
there is an N in his name and the other indicates there is not.
What is the correct pronunciation?
Mr. Vradenburg. Vradenburg, no N in there.
Senator Bryan. So, the information here is incorrect and
the information on our notice is correct.
The Chairman. We will fire one of the staffers.
[Laughter.]
Mr. Vradenburg. No less a punishment.
Senator Bryan. I would ask that this part of the colloquy
not be subtracted from my five minutes.
[Laughter.]
Senator Bryan. Mr. Vradenburg, the legislation that a
number of us have supported, the S. 2606 option, defines data
in two different categories. One is personally identifiable.
With that, we say there is an opt-in requirement.
Now, let me ask you this. Among those personally
identifiable information definitions would be included the
individual's first or last name, his home or other address,
telephone number, Social Security number, a credit card number.
Why shouldn't the consumer have the right to require that his
or her affirmative consent be given before that information be
collected? We are not talking about all data. I want to make
sure the record is clear.
Mr. Vradenburg. Well, Senator, actually I speak only from
AOL's experience. Quite clearly that information is obtained
only with the consumer's consent because they have to give us
that in order to sign up with the service, and they clearly
have made a choice to do that, with the exception of Social
Security information. But certainly name and address
information and telephone number information is given to us
right up front. We obviously do disclose at the time exactly
what use we will make of that information and the fact that we
do not disclose it to third parties except subject to that opt-
out requirement.
But I am not sure then what the issue is because clearly
the consumer is choosing to give us that information.
Senator Bryan. But I do not understand your response. If
that is the policy that you are following currently--that is,
you are, in effect, giving the consumer the ability to say,
look, I do not want this information collected with respect to
this type of information--why not provide a statutory
protection for the consumer? What is the objection to that? We
are not talking about all information. We are just talking
about this personally identifiable information. What would be
the objection?
Mr. Vradenburg. I guess, Senator, I am misunderstanding the
character of the issue here because clearly, in order to sign
up for our service or any paid-for service, you are typically
going to get that kind of information. The consumer clearly is
going to make a choice whether or not to give up that
information or to subscribe to the service.
If the question then is should they not be given an opt-in
or an opt-out or some choice before that information is then
redisclosed to somebody else outside the company, I agree with
you that the consumer ought to be given a choice. At AOL, we
make that choice available to the consumer, disclose to them up
front that if they do not wish us to make it available to
others by means of renting lists of our subscribers to others,
that they can opt-out and quite a few of them do.
Senator Bryan. Well, but that is opt-out, not opt-in. I
think we are playing games here with the words. In other words,
what opt-in requires is that you must get affirmative consent,
not notify them, look, if you do not want us to do this, give
us a call in some fashion. I am asking what is wrong with that,
particularly with this kind of information, Social Security
card number, telephone, credit card? Why should the policy not
be that you have to get their prior consent before you
disseminate----
Mr. Vradenburg. Well, Senator, this is a matter of
terminology. I do not want to get into a vocabulary debate. The
question is whether you get the consumer's consent, and I think
we do and we do in our processes get the consent. We do it
through an easy-to-use, easy-to-find, easy-to-make-a-choice
system online on our system. So, the vocabulary of opt-in and
opt-out gets us boxed into whether or not this is going to be
an easy-to-use choice on the part of the consumer.
Senator Bryan. Let me say that this is a complicated area.
I am the first to acknowledge it. Consumers are not confused.
An opt-in requires you have got to get the affirmative
permission before rather than saying, in effect, silence is
acquiescence, and that is the effect of opt-out, is silence is
acquiescence. If the consumer does nothing, you are
interpreting his or her silence as giving you the right to do
that. I do not think most Americans would view that as much
protection.
Thank you very much, Mr. Chairman.
The Chairman. Thank you.
Senator Rockefeller.
STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
Senator Rockefeller. Thank you, Mr. Chairman.
Mr. Cooper, you indicated that you favor protection for the
consumers. I want to do a little bit about opt-in. You support
opt-in for anything that has to do with medical records.
Correct?
Mr. Cooper. Yes. It is already I think a given.
Senator Rockefeller. And you support it for financial
records. Correct?
Mr. Cooper. Yes.
Senator Rockefeller. Do you support it for religious
affiliation?
Mr. Cooper. I am not too sure what the context would be.
What we have done within HP----
Senator Rockefeller. It is not a very complicated question.
Mr. Cooper. That would not be a question that would be
asked of somebody, by our company----
Senator Rockefeller. What about political party or beliefs?
Mr. Cooper. This is what I was afraid of. It is sort of the
slippery slope and where is that line drawn? What I can say is
that somewhere along that line, that line should be drawn, and
I am not sure exactly where that should be. But we would
certainly say that that is where I think the debate should be.
Again, back to the point I made earlier, I think we have to
flip that rebuttable presumption. In other words, I think you
should have to show the reasons why things should be left as
opt-out as opposed to the rebuttable presumption that it will
be considered opt-in unless there are other reasons. Some of it
may be logistic, just you have different data bases out there.
I understand where you are taking that question, and I
think we would agree that it would be the obligation of
companies to say where that line should be and why it was
important to have it as an opt-out rather than an opt-in.
Senator Rockefeller. What about ethnicity? Should that be
opt-in?
Mr. Cooper. I think it comes back to use of that
information because obviously the Census or a lot of other
groups will take that information and aggregate it. So, a lot
of this is how this is going to be used.
Senator Rockefeller. I find those answers troubling, as I
find your earlier statement that this is going to be very hard
to do in terms of technology. Of all the people in this world
to say this is going to be difficult to do from the
technological point of view--and I think you, Mr. Garfinkel,
said that access just is not that difficult and the rest of it.
I just find that not very compelling.
I do not have anything against commissions. I have served
on a Medicare commission, a children's commission, a coal
commission, all kinds of commissions. The problem is that
commissions tend to be an amalgam and they do not come out with
sharp things because there is always dissent because they are
so carefully picked that they are almost doomed to fail at the
very beginning.
So, when you say these are very hard to do from a
technological point of view, things are not as simple as they
would seem, of all the industries, yours would be the last one
that I would expect to hear that from.
Mr. Cooper. Well, not that they are impossible to do
because we can do them, but I think we have a better sense of
where the difficulties are, and we would certainly want to
share that with any group that is coming up with
recommendations.
What we like about the National Academy of Sciences is that
it avoids just exactly the kinds of problems you mentioned as
being difficulties, which is that you have an amalgam of
different groups that kind of cancel each other out. We would
want to have, an expert body, because we consider ourselves an
expert company on the Internet, that we could work with and
consumer groups could work with, to come up with those
recommendations to Congress, again at a date certain.
We are not saying that you cannot do it. I think this is
one of the problems that business has gotten itself into, is
that we have come up as a group to the Congress and said, ``you
cannot get there from here.'' At HP, we think you can.
Senator Rockefeller. I have got to hurry and I apologize to
you.
Suppose I have had cancer and it is in a data base, but it
has been in remission for 10 years, move a little bit out into
the future. I want to go in and take that out. Or let us say
that I have diabetes, and then for some miraculous reason,
somebody discovered the cure for diabetes and it went out. Do
you not believe that I should have the right to go in and
correct that information, eliminate that information?
Mr. Cooper. I think you should have the right to correct
any information that could identify you or certainly that is
wrong. But we have found some State actions, where they have
gone into medical privacy issues. You want to be careful how
you approach this because you could end up taking out data that
is used in the aggregate to identify problems with certain
areas, such as how the structures of diseases are evolving. So,
you want to make sure that you do not take this information in
the aggregate and not be able to use it in ways that will serve
people in general terms.
Senator Rockefeller. So, that would be one of the
advantages then of the Hollings bill that I support, and others
could have this in their bill too. We would preempt States. It
would be one standard for the whole country, so you would not
have to worry about that, would you?
Mr. Cooper. Well, all three bills include that, but we
definitely think that aggregated information can be very useful
to individuals, the economy as a whole, and the Nation as a
whole.
Senator Rockefeller. I happen to believe in access and
security very strongly. What is the point of having all of this
if it is not really secure? You say the seal, the gold
standard, all the rest of it. What is the point of having any
of this if it is not secure? Why would any bill leave out
security?
Mr. Cooper. Well, again we think that has to be addressed
and we think that we are getting close to what the answer
should be. We do not think that through the Committee process
we will have all the right answers certainly this Congress.
Senator Rockefeller. We are not going to pass this in this
Congress. This will not get passed until the 107th Congress. It
will be passed.
Mr. Cooper. We think there will be legislation at the
federal level as well.
What we would like to see, is that extra step, of a year
study within the McCain-Kerry bill to create the vetting
process that we think will reach the right answers.
Senator Rockefeller. But you do agree that the security
aspect is absolutely necessary.
Mr. Cooper. Yes, we do, as well as access. Those answers
have to be discovered to make the Internet work for consumers.
How we get there I think has to be at least an open process so
that the best answers can be discovered rather than the easiest
answer.
Senator Rockefeller. Mr. Rotenberg, just very quickly. In
that I am detecting a certain ambivalence in the answers and,
to be frank, wanting to have it both ways, could you comment on
what Mr. Cooper has said?
Mr. Rotenberg. I am sorry, Senator, which point? Regarding
the need for access----
Senator Rockefeller. Yes. In other words, yes, we want to
have security, but yes, we want to have the commission. Yes, we
want to take our time. There will be legislation but we need to
look at these things carefully. This could be difficult to
implement. Who knows what the consequences will be?
And we are not talking about telephone books. I did an
interview yesterday and somebody said the U.S. Chamber of
Commerce--wait a second. You have telephone books. Look, that
was then. That was like 30 centuries ago. We are talking about
worldwide millions, hundreds of millions of people.
Mr. Rotenberg. As I suggested earlier, I do not think there
is any question in anyone's mind at this point that privacy
protection is the No. 1 issue facing the future of the
Internet. This is everywhere that we read and in the polling
and you ask consumers, what is your view about the Internet. It
is exciting. It is great technology. It is a business
opportunity. But am I going to lose my privacy? I do not think
there is any question about the importance.
Now, on the access issue, I have to say it is a little
amusing and maybe, sir, this was your reaction as well. You can
go online tonight, if you do financial trading or bank records,
you have a tremendous amount of information online. A lot of
businesses have figured out how to make it possible for you to
get to your bank account information, to write checks, conduct
trades, give you access and provide you security. The thought
that at this point we need to create a study group to figure
out how to get that done--it is like turn on a computer and go
to one of these online brokerage firms. It is being done. The
question is, why is it not more widely done? Why can it not be
routinely done?
Senator Rockefeller. Thank you. Thank you, Mr. Chairman.
The Chairman. Senator Cleland.
STATEMENT OF HON. MAX CLELAND,
U.S. SENATOR FROM GEORGIA
Senator Cleland. Thank you very much, Mr. Chairman. Thank
you for the hearing.
I guess my instincts about telecommunications go back some
30-32 years ago when I was a young signal officer in Vietnam
and realizing that if you could not communicate securely, bad
things were going to happen. It does seem to me that in the
world of the Internet, where we have connectivity, where we do
not have just one-way communication--say, looking at a
television that is one way. If I voluntarily want to be part of
the Nielsen ratings, I can have a little box sitting on my TV
and I voluntarily opted in for somebody somewhere to follow the
patterns of my television viewing. I opted in. But if I did not
want to be part of the Nielsen ratings or some other ratings
system, I would have just sat there and enjoyed, in the privacy
of my home, watching television.
It seems to me with the Internet and what has been
described as the breaking down of walls, breaking down of
barriers, and this open playing field here, that it is a two-
way communication, and that when I access the Internet, I think
most of us still feel that it is a one-way, that we are getting
some good stuff. We access a lot of interesting things. It is
fascinating. We can play with it. We can surf it. We can do a
lot of good things. Basically I do not think Americans are
aware that somebody else is watching them while they are doing
that. I think therein is the rub.
The FTC found that some 92 percent of consumers on the
Internet are concerned and some 67 percent--that is two-
thirds--are very concerned about the potential misuse of their
personal information online. The personal information is if you
buy something online, you put your credit card on there, Visa,
American Express, whatever. That is personal information.
Fifty-seven percent of Internet users have decided not to
purchase online due to privacy concerns.
I think we are at one of those watersheds here where we
either work to enhance confidence about the use of the Internet
and being online or else we will see online usage attrit or not
used to its fullest potential, as you pointed out.
It is called privacy but I guess another way to look at it
is secure communication. Basically I think American consumers
assume security until they find out differently. So, in many
ways I think that is the baseline. They do not assume that
someone is watching them do their thing. So, that is where I
get a little bit confused here because my assumption is that
when I pay for a service and I access it, that my transactions
are going to be private unless told otherwise. It is when I
pick up a telephone. Some government agency cannot listen in on
my telephone or track my telephone conversation without my
knowledge or a court order. We have this pretty much ingrained
in our thought process.
So, quite frankly, I do not know whether to opt-in or opt-
out. If it is a jump ball every time I click on, I do not know
whether I am being watched or not being watched. I do not know
whether they are going to sell it to somebody else I do not
want to sell it to or not. Then if I access the privacy code,
then that could be changed tomorrow based on their view not
mine.
So, I think we are touching a raw nerve here with American
consumers who would love all the benefits of the Internet and
American business that would love all the benefits of the
Internet. And I am all for that. We just have a wonderful tool
here, but we just have to make sure that we keep American
confidence or consumer confidence in the Internet alive.
Therefore, we need you all to help us walk through this
mine field. None of us want to throw the baby out with the bath
water here. We want to move forward and not backward.
In this whole opt-in/opt-out thing, do you have any sense,
Mr. Rotenberg, that the American people just kind of assume
that their transactions are private unless told otherwise? Do
you have that sense?
Mr. Rotenberg. I think that is the common sense view,
Senator. I think it is as you described it. If a business asks
you for your credit card because you are going to buy something
by a credit card, you understand and you expect them to take
the credit card number for the purchase. If you want to have a
gift shipped to someone in your family around the holiday
season and they say, what is the address, and you give them the
address, you understand that that is to make sure that the
package is delivered.
Senator Cleland. May I just inject here? I call a florist
and I give them my American Express card number, but I am
dealing with that florist. It is a confidence thing. I do not
expect the florist to go down the mall and give my American
Express card number to everybody in the mall and then be
deluged with a bunch of offers on other things. I just do not
expect that. I expect the florist to hold that in confidence,
and it is a relationship kind of thing.
Mr. Rotenberg. I think the problem here and the reason that
there is a great deal of consumer concern is that we are
basically operating in an environment without rules. Businesses
understand that this personal data has value. It can be sold.
It can be reused, oftentimes for the benefit of consumers, I
should point out. There are certainly some benefits. But
consumers are losing control and businesses are not expected
today to follow any rules.
And I think that this tension is going to accelerate. I
think that this problem is going to increase going forward.
Businesses are going to be under increasing pressure to
generate revenues online, to make these e-commerce businesses
profitable. Consumers are going to be asked for more and more
detailed information.
We are about to enter a very interesting period where the
collection and use of genetic information will be
technologically possible within the next 5 to 10 years. And I
think it is important to put the rules in place.
The Chairman. Senator Cleland, thank you.
Senator Kerry, I know you have been waiting to ask a
question. Would you do me a favor? We have two more witnesses
in the next panel. As you know, we have been objected to and
are not supposed to go past 11:30. Mr. Berman is here in
Washington. Mr. Rubin, who is in the next panel, is from
Atlanta, and we all know how hard it is to get a flight out of
Atlanta to Washington.
[Laughter.]
The Chairman. So, I would ask for your indulgence. We will
assure Mr. Berman that we will invite him back to the next
hearing, and we will ask Mr. Rubin, who came all the way from
Atlanta, if he could give a brief statement, and then we could
ask questions. Would that be agreeable to you, John?
STATEMENT OF HON. JOHN F. KERRY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Kerry. Sure. I am not going to ask a question. I
just wanted to make a couple of points.
The Chairman. Maybe you could wrap up the hearing.
Senator Kerry. I will be happy to accommodate.
The Chairman. Thank you.
Mr. Rubin, would you come forward? The witnesses remain.
Bring a chair for Mr. Rubin. When the witnesses come from out
of town, we like to at least allow them to be heard.
Mr. Berman, I want to apologize to you and promise you that
you will be a witness at the next hearing in the first panel.
[Laughter.]
The Chairman. Mr. Rubin, would you give a brief statement?
Then, Senator Kerry, because of the objection to the Committee
meeting more than two hours, will wrap up by making some
comments. Maybe we could allow a response to your comments by
the panel, if that would be all right.
Senator Kerry. If they want to.
The Chairman. Mr. Rubin.
STATEMENT OF PAUL H. RUBIN, PROFESSOR OF ECONOMICS AND LAW,
EMORY UNIVERSITY
Mr. Rubin. Thank you for the opportunity to testify and
thank you for you considering my schedule trying to get back
and forth from Atlanta.
I am from Emory University, but I am here as a
representative of the Progress and Freedom Foundation which is
engaged in a big study, a major study, of how these Internet
markets work.
I think the conclusion we are reaching is that at this
point, in spite of all we have heard, there really is not very
good evidence that there is a market failure. We have markets
here. It is a new market, as we have all said.
In the FTC study, the most remarkable thing that I found
was the number of Internet sites and websites that have
increased their privacy notification. The various programs,
BBBOnLine, TRUSTe, are all relatively new. I think things are
progressing quite quickly and it is our belief and my belief
that we should really be very careful in looking at the problem
and seeing the extent to which markets can go some way toward
solving the problem.
We have heard lots of testimony this morning that people
are changing, the policies are changing. The websites are
posting privacy policies, and of course, if you go to a website
that does not have a privacy policy, consumers are starting to
learn what that means. We have heard people say that consumers
do not understand. We have also heard people say that consumers
are very concerned about privacy, and to the extent they are
concerned about privacy, it pays for private sellers and
websites to begin posting privacy policies.
We have heard discussions of new technologies that may be
coming online. We have heard mention of P3P, a protocol that
will perhaps greatly simplify consumer privacy preferences as
it goes forward.
So, I think the fear that we have is that it may be
premature that we really have not had time to observe how the
market will work.
There is discussion of a National Academy of Sciences
study. Progress and Freedom Foundation is also engaged in a
study. I think it is premature to legislate before we have this
information, before we have really had these objective studies
of the problem, as opposed to the evidence so far, which seems
to us to be mainly anecdotal. It is our belief that we really
should get more information.
Now, there have been discussions of the FTC. I used to work
at the FTC. I never found it to be a terribly flexible agency.
Once a rulemaking was in place, for example, it became very
difficult to change that rule. I was impressed, as I was
reading the P3P protocol that it was labeled P3P, Release 1.0,
which carries the connotation that there will be 2.0 and so
forth and so on. I have yet to see a law or a rulemaking that
comes with a release number, and the fear is that if we pass
something, it will perhaps freeze technology or change
technology, and that given the rapidity of change in this
industry, there is a real danger of passing something too soon.
So, you discussed going forward with the analysis and I
think that would be the recommendation, that we really do try
to get more information before we go ahead and do it, and
particular information about the way in which markets can and
are beginning to solve these problems as consumers express
their concerns.
[The prepared statement of Mr. Rubin follows:]
Prepared Statement of Paul H. Rubin, Professor of Economics and law,
Emory University, Atlanta, GA
Mr. Chairman and Members of the Committee:
I want to thank you for inviting me to testify on this important
matter this morning. I am appearing before you today in my capacity as
a Senior Fellow at The Progress & Freedom Foundation. While the views
expressed are my own and do not necessarily represent those of the
Foundation, its board, officers or staff, you should know that I am the
lead investigator in a major study of the costs and benefits of
regulating privacy now underway at the Foundation.\1\ The study is not
complete, but we have found enough to raise some questions relevant for
this morning's hearing. The issue as we see it is whether market forces
will be able do handle issues of privacy, or whether government
regulation will improve the functioning of the market.
---------------------------------------------------------------------------
\1\ I am also a professor of economics and law at Emory University.
---------------------------------------------------------------------------
I first discuss the market for privacy. I then address the issue of
whether we can expect government regulation to improve the situation. I
stress that these are preliminary results. To summarize, those results
suggest that legislation at this time would be premature. While
consumers clearly are concerned about on-line privacy, the risk of
unforeseen consequences from proposals for government intervention is
very high, and those consequences could be to impede the development of
the new medium to the detriment of consumers and the economy alike.
The Market
A transaction between a consumer and the owner or operator of a
website is a 2-party transaction. Therefore, in principle the parties
are free to negotiate the terms of that transaction. One of the terms
that can be negotiated in this way is the use of whatever information
the consumer gives to the website. There is no obvious reason why the
consumer cannot make the transaction conditional on the use of the
information, or why the marketplace will not offer the kinds of choices
consumers desire
For example, consider two competing websites both selling a
product--say, CDs. Assume that site CDP has a strong privacy policy,
and makes a strong and binding commitment to maintain privacy, and that
site CDNP has no privacy policy, and makes use of the information
provided by consumers for other purposes. Presumably, CDNP will sell
CDs cheaper than will CDP, because it earns revenue from the sale of
information received from consumers and so can charge a lower price for
CDs and still make a profit. But consumers might still prefer to deal
with CDP because the information is worth more to them than to the
website. This means that consumers would be willing to pay a higher
price for CDs and retain their rights in the information, rather than
paying a lower price and losing their rights. If this is the preference
of consumers, then at equilibrium CDP will get more business than CDNP,
and ultimately CDP's business model will prevail in the marketplace.
Alternatively, if the information were worth more to the website than
to the consumer, then consumers will prefer to deal with CDNP because
of the lower price, and CDNP's business model will prevail.
A more likely result is that some consumers will prefer more
privacy and deal with CDP, and others will prefer lower prices and deal
with CDNP. Merchants often offer different terms of sale and prices
(Wal-Mart and Macy's) and there is no reason to expect more uniformity
of terms in the market for information than in the markets for other
sorts of contractual provisions.
There are of course various assumptions in the above story. One of
the most important is that consumers know and understand the privacy
policies of the two websites. If they do not, then the market will not
function as described. For example, consumers who value the information
more than does the website might shop at CDNP because of its lower
price. Such consumers would be harmed, because they would be
transferring information at a price below its value to them.
Government mandated notice requirements, such as those proposed in
the Federal Trade Commission's recent Report to Congress,\2\ and in the
bills under consideration today, assume that consumers do not
understand the privacy policies of alternative websites and that
government action is needed to make such information available. As a
general matter, however, there are strong incentives for the
marketplace to provide such information to consumers. In the example
above, CDP will have an incentive to tell consumers that they will
guarantee privacy. They may do so by explicitly comparing themselves
with CDNP, but even if they do not, consumers will be able to learn
that CDP provides privacy. When they visit site CDNP they will not see
any mention of privacy, and will rationally assume that the site does
not provide this benefit.\3\ This competition between websites over
privacy policies is potentially important, although many analysts have
ignored such competition.
---------------------------------------------------------------------------
\2\ ``Privacy Online: Fair Information Practices in the Electronic
Marketplace: a Report to Congress,'' Federal Trade Commission, May,
2000.
\3\ Sanford Grossman (1981), ``The Informational Role of Warranties
and Private Disclosure About Product Quality,'' Journal of Law and
Economics v. 24, December: pp. 461-483.
---------------------------------------------------------------------------
It is sometimes argued that it may be too expensive for a given
site to provide useful information. This argument suggests that, if
consumers do not understand privacy issues, it would be costly for a
particular site to explain these issues, and other sites could free
ride on the efforts of one site to explain. Moreover, it would take a
substantial amount of time for a consumer to read and absorb the
privacy information provided by a site, and it may well be that the
cost of obtaining this information is greater than the value. This
could lead consumers either to avoid the Web altogether, or to
``mistakenly'' purchase from sites like CDNP and suffer a net loss.
The economics of transactions costs and various approaches to
minimizing such costs are one of the areas we are examining in our
study. As a general matter, however, issues like those above would be
of greatest concern if consumers were broadly ignorant of privacy
issues. While this may have been the case in the early days of the
Internet, it no longer is. Indeed, as summarized in Table 1, privacy
has become a major concern of users of the Internet, with most polls
showing that majorities of users are concerned with privacy. Some take
this level of concern as a justification for government regulation.
But, in fact, it is the opposite: If enough consumers are concerned
with privacy, the marketplace will be more likely to respond to their
concerns.
The FTC's report seems to suggest the market is responding as one
might expect. In its 1998 report, the FTC indicated that only 14
percent of websites disclosed their information practices. In the 2000
report, 88 percent of a random sample of sites and 100 percent of the
Most Popular sites had some privacy disclosure.\4\ Thus, in a very
short time, the percentage of sites voluntarily providing information
about privacy policies has increased from a small fraction of websites
to all of the most popular, and most of the others.
---------------------------------------------------------------------------
\4\ Data from ``Privacy Online,'' pp. i, ii.
---------------------------------------------------------------------------
There is substantial additional evidence that consumers and firms
are already making well informed decisions about privacy matters. For
example:
In one survey, the most common reasons for not registering
at a website are that the terms and conditions of the use of
information are not clearly specified, or that revealing the
requested information is not worth registering and being able
to access the site.\5\
---------------------------------------------------------------------------
\5\ GVU's 7th WWW User Survey, http://www.gvu.gatech.edu/gvu/
user_surveys/survey-1997-04/
Many companies, including IBM and Walt Disney, do not
advertise on websites that do not have privacy policies.\6\
---------------------------------------------------------------------------
\6\ ``It's Time for Rules in Wonderland,'' Business Week, March 20,
2000.
Companies are increasingly hiring ``privacy officers'' and
giving them substantial power and discretion in setting company
policies. In fact, Alan Westin, a well known privacy advocate
and expert, offers a training course for this position.\7\
---------------------------------------------------------------------------
\7\ D. Ian Hopper, ``Companies Adding Privacy Officers,'' AP, July
11, 2000.
There are other mechanisms available to minimize the costs of
dealing with privacy issues. One such mechanism is the use of voluntary
standards, as defined and explained by a consortium of web operators.
Large firms--Microsoft, AOL, Intel--make enough money and are large
enough forces so that it pays for them to internalize production of
various standards.\8\
---------------------------------------------------------------------------
\8\ Peter Swire (1997), ``Markets, Self-Regulation, and Government
Enforcement in the Protection of Personal Information,'' in Privacy and
Self-Regulation in the Information Age, U. S. Department of Commerce,
Washington, DC. http://www.ntia.doc.gov/reports/privacy/selfreg1.htm.
---------------------------------------------------------------------------
As a general matter, there are voluntary standards organizations
that deal with a wide variety of issues. ANSI (the American National
Standards Institute), for example, is an umbrella organization for over
1000 members.\9\ The American Society for Testing and Materials (ASTM)
is another voluntary standards organization.\10\ Defining a standard of
Internet privacy is in principle no different than defining other
standards. A standard can establish a set of defaults and can serve to
inform consumers of the options and issues involved in privacy. In
other words, a standard can serve to define the property rights so that
transactions can occur and the right can be properly assigned through
market processes.
---------------------------------------------------------------------------
\9\ See http://www.ansi.org/
\10\ http://www.astm.org/index.html
---------------------------------------------------------------------------
For example, the World Wide Web Consortium (W3C) is a consortium of
434 members, including the largest players in the Internet, such as
Microsoft, America Online and Cisco.\11\ This consortium is in the
process of drafting a major private privacy protocol, the Privacy
Preferences Project, P3P.\12\ While P3P is not yet operational, there
are numerous private seal programs already in place, including TRUSTe
and BBBOnline.\13\ The Direct Marketing Association also has various
voluntary standards in place, including a method consumers can use to
have their names removed from email lists, and members of the
Association must meet certain requirements regarding privacy on the
web.\14\ Thus, organizations such as the BBB, TRUSTe or W3C can define
property rights and provide information about them and about
alternatives.
---------------------------------------------------------------------------
\11\ For the W3C homepage, see http://www.w3.org. For the list of
members, see http://www.w3.org/Consortium/Member/List.
\12\ http://www.w3.org/P3P/.
\13\ http://www.bbbonline.org/
\14\ http://www.the-dma.org.
---------------------------------------------------------------------------
Government
While the market appears to be responding well to consumer demands
for more control over their personal information, some still argue that
there is a role for government regulation. Government, perhaps, might
move more quickly than the marketplace, or provide a greater degree of
uniformity, or better reflect the ``value'' of personal privacy in ways
the market would not. These are all issues we are examining in our
work.
One cautionary note about government regulation, however: It is
extremely inflexible. Once a major law is passed, it tends to establish
a regulatory framework that lasts for a long time. For example, the
Federal Communications Commission began allocating licenses using
inefficient methods such as administrative hearings when it was
founded, and it took many years until the agency began using an
auction, although economists and others advocated sale of licenses at
least as early as 1951.\15\ This danger has been referred to as
``freezing technology''--that is, destroying incentives for innovation,
since innovations will not satisfy the government requirements.
---------------------------------------------------------------------------
\15\ Thomas W. Hazlett (1998), ``Assigning Property Rights to Radio
Spectrum Users: Why Did FCC License Auctions Take 67 Years?'' 41
Journal of Law and Economics, Number 2, Part 2, October.
---------------------------------------------------------------------------
There are several reasons for the relative inflexibility of
government regulation. First, simply getting Congress to pass a major
piece of legislation is difficult. Congress has limited ability to pass
such legislation, and does not tend to re-examine an issue frequently.
Second, there is the regulatory time interval required to implement the
law. Third, and perhaps most important, the passage of a law and
subsequent promulgation of regulations create interest groups with an
interest in maintaining that law. For example, attorneys specialize in
dealing with the law as it exists, and become a vocal group in opposing
changes. Firms come into being specializing in institutions that comply
with the law, and these firms also lobby to retain the current law.
Regulatory authorities in charge of enforcing particular laws lobby for
the retention of these laws, an important component of the FCC delay
mentioned above. The institutions created by the law themselves become
barriers to entry, as potential entrants must adapt to these
institutions. On the other hand, those who could benefit from changes
in the law have difficulty in making their voices heard.
It is a cliche to say that the Internet is dynamic. But it is true.
Any regulation at this time would freeze some aspects of the Internet
in their current state. Even if the regulators were able to regulate
perfectly for today's environment, any regulations would quickly become
obsolete as the Internet changes. The P3P release is P3P 1.0,
indicating that, like software in general, the drafters expect that the
privacy policies embedded in the document will change over time.
Indeed, at several places in the document itself there are indications
of directions for change in future versions. While such expectations
drive software and the development of the web, laws passed by
government do not come with release numbers--because there is no
expectation that they will be changed quickly (or ever). While change
is the normal state of affairs for the Internet and for software and
other elements that interact with the Internet, it is not the way in
which government operates.
It is important to remember that technological and marketplace
developments in the privacy and security arena are happening almost
daily. One new program has increased the ability of websites to
identify consumers logging on to the website.\16\ The technology allows
the Checkfree website, in conjunction with Equifax, the credit
reporting agency, to identify customers quickly and accurately, thus
increasing security. Another relatively new service, PayPal from X.com,
enables consumers to pay bills on the Internet anonymously.\17\ A
virtually infinite array of such technologies is in development.\18\
Any regulation passed by Congress could interfere in unknown and
unpredictable ways with such technological progress.
---------------------------------------------------------------------------
\16\ D. Ian Hopper, ``New Way Found to ID Web Customers,'' AP, July
17, 2000.
\17\ Michelle Slatalla, ``Easy Payments Put Hole in the
Pocketbook,'' New York Times, June 29, 2000.
\18\ Peter Wayner, ``New Tools to Protect Online Privacy,'' New
York Times, November 11, 1999.
---------------------------------------------------------------------------
It is also important to keep in mind that government regulation is
of necessity of the ``one size fits all'' variety. But with respect to
Internet privacy, different consumers have different preferences. These
are documented carefully in a survey on Internet privacy by AT&T.\19\
For example, those most concerned about Internet privacy--those the
AT&T report calls ``privacy fundamentalists''--often already protect
themselves using a variety of techniques, such as anonymous
remailers.\20\ On the other hand, at least one company,
AllAdvantage.com, pays consumers for the right to monitor their
browsing, and some consumers are apparently willing to join this
program.\21\ Thus, consumers clearly have different preferences
regarding Internet privacy.
---------------------------------------------------------------------------
\19\ Lorrie Faith Cranor, Joesph Reagle, and Mark S. Ackerman,
(1999), ``Beyond Concern: Understanding Net Users' Attitudes About
Online Privacy,'' AT&T Labs-Research Technical Report TR 99.4.3, http:/
/www.research.att.com/library/trs/TRs/99/99.4/
\20\ Lorrie Faith Cranor, ``Agents of Choice: Tools That Facilitate
Notice and Choice about Web Site Data Practices'', available online.
\21\ http://www.alladvantage.com/home.asp?refid=
---------------------------------------------------------------------------
Furthermore, it seems likely that consumers have different privacy
preferences regarding different types of information. In one survey,
for example, consumers were less willing to provide social security and
credit card numbers than other types of information. Similarly, 78
percent would accept cookies to provide a customized service; 60
percent would accept a cookie for customized advertising; and 44
percent would accept cookies that conveyed information to many web
sites.\22\
---------------------------------------------------------------------------
\22\ Cranor et al., 1999.
---------------------------------------------------------------------------
Incorporating such nuances in a government regulation would be
difficult, and any privacy notice that resulted would have to be
exceedingly complex, perhaps to the point that most people would be
unwilling to read such a detailed notice. The very value of information
to advertisers is evidence that at least some consumers benefit from
the information being available to sellers. Advertisers would not value
information if they could not use it to sell products. But if consumers
buy products based on being contacted by merchants, then consumers must
benefit, else they would not buy the products. The modern theory of
advertising indicates that most or all advertising provides valuable
information, and if advertising leads to sales than at least some
subset of consumers is benefiting from the advertising.
Summary
In summary, there are reasons for expecting the market to manage
privacy issues efficiently. There are also substantial dangers from
inappropriate government intervention. If we rely on the market and the
decision turns out to be incorrect, we can always pass legislation
later. But if we regulate, it is much more difficult to change our
position. At The Progress & Freedom Foundation, we are working to
produce a report to help Congress and other policymakers evaluate the
relative merits of market-based approaches, on the one hand, and
government regulation on the other. The results of that research, at
this stage, suggest that premature legislation and/or regulation is
likely to do more harm than good.
Mr. Chairman and Members of the Committee, that completes my
prepared statement. I would of course be pleased to respond to any
questions you may have.
Table 1: Is Privacy Important to Internet Users?
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
AARP National Survey, 2000 Percentage of respondents having made internet 74% (40% very concerned,
purchases who say they are concerned about privacy 34% somewhat concerned,
Page 35)
AT&T Labs-Research: Beyond Percentage of respondents who say they are very or 87% (Page 6)
Concern: Understanding Net somewhat concerned about threats to personal
Users' Attitudes about Online privacy while online
Privacy, 1999
Louis Harris and Associates, Percentage of net users who are concerned about 81% (Page 3)
Inc.: E-Commerce and Privacy: threats to their personal privacy while online
What Net Users Want, press
release, 2000
IBM Multi-National Consumer Percentage of U.S. respondents who somewhat or 80% (Page 76)
Privacy Survey, 1999 strongly agree with the statement ``Consumers have
lost all control over how personal information is
collected and used by companies.''
IBM Multi-National Consumer Percentage of U.S. respondents who somewhat or 71% (Page 76)
Privacy Survey, 1999 strongly agree with the statement ``It's
impossible to protect consumer privacy in the
computer age.''
IBM Multi-National Consumer Percentage of U.S. respondents who somewhat or 64% (Page 76)
Privacy Survey, 1999 strongly agree with the statement ``Most
businesses handle the personal information they
collect about customers in a proper and
confidential way.''
IBM Multi-National Consumer Percentage of U.S. respondents who somewhat or 59% (Page 76)
Privacy Survey, 1999 strongly agree with the statement ``Existing laws
and organizational practices in the United States
provide a reasonable level of consumer privacy
protection today.''
Cyberdialogue: Capturing Percentage of respondents who feel that online 52% (Page 12)
Visitor Feedback, 1997 services which ask for personal information are
directly invading their privacy
Cyberdialogue: Privacy vs. Percentage of respondents who feel that online 37% (Page 1)
Personalization, 1999 services which ask for personal information are
directly invading their privacy
AARP National Survey, 2000 Percentage of respondents who cited concerns about 24% (Page 34)
privacy as a reason for not having made any
internet purchases (multiple answers were
permitted; ``not interested'' was top answer)
AARP National Survey, 2000 Percentage of respondents who cited security/ 6% (Page 24)
privacy concerns as a reason for not having
internet access (multiple answers were permitted;
``no interest or need'' was top answer)
----------------------------------------------------------------------------------------------------------------
References for Table 1:
American Association of Retired Persons, ``AARP National Survey on
Consumer Preparedness and E-Commerce: A Survey of Computer Users Age 45
and Older.'' March, 2000.
AT&T Labs, ``Beyond Concern: Understanding Net Users' Attitudes
about Online Privacy''. Available online at http://
www.research.att.com/library/trs/TRs/99/99.4/ 99.4.3/report.htm. April,
1999.
Cyber Dialogue, ``Capturing Visitor Feedback.'' Available at http:/
/www.cyberdialogue.com. March, 1997.
Cyber Dialogue, ``Privacy vs. Personalization: A Delicate
Balance.'' Available at http://www.cyberdialogue.com. 1999.
Cyber Dialogue, ``Privacy vs. Personalization Part III.'' Available
at http://www.cyberdialogue.com. 2000.
Harris Black International, ``The Use and Abuse of Personal
Consumer Information.'' Available online at http://
www.harrisblackintl.com/harris_poll/index.asp?PID=8. January, 2000.
Georgetown University, ``Georgetown Internet Privacy Policy Survey:
Report to the Federal Trade Commission''. Available online at http://
www.msb.edu/faculty/ culnanm/gippshome.html. June, 1999.
IBM, ``Multi-National Consumer Privacy Survey.'' October, 1999.
Louis Harris and Associates, Inc. and Dr. Alan F Westin, ``E-
Commerce and Privacy: What Net Users Want'', press release. Available
online at http://www.pandab.org/E-Commerce%20Exec.%20Summary.html.
July, 2000.
National Consumers League, ``Consumers and the 21st Century''.
Available online at http://www.natlconsumersleague.org/FNLSUM1.PDF,
1999.
NFO Interactive, ``Online Retail Monitor: Branding, Segmentation, &
Web Sites''. 1999.
Privacy and American Business, ``Personalized Marketing and Privacy
on the Net: What Consumers Want.'' November, 1999.
Privacy and American Business, ``'Freebies' and Privacy: What Net
Users Think.'' Available at www.privacyexchange.org/iss/surveys/
sr990714.html. July, 2000.
The Chairman. At what timeframe do you think we would have
this?
Mr. Rubin. Well, we are hoping to have at least a
preliminary study by January. I do not know what the time
table, for example, for the National Academy of Sciences is.
But I think at this point we do not have the information to
pass legislation.
The Chairman. Senator Kerry.
Senator Kerry. Thank you, Mr. Chairman.
The Chairman. And I thank you, Senator Kerry.
Senator Kerry. I am delighted. I just wanted to make a few
comments, and I think obviously we have got to try to respect
the time here.
I agree with Mr. Rubin, and I think you know, Mr. Chairman,
you and I have been working together. I think I was one of the
early advocates in this Committee, if not the first, to suggest
that there is a lot of unknown here as Congress began to sort
of respond to the hue and cry about privacy. There was some
early legislation submitted on this Committee, and I have great
respect for the authors of that legislation. It represents sort
of one pole in the debate. Senator McCain and I have written a
piece of legislation that represents a different one, and I am
confident there will be even other views as we move forward
here. But I would like to make a couple of points about it.
First, there is no question among any of us at all that
consumers expect a certain degree of privacy on the Internet.
We have seen that in survey upon survey, and we see it also I
think in behavior. And those concerns, I am confident, will be
addressed.
But I think the expectation of privacy when they surf the
Internet is different from what they demand particularly for
medical records and for financial information. I think those
are two items that particularly are distinguished, and we have
separate pieces of legislation addressing those.
A survey done in Massachusetts supports this conclusion.
Mass Insight Corporation found in a survey performed in May of
this year that where they can clearly perceive specific
benefits from data collection and information sharing on the
Internet, most people see the rewards outweighing any concerns
about privacy.
Now, Massachusetts does have more Internet users than the
national average, and that may make them more comfortable with
privacy practices on the Internet. But I think it also
indicates, as more and more people use the Internet, that they
too become more comfortable sharing certain kinds of
information in exchange for the benefits that they receive. A
very interesting statistic from that survey is that 70 percent
of Massachusetts adults have access to the Internet, and of
those, 69 percent say the benefits of electronic information
sharing outweigh the risks.
We also have a responsibility to establish a baseline for
privacy standards, but I think what Senator McCain and I have
done actually empowers consumers to make that kind of
discerning decision that best suits their needs.
I have mentioned that we obviously will deal with the
medical records and financial issues separately.
But I want to point out that another important finding in
the Massachusetts survey is that when asked to choose between
privacy risks and specific benefits and real-life tradeoffs,
more people say that we should encourage rather than discourage
technology-based information sharing.
In the category of shopping over the Internet, which is the
area that we are really targeting, 49 percent of the people
surveyed said we should encourage information sharing compared
to the 38 percent who said we should discourage it.
Finally, Mr. Chairman, I would just point out that given
our interest in campaign finance reform, 69 percent of the
people surveyed believe we should encourage more technology-
based information sharing in the laws regarding disclosure of
political contributions.
Now, I would like to point out also part of the early
debate, and Senator Cleland was just going through this a
little bit in his questions about offline/online distinctions.
Again, early on I have tried to point out that if privacy is
the concern in Americans' minds, we have to recognize that
while there are different sectors of the marketplace, the
marketplace is essentially the marketplace and privacy no
matter where it occurs. If the right to privacy accrues in one
place, certainly it accrues in another, and we have to look
very carefully at how we do anything--and a number of you have
mentioned this in your testimony this morning--really affects
the marketplace as a whole and the capacity to pick winners and
losers inadvertently sort of as an unintended consequence of
trying to protect rights in one place without being certain we
fully understand the implication of those rights in other
places.
Specifically, the list of areas which we are learning more
and more about where Americans are affected in the context of
privacy within the marketplace is really quite extraordinary.
One can easily solicit campaign contributions from donors who
have given to almost any list, and that is bought and sold in
the marketplace every day.
Age of any individual. Date of birth is included in almost
all data bases, and it can be used to determine whether the
magazine you subscribe to includes ads targeted to seniors or
to teenagers or so forth. All of that marketable and available.
The cost of your own house. Real estate transactions
available to the public at the county courthouse. Companies
copy this information, sell it to third parties. All kinds of
targeting can take place through that.
Travel habits. Airline frequent flyer programs keep track
of numerous habits, including frequency of travel,
destinations, hotels, car rentals, all of it available within
the marketplace.
Purchasing habits. Supermarket shopping carts could be
used, anywhere you purchase whatsoever, to create a data base
on individuals as to whether they purchase personal items that
might be embarrassing, home pregnancy tests, baby food,
anything, all of which can result in targeting.
Health information. When patients answer questionnaires and
disclose that they have cancer, diabetes, or arthritis, that
information can be sold to pharmaceutical companies and is and
winds up in various kinds of marketing and targeting.
Phone habits. A telephone company can tell how often and
where you travel by keeping track of how often and from where
you use your telephone calling card. They can sell that
information to hotel companies, to rental car companies, and
airlines.
Creditworthiness likewise opens people up to all kinds of
questions about bank marketing, higher interest rates, and so
forth.
Sexual preferences, subscriptions to magazines, or
contributions to an AIDS related charity would give marketers
an indication of sexual preference and marketing capacity.
Birth of a newborn, women who subscribe to parenting
magazines, shop at maternity stores, sign up for childbirth
classes, any number of things.
Browsing habits. Department stores in malls use
surveillance to study the best layouts of stores and displays.
Other information can clearly be gleaned from that.
So, we probably all have great differences of opinions
about which of these practices we believe is egregious and
violates our propriety, but it does not stop us from going to
the malls, making purchases or continuing to use credit cards
and engage in the marketplace. Clearly there are tiers and
distinctions of the violation, in a sense, of one's expected
zone of privacy, and Americans understand that.
I think, Mr. Chairman, we need to understand that very,
very clearly as we approach any kind of legislative effort here
with the understanding that the consequences of that clearly
can have major impacts on the marketplace itself, as well as
the growth of the Internet which depends on advertising to be
free. One of the most important things we need to take note of
is that Americans have an expectation that it will be free. And
if we are concerned about divide and other issues, that free
access is going to be increasingly important to us in terms of
equal access in America and equal opportunity to use the power
of the Internet.
So, I welcome these hearings. I think they have already
shed a lot of light. They have been helpful in educating the
Committee. We are not going to be able to legislate this year
obviously, but as we come into next year, I hope our study and
I hope other information will be available to us.
I do not know if any of the panelists want to comment
quickly on anything I have said, but I will not ask a specific
question.
The Chairman. I want to thank Senator Kerry for one of the
more in-depth analyses of this issue. I hope that every member
of the Committee gets a chance to read that statement because I
think it puts a perspective on this issue that is vitally
important. Sometimes we have a tendency to more narrowly focus.
I would like to ask the witnesses, beginning with you, Mr.
Rubin, if you any response to Senator Kerry's statement. We
will make it brief because we are about the incur the wrath of
the Senate rules. Mr. Rubin.
Mr. Rubin. I think it was a nice statement, particularly
pointing out that there may be further implications and things
that you do may affect the marketplace in ways that have not
been thought about. I think that is a very important point to
keep in mind going forward.
The Chairman. Mr. Rotenberg. By the way, you are free to
make any additional comments.
Mr. Rotenberg. I would just say, Mr. Chairman, I certainly
agree, Senator, it is a big and complex issue and it touches
many different aspects of our private lives. But we have
struggled with this issue in the United States for more than a
century now, and the wonderful thing about our legal system is
that it has adapted, and we have over time enlarged the legal
right of privacy as new technologies have evolved. This is a
complex one, but I do not think the enormity of the task should
be a reason not to proceed.
People value this right. They really do. We each value it
in a different way, but we do value it as a country. I think we
look to the Congress to ensure that it will be protected in
law.
The Chairman. Mr. Garfinkel.
Mr. Garfinkel. Senator Kerry, I am honored to be one of
your constituents.
But I would like to say something that industry has been
saying a lot, which is that unless there is this personally
targeted information, the Internet will not remain free. There
is no basis for that statement. There is no basis for saying
that you can get higher ad rates if you know who is at the end
of the Internet connection than you could by selling car ads on
a car site and electronics ads on an electronic site.
Personally targeted ads is something that the technology makes
available, but it is not something that necessarily is good. We
know that there are lots of things that the technology makes
available but that do not make economic sense, like video
telephones.
So, I would encourage you to say that there are a lot of
very important privacy issues here, and you touched upon them
all. But I am not sure we need to sell our privacy to get free
Internet service.
The Chairman. Do you think it is a violation of privacy,
one of the examples that Senator Kerry just mentioned, that
because one of us donates to one individual in a political
party, that that information should be sold throughout the
Nation to virtually every cause that there is? Do you believe
that is a violation of our privacy?
Mr. Garfinkel. We have made a decision as a people----
The Chairman. Well, I would like to know your opinion as to
whether it is a violation of privacy or not.
Mr. Garfinkel. I believe that the violation of privacy that
comes from the disclosure of political contributions is an
acceptable price because----
The Chairman. I am talking about selling that information,
not having it disclosed. We all know about disclosure laws, Mr.
Garfinkel.
Mr. Garfinkel. I believe that any information that comes
from the government that is sold now should be distributed for
free to the people of this country.
The Chairman. I am sorry that you will not answer my
question.
Mr. Vradenburg.
I think it is a legitimate question Mr. Kerry asked, and I
am sorry you will not answer it.
Go ahead, Mr. Vradenburg.
Mr. Vradenburg. Senator Kerry, I thought you brought a good
perspective to this, and I think the only closing comment I
would make is that we probably in industry share virtually
every value you articulated. And the great challenge that we
have to work through together during the course of the next
congressional session is achieving the balance between a
marketplace that provides free flow of information, which is
innovative and which provides a continuing refreshment of the
products and services and how we respond to consumers and, at
the same time, honor and respect the privacy values that
Senator Cleland has mentioned because I do think that there is
a balance here.
I think that we try and respond to it in industry in terms
of the conservatism with which, for example, AOL might take
with the handling of the personal information of its members,
but in fact, this is a conversation that we ought to have to
make sure that we have struck the right balance, whether it be
industry on the one side or government on the other.
Again, I do not think you were here, Senator Kerry, but I
would challenge the Committee, as it thinks through its bills,
to apply the bills to the government's handling of personal
information, not because I say that as a challenge, but to say
it as a technique by which we ought to discover the hardness of
some of these questions and the balances that you seek to
achieve.
Senator Kerry. I agree completely with that.
Mr. Vradenburg. As you look at the Freedom of Information
Act and the wider dissemination of government records, we will
begin to question that when it becomes available to your
neighbor as opposed to the private investigator or the lawyer
that you can hire. In fact, the wider dissemination of
information through electronic records is going to be a
challenge to our Freedom of Information Act and the way we look
at government records and the way we look at disclosure. I do
not think that the government has got it right yet. I am not
sure that business has got it uniformly right yet. But it is a
conversation that I think is vitally important and I think we
both have to go through that conversation honestly to try to
arrive at the right balance for both government and for
industry.
The Chairman. Mr. Cooper.
Mr. Cooper. I think this Committee deserves a lot of credit
for getting beyond the zero sum game that I think this issue
has been held hostage to up till now. I think what we are
finding is that a significant, hopefully a critical mass of
companies are willing to say we need to work with you, we need
to find ways of making this work, though not where we then say
that all the answers have been revealed, because I do not think
that they have.
We think that a lot of very useful information will be in
the aggregate whether it is in medical or whatever. We do not
want to lose that. We do not want to lose the advantages that
technology is giving us for taking the aggregate use of this
information to benefit the country as a whole.
At the same time, in working through these issues we will
have to engage business, consumers, and policymakers to find
the right answers. Hewlett-Packard thinks that McCain-Kerry has
it about right. We think the National Academy of Sciences is
the place to resolve a lot of these issues or at least give
Congress the opportunity to have a debate based upon a clear
set of facts that I do not think is going to come out of just a
polarized debate by the loudest voices.
Senator Kerry. Well, Mr. Chairman, thank you.
I would just point out that what the chairman and I have
introduced is a pretty strong requirement of notice and choice.
In point of fact, one of the reasons I ran through that list of
examples is, if you measure all of those, we are in fact
providing greater privacy opportunity through what we have
offered than anybody has in any of those other sectors I just
talked about. I ask people to take note of that. You will have
actually greater privacy, just through the notice requirements
and the choice requirements, than you have in any of those
other sectors of the economy.
You have to also measure the harm done. I go home and I
have got 50 magazines waiting for me from whatever it is,
targeted from whatever I have purchased previously. You could
stop them all, and most of them wind up very quickly going
straight--it is a shame what happens to the trees in the
process, but that is what happens. But what is the harm done
measured against the other choices we have? That is what we
have to ask very carefully here, is what is the harm done that
somebody got an advertisement. As long as personal information,
medical, financial, genetic is obviously an enormous concern,
these kinds of things. I think we ought to be able to define
that line fairly readily. So, I welcome the debate.
Thank you, Mr. Chairman.
The Chairman. I would like to apologize again to Mr.
Berman. Mr. Berman, we will see you next time. We will be
having several more hearings in the month of January because
this issue has obviously not been resolved.
I want to thank the witnesses for a spirited dialog. We
like to have the point/counterpoint in this Committee, and I
think it is very helpful to the members. I want to thank all of
you for coming, and we will welcome you back in January.
As much as I would like to assure people that we will pass
legislation between now and the next week or two, it simply is
not something that is going to happen. But at the same time, I
think by the time January or February rolls around, this issue
will have increasing importance that the Congress of the United
States act in some way on it.
I thank you all. This hearing is adjourned.
[Whereupon, at 11:49 a.m., the Committee was adjourned.]
APPENDIX
Prepared Statement of Hon. Max Cleland, U.S. Senator from Georgia
Reality television has hit an all-time high in the ratings system.
This form of entertainment allows viewers to watch the ``real'' lives
of people on TV, but once these viewers cut off their TV and cut on
their computer, they become the focus of reality web surfing. Cookies
allow on-line companies to gather a great deal of information about
consumers and possibly link this information with the person's name,
address, social security number, and other personally identifiable
information. While the people on television know the cameras are taping
their every move, many on-line consumers have no knowledge of how
companies monitor their behavior.
Today this Committee revisits the issue of on-line privacy.
Estimates are that 137 million Americans can access the Internet and
about 300 million people worldwide. America, with almost double the
number of net users, is the world leader, and the Federal Trade
Commission has recommended that these users need adequate privacy
protection when surfing the web.
I would like to remind the Committee of some statements in the FTC
report:
92 percent of consumers are concerned and 67 percent are ``very
concerned'' about the misuse of their personal information online;
57 percent of Internet users have decided not to purchase online
due to privacy concerns;
79 percent of consumers identified the ability to be removed
from a site's mailing list a ``very important'' criterion in assessing
a site's privacy protections, and
79 percent of Internet users believe that a procedure allowing
the consumer to see the information companies have stored about them is
``absolutely essential'' or ``very important.''
S. 2606, of which I am a co-sponsor, addresses these issues raised
by the FTC report. It allows customers to ``opt-in'' in order for
websites to use their personally identifiable information and ``opt-
out'' for use of non-personal information. S. 2606 also requires that
consumers have access to the information collected about them by a
website and the ability to correct it. It requires that consumers be
aware of how collected information will be used and that everything is
adequately protected.
Reality programs belong in a world in which people know their
actions are being taped. They do not belong in a world in which many
users are not aware of the vast amounts of information collected about
them. Notice, consent, access, and security are the recommendations of
the FTC report, and they are guiding principles of S. 2606. I look
forward to the testimony that will be offered here today.
______
Prepared Statement of Scott Cooper, Hewlett-Packard Co., Manager,
Technology Policy
Legislative questions about opt-in and opt-out
Levels of data collection affected by opt-in/opt-out strategies
The HP privacy policy is one external manifestation of HP company
strategy and vision to make the web a friendly place for customers,
inspiring trust. resulting in positive benefits and experiences, and e-
commerce growth.
When discussing privacy and opt-in/opt-out practices, its important
to address the scope and nature in applying these practices. The terms
are often used to cover different aspects of data collection and use
that differ in the level of privacy protection offered and the value
proposition between customers and businesses. These practices (opt-in,
opt-out) should be evaluated in relation to sharing personal data with
3rd parties, customer contact strategies using personal data and the
collection itself of personal data.
A. Data sharing with 3rd parties
1. Personal data. HP policy is not to sell or rent our customer
data. In the case of HP relationships with a few strategic partners, HP
policy is that customers must opt-in to share their personal data. We
believe this approach respects the trust and boundaries that customers
expect when providing their personal data to a company. This policy
applies to offline and online data. Customer feedback to HP is very
positive regarding these policies.
2. Aggregated (non-personal) data. HP occasionally shares
aggregate, non-personal data with a few strategic business partners for
the purpose of understanding web navigation and usage. This is how we
analyze design effectiveness, usability and usage trends of joint
programs or services offered, ultimately measuring successes (or the
lack of). These measures drive billing and payment between business
partners. HP receives aggregated non-personal data through the HP ad
banners placed on web sites. We do not accept personal data from these
sources or link the non-personal data to HP-held personal data. HP
receives virtually no customer feedback on this level of data sharing.
B. Contact based on data collection
The most common discussion regarding opt-in and opt-out relates to
direct contact from a company to a customer. When discussing this, it
is important to remember the scope which includes marketing contact,
support contact and administrative contact.
Marketing contact refers to programs and information directed at
customers or potential customers about new products and services.
Besides product information, features and benefits, this includes
special offers, promotions and sweepstakes. It may include market
research/customer surveys.
Support contact refers to information and solutions directed at
customers to solve functional, repair issues or improve performance and
usability. This includes software drivers, news and information,
diagnostic analysis/tools and product upgrade data.
Administrative contact refers to information directed to customers
as part of a process or transaction, such as order confirmation,
contract renewals and records management.
In all types of contact the approaches will vary from direct
person-to-person telephone (call center), email, or hardcopy mail.
Customers have views and concerns about marketing contact different
from support contact. In general, support-related contact is not an
issue for customers, given the correct assumption that it is collected
only for support purposes, but NOT specific to one transaction or
interaction. In cases where support-related personal data is used for
marketing contact, then the issues become the same as general marketing
contact. Some customers view the use of support contact personal data
for marketing purposes as a violation of trust even when they are
clearly informed that this is a possibility. The vast majority of
customers expect, value and even demand administrative contact.
In evaluating opt-in for HP, we have focused largely on marketing
contact and secondarily on support contact. In some contact the
boundaries between marketing and support contact are blurred--for
example where is the difference between sending information about new
products as compared to product upgrade notices that correct
functionality or prevent repair problems? In general, we believe the
difference is how the contact is initiated. With a support situation
there is often a true real need from a customer who explicitly or
implicitly (through diagnostics tools that generate support alarms)
initiate contact to HP.
Lets focus on the challenges of implementing an opt-in process for
marketing contact by using HP Subscription Services (InfoAgent) as an
example.
HP Subscription Services, through the HP InfoAgent technology,
provide the means for HP customers the opportunity to sign up
(subscribe) to a variety of software updates, support and marketing
newsletters, focused in the consumer peripheral space. Specifically,
software drivers (e.g. for a HP DeskJet printer, etc.), Support tools,
resources and tips by product category (e.g. for HP DeskJet or HP
LaserJet printers, etc) and product news, solutions and promotions by
product category (e.g. for HP ScanJet, etc.).
HP Subscription Services represents at most 25 percent of all
possible HP-related news and information sources available to/sent to
HP customers. When a customer subscribes, it can only happen as a
specific action on their part. Although it is not characterized this
way on the HP web site, I would call this a functional opt-in.
When the customer subscribes, HP asks the customer if he/she is
interested in receiving other related information from HP. In the past,
the box next to this question was pre-checked, indicating a ``YES''.
This is an opt-out.
Recently, HP changed the box next to this contact question to leave
it blank instead of pre-checked. This is a passive and poorly designed
opt-in. This particular approach drives much of the marketing
communities' (HP and otherwise) complaint about opt-in. If the contact
question is vague and/or if the customer is not REQUIRED to respond,
the results can be just as ineffective as the opt-out. Subscription
rates typically drop by 50-75 percent, mostly due to ``no action''
(unanswered) on the part of the customer. Ultimately this becomes then
not a technology issue but a business rule issue. In an opt-out
business model, the are those unanswered OK to contact? Most would say
yes. In an opt-in business model the answer to the ``OK to contact''
question is most likely no. But an additional process (with business
rules) must be created to confirm the customers' intent.
Our next step is to move to an ``active opt-in'' approach. We
believe if implemented properly, that a single, active opt-in works
well with regard to engaging trust and creating leading customer
experience. The new contact question will be:
``May HP contact you from time to time about products or services
of interest to you:
_Yes_No Postal Mail
_Yes_No E-Mail
_Yes_No Telephone
_Do Not Contact me''
As we implement this privacy/contact question today, we are working
to resolve across HP several issues around how to interpret and manage
customer responses to this question and in context with other places
this question may be asked. How to set business rules to apply
interpretation of existing customer data not collected in this question
format, such as how to handle data where the privacy/contact data is
``unknown'' (customer inaction, not asked, etc)? How should we
interpret a ``yes'' in postal mail with a ``do not contact me'' also
checked.
A customer could easily have multiple records with HP (product
registration, new subscription signup, etc) and continue to add them.
How should conflicting answers to the question be interpreted? By date?
Are there exceptions in certain HP business segments or functions? How
should the data be linked with other data from the customer gathered
offline through hardcopy product registration, tradeshows, promotional
offer responses, call centers, support centers, and sales
representatives? We've just begun to develop a detailed decision matrix
to apply business and data processing rules to these questions.
Our objective is to ask this privacy/contact question at each point
of data collection. Additionally we must find answers to issues about
customer notice and intent. A fundamental question for HP Subscription
services is that if a customer comes in who has registered (a product)
and subscribed at other times to several newsletters and software
drivers, and this time marks ``do not contact me''. . . . Does that
response apply to that specific registration event or does it cancel
every other subscription and software driver? We have hundreds of
customers today that subscribe through this service to dozens of
drivers and several newsletters. Part of the answer is in better
customer notice, explaining what will happen when ``do not contact me''
is marked. But there is significant concern about customer
satisfaction. Does a ``do not contact me'' apply to other subscription
and registration areas in HP . . . on the web, through a call center,
for support? Or does it apply just to that particular product/service
space? How exactly should we apply and interpret customer responses
across the whole of HP, for the other 75 percent of possible
destinations where a customer may choose to give information, subscribe
and so on?
HP has hundreds of customer databases and few are linked in any
meaningful way. Our long term vision, to be implemented over the next
few years, is that all major customer databases will be linked through
a top-level customer identification application. A few major databases
link today but many others remain. Linking requires software and
business process redesign in many HP organizations. Every database has
different data standards and system architectures that must be
rationalized.
So while the vision is to ``know our customer'' as they move
through different HP environments: call center, web, support,
marketing, sales (and as he/she desires to be known); the ability to
have one common view of a given customer and therefore manage privacy/
contact choices (among other things) is a mix of human-managed manual
processes tied to many individual, decentralized systems/databases.
We're excited about the move to opt-in because we believe it's the
right thing to do for HP customers in a marketing context. We believe
it is a competitive differentiator. Clearly, the implementation is more
complex than the old default opt-out approach. Our fist aim is in the
consumer space and for email. Other customer segments and contact
approaches are still under discussion. As part of HP consumer business
CRM (Customer Relationship Management), we plan to make all type of
contact, as per the question, opt-in. Our business customer approach
may be somewhat different, whether for solution developers, small-
medium businesses or support delivery.
Opt-in (and even opt-out) is much more about business process and
behavior than technology, but all must work together and be compatible
at all levels. The example above represents one set of business
processes and systems out of hundreds. HP wants to do this because we
think it's important. We want to do it right so that customer privacy
choices are honored, customer relationships and satisfaction is
enhanced and customers will be able to receive information that helps
their business or personal use of HP equipment be effective. Imagine
applying the issues described in the example across hundreds of
databases and business processes in HP.
Opt-in is difficult because many companies, like HP, do not have
the computer and database architecture or resources to manage the
change, at least not rapidly. To accommodate the business, process and
technology change requires time and resources. It requires a major
business process re-engineering. AND, its tougher in the US than Europe
because in the US, the web systems, technology and processes are
already in built vs. those in Europe, still in the embryonic stage of
web commerce.
Opt-in is difficult because companies fear the loss of valuable
customers and their means to communicate with them, inhibiting revenue
and eroding brand value.
Opt-in is difficult because opt-out has a tong tradition in the
U.S. that many feel is more appropriate to U.S. culture.
Opt-in has limited practicality for support or administrative
contact and would negatively impact customer satisfaction and
experience across the board. Opt-out makes more sense for support or
administrative contact.
Even when opt-in is well in place, HP must still have an opt-out
process, so that customers can remove themselves from contact/databases
they originally opted-in to.
Opt-in for aggregated non-personal data is impractical and would
negatively impact customer experience, customer satisfaction and web-
site/e-commerce use. It would be an experience comparable or worse than
turning on ``notify all cookies'' option in your web browser. And what
would be the comparable process in regard to offline data? When the
implementation of P3P technology becomes pervasive on both web sites
and user tools, customers and a web site could engage in a better
experience based on personal choice.
HP does believe customers should be given an easy simple way to
opt-out of unknown 3 party cookies, like those from advertisers. HP.com
policy prevents the placement of advertising on our web sections. HP
does obtain aggregate data only reports from advertising banners (and
print ads) placed on other web sites (publications) for the purpose of
understanding web effectiveness.
C. Collection of data in general
1. Personal data. Customers can go anywhere on hp.com without the
requirement to provide personal data. As described above in section B,
certain specific types of services do require varying levels of
personal information. Opt-in at this level doesn't apply in a practical
way because the customer chooses to engage in a specific transaction to
start the process. This applies to non-web (offline) services such as
call center activity, trade shows and market research.
2. Aggregated data. HP.com collects aggregate, non-personal data
used to understand web navigation, ease of use, popular sections,
unpopular sections and so on. This data is generally kept within the
specific hp.com web section rather than any kind of broad sharing
across the whole of hp. Broad sharing across hp would be interesting,
but is not a top priority, may not be relevant and would be expensive
functionality to build. Applying opt-in, or even opt-out practices at
this level would be hugely annoying, cumbersome and a just plain awful
customer experience.
Offline aggregate data collection is common, examples are market
research, product warranty databases, support diagnostic tools, and
sales representative records. There is no practical application of opt-
in/opt-out practices here.
______
Response to Written Questions Submitted By Hon. Ernest F. Hollings to
George Vradenburg, America Online, Inc.
Question. While more and more companies are adopting Opt-in, you
claim Opt-in is impractical and will interfere with the functionality
of the Internet and even with the economic viability of certain
companies. Please provide the Committee with a memorandum explaining in
detail the reasons behind these claims. What are the problems you
believe will be realized? What specifically are you or other Internet
companies doing now that Opt-in will prevent? What are the economic
costs you fear will occur? Please be specific, answer each of these
questions, explain your reasoning in detail, and provide examples for
each of your answers.
Answer. AOL supports a comprehensive approach to online privacy
that will ensure that consumers are provided with meaningful notice and
choice about the collection and use of their personal data by online
companies. We believe that, in most situations, the specific approach
to choice should be determined by the marketplace and the demands of
consumers; in some instances, the marketplace will require companies to
use an ``opt-in'' approach, and in other cases an ``opt-out'' approach
may be appropriate. As we work through this issue in the marketplace
and in Congress, we should design a system that best serves consumers,
rather than by a ``one-size-fits-all'' regulatory regime. Indeed, we
believe that ``choice'' can be provided in many different ways, and
that it is not even possible to force all choice mechanisms into the
opt-in or opt-out category, because many choice mechanisms actually
have characteristics of both categories.
For example, although subscribers to the AOL service must ``opt-
in'' to the AOL Terms of Service--which includes the AOL privacy
policy--as a condition of AOL membership, the choices offered within
that privacy policy for the use of personal data for marketing purposes
are provided in the form of an ``opt-out.'' Under AOL's current privacy
policy, which is considered to be among the most robust in the online
industry, new subscribers to the AOL service are provided with a
complete explanation of how their personal data can be collected and
used. Where members do not want their data to be used or disclosed to
third parties for marketing purposes, they are given clear instructions
on how to opt-out of such uses, so that they are able to maintain
complete control over the use of their personal information. AOL
members can change these marketing preferences at any time, and may
easily access the AOL privacy at any time by typing in the keyword
``privacy.'' We believe the AOL policy is a prime example of how a
meaningful ``choice'' mechanism can empower consumers to protect their
own privacy online, as well as provide consumers with the ability to
receive maximum benefit from the online medium.
In examining this question, it is critical to understand exactly
what is meant by the term ``opt-in.'' We presume that ``opt-in''
clearly cannot apply to information collection in cases where such
information is collected voluntarily from the consumer and is required
for the provision of a particular service. For instance, AOL members
may choose to provide us with information about their stock portfolio
so that they can receive personalized financial information or stock
quotes on the AOL service. However, there is no formal ``opt-in'' for
this feature; rather, consumers can simply choose to provide the
information and receive the service, or not to provide this information
and not receive the service. Where information is collected as a
condition of using a particular product or feature (i.e. registration
information), there may not be any ``choice'' offered with respect to
the collection of that information (beyond simply choosing not to use
the service), although a company may offer the consumer choice as to
whether and how that information is used for purposes other than
providing the service itself.
Certain merchants may use information that you provide voluntarily,
such as registration information or information about transactions
conducted with that merchant, to customize their services to your
particular interests or needs. For instance, an online bookseller might
use information about the books you've purchased to provide you with
recommendations for other books you might be interested in. Presumably,
the information was initially collected with your permission (i.e. you
chose to provide your name and address so that your book could be
delivered directly to you). But must the merchant obtain affirmative
consent for each additional use of that data, such as sending you
personalized marketing offers or recommending products that might be of
particular interest to you? The breadth of an opt-in requirement would
determine the extent to which we and other companies would need to
alter our business models. Depending on how an opt-in provision is
structured, Web sites and online service providers might be required to
recontact consumers in order to obtain consent in every instance when
their data is used, to retrofit their systems to code data previously
collected for the specific uses for which consumers consent, to
categorize and store the consents obtained, and to match any future
uses of the data with these categories.
In general, we believe that there may be some practical business,
technological, and convenience issues associated with an opt-in model
that could make such a model inappropriate as a governmental mandate
for all non-sensitive information, and could actually reduce the value
of the online medium to consumers. An opt-out approach--not an opt-in--
is widely used today in both the online and offline marketplace, and
creates the proper balance between protecting privacy and allowing
consumers to enjoy the benefits of personalization and customization.
Under an opt-out approach, the default always favors ``free information
flow,'' a goal that maximizes the inherent strengths of the medium and
its potential to improve consumers lives.
By contrast, a mandatory opt-in system sets the default rule to
``no information flow,'' undermining the innovation and growth of the
medium while making it more inconvenient for the average consumer to
engage in e-commerce transactions. More importantly, a mandatory opt-in
requirement would not account for technological developments that will
allow consumers to access the Internet or exercise choice in completely
new ways. For example, the shift from PC-based Internet access to
wireless Web access via a small handheld device is likely to make opt-
in prior to information collection extraordinarily difficult, if not
impossible, in certain circumstances. As Internet usage expands to a
new array of handheld and portable devices, the idea of forcing
consumers to click through screens upon screens of marketing preference
questions becomes much less feasible and could easily turn many
consumers away from these new platforms by making the online
registration process extremely complex and difficult to navigate.
In fact, it is entirely possible that a more complicated process
could actually confuse or overwhelm users, especially those novice
Internet users who comprise a vast segment of AOL's subscriber base.
And for smaller companies, whose entire business model may rely on
these new platforms or devices, such complexities could drastically
reduce their ability to attract consumers and their ability to compete
in the online marketplace. In short, there is no way to tell what new
products, business models, or devices will emerge over the next few
years or how those innovations will change the way that information is
exchanged across the Internet. Creating a mandatory opt-in regime today
would be as counterproductive as if Congress had tried to set tough
auto safety standards in 1880. Until this medium reaches maturity, we
won't even know the ways that consumers will want to exchange their
information, let alone what restrictions should be placed on that
exchange.
By setting the default rule against the collection of information
in all situations, an opt-in rule would make it much more difficult for
some companies to personalize their services and reach the consumers
most likely to be interested in them. Under an opt-in regime, it will
be far more difficult for consumers to set up personalized features and
receive the many benefits of a tailored Internet experience. As a
result, companies will not have the incentives to provide these
features and take full advantage of the exciting new technologies
available in the online environment to provide consumers with
customized services. Additionally, as e-mail marketing is nearly cost
free, limiting every advertiser's ability to reach a targeted audience
might encourage some companies to send untargeted solicitations to far
larger numbers of consumers. Such a requirement would inhibit
companies' ability to tailor their marketing efforts to consumer
preferences, and could limit the effectiveness of their customer
service and customer relations efforts.
Furthermore, more onerous opt-in regulation could make it harder
for new entrants to find their ``niche'' in the Internet marketplace
through innovative business models, and would likely reduce the
availability of ``free'' content on the Web that may be supported in
large part by advertising and marketing dollars. Because the average
consumer is more likely to choose whatever ``default'' option is
offered in an online transaction, an over-regulatory privacy regime
could severely limit companies' ability to balance consumer costs with
advertising revenue, which could ultimately lead to an increase in
consumer prices and a decrease in the diversity and richness of content
and services that can be offered to consumers. A more sensible model is
to allow companies the flexibility to provide privacy options in the
manner that works best for each particular business model, while
ensuring that consumers are always fully informed of all their privacy
choices.
Ultimately, we believe that true privacy protection rests on the
fundamental principles of notice and choice, and that it is not
necessary to mandate exactly how such choice must be provided under
every business model. Both opt-in and opt-out approaches allow
consumers to exercise choice about how their information may and may
not be used, but there may be other approaches to choice available as
well. In some cases, ``opt-in'' may be the most appropriate choice
mechanism. For example, we support an opt-in approach for the
collection and use of sensitive data such as medical, and financial
information, and for children's personal information. Indeed, that is
precisely why AOL supported the passage of the Children's Online
Privacy Protection Act (COPPA), which addressed the unique concerns
raised by the collection and use of children's information, and why we
have joined the Hi-Ethics (Health Internet Ethics) Coalition, a group
of the most widely used health Internet sites committed to providing
the highest standards of privacy protection for health-related
information.
But it is the marketplace--businesses and consumers together--that
must determine how choice can best be provided in each particular
instance. We should not get caught up in a debate over the terminology
of ``opt-in'' and ``opt-out,'' but should focus rather on the ultimate
goal of a choice requirement, which is to empower consumers to control
their personal data while maximizing the value of the online medium to
consumers. As long as consumers have a clear understanding of what
information is being collected about them, how it may be used, and how
they may limit its use and disclosure, consumers will be able to
exercise control over their privacy while still enjoying the full
benefits of customization and personalization that the Internet can
provide.
We agree that privacy policies that are buried in fine print or
written in incomprehensible legalese do not constitute adequate notice
and choice, and to the extent that some companies try to defend such
practices as consistent with an ``opt-out'' model, such practices
should be strictly prohibited. However, where consumers are properly
informed of their options for controlling the use of their personal
data, it is unnecessary and potentially harmful to mandate a particular
mechanism for providing choice to consumers in all circumstances.
Baseline requirements backed up by market-led technological solutions
will provide businesses and consumers with enough flexibility to adapt
to the changing online marketplace while ensuring that consumer privacy
is appropriately safeguarded.
______
Simson L. Garfinkel Letter to Hon. John McCain
Simson L. Garfinkel
Cambridge, MA, October 3, 2000
Hon. John McCain,
Chairman,
Committee on Commerce, Science and Transportation,
Washington, DC.
Subject: LIs it a violation of a privacy for lists of campaign
contributors to be sold?
Dear Senator McCain:
Thank you for giving me the opportunity to testify before your
Committee earlier today. I would like to apologize to you for my
inability to answer your final question, and I would like to attempt to
do so now.
You asked me, roughly paraphrased, Is it a violation of a privacy
for lists of campaign contributors to be sold? This is a deep question.
Instead of stumbling through several answers, I simply should have
asked your leave to send you an answer in writing.
Please allow me, Mr. McCain, to answer your question now:
Lists of campaign contributors that are sold do violate the
privacy of those contributors, if the lists are used in a manner that
is inconsistent with the purpose for which the information was
collected.
Clearly, the privacy of campaign contributors is violated when
their names and that information is made publicly available. Thus, my
first answer to your question was that, as a democracy, we have decided
that this violation of privacy is preferable to the corrosive power of
secret money in politics. You rightfully said that that you knew all
about the disclosure laws, and that was not the question that you were
asking me.
Once we have made the decision to make campaign contribution
information public, the next question is ``how will this information be
used.'' My second answer to your question was that this information
should not be sold by businesses, but given freely in electronic form
by the federal government. You again told me that I was not answering
the question that you were asking.
In fact, you were asking if the selling of this information by
third parties further violates the privacy of the campaign
contributors.
The answer to that question depends on what is done with the
information:
If the information is used to perform an analysis of the
role of money in politics, or to correlate donations with
voting patterns, its does not further violate the contributors'
privacy; this is the reason that the information was originally
collected.
If the information is used to solicit the contributors for
donations to museums, or public radio, or to join a country
club, then it does violate the contributors' privacy; these
uses run counter to the original reason that the information
was collected.
I believe this analysis shows the importance of passing a national
data protection act. Since 1973, the third item of the Code of Fair
Information Practices has held that ``[t]here must be a way for a
person to prevent information about the person that was obtained for
one purpose from being used or made available for other purposes
without the person's consent.'' I believe that adopting these
principles into US law is the best way to protect the privacy interests
of campaign contributors, and indeed of all Americans.
Thank you for your time.
Sincerely,
Simson L. Garfinkel
�