[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
OPINION SURVEYS: WHAT CONSUMERS HAVE TO SAY ABOUT INFORMATION PRIVACY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
MAY 8, 2001
__________
Serial No. 107-35
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
72-825 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York
Vice Chairman DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky LOIS CAPPS, California
BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona JANE HARMAN, California
ED BRYANT, Tennessee HENRY A. WAXMAN, California
STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Bauman, Sandra, Vice President, Marketing and Business
Development, Wirthlin Worldwide............................ 23
Newport, Frank, Editor-in-Chief, Gallup Poll................. 20
Rainie, Lee, Director, Pew Internet & American Life Project.. 5
Taylor, Humphrey, Chairman, The Harris Poll, Harris
Interactive................................................ 11
Westin, Alan F., Professor Emeritus, Columbia University,
President, Privacy and American Business................... 14
(iii)
OPINION SURVEYS: WHAT CONSUMERS HAVE TO SAY ABOUT INFORMATION PRIVACY
----------
TUESDAY, MAY 8, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 3 p.m., in
room 2123, Rayburn House Office Building, Hon. Cliff Stearns
(chairman) presiding.
Members present: Representatives Stearns, Shimkus, Bryant,
Walden, Terry, Tauzin (ex officio), and Doyle.
Staff present: Ramsen Betfarhad, majority counsel; Mike
O'Rielly, majority professional staff; Kelly Zerzan, majority
counsel; Anthony Habib, legislative clerk; M. Bruce Gwinn,
minority counsel.
Mr. Stearns. I welcome you all to the Subcommittee on
Commerce, Trade and Consumer Protection. This is the fourth in
a series of hearings on Information Privacy. I thank all of you
for attending this hearing this afternoon, especially our
witnesses.
Today's witnesses include representatives of four major
national polling organizations that have surveyed public
opinion on the issue of information privacy. One such survey
was just completed last week. We are also pleased to have Dr.
Westin, a prominent researcher in the field of information
privacy, who began his research and surveys on the issue over
30 years ago.
Credible and scientific public opinion surveys on multi-
faceted public policy issues such as information privacy can be
at times both instructive and perplexing. Still, at no time are
surveys dispositive, nor should they be.
In reviewing the polling data, I realize that like most
important things in life, there is more to the story being told
by the data than a cursory first glance would suggest.
Therefore, after reviewing the survey results, I found myself
facing more questions rather than answers regarding Americans'
views on information privacy.
I look to our witnesses to answer some of those questions,
and maybe one or two questions on other mysteries of life, like
how do you do a good jump shot.
I walk away with a somewhat puzzled, but concrete,
conclusive feeling from some of these surveys. They suggest
that most Americans are anxious about what they perceive to be
a loss of control over the dissemination and use of their
personal information. It seems that this anxiety has been
exacerbated with the advent of the Internet. Still, some of
those same polls also indicate that different people mean
different things when they talk about their information privacy
and their anxieties.
As one of today's witnesses observes, for some Americans
information privacy means anonymity. They want no information
about them traced or disclosed in any circumstance. For others,
information privacy means confidentiality. They are not
comfortable letting information be passed along to third
parties without permission. For many Americans, information
privacy equals simply security. Yet, where poll results are
seemingly clear and thus instructive is the fact that Americans
are most anxious about the improper use of their personal
information, when that improper use can lead to real harm.
Those real harms, in turn, seem to be intimately related to
Americans' information security concerns.
For example, polls indicate that the vast majority, 87
percent, fear financial loss through disclosure of their credit
card information, while 80 percent of Americans fear that the
Internet can be used to commit wide-scale fraud, and 70 percent
are anxious about criminals or pranksters sending out computer
viruses that alter or wipe out personal computer files.
In addition, the fact that Americans are particularly
concerned about protecting their information privacy against
government intrusions is consistent with the proposition that
Americans are most anxious about their information privacy when
they perceive a real harm attaching.
The survey results also seem to reflect a truism--different
people think differently about the same issue. It seems that
older Americans, women, parents and, most importantly, Internet
novices, are more anxious about losing control over their
personal information. There is an inverse correlation between
time spent online and the increased willingness to engage in
what is called ``trusting behavior online.'' Trusting behavior
online includes buying and selling goods, banking, getting
health information, communicating via email or instant
messaging with strangers, joining support groups and making
friends and dates online.
The surveys seem also to suggest that what we as Americans
say in response to a survey question may be different from what
we actually do. Two-thirds of American Internet users having
expressed serious information privacy concerns have,
nevertheless, engaged in at least one trusting activity online,
such as purchasing a book online.
Moreover, while the majority of Americans have a negative
visceral reaction to online tracking and profiling, a
relatively few take steps to shield their identities. For
example, one survey reports that only 1 in 10 Internet users
has set his or her browser to reject ``cookies.'' This brings
me to another observation.
Surveys suggest that Americans as a whole lack knowledge as
to when, how and for what purpose information about them is
collected and used. For example, according to one survey, 56
percent of Internet users do not know what a ``cookie'' is. Yet
another survey reports that 48 percent of Americans who
regularly surf the World-Wide-Web admit to paying little or no
attention to matters such as online tracking and profiling.
And, finally, one of the more interesting survey results is
that as most Americans are anxious about the loss of control
over their personal information, they want rules, but they
reject the notion that the Government and/or Internet companies
are the best stewards of their personal information privacy.
When asked who would do the best job setting those rules,
50 percent said Internet users themselves would be best adept
at setting those rules, while only 24 percent said the Federal
Government, and 18 percent said Internet companies would be
best adept at setting those rules.
Another survey registered some 71 percent of Internet users
saying they themselves, rather than the Government or online
businesses, would have the most say over how Internet companies
track Web activities.
My colleagues, if the public opinion poll suggests one
thing definitely, it is that the American public consumer, with
the issues of information privacy, is as complex as the issue
is itself. So, I look forward to the witnesses' testimony, and
the gentleman from Pennsylvania, Mr. Doyle, is recognized for
an opening comment, as Ranking Member.
Mr. Doyle. Thank you, Mr. Chairman. I am happy to join my
friend here on the panel. Mr. Chairman, I would ask unanimous
consent that the opening statement of Mr. Towns be included.
Mr. Stearns. Without objection, so ordered.
Mr. Doyle. Thank you, Mr. Chairman. I want to thank you for
convening today's hearing providing us insight as to what
American consumers are saying about their information privacy.
I want to thank our invited witnesses for taking the time this
afternoon to share with us the results of these efforts.
I have received a good deal of mail from my constituents
concerning information privacy issues, some expressing concern
that the Government is not doing enough to protect personal
information, and others advocating that the Government is doing
too much. But regardless of their particular opinion on the
issue, the bottom line is, the majority of the contact I
receive sends a clear message that people in Pennsylvania are
very concerned about what happens to and with their personal
information, no matter if they are on- or off-line or if the
Government or a private entity is managing the affairs.
I can tell you that as a consumer I am concerned about the
extent of information on my family's Internet usage and how
that is gathered through the use of cookies, and by whom that
information is used.
Establishing guidelines and limits of information usage and
ensuring proper enforcement presents significant challenges on
a national scale, especially considering the varying degrees
the general populace feels comfortable allowing the Government
or industry to establish regulations related to information
privacy.
Additionally, concerns about private health information
online or off remains very critical to most people and the
Nation. Perhaps most telling is the statistic Mr. Rainie of the
Pew Internet and Life Project gives us. Eighty-five percent of
those who seek health information online are concerned that an
insurance company may raise their rates or deny them coverage
because of the health sites they have visited. Of that, 72
percent are very concerned this may occur.
Without a doubt, protection from discrimination based on
personal health information is a great concern to many
Americans. That is why many of us have supported the Genetic
Nondiscrimination and Health Insurance and Employment Act, H.R.
602, again this session, and will continue to do so until this
important bill is signed into law.
Many of my colleagues on this committee and 229 Members of
Congress support this legislation. No person should be denied
coverage or forced to pay higher premiums because they are
genetically predisposed to develop a certain health condition.
Entities that compile such information while consumers are
online must be held accountable for such actions.
My colleagues, I look forward to the information that our
panel of witnesses will provide us today. I think it will come
as no surprise that the American public want to be secure
online and want their Government to take the appropriate
measures to ensure their desires are protected. Thank you, Mr.
Chairman.
Mr. Stearns. Thank my colleague. The gentleman from
Nebraska, Mr. Terry.
Mr. Terry. Pass, Mr. Chairman.
Mr. Stearns. The gentleman from Illinois, Mr. Shimkus, is
recognized.
Mr. Shimkus. Thank you, Mr. Chairman. I, too, appreciate
you having this hearing. I just quote Diana DeGette, you know,
the public, the individuals have a hard time understanding the
benefit we have through sharing information as much as some
individual folks who don't understand the benefits of holding
classified or important information to themselves.
The scary thing about going into privacy is it is kind of
like opening Pandora's Box because there are going to be so
many conflicting concerns and emotions involved. Where do you
start? How do you finish? Nobody will be satisfied. And it is
into this muddle mess that the Chairman is venturing, and I
commend him because it is, as I think we are going to find out
from the testimony today, really a pressing concern and
something we need to get our hands around, reluctantly probably
from many corners.
So, thank you for taking the time. Your testimony is very,
very important, and I look forward to hearing your testimony
and asking questions. And I yield back my time, Mr. Chairman.
Thank you.
Mr. Stearns. I thank my colleague. We will now hear from
our panel: Mr. Harrison Lee Rainie, Director of Pew Internet &
American Life Project; Mr. Humphrey Taylor, Chairman of The
Harris Poll, Harris Interactive; Dr. Alan Westin, Professor
Emeritus, Columbia University, President, Privacy and American
Business; Dr. Newport, Editor-in-Chief, Gallup Poll, and Dr.
Sandra Bauman, Vice President of Marketing and Business
Development, the Wirthlin Worldwide Group. I want to thank all
of you for your attendance here, and we will start from my left
and go to my right and, Mr. Rainie, we will have your opening
statement.
STATEMENTS OF LEE RAINIE, DIRECTOR, PEW INTERNET & AMERICAN
LIFE PROJECT; HUMPHREY TAYLOR, CHAIRMAN, THE HARRIS POLL,
HARRIS INTERACTIVE; ALAN F. WESTIN, PROFESSOR EMERITUS,
COLUMBIA UNIVERSITY, PRESIDENT, PRIVACY AND AMERICAN BUSINESS;
FRANK NEWPORT, EDITOR-IN-CHIEF, GALLUP POLL; AND SANDRA BAUMAN,
VICE PRESIDENT, MARKETING AND BUSINESS DEVELOPMENT, WIRTHLIN
WORLDWIDE
Mr. Rainie. Thank you. Chairman Stearns, honorable members
of the subcommittee, it is an honor for the Pew Internet &
American Life Project to be asked to testify at this important
hearing. The project is an independent, nonpartisan, research
operation created to examine the social impact of the Internet
with a grant from the Pew Charitable Trusts. We have no agenda
except analytical research.
Our surveys show that Americans with Internet access would
like the presumption of privacy when they are online, and they
would like to be in control of when pieces of their identity
are given out. If they could craft a Golden Rule for the
Internet, it would be: ``Nobody should know what I do on the
Web or anything else about me unless I say so.''
Not surprisingly, these Americans have great concerns about
their privacy being compromised, but it is also clear that
different people mean different things when they are talking
about privacy. For some, privacy means absolute anonymity; for
others, it means absolute confidentiality. They are comfortable
letting some Web-based organizations know about them, but they
do not want that information passed along to third parties
without their permission. And for others, privacy means
security; More than two-thirds of Internet users worry that
hackers will steal their credit card information.
Americans are most anxious, of course, about highly
sensitive information that might be used to cause them harm.
For instance, most Internet users fear insurance companies
learning about their searches for medical information and
perhaps changing their insurance status or canceling their
insurance. Many fear their employers might find out about their
health searches and worry how that would affect their job
status.
At the same time they express anxiety about their privacy,
Internet users do a striking number of intimate and trusting
things online. More than two-thirds of those who have serious
privacy concerns have done at least one of the things that is
on the chart to your right. It starts in the upper, left-hand
corner with seeking medical information, using credit cards for
online purchases, seeking financial information, making travel
reservations. About a third of Internet users have customized
Web sites or have gotten registration for email alerts on
various subjects including news, health concerns, weather, and
even horoscopes. Some have responded to email from strangers,
some have participated by giving their full name and discussing
both medical problems and personal problems in online support
groups, and some have gone to dating sites.
To some degree then, there is a gap between Internet users
expressed fears and their actual behavior. Perhaps one of the
reasons for that apparent contradiction is that few Internet
users have ever had a serious problem online. Another reason is
that the majority of Internet users do not know if, or how,
they are being tracked. Most feel they are anonymous online
unless they take affirmative steps to disclose information
about themselves. The majority, 56 percent, of Internet users
do not know what a ``cookie'' is. They don't know the basic
mechanics of how they are tracked and profiled through the use
of cookies, and they don't know this is going on almost all of
the time they have access to the Web.
One useful way to measure the gap between Internet users'
attitudes and their behaviors is to look at the privacy
protection steps they have taken, and that is on the next chart
before you. If you compare this chart, the privacy protection
steps they have taken, to the previous one, you will see that
Internet users are much less likely to take privacy protection
steps than they are to do things online where significant
pieces of information about them are disclosed.
The most serious Internet users, of course, know how to lie
to protect their identity. They have set up secondary email
accounts. Some of them, a pretty small percentage, know how to
use encryption to protect their email in anonymizing
technology, but it is a very small number. These tools are not
being used by the vast majority of Internet users.
Even though Internet users have fears about their online
privacy, these sentiments do not translate into a universal
yearning for anonymity. In fact, almost two-thirds of them are
comfortable with disclosing information under the terms of the
basic Information Age bargain: ``I give you a piece of
information about me in return for something of value from
you.''
In addition, there is at least one other context in which
the strong public concern about privacy is tempered by other
fears, and that is when Americans express their anxiety about
online crime. We found recently that 54 percent of all
Americans and 60 percent of Internet users approve of the FBI
or law enforcement agencies intercepting email sent to or from
people suspected of criminal activities. At the same time, 62
percent of Americans say new laws should be written to make
sure that ordinary citizens' privacy is protected from
government agency interceptions like the ones that they approve
of.
It is also important to understand that concern about
privacy is notably higher among some groups, especially
parents, older Americans, women, African Americans, and
Hispanics who have Internet access. In general, those who are
most worried about privacy tend to be the ones who do the least
online.
One of the biggest questions hanging over the Internet is
whether today's newcomers will eventually act like today's
veterans in their online behavior and their beliefs. The
veteran population is dominated by young, upscale, well
educated, white men. The Internet novice population looks a lot
more like the rest of American because it has large numbers of
women, African Americans, Hispanics, and those from modest
economic circumstances.
As you can see from the final chart that is over here and
in your material, veterans are much more likely to have
exploited key features of the Internet. They are more likely to
have clicked on advertisements. They are more likely to have
purchased goods online. They are more likely even in their
beliefs to be tolerant of tracking. They are more likely to
have responded to emails from strangers. They are a more
trusting crowd.
The issue, of course, is whether this large, newcomer group
which is more concerned about privacy issues, will feel less
anxious as time passes, and will do more activities online.
Several weeks ago, we wrapped up a survey of people that we
also interviewed a year ago, so we have year-to-year
comparisons of their behavior and their beliefs. Our
preliminary analysis suggests that experience online
significantly increases the commercial transactions of Internet
users as well as their willingness to do trusting things
online.
What are the policy implications of these findings?
Internet users embrace principles of notice, choice, access to
information about them, and security. Internet users would
prefer a different tilt on the privacy playing field, one where
the burden of effort is shifted away from them to be vigilant
about managing their identity and toward those who want to
collect information about them.
Internet users would profit from an industry-led education
campaign that focuses on the mechanics and virtues of tracking.
Companies would gain in users' eyes if they offered a clearer
and more convincing explanation for the value of cookies,
specifically how cookies enhance user experiences and how their
use is tied to advertisers' support of much of the free content
on the Web.
Finally, Internet users would appreciate more technology
tools to give them a sense of control, or at least
transparency, in letting them know what is happening to pieces
of their identities as they move through Internet space. Thank
you.
[The prepared statement of Lee Rainie follows:]
Prepared Statement of Lee Rainie, Director, Pew Internet & American
Life Project
Chairman Stearns and honorable members of the Subcommittee, it is a
distinct honor for the Pew Internet & American Life Project to be asked
to testify at this important hearing. I am the director of the project.
It is an independent, nonpartisan, center created to examine the social
impact of the Internet with a grant from the Pew Charitable Trusts. We
do not have an advocacy agenda. I will be talking today about our
findings from several polls we conducted last year and in February this
year that illustrate some fascinating cross currents on the privacy
issue.
At the most fundamental level, Americans would like the presumption
of privacy when they are online and they would like to be in control of
when pieces of their identity are given out. This is the Information
Age corollary to the classic American formulation of privacy: the right
to be left alone. In the 21st Century, they want right to control their
identities. If they could craft a Golden Rule of the Internet it would
be: ``Nobody should know what I do on the Web or anything else about me
unless I say so.''
Not surprisingly, these Americans have great concerns about their
privacy being compromised. Still, it has become clear in our work
related to this issue that different people mean different things when
they are talking about privacy. The context of the questions and of the
behavior needs to be understood in order to grasp how Americans feel
about privacy. For instance, the definition of the term is very
important. For some it means anonymity. About a quarter of Internet
users say they want no information about them traced or disclosed in
any circumstance.
For others, the concept of ``privacy'' means confidentiality. They
are comfortable letting some Web sites or organizations know about
them, but they do not want that information passed along to third
parties without permission. And for others it means security; they are
anxious that information about them is going to be discovered by
hackers (68% of Internet users worry hackers will steal their credit
card information) or that important personal data will be inadvertently
disclosed by a sloppy Web operation.
Americans also are most anxious about improper use of their
information when it could do them real harm. Most Internet users fear
insurance companies learning about their health and medical information
searches and, as a result, changing or canceling insurance because of
the kinds of Web sites that were visited. Many fear their employers
might find out and that could affect their job status. And the vast
majority fear financial loss through disclosure of their credit card
information.
TRUSTING BEHAVIOR
At the same time they overwhelmingly express concern about their
online privacy, American Internet users do a striking number of
intimate and trusting things online. This is another aspect of how the
context of privacy discussions is important to understand. More than
two-thirds of Internet users who have serious privacy concerns have
done at least one of these things online: purchase goods, make travel
reservations, get health information, respond to email and instant
messages from strangers, make friends and dates with people they have
never met face-to-face, join support groups, place their calendars and
address books online, and participate in online auctions.
Perhaps one of the reasons for that level of trustful behavior is
that few Internet users have ever had a serious problem online. Just 4%
of Internet users say they have felt threatened in some way while they
were online; 3% say they have been cheated when they tried to buy
something online; and fewer than 3% believe their credit card
information has been stolen online. The irksome issue is ``spam,'' the
online equivalent of junk mail, which makes about a third of Internet
users unhappy to varying degrees. And about a quarter of Internet users
say they have gotten an offensive email from a stranger.
Yet another reason for the high level of trusting activity online
is the majority of Internet users do not know if or how they are being
tracked. Most feel they are anonymous online unless they take
affirmative steps to disclose information about themselves. This is
enormously important, for instance, to some who seek health
information, especially when they are conducting their searches in the
privacy of their den or recreation room. Most are unaware, of course,
that many of the health-related Web sites they visit plant cookies--
small bits of encrypted information deposited on a computer's hard
drive so the online firm can track the user's clicks through the site
(and sometimes other sites) and to identify that computer the next time
it visits the health site. Fully 56% of Internet users do not know what
a cookie is; and just a tenth of Internet users have set their browsers
to reject cookies.
In principle, Americans do not much like the idea of online
tracking and profiling--by a two-to-one margin they say that tracking
is an invasion of privacy, rather than a tool to help Web sites provide
customized information to users. Still, relatively few take steps to
shield their identities: 24% of Internet users have provided a fake
name or personal information in order to avoid giving a Web site real
information; 9% have used encryption to scramble their email; 5% have
used ``anonymizing'' software that hides their computer identity from
Web sites they visit.
INFORMATION TRANSACTIONS
Internet users' preference for a presumption of privacy does not
translate into a universal yearning for anonymity. In fact, most are
comfortable with disclosing information under the terms of basic
information transaction of the Internet age in which the bargain
between a user and a Web site is: ``I give you a piece of my identity
in return for something of value from you.'' Some 54% of Internet users
have chosen to provide personal information in order to use a Web site
and an additional 10% say would be willing to provide it under the
right circumstances.
They want rules, but they reject the notion that the government and
Internet companies are the best stewards of their personal privacy.
Asked who would do the best job setting those rules, 50% of online
Americans said Internet users' themselves would be best, 24% said the
federal government would be best; and 18% said Internet companies would
be best.
And they are clear in their gut-level preference for what they
would like the rule to be: 86% of Internet users say that Internet
companies should ask people for permission to use their personal
information. It is important to add that at the time we measured this
sentiment last spring, we knew that most Internet users would not know
the intricacies of the policy debate about the different kinds of
options--opt-in or opt-out or robust-opt-out and everything in between.
So, we did not pose our questions in a way that would sort out
Americans' views on these matters. We know they express every way they
can that they would like to control the process of information
collection and disclosure.
Finally, there is also at least one other context in which the
strong public concern about privacy is tempered by another fear: the
anxiety about online crime. In a survey in February, we found that
substantial majorities of Americans were concerned about every kind of
online crime. As a result, 54% of all Americans (and 60% of Internet
users) approve of the FBI or law enforcement agencies intercepting
email over the Internet sent to and from people suspected of criminal
activities; 34% of all Americans said they disapprove; 12% said they
don't know. At the same time, 62% of Americans say new laws should be
written to make sure that ordinary citizens' privacy is protected from
government agencies.
DEMOGRAPHIC CONTEXT
Concerns about privacy are notably higher among some groups,
especially Internet novices (those who first got online within the past
six months), parents, older Americans, and women. In some cases, these
fears also apply to online African-Americans, Hispanics, and those in
households with modest income levels. These fears are often associated
with lower participation in online life and some online activities,
especially commercial transactions. For instance, one of our surveys
suggested that those who had the strongest fears about privacy
violations online were 20% less likely to have shared information with
a Web site; 15% less likely to have used their credit cards online, and
15% less likely to have clicked on an ad.
One of the biggest questions hanging over the Internet is whether
today's newcomers will eventually act like today's veterans in their
online behavior and in their beliefs. The veteran population is
dominated by young, upscale, well-educated, white men. They are much
more likely than others to say they are unconcerned about their privacy
being compromised in the online world and much more likely to spend
money and manage money (through online banking and brokerage
activities) than other Internet groups. On the other hand, the novice
Internet population looks a lot more like the rest of America with lots
of women, minorities, and those from modest-income households, and
without college educations. The issue is whether this large newcomer
group, which is more concerned about privacy issues, will feel less
anxious as time passes and will do more business online.
We are just getting some preliminary information that suggests
experience online significantly increases the commercial activities of
Internet users as well as their willingness to do other trusting
activities online, such as seeking health information. In March 2001,
we reinterviewed about 90 Internet users who told us in March 2000 they
had recently gotten Internet access. In the course of a year of gaining
experience online, this group showed a 15% increase in the number of
trusting activities this group had performing online and a nearly 50%
increase in the commercial activities it had performed online. This is
too small a group from which to draw strong conclusions, but it
suggests that experience breeds higher levels of trust.
Privacy concerns are an even bigger issue to those who do not now
have Internet access. More than 82 million American adults to not have
Internet connections and more than half of them say they have no plans
to get access. One of the major concerns they cite is the danger and
unreliability of the online world. These worries are most acute among
older Americans.
POLICY IMPLICATIONS
Internet users would be happier if their online experiences were
governed by the strong preference to be in charge of their identities.
They embrace principles of notice, choice, access to information about
them, and security. Internet users would prefer a different tilt on the
privacy playing field, where the burden of effort was shifted away from
them and towards those who want to collect information about them.
Internet users would surely profit from an industry-led education
campaign that focused on the mechanics of tracking. Companies would
gain in users' eyes if they offered a clearer and more convincing
explanation of the virtues of cookies--specifically, how their use
enhances users' experiences and makes it simpler and more efficient for
them to use the Web, and how their use enables advertisers to support
the vast amount of free content on the Web. Our surveys show that most
Americans viscerally oppose the ideas of online tracking and profiling
and they will need a lot of convincing before they accept some of the
benefits of those activities.
Finally, users would appreciate more technological tools that would
give them a sense of control, or at least transparency in letting them
know what is happening to the pieces of their identity they are
divulging as they move through Internet space.
addendum: other significant findings in pew internet project surveys
86% of Internet users think Internet companies should ask
people for permission to use personal information when people
give it to them.
71% of Internet users say they themselves, rather than the
government or online businesses, should have the most say over
how Internet companies track Web activities,
54% of Internet users believe that Web sites' tracking of
users is harmful because it invades their privacy; 27% say
tracking is helpful because it allows the sites to provide
information tailored to specific consumers.
89% of those who seek health information online (we call them
``health seekers'') are concerned that a health-related Web
site might sell or give away information about what they did
online; 71% are ``very concerned'' about such privacy
violations.
85% of health seekers are concerned that an insurance company
might raise their rates or deny them coverage because of the
health sites they have visited; 72% are ``very concerned''
about this possibility.
52% of health seekers are concerned that their employer might
find out what health sites they have visited. This ranks
comparatively low in part because most health seekers are
getting their information online from home.
60% of Internet users think that putting medical records
online is a bad thing, even if the records are on a secure,
password-protected site, because they worry about other people
seeing their personal information. The rest think it's a good
thing because they and their doctors would have easy access to
patients' medical records.
94% of Internet users want privacy violators to be
disciplined. If an Internet company violated its stated privacy
policy and used personal information in ways that it said it
would not, 11% of Internet users say the company's owners
should be sent to prison; 27% say the owners should be fined;
26% say the site should be shut down; 30% say the site should
be placed on a list of fraudulent Web sites.
Internet users are pretty savvy about at least one privacy
safeguard: passwords. Sixty-eight percent of Internet users use
different passwords when they register at various Web sites.
While many are concerned about their privacy online, there is
no evidence that the Internet is a more menacing threat to
privacy, in most Americans' opinion, than activities in the
offline world. That applies, for instance, to credit card
information. Of all those Americans who had used their credit
card to buy something over the phone, 56% said they worried
about someone else getting their credit card number. In
comparison, of all those with Internet access who used their
credit card to buy something online, 54% said they worried
about someone else getting their credit card number.
Similarly, Americans are just as likely to approve FBI or law
enforcement surveillance of criminal suspects' phone calls and
postal mail as they are to approve surveillance of suspects'
email. Fully 56% of all Americans approve of the FBI or law
enforcement agencies intercepting telephone calls to and from
people suspected of criminal activities; 55% of all Americans
approve of the FBI or law enforcement agencies intercepting
letters and packages sent by mail to and from people suspected
of criminal activities; 54% of all Americans approve of the FBI
or law enforcement agencies intercepting email over the
Internet sent to and from people suspected of criminal
activities.
11% of all Americans and 17% of Internet users know someone
who was fired or disciplined because of an email they sent or a
Web site they went to at work.
25% of Internet users have been hit by computer viruses. The
vast majority of the viruses have been sent to them via email.
Older Americans are more likely than younger Americans to
express concerns about privacy and the Internet. Fully 67% of
those between the ages of 50 and 64 years old say they are
``very concerned'' about businesses and people they don't know
getting personal information about them or their families,
compared to 46% of between 18 and 29.
81% of those who get health information online would like to
have the right to sue a medical company that gave away or sold
information in violation of its privacy promises.
92% of Americans say they are concerned about child
pornography on the Internet and 50% of Americans cite child
porn as the single most heinous crime that takes place online.
In other areas, 87% of Americans say they are concerned about
credit card theft online; 82% are concerned about how organized
terrorists can wreak havoc with Internet tools; 80% fear that
the Internet can be used to commit wide scale fraud; 78% fear
hackers getting access to government computer networks; 76%
fear hackers getting access to business networks; and 70% are
anxious about criminals or pranksters sending out computer
viruses that alter or wipe out personal computer files.
62% of Americans say new laws should be written to make sure
that ordinary citizens' privacy is protected from government
agencies.
Among the relatively small number of Americans (21%) who have
heard about the FBI's email sniffing program called
``Carnivore'' or ``DCS1000,'' there is much more evenly divided
opinion. Forty-five percent of people who have heard of it say
Carnivore is good because it will allow the FBI a new way of
tracking down criminals. Another 45% say Carnivore is bad
because it could be used to read emails to and from ordinary
citizens.
79% of Internet users who did not buy gifts during the holiday
season of 2000 said they do not like to send credit card or
other personal information over the Internet.
Mr. Stearns. Mr. Taylor.
STATEMENT OF HUMPHREY TAYLOR
Mr. Taylor. Mr. Chairman, Members of Congress, many thanks
for inviting me to give this testimony. I am delighted to be
here. I will slightly abbreviate my written remarks in the
interest of time.
Harris Interactive, formerly Lewis Harris and Associates,
sometimes known as the Harris Poll, has conducted some 30
surveys on privacy issues over more than 20 years. Many of
these surveys were done with my friend and privacy mentor, Dr.
Westin over here, whose knowledge and wisdom and judgment on
this subject has been invaluable to us.
In the interest of time, I am going to talk only really
about privacy on the Internet, and not about the many other
things we have covered. Because of the need for brevity,
however, it is important to make three general comments. One is
that public opinion, as I think Dr. Westin will tell you, is
not at all homogeneous.
Second, the public opinion on privacy issues is not stable,
it changes, and will continue to change. Third, that privacy
is, as you have said, a very multi-faceted issue covering
everything from identity fraud and discrimination to
embarrassment--for example, if it lets people know that you
have been visiting porno sites--or just plain nuisance from
being repeatedly spammed.
We have described privacy as a ``landmine issue'' because
it is something which may blow up in the faces of people who
are not expecting it. They are not aware that it is there as an
issue until it blows up.
When we ask people to tell us what issues are important to
them spontaneously, they very rarely mention privacy. It is not
usually a top-of-the-mind issue. But whenever we ask people
about the importance of privacy, they almost invariably tell us
that it is important or very important.
And, indeed, the public concern about privacy and the
public perceptions of the importance of privacy and the
feelings that they have lost control of their privacy have all
been increasing over the last two decades.
When somebody does tread on an issue like this and it does
explode, the potential for public outrage is very substantial,
and there can be very strong demands for punitive government
regulations of industries, most of which are entirely innocent
of any wrongdoing, but where there are a few bad apples in the
barrel.
What are the biggest concerns about privacy online? The
largest numbers in our surveys, between 50 and 65 percent, say
they are very concerned about Web sites which provide
information, personal information about them to other
organizations without their knowledge, Web sites which collect
information about them without their knowledge, Web sites which
merge their shopping and browsing habits to develop profiles of
their behaviors and tastes, and their financial or other
sensitive information being stolen.
Now, you should know that the public differentiates quite
sharply between different companies and different industries
and different organizations, and that the public is much more
trusting of some than of others so it depends who you are, and
clearly trust is something which can be earned and can equally
easily, or much more easily, be lost.
I interpret our data as showing that having and displaying
strong privacy policies is not just something which is ethical,
but which is something actually good marketing and good
business, whether or not people actually read them and, in most
cases, or in many cases, only a small minority of Internet
users actually read the privacy notices.
There is clear evidence of the public's willingness to
trade information, personal information, in return for
benefits. However, most people have very little idea about how
companies are now using that information in ways which are
helpful to them, and they don't therefore see why it is
necessary to provide that information. But when the use of that
information is explained to them in terms of specific benefits
to them, they become much, much more willing to provide it.
We also see that the use of the Internet over time
increases trust and decreases concern about privacy because, as
you just heard, relatively few people have suffered any adverse
consequences.
Familiarity with the Internet generally breeds not
contempt, but comfort and trust. This is also true of the user
purchasing online and the use of credit cards.
Finally, what does the public want from government? Well,
ours and other surveys show that on balance the public doesn't
have much confidence in government's ability to protect their
privacy and, indeed, often views them as a greater potential
threat to their privacy than the private sector. And, ideally,
people say that it would be better if industry or companies
could self-regulate to protect their privacy.
Having said that, our surveys also show that the majority
of the public favor government regulation to protect their
privacy because they actually do not believe that the
industries will self-regulate effectively. In other words,
there will be enough bad apples in the barrel to make
regulation necessary.
We also have information as to the specific things that the
public wants in the way of protection. Overwhelming majorities
want people who collect information about them to ask their
permission before using their personal information for any
other purpose than it was originally given for. They want the
companies to explain to consumers what personal information is
collected about them and how it is used. They want these
companies to allow consumers to see the information the company
has stored about them. And they want to be told exactly how
their sensitive information is secured in both transmission and
storage.
Finally, as I said, I think that having good, strong
privacy protection policies and notices is not only something
which the public wants, but which is also actually good for
legitimate business. Thank you, Mr. Chairman.
[The prepared statement of Humphrey Taylor follows:]
Prepared Statement of Humphrey Taylor, Chairman, The Harris Poll,
Harris Interactive
INTRODUCTION
Thank you for inviting me to today's hearing.
Harris Interactive, formerly Louis Harris & Associates (and often
known as The Harris Poll) has conducted more than 30 surveys over the
last 23 years on privacy issues for clients such as IBM, Equifax, The
Privacy Leadership Initiative, The Wall Street Journal, Business Week,
and the National Consumers League. Many of these surveys were done with
the invaluable advice of my privacy mentor, Dr. Alan Westin. I should
note that Harris Interactive conducts many research projects using the
Internet, that we have strong privacy protection for our respondents,
and that we are member of the Privacy Leadership Initiative (PLI).
However, today I speak only for myself. My opinions are not necessarily
those of anyone else.
Much of this research, relating to issues such as direct mail,
consumer databases and marketing generally, in relation to credit,
insurance, medical records, employment, telecommunications, law
enforcement and the Census for example, had nothing to do directly with
the Internet. In my brief time today, I will try to give you the big
picture of what we found in our research about privacy on the Internet,
and not mention the many other privacy issues we have addressed in our
research.
Because of the need for brevity, three words of caution are
necessary:
1. Public opinion--as I hope Alan Westin will tell you--is not at all
homogeneous.
2. Public opinion is not stable. It has changed and will continue to
change.
3. Privacy is a multi-faceted issue involving everything from identity
fraud and discrimination or embarrassment to minor annoyances.
how important is privacy online as an issue?
I have often described privacy as a ``landmine issue.'' It is only
rarely mentioned spontaneously by the public as a ``top of mind'' issue
but, when asked about privacy, large majorities of the public say it is
an important issue, that they do not believe their privacy is
adequately protected and they are very concerned about it. We use the
word ``landmine'' because we believe privacy can very quickly become a
major issue based either on bad personal experience or on negative
media coverage of offensive violations of privacy. (This is what
happened with credit ratings.)
When this happens public outrage can grow rapidly and support
strong, even punitive, government regulations of industries most of
whose members are blameless.
WHAT ARE PEOPLE'S BIGGEST CONCERNS ABOUT PRIVACY ONLINE?
The largest number of online users are ``very concerned'' that:
------------------------------------------------------------------------
------------------------------------------------------------------------
Websites will provide personal information about them to 64%
other organizations without their knowledge...............
Websites will collect information about them without their 59%
knowledge.................................................
Websites will merge their shopping and browsing habits to 53%
develop profiles of their behavior and tastes.............
Their financial, or other sensitive information, will be 53%
stolen....................................................
------------------------------------------------------------------------
THE PUBLIC DIFFERENTIATES BETWEEN DIFFERENT COMPANIES AND DIFFERENT
INDUSTRIES
Several surveys have shown that the public is much more trusting of
some industries and of some companies, than of others. This trust must
be earned--and can easily be lost. Having, and displaying, strong
privacy protection policies is one factor consumers use to
differentiate between them.
what online consumers want
Very large majorities of online users think it is ``absolutely
essential'' or ``very important'' that sites:
------------------------------------------------------------------------
------------------------------------------------------------------------
Ask consumers permission before using their personal 94%
information for any other purpose than it was originally
given for.................................................
Explain to consumers what personal information is collected 87%
about them and how it is used.............................
Allow consumers to see the information the company has 82%
stored about them.........................................
Tell consumers exactly how their sensitive information is 82%
secured in transmission and storage.......................
------------------------------------------------------------------------
PRIVACY CONCERNS INFLUENCE ONLINE ACTIVITY, PARTICULARLY PURCHASING
ONLINE
While concerns about privacy are only a modest barrier to the use
of the Internet and the Web, they do inhibit it. This is particularly
true of the public's reluctance to purchase goods or services online
and to use credit cards to do so.
THE IMPACT OF STRONG PRIVACY PROTECTION POLICIES AND NOTICES
Many of those who are unwilling, or reluctant, to use the Internet
and in particular to purchase products and services online, say they
would be much more likely to do so if companies had strong privacy
protection policies and displayed them prominently. This willingness to
do business with such companies increases even more when respondents
believe that such policies are observed and enforced.
Having, and displaying, strong privacy policies is good marketing
and good business, whether or not people actually read them (only a
modest minority of Internet users do so regularly).
THE PUBLIC'S WILLINGNESS TO TRADE INFORMATION FOR BENEFITS
Many people do not seem to have much understanding of how companies
who are selling financial services or other goods or services use
information about consumers to target their sales efforts to those who
are most likely to buy them. As a result, they do not see why they
should provide the information.
However, when the use of the information, and benefits to
consumers, are explained to them they become much more willing to
provide it.
In other words, many people who are initially reluctant to provide
personal information are willing to do so when this is seen to be of
some benefit to them.
USE OF THE INTERNET INCREASES TRUST AND DECREASES CONCERNS ABOUT
PRIVACY
Familiarity with the Internet generally breeds comfort and trust,
not contempt. The more people use the Internet without suffering
adverse effects, the less they are concerned that their privacy might
be violated. This is true of online purchasing and credit card use.
WHAT DOES THE PUBLIC WANT FROM GOVERNMENT?
On balance, the public trusts the government rather less than it
trusts business to protect its privacy. Ideally people would prefer
that industries adopt sound privacy protection policies to having
government regulation. However, substantial majorities of the public
believe government regulation to protect consumer privacy on the
Internet is necessary, presumably because they do not believe that
self-regulation will be successful. Absent adequate legal protection,
people seem to believe that consumer protection will be abused.
Mr. Stearns. Thank you.
Dr. Westin, welcome.
STATEMENT OF ALAN F. WESTIN
Mr. Westin. Mr. Chairman and members of the subcommittee, I
am appearing today at your invitation as a long-time privacy
expert. Some people think my first article on privacy was
published the same year as Lewis Brandeis' in the Harvard Law
Review but, of course, his was in 1890, mine was in 1952, so
that gives me about 50 years of pioneering with the privacy
issue, endlessly fascinating. Also, I appear as someone who,
for his sins, has participated as the Academic Advisor in 45
national surveys of the American public and leadership groups
on privacy, starting in 1970.
I think it helps to start by recognizing that surveys are a
complex blend of art, science and advocacy, and whenever you
get survey findings you always have to, as I am sure Members of
Congress alone are accustomed to do, take a careful look at how
the questions are framed and the order in which they are
presented, and the kind of sample, and also the sponsors and
what their perspectives are.
So, with that background, the subcommittee asked me to
address three questions and to give my view as to what the
surveys--not only my own, but my organization, Privacy and
American Business, has literally 120 national surveys on
privacy in our library--some excellent, some poor, mixed bag,
and I did do a review of a lot of them in order to answer the
three questions which the counsel asked me to address.
First, has there been a transformation of consumer privacy
attitudes over the past decade? And I think good surveys tell
us absolutely ``yes.'' That whereas once only about a third of
the American public expressed any concern about threats to
their privacy, we now have nine out of ten Americans saying
they are concerned about the potential misuse of their
information and threats to their privacy in America today, and
what is important is, 77 percent expressed themselves as very
concerned.
Equally important, we find that there is a new wave of what
I call ``privacy assertive behavior'' on the part of American
consumers. Three out of four, 78 percent, report that they
refuse to give information to businesses because they felt it
was too personal and not really needed by the businesses, and
over 80 percent think businesses collect too much personal
information for the services they provide.
Majorities tell us that they have declined to patronize
companies that they thought were going to misuse their
information or create profiles about them.
We also know that when people are given a list of reasons
why they are not on the Internet or why they are not buying on
the Internet, majorities say that privacy is the single, most
important reason for that behavior.
At the same time--this is what makes privacy such an
interesting issue--American consumers, by large majorities,
want all the benefits and opportunities of a consumer service
society and of a market-driven social system. As long as you
give them proper notice and choice, more than three out of four
respondents again and again say it is all right for the
businesses they patronize to look at their transactions and
their interests, and to communicate with them things that they
think will be of interest to them.
So, we have concern about privacy, but also a desire to
enjoy the benefits of a consumer society, and the question is,
how do Americans divide in those balances between those two
values?
Over the years, surveys that I have done with Harris and
with Opinion Research Corporation have produced a profile of
three segments of the American public. First, you have what we
call ``Privacy Fundamentalists,'' about 25 percent of the
public. These are people intensely concerned about privacy, who
generally will reject benefits offered to them by business or
will be skeptical about government's need for information, and
will want to see legislation to control business collection and
use of personal information.
At the opposite end, you have what I call the ``Privacy
Unconcerned,'' used to be 20 percent but now it is down to 12
percent, who really don't know what the privacy issue is all
about. I like to think that for 5 cents off, they will give you
any information you want about their family, their lifestyle,
their travel plans, and so forth.
In between are what we call the ``Privacy Pragmatists,''
and that is 63 percent which represents approximately 126
million American adults and, essentially, they go through a
very structured process when concerned with their privacy.
First, they want to know what is the benefit to them as a
consumer if their personal information is provided or if they
give it, what is collected about them.
Second, they want to know what privacy risks they run if
the information is collected and used.
Third, they look to see what safeguards the company or the
industry offers to protect them against those risks.
Finally, and most important, they ask do they trust you, do
they trust the company or the industry, and if they want the
benefit and they are worried about the risks but they don't
trust the company or the industry, then they want legislation
to protect them and a governmental role of oversight and
implementation.
Second question the committee asked me to address is, do we
understand what are the driving sources of these privacy
attitudes which all the witnesses are reporting? I think good
surveys tell us a great deal about that.
My own work suggests that there is a correlation between
the distrust level of American consumers and citizens and their
attitudes on privacy. We have a ``distrust index'' that
measures people's attitudes toward government, voting, the
business community, and technology, and when people score high
in distrust, they tend to take the strongest ``privacy
attitude,'' and when they have low distrust or even no
distrust, then they tend to be much more accepting of
information collection and its use.
But when you dig down at a deeper level, I think privacy
has three components that the surveys truly illuminate. First
is what I call ``anti-intrusion.'' People are hostile to
unwanted mail and especially to telemarketing. Seventy-eight
percent of respondents are angry about telemarketing to them
without their consent.
Second element is ``anti-manipulation.'' People fear that
profiles are going to be collected about them that will allow
the kind of hidden persuader type of marketing we associate
with Vance Packard and the Naked Society and the other anti-
manipulation themes.
Third, they worry about discrimination, that information
will be collected and secretly used through credit scoring or
algorithms that they don't know about in order to decide
whether they get credit or insurance or whether they are
employed.
I think those three are components of what the privacy
concern is all about.
More recently, we have some new elements that are in some
ways even more powerful. First is the Internet leads people to
make astounding self-revelation, if you think about it. People
are going to places and looking at things and revealing things
about themselves that has no precedent really in Western
history in terms of self-revelation and communication. And
people are worried about tracking or hacking them in terms of
that kind of experimental and revelatory behavior.
Second, people are concerned about identity theft. Another
survey I did found that one out of five households in America
report that a victim in their household has been the object of
identity theft.
Finally, what do consumers want? I think good surveys
indicate that what consumers want is systems for informed
privacy choices to be implemented and enforced. Majorities
think it would be better if business did this, but they are
ready and anxious that government step in if business fails to
do so or if there is outlaw behavior.
We know that a majority of the American public does not
favor the European Union style of omnibus national privacy
legislation and a national privacy regulatory agency, but when
it comes to sensitive information such as financial information
or health information, overwhelming majorities are looking to
legislative protections to set the rules and the standards for
that kind of activity.
We also know that in terms of where Congress is going,
large majorities would like to see Congress pass anti-spam
legislation, would like to see genetic privacy legislation
enacted, and that some kind of framework legislation for online
privacy is heavily favored.
Let me close, though, by noting that surveys are not a very
good way to write legislation. Surveys are a dun to the general
public, they are not policy wonks, they can't get down into the
guts and details of good legislation. Also, we are really just
opening up some meaningful debate about what the costs and
dislocations of some of the proposals for online privacy
legislation would bring to the fore. And I think it is going to
take a lot of legislative wisdom and expert input to get to
good legislation.
What the surveys tell us is that the overwhelming majority
of the American public is looking for systems of protection,
but crafting good legislation is not something you should look
to surveys for much help on.
[The prepared statement of Alan F. Westin follows:]
Prepared Statement of Alan F. Westin, Professor of Public Law &
Government Emeritus, Columbia University, and President, Privacy and
American Business
EXECUTIVE SUMMARY
This testimony is based on my experience as the academic advisor to
45 national privacy surveys between 1979 and 2001, and my analysis of
more than 120 privacy surveys held in the Privacy & American Business
survey library. I am answering questions posed by the subcommittee as a
political scientist and privacy expert.
1. There has been a well-documented transformation in consumer
privacy attitudes over the past decade, moving concerns from a modest
matter for a minority of consumers in the 1980s to an issue of high
intensity expressed by more than three-fourth of American consumers in
2001. In addition, a majority of consumers has become quite privacy
assertive in their relations with businesses, making decisions on who
to use and what information to provide based on their own privacy
judgments.
2. But US consumers also want the benefits of a consumer-service
economy, and they are not monolithic in their privacy views. Tracked
across the past decade, they divide into three segments with very
different general approaches to privacy views and tradeoffs--a high,
medium, and low privacy perspective described in the main testimony.
About 125 million American adults fall into the moderate--Privacy
Pragmatist--category. How to merit and secure the trust of this group
should be the focus of businesses and lawmakers alike.
3. The driving factors behind high privacy concerns stem from high
levels of distrust of institutions and the fears of technology abuse.
Privacy concerns are centered on intrusions, manipulation, and
discrimination; on special concerns about third parties capturing the
sensitive self-revelations users are making on the internet; and on
consumer concerns about identity theft and stalking through capture of
personal information.
4. The great majority of consumers favor a notice and choice
approach to privacy policies. They hope that business will do this well
but stand ready to invoke government intervention if business fails.
For especially sensitive types of information--financial and health--
and for online protection, large majorities favor legislative
standards. However, surveys generally do not offer much useful data, on
the details of such legislation, since consumers are not policy wonks,
and the debates over costs and economic dislocations in adopting
policies such as ``all-opt-in'' are just beginning in to be heard in
the legislative chambers.
Three Subcommittee Questions
The Subcommittee has asked me to present a critical analysis of
privacy surveys published over the past decade, offering my views on
three questions. Has there been a transformation of the privacy
concerns of American consumers in the Internet age? If so, what are the
sources of this development? And what do these concerns suggest about
legislative choices on privacy protection?
My perspective in responding is that of a political scientist and
privacy expert (author of Privacy and Freedom, 1967) who has been the
academic advisor to 45 national public and leadership surveys on
privacy since 1970 that were sponsored by a wide variety of
foundations, government-research agencies, and business organizations.
(A short bio has been provided in Appendix One, along with a Selected
List in appendix Two of the privacy surveys on which I have been the
academic advisor.) Since the 1970's, I have been presenting the results
of my privacy surveys to Congressional committees, the FTC and FCC, and
various Federal Executive Agencies.
At the outset, of course, legislators should recognize that
contemporary survey research is a complex blend of art, science, and
advocacy. No one should accept ``survey findings''--on privacy or any
other social or political issue--without examining the content and
order of the questions, the representativeness of the sample, and the
perspectives of the sponsors.
Based on my reading of the solid surveys within a larger pool of
over 120 U.S. privacy survey reports collected in the Privacy &
American Business library, I believe these offer useful answers to the
questions posed by the Subcommittee:
1. Has There Has Been A Transformation In Consumer Privacy Attitudes
Over The Past Decade? Definitely yes.
Surveys show that today nine out of ten Americans are concerned
about the potential misuse of their personal information; three fourths
of them (77%) say they are now ``very concerned.'' Even more
significantly, a majority of American consumers have become privacy-
assertive. They are refusing to give their personal information to
businesses when they feel it is too personal or not really needed,
asking not to be marketed to, and declining to patronize a business
because of uncertainty about how their personal information would be
used. Concern about privacy is the single most cited reason Net users
give for not making purchases and for non-Net-users declining to go
onto the Net.
At the same time, however, surveys show that most consumers want
the opportunities and benefits of our consumer-service and marketing-
driven society. With proper notice and choice, more than three out of
four consider it acceptable that businesses compile profiles of their
interests and communicate offers to them.
Further, consumers continue to divide into three basic segments
that my surveys have been tracking since the early 1990's, when it
comes to overall consumer privacy preferences. these are Privacy
Fundamentalists (25%), who reject offers of benefits, want only opt-in,
and seek legislative privacy rules; Privacy Unconcerned (now down to
12% from 20% three years ago), who are comfortable giving their
information for almost any consumer value; and--the most important
group for Congresspersons to understand--the Privacy Pragmatists (63%
or 125 million strong). Privacy Pragmatists ask what's the benefit to
them, what privacy risks arise, what protections are offered, and do
they trust the company or industry to apply those safeguards and to
respect their individual choice. How to create conditions of trust for
the Privacy Pragmatists is the challenge for businesses and law-makers
alike.
Overall, surveys show that privacy now scores as one of the top
consumer and social-policy issues in the U.S., especially intense among
women, a strong concern of both conservatives and liberals, and a
political imperative for both Republicans and Democrats.
2. Do We Understand The Driving Sources Of This Transformation? Yes, We
do
Consumers report that their views on privacy do not come solely
from what they read or hear in the media but strongly reflect their own
personal experiences and those of family and friends. As far as driving
factors, my surveys since 1978 have shown that the higher a
respondent's general distrust of institutions and fears of technology
abuse by organizations, the greater will be the concerns about privacy.
We also know that ``privacy'' in the consumer-business relationship has
three components expressed by survey respondents: anti-intrusion
(against unwanted mail or telemarketing); anti-manipulation (against
compiling profiles that allow ``hidden persuader'' marketing); and
anti-discrimination (against secret standards being used for making
consumer risk-assessments, as for credit or insurance).
Three additional underlying factors fueling current high privacy
concerns have been documented in surveys: (a) fears about tracking or
hacking the unprecedented self-revelation that most Internet users
engage in (with email, forums, information-seeking, and purchasing);
(b) concerns about tangible and serious harm from identity theft,
through capture of consumer's personally-identifying information, and
(c) fears, especially by women, of stalkers or child-predators gaining
location information from either public-record sources or Internet
communications.
3. So, What Do Consumers Want? Systems for Informed Privacy Choices,
Implemented and Enforced.
In general, majorities of consumers think it would be best if
businesses put good privacy policies in place voluntarily, and saw to
their wide implementation; if they fail to do so, consumers want law to
step in.
Organizational surveys in 2000-2001 show that a majority of
American businesses have--at last--gotten the message that most
consumers really care, and will make decisions to assert their
interests on the basis of privacy. Surveys of business conduct on and
off the Net show most businesses are now adopting meaningful privacy
policies, and a majority of consumers say in public surveys that they
think this is happening. Surveys have also shown that a majority of the
American public does not favor a European-Union-style omnibus national
privacy law and a national data protection regulatory agency.
There are some new issues we have yet to test in surveys but are
beginning to do. A survey that Privacy & American Business is now
putting in the field, for example, asks consumers whether they think
that the appointment of Corporate Privacy Officers (CPOs) by companies
is a positive development, what consumers want CPOs to do, and whether
such institutionalization of privacy responsibility in individual firms
would enhance consumer confidence in such companies.
However, it is clear that where especially sensitive consumer
information is being collected and exchanged today--in the financial
and health areas in particular--surveys show the public wants to see
legal privacy-protection rules enacted and enforcement actively
pursued. Reflecting that overwhelming sentiment, Congress included
Title V in the Financial Modernization Act of 1999 and both Presidents
Clinton and Bush supported the health privacy regulations of HIPAA.
Surveys showing overwhelming Net-user hostility to spam will, and in my
judgment should, lead Congress to pass anti-spam legislation at this
session. Similar survey results showing strong public opposition to
uses of genetic information for employment or health-insurance purposes
suggest that well-designed legislation here would be responsive to the
public's deep concerns.
As for online privacy legislation, surveys show strong majorities
favoring ``action'' by Congress to set framework rules. But general-
public surveys do not provide good data on what kind of online privacy
legislation consumers would support, since the public is not made up of
policy wonks and the key policy issues lie in the legislative details.
Debates are just developing on what true costs and market dislocations
would be created by some of the sweeping, ``all-opt-in'' proposals for
online privacy legislation, and these remain to be tested--if indeed
they can be--through survey methods.
Summing Up
A decade of extensive survey research, much of it solid and
credible, documents a steadily rising rational and justified public
demand to set new, privacy-protecting rules for collection and use of
consumer personal information by businesses. The work of this decade.
among survey researchers and Congresspersons alike, is to discover what
will persuade the 125 million American Privacy Pragmatists that we have
the right blend of business initiatives and legal oversight for good
consumer information relationships with business.
Mr. Stearns. Thank you.
Dr. Newport.
STATEMENT OF FRANK NEWPORT
Mr. Newport. Good morning, Mr. Chairman, members of the
committee. I appreciate having this opportunity to review with
the subcommittee the findings of our Gallup polls relating to
privacy over the Internet.
Although there are concerns about privacy that relate to a
wide variety of settings in today's society, my testimony today
will focus on concerns relating to personal information and use
patterns of the Internet.
Our data suggest that roughly 50 to 55 percent of adult
Americans say they use the Internet on a regular basis either
at home, work or at school, and it is this population that I
will be referring to in the rest of this very brief testimony.
One key question that we asked Internet users in one poll
last fall that is particularly germane to this subcommittee is,
``What is the role of the Federal Government in these
matters?'' The response of about half of our Internet users
said that the Federal Government should be ``paying more
attention to matters of Internet privacy.'' About a third said
that what the Federal Government was doing now was about right.
And--and this relates to what Representative Doyle, I think,
mentioned just briefly in his introductory remarks--about 13
percent, a relatively low number, said that the Government
should, in fact, be paying less attention to matters of
Internet privacy.
We obtained roughly the same answers when we asked in a
slightly different way if the Federal Government should do more
or less to ensure citizens' privacy online. In this case,
however, only 6 percent said that the Government should do
less. That same rough number, about half, said the Government
should ``do more,'' and 40 percent said what the Government was
doing now was about right.
The interpretation of these types of responses, for myself
and ourselves at the Gallup Poll, is a challenge in part
because this is a new area of research. We have very little
trend data. It is not a question about Internet privacy and
what the Government should be doing that Dr. Gallup was asking
back in the 1930's and the 1940's, obviously, so we can't go
back in time and see whether that is relatively high or
relatively low. It is tough to place the current sentiment in
the context of historical patterns, and we also have few pre-
existing hypotheses against which we are testing the data.
Now, we do know that roughly half of Internet users say
that they are very concerned about the ``privacy of personal
information you give out on the Internet, as well as privacy
regarding what you do on the Internet.'' Another three in ten
are somewhat concerned, meaning that only about 20 percent,
echoing what we have been hearing, say that they are not
concerned.
But, on the other hand--and I think this is a very
important point--the issue itself does not appear at this point
to be highly salient to Internet users. Just about 16 percent
in our poll last fall said that they were following issues
related to privacy of personal information and use patterns on
the Internet very closely, half said that they were not
following the issue closely at all--and, again, this sample was
a sample of those who told us that they regularly use the
Internet. In a way, I think this goes back to Mr. Rainie's
testimony that at this point most people have not had a major
privacy concern and therefore it is not a very highly salient
issue.
Our overall conclusion is that this is an issue which is of
significant potential concern--I would underscore the word
``potential''--but one which has not yet moved to the point
where it is currently a front-burner problem to many Americans
who regularly use the Internet. As my colleague, Humphrey,
said, we do not find it hardly at all in our most important
problem questions when we ask Americans what it is that are
burning concerns on their mind at this point.
We can be a little more specific. In one poll last fall, we
gave our respondents six different dimensions of Internet
privacy and asked which ones they were most concerned about.
Interestingly for the subcommittee, at the top of the list were
concerns about the Government being able to tap into Internet
email. Sixty-three percent of Internet users said they were
very concerned about this issue, putting it No. 1 out of the 6
that we tested. Second was the issue of large, online data
bases,. Sixty percent said they were very concerned about that
issue. There was less concern about the Government's ability to
tap into suspects' computers, and at the bottom of our list,
relatively less concerned about Internet advertisers who gather
marketing information about people who click on ads and
corporate Web sites which gather marketing information about
consumers by tracking their habits. The percentage of Americans
were very concerned about all of these issues ranges from
roughly 43 to 63 percent.
In summary, I would repeat that in our opinion the issue of
Internet privacy is not one of the greatest concerns to
Internet users today, but one which has the potential--and I
heard the word ``landmine'' used a moment ago, which seems a
reasonable term to use--to be a significant perceived problem
in the years ahead. It is not a problem at this point which a
lot of consumers have had trouble with, and therefore is not
one which comes readily top-of-mind when you stop Internet
users on the street, figuratively speaking, and ask what it is
that is a pressing concern to them at this point.
In terms of what the Federal Government should be doing,
remedies and actions, as mentioned, about half of the Internet
user population said the Government should get more involved.
On a relative basis, this does not put this high on the list,
in our opinion, of priorities that the average American or even
average Internet user has for the Federal Government.
One last point. Our polls show--and we did ask Americans
this--that when asked which political party would do a better
job handling this issue, it came to almost an absolute tie
between Republicans and Democrats. So, at this point, at least
as of last fall, it was not perceived as a highly partisan
issue in terms of who would do the better job of trying to
address these issues. Thank you.
[The prepared statement of Frank Newport follows:]
Prepared Statement of Frank Newport, Editor-in-Chief, The Gallup Poll
Mister Chairman, members of the committee, and guests.
I appreciate having this opportunity to review with the
Subcommittee on Commerce, Trade and Consumer Protection the findings of
our Gallup polls relating to privacy over the Internet.
Although there are concerns about privacy that relate to a wide
variety of settings in today's society, my testimony today focuses
exclusively on concerns relating to personal information and use
patterns of the Internet.
Our data suggest that about 53% of adult Americans use the Internet
on a regular basis either at home, work or at school. It is to this
population that I will be referring in the rest of this testimony.
One key question we asked Internet users in our poll last fall
related to the role of the Federal government in these matters. About
half of Internet users said that the Federal government should be
``paying more attention to matters of Internet'' privacy. About a third
said that what the federal government was doing now was about right,
while 13% said that the government should in fact pay ``less
attention'' to matters of Internet privacy.
We obtained roughly the same answers when we asked in a slightly
different way if the federal government should do more or do less to
ensure citizens' privacy on line. In this case, however, only 6% said
that the government should do less. Half said ``do more'' and forty
percent said what the government was doing now was about right.
The interpretation of these types of responses is a challenge. In
this particular situation, we have no trend data. This is the first
time we have asked about Internet privacy in this fashion, and
therefore we cannot place the current sentiment in the context of
historical patterns. We also have few pre-existing hypotheses.
We do know that roughly half of Internet users say that they are
very concerned about the `privacy of personal information you give out
on the Internet, as well as privacy regarding what you do on the
Internet''. Another three out of ten are somewhat concerned, meaning
that only about twenty percent say they are not concerned.
But, on the other hand, the issue itself does not appear to be
highly salient to Internet users. Just about 16% said in our poll last
fall that they were following issues relating to privacy of personal
information and use patterns on the Internet very closely, while about
half said that they weren't following the issue closely at all.
Our conclusion is that this is an issue which is of significant
potential concern, but one which has not yet moved to the point where
it is a currently front-burner problem to many Americans who regularly
use the Internet.
We can get a little more specific. We gave our respondents six
different dimensions of the Internet privacy issue and asked them to
rate their concern over each.
At the top of the list are concerns about the government being able
to ``tap'' into Internet e-mail. For whatever reason, some 63% of
Internet users are ``very concerned'' about this issue. Second in the
list comes the issue of ``large online databases which publish
telephone directories, property tax information, legal information and
other publicly available records which allow database subscribers to
investigate the lives of ordinary Americans''. Sixty percent of
Internet users are very concerned about this issue.
There is somewhat less concern about the government's ability to
``tap'' into suspects' computers, and still less concern about Internet
advertisers gathering marketing information about people who click on
their ads, and corporate websites which gather marketing information
about consumers by tracking their habits.
Although the percentage of Americans who are ``very'' concerned
about these issues ranges from 43% to 63%, most of the rest say that
they are at least ``somewhat'' concerned. Relatively few web users say
that they are not too or not at all concerned.
In summary, I would say that the issue of Internet privacy is not
one of the gravest concern to Internet users today, but one which has
the potential to be a significant perceived problem in the years ahead.
In terms of specific governmental remedies and actions, about half of
the Internet user population feels that the federal government should
get more involved, but most of the rest think that the government is
doing today is just about right.
One last point. Our poll shows that Americans have no preconceived
notion as to which political party will do a better job handling this
issue.
Thank you.
Mr. Stearns. Thank you.
Dr. Bauman.
STATEMENT OF SANDRA BAUMAN
Ms. Bauman. Thank you, Mr. Chairman and honorable Members,
for the opportunity to speak before you today. My name is
Sandra Bauman. I am a Vice President at Wirthlin Worldwide, a
30-plus-year-old international public opinion research and
consulting company with headquarters in McLean, Virginia.
It is an honor to speak with you today about the research
we have conducted regarding information privacy. Let me first
start by acknowledging that in some sense Americans are
generally concerned about how companies are using their
personal information. What they fear most is that somehow their
personal information will get into the wrong hands and cause
them some harm, such as hurting their credit history or having
their identity stolen. At the same time, consumers also
understand that in order to get information or complete a
transaction, they need to give some information. Whether it be
online or distance shopping, consumers are willing to give
personal information that is deemed necessary for a particular
transaction, rather than some possibly sensitive personal
information that doesn't seem necessary or relevant.
This is intuitive, of course. The challenge is to
understand what types of information are more sensitive and
what types of information customers deem necessary to that
particular transaction. If we were to generically ask in a
poll, ``Are you concerned about your privacy?'' of course a
majority would say yes because there is no context. Why
wouldn't you be concerned about your privacy? It depends on why
it is necessary to share information in the first place.
Different situations may require different types of
disclosure of personal information. Consumers may be very
comfortable providing a specific piece of information in one
context, yet uncomfortable providing that very same piece of
information in another context.
At Wirthlin Worldwide, we have conducted a great deal of
opinion research in the recent years on the subject of privacy,
most of which is proprietary to a number of different clients,
but last year we conducted a multi-phase, in-depth qualitative
study, including several focus groups and 85 in-depth one-on-
one values-based laddering interviews. The interviews were
designed to provide a thorough, in-depth understanding of the
general public's attitudes about privacy issues by uncovering
their perceptions of the direct marketing industry and related
industries at both rational attribute and benefit levels, and
emotional and values levels. These interviews are very in-
depth. They last on average 2 hours each.
Findings from these qualitative studies and generally from
our experience in our 30-year history indicate that people make
choices and form opinions based on closely held personal
values. The rational elements of decisionmaking process are
important in supporting the emotional components that they tap
into.
As individuals feel protected and that they have control,
the physical benefits from sharing information satisfy
emotional needs. In fact, we summarize the way people think
about the need to provide personal information similarly to how
the panelists articulated it today: I want to give what I want
to give when I want, and I want to get what I want when I want.
In other words, consumers are willing to part with information
they perceive necessary to commence or complete a transaction
of their choice, as long as their values of control and safety
are intact.
Most recently, we conducted a nationwide telephone study to
obtain an up-to-date picture of how the public is viewing
privacy issues. Our survey was conducted late last week and has
a margin of error of about 4 percentage points.
We found that there are categories of information that
consumers are willing to share in order to conduct a
transaction, and other information they believe should never be
shared, which you can see on the chart here to your right. It
is also in your materials.
For example, the majority of people say they are never
comfortable sharing their Social Security number, financial
information, medical information, or information about their
children. These types of information are deemed sensitive and,
therefore, individuals are less likely to share information
which falls into the category of ``not necessary'' or ``none of
your business.''
Conversely, people are usually comfortable revealing their
gender, age, education, occupation, hobbies and interests, and
how they heard about a particular company.
There are actions businesses can take to further satisfy
consumers' needs for safety and control of personal
information. A second chart here to your right. For example,
our study finds that 6 in 10 consumers are more confident in
sharing their personal information, knowing that they can opt-
out of direct marketing and telemarketing lists. Three-quarters
tell us they are more supportive of allowing industry to
address the use of personal data knowing that the opt-out
policy is in effect. Other things that comfort consumers are
using technology to prevent identity theft, restricting access
to medical and financial data for marketing purposes, and
communications campaigns about highlighting consumer rights and
privacy protections. If businesses champion a series of safety
and security measures, consumers would have a better sense of
control and feel that by providing personal information they
have made a smart choice, saving themselves time and money.
The Internet, which is still a relatively new medium, is
not completely understood by the public, even by many users.
Most aren't sure exactly how it works. They know it is a
communications tool, they can receive information, provide
information, but they don't know when information travels over
the Internet where it goes and who is at the other end. It is
this fear of the unknown that raises the level of skepticism
for many consumers and reduces their feelings of control.
For example, most people will provide their credit card to
a stranger to process a transaction at a traditional business
or restaurant without concern for their personal credit data.
These practices have a tradition of being secure and are
therefore widely accepted by consumers. The same is true for
catalog purchases. Of 11 factors that are important to a
purchase decision, concern over privacy of personal information
or credit card information rank 9th and 10th out of a list of
11.
With a new medium such as the Internet, consumers' level of
comfort is tied to their experience. Our research shows that as
people have positive experiences with Internet commerce, their
level of skepticism is diminished. Over time, as more and more
people experience Internet commerce, the unknown nature of the
medium will fade as it becomes part of our daily lives.
In summary, companies that voluntarily enact good privacy
policies, ones that are easily understood by everyday
consumers, can help comfort consumers that their information
will not be abused. Industry can achieve this effectively by
engaging in self-regulating policies concerning the collection,
use, storage and exchange of personal information. Thank you.
[The prepared statement of Sandra Bauman follows:]
Prepared Statement of Sandra Bauman, Wirthlin Worldwide
Americans are generally concerned about how companies who collect
personal information use the information. What they fear most is that
somehow this personal information they share gets into the wrong hands
and some harm comes to them, such as having their identity stolen. At
the same time, consumers understand that in order to get information,
they need to give information. That said, in order to conduct a
transaction, whether it be online or distance shopping, they are more
willing to give personal information that is deemed necessary for that
transaction, rather than some possibly sensitive personal information
that doesn't seem necessary.
This is intuitive, of course. The challenge is to understand what
types of information are more sensitive and what types of information
customers deem necessary to a transaction. If we were to generically
ask in a poll: ``Are you concerned about your privacy?,'' of course a
large percentage would say yes because it is taken out of context in
terms of why the information was necessary to share in the first place.
Different situations may require different types of disclosure of
personal information.
Wirthlin Worldwide has conducted a great deal of opinion research
in the past three years on the subject of privacy (most of which is
proprietary to a number of different clients), but in the aggregate as
we drill down into what the consumer receives in returnfor the sharing
of personal information ``both from the internet transactions and
direct shopping--the picture is painted differently than what some
would have you think.
In March 2000, we conducted a multi-phase qualitative study on
privacy. Our approach began with four group discussions in
Philadelphia, PA and Grand Rapids, MI, which were designed to uncover
initial impressions of the public's attitudes toward privacy issues.
Following these group discussions, we conducted a total of 85 in-depth
one-on-one values-based laddering interviews. These interviews were
designed to provide a thorough, in-depth understanding of the general
public's attitudes about privacy issues by uncovering respondent's
perceptions of the direct marketing industry at both the rational and
emotional level. These interviews lasted approximately 2 hours and were
conducted in New York, NY, Chicago, IL, Los Angeles, CA and Washington,
DC.
Most recently, we conducted a nationwide telephone study to obtain
an up-to-date picture of how the public views privacy issues. Our
survey was conducted late last week, on May 2-3, 2001. We contacted 617
respondents to participate in the 13-minute survey, the results of
which we have prepared for you. The margin of error for a study of this
size is +3.9 percentage points.
Findings from the two qualitative studies indicate that people make
choices and form opinions based on personally held values. The rational
elements of the decision-making process are important in supporting the
emotional components they tap into. As long as individuals feel
protected and that they have control, the physical benefits from
sharing information satisfy emotional needs. In fact, we summarize the
way people think about the need to provide personal information in this
way: I want to give what I want when I want, and I want to get what I
want when I want. In other words, consumers are willing to part with
information they perceive as necessary to commence or complete a
transaction of their choice.
There are categories of information consumers are willing to share
in order to conduct a transaction and other personal information they
believe should never be shared. In our most recent research, for
example, the majority of people say they are ``never comfortable''
sharing their social security number, financial information, medical
information or information about their children. These types of
information are deemed sensitive and therefore individuals are less
likely to share information which falls into the category of ``not
necessary'' or ``none of your business.'' Conversely, people are
usually comfortable revealing their gender, age, education, occupation,
hobbies and interests, and how they heard about the site.
There are actions businesses can take to make the information that
is shared more secure, which would result in raising consumers'
confidence to give personal information in the first place. For
example, actions that make consumers more comfortable include: using
industry services to opt-out of direct marketing and telemarketing
lists, using technology to prevent identity theft, restricting access
to medical and financial data for marketing purposes and communications
campaigns about highlighting consumer rights and privacy protections.
If businesses champion a series of safety and security measures,
consumers would have a better sense of control and feel that by
providing personal information they have made a smart choice, saving
time and money.
The Internet, which is still a relatively new medium, is not
completely understood by the public, even by many users. Most do not
know how it operates. They know the Internet is a communication tool
for receiving and providing information. However, they do not know how
information travels over the Internet and who is at the other end of
the monitor. It is a fear of the unknown that raises the level of
skepticism for many consumers and reduces their feelings of control
For example, most people will provide their credit card to a
stranger to process a transaction at a traditional business or
restaurant without concern for their personal credit data. These
practices have a tradition of being secure and are therefore widely
accepted. With a new medium such as the Internet, consumers' level of
comfort is tied to their experience. Those who participate in Internet
commerce tend to feel more knowledgeable about the Internet and more
comfortable with providing personal information. Our research shows
that as people have positive experiences with Internet commerce, their
level of skepticism is diminished. Over time, as more and more people
experience Internet commerce, the unknown nature of the medium will
fade as it become more a part of our daily lives.
In summary, companies that voluntarily enact good privacy
policies--ones that are easily understood by everyday consumers--can
help comfort consumers that their information will not be abused.
Industry can achieve this effectively through self-regulating policies
concerning the collection, use, storage and exchange of personal
information.
Thank you.
Mr. Stearns. Thank you, Dr. Bauman.
Just as a general comment here, the tendency after
listening to you is to want to ask you a lot about the
Internet, but obviously your expertise is basically a polling
of information, so we can't get into, you know, what would you
do if you were a policymaker and X, Y, Z because you are on
this area of trying to understand what the American people
perceive about the Internet. And it is interesting that it
seems to come in almost all your opening statements, that the
public is not really educated. I mean, one of you folks has
broken down the understanding for this to the people who are
basically the ``skeptics,'' the ``pragmatists,'' and the people
who just don't know. And the fundamentalists are 25 percent,
they are the skeptics, and the pragmatists are the 63 percent,
and the unconcerned are 12 percent. And how much should the
Government protect these unconcerned, you know, is a very
difficult question.
But I thought we will try, if we can, just to try and
understand better what you are talking about in terms of the
surveys, so let me just go to you, Mr. Rainie, and ask what you
mean in your opening statement when you say ``demographic
context''? Could you mention--explain what that means? Your
survey highlights that term.
Mr. Rainie. Yes. Different people in different groups have
different senses of the privacy issues. Parents are much more
concerned than nonparents because of information that might
relate to their children. Women show a greater degree of
concern, for instance, than men on some issues because they
just feel like they are stewards of certain kinds of
information that men don't feel as close to.
So, there is a hierarchy of information values--you have
heard it from other witnesses, too. Health information,
financial information, credit information, information about
children, matters most to people, and it matters most to
specific groups of people.
Mr. Stearns. The problem is, as a legislator, are we here
to try and protect the consumer even though they are
uneducated? You know, the person who really uses the Internet,
like somebody who is like my younger son who has been using it
for many years, doesn't have any concern at all. And you
observed that although Americans do not much like online
traffic tracking and profiling, a lot of them take relatively
few steps to stop it. You know, a person can find out how to
prevent the cookies from coming in through the preference on
their Web browser, or they could stop the keystroking
monitoring, they could probably do that. They could also do
encryption. But they just don't seem to be interested.
And so I guess is there something in the data that suggests
why they have this fear but they don't take any action?
Mr. Rainie. Well, I think they don't know the mechanism of
how it is done, and I think in some cases it is expecting a lot
of them to understand all the technologies that are at play,
all the possible ways information can be gathered, bundled,
disseminated and passed along. For some people, they are really
into it and they are happy to be vigilant about checking
privacy policies, be vigilant about checking the source of
information, but for a lot of people that is a lot of work and
they have got other things to do with their lives and they
expect this technology to help them, not be an extra burden in
their lives.
And so I am not sure that throwing all the onus on them is
one that they would be happy with. Clearly, for them, tracking
is a dirty word. They haven't yet begun to comprehend all of
the ways that it is a benefit to them, or potential benefit to
them. Transactions haven't been very explicit to them. I think
a lot of their concern would go away if a better case were made
about how that were done.
Mr. Stearns. Dr. Westin, you indicated in your statement
that nine out of ten Americans are concerned about the
potential misuse of their personal information and that three-
fourths of them say they are very concerned. What are they
concerned about? I mean, can you give us specifically what
their fears are?
Mr. Westin. More and more, as I said, identity theft is one
of the things that is in the minds of the respondents.
Mr. Stearns. Identity theft--they get their Social
Security, they get their pin numbers and they start walking off
with their money out of their bank accounts.
Mr. Westin. That is correct. And as I mentioned, one out of
five households reported that there had been in their
households someone who had been the victim of an identity
theft. So, talk about harm as opposed to potential, one of the
harms is that people perceive that if their telephone calling
card can be obtained, if their credit card information can be
obtained, their Social Security number can be obtained, that
these are all the tools that the fraud artist can use.
One of the largest causes of people not getting mortgages
today is that they have had an identity theft and have not been
able to clear up in time their credit history, and we found
that it takes between 1 year and 1\1/2\ years for somebody to
overcome the harm done to them in their credit report and in
their relations with retailers and charge card companies as a
result of identity theft. That's an example of where people are
connecting the collection of their personal information to a
concrete harm that has happened to them or somebody they know.
Mr. Stearns. Dr. Bauman, you know, this is just, as we
point out, this Internet privacy concern or fear is not just on
the Internet, but they also have it about their personal sense
of information--they are worried about it so much so that we
have passed in Congress the Gramm-Leach-Bliley Act and also
HIPPA regulations. I don't know if you are familiar with those,
but I guess the question is, consumers seem to have a general
concern, and maybe they are pushing the issue more than
legislators need to be worried about. Have you seen any change
in consumer perception after we have passed these two major
pieces of legislation, the HIPPA regulations and the Gramm-
Leach-Bliley Act?
Ms. Bauman. Our research didn't specifically ask about
pieces of legislation, so I can't speak to that directly, but
our findings in both our qualitative and our quantitative
surveys are very consistent with the other research that has
been presented here today.
Mr. Stearns. Mr. Taylor, you have cited, for example, that
privacy is a potential landmine issue. Perhaps you could give
me a worst-case scenario of what you mean by a landmine issue.
Mr. Taylor. Well, an example historically of where privacy
did explode was in relation to credit and, to some extent,
insurance, and it needs some highly publicized instance of
somebody abusing somebody else's privacy for the landmine to go
off.
Now, it seems to me that this could occur in terms of
identity fraud, such as Dr. Westin has described. It could
certainly occur in relation to discrimination for health
insurance or life insurance or employment or credit. It could
certainly go off if, for example, a public figure's use of the
Internet to access pornography sites was highly publicized,
that would certainly trigger a few angry calls. Or, indeed, if
the volume of spamming got so intense you might expect to see
more and more people saying let us make spamming illegal, as I
believe faxing, cold faxing marketing is illegal.
Mr. Stearns. Right now, I could not find the history on
your using the public library in your hometown, what books you
took out. Likewise, I couldn't find out what videos you have
taken out over a number of years or any length of period. So,
likewise, it seemed to me that Congress might have a
responsibility here to say we want to prevent this keystroke
monitoring to protect the consumer, even though the consumer
probably has no concern themselves on what we are talking
about. So, it is a combination of the chicken or the egg. I
mean, should we educate the consumer and then protect him, or
just protect him before we go out and educate him?
Mr. Taylor. Well, ``should'' is your decision, not mine,
but historically I think that legislators have normally reacted
after the landmine has gone off, not before. That isn't to say
that that is the ideal way of doing it.
Mr. Stearns. Maybe just as a general question before I
complete, and just ask yes or no. If Congress went ahead and
instituted an Internet privacy bill and presented it, you know,
the White House signing in the Rose Garden and everything, do
you think that would give a higher level of confidence to the
consumer so that he or she, those folks that are in the one
category here, might help the Internet, might increase business
if we, by Congress being a leader here, could actually bring
more trust to the Internet and increase ecommerce business? Do
you follow what I am saying? Just yes or no, or just a slight
comment. Mr. Rainie. It is a little off your survey question,
but it may be, after all this information, you might have an
intimate or innate ability to say, yes, we think it will help
ecommerce and give more trust, or not.
Mr. Rainie. I am going to steal Dr. Westin's thunder by
repeating what he said. Writing legislation before-the-fact and
particularly off survey work is tricky business. One of the
things that we tried to do in several of our surveys was walk
respondents through to the point where they actually were
facing the clearest policy choice that I think is frame for all
of you, which is, do you want Government to do it, or do you
believe businesses can self-regulate? And invariably, as we
walked the respondents through these questions, they wanted to
stop right at the point where they were in charge. They wanted
to assert that as the primary value that they want control over
their identities, they want to have a seat at the table when
any decisions are made, and we couldn't get them to help sort
it out because they feel so disenfranchised as things stand
right now.
Mr. Taylor. Mr. Chairman, unlike, I think, the other
polling organizations represented here, Harris Interactive
conducts more surveys online than in person or by telephone,
and we are very strong advocates of Federal legislation to
establish high standards to which we want to adhere, and to
have a level playing field.
So, for our business, we think that legislation and
regulation would be very good for our business and for the
consumer.
Mr. Westin. My other hat is a privacy expert, not a survey
expert, and I think the time has come, the surveys would
suggest, for what could be called ``framework'' legislation for
online privacy. What I mean by that is that if you set in
motion requirements that Web sites post privacy policies, step
one, that you provide that the individual is well informed to
exercise the choices that those policies provide, whether it is
opt-out or clicking to opt-in. And, third, whether you have
supervisory jurisdiction in a body like the Federal Trade
Commission, for example, that under its existing Section 5
jurisdiction can look for prosecuting or issuing cease-and-
desist orders for any Web site that violates its promises, you
would have put in place what I think the Chairman is talking
about when you ask what would it take to give confidence for
people to use the Internet.
It worries me if there would be any kind of legislative
standard to opt-in as the requirement or the default because I
think that all the survey research shows that consumers want
choice, but they don't want somebody to dictate what their
choice is. And I think notice and choice, to me, especially in
the Internet environment, means stating what the Web site wants
the information for, how it will use it, and to give the
individual a choice then to opt-out or not to do business with
the Web site.
So, I would argue that all the survey material tells you
that the public is seeking tools for confidence. What Congress
can do, in my judgment, is to provide a piece of framework
legislation that allows then the good businesses to have good
relations with the consumers who come to their Web sites, but
allows consumers not to do business with those companies that
are not posting the kind of privacy policies that the consumer
wants to expose themselves to.
Mr. Newport. Mr. Chairman, Dr. Westin has good points. My
initial reaction to your specific question was, I would not
anticipate an enormous change if Congress did pass the
legislation and it was signed in the Rose Garden of the White
House. At this point, I don't think there is dramatic evidence
that a lot of consumers are staying off the Internet or in any
way restricting their behavior because of concerns over privacy
except when we pollsters ask those questions, so I don't think
at this point there is a pent up demand to use the Internet
that once this legislation was signed we would see dramatic
change, at least initially.
Ms. Bauman. I agree with Mr. Rainie that our research finds
that the public wants to retain control of their personal
information and decide which information to divulge and when.
To some degree, they can't be in full control without
understanding their options and tools available to them in
controlling these items of personal information.
In our qualitative research, which was very in-depth, we
heard from consumers that they want businesses to self-
regulate, they think that is important, but they also want
businesses to collaborate with Government on these efforts, and
that way builds trust between the consumers and the companies.
Mr. Stearns. My time has obviously expired. Mr. Doyle.
Mr. Doyle. Thank you, Mr. Chairman. It just seems to me--I
mean, I remember the first time I gave my credit card online,
there is a certain element of risk-reward. I think the public
in general is just somewhat schizophrenic on this whole idea of
what they really want with privacy. It seems to me, you know,
if you are dealing with sensitive financial data or medical
information, I think there seems--I mean, there seems to be
more of a tendency of people wanting privacy there yet, on the
other hand, you hear retailers say, ``Well, one of the ways to
prohibit spamming or eliminating junk mail on the Internet is
for us to learn more about the people that we are trying to
serve, and we can reach a point where you are only receiving
the kind of advertisement that you want to receive because you
have indicated what some of your buying preferences are, or
those types of things.''
You go into a supermarket in Pittsburgh and you shop at
Giant Eagle, they have got a thing--I think it is called the
Advantage Card or something--that basically they scan your card
going in, and the enticement is they give you some discounts on
their products, but then they start to learn about your buying
patterns, and they tell us, well, that helps them better serve
the people that walk into the store because they know what to
order, when to order it, and what you are going to buy.
So, you see these tremendous benefits on the one hand where
retailers can tailor-design advertising and products to people
based on what they say they want. On the other hand, there is a
real worry out there about giving information about your
medical history. And I just wondered, does most of your
surveying show that the greatest concern is really in the areas
of medical privacy and financial records, and is there maybe a
need for us to look more closely or deal more strictly with
those areas as opposed to retail shopping or eBay buying? I
mean, I am just wondering what--is that where the major concern
is when you are talking with your--and just generally to the
panel.
Mr. Newport. In one survey we did last fall, we gave people
a list and, indeed, financial and health care information was
at the top of the list of concerns. The things which were lower
were not so much retail--I am not sure they were on the list--
but employment history and educational background history,
where you had degrees and things like that, seemed to be of
much less concern.
But you mentioned, Congressman Doyle, the two magic words,
I think--financial and health.
Ms. Bauman. Our study also found that, that was conducted
late last week--medical information, financial information. The
great majority of the people said they were ``never
comfortable'' providing that information.
Mr. Westin. Our surveys show that one of the apprehensions
people have is that the mergers that have brought together
banks, credit card companies, insurers and investment firms,
has broken down what once was a great protection of privacy,
which was the ``silo'' effect that your information was in one
silo and, because of competitiveness and industry separation,
it wasn't shared.
There is a great concern today that the mergers and
acquisitions have opened up much larger pools of sharing of
information, and that is why Congress in Title 5, in the Gramm-
Leach-Bliley Act, tried to deal with the difference between
sharing information outside with affiliates, and the choices
that individuals are looking for in terms of the way their
information circulates inside those merged institutions.
Mr. Rainie. We found in a survey of people who use the
Internet to get health information, that even in those
circumstances where they are getting sensitive information
online, they are adamantly opposed, for instance, to having
their medical records put online. Sixty percent of those health
seekers said ``We would not feel comfortable having our health
records online even at a password-protected, secure Web site.''
We put that in the questionnaire to give them some level of
assurance of it. Their default thought is this is way too
sensitive. The harm that can come from improper disclosure of
this is way too grave for me to risk it.
Now, my guess is that over time, if people's doctors
educate them and say to them, ``If you put your records online,
the likelihood of a medical error being made when you are in an
emergency situation or a loved one is in an emergency
situation, that level of concern might go down,'' but no one in
the people we were talking to had a great sense that that was
the tradeoff. All they thought was, ``My gosh, this is
horrible, and horrible things could happen to me or a loved one
if this kind of information were disclosed.''
Mr. Taylor. I agree with what you have heard from the other
witnesses. We asked last year, people to say how concerned they
were about different kinds of information not being protected,
and the top five items were credit card number, Social Security
number, financial assets and information about finances, name
and address so that people could actually reach me, and,
finally, medical and health records.
Mr. Doyle. Thank you. Mr. Chairman, I see my time is up.
Mr. Stearns. I thank my colleague. Mr. Shimkus.
Mr. Shimkus. Thank you, Mr. Chairman. Mr. Doyle has got to
learn how to be a Ranking Member, and don't you know you get to
go way past your time like the Chairman.
It is great to have you. I keep thinking of Richard Dawson
saying, ``Survey says,'' boom, ``Survey says,'' and that brings
up a little bit of controversy about this hearing of should we
be making public policy based upon surveys. Of course, our
President says no, but many of us use polling data quite
frequently. In fact, Wirthlin Worldwide is mine, and I would
like to welcome Dr. Bauman. I know she doesn't deal with me or
in that spectrum, but there is a lot of credibility in what you
all bring to the table, and I appreciate you all being here
today.
Dr. Westin, I want to follow up on a comment that you made,
first of all. You said one in every five people have been a
victim of identity theft. That probably needs some more
clarification. That is two out of every ten people.
I have heard of identity theft because I serve on this
committee, it is my fifth year. But I bet you I could go
through quite a few people before I know of anybody. I don't
know of anybody in my immediate realm, and I come from a family
of seven kids, or identity theft. Can you help us and tell us
where you get this one in every five?
Mr. Westin. We asked a question that said, ``Have you or a
member of your household been the victim of an identity theft,
which is defined as someone assuming your identity to charge
goods or services, or assume your identity for financial
gain.'' Keep in mind then, that that could be somebody who
watches you put in your telephone calling card at an airport,
or somebody who has obtained your credit card in the ways we
have been discussing. So, it is not one out of five adults or
people, it is one out of five households.
In my own household, almost every member of my household
has had one or another of these happen--credit card charge pops
up on an Internet account or a credit card account. Twice I
have had my telephone calling card obtained by somebody who
must have seen me putting it in in an airport.
So, I don't think that that is out of line with some
figures that the Treasury Department, the Secret Service and
others have put out recently, indicating how enormously
widespread these kinds of identity thefts have become.
So, it is true that this is self-reporting, and survey
people always are cautious when people report things and you
don't have objective verification. But if you ask in a survey
has this happened to you, and there is no shame in saying it
has or hasn't, and there is no advantage in saying it has or
hasn't, and if the question really described concretely what
you mean by identity theft, I think that you have to take the
finding fairly seriously.
Mr. Shimkus. Does anyone, based upon their research,
corroborate the two out of ten, or--as far as identity--not to
cause a fight between the brethren here and the industry, but
anyone want to add to that?
Mr. Rainie. We have data which is similar to that, so we
will corroborate, yes.
Mr. Shimkus. Thank you. Survey says two out of five
panelists agree. What is a better judge of the impact of this?
We are mostly focusing on consumers or mostly ecommerce. I
mean, we will go into a whole brave, new world when we deal
with medical privacy. My opening statement talks about the
conflict between the two. I don't know if they can be handled
similarly. But on the ecommerce end, what is the ability of a
projection on business based upon having good privacy
protection versus real-world data on what really occurs in a
market? A survey is a projection. Real data as far as sales and
commerce is a real deal.
I think, Dr. Newport, you mentioned that were we to move in
with some of these privacy provisions--correct me if I am
wrong--your point was we may not see an automatic jump in
ecommerce, is that correct?
Mr. Newport. Yes, that is what I said. I don't know that we
have strong evidence which suggests that lots of people are
restraining from buying things or doing other things on the
Internet because of concerns about privacy. And as I mentioned
in some of my data, although when we asked people ``Are you
concerned'' and they say ``yes,'' it is not, as others have
mentioned, a highly spontaneous problem that comes up when we
talk to people in our polling and, therefore, that is why I
think several of us have said right now I am not sure that
there is an enormous front-runner concern over it.
Mr. Shimkus. Dr. Bauman, I have one--the question that I
wanted to ask Dr. Bauman, and anyone else can add--in your
questioning, did you address the additional cost-benefit
analysis that may occur, and what would the consumer accept as
reasonable cost for protection, or was there in essence no
boundaries?
Ms. Bauman. That is an interesting question, Congressman.
We didn't----
Mr. Shimkus. Yes, it is my job.
Ms. Bauman. We didn't exactly specifically go into the
cost-benefit analysis. What we did ask them about is if certain
provisions were in place, would that make you more comfortable
and more supportive of industry engaging in self-regulation,
and overwhelmingly they said yes to all of those various types
of self-regulating policies and actions.
Mr. Shimkus. Anyone else want to add--and my time, Mr.
Chairman--on the cost-benefit analysis of moving forward?
Mr. Westin. In 1994, we did a survey of how consumers felt
about consumer reporting. What we found was overwhelmingly
consumers accepted the fact that if credit grantors did not get
good credit information about payment of bills and bankruptcies
and liens, that it would cost more for every consumer, it would
take much longer for their applications to be approved, that
minorities would not get the advantages that they seek because
they would be not enhanced in any way in the marketing to them,
and so forth.
So, I think consumers, in fact, are quite accepting of the
benefits that come from information being used for quality risk
assessment, and in the tradeoff there, they are very aware that
there are costs in not having information for making these
kinds of judgments.
Mr. Shimkus. Thank you very much. Mr. Chairman, I yield
back.
Mr. Taylor. Could I just add one note. At the risk of
sounding arrogant, we are very, very proud of the very strong
privacy protection policy we have for our online surveys, which
I described earlier, and it is interesting that in our
telephone surveys we get about 2 percent of people who will
willingly self-identify as gay, lesbian or bisexual. When we do
this with in-person surveys with a ballot box so that the
anonymous form is put in the ballot box, that goes up to 4
percent. In our online surveys, we are consistently getting 6
percent who self-identify in that way. We believe it is because
they trust us not to reveal that information to anyone, and we
think they would not do so if we did not have strong privacy
protection.
Mr. Shimkus. Mr. Chairman, if I could.
Mr. Stearns. Sure.
Mr. Shimkus. Is that because on your survey when it pops
up, you have got, as was stated before, you post the privacy
provisions and that you believe that the consumer or the
individual will be well informed and will make a judgment based
upon the trust they put in your ability to keep that
information private?
Mr. Taylor. Yes.
Mr. Shimkus. Thank you, Mr. Chairman.
Mr. Stearns. The gentleman from Tennessee, Mr. Bryant.
Mr. Bryant. In this committee, I am going to go by John
Shimkus from here on. You have your identity stolen now.
I want to welcome the panel and apologize for being late.
We just landed from back home, and so I have kind of caught up
with some of what you are saying. I do appreciate, as Mr.
Shimkus does, your value in polling and what you do add to this
hearing.
I would suspect, from personal experience, a lot of the
concern that people would have online would be just--many
haven't developed a comfort zone yet in the use of the
Internet, and aren't as skilled as they believe many others
are, and they have a fear, I am sure, of hackers and things
like that getting in the records, but probably, by and large, I
think it is more as people get comfortable using it and their
own abilities and realize that it can be safely used with
adequate protections, that you will find the so-called consumer
confidence going up in this.
I am wondering--I think, Mr. Taylor, if I could ask you--is
there something that the companies can do in making a
compelling case to these consumers that in exchange for this
personal information, there is a benefit, a consumer benefit
there, and how can they do this, if they can?
Mr. Taylor. Well, I think that you have heard from several
of us that they certainly can do that and that they should do
that, and it is necessary because, in general, people are often
unaware of the benefits themselves as opposed to the company
they are dealing with of providing that information.
If you take, for example, information about automobile
accidents for insurance, people realize pretty quickly that if
you obtain that information and if you have got a good,
accident-free record, you will get a better insurance rate, but
initially that probably had to be explained to people. So, you
have to spell out the benefits and they have to be real
benefits, and I would say that sometimes they may not be real
benefits, in which case you have got a problem.
Mr. Bryant. In sort of a follow-up to that, your work for
PLI indicates that the presence of privacy statements and seals
are valued by the public. Further, your work indicates that
consumers rarely take advantage of these privacy tools. In
essence, is it accurate to say that if the consumers see
privacy statements and seals, that they are less likely to
leave a site than not, notwithstanding whether the company
actually provides technology solutions to help the consumer?
Mr. Taylor. Yes, it is clear that the posting of privacy
policies has a positive impact, even though, in some of our
surveys, very few people are actually reading all of them, and
there is also a fair amount of skepticism as to whether
companies actually enforce their privacy policy. So, it is both
a question of having good policies and displaying them and, of
course, enforcing them.
Mr. Bryant. Dr. Bauman, we have talked about this issue a
little bit, but I want to follow up in terms of Gramm-Leach-
Bliley and HIPPA. It seems that consumers are most concerned
about sharing their personal sensitive information such as
medical or financial information. Many of these poll results
have indicated that consumers believe that legislative action
is needed. Have you seen a change in consumer confidence as a
result of the passage of these bills, Gramm-Leach-Bliley and
the HIPPA regulations, and, if not, would you expect to see a
change? These basically incorporate privacy protections. Do you
see anything out there in your polling results that would
reflect the passage of this legislation?
Ms. Bauman. Like I said before, we haven't specifically
asked people about pieces of legislation or even their
awareness of them, so I can't speak directly to that question,
although it is definitely a logical one that could be tested.
People generally are uncomfortable providing that type of
information, and when we do our in-depth qualitative work, we
find the two values that emerge here are people wanting that
peace of mind protecting their personal security, and also
having that personal control to determine that destiny.
So, I would think that those two pieces of legislation
would be comforting, although our research hasn't directly
tested it either before or--so, therefore, I can't speak about
it changing over time either.
Mr. Bryant. This is, I think, a question for Dr. Westin.
Your site evidence that consumers fear privacy keeps them from
participating in the Internet or going on the Net. However, you
state in your testimony that surveys to-date haven't been
helpful in determining what consumers want in terms of
legislation to protect privacy.
Mr. Westin. Yes. If I could go back to your earlier
question, Congressman, isn't it important to know that Gramm-
Leach-Bliley is just beginning to kick in in terms of behavior
toward consumers? It is the flood of notices that people are
now getting from the banks, insurance companies, an avalanche
of them, two or three dozen for a typical family, very
complicated. Federal regulators require that you say things
that nobody would ever want to say to a consumer, but you have
got to follow the regulations both with a litany of what they
tell you you must do.
So, I don't think we know yet how consumers are reacting to
the Gramm-Leach-Bliley structure of rights. It is going to play
out as they begin to understand the way their information is
going to be used and what rights they have.
As far as HIPPA is concerned, it is going to be 2 more
years before those regulations go into full effect, so you
can't really expect consumers to feel anything yet about the
medical and health privacy. Most of the providers are just
beginning to get themselves organized to bring in compliance
with that in 2 years.
So, especially in the survey sense, I don't think you will
find much knowledge on the part of consumers about those two
interventions by Congress, and only one is an enacted, in-force
regulation, the other is something that has to play out across
2 more years.
As to the question you asked me, I think that what I was
trying to say was that in crafting legislation, putting the
choices between, let us say, an opt-in or an opt-out regime
into a survey in a way that you give much credence to the
response of the individual, it is very difficult because that
is a question in which you are really struggling to figure out
what the effects would be of one regime in terms of the
confidence of consumers to business and the business model, as
to how they are going to make money on the Internet.
So, what I was trying to suggest is that consumers can
express concern, but when legislators go to decide what the way
to respond to that concern is, that is where legislative skills
and policy analysis and cost-benefit analysis is what you have
to bring to bear. I have never seen a good survey on cost-
benefit analysis in privacy that I would put much credence in.
Mr. Bryant. Thank you, and I thank each member of the panel
for your appearance and testimony today. Thank you, Mr.
Chairman.
Mr. Stearns. Thank you. Mr. Walden.
Mr. Walden. Thank you, Mr. Chairman. I wanted to follow up
on what Dr. Westin was saying, especially your comment about
the Gramm-Leach-Bliley notices. Probably like a lot of people
in this room, we have been getting them. I think to myself, it
is a good thing it is an opt-out as opposed to an opt-in
because we probably have all kinds of things getting canceled
because after a while you just--have any of you actually read
those notices in detail?
Mr. Westin. I have to for my job.
Mr. Walden. If you weren't required for your job to have
read them, would they--it seems to me we have raised the issue
a bit, but in a very complex, grammatical way. Does anybody
want to comment on the effect of that notification process?
Mr. Taylor. There is an interesting analogy. In the 1980's,
I think, and early 1990's, the pharmaceutical industry was
under a great deal of pressure to put in patient package
inserts describing the risks and the potential side effects of
medication. This was not something which large numbers of the
public were demanding, but there were activists who were
demanding it, and it was the reluctance of the industry to do
this which made people very critical of them and very
suspicious of them. They now are required to do it. Our data
shows that almost nobody reads them, but the fact that they are
there is a little bit reassuring, and the criticism of the
industry has died down, so I actually think it was good for the
industry even though they fought against it.
Mr. Walden. Interesting. All right. Reading through the
testimony and some of the data, am I correct in summarizing
that the bulk of people don't look to the Federal Government
for new legislation here, they would rather control their own
destiny on the Internet, control their own information?
Mr. Westin. I think it is complicated because sometimes
survey research puts the question this way: Do you think
Congress should enact legislation to protect your privacy on
the Internet, and that is a motherhood-type question and it is
not surprising that 60 or 70 percent will say, yes, they are in
favor of it. But if you give them alternatives, if you say:
Would you rather have an option to make your choices as to how
your information is used, or do you think business ought to do
this as a matter of self-regulation and Government should just
police those who do not do it----
Mr. Walden. The hackers and the violators.
Mr. Westin. Exactly--you get a very different result, which
suggests that it is in the framing in the question as to
whether you make it motherhood or whether you give options and
choices, that you really will get your data back.
Mr. Newport. And, Congressman, even with the motherhood
effect--Mother's Day is coming, that is an appropriate point--
we only had half of the individuals, regular Internet users,
who said, yes, the Federal Government should be more involved
than they are currently. Our interpretation contextually was
that that is a fairly low number.
It is easy--I think that Dr. Westin is absolutely correct--
it is easy for a respondent to say, ``Well, of course,
Government should do more``, and the fact that only half said
yes, the Federal Government should do more, to us suggested
that there was not a strong clamoring on the part of
constituents for the Government to intervene.
Mr. Walden. Well, isn't it accurate, too, that a very small
percentage of users even understand cookies and their ability
to do anything about that? I read that in some testimony here.
Mr. Rainie. Yes. Our finding is that more than half of
Internet users and a significant portion even of veteran users
do not know what cookies are, do not know the basic mechanisms
of tracking. And so they would appreciate more knowledge about
that, and they would appreciate a much better explanation of
the virtues of what they get out of cookies.
Mr. Stearns. Is the gentleman complete?
Mr. Walden. I would yield back. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman. We are going to close
here. I think this member, this Chairman, is left with a little
bit of ambivalence here because we were hoping in June to try
to draft something. We feel from the previous hearings that
although we might be ahead of the consumer, we thought it would
be worthwhile to put something as a marker and not drop it as a
bill, then get the response of people in industry--the
software, the hardware companies, consumers--and try to get
feedback on what they felt. And we thought we would do sort of
a minimalist type of approach because the perception is that, I
think even from the surveys, that a lot of people have some
concerns, as Dr. Westin pointed out.
But at this point, as many of the Members said, you really
can't necessarily develop legislation based upon a survey, but
there is the possibility of a landmine, and that is what we
have to weigh. We haven't had any consumers running to us down
in our districts saying, ``Please, please give me an Internet
privacy bill,'' but I innately feel that if we did have
provided a bill of some type and provided a consistency across
the Internet for protection, and the consumer thought he or she
had that, it would certainly increase, I think, ultimately, the
consumer using ecommerce as a form of business.
And so I think the hearing today has pointed out some of
the ambivalence that we all felt. I think you have done a
superb job of giving us your opinion on this, and we appreciate
your time. And with that, the subcommittee is adjourned.
[Whereupon, at 4:40 p.m., the subcommittee was adjourned.]
�