[Senate Hearing 110-791]
[From the U.S. Government Publishing Office]
S. Hrg. 110-791
BROADBAND PROVIDERS
AND CONSUMER PRIVACY
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 25, 2008
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
48-450 PDF WASHINGTON : 2009
----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
DANIEL K. INOUYE, Hawaii, Chairman
JOHN D. ROCKEFELLER IV, West KAY BAILEY HUTCHISON, Texas,
Virginia Ranking
JOHN F. KERRY, Massachusetts TED STEVENS, Alaska
BYRON L. DORGAN, North Dakota JOHN McCAIN, Arizona
BARBARA BOXER, California OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida GORDON H. SMITH, Oregon
MARIA CANTWELL, Washington JOHN ENSIGN, Nevada
FRANK R. LAUTENBERG, New Jersey JOHN E. SUNUNU, New Hampshire
MARK PRYOR, Arkansas JIM DeMINT, South Carolina
THOMAS R. CARPER, Delaware DAVID VITTER, Louisiana
CLAIRE McCASKILL, Missouri JOHN THUNE, South Dakota
AMY KLOBUCHAR, Minnesota ROGER F. WICKER, Mississippi
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Lila Harper Helms, Democratic Deputy Staff Director and Policy Director
Christine D. Kurth, Republican Staff Director and General Counsel
Paul Nagle, Republican Chief Counsel
C O N T E N T S
----------
Page
Hearing held on September 25, 2008............................... 1
Statement of Senator Dorgan...................................... 1
Statement of Senator Hutchison................................... 2
Statement of Senator Klobuchar................................... 26
Statement of Senator Thune....................................... 29
Statement of Senator Vitter...................................... 3
Statement of Senator Wicker...................................... 31
Witnesses
Attwood, Dorothy, Senior Vice President, Public Policy and Chief
Privacy Officer, AT&T Inc...................................... 4
Prepared statement........................................... 5
Sohn, Gigi B., President, Public Knowledge....................... 15
Prepared statement........................................... 16
Stern, Peter, Executive Vice President, Chief Strategy Officer,
Time Warner Cable.............................................. 8
Prepared statement........................................... 10
Tauke, Thomas J., Executive Vice President, Verizon.............. 11
Prepared statement........................................... 13
Appendix
Inouye, Hon. Daniel K., U.S. Senator from Hawaii, prepared
statement...................................................... 37
BROADBAND PROVIDERS
AND CONSUMER PRIVACY
----------
THURSDAY, SEPTEMBER 25, 2008
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:06 a.m., in
room SR-253, Russell Senate Office Building, Hon. Byron L.
Dorgan, presiding.
OPENING STATEMENT OF HON. BYRON L. DORGAN,
U.S. SENATOR FROM NORTH DAKOTA
Senator Dorgan. The hearing will come to order.
This is a hearing of the Senate Commerce Committee. We have
a hearing today on broadband providers and consumer privacy, a
subject which is interesting and new, relatively new, to this
Committee. It is the second of a number of hearings on this
subject.
I wish all of you good morning.
I am joined by Senator Hutchison who is the Ranking Member.
Senator Inouye is not able to be with us and has asked me to
chair the hearing. I chaired the previous hearing on this
subject as well at his request, and I am happy to do that.
This hearing is to provide an examination of the privacy
rights of Internet users and the practices of broadband
providers. The Commerce Committee has had a long interest in
the subject of protecting privacy, and now I feel we need to
take a closer look at Internet users' privacy as the field of
online advertising develops.
I want to make it clear that I understand and I think all
of my colleagues in the Congress would understand that there
are many benefits to online advertising. It is an architecture
that is important to our economy. It allows many of the sites
and services that we all know and understand to grow and
thrive. So this is not an inquiry about whether advertising is
relevant or important. Advertising on the Internet plays an
important role in Internet commerce.
While most of the conversation about Internet advertising
in the past years has been focused on economic benefits,
however, consumers say in surveys that they worry about
privacy. Survey results released today from Consumer Reports
shows that 72 percent of consumers are concerned that their
online behavior is being tracked or profiled, and they are
concerned about that. The poll found that 93 percent of
Americans think Internet companies should always ask permission
before using personal information.
I think it is the case that the invisibility of data
collection practices and users' ability to control their
information is a concern, and I think it is time that the
Senate and regulators try to understand and focus on what are
the privacy questions and the aspects of the issue of privacy
that we should be dealing with.
In July, we held a hearing on privacy to examine concerns
about consumers being profiled and being tracked online. There
is a lot the Committee has yet to learn about data collection
practices. We learned some things at the last hearing. We heard
from NebuAd, a company that was working with some Internet
service providers to gain access to the content on their
networks in order to provide advertisers profiles of broadband
providers' customers. NebuAd later halted those plans.
In July, the broadband providers were not able to attend
our hearing. For many of them, this was a new area, and today
we appreciate the participation of AT&T, Verizon, and Time
Warner Cable. It should be noted that these companies had not
previously agreed to provide customer data to NebuAd or similar
companies.
We also appreciate the participation today of Public
Knowledge at this hearing.
We will focus on privacy expectations for customers of
Internet service providers. People do expose themselves online
by where they go and what they do, and often type in sensitive
information, personal information, and financial information.
We have very little competition in the broadband market. As a
matter of fact, around most of this country, most Americans
have one or at the most perhaps two choices for broadband. And
as broadband service is so vital to the American people and to
our communities, we want to make sure that providers are
respecting the privacy protections of consumers and that those
protections are in place. Internet service providers have
access to all of that customer's information and behavior, and
the question is what is being done with it.
Again, let me emphasize that I appreciate the Internet
service providers being willing to come to us today and talk
about these issues because the issues are not just important to
policymakers. These issues I think are important in the long
term to Internet service providers as well.
I do think we need to update our privacy laws and we need
to ensure we have similar protection across platforms. We need
to protect sensitive information, make sure customers know what
companies are doing with their information so that customers
can make informed choices about their participation, and are
given clear information about opt-in or dealing with other
regimes that might be established.
This is the second hearing, and I assume that the Commerce
Committee will want to hear more as we enter the next session
of Congress. Now the Committee is here to listen and to thank
the witnesses for testifying.
Let me call on my colleague from Texas, Senator Hutchison.
STATEMENT OF HON. KAY BAILEY HUTCHISON,
U.S. SENATOR FROM TEXAS
Senator Hutchison. Well, thank you, Senator Dorgan. I
appreciate your calling attention to this issue, and I want to
say that it is an important issue that we look at because we
know that there are many advertising opportunities now on the
Internet, which is a good thing, as the Senator said. It is
good for the economy. It is also good for business to be able
to target advertising and be able to have efficient use of the
advertising dollars.
I also think it is helpful to consumers to be able to find
the products they are looking for, the services that they are
looking for in a targeted way, and that provides more free
service on the Internet, which is what we all want. So that is
the good side of advertising.
On the other side, we surely need to be informed. Consumers
need to be informed about what online entities are doing with
their personal data information, and of course, since so many,
especially in our rural areas, depend on broadband for
commerce, as well as health care and education, people are
putting more of their personal information online. So I think
transparency and disclosure are very important.
I would say I hope we do not charge into legislating in
this area before we do fully understand what is possible, what
is not possible, what is helpful, and what is not helpful, and
what would help the right type of opportunities but not hinder
the overall ways that we can have access to advertising. So it
is a complicated area and one that we ought to look at, fully
understand before we rush into legislation that could curb our
economy.
I want to say that I am not going to be able to stay. I
have to be on the floor at 10:30, but I appreciate your calling
this hearing and I will certainly look at the testimony later.
Senator Dorgan. Senator Hutchison, thank you very much.
I share the view. I do not think that there will be a
stirring here to rush toward some sort of legislative approach.
I think, first, it is very important that we understand this.
There may well need to be legislative solutions at some point
in the future, but first, I think it is a complicated area and
we need to understand it. I certainly agree with that.
Senator Vitter?
STATEMENT OF HON. DAVID VITTER,
U.S. SENATOR FROM LOUISIANA
Senator Vitter. Thank you very much, Mr. Chairman, for
calling this hearing as well. We examined this issue earlier
this year in a hearing with other online companies. So I am
looking forward to the views of these Internet service
providers and others on this very important issue.
I agree we need to look at this carefully. We need to
attack bad behavior. We need to do it in a way that will not be
out of date tomorrow as technology advances, and I think we
need to do it in a way that is not technology-specific, picking
winners and losers, but sets a broad-based policy in a way that
can effectively be implemented.
So I look forward to listening closely to the testimony to
figure out how we can best accomplish that. Thank you.
Senator Dorgan. Thank you, Senator Vitter.
We have four witnesses today. We will, by consent, include
their entire statements as a part of the permanent record and
ask the witnesses to summarize their statements.
First, we will hear from Ms. Dorothy Attwood, who is the
Senior Vice President for Public Policy and Chief Privacy
Officer for AT&T Services. Ms. Attwood, thank you for being
with us. You may proceed.
STATEMENT OF DOROTHY ATTWOOD
SENIOR VICE PRESIDENT, PUBLIC POLICY
AND CHIEF PRIVACY OFFICER, AT&T INC.
Ms. Attwood. Thank you very much. Thank you, Senator Dorgan
and other Committee Members, for providing AT&T the opportunity
to discuss online behavioral advertising and its important
privacy implications.
My name is Dorothy Attwood and I am AT&T's Senior Vice
President and Chief Privacy Officer.
Senator Dorgan, AT&T appreciates your leadership on this
issue. It has fomented a necessary and productive discussion
among all key stakeholders, and it has encouraged our industry
to listen closely to our customers and take a careful look at
how best to engage in different modes of online advertising.
Indeed, you will hear today a remarkable consensus about the
overriding importance of a consumer-focused approach to online
advertising and the need to ensure that consumers maintain
ultimate and effective control over their information.
American consumers benefit immeasurably from our Internet
ecosystem, which is rich in innovative services and varied
content information and entertainment. Online advertising is a
key component of this ecosystem as it fuels investment and
enables many free and discounted services and funds today's
vast diversity of Internet content.
But online advertising, especially new forms of highly
targeted behavioral advertising, also raise important consumer
privacy concerns that policymakers and industry must carefully
weigh. Setting proper policy in this area is crucial to
maximizing the consumer benefit of a healthy Internet
marketplace.
Online behavioral advertising is the practice of tracking a
consumer's web browsing and search activity across unrelated
Websites. Notably, both the tracking and the association of the
websites are largely invisible to the end user and the
resulting information is used to create a distinct user profile
and deliver highly targeted or personalized advertising. It is,
indeed, a next generation capability and it can clearly be
distinguished from the simple and longstanding practice of
tracking a consumer's use of an individual Website or obviously
related Websites.
AT&T does not today engage in online behavioral advertising
either through the so-called ``deep packet'' inspection or any
other technique. Of course, if done properly, the practice can
be valuable to consumers and can measurably improve their
online experience. But we believe just as strongly that it is
essential to include strong privacy protections in the design
of any online behavioral advertising program and that any
privacy framework should shed clarifying light on what is today
something quite invisible to the consumer.
Thus, we will engage in online behavioral advertising only
after validating the various technologies and only after
establishing clear and consistent methods to ensure the
protection of and ultimate consumer control over consumer
information. Our deployment of any online behavioral
advertising practice will be governed by the imperative of
meaningful consent and a consumer-focused privacy framework
based on the following principles: transparency, customer
control, privacy protection, and customer value.
More specifically, we believe that a forward-looking
advertising practice requires a forward-looking customer notice
and consent model. For this reason, AT&T will not use consumer
information for online behavioral advertising without an
affirmative advance action by the customer that is based on a
clear explanation of how the consumer's action will affect the
use of her information. This means that a consumer's failure to
act will not result in any collection and use of that
consumer's information for online behavioral advertising
purposes by default.
Even though AT&T and most other Internet service providers
do not engage in online behavioral advertising, make no
mistake, this practice is well underway today. Already ad
networks and search engines track and store a vast trove of
data about consumers' online activities, and the technologies
they use have evolved just beyond tracking consumers' web
surfing activity at sites at which they sell advertising. They
now also have the ability to observe a user's entire web
browsing experience at a granular level. If anything, this
largely invisible practice of ad networks and search engines
raise at least the same privacy concerns as do other online
behavioral techniques that ISPs could employ.
For this reason, we believe that any privacy framework for
online behavioral advertising must apply to all entities
involved in Internet advertising, including ad networks, search
engines, and ISPs. A policy regime that applies only to one set
of actors will arbitrarily favor one business model or
technology over another, but most importantly represent only a
partial and entirely unpredictable solution for consumers.
Thus, we urge all entities that engage in online behavioral
advertising, including especially those who already are
engaging in the practice, to join AT&T in committing to a
policy of advance, affirmative consumer consent.
Again, thank you for the opportunity to speak here today,
and I look forward to your questions.
[The prepared statement of Ms. Attwood follows:]
Prepared Statement of Dorothy Attwood, Senior Vice President,
Public Policy and Chief Privacy Officer, AT&T Inc.
Thank you, Chairman Inouye and Ranking Member Hutchison, for
providing AT&T Inc. the opportunity to discuss online advertising and,
more specifically, the issue that has received a good deal of recent
attention, so-called online behavioral advertising. We trust that this
hearing will help the discussion evolve past slogans and rhetoric to a
more thoughtful examination of the facts and the development of a
holistic consumer privacy policy framework that all participants in the
online behavioral advertising sphere can and will adopt.
Your interest in these matters surely is warranted. Online
advertising fuels investment and innovation across a wide range of
Internet activities, and provides the revenue that enables consumers to
enjoy many free and discounted services. Likewise, website publishers
make most of their money from advertising, which revenue in turn funds
today's vast wealth and diversity of Internet content and information--
most of which consumers enjoy, again, for free. On the other hand,
online advertising, especially next-generation forms of highly targeted
behavioral advertising that involve tracking consumer web browsing and
search activities, raise important consumer-privacy concerns that
policymakers and industry must carefully weigh. In short, setting
proper policy in this area will be crucial to a healthy and growing
Internet ecosystem that benefits consumers.
AT&T does not today engage in online behavioral advertising, but we
understand the uniquely sensitive nature of this practice. We have
listened to our customers and watched the debate unfold, and are
responding by advocating for a consumer-focused framework. As described
in more detail herein, the pillars of this framework--transparency,
consumer control, privacy protection, and consumer value--can be the
foundation of a consistent regime applicable to all players in the
online behavioral advertising sphere--including not just Internet
Service Providers (``ISPs''), but also search engines and third party
advertising networks--that both ensures that consumers have ultimate
control over the use of their personal information and guards against
privacy abuses.\1\
---------------------------------------------------------------------------
\1\ The policy framework that AT&T proposes here is informed by and
should complement the Online Behavioral Advertising Self-Regulatory
Principles issued by staff of the Federal Trade Commission in December
of last year. Online Behavioral Advertising: Moving the Discussion
Forward to Possible Self-Regulatory Principles, available at http://
www.ftc.gov/05/2007/12/P85900stmt.pdf.
---------------------------------------------------------------------------
In particular, we believe that effective customer control for
online behavioral advertising requires meaningful consent and therefore
commit that AT&T will not use consumer information for online
behavioral advertising without an affirmative, advance action by the
consumer that is based on a clear explanation of how the consumer's
action will affect the use of her information. This concept--often
generically referred to as ``opt-in''--means that a consumer's failure
to act will not result in any collection and use by default of that
consumer's information for online behavioral advertising purposes. This
affirmative consent model differs materially from the default-based
privacy policies that advertising networks and search engines--which
already are engaged in online behavioral advertising--currently employ.
Given the obvious consumer benefits of such a model, we encourage all
companies that engage in online behavioral advertising--regardless of
the nature of their business models or the technologies they utilize--
likewise to adopt this affirmative-advance-consent paradigm.
What is Online Behavioral Advertising?
There is no single, settled definition of online behavioral
advertising in statute or case law, but the FTC and others have used
the term to refer to it as the tracking of a consumer's web search and
web browsing activities--by tracking either the person or a particular
Internet access device, be it a computer, data-enabled mobile phone, or
some other communications vehicle--to create a distinct profile of the
consumer's online behavior. In this sense, it can clearly be
distinguished from the simple practice of tracking a consumer's use of
an individual website or obviously-related websites (such as those
operated under a common trademark, trade name or conspicuously
disclosed corporate affiliation), which practice does not necessarily
raise the same privacy concerns as online behavioral advertising but
which nonetheless can and should expressly be disclosed to Internet
users. Privacy concerns about online behavioral advertising are not
new--indeed, DoubleClick's (now a Google subsidiary) use of tracking
cookies to collect and use information about consumer web browsing
activity was the subject of an FTC proceeding in 2000.\2\ More
recently, the FTC and Congress have appropriately asked questions about
the privacy implications of emerging online advertising businesses that
involve the tracking of consumer web browsing and search activity.
Thus, consistent with the focus of recent public discussion, we
consider online behavioral advertising to be: (1) the tracking of user
web browsing and search activity across unrelated websites, (2) when
the tracking and association of the websites or their components are
largely invisible to the user, and (3) the resulting information is
used to create a distinct user profile and deliver targeted advertising
content.
---------------------------------------------------------------------------
\2\ Letter from Joel Winston, Acting Associate Director, Division
of Financial Practices, Bureau of Consumer Protection, Federal Trade
Commission, to ChristineVarney, Hogan & Hartson, Re: DoubleClick Inc.
(Jan. 22, 2001)(memorializing closure of FTC staff investigation).
---------------------------------------------------------------------------
Online behavioral advertising can take many forms. It can, for
instance, involve the use by an ISP of technologies to capture and
analyze a user's Internet browsing activities and experience across
unrelated websites. These more ISP-specific methodologies are not,
however, the only--and certainly are not nearly the most prevalent--
forms of online behavioral advertising. Advertising-network
technologies have evolved beyond solely tracking consumer web surfing
activity at sites on which they sell advertising. They now also have
the ability to observe a user's entire web browsing experience at a
granular level. Techniques include the ad network ``dropping'' third-
party tracking ``cookies'' on a consumer's computer to capture consumer
visits to any one of thousands of unrelated websites; embedding
software on PCs; or automatically downloading applications that--
unbeknownst to the consumer--log the consumer's full session of
browsing activity.
Ad networks and other non-ISPs employ these capabilities at the
individual browser or computer level and they are as effective as any
technique that an ISP might employ at creating specific customer
profiles and enabling highly targeted advertising. Already ad networks
and search engines track and store a vast trove of data about
consumers' online activities. Google's practices exemplify the already
extensive use of online behavior advertising, particularly by nonISPs.
Google logs and stores users' search requests, can track the search
activity by IP address and a cookie that identifies the user's unique
browser, and can even correlate search activities across multiple
sessions, leading to the creation of a distinct and detailed user
profile. Through DoubleClick, Google can drop tracking cookies on
consumers' computers so that whenever the consumer visits websites that
contain a display ad placed by DoubleClick (which can be for virtually
any product or service), the consumer's web browsing activity can be
tracked across seemingly unrelated sites (e.g., CNN.com or ESPN.com).
Google further has access to enormous amounts of personal information
from its registered users, which its privacy policy expressly confirms
can be combined with information from other Google services or third
parties for the ``display of customized content and advertising.'' And
it even scans e-mails from nonGmail subscribers sent to Gmail
subscribers for contextual advertising purposes.
Thus, if anything, the largely invisible practices of ad-networks
and search engines raise at least the same privacy concerns as do the
online behavioral advertising techniques that ISPs could employ, such
as deep-packet-inspection, which have application beyond mere targeted
advertising, including managing network congestion, detecting viruses
and combating child pornography. In short, the privacy and other policy
issues surrounding online behavioral advertising are not technology-
specific. The relevant touchstones are the manner in which consumer
information is tracked and used, and the manner in which consumers are
given notice of and are able to consent to or prohibit such practices.
Those factors are entirely technology-neutral.
AT&T's Approach to Online Behavioral Advertising
AT&T does not today engage in online behavioral advertising.\3\
This is not because AT&T sees no value in this next-generation form of
online advertising. Indeed, if done properly, online behavioral
advertising could prove quite valuable to consumers and could
dramatically improve their online experiences. We do, however, believe
it is essential to include strong privacy protections in the design of
any online behavioral advertising program, which is why we will
initiate such a program only after testing and validating the various
technologies and only after establishing clear and consistent methods
and procedures to ensure the protection of, and ultimate consumer
control over, consumer information. We further intend to work with
privacy advocates, consumer privacy coalitions and fellow industry
participants in a cooperative, multifaceted effort that we trust can
and will lead to a predictable consumer driven framework in this area.
In any event, if AT&T deploys these technologies and processes, it will
do so the right way.
---------------------------------------------------------------------------
\3\ AT&T does engage in some of the more ordinary and established
aspects of online advertising. Like virtually every entity with a
retail Internet presence, AT&T tracks usage on its own websites, such
as att.com, in order to improve the online experience, optimize a
particular site's capabilities and ease-of-use, and provide the most
useful information to consumers about AT&T's products and services. In
addition, like thousands of other businesses that operate websites,
AT&T does business with advertising networks and has partnered with
providers of online search. For example, on the AT&T broadband Internet
access portal, AT&T makes space available for advertising provided by
the Yahoo! advertising network, and users of the portal may be shown
advertising that is based on their activity across sites signed up to
the Yahoo! advertising network. Also by way of example, we have
arranged for the Google search box to appear on our my.att.net site. In
this regard, then, we are no different than any other website
publisher.
---------------------------------------------------------------------------
Against this backdrop, AT&T has already listened closely to its
customers and will adopt meaningful and flexible privacy principles
that will guide any effort to engage in online behavioral advertising.
We summarize this framework as follows:
Transparency: Consumers must have full and complete notice
of what information will be collected, how it will be used, and
how it will be protected.
Consumer Control: Consumers must have easily understood
tools that will allow them to exercise meaningful consent,
which should be a sacrosanct precondition to tracking online
activities to be used for online behavioral advertising.
Privacy protection: The privacy of consumers/users and their
personal information will be vigorously protected, and we will
deploy technology to guard against unauthorized access to
personally identifiable information.
Consumer Value: The consumer benefits of an online
behavioral advertising program include the ability to receive a
differentiated, secure Internet experience that provides
consumers with customized Internet advertisements that are
relevant to their interests. But we think the future is about
much more than just customized advertising. Consumers have
shown that in a world of almost limitless choices in the
content and services available on the Internet, they see great
value in being able to customize their unique online
experience. That is the ultimate promise of the technological
advances that are emerging in the market today.
Call to Action
We believe these principles offer a rational approach to protecting
consumer privacy while allowing the market for Internet advertising and
its related products and services to grow. But, in order for consumers
truly to be in control of their information, all entities involved in
Internet advertising, including ad networks, search engines and ISPs,
will need to adhere to a consistent set of principles. A policy regime
that applies only to one set of actors will arbitrarily favor one
business model or technology over another and, more importantly,
represent only a partial and entirely unpredictable solution for
consumers. After all, consumers do not want information and control
with respect to just a subset of potential online advertising or the
tracking and targeting that might underlie those ads. Thus, we urge all
entities that engage in online behavioral advertising--including
especially those who already engage in the practice--to join AT&T in
committing to a policy of advance, affirmative consumer consent.
Senator Dorgan. Ms. Attwood, thank you very much for your
testimony.
Next, we will hear from Mr. Peter Stern who is the Chief
Strategy Officer for Time Warner Cable. Mr. Stern, you may
proceed.
STATEMENT OF PETER STERN, EXECUTIVE VICE PRESIDENT, CHIEF
STRATEGY OFFICER, TIME WARNER CABLE
Mr. Stern. Good morning, Mr. Chairman, Members of the
Committee. My name is Peter Stern. I am Executive Vice
President and Chief Strategy Officer at Time Warner Cable.
I am pleased to testify before you today and appreciate
this Committee's diligent effort to grapple with the complex
and still-evolving Internet advertising marketplace and to
assess its impact on consumer privacy.
Presently, Time Warner Cable does not engage in targeted
Internet advertising as an ISP or as a Website operator.
If Time Warner Cable decides to engage in such activities,
our customers' privacy will be a fundamental consideration. The
protection of subscriber privacy is not only important as a
matter of public policy. Our ability to succeed depends on
winning and retaining the trust of our customers. Accordingly,
we support a framework that would provide consumers with the
opportunity to affirmatively consent to receive online targeted
advertising.
We believe that achieving and sustaining our subscribers'
trust requires adhering to a privacy framework that addresses
four principles: first, giving customers control; second,
providing transparency and disclosure; third, safeguarding
personal information; and fourth, providing customers with
value.
Let me also add, however, that any such framework can only
truly protect the privacy interests of consumers if it is
universally adopted by all providers of targeted online
advertising. Quite simply, it makes no difference to a consumer
whether a targeted online ad is based on data collected by an
ISP, an ad network, or an applications provider. A framework
that leaves any provider uncovered would leave all users
unprotected. In addition, common rules are the only way to
ensure all businesses can compete on a level playing field.
Let me elaborate briefly on the four principles I have
mentioned.
First, customer control means consumers will be able to
exercise affirmative consent before having their online
activities collected and used for targeted online advertising.
Internet subscribers that decline to consent or fail to act
should not have their online activities tracked or used for
targeted online advertising. Control also means that the
consent mechanism should be easy to use. Customers should be
free to change their election at any time, and their election
will remain in effect unless they change it.
Second, transparency and disclosure means ensuring that a
customer's consent to targeted online advertising is informed.
This means giving Internet users clear and timely notice
regarding what is collected, how it is used, and what consumers
need to do if they do not want to participate. And by this, we
do not mean fine print. We mean prominent and plain English.
Third, safeguarding information means preventing
unauthorized access to customers' personal information. It also
means preventing disclosure or sale of such information to
third parties absent consent of the customer.
Last, providing value means offering targeted online
advertising in a manner that enhances the Internet experience
for consumers. Instead of a barrage of irrelevant ads,
consumers can receive ads tailored to reflect their interests.
Targeted online advertising can also be used to protect
consumers from seeing ads they do not want. Advertising can be
a public good when it educates consumers about relevant
choices.
Most companies that provide services on the Internet are
presently under no obligation to disclose or obtain consent for
the collection and use of consumers' online information. While
some provide disclosure and give consumers the ability to opt
out, this falls short of the principle of consumer control I
have articulated.
Therefore, Time Warner Cable believes that the four
principles I have outlined should serve as a policy framework
that would apply to all companies involved in targeted online
advertising. Time Warner Cable stands ready to work with this
Committee and other stakeholders to help foster the development
and implementation of such a framework.
I thank the Members of this Committee for the opportunity
to appear before you today on this important issue, and I would
be happy to answer any questions you might have.
[The prepared statement of Mr. Stern follows:]
Prepared Statement of Peter Stern, Executive Vice President,
Chief Strategy Officer, Time Warner Cable
Good morning, Mr. Chairman, Members of the Committee, my name is
Peter Stern. I am Executive Vice President and Chief Strategy Officer
at Time Warner Cable, where I am responsible for strategy and planning,
including for our Road Runner high-speed online service.
I am pleased to testify before you today and appreciate this
Committee's diligent effort to grapple with the complex and still-
evolving Internet advertising marketplace and to assess its impact on
consumer privacy.
Presently, Time Warner Cable does not engage in targeted Internet
advertising as an ISP or as a website operator.
Should Time Warner Cable decide to engage in such activities, our
customers' privacy will be a fundamental consideration. The protection
of subscriber privacy is not only important as a matter of public
policy, but it is also central to the success of our business. The
bedrock foundation of our business is our relationship with our
subscribers. We operate in a highly competitive marketplace, and our
ability to succeed depends on winning and retaining the trust of those
customers. Accordingly, we support a framework that would provide
consumers with the opportunity to affirmatively consent to receive
online targeted advertising.
In the context of targeted online advertising, we believe that
achieving and sustaining our subscribers' trust requires adherence to a
privacy framework that addresses four principles: first, giving
customers control; second, providing transparency and disclosure;
third, safeguarding personal information; and fourth, providing
customers with value.
Let me also add, however, that we strongly believe that any such
framework can only truly protect the privacy interests of consumers if
it is universally adopted by all providers of targeted online
advertising, including ad networks, application providers and ISPs.
Quite simply, it makes no difference to a consumer whether a targeted
online ad is based on data collected by an ISP, an ad network or an
applications provider. A framework that leaves any provider uncovered
would leave all users unprotected. In addition, a common set of rules
protecting consumer privacy is the only way to ensure that all
businesses that provide online advertising can compete and innovate on
a level playing field.
Before I go any further, allow me to clarify our definition of
targeted online advertising for the purposes of applying the framework
I described. At Time Warner Cable, we define it as displaying different
online ads to a consumer based on that consumer's behavior on unrelated
websites. So, if ads are delivered to a consumer based on that
consumer's particular history of visits to multiple unrelated websites,
that's targeted online advertising.
On the other hand, delivering relevant ads to a consumer based on
their behavior on an individual website (or group of related websites)
is not targeted online advertising. For example, if you go to Apple's
website and search for an iPod, and Apple delivers ads and promotions
for iPods while you are still on the Apple website, that's not targeted
online advertising. That's being responsive to what you asked for, when
and where you wanted it. It becomes targeted online advertising,
however, if this information is retained in order to deliver ads for
iPods and other portable music players while you are visiting unrelated
websites.
Let me elaborate briefly on the four principles I've mentioned.
First, customer control means consumers will be able to exercise
affirmative consent to having their activities collected and used for
targeted online advertising. Internet subscribers that decline to
consent or fail to act should not have their online activities tracked
or used for targeted online advertising. Control also means that the
consent mechanisms should be easy to use, to ensure that customers are
free to change their election at any time, and that their election will
remain in effect unless they change it.
Second, transparency and disclosure means ensuring that a
customer's consent to targeted online advertising is informed. This
means giving Internet users clear and timely notice regarding what type
of online usage information is tracked and collected, how that
information is used to provide targeted online advertising, and what
steps consumers can take should they decline to participate. And by
this, we don't mean fine print. We mean prominent and plain English.
Third, safeguarding personal information means preventing
unauthorized access to customers' personal information. It also should
mean preventing disclosure or sale of such information to third parties
absent consent of the customer. We also believe that policymakers and
the public should continue to discuss whether there are categories of
particularly sensitive information, such as personal medical
information, that should be entirely off limits to targeted online
advertising or subject to special controls.
Last, providing value means offering targeted online advertising in
a manner that enhances the Internet experience for consumers. Time
Warner Cable firmly believes that targeted online advertising can
benefit consumers. Instead of a barrage of irrelevant ads, subscribers
can receive information about services and offerings tailored to
reflect their interests. Targeted online advertising can also be used
to protect consumers from seeing ads they don't want. Advertising can
be a public good, when it educates consumers about relevant choices.
Properly implemented, technology can help advertising achieve this
potential, possibly even increasing the number of ads consumers want to
see.
In addition, targeted online advertising provides important
benefits for advertisers and providers of Internet applications and
services. Revenues from such advertising can offset the costs of
providing services to consumers, and can allow businesses to offer
services at discounts or even without direct payment from end users. In
this manner, targeted online advertising can deliver value to consumers
while helping to preserve and promote access to and enjoyment of the
rich diversity of the Internet.
Most companies that provide services on the Internet are presently
under no obligation to disclose, or obtain consent for, the collection
and use of consumers' online usage information. And in the case of some
of the largest ad networks and applications providers, the amount of
information such companies possess about consumers dwarfs that obtained
by ISPs.
It is certainly true that many providers of targeted online
advertising already voluntarily disclose the extent to which they
collect and use data about consumers. And some may also provide
consumers the ability to ``opt out'' of participating in such an
arrangement. But the extent of such disclosure varies greatly and is
often opaque; and the process for opting out can be complicated, and in
any case falls short of the principle of consumer control I have
articulated.
Therefore, Time Warner Cable believes that the four principles I
have outlined--customer control, transparency and disclosure,
safeguarding personal information, and providing value--should serve as
the cornerstone of a uniform policy framework that would apply to all
companies involved in targeted online advertising. Time Warner Cable
stands ready to work with this Committee and other stakeholders to help
foster the development and implementation of such a framework.
I thank the Members of this Committee for the opportunity to appear
before you today on this important issue, and I would be happy to
answer any questions you might have.
Senator Dorgan. Mr. Stern, thank you very much for being
with us.
Next, we will hear from Mr. Tom Tauke, the Executive Vice
President of Public Affairs, Policy and Communications at
Verizon Communications. Mr. Tauke, you may proceed.
STATEMENT OF THOMAS J. TAUKE,
EXECUTIVE VICE PRESIDENT, VERIZON
Mr. Tauke. Verizon is not engaged in behavioral
advertising, but we are very much aware of the concerns that
have been expressed by consumers and this Committee about some
of the practices that other Internet players are engaged in to
send targeted advertising to consumers. Therefore, we have
focused attention within Verizon on what policies and practices
related to online advertising we should follow to keep faith
with our own customers. And we've looked at what practices
would work for the entire on-line industry.
Perhaps it would be useful if I just outlined the framework
of our thinking.
First, we focused on the consumer and tried to look at the
issue from his or her perspective. It seemed clear to us that
consumers want information so they know what is going on. They
want to be in control of their online experience, and they want
to be able to choose whether or not their online usage is
tracked and used to send them targeted advertising.
Second, we concluded that any policy governing online
advertising should be centered around the notion of meaningful
consent by the consumer. We had a lot of discussion about opt
in and opt out. We concluded that those terms are not
particularly meaningful in the online world. Most consumers, I
suspect, are like me. We are trying to do something online. The
screen pops up. We hit ``OK'' or ``continue'' and move on, not
really aware of what we just opted into.
So we focused on the concept of meaningful consent and what
that means. Our sense is that meaningful consumer consent in
this context requires three elements.
One, transparency. That means conspicuous and clearly
explained disclosure to consumers about what types of data are
collected for what purposes and how it will be used.
Affirmative choice is the second principle. With knowledge
of what they are choosing, consumers would have to
affirmatively act, affirmatively agree to permit tracking of
their online activity.
And third, consumer control. Consumers should have the
ongoing ability to change their choice.
Senator Dorgan, you put this pretty well in a previous
hearing on this issue when you talked about a consumer going
into the mall. I believe it was your daughter. If you walk into
the store and the store keeps track of what you are doing and
buying so they can bill you at the end, you know, you probably
think that is OK. And if you do not like it, you walk out. But
if someone starts following you around the mall tracking your
activity from store to store, you would feel pretty uneasy
about that, I suspect, unless you had invited them along.
Using that analogy, what we believe is that before anyone
follows a consumer around online to target them for
advertising, that the consumer must know what is going on, must
make an affirmative choice to permit that activity, and should
be able to turn around at any time and say, I do not want you
following me around anymore.
We have been talking to other companies engaged in online
services, and we believe that there is a lot of support, as
evidenced here today, for the recommendations we are making in
the testimony I submitted to the Committee. Really, everyone
should embrace policies that put the consumer in control of the
online experience, and from consumers' perspective, it really
does not matter who is doing the behavioral advertising,
whether it is companies providing their browser or their search
engine, their access, or any other online service. All online
players should protect the privacy of online users.
The advertising industry, importantly, also appears to be
interested in establishing a set of consistent best practices.
That industry has a pretty good record of self-policing, with
the Federal Trade Commission helping ensure that the
advertising industry's best practices are enforced to protect
consumers.
With that model in mind, we are reaching out to the online
industry to see if we can develop a set of best practices for
online advertising that will protect consumers. And we will
work with this Committee and other interested organizations to
figure out how we can make sure the consumers feel secure and
in charge when they are online, that the rapidly advancing
communications and information processing technology is used to
enhance consumers' online experience, not spoil it, and that
the Internet continues to open new worlds of opportunities for
each of us.
Thank you very much.
[The prepared statement of Mr. Tauke follows:]
Prepared Statement of Thomas J. Tauke, Executive Vice President,
Verizon
Chairman Inouye, Ranking Member Hutchison and Members of the
Committee: thank you for the opportunity to discuss the important
concerns and perspectives surrounding consumer privacy in the area of
online advertising.
Today, more than 60 million American homes are connected to the
Internet via broadband, and the wide range of content, services, and
applications online--most offered for free--draws more people online
every day.
While Verizon does not rely on online advertising as a significant
source of revenue, we recognize that it has been a key business model
that has helped make the Internet a growth engine for the U.S. economy.
Yet, using consumers' web-surfing data to foster targeted online
advertising raises complex and important issues surrounding online
privacy. Consumers and policymakers want to understand what personal
information is being collected and used for advertising purposes. They
want to know what privacy and consumer protections are in place, and
what choices are available to participate--or not--in behavioral
advertising models.
In a rapidly changing and innovative environment like the Internet,
maintaining consumer trust is essential. It is critical that consumers
understand what forms of targeted online advertising their service
providers and favorite websites employ. If certain practices cause
consumers to believe that their privacy will not be protected, or their
preferences won't be respected, they will be less likely to trust their
online services, and the tremendous power of the Internet to benefit
consumers will be diminished. So, maintaining consumer trust in the
online experience is critical to the future success of the Internet.
With that in mind, let me begin by describing the online
advertising techniques Verizon uses today over its wireline networks.
Verizon's online advertising involves the practices commonly
accepted throughout the Internet, such as the use of cookies or ad
delivery servers to provide advertising that is limited to users of
Verizon's own services or websites. We also provide ad-supported search
results to help consumers find the websites they are looking for when
they mistype an address. These practices, which are neither new nor
unique, improve consumers' interaction with our websites and services,
and increase the relevance of the advertising displayed to our
customers or to visitors of our sites.
One technology that has received attention of late is ``packet
inspection.'' To be clear, Verizon has not used--and does not use--
packet inspection technology to target advertising to customers, and we
have not deployed the technology in our wireline network for such
purposes.
Packet inspection can be a helpful engineering tool to manage
network traffic and enable online services and applications consumers
may wish to use. The perceived problem with ``packet inspection'' is
not the technology. Many useful technologies can be used for nefarious
purposes. The problem arises if packet inspection is used to
inappropriately track customers' online activity without their
knowledge and consent and invade their personal privacy.
In fact, any technology that is used to track and collect consumer
online behavior for the purposes of targeted advertising--regardless of
which company is doing the collecting--should only be used with the
customer's knowledge and consent in accordance with the law, a
company's specific privacy policies, and the privacy principles
outlined below.
Protecting our customers' privacy has long been, and will continue
to be, a priority at Verizon. We are committed to maintaining strong
and meaningful privacy protections for consumers in this era of rapidly
changing technological advances. We are strong proponents of
transparency and believe that consumers are entitled to know what kinds
of information we collect and use, and should have ready access to
effective tools that allow them to control the use of that information.
At Verizon we have worked to craft--and communicate to our
customers--responsible policies aimed at protecting online privacy.
We can commit--and believe that all companies should commit--to a
set of best practices in the area of online behavioral advertising. The
principles and best practices should apply to all online companies
regardless of their technology or the platform used. The principles
underlying the consumer protection practices we support are these:
First, meaningful consent.
Verizon believes that before a company captures certain Internet-
usage data for targeted or customized advertising purposes, it should
obtain meaningful, affirmative consent from consumers. Meaningful
consent requires: (1) transparency, (2) affirmative choice, and (3)
consumer control.
Transparency involves conspicuous, clearly explained disclosure to
consumers as to what types of data are collected and for what purpose
that data is being used, how that data is retained and for how long,
and who is permitted access to the data.
Consumers would then be able to use these clear explanations to
make an affirmative choice that their information can be collected and
used for online behavioral advertising. Importantly, a consumer's
failure to consent should mean that there is no collection and use of
that consumer's information for online behaviorally targeted
advertising based on tracking of the consumer's Internet usage.
Finally, consumer control means that consumers have an ongoing
opportunity to make a different choice about behavioral advertising. In
other words, should consumers at some later time choose not to
participate in the behavioral advertising, there are equally clear and
easy-to-use instructions to make that change. That preference should
remain in effect unless and until the consumer changes it.
Second, security practices.
Any company engaged in tracking and collecting consumer online
behavioral information must have appropriate access, security, and
technological controls to guard against unauthorized access to any
personal information.
Third, safeguards for sensitive information.
Special attention must be given to the protection of information of
a sensitive nature (e.g., accessing medical websites). This information
should not be collected and used for online behavioral advertising
unless specific, affirmative consent, and customer controls are in
place to limit such use. Specific policies may be necessary to deal
with this type of information.
Consistent with our long-standing policies and practices, Verizon
also believes that the content of communications, such as e-mail,
instant messages, or VoIP calls, should not be used, analyzed, or
disclosed for purposes of Internet-based targeted advertising.
Fourth, certification.
It is critical that all participants in online advertising--ad
networks, publishers, search engines, Internet service providers,
browser developers and other application providers--commit to these
common sense principles and best practices through a broad-based, third
party coalition. To achieve this, we plan to work with stakeholders in
the Internet and advertising arenas, including other companies,
industry groups and policy organizations.
The focus of this coalition and the principles should be the
protection of consumers, not the technology or applications that happen
to enable the data collection. Widespread and uniform adoption of
principles will greatly enhance the public trust, address expressed
privacy concerns regarding web tracking practices, and serve as a
foundation for further discussion with policymakers and consumer
groups.
We believe that companies engaged in online behavioral advertising
should agree to participate in a credible, third-party certification
process to demonstrate to consumers that they are doing what they say
with regard to the collection and use of information for online
behavioral advertising. This process would confirm that companies are
complying with and respecting consumers' expressed choices regarding
such data collection.
We believe a framework such as this is a rational approach that
protects consumer privacy, while allowing the market for Internet
advertising and its related products and services to grow.
Should a company fail to comply with these principles, we believe
the Federal Trade Commission has authority over abuses in the privacy
area and can take appropriate measures against companies that
intentionally violate applicable consumer protection laws.
We hope to use the next few months to work with all players in the
Internet space to create and agree to live by industry best practices
for online advertising.
Thank you.
Senator Dorgan. Mr. Tauke, thank you very much for your
testimony.
Finally, we will hear from Ms. Gigi Sohn, the President and
Co-Founder of Public Knowledge. Ms. Sohn, you may proceed.
STATEMENT OF GIGI B. SOHN, PRESIDENT,
PUBLIC KNOWLEDGE
Ms. Sohn. Senator Dorgan, Members of the Committee, thanks
for giving me the opportunity today to testify on behalf of
Internet users.
I would like to focus my comments on the growing use of
technologies known as deep packet inspection, or DPI.
The use of DPI technology has serious implications for the
privacy rights of Americans. Public Knowledge, in partnership
with Free Press, has been analyzing these technologies and
their impact on both privacy and an open Internet. Our
organizations published a white paper entitled NebuAd and
Partner ISPs: Wiretapping, Forgery, and Browser Hijacking,
which examined the technical and policy aspects of DPI. I
applaud the Committee for its scrutiny of the use of these
technologies.
Simply put, DPI is the Internet equivalent of the Postal
Service reading your mail. While a postal worker might read
your mail for any number of reasons, the fact remains that your
letter is being read by the very person whose job it is to
deliver it.
When you use the Internet for web browsing, e-mail, or any
other purpose, the data you send and receive is broken up into
small chunks called packets. These packets are wrapped in
envelopes which, much like paper envelopes, contain addresses
for both the sender and the receiver, though they contain
little information about what is inside.
Until recently, when you handed that envelope to your ISP,
the ISP simply read the address, figured out where to send the
envelope, and handed it off to the proper mail carrier.
Now we understand that some ISPs are opening these
envelopes, reading their contents, and keeping varying amounts
of information about the communications inside for their own
purposes. In many cases, ISPs are actually passing copies of
the envelopes on to third parties who, in turn, read and make
use of that information. For the most part, customers are not
aware that their ISPs are engaging in this behavior. The end
result is much like if the Postal Service were to open your
letter, photocopy it, hand that copy to a third party, and then
reseal the letter so that you would never know it had been
opened in the first place.
So far, we have seen ISPs like Comcast use DPI as a means
to identify and block certain types of Internet traffic, in
violation of the FCC's Internet policy statement. We have also
seen advertising companies like NebuAd use DPI to collect
browsing histories, online habits, and other potentially
personal information about users in order to display
advertisements targeted to a specific user's interests.
The very nature of DPI raises grave privacy concerns.
As a result, when evaluating an implementation of DPI,
there are three basic questions that must be answered in order
to assess both the impact on the user's privacy and the
acceptability of the use of the technology in question. First,
what purpose is the collected data being used for? Second, how
is the data collected and utilized? Third, how is affirmative
informed consent obtained?
Given the power of DPI and the scope of its possible uses,
it is critical that we establish industry guidelines and legal
protections for users. And while the use of personal data by
web service providers is not the focus of today's hearing, such
uses raise separate, yet important privacy questions.
Thus, any solution should strive to be comprehensive in
scope and ensure that the basic principles of privacy
protection are applied across the entire Internet ecosystem.
These protections must ensure, first, that the purpose of the
use of consumer data is one that is consistent with users'
privacy expectations; second, that the amount and type of data
collected is narrowly tailored to the proposed use and that the
data is not kept or disseminated to third parties past what is
necessary; and third, that customers have access to and
actually receive adequate information about the proposed use
and have affirmatively and actively consented to any practices
that might violate their privacy expectations.
To achieve these goals, Congress should pass legislation
that encapsulates these requirements and makes clear that the
FCC has the power to enforce them.
Even though the Communications Act aims to provide
comprehensive privacy protection for users of all
communications technologies, gaps in the law have allowed the
privacy of some Internet users to fall through the cracks. The
time has now come to address these inequalities and guarantee
the right to privacy for all Internet users.
In closing, I want to make one extra comment about the
legislation. I want to commend the ISPs to my right for
adopting the principles they have announced today,
transparency, control, privacy protection, consumer value. But
the problem is that the ISPs that are not here are the ones
that use NebuAd and the ones that told Representative Markey
and Representative Barton that they thought that they were
acting within the law. And that is why I believe you need
comprehensive legislation to ensure that all ISPs and not just
the good guys are protecting users' privacies.
Public Knowledge is eager to work with the Committee to
craft privacy legislation that will protect all Internet users.
I look forward to your questions.
[The prepared statement of Ms. Sohn follows:]
Prepared Statement of Gigi B. Sohn, President, Public Knowledge
Chairman Inouye, Ranking Member Hutchison and Members of the
Committee, thank you for giving me the opportunity to testify about
broadband providers and consumer privacy. I'd like to focus today on
the growing use of the collection of technologies known as ``Deep
Packet Inspection,'' or DPI, which has immense implications for the
privacy rights of the American public. Over the past several months,
Public Knowledge, in partnership with Free Press, has been analyzing
these technologies and their impact on privacy and an open Internet. In
June, our organizations published a white paper entitled NebuAd and
Partner ISPs: Wiretapping, Forgery and Browser Hijacking, which
examined the technical and policy aspects of DPI. I applaud the
Committee for its continued scrutiny of the use of these
technologies.\1\
---------------------------------------------------------------------------
\1\ I would like to thank Public Knowledge's Equal Justice Works
Fellow Jef Pearlman, Policy Analyst Mehan Jayasuriya, and Law Clerk
Michael Weinberg for assisting me with this testimony.
---------------------------------------------------------------------------
I. Introduction
Today's hearing on consumer privacy comes in the wake of two high-
profile online consumer privacy violations, both of which involved the
use of Deep Packet Inspection (DPI) technology on an Internet Service
Provider's (ISP) network.
The first instance came to light in October 2007, when an
Associated Press report revealed that Comcast was interfering with its
customers' BitTorrent traffic.\2\ The report confirmed earlier tests
conducted by independent network researcher Robb Topolski, who found
that Comcast was analyzing its users' web traffic in order to determine
the types of applications and protocols being used. The company then
used a technique called ``packet spoofing'' to delay, degrade and in
some cases, block traffic that was identified as being used for
BitTorrent, a popular peer-to-peer file sharing protocol. Public
Knowledge and Free Press filed a formal complaint with the FCC in
November 2007, calling for the Commission to open a formal
investigation into the ISP's practices.\3\
---------------------------------------------------------------------------
\2\ See Associated Press article, `' Comcast blocks some Internet
traffic", (October 19, 2007), available at http://www.msnbc.msn.com/id/
21376597.
\3\ See Free Press and Public Knowledge, Formal Complaint of Free
Press and Public Knowledge Against Comcast Corporation for Secretly
Degrading Peer to Peer Applications, (November 1, 2007), available at
http://www.publicknowledge.org/pdf/fp_pk_comcast_complaint.pdf
[hereinafter Comcast Complaint].
---------------------------------------------------------------------------
In January 2008, the FCC announced that it had opened a formal
investigation into Comcast's blocking of BitTorrent traffic. This
investigation concluded in August 2008 with the FCC upholding the
Public Knowledge and Free Press complaint and reprimanding Comcast for
its degradation of its users' traffic. In its ruling against
Comcast,\4\ the FCC ordered the company to stop blocking BitTorrent
traffic and to develop a new set of network management practices that
did not violate the FCC's Broadband Policy Statement.\5\ In its letter
of response to the FCC, Comcast confirmed that it had used DPI
equipment from the Sandvine Corporation in order to identify and block
BitTorrent traffic.\6\
---------------------------------------------------------------------------
\4\ See Federal Communications Commission, Memorandum Opinion and
Order (August 1, 2008), available at http://hraunfoss.fcc.gov/
edocs_public/attachmatch/FCC-08-183A1.pdf.
\5\ See FCC, Policy Statement, (August 5, 2005), available at
http://www.publicknowledge.org/pdf/FCC-05-151A1.pdf.
\6\ See Comcast Corporation, Attachment A: Comcast Corporation
Description of Current Network Management Practices, (September 19,
2008), available at http://downloads.comcast.net/docs/
Attachment_A_Current_Practices.pdf.
---------------------------------------------------------------------------
The second instance surfaced in May 2008, when it was revealed that
various regional ISPs had contracted with Knobbed, a company that
provided highly targeted behavioral advertising solutions using DPI
equipment. In test deployments of this technology, all of the traffic
traveling over an ISP's network was routed through a DPI appliance
which collected data on specific users, including websites visited,
terms searched for and services and applications used. This data was
then sent to Knobbed, which in turn, used the data to create detailed
user profiles. These profiles were used to display highly targeted
advertisements, which were dynamically displayed to the user as he or
she surfed the Web.
In May 2008, Representatives Edward Markey (Chairman, Subcommittee
on Telecommunications and the Internet) and Joe Barton (Ranking Member,
Senate Committee on Energy and Commerce) sent a letter to Knobbed,\7\
asking the company to put its pilot tests on hold, pending an
investigation into the company's practices. A coalition of 15 consumer
advocacy and privacy groups publicly voiced their support for this
letter and urged the Congressmen to continue their investigation of
Knobbed and other behavioral advertising companies.\8\ In June 2008,
Public Knowledge and Free Press released a technical analysis of
Knobbed's behavioral advertising system, authored by networking
researcher Robb Topolski.\9\ The report revealed that Knobbed and its
partner ISPs repeatedly violated the privacy of users, with little or
no notification that DPI equipment was being used. Following the
release of the report, the House Committee on Energy and Commerce
convened a hearing on the topic of DPI, wherein Knobbed CEO Bob Dykes
was asked to testify.
---------------------------------------------------------------------------
\7\ Representative Edward J. Markey and Representative Joe Barton,
Letter to Neil Smit, President and CEO, Charter Communications (May 16,
2008), available at http://markey.house.gov/docs/telecomm/
letter_charter_comm_privacy.pdf.
\8\ Center for Democracy and Technology et al., Letter to
Representatives Markey and Barton (June 6, 2008), available at http://
www.cdt.org/privacy/20080606markeybarton.pdf.
\9\ See Public Knowledge and Free Press, Knobbed and Partner ISPs:
Wiretapping, Forgery and Browser Hijacking (June 18, 2008) available at
http://www.publicknowledge.org/pdf/nebuad-report-20080618.pdf.
---------------------------------------------------------------------------
On August 1, 2008, the House Committee on Energy and Commerce
followed up with a letter to 33 ISPs and software companies asking for
details regarding how they were using DPI and whether and how they were
disclosing those uses to their customers.\10\ As a result of the
Congressional scrutiny, all of Knobbed's ISP partners, including WOW!
(Wide Open West), CenturyTel, Charter, Bresnan and Embarq, have decided
to put a hold on their test deployments with Knobbed. In September
2008, Bob Dykes announced that he was leaving Knobbed and following his
departure, the company announced that it was abandoning its behavioral
advertising initiatives, in favor or more traditional advertising
technologies.
---------------------------------------------------------------------------
\10\ See John D. Dingell (Chairman, Senate Committee on Energy and
Commerce), Joe Barton (Ranking Member, Senate Committee on Energy and
Commerce), Edward J. Markey (Chairman, Subcommittee on
Telecommunications and the Internet), Cliff Stearns (Ranking Member,
Subcommittee on Telecommunications and the Internet), Letter to ISPs
(Aug. 1, 2008), available at http://markey.house.gov/docs/telecomm/
letter_dpi_33_companies.pdf.
---------------------------------------------------------------------------
II. Deep Packet Inspection
To put it simply, Deep Packet Inspection is the Internet equivalent
of the postal service reading your mail. They might be reading your
mail for any number of reasons, but the fact remains that your mail is
being read by the people whose job it is to deliver it.
When you use the Internet for web browsing, e-mail or any other
purpose, the data you send and receive is broken up into small chunks
called ``packets.'' These packets are wrapped in envelopes, which, much
like paper envelopes, contain addresses for both the sender and the
receiver--though they contain little information about what's inside.
Until recently, when you handed that envelope to your ISP, the ISP
simply read the address, figured out where to send the envelope in
order to get it to its destination, and handed it off to the proper
mail carrier.
Now, we understand that more and more ISPs are opening these
envelopes, reading their contents, and keeping or using varying amounts
of information about the communications inside for their own purposes.
In some cases, ISPs are actually passing copies of the envelopes on to
third parties who do the actual reading and use. In others, ISPs are
using the contents to change the normal ways that the Internet works.
And for the most part, customers are not aware that their ISPs are
engaging in this behavior--much like if the postal service were to open
your letter, photocopy it, hand that copy to a third party and then re-
seal the letter, so that you would never know it had even been opened
in the first place.
III. The Privacy Implications of DPI
It should be clear that the very nature of DPI technology raises
grave privacy concerns. An ISP, by necessity, sees every piece of data
a user sends or receives on the Internet. In the past, ISPs had little
incentive to look at this information and the related privacy concerns
provided a strong deterrent against doing so. However, now that
technology is widely available to make use of and monetize this
information, companies are exploring the limits of what they can do
permissibly.
When evaluating an implementation of DPI technology, there are
three basic questions that must be answered in order to assess both the
impact on a user's privacy and acceptability of use of the technology
in question:
1. Purpose: What purpose is the collected data being used for?
2. Collection: How is the data collected and utilized?
3. Consent: How was affirmative informed consent obtained?
An understanding of these questions can inform legislators and
policymakers in the formation of policies, which will adequately
protect users of Internet connections and services. The uses for DPI
are myriad, and most raise serious privacy concerns, but each use
should be measured individually against a comprehensive privacy policy.
It is also important to note that there are two parties to any
Internet communication. In almost all cases, the party on the other end
of a user's line will have no meaningful ability at all to know what
kind of monitoring is being employed by that user's ISP or what is
being done with the collected data, and will have no opportunity at all
to give or to deny consent. For example, if I send you an e-mail and my
ISP is using DPI to read the contents of my e-mails, your privacy has
just been violated without your knowledge or consent. Any comprehensive
privacy policy that addresses technologies like DPI must take into
account not only the privacy rights of an ISP's customers, but also
those of anyone who communicates with these customers.
A. Purpose
Given DPI's potential to be used as an intrusive tool, we must
first ask why the user's traffic is being collected or analyzed at all.
Is the use of DPI integral to the functioning of the network or is the
technology simply being used to provide the ISP with an additional
revenue stream? Does the technology in question primarily benefit the
ISP's bottom line, or does it give direct benefits to the customer's
use of the Internet? Is it used to protect users or the integrity of
the network, or simply to offer new or improved additional services?
Not all uses of DPI are inherently problematic. The first
widespread uses of DPI were for security purposes: to stop malicious
programs like viruses and worms from passing from one infected computer
to another over the Internet. However, as seen in the recent complaint
and decision against Comcast at the Federal Communications Commission
(FCC), DPI can also be used to engage in impermissible, discriminatory
network management practices. Taken to an extreme, we can even imagine
a future where DPI is used to record and disseminate every single move
a user makes on the Internet--from web browsing, e-mail and instant
messaging to VoIP phone calls and video chats--to the ISP's own
business advantage.
Understanding the purpose of DPI use is the first step to
understanding whether that use will violate a user's expectations of
privacy.
B. Collection
After we understand the purpose of a particular use of DPI, we can
analyze how the data is collected and used toward that purpose. Is the
user's data being collected by the ISP for its own use, or is it being
passed to a third party with no connection to the user? Is all of the
user's data collected, or a smaller subset of the data? Is the amount
collected narrowly tailored to achieve the stated purpose, or broader
than necessary, or is the amount of data actually used smaller than
that collected?
It is important to note here that we should evaluate both the
amount of data which reaches the party using it, and the amount of that
data which is used. This is because additional data that is sent to a
third party provides more opportunity for abuse of user privacy--even
if that third party later chose to discard some of the more personal
information. For instance, even though companies like Knobbed may
choose to ignore the personal medical records or e-mails of its
partner's customers, they were provided the data to do exactly that.
This problem is compounded by the fact that an ISP or partner must
engage in DPI to even discover what type of data is being transmitted,
thereby possibly violating the user's privacy before any decision is
made regarding what is to be done with the data.
It is also necessary to identify the ways in which the collected
data might be tied to the user's actual identity. Is the data obtained
using DPI explicitly tied to data obtained through other means--for
example, the ISP's billing information, demographic information, or
personal information stored on a third-party website? Can the collected
data be later aggregated with this type of information? Will the data
itself contain personally identifying information (PII), such as names,
addresses, and credit card information submitted to websites? These
questions are important because if the data in question contains PII or
if it is later connected with other user data, the privacy implications
are multiplied.
Implicit in the data collection question are also questions about
data storage. Is the collected data kept by the party using it? If so,
for how long? Is it kept in its original, complete form, or in some
type of summary? Is any PII kept with the stored data?
Understanding what and how data is collected and how well that
comports with the stated purpose of the collection is necessary to
evaluating whether the collection will violate users' privacy
expectations.
C. Consent
No inspection of a user's data will be acceptable without that
user's affirmative, informed consent or law enforcement obligations. To
ensure this is obtained, we must evaluate both how users are notified
of the ways in which their ISP and its partners intend to use DPI, and
the method by which those users affirmatively consent (or decline to
consent) to those uses. To do this, we must ensure that before a user's
data is inspected, the user actually receives complete, useful
information, and that the user knowingly and affirmatively assents to
the stated uses.
Are the answers to the above questions about purpose and collection
accessible for users, and complete in the information they divulge? If
any third parties are involved in the monitoring, are their identities
provided for the user? Are the answers written so that the average user
can make sense of them? Are the policies in question detailed in a
place and manner that ensures that the user is likely to read them? Is
the user actively notified of the presence of and changes to policies
and monitoring activities, or are changes made to web pages and written
into the Terms of Service--without any notification to the user?
Without accurate and easily understandable information that a user is
actually aware of, that user cannot make informed choices about how
best to manage his or her privacy online.
Finally, what is the process by which users agree (or decline to
agree) to the use of these technologies? Are they subject to DPI before
they receive meaningful notice of its use, or is the user required to
take an affirmative action before his or her data is recorded or
analyzed? Is the information and the action specific to the monitoring
activities, or is it hidden in a larger ``Acceptable Use Policy,''
``End User License Agreement,'' or other document? Does the user have
the meaningful ability to change his or her choice later? Is the user
actively offered a periodic chance to withdraw consent, or is he or she
only asked once? And is the option not to consent a real one, without
crippling or disabling of the user's service as the only alternative?
Without meaningful, informed, affirmative consent on the part of
the user, personal data should not be used for any purpose that is not
necessary to providing basic Internet service.
IV. ISP Disclosures
In response to Chairman Dingell and Ranking Member Barton's letter,
33 ISPs and software companies described whether and how they were
using DPI and whether and how they were disclosing those uses to their
customers.\11\ These responses are helpful in understanding how, to
date, the above three questions have been answered unsatisfactorily.
---------------------------------------------------------------------------
\11\ All 33 response letters are available at the House Energy and
Commerce Committee's Subcommittee on Telecommunications and the
Internet website at http://energycommerce.house
.gov/Press_110/080108.ResponsesDataCollectionLetter.shtml.
---------------------------------------------------------------------------
Carriers that responded to the letter fell into two basic camps.
The first group of ISPs did not employ Knobbed's services and did not
use any similar DPI equipment. These ISPs generally had not deployed
any technologies that could track individual users' browsing habits or
correlate advertising information with personal information possessed
by the ISP.\12\
---------------------------------------------------------------------------
\12\ See, e.g., Response Letters of AT&T, Verizon, and Time-Warner.
---------------------------------------------------------------------------
The second camp contained those ISPs who performed trials of or
deployed third-party DPI-based behavioral advertising systems.\13\
Importantly, these ISPs generally did not inspect user data themselves,
but passed it off to their partners for analysis. According to these
ISPs, they were assured that measures were in place to ensure that
those partners did not retain medical information, personal data, e-
mails, or other types of especially sensitive data.\14\ Also, all of
these ISPs stated that they and Knobbed did not tie the tracked
Internet data to personal customer data already known to the ISP
(billing information, etc.).\15\
---------------------------------------------------------------------------
\13\ See, e.g., Response Letters of WOW!, Charter Communications,
Knology, and CenturyTel.
\14\ See Response Letter of Charter Communications 2.
\15\ See Response Letter of Knology 1.
---------------------------------------------------------------------------
However, as a technical matter, the personal data embedded in a
user's Internet communications was handed off to the ISP's partners,
when the ISP itself is actually responsible for safeguarding its users
data. In some cases, the identity of the partner was not divulged to
the user. These partners had no direct interactions with the user,
meaning that final control of what data was used and how rested not
with the user or even the ISP, but with this third party. To return to
the postal service analogy, it is as if the ISPs photocopied users'
letters and handed these copies to third parties, who agreed to only
write down which commercial products were mentioned in the letters, and
not anything else that someone might consider sensitive. However, the
decision as to what, exactly, should be considered `sensitive,' is not
made by the user but rather, by this third-party company.
Customer notification and consent varied from ISP to ISP, but there
were significant trends. ISPs generally posted modified terms of
service and often updated the `Frequently Asked Questions' section on
their websites, but usually declined to directly contact users or call
attention to the significance of the new service. Knology, for
instance, updated their Customer Service Agreement on their website,
which is presented to new users, but apparently made no other attempt
to draw attention to the change.\16\
---------------------------------------------------------------------------
\16\ See Response Letter of Knology 2.
---------------------------------------------------------------------------
The level of detail in the disclosures also fell far short of the
minimum that is necessary for customers to make an informed decision.
For example, CenturyTel sent an e-mail informing users only that it had
``updated its Privacy Policy concerning Internet Access Services'' and
provided a web link to the updated policy.\17\ The policy in question
stated only:
---------------------------------------------------------------------------
\17\ Response Letter of CenturyTel 3. 18 Id. 3 (emphasis added).
Online Advertising and Third-party Ad Servers.
CenturyTel partners with a third party to deliver or facilitate
delivery of advertisements to our users while they are surfing
the Web. This delivery of advertisements may be facilitated by
the serving of ad tags outside the publisher's existing HTML
code. These advertisements will be based on those users'
anonymous surfing behavior while they are online. This
anonymous information will not include those users' names, e-
mail addresses, telephone number, or any other personally
identifiable information. By opting out, you will continue to
receive advertisements as normal; except these advertisements
will be less relevant and less useful to you. If you would like
to opt out, click here or visit http://www.nebuad.com/privacy/
servicesPrivacy.php.\18\
---------------------------------------------------------------------------
\18\ Id. 3.
---------------------------------------------------------------------------
A later letter sent out by CenturyTel stated the following:
CenturyTel continually looks for ways to improve your overall
online experience. In that regard, we have enhanced our High-
Speed Internet service by working with partners to provide
targeted, online advertising for your convenience and benefit.
Targeted, online advertising minimizes irrelevant or unwanted
ads that clutter your web pages. If you do not wish to receive
targeted, online advertisements, or if you would simply like
more information about CenturyTel's use of online advertising,
third-party ad servers and the measures you can take to protect
your privacy, please review our Privacy Policy by visiting
http://www.centurytel.com/Pages/PrivacyPolicy/#adv.\19\
---------------------------------------------------------------------------
\19\ Id. 3-4.
No mention is made at all of providing actual user data (let alone
all of a user's packets) to third parties. Only a single mention of ads
being ``based on those users' anonymous surfing behavior'' is offered
in the first notice, and the second presents the service only as
enhanced, ``targeted advertising for your convenience and benefit''
without mention of the methods involved to deliver said advertisements.
It's worth noting that these examples are not unique to CenturyTel or
even unusual; rather, they are indicative of the level of detail
provided in many ISP notices. Such notices do not make clear to the
user what is actually being done with the data they send and receive
over the Internet. None of the ISPs appears to have required that a
user take any affirmative action at all before having their data handed
wholesale to a third party. Inaction or failure to read the notice was
simply treated as an `opt-in'.
It is important to note that nearly every ISP that responded
mentioned that they run their own websites, and use traditional
tracking methods such as cookies to observe and record the behavior of
their customers on their sites, much like Google, Yahoo, Microsoft, and
many other web service providers do. Likewise, many ISPs also use what
is called a ``DNS redirect,'' which, rather than returning an error to
a user's web browser when he or she types in an incorrect web address,
redirects the user to another web page which may have related
suggestions, advertisements, or other information.
These non-DPI practices have privacy implications that overlap with
the ones being discussed today, but which are different in kind and
scope. It is the difference between you writing down what I tell you on
the phone and my phone company recording my conversation with you
because unlike my phone company, you cannot record what I've said on my
phone calls to other people. Nonetheless, the privacy practices of and
personal information available to application providers raise their own
serious questions of legal policy, and any regulatory regime we
consider must be comprehensive and attempt to ensure the protection of
Internet users against privacy invasions from all such sources.
V. Current Law
Independent analysis by the Center for Democracy and Technology
suggests that although it is far from clear, despite ISP claims,\20\
past experiments with DPI and behavioral advertising of the type
engaged in by Knobbed may run afoul of existing law. Critically,
however, some of the laws in question might not apply if the ISP
engaged in this behavior internally, instead of delegating
responsibility to a third party.\21\ Thus, an ISP might legally be able
to read and analyze all of its customers' communications as long as it
does so itself--hardly an improvement in privacy.
---------------------------------------------------------------------------
\20\ See Center for Democracy and Technology, An Overview of the
Federal Wiretap Act, Electronic Communications Privacy Act, and State
Two-Party Consent Laws of Relevance to the Knobbed System and Other
Uses of Internet Traffic Content from ISPs for Behavioral Advertising,
(July 8, 2008), available at http://www.cdt.org/privacy/
20080708ISPtraffic.pdf [hereinafter CDT Behavioral Advertising
Overview].
\21\ See id. at 6-9.
---------------------------------------------------------------------------
It is extremely important to note that without apparent exception,
every ISP that responded to Chairman Markey's letter concluded that
both the tracking and opt-out mechanism were legal, or at the very
least, were ``not unlawful or impermissible.'' \22\ One ISP even went
so far as to claim that it ``offered customers easy-to-use opt-out
mechanisms as recommended by the FTC.'' \23\ However, even the ``opt-
out'' method was questionable, as the act of opting out did not stop
the delivery to and monitoring by the third-party partner but only the
presentation of targeted ads and stored profiles.\24\
---------------------------------------------------------------------------
\22\ Response Letter of CenturyTel 2-3 (Aug. 7, 2008). Cable One
does describe their disclosures in their Acceptable Use Policies as
``opt-in'' because the user must check and acceptance box, but this
does not qualify as either an affirmative step specific to monitoring
or a meaningful opportunity to deny consent, because the alternative is
no Internet service at all. See Response Letter of Cable One 3 (Aug. 8,
2008).
\23\ Response Letter of Charter Communications 2 (Aug. 8, 2008)
(emphasis added).
\24\ Ryan Singel, Congressmen Ask Charter to Freeze Web Profiling
Plan, Threat Level from Wired.com (May 16, 2008). See also Ryan Singel,
Can Charter Broadband Customers Really Opt-Out of Spying? Maybe Not,
Wired (May 16, 2008).
---------------------------------------------------------------------------
Yet to date, no enforcement actions have been taken against a
practice that is of significant concern to citizens and lawmakers
alike. Regardless of whether or not the actions taken by ISPs are
technically legal, the existing legal regime is clearly not effective
at preventing such privacy violations. And if ISPs believe they can
legally and profitably engage in this behavior with only a minimal
effort made to notify and protect users, they will continue to do so.
To the credit of the ISPs here today, several providers have made
commitments to ensuring that there is transparency, affirmative
consent, and ongoing control by customers. For example, Time-Warner's
testimony suggests control, transparency, disclosure, and safeguarding
personal information as principles on which to base a privacy
framework. AT&T states that the company will not engage in behavioral
advertising without affirmative, advance action by the consumer that is
based on a clear explanation of how that information will be used. But
while these are laudable principles and we applaud the carriers here
today for their stated commitment to customer privacy, promises by
individual ISPs are not enough and do not obviate the need for a
comprehensive governmental policy.
Part of the reason for the current lack of enforcement can be
traced to ambiguity in the FCC's authority to protect the privacy of
Internet users, despite the FCC's time-honored role in protecting the
privacy of communications as a whole. Congress has long recognized that
providers of communications services occupy an especially sensitive
position in society. As data conduits, communications services are
uniquely positioned to track customers and collect information about
their daily lives. The Communications Act, which created the FCC,
contains provisions designed to protect the privacy of telephone and
cable customers. But those same protections have yet to be
unambiguously extended to Internet customers. As a result, customers
cannot be confident that their sensitive information is protected from
unwanted intrusion. In a society where Internet services are
increasingly used to transmit personal and sensitive information, this
is clearly problematic.
Section 222 of the Communications Act applies to the privacy of
customer information collected by common carriers.\25\ The statute
recognizes that ``individually identifiable consumer proprietary
network information'' is created by, and critical to the functioning
of, telecommunications services.\26\ However, the statute strictly
limits the use of that information to applications that handle tasks
like billing and the maintenance of network integrity.\27\ Carriers are
allowed to provide aggregate consumer information to third parties, but
this information must have both ``individual customer identities and
characteristics'' removed.\28\ Viewed holistically, this section
manifests a Congressional understanding that common carriers have
access to sensitive personal information, and that common carriers have
legitimate reasons to use that data. However, this understanding is
balanced by strict prohibitions against any non-essential use or the
disclosure of sensitive data.
---------------------------------------------------------------------------
\25\ 47 U.S.C. � 222.
\26\ See 47 U.S.C. � 222(c)(1).
\27\ See 47 U.S.C. � 222(d).
\28\ See 47 U.S.C. � 222(c)(3), (h)(2).
---------------------------------------------------------------------------
Although many common carriers provide Internet services to
consumers,\29\ such Internet services are not covered under Section
222.\30\ As a result, plain old telephone customers can be confident
that sensitive information contained in their phone records will be
kept confidential, but they cannot enjoy the same level of confidence
when it comes to sensitive information that Verizon might compile using
their DSL Internet activity.
---------------------------------------------------------------------------
\29\ See, e.g., Verizon, http://www.verizon.com/.
\30\ See National Cable & Telecommunications Assn. v. Brand X
Internet Services, 545 U.S. 967 (2005).
---------------------------------------------------------------------------
Section 631 of the Communications Act also marks an attempt by
Congress to protect the privacy of consumers, this time from cable
system operators. Again, the statute recognizes the fact that operators
will need to collect and use some personally identifiable information
in order to operate their systems. However, these operators are
required to obtain written permission from consumers in order to
collect any personally identifiable information that is not crucial to
the operation of the system.\31\ Additionally, operators are required
to obtain prior written or electronic consent before disclosing any
personally identifiable information.\32\ The statute does not impose
these same protections on aggregate data that does not identify a
particular customer,\33\ and allows an operator to disclose names and
addresses of subscribers as long as that information is not tied to use
or transactional information.\34\
---------------------------------------------------------------------------
\31\ See 47 U.S.C. � 551(b).
\32\ See 47 U.S.C. � 551(c)(1).
\33\ See 47 U.S.C. � 551(a)(2)(A).
\34\ See 47 U.S.C. � 551(c)(2).
---------------------------------------------------------------------------
As with Section 222, Section 631 specifically protects sensitive
information that network operators are uniquely positioned to collect.
However, unlike Section 222, which applies to phone customers but not
Internet service customers, Section 631 is written to apply to both
cable television subscribers and cable Internet subscribers.\35\
---------------------------------------------------------------------------
\35\ See 47 U.S.C. � 551(a)(2)(C)(ii).
---------------------------------------------------------------------------
Unfortunately, not all customers access the Internet by way of a
cable system. In addition to unprotected DSL service, customers can
access the Internet via a fiber optic network, a satellite based
service, or by using one of many wireless Internet standards. Instead
of relying on old categories that may protect some (but certainly not
all) consumers, Congress must recognize that all Internet service
providers share the same privileged position of access to their users'
personal data. As a result, Congress should collectively protect
customers with legislation that specifically addresses all Internet
service providers, rather than legislation that effectively forces
customers to access the Internet via a single, protected pathway.
The time has come for a comprehensive regulatory structure that
will ensure that the privacy rights of all Internet users are
protected, and one that, like the Telecommunications Act of 1996,
``expands very important privacy protections to individuals in their
relationships with these very large companies.'' \36\
---------------------------------------------------------------------------
\36\ Statement of Congressman Edward Markey, 142 Cong. Rec. H1145-
06 (Feb. 1, 1996).
---------------------------------------------------------------------------
VI. Fixing the Law
Given the power of the technology and the scope of possible uses,
it is critical that we establish industry guidelines and legal
protections for users. And while the use of personal data by
application providers is not the focus of our discussion today, as
discussed above, any solution should strive to be comprehensive in
scope and ensure that the basic principles of privacy protection are
applied across the entire Internet ecosystem. These protections should
meet three major goals that parallel the privacy inquiries described
above:
They must ensure that the purpose of the use of customer
data is one which can be consistent with consumers' privacy
expectations.
They must ensure that the amount and type of data collected
is narrowly tailored to the proposed use, and that the data is
not kept or disseminated to third parties past what is
necessary to that use.
They must ensure that customers have access to and actually
receive adequate information about the proposed use, and have
affirmatively and actively consented to any practices which
could violate customers' expectations of privacy.\37\
---------------------------------------------------------------------------
\37\ The FCC has already presented us with an example of how
Commission action and ISP disclosures can be used to help protect
Internet users from privacy invasions and impermissible network
management practices. In its order finding that Comcast's interference
with customer traffic was not reasonable network management, the
Commission ordered Comcast to fully disclose the details of its past
and planned practices, including use of DPI. See Federal Communications
Commission, Memorandum Opinion and Order � 54-56 (August 1, 2008),
available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-
183A1.pdf. Given the authority, the Commission could make this type of
disclosure an industry-wide baseline to ensure that customer's
decisions about granting consent are based on good, complete
information backed the force of law.
---------------------------------------------------------------------------
In order to achieve these goals, the Committee should seek to pass
legislation to encapsulate these requirements and to make it clear that
the FCC has the power to enforce them. As the Commission observed in
1998, ``The [Communications Act] recognizes that customers must be able
to control information they view as sensitive and personal from use,
disclosure, and access by carriers.'' \38\ The Committee and Congress
need only make it clear that Internet user privacy is another area of
communications where the Commission is empowered to protect consumer
privacy.
---------------------------------------------------------------------------
\38\ Federal Communications Commission, Common Carrier News Release
(Feb. 19, 1998), available at http://www.fcc.gov/Bureaus/
Common_Carrier/News_Releases/1998/nrcc8019.html (clarifying permissible
uses of Customer Proprietary Network Information).
---------------------------------------------------------------------------
VII. Conclusion
I would like to thank the Committee again for giving me the
opportunity to testify today. Public Knowledge is eager to work with
the Committee to craft comprehensive privacy legislation that will
protect Internet users. I look forward to your questions.
Senator Dorgan. Ms. Sohn, thank you for your testimony.
Why do we not start with where you concluded on deep packet
inspection? I know that our colleagues in the House had sent
questionnaires to Internet service providers and have received
some responses. How extensive do you think is this tactic of
deep packet inspection?
Ms. Sohn. Well, it was more extensive than it is now.
Because of the scrutiny over on the House side and also over
here, several of the ISPs that were using deep packet
inspection have ceased using deep packet inspection. There was
such an outcry. However, some are still using deep packet
inspection.
And as I said before, a number of those--actually all of
the providers that were using deep packet inspection who
responded to the House said that they believed that they were
fully acting within the law and that what they did to protect
consumers was adequate. And speaking to some of the folks--I
will let them speak for themselves--on my right, I know some of
them are considering using DPI as well, albeit with the
protections that they have outlined today.
Senator Dorgan. Is there a beneficial use of deep packet
inspection, for example, attempting to determine who is out
there that is providing viruses? So is deep packet inspection a
process that in some cases can be beneficial?
Ms. Sohn. Absolutely. Public Knowledge has been saying in
the 7 years of its existence, that you do not outlaw
technology. You outlaw bad uses of technology, and DPI, as you
stated, can be used for lawful and very beneficial purposes.
Senator Dorgan. But the testimony and knowledge we have,
for example, of NebuAd and others says that the purpose of deep
packet inspection is to track people's behavior in a wide range
of areas and then profile and do targeted advertising to that
profile, which is done, I assume, largely without the knowledge
of the user, which is very troublesome.
Ms. Attwood, you indicated to me that the fact that the
Senate and the House are beginning to evaluate these things was
helpful to your company because these are relatively new issues
and it really caused your company to be thinking what kind of
policies do we employ, how do we go through this and develop
policies internally. And I think that is commendable.
The question I think for the three providers here is what
kind of information do you collect at this point. What kind of
movements do you track and for what purpose?
Ms. Attwood. Well, it is a great question. I guess I would
elaborate. Here we are talking about behavioral advertising.
Senator Dorgan. Right.
Ms. Attwood. And in that context, we are not engaged in
that practice today. And we commend you and this Committee and
the attention and the effort to look at the way in which
collection of material has affected or prompted our consumers
to identify what they are concerned about.
That allows us to actually look as we enter into these
phases to say can we use privacy as a design element. Rather
than as a regulatory requirement or as something after the fact
that we have to look at, let us look and say our products and
services--privacy will be by design. And that is what this
dialogue allows us to do. It allows us to as an industry
galvanize around how we can construct the right framework so
that we can bring the benefits of both the advantages of an
advertising-supported model, which is really an innovation in
the Internet area, as well as the capabilities of protecting
the privacy of our customers.
So we have millions of customers, and therefore we have
lots of information that we use to improve the services and
products of our customers. There is a lot of value that can be
created and innovation that can be created in offering
additional targeted advertising, as well as additional value
propositions to the customer. We think that is something today
that has proved itself, whether it is affinity cards or whether
it is in some things that you already see. Those are areas
where we are hopeful we can help innovate, as long as we
consider privacy by design.
Senator Dorgan. As a consumer and an Internet user, I see
the value of targeted advertising because if I am on the
Internet wanting perhaps buy a pair of shoes and then I see
targeted advertising coming at me advertising certain kinds of
shoes, perhaps even that same brand, I understand that someone
saw I was looking at shoes, and so they were trying to provide
additional advertising about shoes. In many ways that is
useful, perhaps in some cases annoying, but in many other cases
useful.
But the other side of this is that an Internet service
provider would have a substantial body of knowledge. Let us
assume that my two colleagues, Senator Klobuchar and Senator
Thune, are customers of the same provider. You would have a
substantial amount of information about each of them, what they
have done, what their travels have been on the Internet, where
they have visited, and so on. And that could have enormous
financial value to a company. And someone comes to your company
and says, you know what? That information you are sitting on
has great, great value. We will pay a lot of money for it. So
that is where the advertising model on the Internet confronts
the issue of privacy that is very, very important.
So I appreciate the testimony today. I think all three of
you have said that your companies have had to sink their teeth
into this question of how do you deal with the privacy issue.
You have all talked, I think, about the opt-in strategy doing
so in a manner that has a customer that is fully informed.
I have seen a number of opt-in strategies that I think, Mr.
Tauke, you mentioned. People do not have the foggiest idea
whether they have opted in or opted out. They have simply
pushed the ``OK'' button with the cursor, and so there they
are.
This is a really interesting set of issues. I did indicate
that if somebody followed you into a mall with a clipboard and
traced everything you not just bought or store you visited, but
every single item you looked at, you have great angst about
that. Who on earth is doing this? And yet, that potential
exists. And so that is why we have to try to deal with this
tension between constructive advertising models on the Internet
and the right to privacy.
Senator Klobuchar is next.
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Thank you very much, Chairman Dorgan.
Thank you for having this hearing. Thank you to our witnesses.
At the last hearing on this, I expressed my views that
Americans have a love-hate relationship with advertising on the
Internet. We want to see some of it, and then some of it we do
not want.
I made the mistake, Mr. Chair, of using the example at the
last hearing of how I liked to see ads pop up for deals on
clothes, but I do not like it when my daughter who is 13 sees
ads for American Girls. And as a result, I would just like the
record to reflect, I got several letters from defenders of
American Girl dolls. It was in the Los Angeles Times--my quote.
And I just want the record to reflect that I have nothing
against the American Girl dolls, including Kirsten, Molly,
Kaya, and Kit Kittredge, which movie I just saw. So if you
could just make that clear.
Senator Dorgan. Well, the permanent record will reflect----
[Laughter.]
Senator Klobuchar. Thank you very much.
I actually just had some questions looking at your
testimony and thinking about what we talked about last time.
You know how when you have your credit record, you are able to
go back and clear it up and see what information is on there.
Do you think you should have the same ability to do that as a
consumer with any information that might be on there on your
shopping record or the information on you on the Internet? I do
not know who wants to take that.
Ms. Attwood. I am happy to address that. I think that is
one of the issues that would be interesting to develop, the
question of whether the customer not only can control the
information that is collected, but also can identify and see
what they look like online. And even more to your point--and I
do not want letters either, although I do not think I would get
them from American Girl.
Senator Klobuchar. These were just consumers for American
Girl, not the company.
Ms. Attwood. Maybe ultimately down the line you would be
able to have some flexibility in identifying what
advertisements you want to see and what you do not want to see.
So those could be age-specific. Those could be related to your
household, a particular interest in your household.
So the concept of customer control, the concept of using
the capabilities and enhancements of the technology to help
customize that experience is something of an exciting prospect
so long as we protect and really embrace the notion of privacy.
Senator Klobuchar. Mr. Stern?
Mr. Stern. Thank you, Senator.
If I may just add, not only does customer consent allow the
consumer to opt in, if they want to have online advertising be
targeted, but they can also opt out. And that gives them a
unique ability to do something that they cannot do with their
credit report, which is to wipe the slate clean. And so we
think that that is actually an important part of this, giving
customers the ability to make a decision and later change their
mind.
Senator Klobuchar. Very good. And the technology is
available to do that?
Mr. Stern. Yes, it is.
Senator Klobuchar. If we were to put together some
legislation at some point--and I know all three of you would
rather have it be self-regulating, but if Federal privacy
regulation is considered in Congress, what would you think the
key would be to this potential legislation? What do you think
should be in that? Are there any models you would look at like
the European data privacy law, or what would you look at to do
that? Mr. Tauke?
Mr. Tauke. Well, Senator, first of all, you are right. At
this juncture, we are not prepared to embrace legislation. We
actually think that there are some models on the books already
that could be useful. I mentioned in my testimony the
advertising industry's model where the FTC is the enforcing
agency.
One of the reasons why we are a little unsure about
legislation at this juncture is because this technology is
developing so rapidly, and there are different technologies
that are being used to do different things. As I think all of
us have alluded to in one way or another, the technology is not
in and of itself bad. The technology can do terrific things in
order to enhance online experiences. It is how it is handled
and what the consumer role is.
So having said that, with legislation I believe the notion
of meaningful consent and the consumer in charge of their
online experience are the two key elements. Exactly how that
translates into the technology of today and the technology and
practices of tomorrow is a little uncertain yet. That is why I
think if the industry could, in a sense, help establish some
best practices ourselves, try to keep up to date with that
stuff, get all the players involved, because the consumer does
not care who is tracking--you know, it is the same impact no
matter who is doing it--if we could do that and then that might
inform the Committee too of what we are doing and where gaps
may be and if you should step forward with some additional
legislation.
Senator Klobuchar. Do you think competition could push,
though, some of your fellow competitors not to keep up with
those regulations?
Mr. Tauke. Competition works both ways on this issue,
Senator. I mean, I think what we have found in our history on
some of these issues is being on the side of the consumer and
privacy is not a bad deal. We have had some fairly highly
publicized lawsuits over the last few years trying to protect
our consumers' privacy, and we think that benefited us in the
marketplace.
When we have dealt with issues like--I remember a couple
decades ago now, I guess, when we were dealing with caller ID.
In other words, there were a lot of fits and starts with caller
ID. Initially it was thought to be a great privacy protector
because you could see who is calling you. Then, of course,
there was concern that, oh, now the estranged husband knows
something about who is calling the wife and various other
things that happened. And so there was concern from a domestic
violence perspective and so on. Then we had blocking that came
into play and various other things happened with the
technology.
So we evolved to the place today I think where most
consumers really like the technology, the information it
provides. They know how to protect themselves if they do not
want their number following their call.
So I think it is the same thing here. We have to, over
time, figure out how to do this the right way.
But I think it is in our company's interest to be on the
side of privacy. I think that is a marketing advantage. I think
that for the industry as a whole, it is essential that we get
there. The worst thing for our industry is the consumers are
afraid to use the Internet.
Senator Klobuchar. And I would agree with you, especially
from larger, mainstream companies that do not want to be tarred
with having not protected privacy rights. But not all the
companies in the game might care about that as much. And that
is why I am looking at some rules that could maybe protect your
own industry if you had some rules that you already believe are
in your best interest that could protect the consumers from
other companies which might not share your interests in
protecting privacy as a marketing and as a good thing to do as
a company.
Ms. Attwood. Yes. I would like to underscore that because
not all folks in this space have consumers that they answer to.
We fully agree with Verizon's position about this being a
marketing advantage. AT&T views that absolutely as a great
opportunity here. But right now there is behavioral targeting
in the online environment, and it is by web actors who do not
have direct customers to answer to.
The beauty of an advertising-supported model is that it is
free. The disadvantage is that your customer is your
advertising industry. It is not retail. It is not our
customers. So while I think that there is a direct advantage
that we have to our customers, I think we would, at AT&T, say
another key element to any legislative proposal would be that
it apply to all actors because that is really the only way. I
mean, we talk a lot about from a competitive point of view, and
clearly that is of interest to AT&T.
But I would say from a customer confusion question, without
really addressing this issue holistically, when the customer
turns on the computer and goes to a web page and on that web
page there is advertising and on that advertising, that
customer has indicated to AT&T that they do not want to be
tracked, I cannot do anything to protect that customer from
being tracked by other entities that are, in fact, appearing in
that advertising space.
So until we address this holistically, even efforts from
companies such as ours suggesting that there ought to be
control and ought to be affirmative selection by the customer
cannot be implemented fully, and the customer can be confused.
Senator Klobuchar. Thank you.
Senator Dorgan. We had other companies testifying at the
first hearing, and at that point we did not have the Internet
service providers, which is why we wanted to have Internet
service providers at this hearing. I understand the point you
are making.
Senator Thune?
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Thank you, Mr. Chairman.
And that was an interesting hearing, and this is an issue
that is getting a lot of attention, as you would expect. And I
do not think there is any question that online advertising is
the fuel for this economic engine that is really driving the
world right now. It has resulted in substantial access to free
content for people on the worldwide Web.
But I do want to pick up on the previous discussion here
because I think, Mr. Tauke, you had mentioned in your remarks
that the industry is working to develop self-regulating privacy
standards for online advertising. And to get back to Ms.
Attwood's point, one entity cannot do this. There has got to be
some sort of an agreement, I think, within the industry.
So I guess my question is, what is the time line for those
standards? Who is participating in developing those standards?
What are those standards going to look like? And will you keep
us updated as you progress down that road?
Mr. Tauke. First, we have signed some nondisclosure
agreements with some other companies that would not permit me
to today publicly disclose who all the players are. But I think
it is fair to say that there are ISPs, there are
representatives of other online types of activities. So I think
we are seeing people from all parts of the online sector, the
search engines, the browsers, and so on, who are interested in
participating in this kind of thing.
We also have talked to and engaged with some in the
advertising industry who also have an interest.
I cannot tell you we will get there, but I am encouraged by
the progress so far. And I think it is feasible that in over a
matter of a few months we would be able to get a pretty strong
group of players in the industry to move forward with best
practices.
Then the question becomes how do you enforce those. First,
there is a lot to be said for shining the light of day on a lot
of practices, and if industry is focused on doing that, it is
able to do that, and force change. That happened with this
Committee. This Committee held a hearing, and as the witnesses
have pointed out, people stopped their behavior because the
light of day was shined upon it. That is what an industry group
can do.
Second, as we have alluded to earlier, the Federal Trade
Commission also has jurisdiction in this area, has indicated it
intends to assert jurisdiction, and if informed by good
industry practices and standards, then I think the FTC would
have greater ability to act appropriately.
Senator Thune. Do you have a time line for when all this
might----
Mr. Tauke. What I would like to say to you is it will all
happen in 2 months. I do not know that I can say that. I think
this is a process. You are familiar with that, of course, in
the Senate. It is a process. I think we have made good
progress. I think as you have heard this morning, several
companies are endorsing very similar principles here. So I
think that there is a consensus developing. And I hope by the
end of the year, certainly by the time you come back, that we
can report back to you and give you progress on where we are. I
think we will have something fairly good to say.
Senator Thune. That would be really helpful because I think
that that is a preferable solution to having us try and
legislate something in this area. But it has to be at least, I
think, somewhat comprehensive in terms of the scope of those
from industry who are participating in order to make it
effective. So I would encourage you as you continue down that
track.
And I would direct this, I guess, to any of our panelists.
But you talk about sensitive information deserving a greater
degree of protection than regular online uses. And I guess the
question would be, what is considered sensitive personal
information? Is that a health record? Is that a credit card
history, e-mails? What qualifies in your judgment in that
category of sensitive information?
Mr. Stern. Senator, all of those could count as sensitive
information. Certainly medical information is sensitive. And we
believe that this opt-in framework ensures that we will protect
those forms of sensitive information.
We also think that there are certain types of information--
and medical information may be one of those--that merits a
dialogue between policymakers and participants in industry that
would put even more stringent controls around certain types of
information, including making it possibly entirely off limits
for activities like targeted online advertising.
Ms. Sohn. I think it is critical that it is the Internet
user who makes that choice as to what is sensitive. Right now
with deep packet inspection, sometimes it is a third party or
the NebuAd that is deciding what is sensitive and not. As you
point out, there is not a commonly understood definition of
what sensitive is. So that is, to me, a critical part of
putting control back in the Internet users' hands. They decide
what is sensitive as opposed to a third party with whom they
are not even contracting.
Mr. Tauke. Let me just say first this is a tough area. It
is hard to define exactly what the sensitive information is and
precisely how you handle it.
So, for example, we all agree, I think, that medical
records would be sensitive information. Yet, I get my
prescriptions online. I do not know about the rest of you. And
I want my online pharmacist to keep track of what I have. I am
happy when they send me a notice saying, you know, it is time
to renew your prescription. If I would get another prescription
that interacted inappropriately with what I have today, I would
hope that they would notify me and tell me that. So that means
we are asking them, on the one hand, to keep track of some of
these things. On the other hand, this is certainly information
that most of us would say should not be tracked.
So there are some fine lines here to draw. It is tough, but
I think that this is part of what we hope we can make progress
on in an industry process.
Ms. Attwood. I would also underscore what Gigi said, which
is absolutely creating tools to enable our users to be able to
individually assess what is sensitive will be a critical thing,
again, another potentially wonderful advance that we could use
the technology to actually empower the customer to orient
themselves around what is sensitive.
The last thing that the provider wants to do is make that
judgment. I can tell you whether Government makes it or the
user makes it, the last thing that we want to do is try to make
some judgment as to what is important to our customers when it
comes to sensitive information.
Senator Thune. Mr. Chairman, I have one more question. My
time is expired.
Senator Dorgan. Why don't you proceed?
Senator Thune. OK. I would like to have you describe--Mr.
Stern, you mentioned the difference between relevant online
advertising and targeted online advertising. Could you
elaborate on the difference between those two, and from your
perspective, are those different types of targeted online
advertising that are more problematic for consumer privacy?
Mr. Stern. Ads can be relevant for a number of reasons,
Senator. For example, when customers come to a Website and they
go to the sports page of that Website and then they see
advertisements for team memorabilia, that context was used in
order to make the ad relevant. However, if the relevance is
based on the customer's behavior on other unrelated Websites,
then we would consider that targeted online advertising, the
type of advertising that should be governed under the four
principles that we talked about earlier, informed consent, plus
safeguarding consumer privacy, and value.
Senator Thune. Thanks, Mr. Chairman. Thank you all very
much for your testimony.
Senator Dorgan. Senator Wicker?
STATEMENT OF HON. ROGER F. WICKER,
U.S. SENATOR FROM MISSISSIPPI
Senator Wicker. Thank you, Chairman Dorgan, for having this
follow up hearing.
You know, I was sitting here thinking John Thune came to
the House of Representatives in 1996. I got here in 1994. We
were talking about this thing called the worldwide Web. If we
had a little time during the orientation, we could go to a room
and surf the worldwide Web. And to think how far this industry
has come in 12 or 14 short years is just breathtaking.
I pay my bills. I check my balance. I make purchases. And
it is the engine that is largely driving the international
economy, and we want to be able to facilitate that for the
economy and for job creation and for consumers' convenience.
So I appreciate the fact that there seems to be a feeling
that the Congress should defer perhaps and see if these issues
of privacy and behavioral advertising can be worked out among
the participants rather than as a result of legislation.
I will begin with Mr. Tauke. Maybe within 2 months, we
might have an agreement announced among the providers. How will
they compare to the proposed behavioral advertising guidelines
of the FTC?
Mr. Tauke. I think all of the companies that are engaged in
discussion on this issue are well aware of the FTC's
principles. And of course, you never know the outcome of a
discussion until it is completed. But I think what the FTC laid
out has been very helpful and informative, and in turn, we
would hope what the industry could come up with would also be
helpful and informative to the FTC.
Senator Wicker. OK. Other panelists?
Mr. Stern. Senator, we think the principles that we have
proposed are very similar to what was laid out by the FTC, but
they actually go one step further in protecting consumer
privacy. And that is that we are seeking affirmative customer
consent for the use of any type of information for the purposes
of targeted online advertising, not just personally
identifiable information.
Senator Wicker. And would you explain what you mean by that
to a layman?
Mr. Stern. Absolutely. When you held your testimony in July
and met with NebuAd, they talked about the ability that they
had with their technology to anonymize the data that they
received so that they would track the customer's behavior, but
it could not be attributed to any individual. It would be used
to deliver relevant ads to that individual while they browsed,
but they could not tie it back to a person. They could not tell
that that browsing behavior was your browsing behavior,
although they could change your browsing experience based on
the information.
What we are proposing is that we would not even do what
NebuAd talked about, absent affirmative customer consent. In
other words, we would not use your information whether or not
we could attribute it to you personally to deliver targeted
online advertising to you.
Senator Wicker. I see.
Other members of the panel?
Ms. Attwood. Well, I would just say I think that the FTC
process has greatly informed our industry discussions. They
were able to, along with great work that has been done in the
privacy consumer community by Ms. Sohn's group, by CDT, others
that have helped shed light on the issue, helped identify the
practices that are most concerning to consumers, and have
through the imprimatur of the FTC and its process created
importance, as has this Committee, creating the incentive for
the industry to come together to talk, to make sure that we
understand how we can, in fact, achieve ultimately a greater
sense of privacy assurance for consumers so that they use our
services and use the Internet even more. I think that there is
no question that the FTC process has been quite involved in the
development of that.
Ms. Sohn. Can I be the skunk at the self-regulatory party?
Because----
Senator Wicker. That would be a lot of fun.
Ms. Sohn. I want to make two points.
Number one is to address something that Senator Klobuchar
said about competition. The problem is that, at least in
broadband, there is not that much competition. This is
something my organization has talked about for a long, long
time. And a lot of the ISPs that were using deep packet
inspection and NebuAd were not subject to great competition. A
lot of them were rural ISPs. So the notion that there is going
to be this competitive pressure, I'm dubious.
The second thing--and this is the point that I discussed in
my oral testimony but discuss in more detail in my written
testimony--is that the Communications Act already does cover
some ISPs. There is a lot of talk about a level playing field,
but right now cable Internet services are covered by stricter
privacy regulation than broadband telephone information ISP
services. So there is already in the law gaps where Mr. Tauke's
company is being treated differently than a Comcast. So I do
think that at a minimum you need to amend the Communications
Act to fix those gaps because right now you do not have a level
playing field between broadband ISPs.
Senator Wicker. Response?
Mr. Tauke. Part of that highlights the point. Yes, there
are all kinds of rules that apply to all different companies
differently. If you guys could take on the Communications Act
and level the playing field, most of us would applaud heartily.
But rewriting that act--it has been a long process and it is
very hard to get anything to fruition when you take on that
major a task.
So we are not saying that we are opposed to the Committee
addressing the issue, but what you are doing here, having a
hearing, forcing industry to address the issue is helpful. We
have the FTC that has some authority already. We have an
industry that I think wants to get its act together. It is in
our own interest to clean up the act. Right? So I think that
can help.
If all that should happen, if the Senate--God bless you if
you go forward and do your thing. That is terrific. But in the
meanwhile, I think there is a need for this other activity to
go on. That will inform what you do. It may turn out this is
not such a big issue, or it may turn out there are other
problems that arise as this goes on. But we ought to go forward
with the self-regulatory approach, try to use what is there,
and that will help inform you, I think, what the challenges are
and where we may need additional legislation.
Senator Wicker. Thank you.
Senator Dorgan. Senator Wicker, thank you.
This issue of self-regulation--I think the process that is
ongoing is very valuable. But in the ultimate, self-regulation
works if there is, number one, adequate criteria established,
and number two, if it is enforceable. And one of my concerns is
that what is happening now and what will happen in the future
with respect to Internet advertising is various entities,
content providers, Internet service providers, and others, have
information that is going to become increasingly valuable, and
it is tempting product to sell to someone who would like to
purchase it. And so the question is under what conditions does
that happen.
I want to come back to this question. Mr. Stern, you talked
about when NebuAd appeared before this Committee and the
anonymizing of information. It seems to me, however, that if
NebuAd gathers all of this information and develops the
strategies for targeted advertising and profiling, that if they
are able to deliver that advertisement back to the Internet
address, it is really not anonymous, is it?
Mr. Stern. Senator, there is a separation between the
information that NebuAd has, which is a profile attached to an
anonymous identifier, and the information that the ISP has,
which is the connection between that anonymous identifier and
the individual. As a consequence, there is--and I am not an
expert on NebuAd's technology, given that we have not engaged
in targeted online advertising and we have not done any sort of
a deal with NebuAd or anyone like that--but there is, in fact,
a set of technologies that are used in that approach to protect
the customer's identity and anonymity.
Senator Dorgan. But there has to be a string somewhere from
the information gathered and then ultimately delivered to the
Internet address of the person whose tendencies on the Internet
have been profiled. I mean, this reminds me of the discussion I
sat in last night for 2 hours on the financial rescue issue,
the discussion about firewalls that exist. It turns out the
firewalls were not so fireproof.
Mr. Stern. That is correct, Senator. There is no perfect
technology here.
But the principles that we have outlined ensure that
targeted online advertising would only take place if consumers
affirmatively consent after being informed of how their
information will be used. As a consequence, we think that the
harm that you have raised is one that customers will be able to
evaluate and weigh against the benefits that they will enjoy by
being able to see more relevant ads.
Senator Dorgan. It is interesting. I was just looking at a
report that was released this morning. The information was
provided me last evening of what was to be released this
morning. It is a poll released today by Consumer Reports'
National Research Center, and it has a lot of interesting
information in it. There is a lot of misinformation out there
and a great deal of lack of information.
Consumers are aware that information about their surfing
habits, that is, movements on the Web, is being collected
online. And here is what they believe.
Sixty-one percent of consumers are confident that what they
do online is private and not shared without their permission.
That is what people now believe.
Fifty-seven percent believe that companies must identify
themselves and indicate why they are collecting data and
whether they intend to share it with other organizations.
Forty-eight percent believe that their consent is now
required for companies to use personal information they collect
from online activities.
Forty-three percent believe a court order is now required
to monitor activities online.
I only describe that to you because this is just released
this morning. What it does show is while people, I think almost
all of us would understand, are very concerned about privacy,
they have very little understanding about what exists or what
might not exist to create fences or gates or protections for
their online privacy.
I think that the work that our colleagues in the House have
done with their data gathering and hearings, the work that we
have done, and the work that the FTC is now doing and the
efforts by people in your industry to come together and develop
approaches--again, I think in many ways these hearings kind of
provoke and require people to be thinking what are we doing and
how does it relate to what our responsibilities are and what
the law is. I think all of this is constructive for us, as we
move down the road here, to understand what is necessary. Is
this something that can be self-regulated with enforcement
capabilities, or will there need to be, both at the FTC and
also will there need to be here in the Congress, some
legislative guidelines developed that will inform us as we move
forward.
I do not think any of us fully know the answer to that, but
we are now learning a great deal more than we knew, which I
think is progress.
I want to thank the three Internet service providers for
making themselves available for this hearing. Your testimony, I
think, is instructive for us.
Ms. Sohn, the title of your organization is Public
Knowledge, which is pretty all-encompassing I was thinking, as
I read that last evening. So we thank you for providing public
knowledge about these issues from your perspective, which I
think is also very valuable to this Committee.
This hearing is adjourned.
[Whereupon, at 11:10 a.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
For the American people, privacy is a treasured right, but it is
also a right under regular attack. In this digital age, commercial
forces can amass treasure troves of data about each and every one of
us. This is especially true when it comes to where we go and what we do
on the Internet.
Today we focus on the on-ramps to the Internet, and explore in
greater depth the consumer privacy policies of our Nation's largest
broadband providers. We will consider the abilities these providers
have to view our online behavior and discuss what notice they should
provide to consumers when they seek to do so. Further, we must examine
whether our communications laws governing consumer privacy have kept up
with rapidly changing technology or require adjustment.
I look forward to hearing from our witnesses.
�