[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
INFORMATION PRIVACY: INDUSTRY BEST PRACTICES AND TECHNOLOGICAL
SOLUTIONS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
JUNE 21, 2001
__________
Serial No. 107-38
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
73-730 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York
Vice Chairman DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky LOIS CAPPS, California
BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona JANE HARMAN, California
ED BRYANT, Tennessee HENRY A. WAXMAN, California
STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Cerasale, Jerry, Senior Vice President, Government Affairs,
Direct Marketing Association, Inc.......................... 59
Cole, Steven J., Senior Vice President and General Counsel,
Corporate Secretary of the Council of Better Business
Bureaus, Inc............................................... 66
DeVault, Jerry R., National Director, Innovative Assurance
Solutions, Ernst & Young................................... 73
Hsu, Stephen, Co-Founder, Chairman and CEO, SafeWeb, Inc..... 29
Hughes, J. Trevor, Director, Privacy Compliance, Engage, Inc. 55
Rotenberg, Marc, Executive Director, Electronic Privacy
Information Center......................................... 76
Schlosstein, Frances, Vice President, Business Development
and Marketing, Webwasher................................... 25
Schwarz, John, CEO, Reciprocal............................... 32
Wallent, Michael, Product Unit Manager, Internet Explorer,
Microsoft Corporation...................................... 18
(iii)
INFORMATION PRIVACY: INDUSTRY BEST PRACTICES AND TECHNOLOGICAL
SOLUTIONS
----------
THURSDAY, JUNE 21, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2123, Rayburn House Office Building, Hon. Cliff Stearns
(chairman) presiding.
Members present: Representatives Stearns, Deal, Shimkus,
Bryant, Bono, Terry, Bass, Tauzin (ex officio), Towns, DeGette,
Doyle, Harman, Markey, and Eshoo.
Staff present: Ramsen Betfarhad, majority counsel; Mike
O'Rielly, majority professional staff; Brendan Williams,
legislative clerk; and Bruce M. Gwinn, minority counsel.
Mr. Stearns. Good morning. The Subcommittee on Commerce,
Trade, and Consumer Protection will come to order.
I wish, of course, to thank all of those in attendance,
especially our distinguished witnesses. Welcome to the
subcommittee's hearing. We entitled it ``Information Privacy:
Industry Best Practices and Technological Solutions.'' It could
also be entitled ``Software Solutions and Self-Determination.''
This hearing is the fifth in a six-part series of hearings
examining information privacy. The series is scheduled to
conclude next month. My colleagues, I am confident that this
morning's hearing, as with the four preceding it, will add to
an already rich record on the issues of information privacy.
The record developed by this subcommittee on information
privacy is the most comprehensive in Congress and enjoys both
an impressive range and depth. I invite all members to review
the record before formulating their thoughts and positions on
the issue of information privacy.
Today's hearing adds a new and important dimension to the
existing record--private sector response to privacy concerns.
That response engenders two components--technological solutions
and voluntary industry information privacy standards. I am
particularly pleased that this morning we will witness the
demonstration of just a handful of technological solutions that
are now available to the American consumer.
In my view, these solutions designed to reach information
privacy concerns of the consumer are a critical ingredient of
whatever is a recipe to the final solution of our problem.
Technological solutions are such a critical ingredient for
three reasons among many.
First, nothing offers a consumer greater control over his
information privacy destiny than technology. Using some of the
filtering software being demonstrated today, I, as an internet
user, can determine how much personal information I want to
share and for what purpose.
For example, I can determine to accept a ``good cookie,''
one that makes surfing a website seamless and efficient, as
easily as I can decide to reject a ``bad cookie,'' one designed
to track my online movements for purposes I don't care for.
The second reason why technology is a critical part of any
response to information privacy concerns is the fact that
technology responds to change much faster and with greater
responsiveness and precision to the new and continually
evolving privacy concerns than any other way of addressing
information privacy concerns.
Innovation and technological change has, and continues to
be, a hallmark of the American experience and its culture.
Technology has helped us combat many ills of society, albeit
not by itself. Moreover, solutions to privacy concerns have the
advantage of precision, not too dissimilar to laser surgery. A
tech solution can remove the bad cells with minimal, if any,
damage to the good cells surrounding the bad.
Finally, the incentive for the creation and constant
improvement upon technological tools, getting at consumers'
information privacy concern, is a great one. It is the mighty
dollar. When there is a consumer concern such as privacy, a
marketplace is created. Where there is a market, there are
dollars to be made. Where there are dollars for whatever
reason, there is creativity, innovation, speed, and efficiency.
The second component of the private sector response to the
American consumers' information privacy concerns is the
adoption of self-regulatory measures. Today's witnesses will
highlight a number of voluntary self-regulatory programs
adopted by direct marketers, online advertisers, and retailers.
Moreover, we will hear about a new field in ``assurance
services,'' privacy assurance. No one is under the illusion
that altruism has brought about this movement in self-
regulation. After all, substantial costs are associated with
the deployment, implementation, and adherence to these self-
regulatory standards governing consumer information privacy
practices.
Rather, it seems that many, if not the majority, of
companies dealing with individual consumers have reached the
conclusion that being responsive to their customers'
information privacy concerns is simply ``good business.'' Now,
how successful have they been? I don't know.
What I do know is that some companies have chosen to use
their privacy policies as a means of gaining a competitive
advantage vis-a-vis their competitors. Such competition
ultimately empowers a consumer to vote with his dollars as to
what are his or her information preferences.
In my many years of public service, I have yet to find an
important complex public policy concern that has lended itself
to a panacea quick-like solution. Information privacy concerns
are no exception. Private sector solutions, such as technology
and self-regulatory practice, however, do go a long way toward
mitigating those concerns.
So I look forward to our witnesses' testimony, and we are
just delighted to have them. And I will offer the ranking
member, the distinguished member from New York, Mr. Towns, an
opening statement.
[The prepared statement of Hon. Cliff Stearns follows:]
Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on
Commerce, Trade, and Consumer Protection
Good morning. I wish to thank all in attendance, especially our
distinguished witnesses. Welcome to Commerce, Trade, and Consumer
Protection subcommittee's hearing entitled, Information Privacy:
Industry Best Practices and Technological Solutions. This hearing is
the fifth in six part series of hearings examining information privacy.
The series is scheduled to conclude next month. I am confident that
this morning's hearing, as with the four preceding it, will add to an
already rich record on the issue of information privacy. The record
developed by this subcommittee on information privacy is the most
comprehensive in Congress and enjoys both an impressive range and
depth. I invite all members to review the record before formulating
their thoughts and positions on the issue of information privacy.
Today's hearing adds a new and important dimension to the existing
record: private sector response to privacy concerns. That response
engenders two components: technological solutions and voluntary
industry information privacy standards. I am particularly pleased that
this morning we will witness the demonstration of just a handful of the
technological solutions now available to the American consumer. In my
view, technological solutions designed to reach information privacy
concerns of the consumer are a critical ingredient of whatever is the
recipe to the solution for the problem.
Technological solutions are such a critical ingredient for three
reasons, among many. First, nothing offers a consumer greater control
over his ``information privacy destiny'' than technology. Using some of
the filtering software being demonstrated today, I, as an Internet
user, can determine how much personal information I wish to share and
for what purpose. For example, I can determine to accept a ``good
cookie--one that makes surfing a website seamless and efficient--as
easily as I can decide to reject a `bad cookie' '' one designed to
track my online movement for a purpose I don't care for. The second
reason why technology is a critical part of any response to information
privacy concerns is the fact that it responds to change much faster and
with greater responsiveness and precision to the new and continually
evolving privacy concerns than any other way of addressing information
privacy concerns. Innovation and technological change has and continues
to be a hallmark of the American experience. Technology has helped us
combat many ills of society, albeit not by itself. Moreover,
technological solutions to privacy concerns have the advantage of
precision. Not to dissimilar to laser surgery, a tech solution can
remove the bad cells with minimal, if any damage, to the good cells
surrounding the bad. Finally, the incentive for the creation and
constant improvement upon technological tools getting at consumer's
information privacy concerns is a great one. It is the mighty dollar.
When there is a consumer concern such as privacy, a market place is
created. Where there is a market, there are dollars to be made. Where
there are dollars, for whatever reason, there is creativity,
innovation, speed and efficiency.
The second component of the private sector response to the American
consumer's information privacy concerns is the adoption of self-
regulatory measures. Today's witnesses will highlight a number of
voluntary self-regulatory programs adopted by direct marketers, online
advertisers and retailers. Moreover, we'll hear about a new field in
``assurance services,'' privacy assurance. No one is under the illusion
that altruism has brought about this movement in self-regulation. After
all, substantial costs are associated with the deployment,
implementation and adherence to those self-regulatory standards
governing customer information privacy practices. Rather, it seems that
many, if not the majority, of companies dealing with individual
consumers have reached the conclusion that being responsive to their
customers information privacy concerns is simply good business. Now,
how successful they have been, I don't know. What I do know is that
some companies have chosen to use their privacy policies as a means of
gaining a competitive advantage vis-a-vis their competitors. Such
competition, ultimately empowers the consumer to vote with his feet
and/or dollars as to what are his or her information privacy
preferences.
In my many years of public service, I have yet to find an important
and complex public policy concern that has lent itself to a panacea
like solution. Information privacy concerns are no exception. Private
sector solutions such as technology and self-regulatory practices,
however, do go a long way towards mitigating those concerns.
Thank you. I look forward to the testimony.
Mr. Towns. Thank you very much, Mr. Chairman. I have a
prepared opening statement, but I would like to just put it in
the record and just make a couple of comments.
Mr. Stearns. Without objection, so ordered.
Mr. Towns. First of all, let me commend you, Mr. Chairman,
for the way you are handling this situation. The fact that you
are moving very slowly, you are listening, you are talking to a
lot of people before moving forward. I think that is really the
smart way to do it, and I want to commend you for that.
I also want to say that some people are saying that we
should just leave this alone and it will sort of work itself
out. But the consumers are out there saying, ``We want to be
protected.'' And I think that we need to take a very careful
look and try to find out ways and methods that we can protect
them.
And I feel very comfortable, Mr. Chairman, in the way you--
again, the way you are moving, because, you know, we need to
talk to people, we need to listen, and we need to visit. And I
have been trying to visit as many companies as I possibly can,
of course, in the New York area to talk to them to get their
input in terms of how we should handle this situation.
I don't want us to make the mistake that Thomas Jefferson
made. Thomas Jefferson read a pamphlet on how to swim and
jumped in the water and almost drown--you know, kicking his leg
and pulling his arm, and all of that. So I don't want to be
guilty of that. I think that we need to make certain that we
talk to people that are out there in the field on a day-to-day
basis, in terms of--and involved in this issue.
And I think that if we do that, then I think that at the
end of the day we can come up with something that will not put
a whole lot of folks out of business, but at the same time be
able to protect the consumer as well.
So I wanted to say to you, I salute you on that, and I am
anxious and eager to hear from the witnesses because I think
this is something that we must deal with eventually. No
question about it. And on that note, I yield back.
[The prepared statement of Hon. Ed Towns follows:]
Prepared Statement of Hon. Ed Towns, a Representative in Congress from
the State of New York
Mr. Chairman, thank you for holding this educational hearing on
information privacy. I would also like to join you in welcoming the
members of both panels assembled here today. I would especially like to
welcome my friend, John Schwarz, the CEO of Reciprocal, which is
located in New York's Silicon Alley. John has a great product to
display for us today and I look forward to hearing from him as well as
all the witnesses.
Mr. Chairman, I must say that I am heartened by the technologies
assembled here today that will allow consumers more control over their
personal identifiable information. I am particularly pleased with
Microsoft including the Platform for Privacy Preferences or (P3P) into
their latest edition of Internet Explorer. After seeing a demonstration
of this new technology integrated with the new Microsoft Operating
System, I feel that consumers are going to be empowered like never
before to not only further protect themselves but to further educate
themselves on protecting their privacy, which is of the utmost
importance.
I do not commend the P3P technology because it is an end all-be-all
for privacy protection, but rather because Microsoft is truly the first
company to offer a pragmatic solution which grants more power to the
consumer while they surf the Internet.
The other technology that I want to bring to my colleagues'
attention is that which is being used by Reciprocal. Reciprocal is a
company, which currently protects Intellectual Property on the Internet
by encrypting the content when it is purchased online. While Mr.
Schwarz will explain this more in depth during his testimony, his
technology can be and in the near future I believe should be used to
help protect medical as well as financial records, in addition to other
personal information belonging to consumers.
Companies need to feel that their efforts will not go unrewarded.
Many of my colleagues are bent on legislating Internet privacy. While I
would agree that minimum standards are needed, why limit an industry
that continually awes consumers with each new product developed? Let's
not put restrictions on the Internet or on the technology that is
bettering our constituents' lives.
I look forward to hearing the testimony from our witnesses and
yield back the balance of my time.
Mr. Stearns. I thank the gentleman.
The gentleman from Illinois, Mr. Shimkus?
Mr. Shimkus. Thank you, Mr. Chairman. And I will be brief;
we have two large panels. And I apologize for having to leave.
Our State delegation is meeting on appropriation issues, and I
get to chair that meeting at 11.
But I want to thank you for holding this hearing. I look
forward to the demonstrations that I am going to be able to
observe. We will have staff present.
Also, I am interested in hearing how the businesses depend
on sharing personal information and their views of new privacy
tools. We all know that our citizens want privacy protection.
We also know that our citizens want to accrue all of the
benefits of information sharing.
The question is: are these two issues mutually exclusive?
Hopefully you will inform us that what is--what the consumers
want is the best, and you are helping provide the technology
through the business model to solve those issues. I hope you
can answer those questions, and we look forward to hearing from
you.
I yield back my time, Mr. Chairman. Thank you.
Mr. Stearns. I thank the gentleman.
The gentlelady from California, Ms. Eshoo?
Ms. Eshoo. Thank you, Mr. Chairman. Good morning to you,
and welcome to the witnesses. We are grateful to you for coming
to Washington to enlighten us.
Today's hearing can provide very important information I
think for all of the members of the subcommittee for our
discussion on the need for privacy legislation. By examining
some of the existing technological solutions and business
practices, I think that we can learn and understand better and
be able to gauge the type of legislation that the issue calls
for.
I have introduced a bill, along with Congressman Chris
Cannon from Utah, that achieves--at least we think it achieves
a balance between the protection of online consumers and
continued promotion of technological innovation relative to the
evolution of e-commerce.
We want to be able to encourage the growth of the internet
and e-commerce, and I think that the bill strikes that balance.
It does this by establishing some basic minimum standards in
the form of notice and choice, and at the same time leaving
room for the industry to continue to develop its own privacy
protection technologies, some of which we are going to see
today.
We have to get this right legislatively. I think if there
is anything that is built into legislation that allows for the
unintended consequences that could happen we can really hurt
what we are really attempting to grow. So I am very mindful of
that, and I think anything that we do that--in haste, that we
could live to regret it legislatively.
We know that all of our constituents feel very strongly
about privacy. I think that privacy runs through the veins of
the American people. We have always had a resistance and a
suspicion of Big Brother, and I think that there are people out
there today that have a sense that they are suspicious or
afraid of Big Browser.
So we not only can collect information, it can be sold, it
can be shared. There are some blessings to that, but there is a
down side to it as well. So I think that today's hearing can go
a long ways with the subcommittee so that we can then tell our
colleagues about what technologies can do, but I also think
that it will help build a foundation for legislation in the
107th Congress to provide the privacy that the American people
feel so strongly about and insist upon justifiably.
So I look forward to hearing from the witnesses, and thank
you, Mr. Chairman, for having this important hearing.
Mr. Stearns. I thank the gentlelady.
My colleague from New Hampshire, Mr. Bass, is recognized.
Mr. Bass. Thank you very much, Mr. Chairman. And, again, I
repeat, I appreciate these series of hearings. They have been
tremendously informative for me as a newer member of the
committee and my first exposure to what is an exceedingly
complex and difficult issue.
I understand that before the Congress moves forward with
any kind of government solution--if you want to give it a
generic definition--we need to fully understand the scope of
the problem, the players involved, and what reasonable role
government can play, balancing the need to maintain a strong
and vital economy on the internet, while at the same time
protecting the rights of individuals.
I was, unfortunately, not able to come to the hearing that
was held yesterday on--or Tuesday, rather, on Ford v.
Firestone, because I was holding a cyber security/privacy
conference of my own in my district, in which a number of
individuals, some of whom are in the same business that you
folks are in, and others that are--that run concerns that have
a significant cyber exposure, to try to--we met to listen to
speakers who made presentations to try to make sure that we
understand, at least in my district, which is a very high-tech-
oriented district, what the problems are and what the potential
solutions are.
And without getting into some of the conclusions that were
drawn by this conference that I had, suffice it to say that
this hearing dovetails very well with the subject matter that I
am personally concerned with and that is the concern of a
significant constituency in New Hampshire.
So thank you, Mr. Chairman, and I will yield back to you.
Mr. Stearns. The gentleman yields back.
The gentleman from Massachusetts, the ranking member of the
Telecommunications Subcommittee, Mr. Markey?
Mr. Markey. Thank you, Mr. Chairman, very much. And we
welcome all of you best practices people, and, you know,
congratulations. We are going to give you each gold stars on
your forehead today for your excellent work. And you are going
to actually set a standard for this committee as to what we can
expect everyone else in the industry to do.
Obviously, we're not going to pass any laws that will
punish you, because you all do good work. But because you know
better than we do how many really bad people are out there
online, which is why all of your technologies are necessary, we
are going to have to pass laws to protect the public against
them. But you don't have to worry because you all are meeting
the standards for protection of the public.
That is the good news about your testimony today, that this
technology is there, that public privacy can be protected, that
it is not hard for the industry to do this. That is the good
news, that you have the strongest case that can be made to pass
legislation, that we need legislation, that we have to give
everyone the minimal rights to be able to protect their
information.
After all, we have done it before. You know, people's tax
returns are protected, their cell phone records, their
telephone records, their cable records. None of this is
publicly available. None of it can be disseminated without the
express permission of the individual.
We were doing that in an analog world. Now that we have you
digital geniuses here to help us to explain--there are some
people, believe it or not, who will tell us you can't do it in
a digital world, even though they did it in an analog world.
You know, how foolish, how anti-technology, huh? How
antediluvian they all are. Because we all know that we have
moved, actually, from the world of Big Brother to Big Browser.
The real threat now is less what the government can do to
you, but what corporate America can do to you, as these
corporate data-mining giants seek to combine every piece of
information about you so that they actually wind up knowing
more about yourself than you do or any other member of your
family.
Now, we should give every American, obviously, the right to
protect against that kind of invasion, because that is--that is
the central right that every American has. That is what
distinguishes us from the rest of the world.
And it is sad to think that the Europeans are ahead of us
in granting these kinds of rights, because we have--that is why
we fled all of these nice, European countries, most of us in
this room, our grandparents, because we weren't given these
rights to protect our religion, to protect our ethnic
background, to protect our privacy, from what the king--from
what these despots might try to do to us. So we thank you for
illustrating how this is possible.
And I think, Mr. Chairman, in conclusion, we need three
levels of protection. One, we need for every American to have
the right to access to these technologies--P3P, any other
technology that can wall out any of this information. We need
individuals to themselves try to protect themselves.
But at the third level, you have to realize that there are
still going to be corporate or individual attempts to intrude
upon our privacy. And as a result, there has to be a minimal
floor of privacy that every American is entitled to, legally
and enforceably.
And only at the point at which all three components are in
place simultaneously will there be a set of privacy protections
which can protect the public. But I want to thank all of you,
because there are many people, by the way, who don't want to
testify here today, who will contend that what you are saying
is really impossible, too difficult, can't do it,
technologically impossible to protect privacy, too complicated
for industry.
Even as industry says, ``We can move your information from
here to Kuala Lampur in the blink of an eye. And isn't it
great, this information age?'' And then when you say, ``Oh, by
the way, can you just let me check off someplace where I don't
want it disclosed,'' they go, oh, the horror, the technological
complexity of adding that one extra little box. I don't know
how we are going to do it. It is a little bit--I will just
conclude on this.
It is a little bit like this hearing that we had last week
where, you know, you have got the Energy Department here
saying, ``Yes, it is possible to deploy a Star Wars technology
that can be deployed in outer space with nuclear powerplants in
outer space, and lasers and beams and coordinated on the
ground, and knock down every Chinese and Russian missile in
under a minute and a half.''
And we can do this all in the next 4 years, and actually we
don't even need the anti-ballistic missile treaty, and we can
abrogate our relationships with just about every other country
in the world, and we know it is technologically possible.
And then you say to them, ``Well, can we improve the
efficiency of air conditioners?''
And they go, oh, the horror. The horror of trying to
improve air conditioners so that we can deal with the
electricity crisis. Okay?
So you are proof positive of something that is working in
the marketplace that--complemented with a legal minimal set of
enforceable protections that every American can sleep at night
knowing that if somebody tries to do something to them that
there will be a way in which the law can protect them.
Thank you, Mr. Chairman.
Mr. Stearns. Thank you.
The gentleman from Nebraska, Mr. Terry, is recognized for
an opening statement.
Mr. Terry. Thank you. I appreciate your holding this
hearing. Welcome to all of our witnesses, and I yield back.
Mr. Stearns. The gentleman yields back.
The gentlelady from Colorado, Ms. DeGette?
Ms. DeGette. Thank you, Mr. Chairman, for holding yet
another informative hearing on a topic none of us ever tire
of--privacy.
While I am always loathe to follow Mr. Markey, I still want
to add a few words, although I am sure not as glibly as Mr.
Markey often does.
Not too long ago, if an online business had a privacy
policy, they were probably way ahead of the eight ball,
regardless of what the privacy policy actually said. Now having
a privacy policy is not so important as what that policy
actually is. And, increasingly, consumers seem to know that.
During earlier hearings in this series on privacy, I
remarked that I see privacy as an issue that can be used to
great advantage by industry, if it realizes how important the
issue is to consumers. And we all know poll after poll shows
that personal privacy continues to be one of the top concerns
of individuals ranking right up there with health care and
social security. And in the technological age, privacy is an
increasing concern of consumers.
If businesses, like those today will testify, institute
straightforward and effective privacy policies, I think
customers will beat a path to their door. And there are a lot
of examples how this is already happening.
We need to address both the perceived and real fears people
have with respect to privacy, though, particularly in this
electronic age.
And I think this bears repeating today because the best
technology and privacy policies in the world won't do much to
further consumer protections if the consumer doesn't realize
what is aware to him or her, or if they don't understand the
vagaries of the particular technologies or policies they are
dealing with.
From a business perspective, a lot of time and money can be
invested in implementing a certain technology. And if the
customers can't figure it out, or if the customers don't even
know about the existence of the policy, then the business won't
reap the benefits.
One of the programs that I read about in the testimony for
today is the AICPA web trust program for online privacy. I
recently talked about this program with some of my constituents
who are members of the Colorado Association of CPAs, and they
told me that when this program was first getting off the ground
their members did not want to implement the system.
They thought it was a hassle. They thought it was
expensive, and so on. Many of the CPAs still have not put the
system into place, but those who have done so found they were
more than earning back their investment because of the
increased business that came their way because of higher levels
of consumer confidence in the business.
So I think it is both the responsibility of business and a
smart economic decision to make sure their privacy policies are
fully accessible to their customers. The trick will be, as Mr.
Markey pointed out, what do we do about the businesses who
don't understand that this is both the right thing to do for
consumers and also the economically prudent thing to do for
their own business? And how do we protect consumers?
It is an ongoing discussion that we will have. There is no
magic bullet, because of advances of technology. And I look
forward to hearing from our witnesses and hearing some of the
new advances, and I am happy to yield back, Mr. Chairman.
Mr. Stearns. I thank the very distinguished colleague.
The gentleman from Tennessee, Mr. Bryant, is recognized for
an opening statement.
Mr. Bryant. Thank you, Mr. Chairman. I, too, look forward
to hearing from our witnesses today as we continue our look
into the issue of information privacy.
It is good to see the private sector respond to the
concerns of so many--that so many people have about the
internet, and this hearing is a great opportunity for us to
learn more about the technologies developed and how it provides
consumers with the protection that they want.
In previous hearings, I have learned that each user has a
different opinion of what a violation of a person's privacy
entails. It is good to know that technology such as Webwasher,
Zero-Knowledge, P3P, and Microsoft Internet Explorer have been
developed so each user can choose what kind of protection she
wants when using the internet.
I am particularly glad that the Better Business Bureau has
taken the initiative as a third party to verify the security of
various websites. I am also looking forward to hearing from the
Direct Marketers Association and the National Advertisers
Initiative, so that we can learn more about the efforts used by
each to ensure that online advertisers don't overstep their
bounds.
Internet users like to be aware of instances when their
information is going to be shared, and I think most would like
to have that option of opting out.
I also hope that today's hearing can serve effectively as a
public forum to inform Americans about technologies, software,
and assurances out there, which a person can utilize to prevent
information about themselves and their internet habits from
being known by parties without knowledge or permission of that
user.
I also hope that this hearing will provide people with
information so that a user can have more confidence in the
security of internet.
With this, I would close my statement and thank the members
of this panel for coming here today. Thank you.
Mr. Stearns. I thank my colleague.
Mr. Doyle, Pennsylvania, is recognized for an opening
statement.
Mr. Doyle. Thank you, Mr. Chairman.
Good morning and welcome to all our invited guests and
witnesses. I am looking forward to hearing what you as industry
experts have to tell us regarding the viability and approach
that your companies have employed to make electronic
transactions via the internet more secure.
Many of my colleagues on this subcommittee are well aware
that today's hearing is the fifth in a series that the Chairman
has called to examine various aspects of internet privacy
debate. Without a doubt, the majority of American consumers are
concerned about the security of their personally identifiable
information that can be gathered while online.
This subcommittee has heard testimony from previous
witnesses who have conducted numerous surveys of online
customers that speak to this fact. Additionally, we are here
today to listen to the technological solutions and approaches
various companies have developed or are in the process of
developing to meet the privacy needs of online consumers.
Companies would not be developing and marketing these
services if a market demand for such goods did not exist. The
issue of controlling the information that is gathered about
consumers while online and how to go about limiting the
distribution of this information is a fundamental consumer
protection issue.
We have a significant challenge and a good deal of
discussion ahead of us before we reach a conclusion as to the
best way to ensure that personal information is protected
online while not stifling the continued growth of e-commerce in
America. Today we revisit the issue of proper industry self-
regulation this subcommittee raised in another previous
hearing, and hopefully we will see some definitive solutions to
privacy protection.
I find it encouraging that the industry is responding to
the challenges presented by internet privacy and is developing
and implementing security software or protocols to address
these concerns. It has been said that there is a buck to be
made with the development of such services. After all,
innovation and creative industry response to consumer needs has
long formed the backbone of commerce in this country.
I am concerned that although privacy protection companies
may prevent direct third-party access to personally
identifiable information, the privacy protection software
itself could be used to gather information which might be
shared with affiliated third party companies.
I am quite sure that the representatives of the companies
here today would never employ such tactics and are making great
strides to combat this abuse. But without a basic framework of
standards and regulations, other less responsible entities
could exploit public trust for financial gain.
Mr. Chairman, I look forward to hearing about the software
and the practices that our esteemed guests have developed to
ensure that this scenario does not become a reality.
I thank you, and I yield back.
Mr. Stearns. I thank my colleague.
And now we recognize for an opening statement the
distinguished Chairman of the full committee, the gentleman
from Louisiana, Mr. Tauzin.
Chairman Tauzin. Thank you, Mr. Chairman.
As the committee knows, this committee requested that
Chairman Stearns conduct a thorough review and educational
process on the issue of privacy. And, Mr. Chairman, I want to
compliment you on the fact that I think you have already
outdone your assignment.
This has been an extraordinarily instructive series of
hearings, and I think it is going to help our full committee at
some point make some very good and wise decisions regarding
privacy, not only online but for the general sake of the
American public. And I thank you for this hearing today.
Today, as you know, we focus on two very important aspects
of the question. In the privacy conference this committee
conducted last year with the Chamber of Commerce, we first-hand
saw and learned about some of the new technological
developments of new equipment and software that, in fact,
enable consumers to protect themselves online in various and in
sundry ways.
And we have also learned that over the last year there have
been a myriad of new products coming on board and new
technologies being developed. We will learn more about that
today, and I thank you for arranging that, Cliff.
Second, we will learn a lot more about the practices in the
self-regulatory regimes that exist in the marketplace by which
the industry and its players are attempting to do what a good
marketplace always does, and that is give consumers something
they want.
And we know that consumers do want an assurance that
privacy concerns are being addressed by the companies they deal
with, and the people they will deal with online, and that these
privacy concerns are taken seriously enough that consumers have
some confidence in both the security of their transactions and
the respect that will be given to information that consumers
would rather not be used in ways that they would not approve
of.
And so we will learn a lot today about the practices within
the industry. Mr. Chairman, in your last hearing we learned why
consumers have reason to be concerned, and that there are, in
fact, some bad practices in the marketplace. We have learned
recently, even worse, that Federal websites are filled with
cookies, websites where consumers don't necessarily volunteer
information but in many cases are obliged to give information
to a Federal agency.
So we have got some real work to do in both the publicly
owned websites of America and the Federal agencies and their
relation to their consumers and to the consumers who enter the
commercial online world and want and expect some degree of
security and privacy in their transactions.
This will be a very illuminating hearing because it will
help us understand what is, in fact, occurring out there,
particularly over the last year, that will give consumers more
and more control over this sensitive issue in their lives.
I also want to point out that while privacy concerns are
not limited to online transactions, this exercise today will
again give us more insight as to some of the broader issues of
privacy concerns in the marketplace. And, again, I thank you
for that.
Finally, I want to address one issue that has received a
little attention lately, and that's the changes that have
occurred in the other body, and as they affect the issue of
privacy and legislating on privacy.
Let me assure all of you that the subcommittee chairman and
I are committed to a very thoughtful, a very careful, and
professional review of these privacy concerns, and that changes
in the other body are nothing more than that--changes in the
other body.
We intend to keep our course, and we intend to proceed very
carefully in this area because we understand how delicately the
information age depends upon a very careful cut between
restricting information for the cause of protecting privacy and
permitting the free flow of information for the sake of an
information age that depends upon information.
We are going to proceed very carefully because our rule is
to do no harm and to facilitate and to actually encourage the
development of things we are going to learn about more today--
self-regulatory practices, self-regulatory regimes, enforcement
regimes, and technologies that empower consumers in this
marketplace.
Thank you very much, Mr. Chairman.
[The prepared statement of Hon. W.J. ``Billy'' Tauzin
follows:]
Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
on Energy and Commerce
Thank you, Mr. Chairman, for holding this hearing. This is another
step in the education process on this important public policy issue.
You have certainly outdone yourself in an effort to provide the
Subcommittee with a full background on the subject of privacy.
Today's hearing focuses on two important pro-active steps
organizations are taking at their own initiative to help improve
consumer privacy: developing technological privacy solutions and
creating positive private sector practices and/or enforcement regimes.
For a number of reasons, some valid and some invalid, current
information exchange practices have generated increased concern by
consumers about their ability to maintain their personal privacy. From
the last hearing on privacy, we learned that consumer confidence is
somewhat shaken by the privacy practices of some companies. Today, we
get to look at what is being done about this.
With every problem, however, there is a corresponding opportunity.
As with most things in the free market, someone is going to find a way
to take advantage of this opportunity. The creative and innovative
nature of technology is starting to take root to fill in the gap
between the privacy protections consumers want and the information
gathering and exchange that some companies practice. Specifically, some
entrepreneurs and technology companies are developing products designed
to further protect consumer privacy. Software and hardware solutions
are sprouting-up in the marketplace to deal with consumer privacy
interests. These solutions come in many forms with differing options
and costs. From filtering products, to anonymous web-surfing, to
browser notifications and standards, technology is just starting to
enter this field. And this is just the tip of the iceberg. I expect
many new technologies to be created to address this issue and meet
consumer demand for privacy protections.
In addition, many American companies, recognizing it is in their
best interest to address consumer concerns, have already taken steps to
improve their privacy practices or provide necessary assurances to
consumers of their practices. In other words, many companies want to
promote consumer confidence by giving them what they want--better
privacy.
Self-imposed privacy enforcement and assurance regimes have been
created to promote company use of positive privacy practices--or
industry ``best practices.'' These regimes also come in many different
forms and may target specific sectors of industry. Today, we will hear
from a number of representatives about the steps they are taking, the
companies they represent or oversee, the processes they use to approve
and enforce their privacy practices, and more.
I think one important message to take from this hearing is the
great work that is being done by the private sector to promote consumer
confidence as it pertains to privacy. I appreciate the work of those
companies that are developing technology and those organizations
keeping privacy practices in line with consumer wishes.
I think the Committee can gain a valuable education by actually
trying to use and implement the technology that is out there. And so, I
will be asking the relevant interested parties, especially those not
able to testify today, to work with us over the next few months to show
us how your technology or industry best practice would work as they
apply to this Committee's website. I recognize that the privacy debate
is more than just what is happening online, but this should be a useful
exercise. In a voluntary way, I am hopeful that we can explore the
differing programs, including the seal and assurance programs, to learn
how they work. We also need to learn more about which technologies the
Committee could implement to ensure citizens feel comfortable with the
Committee's privacy practices. In other words, show us first-hand what
you have and what it really does.
Lastly, let me address one issue that has received added attention
recently because of the changed perspective of the Other Body towards
privacy. Let me assure everyone that the Subcommittee Chair and I are
committed to a well thought-out, deliberate, rational process as it
pertains to privacy and any potential fixes. The changes in the Other
Body and its impact on privacy are just that--changes in the Other
Body. We will continue along our own path.
I again thank the Subcommittee chair for holding this hearing and
look forward to the testimony of the witnesses.
Mr. Stearns. I thank the distinguished chairman.
We will now go to panel No. 1. Before I start, I would
introduce or indicate to my colleagues that Mother Nature has
prevented one of our witnesses from attending. Mr. Austin Hill
of Zero-Knowledge was unable to get a flight from Montreal to
Washington last night because of electrical storms. Mr. Hill
asked that his testimony be made part of the record in his
absence. And without objection, it will be so ordered.
[The prepared statement of Austin Hill follows:]
Prepared Statement of Austin Hill, Co-Founder, Executive Vice
President, and Chief Strategy Officer, Zero-Knowledge Systems, Inc.
Thank you, Mr. Chairman and members of the committee. I applaud the
Subcommittee's leadership in addressing privacy issues, and appreciate
the opportunity to talk today about the role technology solutions play
in maintaining information privacy in our global information society.
My name is Austin Hill, and I am the co-founder, executive vice-
president, and chief strategy officer for Zero-Knowledge Systems. Zero-
Knowledge is a provider of privacy-enabling technologies and services.
We employ 175 people and are headquartered in Montreal, Canada with
offices in Redwood City, California. Zero-Knowledge is the oldest and
largest privacy technology and services company. We employ many of the
world's leading privacy policy and cryptography experts, and have been
working since 1997 on technological ways to prevent the erosion of
privacy in the information society.1
---------------------------------------------------------------------------
\1\ See http://www.zeroknowledge.com for more information.
---------------------------------------------------------------------------
As both a privacy advocate and entrepreneur, I will outline the
factors creating our society's major privacy challenges, and detail
where we have the technological tools to manage and secure information
privacy.
INFORMATION PRIVACY: AN ENTREPRENEUR'S PERSPECTIVE
Four years ago, after successfully creating Canada's third largest
ISP, my partners and I started thinking about Internet privacy. We saw
studies showing that privacy was a growing concern for consumers and
immediately recognized its importance to an emerging e-business sector.
Much of our inspiration was based upon the idea that technology
will be everywhere: multiple networked devices, wireless location
services, intelligent homes, and ubiquitous networks. We believed that
if we, as a society, did not come to terms with how to safeguard
people's personal information, the technologies that would soon become
so pervasive would erode individual privacy. We also recognized that if
information privacy was not addressed in a way that offered customer
preference and choice while enabling businesses to build trusted
relationships with consumers, all of the coming advancements in
technology would not reach their full potential.
As a person who places a high value on individual privacy, I was
deeply concerned. Yet, I also saw an incredible opportunity for
privacy-enabling products and services. So, in 1997 my partners and I
created Zero-Knowledge Systems to be the company that provides the
solutions to ensure information privacy in our society.
At Zero-Knowledge we have long held the view that good privacy is
good for business, and the more we talk with our customers at some of
the world's leading companies, the more we see that industry leaders
share this view.
The Gartner Group articulated it well in a recent report, saying:
``The widespread adoption of the Internet and the web has shifted
cultural attitudes toward privacy. Heightened privacy sensitivity will
require online and offline businesses to re-examine existing
information practices. Through 2006 information privacy will be the
greatest inhibitor for consumer-based e-business.'' 2
---------------------------------------------------------------------------
\2\ Please visit http://www.gartner.com
---------------------------------------------------------------------------
We are at the beginning of the information technology revolution
and it is clear that privacy has emerged as both a major challenge and
opportunity. Now is the time to build privacy into business, and the
new products and services being deployed every day. On the positive
side, businesses and policy-makers such as yourselves have recognized
the problem and are actively looking for solutions. I firmly believe
that Zero-Knowledge and other companies are well positioned to provide
these solutions.
When examining what we need to address to provide the tools to
assure information privacy, one must look at the information itself.
How well an enterprise manages its personal information assets will
determine the success or failure of critical e-business initiatives. A
core business asset, personal information carries with it many
challenges and opportunities.
One must recognize the information explosion our society is in the
midst of. UC Berkeley's School of Information Management and Systems
stated that ``(m)ore information will be created in the next 3 years
than in the last 40,000 years.'' Between 1980 and 2000 we created 10
million terabytes of data. This includes music, books, credit, medical
and personal records and other common data types. From 2000 to 2003 we
will create 40 million terabytes of data.3
---------------------------------------------------------------------------
\3\ Please visit http//www.sims.Berkeley.edu
---------------------------------------------------------------------------
This is a truly astounding statistic. It becomes even more
important to today's discussion when two more factors are taken into
account.
The first is to again realize that the trend for technology is
toward pervasive devices and ubiquitous networks. Everything from your
car to your home and phone will talk to each other and share data. The
combination of the two technological trends of information explosion
and pervasive computing suggests that personal information will now
need to stored and transferred in a variety of new manners. Information
will not simply reside on a home PC, or a PDA, but will be stored on a
variety of networks, and with a variety of different organizations.
This data will then be shared via the fixed Internet, the mobile
Internet, and emerging personal area networks such as Bluetooth and
wireless 802.11 connections.
The second factor, and most relevant to your topic today, is that
of all of this data the overwhelming majority of it will be personal
information. Some estimates hold that over 80% of it will be personal
information, including medical records, insurance records, educational
records, personal communications, credit history, photos and home
video, and government records.4
---------------------------------------------------------------------------
\4\ EMC, the leading data storage company, http://www.emc.com
---------------------------------------------------------------------------
Zero-Knowledge believes that there are two classes of privacy-
enabling products necessary to fully address information privacy in a
climate such as this: (1) consumer-side privacy protection tools; and
(2) corporate-side Privacy Rights Management technologies.
Examples of privacy protection tools include products such as anti-
virus programs, firewalls, and encryption tools. The goal of privacy
protection technologies is to stop people from invading your privacy.
These types of tools place the burden of use on the consumer, but also
empower them to take control over and protect their privacy. We will
always have private data that only we as individuals can protect and so
it is essential for there to be privacy protection tools available to
consumers.
Zero-Knowledge has created the Freedom Internet Privacy Suite to
empower Internet users to secure and protect their privacy when online.
Its standard features include a firewall, ad manager, form filler, word
scanner, and cookie manager. These features combine to enable an
Internet user to control how and when their personal information is
released, and to protect their PC from malicious hackers. We also offer
Freedom's Premium Services, which add the industry's most robust
private encrypted email and private browsing to the suite. These two
services utilize the global Zero-Knowledge Network of servers that re-
route and privatize the traffic of Freedom users.
Other privacy protection solutions are available to consumers and
two of them are here to testify today, WebWasher and Microsoft with its
P3P-enabled browser. Technologies such as these are essential to ensure
that consumers have the tools necessary to protect their privacy.
The second class of privacy solutions I referred to, Privacy Rights
Management (PRM) technologies, represent an essential framework for
building information privacy into the enterprise.
In the information society, I must trust various organizations,
businesses or individuals such as my doctor with my personal
information. Hence, there is a requirement for those parties to be
responsible and accountable for how they manage my data. Today, no
tools exist for a business or organization to demonstrably protect and
manage the personal information it has collected about its valued
customers and employees.
Businesses must adhere to a complex and constantly emerging global
framework of privacy regulations and have begun hiring Chief Privacy
Officers (CPO) and other data protection officers to help with the
task. I have spoken with many of these new CPOs at Fortune 500
companies and they all articulate the same concern: they don't have the
tools to do their job. Imagine a Chief Financial Officer attempting to
do her job without tools such as Enterprise Resource Planning software
or even spreadsheets. It would be close to impossible. Unfortunately,
that's exactly the position that every CPO is in today. There is, quite
simply, a lack of tools for the job. This is where PRM technologies
will be applied. The core idea behind PRM is that the enterprise needs
a policy-based framework for data management and protection if it is to
comply with regulations, mitigate risk, support customer preferences
and build consumer trust.
There are several companies developing solutions that fit in the
Privacy Rights Management framework. These include IBM, Novell, and
Tivoli. PRM is an emerging category of enterprise software that will
help close the current gap between stated policies, customer
preferences and operational realities.
Privacy Rights Management: Software Solutions for the Global
Enterprise
The proliferation of data systems in both the public and private
sectors that handle sensitive personal information such as health/
medical records, financial/credit records, and location-based profiles
demand that proper controls be put in place to ensure this data does
not fall into the wrong hands and is not subject to misuse. It is of
great value for a business to have these controls in place in order to
mitigate risk, reduce the cost of compliance and build consumer trust.
A comment I often hear from CPOs at major corporations is that they
have no idea what personal information assets are present at their
company, who has access to them and how the data is being used. As a
case study, imagine a global corporation with operations in disparate
countries and several divisions. As an incoming CPO you will need to
first discover all of the personal information present throughout the
organization. You will need to know who controls each repository of
personal information, which people are allowed to access what
information and in what cases this information is combined with other
data resources.
Once that information is gathered you will have to assess which
regulations apply to what kinds of data. For example, a Customer
Relationship Management database located in Canada will be subject to
the recently enacted Personal Information Privacy and Electronic
Documents Act. Data held in a European country will be subject to the
EU Directive. American companies also face privacy legislation at the
local, state and federal level including the Gramm-Leach-Bliley (GLB)
Act and Health Insurance Portability and Accountability Act (HIPAA).
Combined with this global patchwork of regulations are the data and
privacy policies present in your company.
As Chief Privacy Officer your next challenge is to apply and
enforce data regulations and policies on the data and continually
monitor and assess the data flows within the organization. A CPO also
needs to grapple with issues such as providing consumers with access to
certain types of data in order to foster trust, and restricting third
party sharing of data in an environment where thousands of employees
might have access to information assets that are spread across multiple
applications. Some regulations such as HIPAA also call for businesses
to obtain consent from consumers before sharing their data. Setting up
a call center or mailing out hundreds of thousands of notices can be a
costly exercise compared to having tools that can automate this
procedure.
Zero-Knowledge Systems' Privacy Rights Management Suite is an
enterprise software solution designed to enable the entire range of
processes detailed above.
Our PRM Suite applies a policy-based framework to enterprise IT
infrastructures for the responsible management of personal information,
enabling business to mitigate risk, attain compliance and build
consumer trust. The various components of the Suite are designed as
tools to allow businesses to rollout their information privacy program
in an efficient and reliable manner, and include:
Discovery and inventory of personal information resources
Definition and articulation of privacy policies in an
application-readable form
Policy implementation at the application and data store level
System monitoring of personal information handling practices
Enforcement of information privacy requirements
Audit and assurance of information privacy practices
The Zero-Knowledge PRM Console, the first component of our PRM
Suite to be released in Q4 of this year, enables the end-to-end
management of information privacy within an enterprise. Information
security and privacy officers can discover, inventory, and classify
personal information (PI) assets while applying relevant global data
regulations and corporate privacy policy. The Console works with
existing IT resources such as customer and employee databases, Web
servers, enterprise applications and access control solutions.
PRM Console features include:
Discovery and Inventory module: Enables and centralizes the
identification, classification and management of personal
information throughout the enterprise
Modeling module: Supports compliance efforts by enabling the
application of rules based on regulation or corporate policy,
and customer preferences to personal information
Reporting module: Ensures privacy or security officers have
the reports needed to facilitate management, auditing and
verification
Underlying PRM is Privacy Rights Markup Language (PRML), a language
specification designed to capture the complex relationship between
business operations and personal information. PRML formalizes privacy
policies and operational procedures across enterprise applications and
data stores, producing detailed reports and requirements as output.
PRML's underlying principles are based on the OECD Fair Information
Practices and support a wide range of possible privacy policies and
several forms of output, including XML and plain English. Future
releases of PRML will provide automated enforcement within the
enterprise IT infrastructure.
The goal of the PRM Suite is to define a standard of functionality
that will secure personal information by providing data protection and
security officers and CPOs with a toolkit to facilitate and reduce the
cost of regulatory compliance, while supporting business objectives,
and customer preference and choice. The PRM Suite takes advantage of a
wide range of new and evolving technologies to support legacy
enterprise applications while simplifying integration through a
component-based application model. It supports applications ranging
from traditional client-server applications delivered over corporate
intranets to outward facing web services on the Internet.
If the developments of recent data and communication technologies
are going to fulfill their promise, customers need to trust businesses
with the collection, disclosure and use of their personal information.
The Zero-Knowledge PRM Suite provides a cost effective means to
implement privacy solutions that enable global and industry-wide
compliance, which in turn fosters consumer trust, and enhances both the
value of information assets.
THE PROMISE OF PRM AND PRIVACY ENABLING TECHNOLOGIES
PRM technologies such as Zero-Knowledge's PRM Suite can be a major
force in enabling businesses to build privacy into their operations and
thus raise the bar for privacy in our society.
The Zero-Knowledge PRM suite empowers data protection and security
officers with the tools to effectively address the intensifying demand
for consumer privacy, to navigate complex global regulations, and most
of all, to institutionalize the enterprise's commitment to protecting
consumer privacy in a demonstrable manner. Specifically, the Suite
allows for
assessment and mitigation of risk across the entire
organization
simplifies compliance in a cost-effective manner
assembles a dynamic inventory of company-wide information
assets and practices
enforces policy on personal information assets
generates reports to facilitate auditing and assurance
The key to successful adoption of data protection and information
privacy technologies within the enterprise is to assure that they
support corporate objectives, do not hinder commercial activity or
burden the enterprise with demands that cannot realistically be met.
Privacy Rights Management technologies are being developed to privacy-
enable everyday business operations in a way that is manageable and
cost-effective to the organization, yet still meets the high privacy
standards of consumers.
Business objectives like personalization, marketing, and online
transaction and payments do not have to compromise consumer privacy.
Analytical research, direct marketing, and trends in ubiquitous
communications also need not be impeded by privacy objectives such as
compliance, consent, notice, opt-in, access, or use limitation.
Building trust with consumers, managing data security risks, and
implementing sufficient safeguards can be achieved by aligning business
and privacy into a single, coherent, strategy that combines effective
policies and Privacy Rights Management technologies.
STANDING AT THE CROSSROADS
As both an entrepreneur and privacy advocate I believe we are at a
critical junction for privacy. We are currently experiencing the
largest explosion of information in history. The new networks and
devices being deployed will make personal information available
anywhere, anytime. The overwhelming majority of this information being
created and spread over a plethora of devices and networks will be
personal information--and it will primarily reside with businesses and
organizations, rather than with individuals themselves.
The information and networking explosion affects every individual,
organization and business. Whether the net effect will be positive for
information privacy or negative will depend on the policies we adopt,
and the availability of technologies to enforce those policies.
I believe the combination of consumer privacy protection tools and
Privacy Rights Management technologies within the enterprise provide an
immediate and fundamental framework for addressing privacy in the
information society. The combination of these privacy-enabling
technologies with strong privacy and data handling policies is a
powerful and effective approach.
In conclusion I want to articulate that over the past four years I
have been encouraged by the positive steps industry leaders and policy-
makers such as yourselves have taken. As a society, we have a critical
challenge and opportunity in front of us, and I hope we can continue to
work together to ensure information privacy and business can flourish
together.
Again, I thank the Subcommittee for the opportunity to participate
in today's hearing. This hearing provides a valuable opportunity to
discuss the important role that technology solutions play in addressing
both business and consumer needs with regard to privacy. Zero-Knowledge
Systems looks forward to continuing to work with the Subcommittee in
its review of privacy issues.
Mr. Stearns. We have with us this morning on panel No. 1
Ms. Frances Schlosstein, VP, Business Development and
Marketing, Webwasher, New York City; Mr. John Schwarz, CEO of
Reciprocal of New York City; Mr. Michael Wallent, Product Unit
Manager, Internet Explorer, Microsoft Corporation; and, last,
Mr. Stephen Hsu, Co-founder, Chairman, and CEO of SafeWeb,
Incorporated, Oakland, California.
We are delighted that you are here, and we look forward to
your opening statement. And we will start with you, Ms.
Schlosstein. Oh, we are going to start with Mr. Wallent, sorry,
with the demonstration. Go ahead.
STATEMENTS OF MICHAEL WALLENT, PRODUCT UNIT MANAGER, INTERNET
EXPLORER, MICROSOFT CORPORATION; FRANCES SCHLOSSTEIN, VICE
PRESIDENT, BUSINESS DEVELOPMENT AND MARKETING, WEBWASHER;
STEPHEN HSU, CO-FOUNDER, CHAIRMAN AND CEO, SAFEWEB, INC.; AND
JOHN SCHWARZ, CEO, RECIPROCAL
Mr. Wallent. I just want to ensure that the monitors are on
before we--sorry for the delay, sir. Could we get a little bit
more light, actually, so I can see my notes? Thank you.
Turn on the monitors. It should be on. Did it get
unplugged? Okay. Okay. It is great working for technology
companies.
Chairman Stearns----
Mr. Stearns. Mr. Wallent, just pull the microphone just a
little bit more closer to you. That would be helpful.
Mr. Wallent. Certainly.
Mr. Stearns. Yes, okay. Great. Okay.
Mr. Wallent. Chairman Stearns, ranking member Towns,
members of this committee, thank you very much for the
opportunity to testify here today. My name is Michael Wallent,
and I run the Internet Explorer team at Microsoft Corporation
in Redmond, Washington.
We are currently working on Internet Explorer version 6,
the next version of our popular browsing technology, which we
had planned to release with Windows XP on October 25 of this
year.
What I am going to show you today is a tool that gives
consumers on a broad scale greater control over their online
information than they have ever had before. One of the most
frequent issues that we hear are concerns about online
profiling or online tracking, issues that many of the members
here today raised in their statements.
This is the practice of collecting a history of a user's
actions as they work across the web or across a series of
sites. Once this information is combined with what is called
``personally identifiable information,`` such as a name, an
address, or a phone number, specific advertising or other
services can be targeted directly to that consumer.
Most of this tracking is done from a technological sense
through the use of a technology called cookies. Cookies are
simply small pieces of information that the website leaves on
the user's computer for later access. It is important to note
that cookies are neither good nor bad. Without cookies, the web
as we know it would simply not work.
There would be no customization, an important part of a
consumer's web surfing experience. E-commerce would be
accessibly difficult, and the economics of the web would be
radically different. Before we get into details about cookie
management, the topic I am going to talk about today, let me
define a couple of terms.
First of all, you will hear a lot about what are called
first party cookies. A first party cookie is simply a cookie
that comes from the website that the consumer knows that they
are visiting. I go to MSN. MSN serves me a cookie. It is a
first party cookie.
The other concept you will hear is what is called a third
party cookie. A third party cookie comes from some content on
the page that the consumer may not know about. A very common
example of this was seen with the online advertisers, such as
Doubleclick, Avenue A, or Engage, many of which the services
that even Microsoft uses today.
When a consumer goes to a website that has this online
advertising, if that online advertiser serves a cookie, that is
what we call a third party cookie. Third party cookies were, in
fact, implicated in many of the online tracking issues that
consumers brought to us. However, I will also note that third
party cookies do have some very consumer beneficial features
and some are very benign, and also, as I said, beneficial for
those consumers.
Last summer we made a first attempt at providing some
advanced cookie management for our customers. What we thought
was is that whenever a consumer encountered one of these third
party cookies that were at times implicated in online tracking
we would simply ask the consumer, ``Consumer: Would you like to
accept this cookie or block this cookie?'' When confronted with
this choice, though, consumers didn't really have enough
information to make that choice, and it was a confusing
question. We didn't have the capabilities at that time to give
consumers the information and the data they needed to answer
that question. So they simply turned the feature off.
At the same time, and for quite some time now, we have been
working with the World Wide Web Consortium or W3C on a standard
called P3P, which, again, many of you mentioned here today. The
goal of P3P is to provide a common language for a site to
describe its data practices, such as what data it collects, who
that data is given to, what the use of that data collection is.
It turned out that it was just this type of information
that consumers needed to use to make better decisions about
cookies. What we have now done in Internet Explorer 6's
integrated P3P technology is provide a precisely controllable,
non-intrusive model that gives consumers very easy-to-use
cookie controls.
One of the important issues that we faced, though, was how
to provide a heightened level of protection, what we call out
of the box, by default, so people would be protected without
any intervention on their behalf.
What we have come to, then, for this default or out of the
box setting is that in order for these third party cookies to
be used they must indicate--the company that provides the third
party cookie must have a P3P compliant privacy policy. And if
that privacy policy indicates that that site is reusing the
consumer's personally identifiable information, they must allow
the consumer to either opt in or opt out of that data practice,
or, even with a privacy policy, that cookie is, in fact,
blocked.
Let me show you how this works. We have some screen shots
that we took very recently that we will show you here today. It
is a little bit quicker than an online presentation.
So the first time a consumer connects to a website whose
privacy practices do not match the consumer's settings,
whatever they might be in Internet Explorer 6, this small
window appears. The goal of this window is to educate the
consumer about this new red-eye privacy icon that we see down
in the bottom right corner of the screen. I don't know if the
members can see that. There is an arrow, and I will point it
out to you. We will blow it up.
See this little red stop with the ``I.'' This is the new
red-eye privacy icon. Whenever it disappears on a website, it
indicates to the consumer that there is a fundamental mismatch
between the privacy policy of the website and the consumer's
current privacy preferences.
The other thing I would like to call out here is that the
privacy defaults that Microsoft created are by no means the
only choices that a consumer has. Here we see a dialog that
actually gives consumers control over what their privacy
settings are. By default here, we see that the setting is on
medium, which has the behavior that I described to you earlier,
which requires privacy policies and requires opt-out for any
personal information reuse.
We have heard a lot of comments and feedback about opt-in
privacy, and we felt it was very important to allow consumers a
very easy mechanism for them to choose to move to an opt-in
model. With this slider, if the user clicks up two notches,
they go to high privacy. High privacy requires privacy policies
across the board for all websites at all times.
And further than that, it requires that if there is any
personal information reuse that the user has expressly opted in
to that data reuse.
I would like to also point out that we also have a setting
that we call accept all cookies or the lowest possible security
setting, and this, in fact, is the status quo on the web with
browsers today. Now, I would like to just show an example of
what a consumer might encounter as they browse through the web
at a later time.
I shot an example here, sir, of The Wall Street Journal.
The Wall Street Journal I know is using advertising from
Doubleclick. And Doubleclick, while we are working with them
actively to deploy P3P-compliant privacy policies, has not yet
done so.
Because The Wall Street Journal has this advertising from
Doubleclick, Doubleclick is using third party cookies, and
there is no privacy preference or privacy policy around those
cookies. Those cookies are, in fact, blocked.
So we actually see here on the bottom right-hand corner of
the screen the little red-eye privacy icon. This is something
that we expect consumers to notice over time and be able to
clearly tell when they go to a site that has a privacy policy
that matches their settings, versus a privacy policy that does
not match their setting, helping them really control their
browsing experience.
And we can also see just in detail that the consumer can
get a lot of information about what specifically was blocked on
their behalf.
So while I am not showing it here today, we have many other
features in Internet Explorer 6 that help consumers control
their privacy, such as a mechanism to easily read the P3P
policy and provide a very common format such that consumers can
compare them between site to site. We have also ways for
consumers to import custom privacy settings of their own that
might be created by experts such as folks on the panel sitting
here with me today.
We also have mechanisms that are very easy for the consumer
to use to either block or opt out of specific sites, to either
block or always allow that content.
We are actively encouraging websites to deploy these P3P-
compliant privacy policies. Based on the feedback we have
received so far, we hope and expect that many of the top 100
websites, as well as the vast majority of the online
advertisers, to deploy P3P-compliant policies by the time we
ship Internet Explorer version 6.
IE6 is not a silver bullet solution to all online privacy
issues, though. But we believe it is a significant step,
showing that technology can play a very critical role in
addressing consumers' concerns. Fundamentally, we believe that
we have done work that consumers want and it will delight them.
Thank you, and I look forward to your questions.
[The prepared statement of Michael Wallent follows:]
Prepared Statement of Michael Wallent, Product Unit Manager, Internet
Explorer, Microsoft Corporation
Chairman Stearns, Ranking Member Towns, Members of this
distinguished committee, thank you for the opportunity to testify
before you today on subjects that are very important to consumers--
Internet privacy and the tools that consumers can use to protect their
privacy. My name is Michael Wallent, and I lead the Internet Explorer
technology team at Microsoft Corporation. At Microsoft, we are not only
dedicated to protecting consumer privacy, but from an even broader
perspective, to building an online community that customers trust and
to promoting vigorous growth of online opportunities for all.
overview: the marketplace is demanding better privacy tools
Today I would like to share with you just one of the things our
company is doing around the issue of online privacy. For several years,
Microsoft has been at the forefront of promoting privacy online. We
have been developing privacy best practices and procedures under the
leadership of our Director of Corporate Privacy, Richard Purcell. We
have been actively involved in coalitions such as getnetwise.org, which
focuses on building a safer web for our children. Elsewhere in the
company, we are developing futuristic technological tools that have the
potential to ultimately transform how online privacy protection is
delivered to consumers. My division of the company, the Internet
Explorer team, is just one place where privacy protection is a part of
our basic objectives.
One of the great things about working on Internet browsing
technology in general, and Internet Explorer specifically, is that
almost everyone that I meet has used this web surfing capability in
some way. Because the web is increasingly important in people's lives,
one of the issues customers raise with us more and more is their desire
to know that their privacy is being protected when they go online. When
we receive such feedback, we attempt to the extent possible to
incorporate features that meet this demand and that give consumers
better control of their personal information. In the end, it's my job
to build software that delights our customers. Because of consumer
demand, I currently have about 25 people working on the privacy
protections in Internet Explorer.
INTERNET EXPLORER 6.0: TACKLING ONLINE TRACKING
When we talk to our customers, one of the questions they raise most
often is whether their web surfing activities can be tracked. It is an
issue that the Microsoft Internet Explorer team has been working to
address for about eighteen months now. Tracking or profiling is the
practice of collecting a profile or history of a user's actions across
a web site or series of sites. When combined with ``personally
identifiable information,'' such as name, address, phone number or
other identification, whoever collects this profile can market or
target advertising or other services specifically to a customer.
Much of the online tracking you hear about comes through the use of
``cookies,'' small benign pieces of information that a web site stores
on an individual's computer. It is important to note that cookies in
and of themselves are neither good nor bad. Without cookies, the web
wouldn't work as people expect it to. There would be no customization,
no e-commerce and the economics of the web would be called into
question. However, consumers should still be in control of this
technology.
Since most online profiling comes through the use of cookies,
Microsoft has been concentrating its privacy protection mechanisms in
Internet Explorer around cookie management features, which we have
designed to enhance notice and choice of the information practices of
the web sites that consumers use. Based on our experience with a series
of test versions of Internet Explorer and our work with the World Wide
Web Consortium's (the ``W3C's'') Privacy Working Group, we believe that
the next version of Internet Explorer--IE 6.0--will take significant
strides in protecting consumers' privacy.
One of the most challenging things about building software for tens
or even hundreds of millions of people all around the world is that it
needs to work in a way that provides the protection consumers want, but
without disrupting or slowing their web browsing experience. In some of
the earlier test versions of privacy protections in Internet Explorer,
we found that consumers were actually frustrated with tools that
popped-up questions or prompted the consumer every time a cookie might
be used for tracking purposes. It turned out to be too burdensome and
confusing for consumers to understand exactly what was going on behind
the scenes on their computers.
From the significant usability tests that Microsoft does, we know
that if you constantly pop-up privacy questions, users either disregard
them or perform whatever action is necessary to make these pop-ups go
away. Obviously, this behavior undermines the goal of protecting the
user more thoroughly. So we've been working to create a solution that
helps consumers to control cookies. And we've been especially focused
on so-called third-party cookies that can be used to track your
activities across sites--that is, cookies that come from a party other
than the site a consumer is visiting. Our tools help consumers better
understand the source and purpose of the cookie, thereby giving the
consumer more control over whether it is accepted or rejected. Our
tools also offer a default level of privacy protection that is greater
than exists on the web today, so that out of the box, users of Internet
Explorer 6.0 enjoy protections they currently do not have.
PROTECTING PRIVACY THROUGH INDUSTRY STANDARDS
Before we get deeper into the details, let us focus on the role
industry standards have played in getting us to where we are today. As
my team of engineers was examining the best path to take to control
cookies through Internet Explorer, we were simultaneously working with
the World Wide Web Consortium on a technical standard called the
``Platform for Privacy Preferences Project'' or P3P. The goal of P3P is
to provide a common language for a site to describe its data
practices--such as what data the site collects, how the site uses it,
who gets access to it, how long the data is retained, what consumers
should do if they have a privacy complaint, etc. The common language
helps web sites describe the important aspects of their information
practices according to a standardized road map.
P3P also provides a mechanism for a site to provide a machine-
readable version of its data practices. The grand vision of P3P is that
once sites code their privacy policies according to the standard, and
consumers have P3P tools in their hands, consumers can automatically
match their individual privacy preferences against the practices of the
web sites they are visiting. If the web site satisfies the consumer's
preferences, the consumer enters the web site without incident. If the
site does not match the individual's personal setting, the consumer at
least is warned of that fact before proceeding.
In Internet Explorer 6.0, we take a significant first step in
promoting adoption of the industry's P3P standard by both web sites and
consumers. By providing a default level of protection out of the box,
we are creating incentives for web sites--and especially those that use
cookies in a third-party fashion--to code their privacy policies in the
P3P language. These incentives will exist because we anticipate that
millions of web surfers will choose to upgrade to IE 6.0 in the near
term and will automatically get the protections IE 6.0 offers.
USING P3P IN INTERNET EXPLORER 6.0
Again, based on our earlier research, consumers want to be able to
automatically control the use of cookies based on the data practices of
the site sending the cookie. The use of P3P technology to help solve
this online tracking problem is a natural fit.
How will this work? You can actually test these tools now by
downloading the public beta version of IE 6.0 at www.microsoft.com/
windows/ie. But to go through them quickly, here is an overview. By
default, in order for third-party cookies to be set to a consumer's
computer, a third party that collects personally identifiable
information must indicate, via a P3P-compliant mechanism, that the site
offers ``Notice'' and ``Choice.'' By notice, we mean that the site
provides the consumer a machine-readable privacy policy in P3P format,
which clearly states the information collection practices of that
party. If there is no notice, third-party cookies from this site are
blocked automatically by IE 6.0.
By choice, we mean that if a web site is reusing a consumer's
personally identifiable information, then it must allow the consumer to
``opt out'' of or ``opt in'' to that data reuse. If personal
information is being reused, and consumers don't have choice around
that use, then the cookies from that third-party web site are blocked.
This approach tracks the arrangement established last summer between
the Federal Trade Commission and prominent web advertisers. The core of
that arrangement is that a company that tracks users across sites, at a
minimum, must provide notice of that practice and the choice of opting
out of it.
To help consumers understand the concepts of notice and choice, the
first time a consumer connects to a web site whose privacy practices do
not match the default setting in Internet Explorer 6.0, an
informational dialog-box appears. This box attempts to educate the
consumer about a new ``red eye'' privacy icon that appears at the
bottom of the browser window and what this icon means in light of the
user's privacy settings. Then, with Internet Explorer 6.0, as users
browse other sites that attempt to set cookies but do not meet their
privacy settings, the red-eye will reappear, alerting the consumer to
potential privacy issues.
While we have taken care to establish what we believe is a workable
default setting, we've provided a sliding-scale feature that allows
consumers to easily change their privacy settings. With a single click,
consumers can change the default setting to higher privacy settings,
which have more stringent requirements for the use of privacy policies,
or to lower settings, which are less stringent. For example, the
``high'' setting requires all web sites, both first and third-party, to
obtain explicit (opt-in) consent before the reuse of personal
information. We additionally have a feature that allows almost infinite
customizability of the privacy settings, and we have an ``import''
function that allows the consumer to download a third party's privacy
settings (which, for example, may have default settings different from
IE 6.0) and insert them into the browsing technology.
This is just an overview of our technology's features. We are happy
to visit with any congressional office to review the tools in greater
detail.
OUR OTHER EFFORTS TO PROMOTE P3P ADOPTION
I also want to mention the fact that, in the run-up to the release
of IE 6.0, we are actively encouraging web sites to deploy P3P-
compliant privacy policies. Through our ongoing work with the top 100
sites on the web, and with the work that the Internet standards body is
doing, by the time that Internet Explorer 6.0 launches this fall, we
hope to see significant deployment. We've also developed what we call a
``Privacy Statement Wizard,'' an automated privacy statement generator
that can help smaller sites become P3P-compliant by creating policies
simply based on the site's answers to a series of questions about its
practices (subject, of course, to legal review by the site's lawyer).
The statement generator is currently available at http://microsoft.com/
privacy/wizard. It also will soon be available at Microsoft's small
business web portal, at http://privacy.bcentral.com.
PUTTING IE 6.0 IN PERSPECTIVE
Since P3P is an open standard, not controlled by Microsoft in any
way, we believe that other companies will develop additional privacy-
enhancing technologies that will also interact in an automated fashion
with sites that have posted P3P-compliant privacy policies. In fact,
we've already seen the emergence of tools that provide analysis of P3P
policies, as well as search engines that only return hits from sites
that follow P3P guidelines. Over the long run, we hope to see
widespread adoption of P3P by the web community, as well as increasing
consumer understanding of the power that P3P tools put in their hands
to enhance--and customize--their privacy protection. We believe
strongly that P3P is an empowering technology and that it can address
in a simpler way the complex questions around consumer preferences and
the articulation of sites' privacy policies.
We do not believe that the work we've done in IE 6.0 to enhance
consumer privacy is a silver-bullet solution, but we do believe it is a
significant positive step--showing that technology can play a critical
role in addressing consumers' online privacy concerns. We believe we
have done work that consumers want and that will delight them. We also
believe that allowing individuals to control their own personal
information is an important, enduring mission for Microsoft. It is an
ongoing process, and not just a single, all-encompassing step. We take
it seriously because our customers do. Finally, we believe that these
first steps that we have taken to include serious privacy protection in
Internet Explorer will lead to positive cooperation in the industry
around this topic and will result in a better Internet and a better
economy. In the future, we at Microsoft expect to do additional work in
this area, using P3P or other technologies, and we would be happy to
keep you abreast of those efforts.
Again, thank you for allowing me to be with you today and I look
forward to a continued dialogue.
Mr. Stearns. I thank you.
Ms. Schlosstein, we will start with you, then.
Ms. Schlosstein. Thank you.
Mr. Stearns. I think we are going to take a few moments
here to reestablish the connection, so that the projector can
provide the audience a little bit of view of what we are doing
here, if that is possible, so that they also would enjoy what
we see up here as members.
We are hoping in the near future--I know the Financial
Services Committee has retrofitted their committee hearing room
to do video teleconferencing. And so in this case, Mr. Austin
Hill of Montreal, Canada, could be with us today, if we had had
that capability.
And, likewise, we hope to have a projector screen here with
us that will all be in place, and we would not have to
continually have setups. We just move and plug it in, and we
will have that capability, we are assured, that will take place
in the near future. So we look forward to that.
Are you ready?
Ms. Schlosstein. I am.
Mr. Stearns. Okay. Go ahead.
STATEMENT OF FRANCES SCHLOSSTEIN
Ms. Schlosstein. Could I have just a little more light,
please?
Mr. Stearns. Just a little bit more light.
Ms. Schlosstein. Chairman Stearns, and members of the
committee, Webwasher.com, a leader in internet access
management and privacy technology, appears today not as an
advocate for or against privacy regulations, but truly as an
example of internet filtering technology.
We believe the technology does not and should not establish
policy. Technology executes policy. Those who use Webwasher
filtering software in a very real sense are already regulating
their own internet environment and establishing their own
policies of privacy.
What uniquely distinguishes Webwasher is our belief in
internet self-determination for the user. There can be no
internet privacy without the ability to control one's internet
exposure. Webwasher's technology can filter out any hidden data
object, oppose the security, privacy, band width, or legal
risks.
Today, 4 million individuals and small businesses are using
Webwasher worldwide, along with a growing number of enterprise
corporations. This morning I would like to take--to provide the
subcommittee with a brief look into Webwasher software
interface and the types of customizable results possible. And
for your convenience, I have included a copy of the
presentation slides that I will be discussing in our written
testimony.
Let us start now with an example of Webwasher in action,
providing privacy protection from unwanted cookies attached to
ads. This is Salon.com, a home page with no Webwasher filters
activated. And now the same Salon.com home page with Webwasher
filters activated for ad and cookie filtering.
As you see, the ads are eliminated at the top and side. To
assist the visuals, the same Webwash/Salon.com page with the
ads replaced by logo placeholders. This page includes nine ads
that represent 38 percent of the page's total band width. What
you don't see are the non-permission-based cookies behind the
ads which track user behavior. Fortunately, Webwasher does see
them.
Webwasher technology protects privacy and the results are
measurable. On one average desktop, we conducted a 30-day
filtering activity test. The test results--43 percent of band
width was saved by filtering out ads. What is more, 79 percent
of all cookies entering the network, nearly 5,000 cookies in
all, were non-permission-based cookies attached to the filtered
ads.
What is behind this technology? Let me show you the
Webwasher software interface. Take a look at the tabs across
the top--the standard filter, privacy filter, access control,
and security filters. You can customize each function. For
example, the privacy tab, a user can filter web bugs, cookies,
and referrer bugs.
Similarly, the security feature interface can be customized
to safeguard a corporate network. Webwasher includes a setting
for eliminating bad Java scripts, ActiveX commands, including
Trojan Horse-type viruses. This is accomplished through
Webwasher's media type and embedded object filters.
Webwasher also approaches privacy through access control.
Our access control settings deploy a dynamic, new, URL filter
data base to track, classify, and, when appropriate, block
changing visual content on millions of web pages. Webwasher
uses intelligent filtering and image recognition to generate
the most advanced web block list in the world right now.
Here you can see the filters for pornography and nudity
have been activated. To illustrate, here is the Playboy.com
page, including a pop-up ad before Webwasher is activated. Now,
with Webwasher, a user can block access to the website based on
the Playboy.com URL. This is the message generated when a user
attempts to visit a blocked site.
However, even if you did not know that Playboy was a site
that contained inappropriate images, our technology can filter
nudity, breast images, while leaving out content--leaving other
content untouched. This is an important achievement in helping
users control their privacy.
Webwasher takes a proactive approach to developing new
privacy technologies. Here is the next generation technology
that enables businesses and media to partner with consumers
more effectively. Webwasher is anticipating the day when
consumers, businesses, and media cooperate to implement a tight
filtering system.
Our seclude-it technology featured here filters advertising
according to user-determined interest profiles. For example,
this user selected entertainment and lifestyle as just one
category of ads they wish to receive. Seclude-it technology
will create a new channel from advertiser to consumer that
makes ads more targeted, effective, and welcomed.
What we have demonstrated today is the robust privacy
protection technology of Webwasher--a technology powerful and
flexible enough to execute policy, whether driven by
government, corporate, or individual users.
Mr. Chairman, thank you for inviting Webwasher to appear
and for assisting consumers, both individuals and corporations,
to become more aware of privacy technology options such as
Webwasher, already available today on the market and currently
being used by 4 million users worldwide.
Thank you.
[The prepared statement of Frances Schlosstein follows:]
Prepared Statement of Frances Schlosstein, Vice President, Business
Development and Marketing USA, WebWasher.com
INTRODUCTION
Chairman Stearns, Ranking Member Towns, and members of the
Subcommittee, thank you for the opportunity to participate in this
timely hearing and to share webwasher.com's unique perspective on the
role of technology in the Congressional information privacy debate.
As your Subcommittee continues to explore these issues in the
responsible manner that this series of hearings evidence, we firmly
believe that how Congress ultimately defines Internet privacy will
affirmatively determine Federal policy direction--as surely as
webwasher.com's definition of privacy has shaped our own technological
development strategy and core operational focus.
Over the past eighteen months, webwasher.com has directly
experienced the consumer demand for privacy--four million Internet
users in homes and schools have installed a free version of
webwasher.com's intelligent Internet filtering software. This initial
track-record, coupled with our emergence in the corporate enterprise
marketplace, demonstrates to us that available and currently deployable
technologies such as WebWasher already critically shape the privacy
policy debate, and thus must also play a role in any related
Congressional response to consumer concerns.
about webwasher and internet access management solutions
WebWasher is a state-of-the-art, all-in-one software tool that
blocks virus and worm-carrying Internet files, preempts the need for
intrusive employee Web monitoring, protects children from pornography,
and filters out up to 45% of Internet clutter that typically clogs
corporate networks.
How can one program do so many different things in facilitating
consumer and corporate privacy protection? Although WebWasher is a
single, streamlined piece of software, it has a fully modular menu of
independently operating filters that each target a specific category of
Internet content. Each filter can be easily toggled on or off and
configured for individual preferences, allowing each user--corporate or
individual--to execute a highly-customized Internet privacy policy:
Our privacy filter allows the user to filter out non-
permission-based cookies, Web bugs, and the HTTP ``referrer
string.'' Almost everyone has heard of ``cookies'' that allow
third parties to track without detection a user's movements on
the Web. Even more troublesome to corporations is the
``referrer string'' usually sent from browser to Website
server, potentially allowing an outsider to backtrack to the
last browser location, which could be an internal company Web
page.
Our access control setting deploys a dynamic, new URL filter
database to track, classify and, when appropriate, block
changing visual content on millions of Web pages. This
database--``DynaBLocator TM''--is being built with
the help of an exclusive, new image recognition technology that
can keep up with the thousands of porn sites and images that
are dynamically generated every day, without stable URL
addresses. WebWasher is using image recognition combined with a
dozen text-based rating systems to generate the most advanced
Web page blocklist in the world.
Our advertising filter includes a setting for eliminating
malicious (ill-intentioned) Java scripts, as well as Java
scripts designed to lock advertising into a Web page such that
the page will collapse if the advertising is removed. Bad
``ActiveX'' commands that could allow an intruder to read,
delete, or commingle company files can also be filtered.
Our advertising filter also includes dimension and pop-up
settings that remove--at the user's command--unwanted banner
and pop-up ads. Internet advertising becomes a serious business
issue when 35% to 45% of every page downloaded onto a corporate
network is not relevant for immediate core business needs.
Our ``Seclude-It TM'' technology filters
advertising according to a personal interest profile designed
and stored on the user's computer, creating a whole new channel
from advertiser to consumer that makes ads more valuable and
sticky. Advertisers must partner and meta-tag their content so
it can be read by the Seclude-It filter.
DEFINING PRIVACY AND BALANCING THE REGULATORY IMPULSE: USER SELF-
DETERMINATION AND INDIVIDUALIZED CONTROL
What distinguishes WebWasher--and what is truly unique about our
company--is that we equate Internet privacy with nothing less than
Internet user self-determination. This commitment to self-determination
for all Internet users--individual and corporate, public and private--
has from day one driven how we run our company and how we build our
tools.
Individualized user control is the reason why we developed, as our
technology platform, an Internet filtering software solution. If you
want to put the Internet's ``controls'' into the hands of its users--if
you want to establish choice as a primary value in the Internet data
transaction--then, we believe, you must create a broad technology for
filtering many categories of Internet data that is customizable to the
varying needs of users. Acting accordingly, we created and deployed
WebWasher.
Fundamentally, webwasher.com believes there can be no Internet
privacy without the ability to control one's Internet exposure. This
exposure is two-way because data simultaneously enters and exits a
user's computer. Only Webwasher, in a single software tool, addresses
the two-way need for consumers to control both what information is
distributed about them over the Web as well as what information enters
from the Web into the private realm of the workplace, home, or school.
The benefits of webwasher.com's two-way, intelligent filtering
solution are particularly obvious when compared to unidirectional
privacy technologies like encryption and hosted (anonymous) surfing
that are stuck in the one-way mode. WebWasher is the only leading
Internet filtering software that does not compromise its own users'
privacy by routing their Internet transmissions back through our own
company's server.
Privacy is the security of being able to set one's own course, and
most fundamentally, to protect oneself from perceived costs and risks.
Whether you are a home Web surfer, an education professional, or a
corporate IT manager for a Fortune 100 company, webwasher.com provides
a technology that empowers users to operate in a zone of privacy,
safety, and choice.
WEBWASHER IN THE ENTERPRISE: MEETING BUSINESS PRIVACY NEEDS
In many respects, the negatives of raw and unfiltered Internet
exposure are nowhere so great as in corporations, where thousands of
employees have unlimited desktop Internet access for many hours each
day. Many companies--whether they are global financial leaders or
multinational manufacturers--provide unlimited Internet access to their
employees.
IDC has estimated that each employee with unlimited Internet access
spends approximately one hour per day viewing non-work-related Internet
content, at an annual cost in productivity of $9,600 per employee.
Beyond this downtime, it only takes a few employees downloading music
or streaming video to bog down an entire network, just as it takes only
one employee viewing porn or hate content or downloading viral files in
the workplace to put the organization at serious technological or legal
risk.
As a spin-off of Siemens Corporation and as a leading global
developer of Internet access management software, webwasher.com has
worked very hard to understand and be responsive toward the many
categories of Internet data that pose security, privacy, or legal risks
for the enterprise user, and to assist in meeting their corporate risk
management needs through deployment of WebWasher.
Corporations are only now beginning to pre-emptively address the
privacy, security and cost implications of employee Internet access
through a new category of software exemplified by WebWasher Enterprise
Edition. According to a recent study by market analysts Frost &
Sullivan, the Internet access control and filtering software market
segment, while only a $68 million sector in 1999, is expected to
approach $1 billion in revenue potential by 2007.''
As a direct result of our own origin and development in the Siemens
corporate environment, WebWasher is especially suited for large
business users and particularly suited to respond to corporate demands
that mirror what our 4 million consumer users have already told us.
The corporate user's WebWasher software application has a full menu
of independently operating filters that each target a specific category
of Internet content: one filter uses a database to block long lists of
objectionable Websites and Web pages; other individual filters reach
deep into the Web page to remove invisible data ``objects'' like Web
bugs; and still another filter enables a block list for media-type
files such as ``.exe'' that often carry worms and viruses.
WebWasher's access control filter, powered by dynamic image
recognition technology, may prove so effective at managing employee
Internet use that it removes the need to monitor employee Internet use.
It promises a solution that is every bit as powerful as employee Web
monitoring, but much better at balancing the corporation's need to be
an Internet gatekeeper with demands for employee privacy. This same
tool could save corporations the cost of collecting and storing
voluminous amounts of data on employee Web surfing habits by allowing
companies to pre-emptively manage employee access to all relevant
categories of Internet content.
INTERNET ACCESS MANAGEMENT SOLUTIONS AND NEXT STEPS IN THE PRIVACY
DEBATE
While today's Internet is an amazing instrument of the Information
Economy, there is a toll for travelers on this information superhighway
and marketplace. With each click of a mouse, along with the information
a user has requested, kilobytes of data are transmitted automatically
without either the user's knowledge or consent. Most unseen data is
enabling to the information transaction. However, a limitless array of
behind-the-scenes channels open wide avenues for data operations
designed and controlled by third parties of which the user may never be
aware. In other cases, a user's self-determination and individualized
control may be compromised by the persistence, copiousness, or mere
offensiveness of unmanaged Internet content.
For all these reasons, an intelligent Internet access management
tool that can be easily customized and upgraded by the user seems the
obvious technological solution-- though not a simple one--as the
Internet dynamically expands and continually evolves new categories of
invasive content. Webwasher.com is committed to keeping its filtering
tool updated to address all new genres of Internet content that
significant numbers of users, for any reason, may want to filter.
Successful technologies like ours do not establish policy. In fact,
we pride ourselves on having developed and introduced an apositional
product that meets various users' needs. Again our definition of
privacy--user self-determination--has guided our product development.
Rather than be reactive to policy dialogue, our focus has been on--
merely providing real solutions responsive to growing demand. By
bringing privacy-enhancing technologies quickly to market,
webwasher.com has changed the privacy landscape and already has
impacted the conditions policymakers seek to address.
Yet, technology alone may not solve the Internet privacy dilemma.
Business and consumer users must first know what their privacy problems
are before they may act to adopt technical solutions to meet these
concerns. Achieving such awareness often proves problematic in the
Internet privacy arena since most privacy-violating data transfers over
the Internet are not ``visible'' to the consumer. We respectfully
recommend that removing this cloak of invisibility and assisting
consumers to become aware of the technological options already
available to them should be a primary focus of this Subcommittee's
agenda.
High privacy standards are often challenged as costly and limiting
to the growth and development of Web-based business. However, as an
Internet technology company that voluntarily adheres to very strict
privacy rules, webwasher.com can only report positive results in the
form of high customer retention and a sterling corporate image.
Although we do not testify today as advocates for or against
Federal privacy policy, we do see enhanced online privacy as an
essential pre-condition for the Internet's next level of development,
which will require winning the trust of those who have so far remained
skeptical of this new medium.
Mr. Chairman, allow me to thank you for the opportunity to appear
before the Subcommittee, and to close with a pledge: webwasher.com
intends to stay at the forefront of Internet technology in our
continuing mission to put the tools of Internet self-determination in
the hands of Internet users.
Webwasher.com greatly appreciates the opportunity to be of
assistance to the Subcommittee in this important review and is
available to serve as a further resource as required.
Mr. Stearns. I thank you.
Mr. Schwarz? Oh, we are going to go to Mr. Hsu. Be sure to
get that microphone right up close to you, so we can hear you.
STATEMENT OF STEPHEN HSU
Mr. Hsu. Mr. Chairman, and members of the subcommittee,
thank you for this opportunity to share my views on this
important subject. My company, SafeWeb, develops internet
privacy and security technologies for businesses and consumers.
Our core consumer product, SafeWeb.com, lets internet users
surf the web anonymously and securely. SafeWeb's technology
lets users access the entire web through a layer of encryption.
All of the information coming in and out of their computer is
fully encrypted, and dangerous codes such as cookies and web
bugs ares filtered.
Our servers act as a virtual intermediary and communicate
directly with the SSL, or secure socket layer, engine present
in every browser, so that no software download or installation
on the part of a user is necessary.
Because our solution is free, effective, and easy to use,
it has quickly grown to become one of the most widely used
online privacy services in the world. We currently secure 100
million web pages each month. We are currently licensing this
technology to businesses and governmental agencies that place
the utmost importance on security.
The United States Central Intelligence Agency is one of our
investors and has licensed our technology for internal use. The
ideas for our technology originated when I was an assistant
professor of physics at Yale University and was forced to deal
with numerous hacker intrusions on our department network.
A key insight that I had was that the Clinton
administration's relaxation of export controls on encryption,
combined with the requirements of secure e-commerce, would
guarantee a nearly 100 percent installed base of strong
encryption capability in every browser on every desktop.
Although you might not be aware of it, the web browser on
your computer has the capability of performing encryption that
is believed to be unbreakable even by the National Security
Agency or the Central Intelligence Agency. We set out to write
software that would make use of this widespread encryption
capability.
On a global level, SafeWeb is committed to fighting against
censorship and for freedom of information. Each day tens of
thousands of individuals in closed societies like China and
Iran use SafeWeb to access otherwise blocked contents, such as
the BBC, New York Times, and Voice of America websites.
They also use SafeWeb to anonymously express possibly
forbidden political views in chat rooms and on discussion
boards. Our foreign users can be confident that their
activities can neither be tracked, nor monitored, during a
SafeWeb session. We at SafeWeb share a strong belief in the
power of technology to transform closed societies.
It would be convenient to claim that technology alone can
solve the problem of digital privacy. However, I think this is
terribly optimistic. Tools such as ours tend to be adopted by
sophisticated technologically literate people and less so by
the average internet user. According to one survey, only 9
percent of online users have used encryption to scramble their
e-mail, and a mere 5 percent have taken advantage of anonymous
browsing.
Americans should not have to become experts on cookies, web
bugs, and relationship data bases in order to preserve their
privacy. It is my opinion that the protection of consumer
privacy requires both legal and technological action. I hope
that legislators will recognize the current trends and pass
laws that will protect the rights of individuals in this
burgeoning information age.
And now I would actually like to attempt something which is
a little bit tricky, which is a live demonstration. So this
laptop is the property of the U.S. Government, and I have not
installed any software on it. I am running Mr. Wallent's IE,
probably version 5, browser here.
And what you see here is what you would see if you just
typed in SafeWeb.com into the browser. It would connect to our
servers which are located on the internet, and they would allow
you to visit any website that you choose to view. For example,
here I think I have Yahoo's site. If you choose to go to
another site, you can type in--here I have typed in
AltaVista.com.
And what is actually happening now is that this computer is
contacting our servers and requesting that page, so you are
actually receiving AltaVista.com not through the normal means
but through our servers. And if you look carefully, you can see
this little lock icon, which means that you are viewing all of
this information through a layer of encryption.
Normally, you will only see that lock icon when you are
about to give your credit card number to an e-commerce site.
But if you use SafeWeb, all of the traffic coming in and out of
your computer is encrypted with 128-bit encryption--encryption
powerful enough that even intelligence agencies can't break it.
Here I have an icon of a cookie, which when clicked will
show you--this cookie will appear on the interface when a third
party tries to place a tracking cookie on you. And so here it
has intercepted one that would have come from AltaVista had it
not been blocked. So if I click on that, you can see that the
origin of the cookie was a server called ad.doubleclick.net.
Once that cookie is on your computer, Doubleclick can track
you from site to site and track all of your viewing habits. But
we have actually blocked that cookie as it passed through our
server.
We also offer various levels of configuration similar to
what Mr. Wallent talked about for his IE version 6, but
currently available already from SafeWeb, which allow you to
choose your level of sanitation of Java applets, plug-ins, and
different levels of cookie settings.
So I would like to thank the committee for this opportunity
to say a few things about SafeWeb. Thanks.
[The prepared statement of Stephen Hsu follows:]
Prepared Statement of Stephen D.H. Hsu, CEO and Co-founder, SafeWeb,
Inc.
Mr. Chairman and members of the Subcommittee: Thank you for this
opportunity to share my views on this important subject. SafeWeb
develops Internet privacy and security technologies for businesses and
consumers. Our core consumer product, www.safeweb.com, lets Internet
users surf the Web anonymously so that no one can pry into their online
communications.
SafeWeb's technology lets users access the entire Web through a
layer of encryption. All of the information coming in and out of their
computers is fully encrypted, and dangerous code such as cookies and
Web bugs is filtered. Our servers communicate directly with the SSL
(Secure Socket Layer) engine present in every browser so that no
software download or installation is necessary.
Because our solution is free, effective and easy to use, it has
quickly grown to become the most widely used online privacy service in
the world. We currently secure over 100 million Web pages each month
through www.safeweb.com. We are also licensing this technology to
businesses and governmental agencies that place the utmost importance
on security and require the strongest technology available to meet
their stringent requirements.
Before discussing the topic of privacy, let's begin with a broad
view of what is happening in information technology. You may be
familiar with Moore's Law, originally formulated by Gordon Moore, one
of the co-founders of Intel. Moore observed that the computing power of
microchips doubles roughly every 1.5 years. It is no surprise that
today's laptop is far superior to the supercomputer of 10 years ago. A
similar trend is occurring in the areas of data storage and data
transmission: the cost of storing data is cut in half each year and the
capacity to transmit data is doubling each year. With these factors in
play, the end result is exponential growth in our ability to store,
transmit and analyze information.
What does this mean for privacy? It means that technology will
inevitably make it easier for governments and corporations to invade
the privacy of individual citizens.
Consider the following example. Currently, someone with access to
my credit card records could gain a fairly accurate picture of my
eating, shopping and leisure habits. Perhaps two-thirds of all of my
personal purchases are made on this credit card. Imagine the situation
five years from now, when digital cash and smart cards are ubiquitous
and nearly 100 percent of all purchases are executed digitally.
Eventually, databases will be able to record not just how much money I
spend, but exactly what I purchased, as well as where and when I made
this purchase. This will apply to purchases of entertainment and food,
as well as other items. It will not be long before databases will be
capable of recording all of the phone and e-mail traffic of ordinary
individuals--not just basic data (e.g., identities of sender/caller/
recipient, time and length of communication), but the actual content of
the communications.
Why would someone be motivated to assemble such data? The answer is
simple. Most businesses, from banks to shoe stores, spend significant
amounts of money on customer acquisition. As businesses, they are
highly motivated to make this process as efficient and economical as
possible, and technology can oblige in astounding ways. Government and
law enforcement have different, but equally strong, motivations to know
more about what people are doing.
Is this a bad thing? Not necessarily. It would be foolish not to
acknowledge the advantages this future will bring both to individuals
as well as to corporations and governments. However, it is easy to see
that these massive databases, once created, will be subject to myriad
forms of abuse.
Survey after survey indicates that the overwhelming majority of
Americans is already concerned about their online privacy and desire
greater protections when they surf the Web. According to one recent
survey, Americans are more concerned about loss of privacy than health
care, crime, or taxes.1
---------------------------------------------------------------------------
\1\ Harris Interactive survey (National Consumers League), October
2000
---------------------------------------------------------------------------
On a global level, the need for online privacy and freedom of
speech is even more urgent. Despite different countries' differing
laws, we at SafeWeb believe that the right to privacy and the right of
free speech are not just rights granted to American citizens by the
United States Constitution; these are human rights that every country,
democratic or not, ought to accord their citizens. Approximately 327
million people worldwide use the Internet today, and an estimated 502
million people will be online by 2003.
As the number of Internet users steadily grows, we can expect
privacy concerns to escalate and grow increasingly volatile. The
general public has only just begun to realize the extent of the privacy
problem, and has only just begun to explore the possible privacy
solutions.
While it would be convenient to claim that technology alone can
solve these problems, to do so would be to pronounce a fallacy. There
are several companies like SafeWeb that create technologies to help
consumers protect their online privacy. However, these technological
tools tend to be used by sophisticated, technologically savvy people,
and less so by the average Internet user. According to one survey, only
nine percent of online users have used encryption to scramble their e-
mail, and a mere five percent have taken advantage of anonymous Web
browsing services.2 Americans should not have to become
experts on cookies, Web bugs or relational databases in order to
preserve their privacy.
---------------------------------------------------------------------------
\2\ The Pew Internet & American Life Report; Trust and privacy
online: Why Americans want to rewrite the rules (August 2000)
---------------------------------------------------------------------------
It is my opinion that the protection of consumer privacy requires
both legal and technological action. I hope that legislators will
recognize the current trends and pass laws that will protect the rights
of individuals in this burgeoning information age.
Thank you.
Mr. Stearns. Thank you.
Mr. Schwarz, I guess we will offer you a little bit of time
for you to set up.
Mr. Schwarz. Actually, I can fly----
Mr. Stearns. You can fly?
Mr. Schwarz. [continuing] directly.
Mr. Stearns. Wait a second. I think he has to--our staff
has to connect something here.
STATEMENT OF JOHN SCHWARZ
Mr. Schwarz. I decided that a presentation without the
slides may be more appropriate.
Mr. Chairman, Mr. Stearns, Congressman Towns, members of
the subcommittee, my name is John Schwarz. I am the President
and CEO of Reciprocal, Incorporated. I would like to thank you
for the opportunity to speak or testify before the panel.
I would like to start by saying that your committee is
focusing on issues which are extremely important not just to my
company but to our economy, to our citizens' privacy, and I
would argue to our citizens' security, and, obviously,
ultimately to my company's business.
In our view, privacy, intellectual property, and copyright
protection are all critical aspects of the same common issue.
We live in an age where the physical world such as we knew it
and continue to know it is being displaced by a digital one. In
other words, virtually everything that we know today can be
described in information and data. And once that knowledge is
available, recreating the physical is pretty easy.
Products are being converted to services. In other words,
what we used to buy as a ``one of'' thing we now today buy as a
service, as an access to something, as a way to use something.
And I would argue that national boundaries are becoming more
transparent each day as this data is being shipped across the
internet and other networks, literally without any barriers at
all.
And so in this environment I think we can argue that
securing digital assets and preventing unwanted digital
intrusion is equivalent to defending personal and potentially
national integrity. So we are talking about very important
issues.
My company, Reciprocal, provides customized business
infrastructure for the secure online delivery of digital
assets, such things as audio, video, books, documents, games,
or software. Our solution includes a defined set of features
and tools, access to prepaid transaction processing, and the
implementation resources needed to integrate the solution into
the customer's existing systems.
So we are not a producer of technology. We are a services
company that makes technology work for other people. And those
other people could be other businesses. Those people could be
the government. Those people could be private citizens.
We also offer consulting services to clients that need help
with the definition of business models or technology choices in
this digital distribution world. We run a secure online
delivery solution using our computer infrastructure.
Simply stated, our clients only need to identify the
digital assets that they wish to distribute and the channel
through which these products are to be delivered, and we do the
rest. We are arguing for a proactive management of digital
assets. These can be personal, corporate, governmental or
educational assets. But the proactive protection of those is
very important.
Just as an example, the global media market is approaching
$200 billion annually. Many of the properties are extremely
valuable. You have all seen first-run movies generating $75
million of sales in a single weekend or a best-selling book
selling 500,000 copies in a month.
In other industries, pharmaceutical clinical trials are
distributed to thousands of subjects and their doctors.
Contracts and other legal documents need to be verifiably
delivered and secured. And the access to these documents and
these media assets needs to be appropriately managed.
Virtually all media information today is produced in a
digital format. In fact, it is almost a definitive statement.
This means that it is copyable with perfect fidelity. Software
and hardware that enable the reproduction of digital assets is
now a standard feature on most computers.
Vast amounts of digital assets are, thus, illegally copied
and redistributed, and these digital assets include the
personal information which was described by my colleagues that
is gathered from the analysis of personal behavior as people
browse through the internet.
The market or the industry, our industry, has responded
with a large and all-too-often confusing array of solutions
developed to assist digital owners to keep what is theirs--from
a simple user ID and password, to certificates of authenticity,
to cookie management, to digital watermarking, to
fingerprinting, to encryption, and digital rights management.
The simple truth is none of these are infallible, and that
all are currently difficult to implement within what I would
call a comprehensive solution. All of these tools require
fairly substantial knowledge on the part of the people that
will be using them.
The Reciprocal role, or the role of my company, is to take
the complexity out of the decision processes and the
implementation and to provide the best flexible solution for
the problem at hand.
I would argue that our effectiveness and competitiveness as
individuals, as companies, and as a Nation is enhanced in an
environment where standards prevail, where systems can be open
because there is intellectual property protection for the
developer, where the invasion of privacy is treated as an
illegal activity, and where the authors can be assured that
their copyright has an enforceable contractual value.
And I think, by extension, we can argue that our individual
rights to privacy surpass the corporate rights to copyright and
to intellectual property.
The role of Reciprocal is to take it from there and make
sure that these solutions are available in an easy,
comprehensible, cheap, and effective way.
Thank you for listening, and I am happy to take questions.
[The prepared statement of John Schwarz follows:]
Prepared Statement of John Schwarz, President and CEO, Reciprocal Inc.
Dear Chairman Stearns, Congressman Towns, members of the sub-
committee: My name is John Schwarz. I am the President and CEO of
Reciprocal, Inc. Thank you for the opportunity to speak to you today.
Your committee is focusing on issues that are very important to our
economy, to our citizens' privacy and security, and to my company's
business. In our view, privacy, intellectual property and copyright
protection are all critical aspects of a common issue. We live in the
age where the physical world is being displaced by a digital one, where
products are being converted to services and where national boundaries
become more transparent each day. Consequently, being able to secure
digital assets and prevent unwanted digital intrusion is equivalent to
defending personal and national integrity.
Reciprocal provides customized business infrastructure for the
secure online delivery of digital assets (audio, video, books and
documents, games or software). Our solution includes a defined set of
features and tools, access to pre-paid transaction processing, and the
implementation resources needed to integrate the solution into the
customer's existing systems. In addition, we offer consulting services
to clients who need help with the definition of business models or
technology choices in the digital distribution world.
We run a secure online delivery solution using our own computer
infrastructure. Simply stated, our clients only need to identify the
digital assets they wish to distribute and the channel through which
these products are to be delivered and we do the rest.
The global media market is approaching $250B annually. Many of the
properties are extremely valuable--you have all seen a first run movie
generate $75M in sales in a single weekend, or a best selling book sell
500,000 copies in a month. In other industries, pharmaceutical clinical
trials are distributed to thousands of subjects and their doctors,
contracts and other legal documents need to be verifiably delivered and
secured.
Virtually all media today is produced in a digital format. This
means that it is copyable with perfect fidelity. Software and hardware
that enable the reproduction of digital assets is now a standard
feature on most computers. Vast amounts of digital assets are thus
illegally copied and redistributed.
The market has responded with a large and all too often confusing
array of solutions developed that assist digital asset owners to keep
what's theirs. From simple user id and password, to certificates of
authenticity, digital watermarking and fingerprinting, encryption and
digital rights management, the simple truth is that none are infallible
and all are currently difficult to implement within a comprehensive
solution.Reciprocal's role is to take the complexity out of the
decision process and implementation and to provide the best flexible
solution for the problem at hand.
Our effectiveness in enhanced in an environment where standards
prevail, where systems can be open because there is intellectual
property protection for the developer, where the invasion of privacy is
treated as an illegal activity, and where the authors can be assured
that their copyright has an enforceable contractual value.
Reciprocal can take it from there.
Once again, thank you for the opportunity to testify today and I
look forward to answering any questions members of the panel may have.
Mr. Stearns. Thank you. I will start with the questions.
Mr. Schwarz, as I understand it, you were the general
manager of the IBM plant down in Boca Raton before you started
your business.
Mr. Schwarz. That is correct.
Mr. Stearns. And so you have seen it from a more--a longer
perspective perhaps than most. In a nutshell, do you think the
U.S. Government, we as legislators, should set a standard for
internet privacy? Just yes or no, and then tell me why.
Mr. Schwarz. I would say eventually yes. Now may not be the
right time.
Mr. Stearns. So right now you, in your personal opinion,
with all of your experience at IBM, and your new company, you
do not think that we need to establish internet privacy as a
legislative body right at the moment.
Mr. Schwarz. I think as Congressman Markey had said
earlier, there has to be some sort of a minimum floor.
Mr. Stearns. Minimum floor. Okay.
Mr. Schwarz. What that is is going to be difficult to
define, and I don't think we know enough today to set that
standard.
Mr. Stearns. Well, Microsoft has worked with their new P3P,
when it is fully integrated I guess with Explorer 6--when is
that going to be released, Mr. Wallent?
Mr. Wallent. We actually have next Monday publicly
available data that has all of the functionality that I showed
you here today----
Mr. Stearns. Okay.
Mr. Wallent. [continuing] that anyone can download onto
Windows machines from Windows 98 forward. We expect to have a
final release of Internet Explorer 6 by October 25 of this
year, when we plan to launch Microsoft Windows XP.
Mr. Stearns. How many people will eventually be using this
new P3P technology?
Mr. Wallent. Well, if past history is any guide, we expect
that probably within the first 6 months of release of Internet
Explorer 6 approximately 30 percent of the people who use
Internet Explorer will be updated to the latest version. What
that means in real numbers is that we expect by mid-2002 to
have somewhere between 30 and 50 million people using Internet
Explorer 6.
Mr. Stearns. Worldwide.
Mr. Wallent. Worldwide, yes, sir.
Mr. Stearns. Okay. You noted your work with the World Wide
Web Consortium privacy working group on P3P. How important are
standards and standard-setting organizations when addressing
privacy concerns with technological solutions? And I guess the
question, like I talked to Mr. Schwarz, what role, if any,
should the government have in setting these standards?
Mr. Wallent. Certainly. With respect to the issue on
standards, the work we did with the World Wide Web Consortium
was critical, I believe, to creating a useable, worldwide
solution that will help control users' privacy. As we saw last
summer when Microsoft tried to do something that was not a
standard, but what we did only in our browsing software, it
wasn't very successful.
But yet when we pulled together the resources of the
overall internet economy and the internet community, I think we
worked to create something that will be very powerful for
consumers.
Mr. Stearns. Mr. Hsu, when you talk about SafeWeb, as I
understand it is a free service.
Mr. Hsu. Right.
Mr. Stearns. That you can go--the consumer can go on the
internet and download it and interface. How do you make money
with it?
Mr. Hsu. Actually, one correction. It doesn't require any
download.
Mr. Stearns. Okay.
Mr. Hsu. It interfaces directly with Internet Explorer or
any browser.
Mr. Stearns. So it is a seamless interface.
Mr. Hsu. Yes. The consumer service that we offer, which is
free to the consumer, actually pays for itself based on the
advertising that we run on the actual toolbar that you saw.
Mr. Stearns. What happens if somebody eliminates that
advertising that you are hoping to use to make sufficient funds
so that you can operate?
Mr. Hsu. Well, then, I think we would be in trouble. Let me
comment that I think most privacy startups are in trouble right
now. It is very difficult to monetize privacy, although there
is a widespread--if you look at opinion polls, a widespread
demand for it. It is very hard to monetize.
My company, like Austin Hill's company and all of the other
privacy companies, are probably going to get most of our
revenues from corporate clients, from security consulting, from
developing BPN-like products. And so it would be a mistake to
think that the privacy industry, technology industry, is in
good shape right now.
Mr. Stearns. Let me ask you the question I have asked Mr.
Wallent and Mr. Schwarz. Do you think at this point the U.S.
Government should set a standard in internet privacy?
Mr. Hsu. I have to agree with Mr. Schwarz that in the long
run I think it is absolutely necessary, because technologies
can only protect you to a certain extent. And in the end, your
data will be stored in data bases that you have no control
over.
Right now, I don't think it is a completely critical time.
I think that we could wait a few years and see how things
develop before we actually have to----
Mr. Stearns. Even so, the European Union has already
developed a pretty comprehensive internet privacy program. And
they argue that the opt-in or opt-out, depending upon the type
of information, whether it is medical or financial, is very
acute, and that this information should not be collected
without the person's approval.
So you don't think the citizen does have that right in the
United States to either opt-in or opt-out?
Mr. Hsu. I think that in the long run people should have
that option. However, if we delay a year or 2, it is not going
to kill anybody, because right now I think the data that is in
those data bases is not nearly as dangerous as what we are
going to see in 5 years.
Mr. Stearns. Okay. And my last question to Ms. Schlosstein.
Yours is also free to individuals but not to businesses, is
that correct?
Ms. Schlosstein. That is correct.
Mr. Stearns. And how many Americans I think have downloaded
your software?
Ms. Schlosstein. We estimate it is--approximately 50
percent of our downloads are from the United States and from
Americans, and that is 2 million of the consumers.
Mr. Stearns. And what would be your answer to the question
I have given to the other three. Should the Federal Government
set standards for internet privacy now or in the future?
Ms. Schlosstein. Well, we believe that it is inevitable.
What we stand for at Webwasher is user self-determination, that
individuals need and have the right to protect their privacy,
whether--both through the regulations and through the
technology that offers them a way to block and control their
own settings and filtering.
Mr. Stearns. All right. Thank you.
And now the ranking member, Mr. Towns?
Mr. Towns. Let me just sort of follow up along the same
line. It is said that most companies do not take privacy
seriously. Now, if most companies do not take privacy
seriously, then should we still continue to wait? Let me sort
of get a response as we move down the line, starting with you,
Mr. Hsu.
Mr. Hsu. I think companies are starting to take things more
seriously. But the problem is that once data is collected it is
very hard to tell how it will be used in the future. So that as
a company, a very well-intentioned company may collect a
tremendous amount of data, and there is no telling who will
have access to that data base in the future. So there is an
issue even though companies are taking privacy seriously.
Mr. Wallent. I believe, and I think Microsoft believes,
that given the work that we have done now in Internet Explorer
going forward, because of the position that we have in the
market, which we admit kind of carries much responsibility with
it, it also means that at times choices that we make impact
others, and I think that the choices that we have made around
Internet Explorer 6 in requiring P3P policies--if those sites
want to do user tracking.
Websites still work just fine without privacy policies, but
yet they don't get to track the users, and that user tracking
is something that really aids the economics of those sites very
greatly.
So we think that this economic incentive of the consumer
choosing a product like Internet Explorer, the sites wanting to
have information from the consumer, but the consumer being in
the driver's seat. Richard Purcell, our chief privacy officer
at Microsoft, often says that consumers tell him that they want
to use the web, not be used by the web. And I think the work we
have done in Internet Explorer starts to deliver on that
vision.
Mr. Towns. All right. Thank you very much.
Mr. Schwarz?
Mr. Schwarz. Congressman Towns, I am not sure that I would
argue that companies don't care about privacy. I think
companies care about privacy, certainly privacy related to
their own data.
They also care about privacy relative to their customers'
data. It is not clear whether companies care about data that
isn't theirs or isn't their customers', but that, in fact,
provides access to other people through that data.
I also would argue that individuals have often an interest
in transgressing privacy of other individuals' privacy. And
this is where the real crux of the matter is, because it is not
necessarily the willful behavior of companies disregarding
privacy laws or privacy rules.
It is the willful behavior of individuals that are
disregarding those rules, and that is I think where the
government needs to focus on is, how do we make sure that we
manage the intrusion into people's privacy by people with ill
intent?
Ms. Schlosstein. Webwasher responds to--believes very
strongly in the need for privacy protection and in the hands of
the user, whether it be defined as the individual, the
corporate user, or the school or government, whoever is
controlling the entrance to the network.
We believe right now we have technology--Webwasher has
technology, and we are finding that corporate infrastructures
are adopting this kind of technology for privacy and security.
And what we believe is that, with policy or without, products
such as Webwasher can, at the gateway or at the individual
desktop, be used by individuals to determine what comes in and
what comes out of their box now, and as a complement with
future policy.
Mr. Towns. All right. Thank you very much, Mr. Chairman. I
yield.
Mr. Stearns. I thank my colleague.
The gentleman from New Hampshire, Mr. Bass, is recognized.
Mr. Bass. Thank you very much, Mr. Chairman.
Ms. Schlosstein, the Webmaster filtering software----
Ms. Schlosstein. Webwasher.
Mr. Bass. I am sorry, Webwasher.
Ms. Schlosstein. I would like to, for the record, make that
correction. It is Webwasher.com.
Mr. Bass. Webwasher.com.
Ms. Schlosstein. Thank you.
Mr. Bass. Filters out all of these ads. How are the people
that are putting up these websites going to make money if
everybody starts washing out their ads?
Ms. Schlosstein. Well, one way to approach that is if you
saw the last slide that we presented, which was Webwasher's
secluded product, Webwasher takes really a pro-consumer stance
in that we have a right to decide what comes in or doesn't come
in to our networks.
And, therefore, it is not anti-advertising, but only that
we believe as the paradigm is shifting that the old paradigm of
advertising in--traditional advertising is not working on the
web, and that the future of advertising on the web is going to
be a cooperative activity between the consumer, the media, and
the businesses in the kind of activity that I demonstrated as
seclude-it, where one can select what kind of advertising
people want, when they want it, and making it really a more
profitable and more convenient and welcomed activity than it
currently is in the intrusive way.
Mr. Bass. Are there different types of advertising, though?
Is it a kind of advertising where it is just--is there any such
thing as an ad on a website that just is the ad and it doesn't
leave any information in your computer? Does that exist?
Ms. Schlosstein. Well, most ads, you know, are multi-
layered, so to speak, in that they--you will see the visual ad,
or whatever. But behind that ad it was--of the ads that we have
stripped out in that example that I gave you of Salon.com,
there were nine ads on that page. One component is it invaded
privacy. You could imply from the amount of band width or time
or space it took of the consumer's actual space.
But the other part that we didn't see were the cookies
behind that. Thirty-eight percent--I mean, 38 percent of the
band width, but 79 percent of all of the cookies that were
coming into that particular box were attached--were non-
permission-based. And so each ad that is coming in has attached
to it other--could have malicious code, could have--the pop-ups
could have cookies, could have other privacy-imposing
activities going on at the same time. And many do.
Mr. Bass. Does your service eliminate or filter out things
other than ads?
Ms. Schlosstein. Yes. The Webwasher technology takes a very
broad look at privacy, in that we look at not only advertising
or content filtering, we look at the access control. We view an
invasion of privacy, having children, for example, being
exposed to pornography inappropriately. We view privacy as
another approach or a front on privacy in a corporate
environment with malicious code, ActiveX, Trojan Horses, those
kinds of things, that could invade a corporate network and
scramble the files or whatever as another imposition on
corporate privacy and individual privacy.
And Webwasher's settings are such that you can customize
them to really address any one of those privacy concerns.
Mr. Bass. Do you or Mr.--is it Sue?
Mr. Hsu. Shoe as in tennis shoe.
Mr. Bass. You know who has your software, so you must have
a data base of users. Is that right?
Mr. Hsu. No. Actually, our product doesn't require you to
install any software on your computer. You just connect--you
point your browser at our servers. You set up that connection.
It is all encrypted, and then you just go.
Mr. Bass. Do you know that I have contacted you?
Mr. Hsu. No.
Mr. Bass. Really. How about you, Ms. Schlosstein? In other
words, do you have--if I sign up for Webwasher.com, do you know
I did?
Ms. Schlosstein. Webwasher practices what it preaches, in
that, no, we do not keep records of who downloads our----
Mr. Bass. So you can't use the information that I am using
your server----
Ms. Schlosstein. Absolutely not.
Mr. Bass. [continuing] and sell it to somebody else. It is
sort of like two mirrors. It goes----
Ms. Schlosstein. Right. Let me make a distinction here,
because I think it is very important between the two
technologies. And I think they are both valid and they are both
very important in terms of what Webwasher does and what
Webwasher is is completely controlled by the user as determined
whether it be the corporate, the individual, or whatever.
There is no outside governing body. We do not take or keep
or control any of that information, so there isn't any
possibility of a leakage of that information or a misuse of
that information, because it never leaves the control of who
that self-determined user is.
Mr. Bass. Can I interrupt you, because I am going to run
out of time.
Mr. Hsu, you made a comment at the very end of an answer to
the Chairman's question that this is nothing--I am going to
murder the quote here--that this is nothing compared to what it
is going to be like 5 years from now.
Mr. Hsu. That is absolutely true. I think----
Mr. Bass. Tell me about that. What is going to----
Mr. Hsu. Well, I think people might be familiar with
Moore's Law, which is that the power of CPUs doubles every year
and a half. Well, also the power of the band width we use to
transmit information and the cost of storing it, those things
increase by factors of two every year.
So we are on an exponential growth path. And all of those
abilities--to store data, transmit data, and analyze data--are
all useful in invading people's privacy. So we are just at the
very beginning right now. A few web entities have taken
aggressive advantage of the way browsers are written to put
these cookies on you and track you, but I think that is a very
minor thing compared to what you will see 5 years from now.
Mr. Bass. Thank you, Mr. Chairman.
Mr. Stearns. I thank you.
The gentlelady from California, Ms. Eshoo, is recognized
for----
Ms. Eshoo. I am going to pass, sir.
Mr. Stearns. All right. The gentleman from Nebraska, Mr.
Terry? Sorry, sorry, sorry. Mr. Markey from Massachusetts?
Sorry.
Mr. Markey. Thank you, Mr. Chairman.
Mr. Stearns. No problem.
Mr. Markey. First of all, let me say that I think there is
a false security privacy dichotomy which is made. In other
words, industries say that we have top-notch security, meaning
the information as it comes from your home to our company is
very secure. Once we get it, now it is a privacy policy. That
is a different thing altogether.
And now we have a right to modify the privacy. Okay? But
don't worry, it is secure. No purple-haired kid living next
door to you will be able to crack through our very top-notch
encryption.
Now, from a consumer's perspective, they see the whole
thing as privacy. They don't make this distinction. The reason
corporate America makes the distinction is they want to give
you confidence to let it go from your home to the bank or to
the hospital or to the company, but then it is a different set
of standards once it hits our company.
Now, we reserve the right to do certain things with it, and
you have got to check with us on an ongoing basis to see
whether or not your privacy is protected. Of course, the
individual doesn't quite see it that way. It is all security or
all privacy--whichever word you want to use, but it should be
the same the whole way.
So WebTV is a good example. That is a Microsoft product. So
I just pulled down here privacy policy for WebTV. So WebTV says
that when you register as a primary user of the WebTV network
service, WNI will request information that personally
identifies you or allows us to contact you. On the WebTV
network services information is your name, home address, phone
number, e-mail address, and credit card number--my credit card
number.
Now, you say back here that I have the right to opt out of
having this ever shared with anyone else. But I personally
believe you should have to get my permission. I mean, I gave
you my credit card number, but I want you to have to come to me
if you want to give it to somebody else.
Now, do you think that is unreasonable, Mr. Wallent, that
that should be a national standard? That if you are going to
take my very, very, very private credit card number, and I am
going to use it to do business with you, that you should have
to get permission from me if you are going to use it for any
other purpose. Do you think that would be an unreasonable
standard for the Congress to legislate?
Mr. Wallent. Well, just to be clear, Microsoft doesn't
oppose either privacy legislation or a specific standard per
se. But with all of this----
Mr. Markey. So you would not oppose--so Microsoft would not
oppose us applying an opt-in standard for credit card numbers.
Is that what you are saying?
Mr. Wallent. No, that is not what I am saying, sir.
Mr. Markey. Oh, I----
Mr. Wallent. What I am saying is we are not opposed to
legislation per se.
Mr. Markey. No, I understand that. But would you oppose us
applying an opt-in standard for credit card numbers that are
obtained by private sector corporate or individuals, and, then,
that they can't be retransferred for other purposes without the
explicit permission of individuals in America?
Mr. Wallent. I am certainly not a lawyer. I am a software
developer, which gives me some benefit sitting here with you.
Mr. Markey. Well, but you are American, you are a human
being. Okay. Do you think that--would you want someone taking
your credit card number and just selling it as information, or
would you want to have them have to get permission from you if
you had entrusted them with your credit card number?
Mr. Wallent. Well, I believe, sir, that information like
your credit card, there are laws today that prevent credit card
fraud. If I give Amazon.com my credit card number to buy a
book, that doesn't give them permission to charge pornography
on that credit card or some--you know, 10 other books that they
think I might like.
So I am not sure I quite understand your question, sir,
because I believe----
Mr. Markey. Right. There is a difference, though. We are
talking about a difference here. There is misuse of it, in
terms of creating credit card fraud, and then there is just my
desire to be private. I am giving it to you. I don't want you
to give it to somebody else, even if that other person isn't
going to potentially engage in fraud.
I just don't want the whole world to have my credit card
number. Do you think that that is--would that be an
unreasonable thing for us to legislate here?
Mr. Wallent. Well, sir, I think there is two separate
issues. One is Microsoft firmly believes in the concept of
notice and choice.
Mr. Markey. Well, that is what I am saying to you. So it is
no--who has the choice? Do you have to come to us and say,
``Here is your choice. If you don't give us permission, then we
can't use it. Please give us your permission.'' Or should it be
the other way around where we are going to use it, unless you
actively try to stop us.
Do you think it would be unreasonable for us to say that
you have to come to each of us and ask for our permission to
use the credit card information which you have gathered from us
for any purpose other than that which you originally contracted
from a corporation perspective to gain access to that number?
Mr. Wallent. As I said, we do fundamentally believe in the
concept of notice and choice. And I think----
Mr. Markey. But you are not answering my question. The
question is: what is the choice? Okay? Where is the burden
here? I know you are not going to answer it.
Here is why--I know you are not going to answer it, and I
know this is the answer that you had. But here is the problem--
at the back end of this thing, changes to the WebTV network
service statement of privacy. WNI may make changes to the
statement from time to time.
They will post changes to our privacy statement here, right
at the very bottom of this six-page privacy--we will post
changes here, so be sure to check that periodically to find out
if you have any more privacy that might have been changed here
tomorrow morning, even though today we gave you this. We may
also notify you of significant changes by e-mail. We may also
notify you. But we may not notify you, huh?
Well, that doesn't sound like a very strong commitment.
When I sign up, I want it to be my deal now and forever. Amen.
So, you know, it is a little bit troubling to be honest with
you. There is also another part in here that deals with video
and other information that you might gain from me. But, you
know, in the cable industry----
Mr. Stearns. The gentleman's time has expired.
Mr. Markey. Could I just--30 seconds, Mr. Chairman, and I
won't----
Mr. Stearns. By unanimous consent, so ordered.
Mr. Markey. I thank you.
In 1984, we passed the Cable Act, and in the Cable Act
every American out here, as they are flipping from station to
station, the cable industry cannot sell that information. They
can't tell anyone that you flip to that particular station at
11 at night. You know? That no one else in the family knows you
are watching at 11 at night, anyone else in the neighborhood,
or your boss. That is yours. And they have to get your explicit
permission to give out that information.
Well, a lot of the information that now, as we move 5 years
down the line, it is going to be online is the same kind of
very sensitive information. And I would like to think that
Microsoft would understand that, just as Americans, as human
beings. That the very same laws from the analog world must make
some sense, because each of us might not want everyone else
knowing that we were watching--gaining access to that
information.
And a credit card number is a good example, and the fact
that you won't give us a specific commitment here that we have
a right to protect our credit card number. Your coming to us is
a good indication of how far we have to go in this debate.
Mr. Stearns. I thank the gentleman. His time has expired.
The gentleman from Nebraska, Mr. Terry?
Mr. Terry. Thank you, Mr. Chairman.
I will actually allow you guys to talk a little bit here,
but let us follow up on the comments by Mr. Markey, because
there is different philosophies on how to help consumers with
privacy. You have all developed different types of technologies
that work.
Some of us feel that each consumer should be in control of
their own destiny here, they get to make their own decisions
instead of Congress making the decisions for them, personal
empowerment and allowing--and it seems like your technologies
allow that.
My question, though, is: what Mr. Markey is leading to, and
what begs the question from my standpoint, is these
technologies are great, they empower the consumer, but unless
you are watching a congressional hearing, which amazingly very
few people do, how do we get the word out? How do we actually
let consumers know about this? How do we educate consumers
about what is out there?
Because I would guarantee you, if you just pull 10 people
from my neighborhood together, and maybe one of them will even
know what a cookie is. So if I believe in personal empowerment
and letting consumers make their own decisions on their sliding
scale like you have developed, how do we let them do that? They
have to be educated to be able to make those type of decisions.
So where do you fit into the process? And what do you
believe should be done to educate consumers? I will let anybody
start with it. Go down the panel.
Mr. Hsu. Well, I think education is the main issue, because
I think most people don't understand what cookies are, and most
people don't understand that when they send an e-mail it is
like sending a postcard, that anyone in the middle between you
and the recipient can read it.
I deal with venture capitalists and tech reporters every
day who don't understand the privacy issues, and I don't think
the average person understands them either. So for industry to
say that people make these informed choices and punish
companies that have bad privacy policies I think is a little
optimistic, considering the privacy policy that Mr. Markey read
is very complex and most people can't understand it.
So I think that education is extremely important, but I am
not optimistic at the rate at which people will understand
these complex technologies.
Mr. Wallent. This raises the interesting issue that I tried
to bring up in my testimony, which is it comes to a question of
defaults. It is all well and fine to have controls in a product
like Internet Explorer that let people control their privacy
after the fact once they discover that that can be done.
We have tried to take a higher standard with Internet
Explorer 6 and provide good privacy defaults, requiring privacy
policies, and for reuse of personal information requiring that
consumers have the ability to opt out and providing easy ways
to let consumers dial up the bar, so it has to go to an opt-in
model.
Furthermore, besides just building our technology, I have a
team of about 15 people who spend full-time now evangelizing
P3P. Even though it is not a Microsoft technology, we
evangelize it to the top 100 websites, and also to all of the
online advertisers, to try to get them to use that technology
because we think it is the right thing for consumers.
Mr. Schwarz. I would just like to point out, in addition to
Congressman Markey's point about the cable TV law of 1984, I
would suspect that not one in a hundred people in this country
would know that, in fact, passing that information back and
forth is not allowed.
And so we are now some 16 or 17 years past that point, and
we still don't have that education in place. I am not even sure
that that education is necessary.
And so I think without some minimum floor that is, in fact,
legislated or somehow provided as a standard by the government
or by the industry, we will not make much progress in this
regard. So I would argue that--to your point on education,
education is important, but I think a minimum floor is going to
be required.
The question is going to be: what do we define as sensitive
data or data that must be protected? And how do we make that
standard happen? And I don't think we have the answer today.
Ms. Schlosstein. I agree that when Webwasher first started
out we allowed for--we actually didn't have settings, and we
requested that people actually set the settings themselves. And
the feedback that we got from our users was that they did
actually want to have default settings set, so that they
wouldn't have to deal with it on a microscopic basis. And I
think that is one of the dangers that we have with the P3P
platform and other very complex dialogs that occur.
So what Webwasher has done is we have actually just
listened to the consumer and what they want, and our default
settings are such that we have cookies--non-permission-based
advertising cookies are part of the default settings now as per
request by the consumers that have been using the product, and
then they can go in and customize it at will, whichever way
they want, if they have the knowledge and the desire to go it a
further--a higher level. So that is one way that we have
resolved that privacy initiative.
Mr. Terry. Thank you.
Mr. Stearns. The gentleman's time has expired.
The gentlelady from Colorado, Ms. DeGette, is recognized.
Ms. DeGette. Thank you, Mr. Chairman.
One thing that we are grappling with as policymakers is the
fact that increasingly states are beginning to look at privacy
issues, as well as Congress. And then you have an issue--an
international issue, of course, which many of you are dealing
with.
And so what I am wondering is how difficult it is for
companies to navigate between the divergent privacy policies of
different countries. Perhaps, Mr. Wallent, you could speak to
that for a moment.
Mr. Wallent. Certainly. So, obviously, not having a single
worldwide standard is obviously additional hurdles that
companies need to jump over. At Microsoft we are blessed with a
large number of people and good resources to help us solve
those problems.
So if you look at the work we have done on MSN, for
example, and the affiliated products there, they are able to
jump through the appropriate legislative and regulatory hoops
across the world.
Ms. DeGette. But I think you would probably agree that you
are unique in that capability.
Mr. Wallent. I absolutely would. And what I was going to
comment was is that it becomes excessively hard for smaller
companies who are just starting up or startups to kind of
follow all the right rules and understand what the laws are in
all of the different places. That is why, to some extent, I
think that technology standards such as P3P--everyone is
concerned about privacy regulation and defining the privacy
standards on a site.
P3P provides a common mechanism for a site to define their
privacy policy. Now, whether or not----
Ms. DeGette. Well, let me stop you. We only get 5 minutes--
--
Mr. Wallent. I am sorry.
Ms. DeGette. [continuing] so that is the problem. And so I
guess what I am positing, almost as a devil's advocate
position, except for I think there is some issue here, is
wouldn't there be a benefit to trying to craft one uniform
Federal law, so that at least we would have a consistent U.S.
standard? And I don't know what that standard would look like.
That is what we are grappling with.
But, you know, what we are looking at here is not just all
of the international issues, but now 50 divergent State laws.
Mr. Wallent. Right. So, as I was trying to answer for Mr.
Markey, Microsoft is not opposed to privacy legislation per se.
We believe in the concepts of notice and choice. But the devil
is in the details. What data----
Ms. DeGette. I understand that. But you think it would be a
good idea to try to craft something working on the details.
Mr. Wallent. I think that it is a challenge to decide what
data should be opt-in and what data should be opt-out, what
practices----
Ms. DeGette. I understand it is a challenge. But you think
it is a goal we should try to work together on? Yes or no.
Mr. Wallent. I think it is certainly a goal to protect
consumers' privacy. Absolutely.
Ms. DeGette. Right. Mr. Schwarz, I saw you nodding. Perhaps
you would like to comment on that.
Mr. Schwarz. I am in agreement. There is a requirement to
set a standard, to set a base, to set a minimum, but the
difficulty is going to be what data, to what extent, and I
don't know.
Ms. DeGette. Mr. Hsu, what is your view on this?
Mr. Hsu. Well, I think a uniform standard is always
preferable to a patchwork. A small company would have to do a
lot of work to try and comply with every state's varying
legislation.
Ms. DeGette. Ms. Schlosstein?
Ms. Schlosstein. I think that there is a need for a
baseline standard. But I think that beyond--above and beyond
that that the diversity in our country really demands a
diversity in policy and allows--that will allow for a diversity
in policy, and that the technology must be flexible enough in
order to reflect that diversity in policy.
Ms. DeGette. Thank you.
Something else that I am wondering about. We sit here and
we have these hearings, and we hear testimony about the cookies
and the different levels, and so on. And I must say, mainly due
to the fact that I have two young children, I feel like I am
pretty up on computer stuff. And also, I have a husband who is
active in high tech issues.
But I don't think I represent the average American
consumer, and I would bet that the average American consumer
doesn't even know about what a cookie is or that it is
happening on their computer when they order something from
Amazon.com. And all of you are shaking your heads in agreement.
I am wondering if any of you know what the level of
knowledge of consumers is of these issues, and what the
industry is doing to educate consumers about what they can do.
Perhaps we should start with you, Ms. Schlosstein.
Ms. Schlosstein. Well, I know--I would have to agree that
the knowledge level is low, and it is increasing very, very
quickly as these debates contribute to that, as conversations
in the public press about advertising cookies, and that I
believe in the last few weeks every single national and
international paper has had some sort of public article on
that.
So I believe the issue is escalating. We have found that
there is a completely growing demand for it, actually.
Ms. DeGette. Mr. Chairman, if I can ask unanimous consent
just for another additional time to allow the rest to answer
perhaps as to what efforts the industry is making for consumer
education.
Mr. Stearns. By unanimous consent, so ordered.
Ms. DeGette. Thank you.
Mr. Stearns. Go ahead. If the rest of you will answer her
question.
Mr. Schwarz. My answer would be that the level of knowledge
depends on the age of the person that you are talking to. I
would argue that kids that are in grade school, high school,
have no difficulty with most of what we talked about today.
When you get to people of our age, it is a different story.
And I don't think that we are going to change that. I think we
will have to wait for this new generation of people that are
growing up with computers as a toy to become consumers and
adults, to have the level of knowledge that is necessary to
make these informed decisions.
And so in the meanwhile, while we are dealing with
consumers that are not that educated, there is some level of
base that is necessary to protect them.
Mr. Wallent. To somewhat echo what Mr. Schwarz has said, I
think there was an interesting issue, though, where I don't
think in the technology industry it is our goal to try to
educate consumers about all of the little nitty details about
technology, about what a cookie is and what it does, and first
party and third party.
You have to have good consumer privacy and good solutions
for consumers that don't require them to understand what my job
is. It just has to work. It has to make sense for consumers and
have understandable choices for them to make. And that is
really something that we have tried to work very hard on.
Mr. Hsu. I agree with Mr. Wallent. I don't have any hope
that at any point in time 90 percent of the population will
understand what a cookie is or what a profiling data base is.
Even a kid who is very good at playing Doom may not understand
what Doubleclick is doing with their data. So I think that we
have to simply it in some way and inspire confidence in the
individual that things are being done, even though they don't
understand the technical nitty-gritty.
Ms. DeGette. Well, I guess I would just say that if people
don't know what is going on, they don't realize the need for
privacy policy. And so I think consumer education needs to
happen.
And, Mr. Chairman, I would ask if all of these witnesses
could perhaps supplement the record in writing by telling us
what their consumer education efforts are. They are never going
to understand the need to have a privacy policy if they don't
know what their risk is.
And I thank the Chair for its indulgence.
Mr. Stearns. I think what the gentlelady is alluding to the
panel is that we, as legislators, would like your input on what
we could do to educate, and what can be done on a national
scale to educate users of computers who will be let into this
camouflaged area where they think they are safe, where, in
fact, they could be detected and a lot of their privacy
revealed. So if you would do that, it would be appreciated.
The gentlelady's time is up, and the next person--there is
no one on this side. We will move to Mr. Doyle of Pennsylvania.
Mr. Doyle. Thank you, Mr. Chairman.
It has been very interesting. Mr. Markey and I were just
talking. I mean, when you think about the web and the
computers, so many of us are in kindergarten in terms of
understanding the applications. Those of us that started
dabbling in these things at a later stage of our lives, we
understand the implications of that information, but not the
applications.
Our children seem to understand the applications but don't
think about the implications of what they are doing on the web.
And how to bring everyone up to speed--I don't think we are
ever going to be able to do that. I don't think there is going
to be a way to effectively educate everybody on how to use
these tools.
I mean, most people just don't have a clue how to do any of
this, and I don't think they are aware of how the information
is being used. I think that is what is going to change this
down the road. I mean, the idea that somebody would be able to
sell a list of all of the telephone numbers you dialed in the
last month--you know, people would--they grasp that, and they
would never permit that.
What they don't grasp is how this data is floating around
the web and how people are able to track it and access it and
use it. People really don't understand that is what is going
on.
I remember a lot of us, the first time we discovered that
when you send an e-mail, and you erased it, everybody thought
it was erased. Then you found out it is still on the hard
drive, and I can bet you a lot less e-mails went out of this
place once that was discovered a few years back.
So I think, you know, as people come to understand, you
know, how this works, and as we start to progress as a Nation
in our education of the computer age, that it is inevitable
that there is going to be standards.
So maybe we are not ready just yet to figure out maybe what
that standard should be today, but we are going to figure it
out I think fairly quickly, because, as Mr. Hsu said, 3, 4, 5
years down the road, I mean, people are going to demand it once
they come to more fully understand how this information is
being used.
But I find it--the discussion fascinating. Mr. Wallent, I
am just curious. Now, you say there is sort of an incentive for
people to join into the privacy policies--you know, adopt the
privacy policies and code them in this P3P language because
otherwise the browser won't accept their cookies. Right?
Mr. Wallent. Yes, sir.
Mr. Doyle. And I am just wondering, do you see future
applications for this technology and the P3P standard, like to
extend it into other areas such as minimum encryption
standards?
Mr. Wallent. Sir, to answer your first question, sir, yes,
I do believe the P3P will be used--will be deployed onsites,
because if sites do not deploy it their advertising revenue and
some of their functionality will be blocked. With respect to
the application of P3P to other technologies like encryption,
P3P is a good generic technology to describe the data practices
of a site.
It is not exactly clear to me how that would be applied to
encryption, other than for the consumer to decide what level of
encryption that is required based on the data practices of that
site.
I just--if I could have just a moment, sir. I just wanted
to make it clear that I don't actually work for WebTV. I have
not worked on their privacy policy. Mr. Markey raises a very
legitimate concern about the credit card issue that we
absolutely will follow up with him after this to make sure that
that is addressed. We take private information very seriously
and want to make sure we address any concerns that exist on the
panel.
Mr. Doyle. I am just curious, too. What assurances are
really in place to make sure that, you know, when a website
agrees to Internet Explorer's privacy standards that they will
actually adhere to the privacy policy? I mean, in other words,
I may be secure on my side, but what stops a third party from
saying they are going to follow your internet privacy but then
just goes ahead and shares the information with someone else
anyway?
Mr. Wallent. Our analysis of that, sir, and from our
conversations with many of the State attorneys general on this
topic, is that existing consumer protection law about deceptive
trade practices would be covered. Essentially, the company is
making a legal representation as to what their business
practices are. If they say, ``No, we don't keep any of your
information,'' but yet go ahead and do it, then clearly they
are in violation of that. And the great thing is that we have
it on record as to what they said their practice was in an
unambiguous fashion.
Mr. Doyle. Yes?
Ms. Schlosstein. Could I just add to that? And I think that
is one of the issues that we are going to have to deal with
with P3P and other privacy protections that exist outside of
the user's immediate control.
And one of the things that--I mean, it could be a
complimentary function such as Webwasher or other technologies
that allow both that preference selection, but at the same
time, complimentary-wise, to be able to block or control
anything that is going out or that information that you do not
want circulated or you don't want, so that technology is
available.
Mr. Doyle. Great. Anyone else? Yes?
Mr. Schwarz. I would just like to also add that one of the
techniques that might be deployed is to work with companies
that, in fact, produce information which is sensitive
information, such as credit card, such as health data, and work
with them to make sure that the data that they produce or the
data that they control is never dealt with in an inappropriate
way.
Technology exists to protect that type of content, whether
through encryption or whether through hardware implementation.
And there may be another channel to get to the problem rather
than looking at it bottoms up through the grass-roots effort.
Mr. Doyle. Thank you.
Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman.
The gentlelady from California, Ms. Eshoo?
Ms. Eshoo. Thank you, Mr. Chairman.
Let me ask the panel if--first of all, if any of you
advertise your technologies online.
Mr. Hsu. We have in the past.
Ms. Eshoo. You have in the past. You don't today?
Mr. Hsu. Well, actually, I can't--it is possible that we
may actually have some banners running on other people's sites
right now. So----
Ms. Eshoo. It doesn't sound like it is a full-fledged
program, though.
Mr. Hsu. No, it is not a big effort.
Mr. Wallent. Microsoft, in our advertising for Windows XP,
privacy is one of the key messages around that. We plan to
spend as much money, if not more, on Windows XP than we did on
Windows 95 for the marketing efforts and launch. So we expect
that we will be touting our privacy efforts very, very heavily,
both online and through other media.
Mr. Schwarz. Our entire business is built around protecting
assets, and so we advertise by default.
Ms. Schlosstein. Though we protect privacy, we don't
advertise our product, but we do get--we have 4 million users
just by the identified need from it. People find out about it
through----
Ms. Eshoo. It really is a curiosity question more than
anything else, because we are talking about how best to have
the consumer understand that these technologies--first of all,
that they are available, how did they find out about them, and
I think there have been several questions kind of in and around
that.
But I was curious to know how, you know, the masses find
out about this. Or is it kind of, as we say inside the Beltway
here, is it within the--kind of the geek community that we know
that this is available. So it was a curiosity question.
Do any of your technologies--the P3P, Webwasher, SafeWeb--
do they slow down the browsing speeds of the online user?
Ms. Schlosstein. I can speak for Webwasher--does not.
Ms. Eshoo. Does not.
Ms. Schlosstein. It actually speeds it up because it
blocks--it actually filters out unwanted content and makes the
actual browsing experience faster and more accessible for the
user.
Ms. Eshoo. I mean, it is obvious why I am asking the
question. If it does slow down, then people will not be so apt
to move to the technology if, in fact----
Ms. Schlosstein. Yes. I think that is one of the benefits
of having it on your box or on your server is that you actually
can control it. Whereas, if it is--if it does, you are at the
mercy of another server.
Mr. Wallent. The performance issue around P3P was one of
the critical things that Microsoft participated on the
committee to try to resolve. And, in fact----
Ms. Eshoo. We have got to get you over to the State
Department. You know, you give these answers that are--there is
an answer buried in the answer, but it is not like upfront. It
is kind of diplomatic talk.
But at any rate, I congratulate you for having refined
that.
Mr. Wallent. No, there is no performance problem with
Internet Explorer.
Ms. Eshoo. Okay.
Mr. Hsu. In our case, because we are routing your data
through an intermediary server before we encrypt it, there is a
small performance hit.
Ms. Eshoo. What kind of feedback have you gotten from
consumers and businesses about what you have? And how do you
assess that?
Ms. Schlosstein. Webwasher has a support line where we get
500 to 600 e-mails a day, and 60 percent of them are positive.
So we are getting--I mean, we are getting rave reviews, thank
yous, all the time--not only for the privacy that we are
protecting but for the convenience that we are offering and
giving them user control and self-determination online.
Ms. Eshoo. So for the time that you have had the product,
give us just a little bit more. Put a little different----
Ms. Schlosstein. Okay. Well, we have 4 million users
worldwide. We have been--Webwasher has been around for about 18
months, almost 2 years, from when it was deployed. And in that
time, we find that as--ironically, it is a public education
issue.
And as this issue becomes more--every time there is an
article in the paper, we have an enormous spike in terms of
downloads onto our site. We can't tell you who they are because
we don't know exactly. But we have an enormous spike, and we
have an--we know that as the education and interest and
awareness level rises, the demand for more privacy is going to
really be enormous.
Ms. Eshoo. So you said, what, 500----
Ms. Schlosstein. We get 500 to 600 e-mails a day.
Ms. Eshoo. A day.
Ms. Schlosstein. A day. And I----
Ms. Eshoo. And they all say, ``This is terrific''? Or do
they give you----
Ms. Schlosstein. You know, unless it is a download blip or
something like that, in terms of the technological issue, or
they are saying it doesn't--they find the new advertising size
that we need to add to our new filters, or whatever. Most of it
is around, ``You are my hero,'' the convenience, ``I am not
bothered by the downloads anymore,'' the privacy is protected.
Ms. Eshoo. So it is positive.
Ms. Schlosstein. And it is very positive.
Ms. Eshoo. I love the name of your company. I think it is
just terrific.
Ms. Schlosstein. Thank you.
Ms. Eshoo. Did you come up with it?
Ms. Schlosstein. No, I would like to take credit.
Ms. Eshoo. Yes, good. Good.
Mr. Schwarz. Since our business, in fact, is making sure
that people only get access to what they have paid for, or
should have access to, this behavior is a fundamental component
of the relationship we have with our clients.
What we find is that if the service that we provide does
not make the experience that they have with the product that
they are trying to acquire any more difficult than it had been
prior to the introduction of the service, then they are
reasonably happy. Of course, when the service becomes
intrusive, it becomes a real problem for them. So the
convenience and the ease of use is a fundamental requirement
that cannot be broached.
Ms. Eshoo. But what do they say to you, and how do you----
Mr. Schwarz. Well, they simply stop buying.
Ms. Eshoo. Do you hear from a lot of people? They are
happy? They----
Mr. Schwarz. We have done implementation for about 300
firms that distribute----
Ms. Eshoo. I see.
Mr. Schwarz. [continuing] online, and have millions of
transactions actually using that service. What we find is when
the implementation for a certain client is intrusive in a way
that the user deals with the content that they are trying to
acquire, they stop buying. It is that simple. And you can track
that almost one for one.
What they do like is once----
Ms. Eshoo. I think we are just about--the red light is on.
Microsoft is not--can't get that information yet, because you
are not out there. Mr.--yes, the next person, because I think--
the red light is on, so I don't have any more time.
Mr. Hsu. We get tremendously positive feedback, and the
most positive feedback we get is typically from people in
closed societies like Saudi Arabia or China, who can't see most
of the web and are enabled to see it by using our service.
Ms. Eshoo. But do you know what I am looking for more than
anything else? Your indulgence, Mr. Chairman, for 30 seconds
more. Is it anecdotal, or do you actually--do you collect this,
so that there is a building--there is a record-building of the
technology and the response from people?
Mr. Hsu. We store it.
Ms. Eshoo. You do.
Mr. Hsu. We have thousands of e-mails from users that are
positive, yes.
Ms. Eshoo. Okay. Thank you.
Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentlelady.
Mr. Shimkus?
Mr. Shimkus. Thank you, Mr. Chairman, and I will be brief.
A simple question, kind of tied to my brief opening statement.
From the testimony--and as you can tell, I have been in and
out with other meetings. But my perception is that the market
has worked, the demand is present for a product to be offered.
These are supposedly success stories of the basic supply and
demand business model.
Briefly, tell--and, again, I apologize. This may have been
answered in some of the statements. But can you briefly just go
by--because the real debate is, how much do we intervene? What
do we do here in Washington to pass laws to protect privacy but
give people options?
Your testimony has made the compelling case that the market
is working. There is a demand. If government is to intervene
and attempt some standardization, which is--will be the
argument that is being made for public safety of personal
information--tell me the benefits and disadvantages of doing
that. And if you can just go left to right, starting with Ms.
Schlosstein.
Ms. Schlosstein. The benefits and disadvantages to policy?
Mr. Shimkus. Federal law mandating standards or standard
practices. Actually, maybe software requirements. We do that.
We do intervene so much sometimes that we actually dictate
technology. So is that good or bad?
Ms. Schlosstein. Well, the stance that Webwasher takes is
that we really support using--that we provide a technology that
allows for the execution of policies, whether they be minimal
or really excessive.
What we would suggest probably is that in the interest of
protecting consumer privacy and the right--the personal right,
user rights, that the minimum amount of regulation be imposed
by the government, and that you allow people to have the
technology to address it on their individual, corporate, or
governmental policies, so that they can be customized to
reflect the uniqueness that makes this country, which is that
we have so many different perspectives.
Mr. Shimkus. So that is a disadvantage, but you haven't
told me if there is a benefit to government intervention.
Ms. Schlosstein. Well, clearly, I mean, if you take the
case of child pornography, there is not a person in this room
that wouldn't--would say that children should not be protected
from pornography.
But at the same time, and this is the dilemma, the
conundrum, is you also wouldn't say with the--with the
education benefits that are available through the worldwide
web, that you wouldn't, at the same time, obstruct a child for
getting education through the web that is available to them,
because--and I understand there has been some trouble with like
the copyrights--that Middlesex College might be blocked from
the students doing research in colleges because sexes in
Middlesex has been blocked by a blocker.
And the technology is such, and I demonstrated a little bit
of that with our Dynablockade, or the block list function, with
now the technology that allows for image recognition and
contextual identification, so that you can read something
within the context.
So you can read skin tones and nudity within a context,
identify is it a medical site, is it an educationsite, is it a
pornography site, that the technology allows now for these
kinds of distinctions that will protect--will play on both
sides of the fence.
Mr. Shimkus. Let me get to the rest of them. But my
question stems to that. Does government intervention in
legislative language help corporate America, who is assessing
producing a product based upon demand, is our involvement
helpful, or is it harmful? Will it impede the ability for you
to do the research and development and reap the benefits of an
identified demand?
Let me go to the other members. So----
Ms. Schlosstein. Just to clarify that Webwasher is
apositional in that what we are designed to do is allow for
execution of policy that is needed.
Mr. Shimkus. Mr. Schwarz?
Mr. Schwarz. I think our view would be that you have to set
an environment within which behavior can be managed and the
markets can behave in a way that works. The point that I would
like to leave with you is that you need to move incrementally.
We don't know enough about these issues to set a standard
for all times. So you need to work within what is available and
work in a way that allows you to increment your way as the
industry has the ability to deliver or as the industry itself
learns.
There are almost 20 million people producing this
technology around the world each year. And they will be, by
definition, ahead of anything that you can think of as a
government or as a policymaking body. You need to stay in tune
and need to stay with that advancement and not to damage it in
some way.
Mr. Shimkus. Mr. Wallent?
Mr. Wallent. There are certainly critical areas that
legislation and your body can help with, especially in areas
like identity. In fact, we talked earlier about what if sites
deceive the public or tell them the wrong thing. I think the
challenge, though, is getting the technology right and making
sure that any specifications in the technology don't actually
retard progress.
Eighteen months ago I couldn't have told you the way the
P3P was going to work. It is hard to see into the future that
far and define the technology.
Mr. Shimkus. It is very hard for politicians who are not
working in engineering to make those determinations.
Mr. Hsu?
Mr. Hsu. Well, the technologies you have heard about today
can do things like protect you from cookie profiling or protect
your data by encryption. But I think the key point is that if I
make a transaction with Amazon, they know who I am, they know
where I live, they have my credit card number. It is stored in
their data base.
I cannot develop any technology that protects that data
once Amazon has it, and that is the province of legislation.
Mr. Shimkus. Thank you, Mr. Chairman. I yield back.
Mr. Stearns. Thank you.
We have completed our questions. Oh, yes. Sure.
Mr. Towns. One quick question.
Mr. Stearns. Yes, Mr. Towns?
Mr. Towns. Mr. Schwarz, you indicated in your testimony
that the technology currently used to protect intellectual
property could also be used to protect government documents and
records. Could you explain how this technology could benefit
consumers by protecting medical, financial records, and also
just personal information?
Mr. Schwarz. Absolutely, Congressman Towns. The fundamental
technology which we deploy is based on encryption. We place the
document in question into an encrypted envelope, and there is a
key assigned to that envelope, and the key is the private
property of the person that is designed or destined to be the
recipient of that document.
And so the key and the document are always in the hands of
that one individual that has been authorized to get access. And
that technology can be applied to any document, whether it is
medical information, whether it is financial information,
whether it is music, or whether it is video.
Mr. Stearns. And I thank panel No. 1 very much. I know how
valuable your time is. And we appreciate your answers, and we
look forward to continuing our discussion with you.
And now I will ask panel No. 2 to come forward. While panel
No. 2 is coming forward, I would point out to my colleagues and
to the audience that what has been alluded to by Webwasher is
what I guess they have called contextual content. But this is
really the start of artificial intelligence.
And what Mr. Hsu has mentioned, that Moore's Law has been
applying to chips, it is also applying to broad band and
storage. And so the analyzing, the storage, and all of this is
moving so rapidly that these logarithms that are going to be
created thereby where they will make decisions based upon
millions and millions shades of meaning, you will make a
contextual content decision which ultimately will be artificial
intelligence, which they will be able to determine whether to
block out something or not. And I think that alone is pretty
interesting in itself.
Now, panel No. 2 is Mr. Trevor Hughes, Director, Privacy
Compliance, Engage, Incorporated; Mr. Jerry Cerasale, Senior
Vice President, Government Affairs, Direct Marketing
Association, Incorporated; Mr. Steven J. Cole, Senior VP and
General Counsel, Corporate Secretary of the Council of Better
Business Bureaus, Incorporated; and Mr. Jerry DeVault, National
Director, Innovative Assurance Solutions, Ernst & Young. We
also have Mr. Marc Rotenberg, Executive Director, Electronic
Privacy Information Center, Washington, D.C.
What we have here is a decision as to whether to start here
with our opening statements. It is quarter after 12. I always
believe in just moving ahead, so we will just start with the
first opening statement, and we will just continue on and we
will break in about--a little after 7 or 8 minutes, and
hopefully then we will come back after lunch and--we have one
vote now, and then we have another vote in about 45 minutes to
an hour.
So we will start with the opening statements, if you folks
are all set up and you are ready with your demonstration. Is
that Okay? Okay. I can't see your name tag. Just move it to the
left. Yes. Mr. Hughes, why don't you start?
STATEMENTS OF J. TREVOR HUGHES, DIRECTOR, PRIVACY COMPLIANCE,
ENGAGE, INC.; JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT
AFFAIRS, DIRECT MARKETING ASSOCIATION, INC.; STEVEN J. COLE,
SENIOR VP AND GENERAL COUNSEL, CORPORATE SECRETARY OF THE
COUNCIL OF BETTER BUSINESS BUREAUS, INC.; JERRY R. DEVAULT,
NATIONAL DIRECTOR, INNOVATIVE ASSURANCE SOLUTIONS, ERNST &
YOUNG; AND MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Hughes. By all means. Mr. Chairman, members of the
committee, good----
Mr. Stearns. If you don't mind just moving it as close as
possible to you.
Mr. Hughes. Absolutely. Good afternoon. My name is Trevor
Hughes, and I am Director of Privacy at Engage. Engage is an
online media company. I am speaking today on behalf of the
Network Advertising Initiative. Engage is a member company of
the Network Advertising Initiative.
The NAI is comprised of six online advertising companies,
such as Doubleclick, Engage, Avenue A, L90, Advanced Logic, and
that is it. We, as a group, represent to our belief
approximately 90 percent of the third party ad networks online
today.
What we do is provide services to both advertisers' and
publishers' websites online. We help to get advertisements to
websites, and we help websites to monetize the advertising
inventory that they have on their sites. One of the things that
we do in this process is online preference marketing, otherwise
known as profiling.
Profiling is the practice of viewing the click stream
habits of a browser as it goes from site to site within any one
of our members' networks. We, as a group, recognize that there
are significant consumer privacy issues associated with this
practice, and, as a result, almost 2 years ago now began a
process of developing principles in conjunction with the FTC
and the DOC, the Department of Commerce, to provide standard
guidelines for our industry in regards to online preference
marketing or profiling.
Those principles were released last July, almost a year ago
now, and we are very proud of them. We have been working for a
year under those principles. The principles, at their heart,
require notice and choice. They require that our members
provide notice through the thousands of websites that we
represent, and also that we provide choice, various different
forms of choice depending on the context of the data that we
are gathering.
What I would like to talk to you today about is one of our
most recent announcements, and that is of a gateway website
that we launched just last month. This gateway website provides
a number of important things to consumers. First of all, and
perhaps most important, it provides a global opt out, a single
opt-out source, where you can go and opt out of the online
preference marketing practices of all six members.
You can see here the home page of the NAI, the Network
Advertising Initiative. And in the bottom left corner of the
screen is the opt out. That button will take you to a page that
describes the process of anonymous profiling. Anonymous
profiling is one of the categories of online preference
marketing discussed under the NAI principles. Anonymous
profiling, or non-PII as we call it, does not involve any
personally identifiable information. In other words, we don't
know who you are. We don't have your name or your address or
your phone number or your credit card number. We don't have any
identifiable information.
Rather, what we have is information about your visit to a
certain site. Now, consumers may not want to have that
information gathered. For that reason, we provide an opt out.
This opt out is on this page. And as you scroll down, you can
see each company has a description of their practices, and then
a check box where you can select the opt-out option. You can
say that you would like to opt out.
Once you have done that, you have gone through the six
companies, I have checked off two in this example here--Engage
and L90--you get a confirmation page. The confirmation page
tells you, indeed, that you have opted out. You can see green
checkmarks indicating that the opt out was successful for both
Engage and L90.
We found that this is a very powerful tool for consumers.
And in the 1 month that the NAI gateway has been up, we have
had 30,000 visits to the website, and approximately 17,000
unique opt-outs at the website.
Not only do we provide a confirmation at the time that you
opt out, but you can also come to the site at any time to
verify what types of cookies you have on your browser from NAI
member companies. The verify function on the site is very
powerful. You can see I ran it here just the other day. And
what it does is it looks at your browser and tells you what
types of cookies you have on your browser.
You can see for most of the members there is no cookie on
this browser. Doubleclick has an active cookie. And because we
have just opted out of Engage and L90, we have opt-out cookies
from both Engage and L90. The combination of the opt out, the
confirmation, and the verify functions we feel provide really
significant--really significant consumer protection around
notice and choice.
The other thing that I would like to speak to you about
just briefly is the third party enforcement program that we
have announced and also released. We have an independent audit
firm, Arthur Andersen, now known as Andersen, and Andersen
actually audits every member, or actually every member is
responsible for obtaining an audit, whether through Andersen or
another audit firm.
Andersen also manages a compliance program for us, where
consumers can go to this site, which is accessible through the
NAI site, and actually file a complaint. There is a fairly
simple process that they can go through by entering some
information about what their complaint is, the member that is
involved, and Andersen will investigate those complaints.
Andersen also fully describes the complaint process.
After an investigation, if Andersen feels that action is
warranted it has a number of options available to it. It can
expel a member from the compliance program and remove the
compliance seal that Andersen offers. It can also notify the
FTC. And through the Andersen website that we see here, it can
also provide notice that the member has been expelled from the
program.
In summary, we feel that the NAI has truly worked
diligently over the past 18 months or so to develop a series of
protections and self-regulatory standards that are meaningful
and substantive. And the combination of our global opt-out and
the enforcement program offered through Andersen we feel really
do offer significant protections for consumers online today.
[The prepared statement of J. Trevor Hughes follows:]
Prepared Statement of J. Trevor Hughes, Director of Privacy, Engage,
Inc.
Mr. Chairman and Members of the Committee, I want to thank you for
inviting me to testify. My name is Trevor Hughes, and I am the Director
of Privacy for Engage. Engage is an Internet marketing and advertising
services company that provides strategic marketing solutions to
companies both online and offline. We were founded in 1995 and
currently operate as a majority-owned operating company of CMGI.
I'm here today representing the Network Advertising Initiative, an
industry group comprised of the leading Internet advertising companies
formed to address consumer privacy concerns. The NAI companies
represent more than 90 percent of the third-party Internet advertising
industry in terms of revenue and numbers of ads served. At the request
of the Federal Trade Commission and the Department of Commerce, we
formed the NAI to develop self-regulatory principles that would govern
the practice of online preference marketing, or so-called ``profiling''
practices.
Mr. Chairman, as you know, the NAI announced its self-regulatory
principles in July of last year after months of intensive consultations
with the Federal Trade Commission and Commerce Department. The Internet
advertising industry, and more specifically, the online preference
marketing industry, needed to adopt ``rules of the road'' for its
information practices to satisfy legitimate user concerns about
privacy. For the industry to write these rules in a manner that would
gain public confidence, the NAI needed the guiding hand of public
officials. The talks between the NAI and the federal government were
tough but fair, in that the industry had to make a number of important
concessions. Ultimately, we were pleased that the NAI could develop
industry self-regulatory guidelines that are meaningful and real and
which the FTC and Clinton Administration could and did unanimously
applaud.
The NAI principles deal with the practice of Online Preference
Marketing. We define this as ``data collected over time and across web-
sites, which is used to determine or predict consumer characteristics
or preferences for use in ad delivery on the Web.'' In other words, we
try to figure out that which is the best ad to play to a consumer at a
given point in time. This benefits the consumer, because they receive
banner ads more relevant than would otherwise be the case. It also
benefits the advertiser, because their advertising dollars are spent
more effectively. Perhaps most important, this presentation of relevant
advertisements allows many Web sites to gain a better return on their
advertising space than they would in an untargeted environment.
Collectively, our job is to make the Internet a more efficient and
competitive advertising medium that will further stimulate the growth
and viability of the Internet as a source for free or reduced-price
content and services. Many web sites depend on our services to be
competitive today.
Although OPM can be, and often stays, strictly anonymous, there are
valuable consumer services that can be offered by linking OPM data to
PII in an environment where consumers are given the option to choose
whether the combination of that data takes place. The NAI principles
lay out the ground rules and safeguards for the collection and use of
Non-PII, the collection and use of PII, and the merger of PII with Non-
PII.
In summary, here are the guidelines:
For Non-PII, we require notice and choice. NAI members must
disclose their OPM practices through their web sites and through the
NAI gateway web site, and in addition, where possible, they must
contractually require their web-sites partners to disclose the
collection of Non-PII for OPM. NAI members provide mechanisms for
consumers to opt-out from the use of Non-PII for OPM through their
respective web-sites and through the NAI gateway web-site.
For PII, we require that NAI members follow the Online Privacy
Alliance (OPA) guidelines for Online Privacy Policies. These policies
require the adoption and implementation of a privacy policy, and that
notice and choice be afforded. In addition to and above the
requirements of the OPA guidelines, NAI members will not use any
sensitive personally identifiable data for OPM, that is, we have banned
the use of any personally identifiable information about sensitive
medical or financial data, sexual behavior or sexual orientation, or
social security numbers for OPM.
For the merger of non-PII with PII, we have two scenarios. The
first case is where PII is linked with previously collected Non-PII. In
this case NAI members will not, without prior affirmative consent
(``opt-in'') merge PII with previously collected Non-PII. The second
case is where PII will be merged with Non-PII for OPM purposes on a
going forward basis. In this case NAI members will provide consumers
with robust notice and choice.
The NAI principles include several examples of what would be
considered robust notice for each of these scenarios.
The NAI principles commit NAI to develop a web site where consumers
can go to ``opt-out''. We have done so and launched the site in May.
Any consumer can today visit www.networkadvertising.org and opt-out for
any or all of the NAI member ad networks. We think this is a very
useful tool for consumers, and more than 30,000 consumers visited the
site during its first week of operation.
The NAI members also have agreed to establish a third-party
enforcement program, and we have retained Arthur Andersen and have
completed that task as well. I have attached a copy of the Andersen
Compliance Program document, which describes in detail all the various
elements of this independent enforcement mechanism.
Andersen has launched a website--www.andersencompliance.com--where
consumers can go to complain about failures to comply with the NAI
Principles. If Andersen finds these complaints to be valid, Andersen
can launch an investigation of any NAI member. And if Andersen finds
that a Member refuses to comply with the Principles, then Andersen will
remove the NAI member from the program, which means that the Member may
no longer display the NAI seal. Moreover, in such an instance Andersen
will notify the Federal Trade Commission with a summary of the
complaint, its investigation and the failure of the Member to comply.
Finally, the NAI members strongly believe that industry,
government, consumer, and advertiser pressures to set and maintain high
standards for privacy will render participation in the NAI all-but-
mandatory for all network advertisers.
We believe strongly that these principles represent a reasonable
and workable self-regulatory approach that satisfies the needs of
Internet commerce and advertising while addressing appropriately user
concerns about privacy.
In conclusion and to summarize, the NAI self-regulatory principles
are designed primarily to accomplish two things: first, to force
advertisers and web-sites where ``profiling'' occurs to post notices
that are strong and clear, and second, to make it easy for users to
opt-out. Under these principles, NAI companies agree to afford
consumers with important notice disclosures and appropriate methods of
choice for participation, while at the same time one of the main
engines behind this nation's booming new economy, the Internet, can
continue its remarkable growth and improve as a provider of free and
reduced-price content.
These agreements attested to by the signatories of the NAI
Principles represent unprecedented levels of user privacy protections.
Because of the contractual reach of these NAI companies across
literally thousands of Web sites, the NAI Principles already have had a
broad impact on Web privacy. We are very proud of these two new
websites for consumers--the NAI site and the Andersen site--and we
encourage you and your staff to visit these sites and give us your
feedback, as we continue to refine the NAI program.
Mr. Chairman, on behalf of the NAI, I want to pledge that we will
continue to work with the FTC, the Commerce Department and you and
members of your staff to ensure that these self-regulatory principles
live up to their promise.
Thank you, and I look forward to any questions you may have.
Mr. Stearns. I thank Mr. Hughes.
Mr. Cerasale?
STATEMENT OF JERRY CERASALE
Mr. Cerasale. Thank you, Mr. Chairman. Jerry Cerasale, the
Senior Vice President for Government Affairs for the Direct
Marketing Association. It is an association of companies with
about 5,000 members who market goods directly to consumers and
to businesses.
Basically, that type of marketing requires trust. If you
buy something without touching it, you paid for it before you
receive it. And in the United States, it is about $1.7 trillion
in sales a year. About $1 trillion of it is business to
consumers.
The DMA tries to build that trust through education,
supporting technology, creating privacy policy generators for
online marketers, self-regulatory guidelines, ethics
procedures, etcetera. And these are all outlined in my written
testimony, which I hope will be included in the record.
I want to focus today on the DMA's privacy promise to
American consumers, and I think they are putting up a chart
which kind of explains it. Every member marketer of the DMA
marketing to consumers must agree to this promise and reconfirm
it annually, regardless of the medium, whether it is mail,
telephone, or the internet.
What does it require? It requires you to tell people if you
are sharing their information, marketing information with
others. You have to tell them.
Second, you have to give the consumers a choice to say no,
they don't want you to share it, and to honor it.
The third one is if somebody tells you, listen, I am a
customer of yours, but I don't want you to send me any more
information via phone, telephone, whatever, phone, mail, or e-
mail, you have to honor that as well.
And the fourth thing is you have to use the preference
service, the suppression list that the DMA has. We have three
of them--the mail preference service, which has been in
existence since 1972. There are 4 million people on that list.
The telephone preference service has been in existence since
1985, 4 million again. By the way, the telephone preference
service is the do not call list for the State of Connecticut,
will be the do not call list for the State of Wyoming on July
1, and will be the do not call list for the State of Maine on
August 1.
And we also have an e-mail preference service, which we
started after Y2K, which has 50,000 names on it at the moment.
These services have to be used to eliminate the name, address,
e-mail address, phone number, whatever, from any marketing
campaign that a marketer has going out to try and find new
prospects.
So this, in a sense, is a do not contact me list based upon
the type of medium you use. It is free to consumers. Marketers
do have to pay to subscribe. But it is $460 a year, and it can
be subscribed to by a letter shop, which will clean up all of
the lists for anyone using that shop. So one subscription can
be used for a significant number of marketers. The EMPA--to get
on that list, go through E-MPS.org, and you can sign up right
online.
Now, what happens here with this? Well, we have staff in
Washington that just deal with compliance for the privacy
promise. So they are doing checks to make sure people are, in
fact, following what they promised.
The mail preference service, telephone preference service,
and e-mail preference service also are seated to ensure that
someone isn't using that list for marketing as opposed to
suppression. And we do get after people there through contract,
etcetera.
But we also have a process at the DMA, the Committee on
Ethical Business Practices, which reviews all DMA guidelines,
not just the privacy promise. We work for correction. It is
self-regulatory. We work to correct things to make it better,
to stop what they are doing or correct what is happening which
we think violates our guidelines, including the privacy
promise.
If you refuse to work with the DMA to correct it, we have a
couple of things that we can do. We have the potential of
public dismissal, and for the privacy promise we have an
antitrust exemption from the FTC. Or we can refer the question
to the appropriate law enforcement agency, be that the FTC, the
Postal Inspection Service, State Attorney General, the FCC if
it has to deal with telephone.
That is our promise. That is what we try and do. We have a
process already set up. We do a significant amount of
education, because we think it is important to provide
consumers with choice, with ability to control their
information, because you cannot have direct marketing without
information.
I have to have your name and address to provide to you the
good that you purchased. I have to have a means to collect
payment, most likely a credit card, to be able to do it. So
direct marketing, unlike going to a mall and paying cash,
requires information, and we have to have that consumer trust.
Thank you. I am ready to answer any questions.
[The prepared statement of Jerry Cerasale follows:]
Prepared Statement of Jerry Cerasale on Behalf of The Direct Marketing
Association, Inc.
I. INTRODUCTION.
Good morning, Mr. Chairman, and thank you for the opportunity to
appear before your Subcommittee as it examines industry best practices
and technological solutions for information privacy. I am Jerry
Cerasale, Senior Vice President of Government Affairs for The Direct
Marketing Association, Inc. (``The DMA''), the largest trade
association for businesses interested in online and offline direct,
database, and interactive marketing and electronic commerce.
The DMA represents nearly 5,000 companies in the United States and
53 foreign nations. Founded in 1917, its members include direct
marketers from every business segment, as well as the non-profit and
electronic marketing sectors. Included are catalogers, Internet
retailers and service providers, financial services providers, book and
magazine publishers, book and music clubs, retail stores, industrial
manufacturers, and a host of other vertical segments including the
service industries that support them.
The DMA's leadership also extends into the Internet and electronic
commerce areas through the companies that are members of The DMA's
Internet Alliance and the Association for Interactive Media. Members of
The DMA include L.L. Bean, Time Inc., Dell Computer, Gateway 2000,
DoubleClick, autobytel.com, BMG Direct, Charles Schwab & Co., Lucent
Technologies, eBay, Acxiom, AT&T, AOL TimeWarner, IBM, MCI WorldCom,
and others.
The DMA is a long-time leader in self-regulation and peer
regulation. DMA member companies, given their track record in
delivering high quality goods and services to consumers, have a major
stake in the success of both online and offline commerce. The healthy,
continued development of brick and mortar, catalog, and electronic
commerce depends on consumer trust. It is important that these online
and offline communications mediums engage in transparent marketing
practices to earn that trust.
Members of The DMA are held to effective industry standards. It is
these practices that I wish to focus on in my testimony today, which
will place into clearer focus the state of the direct marketing
industry's best privacy practices. The DMA's best practices include:
Several DMA programs which are essential to protecting privacy
online that, when created, were ahead of their time, and are
now industry tools and common best practices;
The DMA's self-regulatory Ethical Business Practice Guidelines
which protect consumers privacy by addressing complaints
concerning practices contrary to the Guidelines;
A new DMA program that will satisfy the enforcement
requirement of the U.S.-E.U. Safe Harbor to the European Data
Directive;
Several technology solutions supported by The DMA which will
help consumers to choose and enforce how their personal data is
collected and used by businesses; and
Important DMA public education initiatives which help the
government, businesses, and, most importantly, consumers to
better understand the information collection process.
II. THE DMA'S BASIC ONLINE AND OFFLINE PROGRAMS.
The DMA's members understand and respect the privacy needs of
consumers, can react much faster than the government to new conditions
in the marketplace, and therefore has developed a self-regulatory
response to privacy. For decades, The DMA and its members have worked
to develop effective consumer notice and choice practices as a
fundamental element of self-regulation.
Below is a brief description of The DMA's business practice tools
created to incorporate both notice and choice elements and to bolster a
responsible exchange of consumer information.
A. The DMA's Privacy Promise.
The DMA is providing leadership in the offline and online worlds
through the ``Privacy Promise to American Consumers,'' (``Privacy
Promise''), which became effective July 1, 1999. The Privacy Promise
requires, as a condition of membership in The DMA, that companies,
including online businesses, follow a set of privacy protection
practices:
Providing customers with notice of their ability to opt out of
information exchanges for marketing purposes;
Honoring promptly individual requests to opt out of the sale,
rental, or exchange of their contact information to third
parties for marketing purposes;
Accepting and maintaining consumer requests to be on an in-
house suppress file to stop receiving unwanted commercial
solicitations; and
Using The DMA Preference Service suppression files, which
exist for mail, telephone, and e-mail lists.
Members are permitted to display a recognizable ``seal'' that
assures consumers of a company's commitment to privacy protection.
B. The DMA's Privacy Principles and Guidance for Marketing Online.
The DMA is also providing leadership in the online world. The DMA's
Privacy Principles and Guidance for Marketing Online (``Online
Guidelines'') explain and highlight issues unique to online and
Internet marketing. When marketing online, companies are advised that
the notice they provide to consumers regarding their information
practices be placed in a prominent place. The notice should state
whether the marketer collects personal information online from
individuals, provide certain disclosures, identify the marketer and
provide an e-mail, postal address, and telephone number at which the
marketer can be contacted. Marketers sharing personal information
collected online are also required to provide consumers with an
opportunity to opt out from the rental, exchange, or sale of this
information for commercial purposes.
For online e-mail solicitations, The DMA Online Guidelines state
that member solicitations should be clearly identified as such and
disclose the marketer's identity. Marketers using e-mail are required
to furnish consumers, with whom they do not have an established
business relationship, with notice and a mechanism through which
consumers can notify the marketer that they do not wish to receive
future online solicitations.
C. The DMA's Preference Services.
The DMA has developed services to assist our members in adhering to
our primary values of notice and consent. The DMA offers three
different preference services for various mediums that empower
consumers with effective choice: (1) the Mail Preference Service
(``MPS''); (2) the Telephone Preference Service (``TPS''); and (3) the
e-Mail Preference Service (``e-MPS''). Use of these services by member
companies that market to consumers is required as a part of the Privacy
Promise. To protect against abuse of these Preference Services, The DMA
seeds and constantly monitors these lists.
1. Mail Preference Service.--In 1971, The DMA launched the MPS. The
MPS gives consumers the power to choose whether to receive promotional
mail at home. Those who wish not to receive promotional mail at home
can register with The DMA's MPS by providing a name, home address, and
signature by mail, at no cost, or online via the DMA Consumer Help Web
site. Once a consumer's name and home address is added to the list, it
remains on the list for five years. Consumers are informed about the
availability of this service through state and local consumer agencies
and print and broadcast advertising.
2. Telephone Preference Service.--Similar to the MPS, The DMA
created the TPS in 1985 to honor consumer choice in telemarketing. TPS
is a consumer service that is easy to use and offered at no cost. To
register with TPS, individuals need only provide a name, home address,
home telephone number, and signature, by either mail or via The DMA
Consumer Help Web site. Afterwards, individuals' names will remain on
the TPS list for five years.
The DMA is also the official distributor of the do-not-call list of
the States of Connecticut, Maine, and Wyoming. All of the names found
on these three States' do-not-call lists have been incorporated into
The DMA's TPS file.
3. e-Mail Preference Service.--In further developing responsible
marketing practices for the Internet age, we adapted the fundamental
principles of the MPS and TPS to create the e-MPS. The DMA's e-MPS
similarly empowers consumers with notice and choice concerning the
receipt of unsolicited commercial e-mail (``UCE''). Launched last year,
the e-MPS allows individuals to remove their e-mail addresses from
Internet marketing lists. This ambitious undertaking is aimed at
empowering consumers to exercise choice regarding receipt of UCE, while
creating opportunity for the many exciting new benefits of legitimate
marketing in the interactive economy.
Since January 2000, consumers have been able to register for the e-
MPS at a special DMA Web site. Consumers can use this service, at no
cost, to place their e-mail addresses on a list indicating that they do
not wish to receive UCE. This service affords consumers the flexibility
to determine the types of solicitations they receive. Through this
service, individuals can opt out of business-to-consumer UCE, business-
to-business UCE, or all UCE.
Consumers on the e-MPS list will receive no e-mail from DMA members
unless they have an established online business relationship with that
company. This service also is available to companies that are not
members of The DMA so that they too may take advantage of this
innovative service and respect the choice of consumers who choose not
to receive UCE.
D. The DMA's Privacy Policy Generator.
Another effective DMA program developed to help members provide
effective notice and choice to consumers is The DMA's Privacy Policy
Generator. This tool, available at The DMA's Web site, allows companies
to create and post effective privacy policies.
The DMA's Privacy Policy Generator (http://www.the-dma.org/
policy.html) enables companies, through a series of questions, to
develop customized privacy policies for posting on their Web sites
based on the companies' policies regarding the collection, use, and
sharing of personal information. The utility of this tool, and the ease
with which it is used, is demonstrated by the hundreds of companies
that have used it and sent these policies to The DMA for review.
E. The DMA's Children's Privacy Policy Generator.
Similarly, The DMA created the Children's Privacy Policy Generator,
which allows direct marketers to create and post effective children's
privacy policies. This tool can be used by marketers to help them
comply with the requirements of both the Children's Online Privacy
Protection Act (``COPPA'') and the Federal Trade Commission COPPA Rule
that implements the Act.
The DMA's Children's Privacy Policy Generator is easy to use and
guides marketers through an online step approach through which
marketers answer a series of questions. From these questions, marketers
are able to determine which disclosures they need to make in the
privacy policies posted on their Web sites based on their information
practices.
III. THE DMA'S ETHICS GUIDELINES.
The DMA's self-regulatory guidelines and procedures provide a
comprehensive and meaningful approach to addressing consumer privacy.
At the cornerstone of the DMA's self-regulatory approach are The DMA's
Guidelines for Ethical Business Practice (``Ethical Guidelines'' or
``Guidelines''). These Ethical Guidelines were adopted to aid its
members and others engaged in direct marketing in determining ethical
conduct in dealing with customers and other businesses which will be in
the best interest of their customers. The DMA has undertaken extensive
efforts to ensure that its members market ethically for the protection
of consumers. Indeed, on a daily basis, The DMA gives its members
advice on how to ensure that they are complying with its Guidelines.
In an effort to strengthen sound business practices in the
marketplace, The DMA established the Committee on Ethical Business
Practice to review direct marketing promotions and practices that may
violate the Ethical Guidelines. The Committee reviews potential
Guidelines violations of both association members and non-members. The
Committee has applied the Ethical Guidelines to hundreds of direct
marketing cases concerning deception, unfair business practices,
personal information protection, and other ethics issues.
A. The Process.
The Committee receives promotions and practices for review in a
number of ways: through consumers, member companies, non-members, or
sometimes consumer protection agencies.
If the majority of the Committee believes that the promotion or
practice brought to its attention potentially violates the Guidelines,
DMA staff contacts the company and points out the potential Guidelines
violation. The company is then given an opportunity to respond. If the
Committee does not believe the promotion violates the Ethical
Guidelines, the case is closed and the company is not contacted again.
Cases closed without company contact are handled confidentially.
Most companies cooperate with the Committee's efforts and agree to
modify the questioned promotion or practice. Because cooperation with
the Committee and compliance with The DMA's Ethical Guidelines are
voluntary, a confidential and meaningful dialogue about the particular
promotion or practices usually occurs, and the Committee and the
company are typically able to reach a satisfactory conclusion.
In those cases where the Committee is successful in obtaining the
company's cooperation to change the promotion or practice, or where the
Committee is persuaded that the violation did not take place, the case
proceedings remain confidential. The confidentiality protects all
parties and helps ensure that the Committee's goal of obtaining
compliance with the Guidelines is met.
In those rare instances where the Committee cannot come to a
satisfactory resolution with a member or non-member company, that is,
the Committee believes that the violations are continuing, the case may
be referred to The DMA's Board of Directors for further action. Cases
referred to the Board of Directors are made public by the Committee.
Board action could include censure, suspension of membership or
expulsion from the DMA. The Board may also decide to publicize its
action. Companies with promotions or practices that are found to
violate the law in addition to the Ethical Guidelines are referred to
appropriate law enforcement authorities for handling.
The Guidelines have proven to be an effective means of ensuring
ethical marketing practices by non-members as well. Although non-
members are not bound by The DMA Ethical Guidelines, it has been our
experience that non-member companies comply with Guidelines and
policies so as to comport with industry standard practices. The net
effect is to increase good business practices for the industry and to
increase consumer confidence in the marketplace. In addition, where a
non-member company's practice is illegal, we are able to refer the case
to the appropriate federal and/ or state law enforcement authority.
B. The Committee on Ethical Business Practice's Regulatory Approach.
The DMA's self-regulatory approach has proven successful in
addressing complaints regarding practices contrary to The DMA's Ethical
Guidelines. Working with both members and non-members, The DMA has
gained voluntary cooperation in adhering to these Guidelines. As a
result of The DMA's efforts, many companies have reformed their
practices in areas such as sweepstakes, predictive dialing, unsolicited
faxes, and e-mail to address the concerns raised by activities that are
violations of the Guidelines.
IV. THE DMA SAFE HARBOR PROGRAM FOR EUROPEAN DATA.
On May 22, 2001, The DMA became the first trade association to
provide a European Union Safe Harbor Enforcement Program (``DMASHP'' or
``Program'') at no cost to its members. The DMASHP, which is an
effective way for U.S. firms that choose to comply with European Union
(``E.U.'') data export regulations.
This Program is aimed at compliance with the enforcement element of
the Safe Harbor Principles. Technical assistance and educational
materials will be provided through the DMASHP to assist participants
throughout the process for meeting the Safe Harbor requirements. To
provide consumers with an easily recognizable symbol that signifies and
distinguishes a Program participant as being in compliance with the
Program, The DMA also created an easily recognizable DMASHP mark.
The Third Party Dispute Resolution Mechanism is a major component
under the DMASHP that provides businesses seeking to certify under the
Safe Harbor with an independent third-party dispute mechanism that
complies with the Safe Harbor enforcement requirements. The Safe Harbor
requires that the dispute resolution mechanism be readily available to
consumers, affordable, and be able to ensure compliance with the Safe
Harbor privacy protections. The DMASHP:
provides a fair and unbiased redress of the consumer's
concerns;
is visible so that consumers with concerns know where to turn
for resolution of their problem;
is accessible so that there are no barriers to the filing of a
complaint, whether they be financial or otherwise;
provides resolution in a timely manner;
provides finality for the consumer by reaching an independent
determination of the dispute; and
provides enforceability of the final conclusions in the
determination of the consumer's dispute.
The DMA also created a DMASHP Committee (``Committee''), which has
the power to hear both sides of a dispute and provide a final
determination. As mentioned above, when businesses join the DMASHP,
they are required to abide by the decisions of the Committee. They are
also notified in the DMASHP contract that the Committee will have the
authority to issue certain sanctions as a result of their decision. The
lynchpin to any dispute resolution mechanism is that it be impartial.
One way to ensure impartiality is to ensure openness of the results of
the program by publishing the outcomes of the cases on a regular basis
and for The DMA's staff to be constantly vigilant that the results are
fair and legal.
Overall, this Program will provide consumers with an easy method to
bring their disputes before the Committee. It is the goal of the
Program to obtain a determination of all cases in a quick and timely
manner, but in no case longer than 60 days.
V. TECHNOLOGY SOLUTIONS.
Technology is playing an increasingly important role in helping
users determine and enforce the ways that information about them is
used and collected. The DMA and marketers have been, and continue to
be, instrumental in the development of this important technology by
encouraging, supporting, and indeed helping to develop and promote,
such software.
Since its inception, The DMA has been involved in an initiative
that supports this concept--the Platform for Privacy Principles
(``P3P''). This initiative, undertaken by the World Wide Web
Consortium, has developed a ``negotiation'' approach for protecting
privacy. A broad coalition of information providers, advertising and
marketing specialists, software developers, credit services,
telecommunications companies, and consumer and online advocates worked
together on P3P to achieve a technological solution that will protect
privacy without hindering the development of the Internet as a civic
and commercial channel. P3P allows a user to agree to or modify the
privacy practices of a Web site, and be fully informed of the site's
practices before interacting with or disclosing information to a site.
There also have been several announcements by companies in the last few
months of other commercial products that will empower consumers with
respect to privacy online. As technology continues to improve, so will
consumer empowerment tools. We support the continued responsible use of
this cutting-edge solution as Congress, businesses, and consumers
evaluate it.
VI. PUBLIC EDUCATION.
Another important part of The DMA's efforts is spent in educating
consumers and businesses about the numerous DMA programs that are
available to them. The DMA has a vital interest in educating its
members and the general public about the responsibilities of people who
collect and use data, as well as the process. We take great pride in
our education initiatives, because through them individuals and
businesses will better understand the potential benefits of
interactivity and the choices individuals have to control information
that they submit to these businesses. Therefore, The DMA has developed
a Web page devoted to privacy and launched its Privacy Action Now
initiative.
The DMA has also made a special effort to empower children,
parents, educators, and librarians by establishing its http://
www.cybersavvy.org Web page for them and providing them with tools,
information, and resources to ensure safe Web surfing. Additionally, we
have produced a ``hard copy'' version of the Web site, Get CyberSavvy.
Get CyberSavvy has the distinction of being awarded first place honors
for excellence in consumer education by the National Association of
Consumer Affairs Administrators.
VII. CONCLUSION.
The DMA is a long-time leader in the marketing industry's self-
regulation and peer regulation. For decades, we have worked to develop
practices that will address and protect consumer privacy. We understand
that our online and offline worlds are more dynamic than ever and will
continue to develop effective business practices in a timely manner to
address consumer concerns as these mediums evolve. We congratulate the
Subcommittee for taking a closer look at the industry's best practices
and technology solutions and look forward to working with the
Subcommittee.
[The information on DMA is retained in subcommittee files.]
Mr. Shimkus [presiding]. Thank you. Right on time.
Next, we will turn to Mr. Cole, Senior Vice President and
General Counsel for the Corporate Secretary of the Council of
Better Business Bureaus, Incorporated. Welcome, and you have 5
minutes. And your full written testimony is already submitted
in the record.
Mr. Cerasale, your request was granted to put all of that
into the record.
STATEMENT OF STEVEN J. COLE
Mr. Cole. Thank you very much, and good afternoon. I
actually said good morning in my notes, but change that.
Now, you know the Better Business Bureau well, our almost
universal brand recognition and our reputation for impartiality
in the marketplace. BBB online operates two so-called trust
mark or seal programs, reliability and privacy, and both are
designed to help consumers identify companies safe to do
business with online by looking for sites with one of our trust
marks or using our search mechanism to find those sites.
It was our reputation and experience with self-regulation
that led the business community to ask us to create an online
privacy program. And the phrase ``self-regulation'' is not
boilerplate to us. We take it seriously. Our program standards
were formulated voluntarily, sleeves rolled up in work sessions
by a working group of about 30 of the most important
technology, consumer product, financial service, and
information companies in the United States.
Since our 1999 launch, we have received over 1,500
applications from over the United States and from 20 countries,
and we have awarded seals covering over 800 websites. And there
are now 1,000 sites that are either qualified or in the process
of qualifying.
We need to expand our reach, and I will touch on that
later, but we do reach companies with a huge share of the
market--high-tech companies like Hewlett-Packard, Intel, and
Agilent; communications companies like AT&T and MCI; and travel
services like American Airlines and Expedia; retailers like
Lowe's and Fingerhut; entertainment companies like Lucas Films
and Nickelodeon; and information companies like Dun &
Bradstreet; and consumer goods firms like Procter & Gamble and
Nestle.
In addition, our reliability trust mark now displayed on
about 10,000 websites will soon require, among other things,
that online advertisers post and adhere to fair information
principles. And this will apply to these 10,000 sites whether
or not they participate in our separate privacy seal program.
Now, our program that I am here to talk about today covers
the collection of personal information online, although a few
of our seal holders, such as Tupperware, apply their policies
to all information collected, both online and offline.
Disclosure is the cornerstone of our program. We want a
transparent environment with no surprises. And one of our key
requirements calls for easy-to-find, easy-to-read notices which
tell consumers the types of information collected, how their
information will be used, the choices available in preventing
these uses, and how the consumer could access information and
make corrections.
We require the notices be placed wherever personal
information is collected at the site, so that consumers are
informed at the right place and the right time about the
consequences of their actions, although some of our seal
holders like Xerox go further and put the notice on virtually
every page.
Mr. Chairman, there has been recent critical media coverage
of the complexity of some privacy notices, and we think it may
miss an important point. There is a very delicate balance to
draw between simple disclosures that may not tell the whole
story and full disclosure which does but has a lot of ifs,
ands, and buts, and definitions.
We work hard to strike that balance reasonably, and we
prefer full disclosure to the consumer with the simplest
language possible. But we don't want material information to be
hidden solely for the sake of brevity.
Privacy notices mean very little unless backed up by a
business' actual conforming practices to their notice. We use a
unique assessment tool that inquires into a seal applicant's
management processes. We ask about personnel policies and
training, about their relationship with third parties like
agents and contractors. We inquire into physical security and
electronic security procedures.
Our annual assessment process offers ongoing help and
tailored advice. Actually, we have been told that applying for
a seal is like getting a free consulting service. It is good
public policy even if it isn't the best business model.
Our program requirements include other important best
practices. Consumers must be allowed to opt out of transfers of
their personal information to third parties, and they must be
given an opportunity to opt in for certain transfers of
sensitive data, such as health care.
Seal holder websites must prominently disclose how
consumers can raise questions or complaints with the company
and with BBB online. They must participate in our dispute
resolution program, and they must afford consumers access to
personal information at a reasonable cost, not just to allow
correction of inaccuracies, but simply to inform them what is
being retained and what is retrievable about them. And some
companies like Kodak provide instant online access through
password-protected profiles.
Protection of online privacy requires a global outlook, so
our standards now incorporate the online safe harbor terms
negotiated by our government and the European Union. And I am
proud to say that EU officials have singled out BBB's program
as the most important factor in persuading them that self-
regulation could work.
We apply the safe harbor principles also to U.S.
transactions and U.S. customers. That is not done by everybody.
And we verify compliance with the requirements rather than rely
on self-certification.
On June 1 this month, I signed an agreement in Tokyo with
the Japan Information Processing Development Corporation to
launch the first ever cross-border, online trust mark program--
in this case, the reciprocal privacy seal program.
The program, with the encouragement of Japan's government,
provides for common privacy standards and recognition of each
organization's award of a seal by the other, and it provides a
co-branded privacy seal for use on the websites of either
country. And we think this is going to be a very effective way
to promote cross-border commerce.
Let me close by recognizing that there is still a large
portion of the marketplace that hasn't responded, and it is
fair to ask why this is so. One reason, we suspect, is the
marketplace is uncertain about the current legal environment.
Will there be legislation or not? Will self-regulation
technology have a role? What standards will ultimately govern?
Such uncertainty may fuel a reluctance to embrace any
particular voluntary self-regulation program. Now, this is not
to say that the business community has ignored privacy. Quite
to the contrary. But participating in a seal program is a big
commitment closely related to predictions about the future
legal framework. And, frankly, these predictions simply cannot
be safely made at this time.
Thank you for your interest.
[The prepared statement of Steven J. Cole follows:]
Prepared Statement of Steven J. Cole, Senior Vice President and General
Counsel, Council of Better Business Bureaus, Inc. and BBBOnLine, Inc.
Mr. Chairman and members of the Committee, my name is Steven J.
Cole, and I am the Senior Vice President, General Counsel, and
Corporate Secretary of the Council of Better Business Bureaus, Inc. I
am pleased to be here to speak with you about the BBBOnLine Privacy
Seal Program, one of the significant self-regulatory programs of
BBBOnLine, the Internet subsidiary of the Council of Better Business
Bureaus.
The Council of Better Business Bureaus (CBBB) is the umbrella
organization for the nation's Better Business Bureau system, which
consists of 129 local BBB's and branches and 270,000 member businesses
across the United States. The CBBB is a nonprofit business membership
organization tax exempt under section 501(c)(6) of the Internal Revenue
Code. More than 325 leading edge companies nationwide belong to the
CBBB and provide support for its mission of promoting ethical business
practices through voluntary self-regulation and consumer and business
education.
Each year, millions of consumers contact the Better Business Bureau
for pre-purchase information or for assistance in resolving marketplace
disputes. In large part, they are drawn to the BBB by its enormous name
recognition, reputation, and proven credibility. The BBB trademark is
one of the country's most widely recognized by both business and
consumers. The public looks to the Better Business Bureau for impartial
and reliable information on a broad range of companies, products and
services. We offer consumers and businesses a means to resolve disputes
through conciliation, mediation and, when necessary, arbitration.
Our name recognition, the extremely high level of trust we have
earned from the public, and our experience in operating self-regulation
and dispute settlement programs, including our previous experience with
offering another seal program in the BBBOnLine Reliability Program, are
some of the reasons the business community asked BBBOnLine to provide a
framework for self-regulation in the area of online privacy.
BBBOnLine is a 501(c)(6) tax-exempt organization, supported by
leading online marketing and technology companies in the United States.
A wholly owned subsidiary of the CBBB, BBBOnLine was established by the
CBBB and its member sponsors as a means to promote the highest ethical
business practices online through self-regulation and consumer
education and self-help measures, and thereby help to foster consumer
trust and confidence in this new market.
To help online companies distinguish themselves, BBBOnLine provides
two separate seal programs for online businesses--the Reliability Seal
Program and the Privacy Seal Program--and provides consumer information
through our website, www.bbbonline.org. Both programs emphasize the
importance of posting and adhering to a privacy notice that is based on
fair information practices which includes notice, choice, access and
security. These important privacy notice disclosures provide the
consumer with knowledge so that they may understand the company's
privacy and security practices before providing any personally
identifiable information. BBBOnLine's Reliability Program has developed
a Code of Online Business Practices which will help shape the rules of
the road for e-commerce, not only for privacy but for many other
aspects of consumer protection. This Code has become an international
model for other countries looking to advise their own online businesses
on best practices.
The BBBOnLine Privacy Program awards seals to online businesses
verified as meeting our high standards including: the posting of online
privacy policies meeting rigorous privacy principles, completion of a
comprehensive evaluation, monitoring and review by a trusted
organization, and participation in a consumer dispute resolution
system. Our goal as an organization has and continues to be providing
education for businesses and consumers on fair and honest practices in
the market place.
Our Privacy Program is a logical extension of this objective. The
Privacy Program is designed to be a user-friendly tool that helps
foster trust and confidence in online commerce and as a resource for
business as a simple, one-stop, non-intrusive way to demonstrate
compliance with credible online privacy principles.
The core of the BBBOnLine Privacy Program:
Awards an easily recognizable and affordable ``seal'' to
businesses that post online privacy policies meeting rigorous
principles, including notice to consumers, disclosure, choice
and consent, access, and security;
Offers a separate and distinct seal for sites directed at
children;
Provides a thorough and consumer-friendly dispute resolution
system;
Monitors compliance through requirements that participating
companies undertake, at application and at a minimum annually
thereafter, assessments of their online privacy practices; and,
Takes specific actions for non-compliance, such as seal
withdrawal, publicity and referral to government enforcement
agencies.
To ultimately qualify for a privacy seal, applicants must
successfully complete a comprehensive assessment process that examines
all relevant aspects of an applicant's information practices, including
privacy notice content and placement, security measures, transfer and
merger of information, access, correction; and (if the website or
online service falls within our children's guidelines) a comprehensive
set of additional children's requirements. Our assessment is an
educational tool, providing business with a template on how to
institute and maintain a credible regime promoting fair information
practices to foster protection of consumer privacy in the online world.
In the 27 months that the BBBOnLine Privacy Program has been in
operation, we have already gained much valuable experience. The
assessment process involves a careful dialog between ourselves and our
applicants, and often we find ourselves learning from each other. For
instance, in the process of evaluating the information practices of
applicants, we find that we are also educating them on the importance
of drafting clear privacy policies that disclose with sufficient
specificity what is being collected and how that information is being
used. We are talking with applicants about the necessity of providing
access to and correction of information, and simultaneously, the
importance of having in place verification methods for providing access
to only those individuals authorized to obtain it. We are educating
applicants on security measures, the many issues that arise in clearly
defining the scope of the privacy seal protections, and the best way to
protect children's privacy. In this way, we believe we are not only
certifying websites that follow the BBBOnLine criteria, but also
greatly raising the bar by giving applicants the time and guidance
needed to make them knowledgeable about the issues surrounding online
privacy.
In addition to the assessment process, BBBOnLine offers consumers
and businesses significant experience in resolving disputes. Using
BBB's dispute settlement experience, we stand ready to provide
consumers with a specialized forum to air and resolve privacy-related
disputes. We will accept complaints from both US residents and non-US
residents about companies and organizations with posted privacy notices
that misuse information or are alleged to have violated posted privacy
policies. Complaints can be about the actions of seal participants and
non-seal participants. Companies or organizations that do not cooperate
with us in a dispute resolution proceeding can, in turn, be subject to
public withdrawal of our seal and/or referral to the appropriate
government agency.
Both BBBOnLine's Privacy Program and Reliability Program are
designed to foster consumer trust and confidence on the Internet and
serve as a valuable resource for business as a simple, one-stop, non-
intrusive way to demonstrate compliance with credible online commercial
practices. As an aid to both businesses and the consumer, BBBOnLine's
privacy standards evolve over time to ensure that they incorporate the
rapidly evolving changes in this environment as well as important
governmental concerns.
As previously mentioned, the Better Business Bureau is well-known
for its role in providing consumers with pre-purchase information and
this role has become even more important with the increasing popularity
of the Internet. This medium enables consumers to shop from their home
computer instead of leaving home to visit a bricks and mortar
establishment. The appearance of a BBBOnLine seal on a website provides
consumers with a user-friendly tool because they can simply click on
the seal to confirm a company's participation in one of our programs.
This helps increase a consumer's comfort level when shopping online.
BBBOnLine also helps businesses educate their own customers. A
disclosure-based program both in process and design, BBBOnLine seeks to
create a transparent environment with no ``privacy surprises.'' We
require clear, easy to find, and easy to read privacy notices that
contain relevant disclosures. Consumers of a BBBOnLine seal holder must
be able to rely on the privacy notice, which means it must be
available, must be understandable, and must contain those disclosures
that consumers need to make informed choices about the collection and
use of their own information. Some of the key disclosures required by
BBBOnLine include:
What types of personally identifiable information are being
collected from them.
How their information will be used.
What choices the consumer has regarding the sharing of
personal information
How the consumer can access his or her personally identifiable
information to review and/or make corrections.
Recent critical media coverage of the complexity of some privacy
notices may miss an important point here--namely, that we have a very
delicate balance to draw between full disclosure, which includes
``ifs'' ``ands'' and ``buts'' and definitions because of the complexity
and diversity of the state of privacy practices and ground rules in
this country, and simpler disclosures that don't tell the whole story.
We work hard to strike that balance in reviewing applicant's policies.
We lean towards full disclosure, with an effort at using the simplest
language possible. But, we don't want important exceptions or
clarifications to be hidden for the sake of brevity.
BBBOnLine's website also serves as a great shopping aid for
consumers. One of the most popular features is BBBOnLine's searchable
database, a resource for anyone seeking out trustworthy online
businesses that have been approved by one of our seal programs. The
website also provides guidance should a dispute arise between a
consumer and a specific company. If necessary, the consumer also has
the opportunity to file a complaint against the company. Online
shoppers are increasing in numbers and these steps ensure that
confidence levels can rise at the same time.
BBBOnLine also serves as an educational resource for business, both
for those seeking a seal, and those already carrying one. As an
integral part of our application and renewal process, BBBOnLine offers
ongoing help, guidance, and tailored advice for the creation,
maintenance, and improvement of sound information policies.
This educational component for business is critical. It is rare for
us to receive an application from a business that is already 100%
compliant with our program standards. Privacy remains a new and complex
enough issue that many businesses are approaching the issue of online
privacy for the first time, and still learning how to best protect
privacy.
For instance, in our application and review process it may become
apparent that new procedures for consumer choice, access, data
security, and site design need to be implemented. Privacy notices must
often be amended to provide more meaningful and understandable
disclosures. Binding promises must be obtained to guarantee the correct
use of information.
The interactive process begins with standards that already
incorporate many of the best practices laid out by leading industry
coalitions, privacy advocates, and government bodies such as the
Federal Trade Commission.
One best practice recommended by these groups is the ability of
data subjects to not only correct their own information, but also to
later access and review their information. This is also a standard
requirement of BBBOnLine.
Another is the ability of data subjects to discern not only
``what'' information is being collected, but by ``whom.'' In the
increasingly seamless environment of the Internet, which can visually
blur the line between data collectors, BBBOnLine requires its seal
holders to provide specific disclosures when other data collectors are
incorporated into a site design, and to provide visual cues and
disclosures when there are links to outside parties that may look like
part of a seal-holder's site, either because of co-branding, licensed
services, or frames.
Likewise, BBBOnLine follows recognized best practices by requiring
all its seal holders to explain how they can be contacted in the
instance there are questions or concerns. Their participation in
BBBOnLine itself must be disclosed so that data subjects may take
advantage of our dispute resolution process.
Seal holders must provide a statement of their commitment to data
security. Seal holders must explain whether or not information is
shared with outside parties, and how that sharing can be prevented.
These are all reflections of best practices that have been made an
express part of the BBBOnLine Privacy Program standards.
Equally important, BBBOnLine does not limit its inquiry to just the
quality and placement of a seal holder's privacy notice. Because
privacy notices mean little unless backed up by a business' actual
practices, BBBOnLine also uses a unique assessment tool that inquires
into a seal applicant's management processes. We ask about staff
training. We ask about the relationship a seal applicant has with all
parties that have access to data, including agents and contractors. We
require the creation of internal security logs. We require confirmation
of physical security devices, such as doors and locks, in addition to
electronic security procedures such as encryption and passwords.
In some cases, the comprehensive, interactive, and educational
back-and-forth that leads to the grant of a BBBOnLine Privacy seal
leads to exemplary information practices that may even exceed
BBBOnLine's own standards. Once a business is educated on areas of
privacy concern, and given concrete suggestions on how these concerns
can be addressed, we find many companies creating even more creative
and effective ways to protect online privacy.
For example, BBBOnLine requires posted privacy notices that are
easy-to-find, and appear at least on every homepage, every page where
information is collected and every page that contains an active email
address. Many of our seal-holders, such as Xerox, go beyond this
requirement and place a link to their privacy notice on virtually every
page of their Web site.
BBBOnLine requires privacy notices to clearly explain a business'
online policies, as well as what online elements may not be covered. A
few of our seal holders, such as Tupperware, go the extra step of
applying the promises they make in their privacy notices to all
information collected (both online and offline) and honor these
promises universally for all the company's sites.
BBBOnLine requires its seal holders to provide data subjects access
to their own information, subject only to reasonable frequency and fee
limits. Practically all the BBBOnLine seal holders have chosen to
provide access and correction free-of-charge, and many, such as Kodak,
go the extra step of providing their customers instant access online
through password protected profiles.
In addition to these specific examples of good information
practices, it has also become apparent that when an organization sets
out with a comprehensive approach to privacy, many of the barriers,
costs, and challenges imposed by privacy compliance are reduced. There
are significant efficiencies realized when a ``privacy plan'' is
implemented across the board from the beginning of an organization's
online presence.
When privacy is folded into a corporate culture, new information
practices are implemented more quickly, online content and services are
more swiftly modified, costs are kept down, and compliance with third
party verification services (like BBBOnLine) becomes infinitely easier.
In this respect, we have found that one of the most powerful ways
to encourage good privacy practices is to empower businesses with the
knowledge, tools, and advice they need to make privacy an integral part
of their operation.
Based on leading industry standards and an expert privacy panel,
the guidance of the BBBOnLine Steering Committee, and the 88 year
history of the Better Business Bureau system in providing effective
self-regulation, the BBBOnLine standards continue to provide some of
the most effective and relevant standards for privacy.
To maintain our standards as a relevant education tool, BBBOnLine
has continued to adapt in the face of new regulation and marketplace
needs. BBBOnLine is able to do this because one of the inherent
advantages of a self-regulatory program is this ability to move quickly
and remain responsive, which proves especially important in the fast-
paced environment of the Internet.
To offer just one example, the BBBOnLine Privacy standards were
updated almost a year ago to incorporate the safe harbor privacy
principles negotiated between the Department of Commerce and the
European Union for the adequate protection of information under the
European Union's Directive on Data Protection. This program upgrade has
allowed BBBOnLine Privacy Seal holders to enter the EU safe harbor.
Several BBBOnLine seal holders, including Hewlett-Packard and Dun &
Bradstreet have since gone on to self-certify on the DOC's safe harbor
list. Unlike others, BBBOnLine's safe harbor compliance standards are
made applicable to US businesses and US consumers--so we have enhanced
protection in the US.
As the EU negotiations highlighted, privacy is not purely a North
American issue. In the borderless world of electronic commerce, online
privacy protection has become a key component of doing business in
today's global economy. Various countries have developed their own
country or region specific regulatory approaches to privacy. For the US
to remain competitive in e-commerce, privacy concerns need to be
addressed. This is another area where self regulatory programs like
BBBOnLine can help in the global arena to assist business and consumers
in promoting sound privacy practices and offer consumers and business a
forum for resolving disputes across borders.
In further response to the global marketplace, on June 1 of this
year I signed an agreement in Tokyo, Japan with the Japan Information
Processing Development Corporation (JIPDEC), the Japanese Government
sponsored privacy mark program, to launch the first ever cross border
privacy seal program. The program provides for a reciprocal seal which
provides US businesses who wish to market online to Japanese consumers
with a combined privacy seal, granted by BBBOnLine, which incorporates
the JIPDEC seal, which is easily recognizable in Japan. This effort
will also provide Japanese online marketers, marketing to the US, with
the BBBOnLine Privacy Seal for use in the US. Once a US company
qualifies for the BBBOnLine Privacy Seal, it will also automatically
qualify for the reciprocal JIPDEC seal. This groundbreaking agreement
will help foster e-commerce across borders and also facilitate
resolution of privacy disputes that may arise in cross border
transactions.
Since BBBOnLine's Privacy Seal Program has been officially ``open
for business'' we have received over 1500 applications from all over
the US and from 20 countries, and have awarded seals covering over 800
websites. When you factor in those currently in the application
process, there are over a 1000 sites that have either qualified for or
are in the process of qualifying for our seal.
The credible nature of our assessment process is illustrated by the
number of sites that do not ultimately qualify for the seal. The reason
is our program is tough. However, even those sites that go through our
process, but do not actually receive a seal, still benefit from
learning how to implement good privacy practices. While this has been a
good start, unfortunately, the percentage of applicants, compared to
the wider universe of websites that could benefit from the program, is
still small. Our applicants come from diverse segments of the market
place. Our seal holders include high technology companies like Intel,
Hewlett-Packard, Dell, Agilent Technologies; communications companies
like AT&T and MCI; travel related companies like American Airlines,
Union Pacific Railroad and Expedia; major retailers like Lowe's
Companies and Fingerhut; entertainment companies like Lucasfilm,
Nickelodeon, and Zagat Survey; major trade associations like the
American Electronics Association and the Electronic Retailing
Association, as well as major multinational firms like Proctor and
Gamble and Nestle. When you consider that significant companies like
these have all embraced the rigorous standards of the BBBOnLine Privacy
Program, you can appreciate the large number of consumers that already
benefit from our self regulatory program.
Even so, most of the applications we have received have come from
small to medium-sized businesses. The BBBOnLine Privacy Seal Program
was intentionally priced so that companies of all sizes could apply.
The only item keeping a company from participating in the program
should be its inability to meet the eligibility requirements; price
should not be a factor. The World Wide Web is made up of hundreds of
thousands of websites, most of which are not large companies. In order
for self-regulation to work it must be accessible to the majority of
web marketers, large and small companies alike.
However, even while BBBOnLine continues to grow, we recognize that
there's still a large portion of the marketplace that hasn't responded
to our message. One thing that the Committee might consider is why this
is so. One reason we suspect is that the marketplace is still uncertain
about the current legal environment. Will there be legislation or not?
Will self-regulation and technology be deemed the preferred route? What
standards will ultimately define widely accepted best practices? Such
uncertainty may fuel a reluctance to embrace any particular rush to
voluntary programs such as BBBOnLine, which is unfortunate, given what
we have already accomplished in such a short time frame. This is not to
say that the business community has ignored privacy. To the contrary--
as we have all seen, it is doing well in posting privacy policies on
web sites--but participating in a seal program is a big step, and is
closely related to predictions about the legal environment.
It is our hope that as the program grows, and as consumer awareness
and education increases, we will have been able to make the online
marketplace a safer place to negotiate for all.
We want to thank the Committee for your attention and hope that you
share in our enthusiasm for the tremendous progress already made.
I am available to answer any questions you may have. For those
individuals that may be reading this document, I have provided a list
of website addresses that may help you in further understanding the
various aspects of BBBOnLine programs.
Mr. Shimkus. Thank you.
Next we will turn to Mr. Jerry--is it pronounced DeVault?
Mr. DeVault. Yes, it is.
Mr. Shimkus. National Director, Innovative Assurance
Solutions. Welcome, and you have 5 minutes.
STATEMENT OF JERRY R. DEVAULT
Mr. DeVault. Thank you. Good afternoon. Ernst & Young is a
leader in providing auditing and assurance services around the
globe with 78,000 employees based in 130 countries. I will make
three points illustrating how privacy practices have evolved
and acquaint you with an emerging best practice independent
verification.
First, I would note that the mere existence of a privacy
policy, even a policy that includes standard components, is not
as impressive as it once was. Not long ago the privacy debate
centered on whether a website posted a privacy notice. Having a
policy and providing notice was the best practice. Privacy
policies were once a rarity.
Last year, all of the 100 most popular sites posted such
notices, yet concern remained. Notices did not adequately
discuss protections or key components emerging as industry
standards. In response, industry groups developed self-
regulatory policy, standards, and detailed components of the
notices.
Seal programs such as BBB online and trustee provided a
seal of approval to sites that pledged to include certain
requirements in their privacy policies. But with all of the
improvement in the quality and quantity of privacy notices, why
does public concern remain high? If effective policy practices
have been identified and incorporated into policies, shouldn't
that be enough?
This brings me to my second point, that promises alone
don't earn consumer trust. Today too many consumers don't trust
that organizations will follow through on their promises.
Providing notice, choice, access, and security will only work
if consumers can trust that companies will enforce them.
Leading companies are recognizing that it is not enough to
say what they will do with personally identifiable information.
Businesses must also prove to consumers that they are doing
what they say they are doing. Leading companies now provide
consumers and other stakeholders with more assurance about
their actions. They are proactively having third parties test
their assertions regarding the people, the processes, and the
technologies that operate and enforce their stated policies.
This testing requires that a company earn a compliance
report as compared to promising to comply with a set of self-
regulatory requirements stated on the website veneer.
Businesses increasingly looking for a more effective private
sector solution to privacy are turning to independent third
parties for verification of their practices.
Independent verification is not a new idea. More and more
companies undertake independent verification because they
realize it leads to enhanced consumer trust, which in turn can
result in more loyal customers and a return on their
investment. For example, a large international client credits
our independent verification services with contributing
significantly to its ability to double its online closing-to-
sale ratio and increasing website revenue by more than 45
percent.
In areas where Congress and the executive branch have
regulated treatment of sensitive financial and health data,
such as Gramm-Leach-Bliley and HPPA regulations, you have
required that more than their promises are in place to
safeguard consumer information. You have focused on actions,
which brings me to my final point.
Since building trust requires more than promises, the
mechanism selected to protect consumers should include
independent assurance or independent verification. And there
are several ways to police or assure compliance with privacy
policies: through the courts and increased litigation, through
increased powers of the Federal Government, or through
government facilitation of private sector solutions to this
public policy concern.
Determining which of these compliance measures to employ,
whether individually or in combination, is the policy question
faced by government and industry. If it is determined that the
private sector is the appropriate venue, industry groups simply
pledging to meet tailored promises will likely not be
sufficient in the eyes of consumers to achieve the goal.
As I previously indicated, companies will need to provide a
high level of assurance that its people, processes, and
technologies are operating effectively. The auditing profession
has developed a set of principles and criteria for online
privacy.
The AICPA and the Canadian Institute's Web Trust Program
for Online Privacy, which was mentioned earlier in opening
remarks, provides a global best practice, a set of generally
accepted privacy principles against which companies and self-
regulatory groups can interpret and implement policies,
procedures, and controls to maintain compliance with online
privacy practice standards.
The AICPA standards are the established criteria used by
auditing firms globally in more than 13 countries to test that
an organization operates in compliance with online privacy
assertions.
In conclusion, independent verification is an emerging best
practice. Ultimately, just as notices and standard policy
components and test seal programs took time to emerge and be
accepted into the framework for internet privacy, so will third
party independent verification.
The adoption of independent verification as a best practice
can provide increased assurance to consumers and to
policymakers alike, and, importantly, it can help stave off
more draconian governmental measures that could unduly impede
private sector initiatives.
I appreciate the opportunity to be here this morning, and I
welcome your questions.
[The prepared statement of Jerry R. DeVault follows:]
Prepared Statement of Jerry R. DeVault, National Leader, Innovative
Assurance Solutions
I. INTRODUCTION
Good morning Mr. Chairman, and thank you for the opportunity to
appear before your subcommittee on the topic of industry best practices
in your series of hearings on the important issue of privacy. I am
Jerry DeVault, National Leader of Innovative Assurance Solutions for
Ernst & Young LLP. As one of the ``big five'' accounting firms, Ernst &
Young is a leader in providing accounting and assurance services around
the globe, with 78,000 employees based in 130 countries. While the
Internet revolution has been occurring, Ernst & Young has been adapting
to offer our clients a variety of assurance services aimed at assisting
our customers in establishing trust with consumers, businesses, and
regulators on privacy and trust issues. Our clients include many of the
Fortune 500 companies as well as many new and emerging companies. As a
result of providing our services to numerous companies, Ernst & Young
has a unique perspective on the best privacy practices of various
industry sectors. Today, I would like to share this perspective with
you, explain how industry practices have evolved over the past several
years, and describe our premiere service in this area, the provision of
independent third-party verification services.
II. THE MERE EXISTENCE OF A PRIVACY POLICY ( EVEN A POLICY THAT
INCLUDES STANDARD COMPONENTS ( IS NOT AS IMPRESSIVE AS IT ONCE WAS.
Not long ago, the privacy debate centered on whether a web site
posted a privacy notice. The idea was that consumer concerns would be
alleviated if sites merely explained their practices in public notices.
At one point, privacy policies were a rarity. However, by last year,
according to the Federal Trade Commission's 2000 report to Congress,
all of the 100 most popular sites posted such notices.
Nonetheless, consumers and policymakers remained concerned because
many of these notices did not adequately discuss protections or contain
the key components emerging as industry standards. In response,
industry groups began to develop self-regulatory privacy standards
detailing the components of the notices. Seal programs such as
BBBOnLine and TRUSTe began to provide a seal of approval to sites that
pledged to include certain requirements in their privacy policies.
Leading businesses also began to undertake other best practices to
ensure that their publicly posted privacy notices were being followed.
These measures included developing internal procedures and training for
employees to follow the requirements of the organization's privacy
policies. Additionally, many businesses have empowered a chief privacy
officer or other dedicated official to develop and oversee internal
compliance processes.
Yet, even with this progress, consumers' and policymakers' concerns
surrounding privacy have not been alleviated. The obvious question is:
if effective privacy policies are posted on sites that compose the
overwhelming majority of Internet traffic, why does public concern
remain so high?
III. PROMISES ALONE DON'T EARN CONSUMERS' TRUST
One reason that concerns remain high is that consumers don't trust
that organizations will follow through on their promises. Making a
declaration to provide notice, choice, access and security will only
work if consumers can trust that companies will enforce them.
In the private sector, leading companies are recognizing that it is
not enough to say what they will do with personally identifiable
information; businesses must also prove to consumers that they are
doing what they say they are doing. Leading companies now find it
valuable to provide consumers and other stakeholders with more
assurance about their actions. They are proactively having third
parties test their assertions regarding the people, processes, and
technologies that operate and enforce their stated practices. This
additional step of robust testing requires a company to ``earn'' a
compliance report as compared to simply agreeing to comply with a set
of self-regulatory requirements stated on the web site ``veneer.''
Businesses, increasingly looking for a more effective private sector
solution to privacy, are turning to independent third parties for
verification of their practices.
Independent verification is not a new idea in the e-business arena.
More and more companies undertake independent verification as a best
practice because they realize that it leads to enhanced consumer
trust(which in turn can result in more loyal customers and a return on
their investment. For example, a large international client credits our
independent verification services with contributing significantly to
its ability to double its online ``closing the sale'' ratio and
increasing Web site revenue by more than 45 percent. In addition, our
clients recognize value in other ways such as differentiating
themselves from their competitors and proactively managing the risks of
online business.
Even in those areas in which Congress and the Executive Branch have
regulated the treatment of particularly sensitive information like
financial and health data, lawmakers have required more than mere
promises to safeguard consumer information.
Both the Gramm-Leach-Bliley Act and the HIPAA regulations are
focused on actions--they require that organizations have appropriate
controls and systems in place to ensure data is handled appropriately.
When the Department of Commerce negotiated a Safe Harbor for compliance
with the European Data Directive, they required that qualifying
companies certify that their practices comply with the Safe Harbor
principles. And certain self-regulatory organizations recognize that a
promise to follow policies is not enough. When the Network Advertising
companies found themselves under regulatory pressure, they wrote into
their self-regulatory program a requirement that participating
companies undergo independent verification of their privacy practices.
IV. SINCE BUILDING TRUST REQUIRES MORE THAN PROMISES, THE MECHANISMS
SELECTED TO PROTECT CONSUMERS SHOULD INCLUDE INDEPENDENT ASSURANCE.
There are several ways to police or assure compliance with privacy
policies: through the courts and increased litigation; through
increased powers of the federal government; or through government
facilitation of private sector solutions to this public policy concern.
Determining which of these compliance measures to employ--whether
individually or in combination--is the policy question faced by members
of this Subcommittee, the entire Congress, as well as industry. If it
is determined that the private sector is the appropriate venue,
industry groups simply pledging to meet tailored promises will likely
not be sufficient in the eyes of consumers to achieve the goal. As I
previously indicated, companies will need to provide a high level of
assurance that its people, processes, and technologies are operating
effectively.
Much like other areas where we provide assurance regarding business
practices, the auditing profession has developed a set of principles
and criteria for online privacy that incorporates an effective
assurance component. The American Institute of Certified Public
Accountants (AICPA) and the Canadian Institute of Chartered Accountants
(CICA) WebTrust Program for Online Privacy provides a global best
practice--a set of generally accepted privacy principles--against which
companies and self-regulatory groups can interpret and implement
policies, procedures, and controls to maintain compliance with online
privacy practice standards. In addition to being a set of principles
and criteria that have been reviewed by leading online privacy
organizations, WebTrust is the established criteria used by auditing
firms globally to test that an organization's people, processes and
technology operate in compliance with online privacy assertions.
Mr. Chairman, members of the subcommittee, widely adopted
independent verification as a ``best practice'' can provide increased
assurance to consumers and policy makers alike. It will reduce the need
for enforcement and investigation of information practices that could
unduly impede private sector initiatives. It will also serve as a
mechanism to demonstrate compliance if Congress ultimately finds it
necessary to legislate in this area and to assist companies in limiting
litigation risks.
V. CONCLUSION
In conclusion, independent verification is emerging as a best
practice. Ultimately, just as notices, standard privacy policy
components, and seal programs took time to emerge and be accepted into
a framework for Internet privacy, so too will independent third-party
verification. The adoption of independent verification as a ``best
practice'' can provide increased assurance to consumers and
policymakers alike. And, importantly, it can help stave off more
draconian governmental measures that could unduly impede private sector
initiatives.
I appreciate the opportunity to be here this morning, and am happy
to answer any questions.
Mr. Stearns. Thank you.
Mr. Rotenberg?
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Thank you very much, Mr. Chairman, Mr.
Towns, members of the subcommittee. My name is Marc Rotenberg.
I am Executive Director of the Electronic Privacy Information
Center. I have also taught privacy law at Georgetown for the
last 12 years.
I am grateful to be here today, and I wanted to
particularly thank you, sir, for this series of hearings that
you have held on the privacy issue. I think it is very
important that we are able to have this opportunity to
carefully study this issue, and I appreciate the time that you
and the committee members have spent on this.
I would also like to say that while my organization and the
privacy and consumer organizations across the country that we
work with favor privacy legislation, we hope that you will
introduce a bill to safeguard the right of privacy. We also
appreciate the important role that technology plays in
safeguarding privacy.
In fact, my own group, EPIC, was one of the leading
organizations working to make strong encryption tools available
to users of the internet so that when people went online they
could do so with some assurance that their personal information
would be protected. And today on our website we make many
privacy tools available so that people will be able to protect
their online privacy.
We have never viewed the use of technology and the passage
of legislation as an either/or situation. We think they both go
together. And I would like to use a simple example that I think
will be familiar to many people about how this operates.
Think about the use of the telephone. You pick up a
telephone. You don't have to set a privacy setting on the side.
You don't have to figure out how much privacy you are going to
need for who you are talking to or who--you know, what you
might be talking about.
Federal law protects the privacy of that telephone call. It
doesn't matter whether you are rich or poor. It doesn't matter
whether you know a lot about how telephones work. The Federal
law gives everyone in this country strong privacy protection of
their communications when they use the telephone network.
Now it is also the case that when new technologies for
telephone came along, like the cordless phone, the cellular
phone, for example, that created some new privacy issues. And
so it was important to incorporate technological safeguards so
that your telephone didn't operate like a radio, like a
broadcasting device.
And so my point, simply stated, is that I think we need
both technology and law to protect privacy. And I think we need
it in particular for the internet, because I have to tell you,
frankly, what I am concerned about today, you have heard
descriptions of some very powerful privacy tools. Some of these
I think will work well; some of them not so well.
But I am afraid what we are opening the door to is a form
of privacy survivalism, which says to users of the internet, if
you are very sophisticated, if you know the difference between
128-bit crypto and 40-bit crypto, if you can change the
settings on your cookies, reconfigure your SSL, you can have
very good privacy.
But for the rest of you who are still trying to figure out
how to set the VCR that is sitting on top on your television so
it doesn't keep blinking, you may have some trouble. It is
going to be a little bit more difficult for you, and maybe you
have to get used to the idea of not having so much privacy.
And that is why we need legislation, because not all of us
are going to be able to figure out how to take advantage of
these tools. We need them built into the network. People need
to be able to use the internet like they use the telephone,
with the assurance that their personal information will not be
misused, that it won't be used for unrelated purposes, and that
their privacy will be protected.
Now, I would also like to suggest for you that as we look
more closely at some of these new privacy technologies, it is
very important to ask what type of privacy are they providing.
If I say to you, for example, that privacy means giving you a
notice about how your personal information might be used, and
then I develop a technology that puts notices on your computer
screens, on your cell phones, which is an interesting problem
by the way--if you are relying on privacy notices, what is
going to happen to people who begin doing business through
their cell phones. They are looking at a little screen and
trying to read a notice. That is a real problem.
But maybe I can do it. Maybe I can put notices everywhere.
Then the technology looks very good, because the standard that
you have set is actually quite low. It is quite easy to put
privacy notices on things. If you say, instead, that privacy
means being able to limit how information is being used, or
being able to see the information about you that is collected,
or, where possible, maybe even minimizing the information so it
doesn't stay around longer than it has to, than it is a harder
problem.
So I think it is very important as we are talking about
these two technologies, these new types of technologies, we
distinguish between those that genuinely protect privacy and
those that simply provide privacy warning labels.
Now, there is another interesting problem here to think
about, and I know the members of the committee don't want to
overregulate, and they are concerned about leaving the open
nature of the internet. And I think that view is widely shared.
But there is a bit of an irony here, and that is that in the
past privacy legislation has also given individuals safeguards
from government.
We have used privacy laws so that when government agents go
to private companies they have to satisfy a Fourth Amendment-
like standard before they can get access to your personal
information that is held by your bank, or held by your doctor,
or held by some other institution that may have aspects of your
private life that you don't want freely disclosed to the
government.
Now, by failing to enact privacy legislation out of concern
that you may be burdening industry, you are also failing to
establish traditional Fourth Amendment safeguards that have
been put in place for a whole lot of other businesses in this
country to safeguard the rights of citizens against their
government.
My final point is I think it is important when looking at
privacy tools to ask this question. Do they provide better
protection than could otherwise be provided in law? And in my
testimony I give the example which Mr. Markey referred to
earlier of the privacy provision in the Cable Act of 1984.
Small provision in there, it is like a page and a half. It is
one of the most powerful privacy laws in this country, and it
gives every person who uses cable television service a lot of
privacy rights.
I don't think there is a single product or service that was
presented to you this morning that provides as much privacy
protection as that provision that was enacted by Congress more
than 15 minutes ago. And so while we encourage these
technological developments, we think they are very important
for the future privacy, we also think that legislation is
vital.
Everyone in America should have the right to protect their
privacy online, whether or not they can afford these new
techniques or whether or not they understand them.
Thank you very much.
[The prepared statement of Marc Rotenberg follows:]
Prepared Statement of Marc Rotenberg, Electronic Privacy Information
Center, Executive Director, Georgetown University Law Center
I appreciate the opportunity to appear before the Subcommittee
today to discuss privacy issues. My name is Marc Rotenberg. I am
Executive Director of the Electronic Privacy Information Center in
Washington, and I have taught the Law of Information Privacy at
Georgetown since 1990.
I'd like to thank the Subcommittee and you, Mr. Chairman, for your
continued interest in these issues and for the series of hearings that
you have held. The privacy community remains hopeful that when these
hearings are concluded you will introduce legislation to safeguard
privacy and encourage confidence in the emerging electronic
marketplace.
I'd also like to acknowledge the work of the various companies that
are appearing today on privacy issues. While we may disagree with some
of their approaches, we recognize the ongoing effort to find
technological solutions to the challenge of privacy protection.
The focus of this hearing is on ``Industry Best Practices and
Technological Solutions.'' This is an issue that has been central to
the work of my organization--the Electronic Privacy Information
Center--since our first day and was also discussed in our book
Technology and Privacy: The New Landscape (MIT Press 1997).
While we favor legislation to protect privacy on the Internet, we
clearly understand that technology plays a critical role in
safeguarding privacy. In fact, we helped organize the online campaign
to reform the United States encryption policy so that Internet users
could exchange private communications and engage in secure online
transactions. And we have worked to encourage the development of
technical standards that allow Internet users to safeguard their data
and protect their identity. One of the most popular features on our web
site are the Practical Privacy Tools page which allows Internet users
to surf anonymously, delete cookies, encrypt private messages, erase
files, and filter ads.
DEFINITION OF PRIVACY IS CRITICAL
First, it is important at the beginning when discussing any
technological approach to privacy protection to have a clear
understanding of what privacy protection means. If you say, for
example, that privacy protection is simply telling people how you will
use their personal information and then you develop technologies that
provide notices on web sites, symbols on cell phone displays, or
technical standards for computers to exchange information about privacy
preferences, you actually do very little to safeguard personal
information. All of these approaches simply provide warnings to
consumers about how their personal data will be disclosed to others.
But if you understand that genuine privacy technologies actually
promote trust and confidence in the online environment, then you will
understand very quickly that notices do very little to protect privacy.
For example, one of the most important privacy technologies operating
on the Internet today is the Secure Socket Layer in Internet browsers
that allows two computers connected by the Internet to exchange
information securely.
Because of SSL you can enter a credit card number in your computer
and a merchant will receive the number and neither of you have to worry
that the number will be intercepted as it travels across the Internet.
It is a built-in security feature that protects the privacy of the
customer's personal information. SSL operates for Internet transactions
much like car safety features, such as air bags or seat belts. It
provides a basic level of safety that promotes consumer confidence in
the use of technology.
The problem today is that too many of the ``privacy solutions'' are
really just warning labels. They do not provide any actual technical
safeguard for personal information. There should be good privacy
technologies, such as SSL, built into the network and the services
provided to consumers.
EVALUATING PRIVACY TECHNOLOGIES AGAINST PRIVACY LEGISLATION
One critical standard for evaluating the various technical
approaches to privacy protection is to ask whether they provide at
least as much privacy for the consumer as would privacy legislation.
Consider, for example, the privacy provisions contained in the Cable
Act of 1984. Under that law, every consumer in the United States who
subscribes to a cable television service receives certain basic privacy
rights.
Cable providers must provide written notice to subscribers of their
privacy rights at the time they first subscribe to the cable service
and, thereafter, at least once a year. These notices must specify the
kind of information that may be collected, how it will be used, to whom
and how often it may be disclosed, how long it will be stored, how a
subscriber may access this information and the liability imposed by the
Act on providers.
Subject to limited exceptions, the Act requires cable service
providers to obtain the prior written or electronic consent of the
cable subscriber before collecting or disclosing personally
identifiable information. The Act grants cable subscribers the right to
access the data collected about them and to correct any errors. It also
provides for the destruction of personally identifiable information if
that information is no longer necessary. There is a clear Fourth
Amendment standard that limits the circumstances under which government
may gain access to our private viewing records. Finally, the law sets
out a private right of action including actual and punitive damages,
attorney's fees and litigation costs for violations of any of its
provisions. State and local cable privacy laws are not preempted by the
Act.
This is genuine privacy protection that legislation make possible.
Short of techniques that provide actual anonymity, I don't believe
there is a single proposal presented to you today that provides the
same level of privacy protection for consumers as the Cable Act that
was passed by the Congress more than 15 years ago.
NEED FOR LEGISLATION REMAINS
Over the past thirty years the United States Congress has done a
good job developing legislation to safeguard personal privacy even as
new technologies have emerged. We have laws to protect the privacy of
telephone calls, video rental records, automated health records, and
more. And just this past week, the Supreme Court made clear that simply
because there is new technology for surveillance does not mean that we
must sacrifice our right to privacy.
The problem is clear. Data collection by commercial firms has
become more intrusive as more commerce has moved online. The Internet
advertising industry, for example, believes there is nothing wrong with
creating an online profile of where you go on the Internet as long as
they give you the chance to ``opt-out.'' You won't know who is
profiling you. You won't be able to see what is collected about you.
And you won't know how this information affects your ability to buy
goods and services online.
And it is going to get worse.
The interview that appeared in US News and World Report this week
with a former industry insider is particularly revealing. An expert in
business practices and privacy audits Larry Ponemon told US News that
customer profiles, containing detailed personal information typically
have an 85% error rate. ``As an auditor,'' he said, ``you reach the
conclusion that it's pretty awful out there.'' When asked what the
bottom line is for consumers, he answered:
Most companies don't take privacy seriously. The general view
is: Collect as much data as you can, as quietly as possible.
It's dirt-cheap to store, and you never know when it will come
in handy. I still use the Internet, but I'm more cautious. I
won't share any medical data or do financial planning online.
I'll use my credit card only if I think the privacy policy is
reasonable, but I assume the worst.
LOOKING AHEAD
It would be tempting to say that industry is developing good
solutions, that more needs to be done, and that it is premature to
legislate, but I believe this is a short-sighted assessment of what is
currently taking place. In the absence of clear standards set out in
statute, privacy is being redefined from a set a basic rights to a
series of warning notices. The bottom line is that consumers are being
asked to trade their privacy when they go online. The companies post
privacy policies that are incomprehensible and easily changed.
It doesn't have to be this way. Congress can pass good privacy
legislation, similar to the provisions contained in the Cable Act of
1984, and still encourage the development of technological solutions.
This is the right way to go. We will need both good technology and good
legislation to safeguard privacy in the years ahead.
I appreciate the opportunity to appear before the Committee today
and will be pleased to answer your questions.
REFERENCES
Phil Agre and Marc Rotenberg, eds., Technology and Privacy: The New
Landscape (MIT Press 1997)
EPIC Practical Privacy Tools[http://www.epic.org/privacy/
tools.html]
EPIC and Junkbusters, ``Pretty Poor Privacy: An Assessment of P3P
and Internet Privacy'' [http://www.epic.org/Reports/
prettypoorprivacy.html]
Privacy Coalition [http://www.privacypledge.org]
Privacy Site [http://www.privacy.org]
Marc Rotenberg, The Privacy Law Sourcebook 2000: United States Law,
International Law, and Recent Developments (EPIC 2000).
Marc Rotenberg, ``Can We Keep a Secret?'' American Lawyer 57
(January 2001).
Paul M. Schwartz, ``Internet Privacy and the State: Charting a
Privacy Research Agenda,'' 32 Connecticut Law Review 815 (Spring 2000)
Mr. Stearns. I thank you for your opening statement. You
probably listened with interest to the preceding panel, and
particularly Microsoft when they talked about their P3P, in
effect that it is a default information privacy standard. Now,
I suspect that some of you would disagree and some of you would
agree with that.
Let me start with Mr. Hughes. What do you think of the P3P
as a default information privacy standard? Do you agree or not?
Mr. Hughes. Absolutely. The company that I work for,
Engage, actually was one of the companies that was involved in
the development of P3P. And the cookie management features that
you heard about in the Microsoft browser are a result of some
early work that Engage had done, our co-founder had done, on
something called trust labels.
So from the perspective of my company, we definitely have
been very involved in the development of P3P and cookie
management features.
Mr. Stearns. But Mr. Rotenberg I think made a very good
point in terms of talking about the Cable Act of 1984, and this
one and a half page document which outlined the privacy
provisions dealing with your cable. And I think he makes a
pretty good case that that same standard has to be applied to
the internet. Do you disagree?
Mr. Hughes. I think there are difficulties on the internet.
I think the internet, as a global medium, requires a standard
that has comparable ubiquity. And that standard is technology.
And by embedding the privacy protections in the technology, you
provide the greatest coverage possible. So I believe that the
browser is the right place to put those tools.
Mr. Stearns. So you are saying that you think government
has a role to do something like we did with the Cable
Television Act of 1984 or not? Just yes or no.
Mr. Hughes. The Network Advertising Initiative is
definitely open to the possibility of Federal legislation.
However, we would request or push for or suggest that a safe
harbor for self-regulatory regimes that are operating and
functional and meaningful, like the NAI self-regulatory regime,
be put in place.
Mr. Stearns. Mr. Cole, you know, he makes the analogy, you
pick up your phone and you don't think about privacy, but you
already have the privacy in place unless you go to the Fourth
Amendment that the government can't get involved and listen to
your phone calls--you know, tap into your phone.
Do you agree that we need a privacy bill, an internet
privacy bill here in Congress, much like we did for the Cable
Act of 1984?
Mr. Cole. I would like to respond to that in two ways, Mr.
Chairman.
Mr. Stearns. Sure.
Mr. Cole. First of all, I am not sure it is as clear-cut as
Marc would have it. I used to run Maryland's Consumer
Protection Program for the Attorney General, and I remember
that it depended often on State law whether or not you actually
had all of the privacy you wanted on those phone calls. So it
is a very--it is complicated, and it is not as clear. And I am
sure the internet----
Mr. Stearns. Well, I am sure the details of it--but as a
broad scope----
Mr. Cole. Well, it is not so clear that we have perfectly
legislated privacy, even of those areas where we tried. And
there may be a lesson about that. Either we need better
legislation or maybe legislation doesn't always work. But let
me get also to your question.
Our organization, simply as a matter of policy, does not
take position on legislation. Self-regulation could work
without legislation. We could help promote voluntary standards
for the business community in the absence of legislation, and
we could help provide compliance when there is legislation.
I would like to endorse the point made earlier--if there is
legislation from the Congress, you should follow the lead that
you took with the children's online privacy and in other
legislation, and there really should be a safe harbor for
voluntary efforts of compliance.
Mr. Stearns. Mr. DeVault, can you give us a scope of the
number of companies Ernst & Young provides privacy service for,
and how much revenues does the privacy protections practice
take in for your company? And what are the typical ballpark
costs for such services? Is that possible, to get this in a
broad way?
Mr. DeVault. Well, we are, as I mentioned, a global firm.
We have thousands of people that are focused on security,
privacy, and IT risk advisory services.
Mr. Stearns. Why don't we just take it in the United
States.
Mr. DeVault. In the United States, we have approximately
800 to 1,000 people that are, and that employs--obviously, it
keeps those people busy. That gives you a degree of the fees
that we have out of that business.
Mr. Stearns. So of the revenues in the United States, is
this--I think what we are--in the committee we are starting to
realize that this is a whole new area of revenue generation,
and that it could be a large segment in the future. When you
move to broad band, people will come to you, and so this--what
I think is an incipient industry which is going to create a
great deal of profit for people like yourself and others.
Mr. DeVault. Well, to give you an idea, the web trust
principles that I mentioned earlier were released on September
6, 2000. So they are very young, so our independent third party
verification services are very nascent as well. We have been
helping companies with their privacy policies and compliance
now for several years, since really the advent of the
commercialized internet.
And we see that this is a large business for software
companies, for marketing companies, for professional services
companies.
Mr. Stearns. Do companies tend to overpromise and
underdeliver in the privacy area? Mr. DeVault, how many
companies have failed Ernst & Young initial verification tests,
if any? How many have failed a followup verification test?
Mr. DeVault. At this point in time, we have certified as a
profession less than 10 companies. As I said, it is a very new
area for us. I would say, though, that every time we test there
are gaps between our criteria and the actions that we see, and
the good news is that we have clients that are interested in
filling those gaps, and we are helping them do that.
I think on a go-forward basis we will see what the
experience is in terms of testing as we go through. Our testing
is required every 6 months.
Mr. Stearns. Mr. Rotenberg, I think what you are sort of
saying is trust but verify, and the government has to verify in
some way by setting up a standard so that the public feels
comfortable.
After listening to the first panel, were you impressed,
though, that Webwasher--the type of things they can do, and
that maybe if that was part of an integral part of a web
browser that the legislation would be maybe not required as
much but it would help to alleviate the problem?
Mr. Rotenberg. Well, I think there were a number of good
approaches suggested on the first panel. And none of them I
think would be incompatible with privacy legislation. In fact,
I rather suspect that privacy legislation can provide a
foundation that builds support for a number of these
techniques. I mean, this has always been our view, that you
should have legislation that enables strong tools for privacy.
If you don't have the legislation, I think that is really
ultimately the decision that this subcommittee will have to
make. And if you say we are going to rely on these techniques
and hope this works, I think you are going to head toward a
world where people, in effect, will turn to their telephones,
know that there is no real legal protection there, and have to
figure out, in effect, what are the privacy settings right now?
Are the settings appropriate for the call I am about to make?
Do I need to purchase a little bit more privacy because this
call is particularly sensitive?
And you can imagine that that would evolve in the
marketplace. But I think over the long term people would be
less willing to use the telephone, because there will be no
baseline protection established in law that safeguards privacy.
So I really think that the best outcome is one that provides
that baseline assurance to everybody that privacy will be
protected and allows people to innovate and develop better
techniques and take it forward. I think that is the win-win
outcome here.
Mr. Stearns. Yes. My time has expired.
The ranking member, Mr. Towns, is recognized.
Mr. Towns. Thank you very much, Mr. Chairman.
Let me begin with you, Mr. Rotenberg. And let me say I was
very impressed with your testimony. I want to say that before I
ask this question.
Mr. Rotenberg. Thank you, sir.
Mr. Towns. You heard on the other panel, I think it was Mr.
Schwarz who said that, yes, eventually we need to pass
legislation, that laws should be in effect, but we do not know
enough now to do it. What is your response to that?
Mr. Rotenberg. Well, I would be happy to give him a couple
of copies of my books, but I think he has left the room. I
mean, I have been teaching privacy law for, you know, I said
more than 10 years. I have got a 500-page book that surveys
privacy law.
I think that Congress has done a good job over the years. I
mean, it was done for telephone. It was done for cable service.
It was done for electronic mail. There are a lot of good
principles in place, and I think we just need to take advantage
of them.
Mr. Stearns. Could we just have those two books brought up
to Mr. Towns and just let him quickly have access to them? And
then we will give them right back.
Mr. Towns. So the theory in terms of waiting and learning
more is ridiculous.
Mr. Rotenberg. Well, I don't see the benefit of waiting. I
see the caution about not passing legislation that creates
problems that might discourage innovation. But I do believe
that legislation can promote innovation, and that is the
approach I hope to end up with.
Mr. Towns. Yes. I was around in terms of the cable bill and
also the Telecommunications Act of 1996. And, of course, we
heard--some of the same arguments that are being put forth now
were put forth at that time, that we should not move forward
with the Telecommunications Act because things are just moving
too quickly, we need to wait and see.
But I don't think they are going to slow down. I think they
are going to continue to move. And I agree with you. I think at
some point in time that we have to come forward with some
legislation in order to make certain that the consumer is
protected. The question is in terms of, you know, how quick we
do it. I think that is something that we are dealing with.
But, here again, we are having a lot of hearings, and I
think we are collecting information. And then I hope that when
we do do it that we do not hurt a lot of folks. I think that we
want to help people, and that is the key.
The other issue is that, you know, what do we do with the
little folks out there that are providing information, that is
basically all they are doing. And this is, you know, their
business, and if we pass laws that a lot of them could be put
out of business. I mean, have you thought about that at all?
Mr. Rotenberg. Well, I think we need some standards in
place about how personal information is being collected and
used. I mean, I am concerned about these information brokers,
for example, that are getting access to a lot of very private
details. You know, and that stuff is being repackaged and sold.
There is a debate, as you probably know, taking place right now
about whether or not all court records should be put online.
Now, public trials in open courtrooms is critical to the
democratic system. But if you put in all of the information in
depositions, including, you know, psychologists who testify in
child custody cases, I mean, this has enormous implications for
personal privacy.
So I think we need to have, you know, a rule that will
apply to everybody--I mean, the big folks and the little folks.
Mr. Towns. Okay. Mr. DeVault, you talked about in terms of
the verification, and what are some of the things you think we
should do in order to verify whether or not a person is
actually--the consumer is protected?
Mr. DeVault. One of the things we do is we go much further
than, as I said, the veneer of the website. We really look past
just asking questions. And if a client is saying that they are
protecting data, we actually look at the data base, the machine
that the data resides on within that data base.
We determine whether it is approachable from the outside,
so we actually get into the process, we put together a robust
set of tests that we can then opine on and say that we believe
that that data has been protected in accordance with their
policies. And that is a level of testing that is much different
than I think people recognize has been occurring.
Mr. Towns. Yes. In your audit, they failed to come up to
standards. At what point in time would you say, okay, we are
not dealing with you anymore? I mean, how do you do that? I
mean, what do you do with this? I mean, I am not clear. It is
not clear to me what happens here.
Mr. DeVault. Well, if a company has engaged us to provide
them with a certification or an audit, and they are granted
that opinion, they can post a seal on their site which clicks
to our report, and a report from management that says we assert
that we are holding these promises to be true, and a report
from Ernest & Young which says that we have tested those
assertions.
If they fail to continue to maintain that posture, we will
take our report away. And so there is a consequence at this
point in time because it is voluntary. There isn't a signal
necessarily to any kind of a regulator or the government or
somebody else, other than the fact that if they had, in the
past, disclosed that they had passed the test, and afterwards
decided to not pass or fail, then our reports would come off
their website.
Mr. Towns. Thank you. I yield back. I don't have anything
to yield back, do I, Mr. Chairman? I am out of time.
Mr. Stearns. All right. Thank you, Mr. Towns.
The gentleman from Illinois, Mr. Shimkus?
Mr. Shimkus. Thank you, Mr. Chairman.
Mr. Rotenberg, you mentioned the Cable Act. I wasn't a
Member of Congress during that time. Can you tell me what the
cable industry was doing at that time to warrant this page and
a half on privacy that obviously you are very supportive of?
Mr. Rotenberg. Well, it is very interesting, sir. I have
actually studied the period. In the early 1980's when cable
television was being developed, people talked about it in a
very similar way that they talk about the internet today. You
are going to do online banking, you are going to be like
watching a football game and answer a poll question about what
the next, you know, play should be called.
People had a sense when cable television was being
developed in the early 1980's that it had interactive
capability. And there was consensus--and this is the key
answer--there was consensus then with the industry and with
Congress that because of this interactive capability, because
of the ability now with the television to collect information
from the viewer, which didn't previously exist because it is a
broadcast medium, that privacy safeguards should be
established.
And privacy safeguards, as I said, were very good, and I
don't believe that the cable industry in 1984 opposed them. So
when I come before you, sir, and testify and say basically that
I think people today for the internet should have similar
protections, it is partly because of this experience 20 years
ago that when faced with a very similar issue I think Congress
did the right thing, and I think it has worked out.
Now, people can say, well, you know, cable television isn't
doing all of those things that the internet might, but the
privacy is there.
Mr. Shimkus. I appreciate that historical look. But at the
time of the Act, the cable industry was not doing that. That
was just a forward-looking----
Mr. Rotenberg. Yes.
Mr. Shimkus. [continuing] response based upon what they
saw, the evolution. And as we see now, cable now is moving in
that shape or form somehow with interactivity, which is very
similar to high-speed internet service or the broad band
debate, and the like.
Obviously, last year we also talked about, debated, and
passed the electronic signatures and electronic records issue.
Because of that, we are transmitting actual legal documents,
signed, you know, through the vast unknown. We should still be
doing that, shouldn't we?
Mr. Rotenberg. I am sorry. Transmitting authenticated
documents?
Mr. Shimkus. Yes.
Mr. Rotenberg. I think so. I mean, I think the Digital
Signature Act provides some benefits for online commerce. That
is clear. But I don't think it resolves the privacy issue. I
mean, I think the privacy issue is still out there.
Now, I will say it was addressed in part by the past
Congress in the Children's Online Privacy Protection Act. And
there you looked at the situation involving kids under the age
of 13 and said, well, it would be nice for kids to be able to
go online and use some of these new services, but there are
justifiable concerns about the collection of their data. And so
you had legislation there to protect, you know, the privacy, so
I think that went part way.
Mr. Shimkus. I would like to turn to Mr. Cole and ask, in
reference to the compliance monitoring that you are attempting
to accomplish, first, the question is, how is that--first of
all, how is that going in that? And then I am going to really
then switch to Mr. DeVault to--in his testimony he talked about
the questions of compliance monitoring.
Mr. Cole. Yes, sir. We were talking earlier about trust and
verify. The Chairman mentioned that. And I want to make an
important distinction. Setting standards, whether it is a
voluntary organization doing it or the Congress doing it, it is
very different from verification, and we all need to take that
into account because finding out whether or not there really is
compliance with the standards requires a whole other set of
techniques than just writing the standards.
What we do is--I referred to it in my brief remarks is we
use a unique assessment device that over a period of weeks
brings the company through a series of questions that are
geared to determine whether it has set up the internal
processes it needs to comply with the promises it makes in its
privacy promise, whether it is training of staff in security
techniques within the company, and contracts with agents and
contractors with whom they may have to share information. So we
work with the company on the details of how it is implementing
its privacy policy.
Over the 2 years we have been running our program a few
hundred companies have failed to meet our requirements after
applying. They either decided they did not choose to meet them,
or we found that they were unable to meet them. We have not had
a need to withdraw a seal from a company that we granted one
to, and that is not surprising, because they have gone through
an intense process. They verified their procedures, and they
are willing to make corrections when we call it to their
attention.
Mr. Shimkus. Mr. Chairman, can Mr. DeVault respond?
Mr. Stearns. Sure. Go ahead. We will probably go another
round here, so----
Mr. Shimkus. Based upon the auditing aspect, you are
probably auditing some that have the seal and some who do not.
What is your--can you just give some input on that?
Mr. DeVault. I would just say that I think there is a bit
of expectation gap between what some of the seals may mean to a
consumer and what they are intended to do and what they
describe in the practices--what they are doing. And that has
been seen in some of the issues that have come up onsites that
have had seals on them.
We do see that there is some gap between the promises that
are being made and the actual actions within the people, the
processes, and the technologies, the real behind-the-scenes
processes. But I think that companies that are subscribing to
these seal programs really want to have good privacy policies.
Many of them are engaging us to come in and help them, make
sure that they can qualify for those seals, and then I think
that they are determining whether they want to go further and
make a public declaration of their compliance with that. And
that is what we are seeing in this next stage.
It is really an evolution from just making a policy that
has been read on a website to one that has been read and
conforms to some kind of a standard, and there is some inquiry
as to whether or not they are really doing what they say they
are doing, to the final step, which is some proof that says I
have engaged somebody independently to come in and really
robustly, in essence, rip my processes apart and determine
whether or not they are actually working.
And there are companies that are using that, not
necessarily just for a marketing purpose, but they are doing it
as a good internal practice, not publicly mentioned, as a risk
management approach to determine that the promises they are
making are promises that are kept.
Mr. Shimkus. Thank you. And I yield back, Mr. Chairman.
Thank you.
Mr. Stearns. Yes. I am just going to close here, and anyone
else can close with a question or two. Dealing with what is
called legacy data--and, Mr. Cerasale, this might be approach
for you. AT&T came in, and I was talking with them about my
cell phone.
And I said to them, ``When I delete a--when my answering
machine comes in on my cell phone and someone calls me and then
I delete it, where does it go?'' And they said, ``To a hard
disk.'' And I said, ``Well, how long do you keep that?'' they
said, ``The law has not determined how long.'' And I said,
``Are you going to keep it a year?'' They said, ``Well, right
now, we are not keeping it very long. We almost arbitrarily--in
30 days we get rid of it. But there is a possibility we might
have to keep it a longer period of time.''
So that goes to the point that if we today passed a bill,
what happens to all of the information that has been collected?
And how do we write a bill to allow today a U.S. citizen who
has all of their credit cards and all of this legacy data
protected? How do you do that? And is there much of that that
you think that would be a problem?
Mr. Cerasale. Well, keeping data is expensive, and, of
course, that is going to go--that will drop in time. But part
of the marketing process is that customers can go pretty freely
back to marketers they have dealt with before, and they have
information already on file, and so forth, that they use and it
can go quickly.
For example, purchasing online through Travelocity, I don't
have to enter a lot of data because it is already held in
there, including my credit card number. I think that the thing
that we have to focus on in this part of privacy, which I think
in the first panel we discussed security versus privacy, I
think the phone legislation is basically the security of
talking.
But if I call a catalog and give them my name and,
therefore, address and credit card number, so that they have
it, and then it goes to their privacy policy, it is totally
outside of that phone law, the law concerning telephones. You
have to--it is a problem that we do through self-regulation on
anything that you have already before. And if you go,
therefore, and change a privacy policy or have something
different, what do you do with the information beforehand? Is
it expensive to mark that data so that you treat it differently
than others?
Part of the situation that we look at is markers would
hold, in a sense, legacy data--is a customer, to try and see if
they can deal with that customer and how long it is to hold an
expense.
Mr. Stearns. How long do you hold information?
Mr. Cerasale. Well, DMA is not a marketer. It is an
association. So each----
Mr. Stearns. Well, I mean, your account, your clients.
Mr. Cerasale. The client----
Mr. Stearns. Just on the average.
Mr. Cerasale. Members will hold information--I don't think
there is any member that would hold customer information beyond
5 years, and that is probably less--it is probably less than
that because you have to try--20 percent of Americans move
every year. A phone number is good for only maybe 7 years, so
that information gets stale and it is useless after a certain
amount of time.
Mr. Stearns. Mr. Rotenberg, you know, if I want to look at
my credit report I can do that. Do you think there should be a
way for a consumer to take an active hand in tracking his or
her personal data in the marketer's data base, be able to
access and go in and to, you know----
Mr. Rotenberg. I think so. I think in particular where
personal profiles are credited. I mean, the issue of access
obviously is a question about how far do you go. Congress said
30 years ago if there are companies out there that are creating
these reports that are being used for credit determinations,
people should have the right to see those reports to make sure
they are accurate.
Now, if it is, you know, a single purchase, I think people
would say, well, maybe it is not so important. But what is
happening on the internet, and particularly with online
advertising, is companies are creating these profiles using
cookies very much like credit reports. But they don't have the
same obligation to tell you what is in that file about you, and
you don't know how that information is being used.
So I think the right of access to the profile would do a
lot to allow the individual to figure out how that data is
being used. It would keep the companies more honest. They could
still collect it. The Fair Credit Reporting Act doesn't say you
can't collect the information, but it does make the company
accountable to the person.
Mr. Stearns. Where would I go today to find out if somebody
was doing a composite of my personal information?
Mr. Rotenberg. I don't know the answer to that, sir.
Mr. Stearns. Does anyone know? Where would you go if--you
know, if I wanted to find who had a composite of my
information?
Mr. Cerasale. A great deal of information--marketing
information is held by the credit bureaus on the marketing
side, and all of them--all three major credit reporting
companies have--you go to them and see what they have in their
marketing side on them. And they all have that ability today.
Mr. Stearns. I want to thank the second panel for your
participation, and we know how busy you are, and also for
waiting through the first panel. And this is the--we have one
more internet privacy hearing, I think in July, but your
participation has been very helpful, and we look forward to
perhaps in the future calling you back--or calling you just
with any additional questions.
Thank you very much. The subcommittee is adjourned.
[Whereupon, at 1:14 p.m., the subcommittee was adjourned.]
�