[Senate Hearing 112-302]
[From the U.S. Government Publishing Office]






                                                        S. Hrg. 112-302

                  THE STATE OF ONLINE CONSUMER PRIVACY

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 16, 2011

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation













                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
  73-308 PDF              WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, 
JOHN F. KERRY, Massachusetts             Ranking
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 JOHN ENSIGN, Nevada
MARIA CANTWELL, Washington           JIM DeMINT, South Carolina
FRANK R. LAUTENBERG, New Jersey      JOHN THUNE, South Dakota
MARK PRYOR, Arkansas                 ROGER F. WICKER, Mississippi
CLAIRE McCASKILL, Missouri           JOHNNY ISAKSON, Georgia
AMY KLOBUCHAR, Minnesota             ROY BLUNT, Missouri
TOM UDALL, New Mexico                JOHN BOOZMAN, Arkansas
MARK WARNER, Virginia                PATRICK J. TOOMEY, Pennsylvania
MARK BEGICH, Alaska                  MARCO RUBIO, Florida
                                     KELLY AYOTTE, New Hampshire
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                   Bruce H. Andrews, General Counsel
                 Ann Begeman, Republican Staff Director
             Brian M. Hendricks, Republican General Counsel














                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 16, 2011...................................     1
Statement of Senator Pryor.......................................     1
    Prepared statement...........................................     2
Statement of Senator Kerry.......................................     3
Statement of Senator Isakson.....................................     6
Statement of Senator McCaskill...................................    29
Statement of Senator Klobuchar...................................    31

                               Witnesses

Hon. Jon D. Leibowitz, Chairman, Federal Trade Commission........     6
    Prepared statement of the Federal Trade Commission...........     9
Hon. Lawrence E. Strickling, Assistant Secretary for 
  Communications and Information, National Telecommunications and 
  Information Administration, U.S. Department of Commerce........    16
    Prepared statement...........................................    18
Erich Andersen, Deputy General Counsel, Microsoft Corporation....    34
    Prepared statement...........................................    36
John Montgomery, Chief Operating Officer, North America, GroupM 
  Interaction....................................................    41
    Prepared statement...........................................    43
Ashkan Soltani, Independent Privacy Researcher and Consultant....    50
    Prepared statement...........................................    52
Barbara Lawler, Chief Privacy Officer, Intuit Inc................    59
    Prepared statement...........................................    61
Christopher R. Calabrese, Legislative Counsel, American Civil 
  Liberties Union, Washington Legislative Office.................    65
    Prepared statement...........................................    67

                                Appendix

Hon. Mark Begich, U.S. Senator from Alaska, prepared statement...    85
Response to written questions submitted to Hon. Jon D. Leibowitz 
  by:
    Hon. Mark Pryor..............................................    85
    Hon. Kay Bailey Hutchison....................................    87
Response to written questions submitted to Lawrence E. Strickling 
  by:
    Hon. Mark Pryor..............................................    89
    Hon. Mark Begich.............................................    90
Response to written questions submitted to John Montgomery by:
    Hon. Kay Bailey Hutchison....................................    90
Response to written question submitted to Erich D. Andersen by:
    Hon. Kay Bailey Hutchison....................................    92
    Hon. John Ensign.............................................    92
Response to written questions submitted to Barbara Lawler by:
    Hon. Mark Pryor..............................................    93
    Hon. Mark Begich.............................................    94
    Hon. Kay Bailey Hutchison....................................    94
    Hon. John Ensign.............................................    96
Response to written questions submitted to Christopher R. 
  Calabrese by:
    Hon. Mark Begich.............................................    96
Comments on ``The State of Online Privacy'' by Adam Thierer, 
  Senior Research Fellow, United States Senate, Committee on 
  Commerce, Science, and Transportation..........................    98

 
                  THE STATE OF ONLINE CONSUMER PRIVACY

                              ----------                              


                       WEDNESDAY, MARCH 16, 2011

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:05 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Mark Pryor, 
presiding.

             OPENING STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor [presiding]. I will go ahead and call this to 
order. I want to thank everyone for being here. And we have 
several witnesses today, and we're going to have a great 
hearing. And I want to thank everyone.
    First, I want to thank the Commerce Committee staff for 
pulling this hearing together. They really have pulled together 
an excellent panel, two panels of witnesses.
    One thing that Senator Kerry and I were just talking about 
is the Senate is supposed to vote at 10:30. And based on Senate 
time, we don't know if that means 10:30, 10:45, 11, whatever. 
But we're supposed to vote at 10:30. So at some point we're 
going to have to swap the gavel back and forth and race and 
vote and come back. But we'll try to keep the hearing going 
during that time.
    Also I know that Senator Kerry has really been a leader on 
this type of legislation, looking at privacy concerns and has 
been working on a bill and so we would like to hear from him in 
just a few moments on that.
    What I thought I would do is just give a very brief 
statement. And I know that Senator Hutchison is on the way and 
other Senators are on the way. We might dispense with the 
opening statements for all the Senators, if that's OK, except I 
thought I might call on Senator Kerry for just a few moments to 
talk about his legislation and then go onto the panel. And once 
Senator Hutchison shows up we'll certainly recognize her for 
her opening statement.
    But let me just say that as we start today I want to 
welcome everyone to the Commerce Committee's hearing on ``The 
State of Online Consumer Privacy.'' This is a very challenging 
endeavor. We want to balance the free Internet, you know, the 
ability to access free content and services for all users, with 
concerns that are raised about user's privacy and general 
information collection practices online.
    So consumers can conduct research and read online 
newspapers. They can write e-mails and respond to each other in 
real time. Some of them will be worried about how their 
information is being collected online. Some of them may be 
willing to surrender some information in exchange for the free 
content. Others don't have any idea this is going on.
    So this is a real challenge. As many good things as we can 
say about the Internet and how it has really revolutionized 
information, and it's been so great in so many ways, privacy is 
an area that we need to keep focused on and try to balance 
these interests and try to make sure that it's a good place to 
be and a good place to conduct business.
    So our first panel is going to be the Federal Trade 
Commission and the Department of Commerce.
    Our second panel we'll hear from consumer advocates, 
technology specialists and members of the business community. 
Their insights and experience are valuable and very much 
appreciated.
    I don't know if everyone knows the polling data, but 
recently Common Sense Media published some results that said 85 
percent of parents say they're more concerned about online 
privacy than they were 5 years ago.
    Seventy-five percent of parents don't think social 
networking sites do a good job of protecting their children's 
online privacy.
    Ninety-one percent of parents think search engines and 
social networking sites should not be able to share kid's 
physical location with other companies until parents give 
authorization.
    So these are just a few of the issues that we'll hear about 
today. And that as the Senate Commerce Committee and the Senate 
as a whole and the Congress as a whole moves through this 
Congress we'll try to work through these issues as best we can.
    Again, Senator Hutchison is on the way. And we'll recognize 
her in a few moments for her opening statement. But until she 
gets here, Senator Kerry would you like to say a few words?
    [The prepared statement of Senator Pryor follows:]

   Prepared Statement of Hon. Mark Pryor, U.S. Senator from Arkansas
    Welcome to the Commerce Committee's hearing on ``The State of 
Online Consumer Privacy.''
    Today we meet to discuss a challenging endeavor: how to balance a 
free Internet--the ability to access free content and services for all 
users--with concerns raised about users' privacy and general 
information collection practices online.
    Consumers can conduct research and read online newspapers. They can 
write e-mails and respond to each other in real time. Some of them may 
be worried about how their information is being collected online. Some 
of them may be willing to surrender some information in exchange for 
free content.
    I look forward to listening to all sides to determine how best to 
negotiate these perspectives: consumers' privacy concerns with a desire 
to preserve a robust and thriving Internet experience for all users.
    First, we'll hear from the Federal Trade Commission and the 
Department of Commerce, both of which recently issued reports on 
consumer privacy and data security. I look forward to examining their 
findings.
    On the second panel, we'll hear from consumer advocates, technology 
specialists and members of the business community. Their insights and 
experience are valuable and appreciated.
    While industry has dedicated much time to developing basic self-
regulatory principles and their efforts are a great starting point, 
they alone have not eased peoples' concerns about the collection of 
their personal information from on-line sources. And they will not, 
alone, prevent abuses from unscrupulous people and organizations.
    This is particularly true when it comes to information collected 
on-line about kids. The supporting statistics are clear. According to 
Common Sense Media:

   85 percent of parents say they are more concerned about 
        online privacy than they were 5 years ago;

   75 percent of parents don't think social networking sites do 
        a good job of protecting children's online privacy;

   91 percent of parents think search engines and social 
        networking sites should not be able to share kids' physical 
        location with other companies until parents give authorization.

    The Federal Trade Commission stressed in its December staff report 
the importance of improving transparency and consumer choice in the 
online privacy arena.
    Incomprehensible privacy policies and user agreements are out. 
Better disclosures, better consumer choice and improved safety features 
are in.
    Of course, one of the most elusive challenges we face as a society 
is how to address the seemingly permanent nature of written comments 
and information shared on the Internet. In other words, what will new 
kinds of information ``sharing'' mean for our children's future--and 
for their reputations?
    Will they be discriminated against with insurers or future 
employers based on financial, health or personal data they disclosed 
online when they were teenagers--due to an assumption that the 
information they shared would be protected--or based on an assumption 
that they were controlling who could see that information?
    Is it clearly explained to them that when they download certain 
applications or ``apps'' on their phones or computers, they may be 
allowing those ``apps'' to access their personal information--or their 
specific geographic location at any point in time?
    Many people in their teens and twenties now may well opt to share 
this kind of information--thinking that the privacy trade-offs are well 
worth it--but they should go into those choices with their eyes open.
    Behavioral advertising has transformed the advertising industry. 
That isn't going to change. In fact, if anything, it will increase as 
more and more varied types of retailers and services do business 
online.
    However, there's an inherent trade-off between free online content 
and the sale of personal information that keeps it free. We need to 
discuss the proper balance and think about whether this trade-off will 
remain relevant into the future.
    Finally, one of the most important questions and one I'm focused on 
this year is whether we should treat adults and children differently 
online and have different requirements for the collection and 
dissemination of their information.
    These questions will engage the attention of this Committee during 
the 112th Congress and for a long time to come. I will be working over 
the coming months in an effort to address several of these issues.
    And nothing is off the table. I welcome the witnesses with us today 
and I look forward to hearing their testimony.

               STATEMENT OF HON. JOHN F. KERRY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Kerry. Thank you, Mr. Chairman. I would like to 
just for a sec.
    First of all thanks for having this hearing with Senator 
Rockefeller, I know, wanted to be here, but was unable to be.
    And thanks for your leadership and stewardship on these 
issues.
    I must say I was impressed by the energy and amount of--
we're talking about the social network. It was a hell of a 
social network in here before this hearing started.
    [Laughter.]
    Senator Kerry. A lot of chatter.
    As we all know modern technology allows private entities to 
observe the activities and actions of Americans on a scale that 
is unimaginable. And there's no general law of commerce to 
govern that surveillance. And that's why I intend, along with 
other colleagues, to propose one, a commercial privacy bill of 
rights.
    The purpose of the legislation, I want to emphasize, is not 
to discourage information sharing but rather to encourage it. 
But under a common code of conduct that respects the rights of 
both the people sharing the information and the legitimate 
organizations collecting and using it on fair terms and 
conditions. I think the folks that we've been working with, 
many of them here today in the industries, know that throughout 
my tenure on this Committee and now as Chair of the 
Communications Subcommittee, I have worked hard to protect the 
innovation and open architecture of the net.
    I've worked hard to fight for net neutrality. I've worked 
hard to prevent taxation and other things. So I believe in this 
now vital resource for our country in so many ways. But it is 
important to recognize that increasingly the American people 
have concerns and express those concerns.
    Every single app that any one of us applies to our 
smartphone or child applies to it is an observational 
opportunity for a private company. And, amazingly, Internet 
users collectively sent 107 trillion, that's with a ``t,'' e-
mail messages in 2010. Each of those messages is a scanable 
entity for key words that indicate the interests or patterns of 
the people who send them.
    Facebook started 2010 with 350 million users and ended it 
with more than 600 million, almost all of which are sharing 
information broadly whether they realize it or not. And the 
collection and use of information offline from grocery stores 
to hotels to airlines has also reached a record high enhancing 
the data businesses collect online.
    So on the positive side, all of this information sharing is 
generating enormous economic activity. And we like that. We 
want that. And it encourages all kinds of innovation. And we 
want that.
    But it's also created new opportunities for unethical 
collectors of information, unwilling to abide by fair 
information practice principles. And the question can be asked, 
why should they? Because, you know, there's no law that 
requires that they do. That has understandably generated a lot 
of anxiety among Americans about protecting their identity, 
protecting their personal information, protecting their habits. 
Protecting the choices that they make which they think they're 
making in the privacy of their relationship to their keyboard 
and to their computer or to their phone or whatever instrument 
they're using, iPad, otherwise.
    People have asked so what's the problem that this 
legislation would seek to solve? Well under current law there 
are companies today engaged in the practice of harvesting 
information from websites and elsewhere and using and selling 
the information without the consent and/or notification or 
knowledge of the people to whom that information pertains. 
There are also companies engaged in the practice of using and 
collecting information that are not building privacy into the 
design of their services and as a result they lack the 
appropriate procedures and protections to ensure people's 
information is secured and being treated fairly. Once a 
person's information is collected there are no legal 
restrictions on the further distribution other than those that 
the collector chooses to impose on themselves.
    And lastly, Americans cannot today demand that someone who 
has collected their information stop using it.
    Each of these activities is a problem that Americans are 
asking us to address. Now I've long thought that baseline 
privacy protections in law were sort of a matter of common 
sense. And over the last 6 months I've reached out to our 
colleagues on both sides of the aisle, to privacy experts at 
firms, in academia and to the advocacy community with one 
simple goal--to figure out why we haven't reached a consensus 
on a national standard for the treatment of people's 
information and what we can do to establish one.
    And let me just say thank you to many of the people here 
today. There's been a very positive reaction to this, a 
concerted effort. The Obama Administration, the Commerce 
Department, others are working diligently to try to help mold 
this, shape it. And I've been impressed by the cooperative 
atmosphere within which everybody is working.
    Many of the companies that have rejected legislation in the 
past have made massive investments in privacy protection for 
their own customers and at their own firms. A fair share of 
them now have Chief Privacy Officers, who care deeply about the 
issue. And they've spent a lot of time thinking about it.
    These are serious people. Many of them here. Some of them 
will testify today. And they believe people's information is 
deserving of respect and protection not just because it makes 
good business sense to protect your customers but also because 
I believe they think it's the right thing to do. And it's in 
keeping with a sort of value system and ethic that we share 
here in America about individuality and privacy.
    The entire goal of the drafting process that we're using to 
write a commercial privacy bill of rights is to win pro-
privacy, pro-innovation experts over to the side of 
establishing a common code of conduct so that their customers 
are not just protected when working with them, but generally 
protected in the course of commerce. And I think we all benefit 
by that. I believe that gaining these allies will depend on our 
willingness to recognize and respect the obvious good that can 
come from appropriate collection and the use of data while also 
allowing for experimentation and flexibility in the 
implementation of privacy practices through the establishment 
of safe harbor programs.
    So we approach this with a real open mind. And I think 
people will acknowledge a fair amount of reasonableness and 
flexibility. But we can't let the status quo stand. We can't 
continue to allow the collectors of people's information to 
dictate the level of privacy protection that Americans will get 
when they engage in commerce. And we can't continue to let the 
firms that provide no protections, provide misleading 
statements in some cases, about protection, about a protection 
that they can change at will, at whim, at fancy or allow them 
just to send the information along to others without regard to 
where it goes or under what conditions that it goes there.
    So my--Mr. Chairman, I hope we're going to establish clear 
and flexible rules for behavior in our legislation. And if not, 
I think everybody understands that enforcement agencies are 
going to step up and react against unfair and/or deceptive 
practices with cases that will be built sort of individually as 
you go along with less clear direction than we could provide if 
we do this in a sensible, legislative way. If we don't act, the 
world's largest markets will continue to impose on our 
innovators their own rules for private e-protection. And I 
believe those rules could well wind up being less flexible and 
less innovative than what I will be proposing.
    So I look forward to working with the witnesses here today. 
And I thank you very much, Mr. Chairman, for allowing me to 
make that statement.
    Senator Pryor. Thank you.
    Senator Isakson?

               STATEMENT OF HON. JOHNNY ISAKSON, 
                   U.S. SENATOR FROM GEORGIA

    Senator Isakson. Thank you, Mr. Chairman. I'll be brief but 
I can't help but think as I was listening to Senator Kerry 
speak, I ran a company for 22 years and we did about $1.2 
million in advertising in various mediums to sell our product. 
And we would always pick the medium whether it was TV or radio 
or classified newspaper or display in a magazine by trying to 
pick the medium we thought the most people would be potential 
customers for our product would actually go to. And that 
provided anonymity for the potential customer and made me do a 
lot of thinking.
    What the Internet has done and technology has done it's 
allowed that anonymous information that was subject to analysts 
and guesses to become a potential commodity that could actually 
be sold for purposes other than that determination. So I think 
it's at a very appropriate time that the Commerce Committee 
look at this, because of the expanse of the Internet, the 
expanse of the information and what is taking place in the 
revolution that it's brought to American marketing.
    So I look forward to being a part of the Committee, a part 
of the work. And look forward to working with Senator Kerry, 
Senator Pryor and the others on the Committee to find the right 
message to send and the right road to go down.
    Thank you, Mr. Chairman.
    Senator Pryor. Thank you.
    Now our first panel here both of these witnesses we have 
extraordinary bios and lists of accomplishments that we could 
discuss and we will submit for the record.
    But what I'd like to do is just simply introduce them as 
the Honorable Jon D. Leibowitz, Chairman of the Federal Trade 
Commission.
    And the Honorable Lawrence E. Strickling, the Administrator 
of the National Telecommunications and Information 
Administration.
    Chairman Leibowitz?

  STATEMENT OF HON. JON D. LEIBOWITZ, CHAIRMAN, FEDERAL TRADE 
                           COMMISSION

    Mr. Leibowitz. Thank you, Chairman Pryor. And Senator 
Kerry, Senator Isakson and let me also mention Senator 
Rockefeller, thank you for your leadership on privacy issues as 
well as for giving me the opportunity to be here with Larry 
Strickling from the Department of Commerce. Our two agencies 
have a very long history of cooperation, and we are eager to 
build on that as we work together to protect consumer privacy 
while ensuring business growth and innovation.
    As you know, over the past several decades the FTC has 
protected privacy through law enforcement, through education 
and through policy efforts. Just this week we announced our 
first major enforcement effort aimed at abusive behavioral 
marketing practices. We charged the online advertising network 
Chitika with violating the FTC Act by offering consumers the 
ability to opt-out of targeted advertising but without telling 
them that the opt-out vanished in 10 days.
    That vanishing opt-out, a 10-day vanishing opt-out, is not 
only wrong, it is unacceptable. Consumers deserve meaningful 
and not illusory control over what companies do with their 
personal information. Chitika has agreed to an order that 
requires it to destroy personal data it collected and provide 
an opt-out on all ads that's effective for at least 5 years.
    This case, and it is the first of many more privacy 
enforcement cases you'll see from us, should send a strong 
signal to the online ad industry. The FTC will not tolerate 
attempts to subvert consumer choice. And overall we have 
brought well over 100 spam and spyware cases and 30 data 
security cases over the last 10 years.
    Turning to the policy front. As I heard in your opening 
statements recognizing the real benefits of information 
collection, the status quo, as you said, Senator Kerry, isn't 
acceptable. We released a report on consumer privacy in 
December designed to reduce privacy burdens on both businesses 
and consumers alike while ensuring business growth and 
continuing Internet innovation. The report made three primary 
recommendations.
    First, companies need to bake in privacy protections like 
data security and accuracy into all of their activities. We 
call that privacy by design.
    Second, choices about privacy of personal data should be 
presented to consumers in a simple way, and at the time they 
are making decisions about that data.
    And third, transparency needs to be improved. Privacy 
notices must be clearer, shorter and more standardized, 
otherwise no one will read them. And indeed very few people 
actually do.
    The comment period on the proposed new framework just 
closed and we received 446 comments, which may be a record for 
us. And we expect to issue a final report later this year.
    To further the idea of simplifying choices for consumers, 
the report recommended a Do Not Track mechanism. Now while that 
name sounds similar to our Do Not Call registry, which the 
government runs, we're looking instead to the private sector to 
create a way for consumers to choose whether to allow their 
Internet surfing to be monitored. Simply put you should have a 
choice, all of us should have a choice about whether third 
parties, all invisible to us, can trail us around the Internet 
as we shop or search for information about say, a medical 
diagnosis.
    This goes back to your point about the deanonymization of 
information here and over the last 10 years when you're 
thinking about the Internet. Do Not Track will give all 
Americans a choice about whether to be followed online. More 
than that, when data is protected consumers will more readily 
trust companies in the marketplace and that encourages business 
growth and business innovation.
    Now stakeholders have responded very, very positively to 
our call for Do Not Track. Two of the largest browser 
companies, Microsoft and Mozilla, rolled out new mechanisms to 
allow consumers control over the use of their personal 
information for online behavioral advertising. The industry has 
now demonstrated that Do Not Track is feasible so the 
discussion turns to which approach is best.
    One promising effort involves an industry coalition 
comprised of media and ad marketing companies in an association 
known as the Digital Advertising Alliance. The Alliance has 
developed an icon which they hope will be deployed industry 
wide that will display in targeted advertisements and link to 
more information and choices. For my part, I still remain 
concerned that the current proposal won't result in a permanent 
opt-out for all ad networks. And it doesn't allow consumers to 
control collection of their personal data just the blocking of 
ads that go back to them.
    But many of the Alliance's members want to go further to 
protect consumers. My understanding--and actually it's in 
today's Wall Street Journal as well--is that there's a sort of 
insurgent group of more than 30 companies that wants to 
prohibit most types of tracking and embrace the Mozilla header. 
And so we're cautiously optimistic that the Alliance is moving 
in the right direction.
    Mr. Chairman, I ask for unanimous consent for an additional 
minute.
    Senator Pryor. Sure. Absolutely.
    Mr. Leibowitz. So from my perspective I'm sort of agnostic 
as to whether the private sector should implement Do Not Track 
or if Congress should require it. I think sometimes it's easier 
for the private sector to do it. But we do need to make sure 
that Do Not Track isn't just an empty slogan but that it really 
works for the American people.
    There are five critical principles that we believe should 
be included in any robust, effective Do Not Track mechanism.
    One, Do Not Track should be universal so the consumers 
don't have to repeatedly make choices on a company by company 
basis.
    Two, Do Not Track should be easy to find and easy to use.
    Three, any choices offered should be persistent and should 
not be deleted if for example, a consumer clears his or her 
``cookies'' or turns off a computer.
    Four, Do Not Track should not only allow consumers to opt-
out of advertising, it should allow them to opt-out of tracking 
all together. And personally, from my perspective, I don't mind 
getting targeted ads. I think there's a real benefit to that. 
But people ought to be given a choice about whether or not they 
want to be tracked.
    And finally, it should be effective and enforceable without 
technical loopholes.
    We hope to continue to see the private sector develop tools 
that meet these standards more broadly. We're hopeful that 
American businesses will step up their efforts. And we've 
started to see them protect consumer privacy by applying the 
consensus principles from our report: privacy by design, 
transparency and consumer choice. Working together with this 
Committee, and with the Department of Commerce, we believe we 
can make that happen.
    So I thank you for this hearing.
    [The prepared statement of Mr. Leibowitz follows:]

           Prepared Statement of the Federal Trade Commission
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, I am Jon Leibowitz, Chairman of the Federal Trade Commission 
(``FTC'' or ``Commission''). I appreciate the opportunity to present 
the Commission's testimony on privacy.\1\
---------------------------------------------------------------------------
    \1\ This written statement represents the views of the Federal 
Trade Commission. Commissioner Kovacic dissents. His concerns about the 
Commission's testimony, and the report by its staff, are set forth in 
his statement on the latter. In particular, he believes that the 
endorsement of a Do Not Track mechanism by staff (in the report) and 
the Commission (in this testimony) is premature. My oral presentation 
and responses are my own and do not necessarily reflect the views of 
the Commission or of any other Commissioner.
---------------------------------------------------------------------------
    Privacy has been an important component of the Commission's 
consumer protection mission for 40 years. During this time, the 
Commission has employed a variety of strategies to protect consumer 
privacy, including law enforcement, regulation, outreach to consumers 
and businesses, and policy initiatives.\2\
---------------------------------------------------------------------------
    \2\ Information on the FTC's privacy initiatives generally may be 
found at http://business.ftc.gov/privacy-and-security.
---------------------------------------------------------------------------
    Over the years, the Commission's goal in the privacy arena has 
remained constant: to protect consumers' personal information and 
ensure that they have the confidence to take advantage of the many 
benefits offered by the dynamic and ever-changing marketplace. To meet 
this objective, the Commission has periodically re-examined its 
approach to privacy to ensure that it keeps pace with advances in 
technology and changing business practices as well as to ensure that 
incentives for American innovation are maintained. The latest effort in 
this process is a Preliminary FTC Staff Report, released in December, 
which proposes a framework for protecting consumer privacy in this era 
of rapid technological change. This proposed framework is intended to 
inform policymakers, including Congress, as they develop solutions, 
policies, and potential laws governing privacy, and guide and motivate 
industry as it develops more robust and effective best practices and 
self-regulatory guidelines.
    This testimony begins by describing the Commission's recent efforts 
to protect consumer privacy through law enforcement, education, and 
policy initiatives. It then sets forth some highlights from the Staff 
Report on consumer privacy, and concludes with a discussion of issues 
related to a universal choice mechanism for behavioral tracking, 
commonly referred to as ``Do Not Track''.
I. The FTC's Efforts to Protect Consumer Privacy
A. Enforcement
    The Commission continues to pursue an aggressive and bipartisan 
privacy enforcement agenda. In the last 15 years, it has brought 32 
data security cases; 64 cases against companies for improperly calling 
consumers on the Do Not Call registry; 86 cases against companies for 
violating the Fair Credit Reporting Act (``FCRA''); \3\ 97 spam cases; 
15 spyware (or nuisance adware) cases; and 15 cases against companies 
for violating the Children's Online Privacy Protection Act (``COPPA''). 
Where the FTC has authority to seek civil penalties, it has 
aggressively done so. It has obtained $60 million in civil penalties in 
Do Not Call cases, $21 million in civil penalties under the FCRA, $5.7 
million under the CAN-SPAM Act,\4\ and $3.2 million under COPPA. Where 
the Commission does not have authority to seek civil penalties, as in 
the data security and spyware areas, it has sought such authority from 
Congress. In addition, the Commission has brought numerous cases 
against companies for violating the FTC Act by making deceptive claims 
about the privacy protection they afford to the information they 
collect, which has the effect of undermining consumer choices on 
privacy. This testimony describes four such cases that the Commission 
has brought within the past several months.
---------------------------------------------------------------------------
    \3\ 15 U.S.C.  1681e-i.
    \4\ 15 U.S.C.  7701-7713.
---------------------------------------------------------------------------
    Just this week, the Commission announced its first online 
behavioral advertising case against an online network advertiser, 
Chitika, that acts as an intermediary between website publishers and 
advertisers. The Commission alleged that Chitika violated the FTC Act 
by offering consumers the ability to opt-out of the collection of 
information to be used for targeted advertising--without telling them 
that the opt-out lasted only 10 days.\5\ The Commission's order 
prohibits Chitika from making future privacy misrepresentations. It 
also requires Chitika to provide consumers with an effective opt-out 
mechanism, link to this opt-out mechanism in its advertisements, and 
provide a notice on its website for consumers who may have opted out 
when Chitika's opt-out mechanism was ineffective. Finally, the order 
requires Chitika to destroy any data that can be associated with a 
consumer that it collected during the time its opt-out mechanism was 
ineffective.
---------------------------------------------------------------------------
    \5\ Chitika, Inc., FTC File No. 102 3087 (Mar. 14, 2011) (consent 
order accepted for public comment).
---------------------------------------------------------------------------
    Second, earlier this month, the Commission approved a final consent 
order in a case involving the social networking service Twitter.\6\ On 
one level, Twitter is a traditional data security case--the FTC charged 
that serious lapses in the company's data security allowed hackers to 
obtain unauthorized administrative control of Twitter. As a result, 
hackers had access to private ``tweets'' and non-public user 
information and took over user accounts, including among others, those 
of President Obama and Rupert Murdoch. On another level, the case 
stands for the proposition that social networking services must honor 
the commitments they make to keep their users' communications private. 
The order prohibits misrepresentations about the extent to which 
Twitter protects the privacy of communications, requires Twitter to 
maintain reasonable security, and mandates independent, comprehensive 
audits of Twitter's security practices.\7\
---------------------------------------------------------------------------
    \6\ Twitter, Inc., FTC File No. 092 3093 (Mar. 11, 2011) (consent 
order) (resolving allegations that Twitter deceived its customers by 
failing to honor their choices to designate certain ``tweets'' as 
private).
    \7\ Many of the Commission's earliest consumer privacy cases 
similarly held companies accountable for their privacy statements and 
practices. See, e.g., GeoCities, Inc., FTC Docket No. C-3850 (Feb. 5, 
1999) (consent order) (alleging that company misrepresented the 
purposes for which it was collecting personal information from both 
children and adults); Liberty Fin. Cos., FTC Docket No. C-3891 (Aug. 
12, 1999) (consent order) (alleging that site falsely represented that 
personal information collected from children, including information 
about family finances, would be maintained anonymously); FTC v. 
ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 10, 2000) (consent 
order) (alleging that online auctionsite obtained consumer data from 
competitor site and then sent deceptive, unsolicited e-mail messages to 
those consumers seeking their business); FTC v. Toysmart.com LLC, 00-
CV-11341-RGS (D. Mass. filed July 10, 2000) (alleging site attempted to 
sell personal customer information, despite the representation in its 
privacy policy that such information would never be disclosed to a 
third party); FTC v. Rennert, No. CV-S-00-0861-JBR (D. Nev. July 24, 
2000) (consent order) (alleging that defendants misrepresented their 
security practices and how they would use consumer information); Educ. 
Research Ctr. of Am., Inc.; Student Marketing Grp., Inc., FTC Docket 
No. C-4079 (May 6, 2003) (consent order) (alleging that personal data 
collected from students for educational purposes was sold to commercial 
marketers); The Nat'l Research Ctr. for College & Univ. Admissions, FTC 
Docket No. C-4071 (Jun. 28, 2003) (consent order) (same); Gateway 
Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004) (consent order) 
(alleging that company rented customer information to list brokers in 
violation of its privacy policy); Vision I Props., LLC, FTC Docket No. 
C-4135 (Apr. 19, 2005) (consent order) (alleging that a service 
provider disclosed customer information in violation of merchant 
privacy policies). Sears Holdings Mgmt. Corp., FTC Docket No. C-4264 
(Aug. 31, 2009) (consent order).
---------------------------------------------------------------------------
    Third, in December, the Commission announced a case against 
EchoMetrix, a company selling a software program called Sentry Parental 
Controls that enables parents to monitor their children's activities 
online. The Commission alleged that EchoMetrix sold certain information 
that it collected from children via this software to third parties for 
marketing purposes, without telling parents. The Commission's order 
prohibits the company from sharing information gathered from its 
monitoring software and requires the company to destroy any such 
information in its database of marketing information.\8\
---------------------------------------------------------------------------
    \8\ FTC v. Echometrix, Inc., No. CV10-5516 (E.D.N.Y. Nov. 30, 2010) 
(consent order).
---------------------------------------------------------------------------
    Finally, in September, the Commission settled a case against U.S. 
Search, a data broker that maintained an online service, which allowed 
consumers to search for information about others. The company allowed 
consumers to opt-out of having their information appear in search 
results, for a fee of $10. Although 4,000 consumers paid the fee and 
opted out, their personal information still appeared in search results. 
The Commission's settlement requires U.S. Search to disclose 
limitations on its opt-out offer, and to provide refunds to consumers 
who had previously opted out.\9\
---------------------------------------------------------------------------
    \9\ US Search, Inc., FTC File No. 102 3131 (Sept. 22, 2010) 
(consent order accepted for public comment).
---------------------------------------------------------------------------
    In addition to these privacy enforcement actions, the Commission 
has been aggressive on the data security front to ensure that companies 
protect the sensitive data they collect about consumers. In February 
2011, three companies that resell consumers' credit reports agreed to 
settle FTC charges that they did not take reasonable steps to protect 
consumers' personal information, which allowed computer hackers to 
access more than 1,800 credit reports via their clients' computer 
networks. These are the first cases the FTC has brought against credit 
report resellers for their failure to ensure that the companies to whom 
they provide consumer reports maintain reasonable security.\10\ The 
Commission alleged that the resellers violated the FCRA, the Gramm-
Leach-Bliley Safeguards Rule, and Section 5 of the FTC Act. The consent 
orders bar the companies from violating these laws, require them to 
implement comprehensive information security programs, and require them 
to obtain independent audits, every other year for 20 years.
---------------------------------------------------------------------------
    \10\ SettlementOne Credit Corp., File No. 082 3208; ACRAnet, Inc., 
File No. 092 3088; and Fajilan and Associates, Inc., File No. 092 3089 
(Feb. 3, 2011) (consent orders accepted for public comment).
---------------------------------------------------------------------------
B. Consumer and Business Education
    The FTC has done groundbreaking outreach to businesses and 
consumers in the area of consumer privacy. For example, the 
Commission's well-known OnGuard Online website educates consumers about 
spam, spyware, phishing, peer-to-peer (``P2P'') file sharing, social 
networking, laptop security, and identity theft.\11\ The FTC has 
developed additional resources specifically for children, parents, and 
teachers to help children stay safe online. In response to the 
Broadband Data Improvement Act of 2008, the FTC produced the brochure 
Net Cetera: Chatting with Kids About Being Online to give adults 
practical tips to help children navigate the online world.\12\ The 
publication includes information about how parents should talk to 
children about online privacy, sexting, and cyberbullying. In less than 
1 year, the Commission already has distributed more than 7 million 
copies of Net Cetera to schools and communities nationwide. The 
Commission also offers specific guidance to young people concerning 
certain types of Internet services, including, for example, social 
networking and video and photo sharing.\13\
---------------------------------------------------------------------------
    \11\ See http://www.onguardonline.gov/topics/social-networking-
sites.aspx. Since its launch in 2005, OnGuard Online and its Spanish-
language counterpart Alertaena Linea have attracted nearly 12 million 
unique visits.
    \12\ See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start 
with Online Child Safety Campaign (Mar. 31, 2010), available at http://
www.ftc.gov/opa/2010/03/netcetera.shtm.
    \13\ See http://www.onguardonline.gov/topics/social-networking-
sites.aspx; http://www.on
guardonline.gov/topics/net-cetera-mobile-phones.aspx.
---------------------------------------------------------------------------
    Most recently, the FTC released a consumer education publication on 
the safe use of wi-fi hot spots.\14\ The publication, available on the 
FTC and Onguard Online websites, explains that when using wireless 
networks, consumers should convey personal information only if it is 
encrypted--either through an encrypted website or a secure network. The 
piece notes that an encrypted website is one whose URL begins with 
``https'', rather than ``http''; it further notes that in order to be 
secure, a Wi-Fi network must be password-protected.
---------------------------------------------------------------------------
    \14\ See http://www.onguardonline.gov/topics/hotspots.aspx.
---------------------------------------------------------------------------
    Business education is also an important priority for the FTC. For 
example, the Commission developed a widely-distributed guide to help 
small and medium-sized businesses implement appropriate data security 
for the personal information they collect and maintain.\15\ The FTC 
also develops business education materials to respond to specific 
emerging issues, such as a recent brochure on security risks associated 
with P2P file-sharing software.\16\
---------------------------------------------------------------------------
    \15\ See Protecting Personal Information: A Guide For Business, 
available at http://www.ftc
.gov/infosecurity.
    \16\ See generally http://business.ftc.gov/privacy-and-security.
---------------------------------------------------------------------------
C. Policy and Rulemaking Initiatives
    The Commission's efforts with respect to privacy include public 
workshops and reports to examine the implications of new technologies 
on consumer privacy. For example, in November 2007, the Commission held 
a two-day Town Hall event to discuss the privacy implications of online 
behavioral advertising.\17\ Based upon the Town Hall discussions, staff 
released for public comment a set of proposed principles to encourage 
industry members to improve their behavioral advertising practices.\18\ 
Thereafter, in February 2009, staff released a report (``OBA Report'') 
setting forth the following revised principles based on the comments 
received: (1) transparency and consumer control; (2) reasonable 
security and limited retention for consumer data; (3) affirmative 
express consent for material retroactive changes to privacy policies; 
and (4) affirmative express consent for the use of sensitive data.\19\
---------------------------------------------------------------------------
    \17\ FTC Town Hall, Ehavioral Advertising: Tracking, Targeting, & 
Technology (Nov.1-2, 2007), available at http://www.ftc.gov/bcp/
workshops/ehavioral/index.shtml.
    \18\ See FTC Staff, Online Behavioral Advertising: Moving the 
Discussion Forward to Possible Self-Regulatory Principles (Dec. 20, 
2007), available at http://www.ftc.gov/os/2007/12/P859900stmt.pdf.
    \19\ See FTC Staff Report: Self-Regulatory Principles For Online 
Behavioral Advertising (Feb. 2009), available at http://www.ftc.gov/os/
2009/02/P085400behavadreport.pdf, at 33-37, 46. The revisions primarily 
concerned the principles' scope and application to specific business 
models. Id. at 20-30.
---------------------------------------------------------------------------
    The Commission also reviews its rules periodically to ensure that 
they are appropriately updated in light of changes in the marketplace. 
For example, the Commission is currently reviewing its rule 
implementing the COPPA and anticipates completing that review in the 
coming months.\20\
---------------------------------------------------------------------------
    \20\ See http://business.ftc.gov/documents/coppa-rulemaking-and-
rule-reviews; Request for Public Comment on the Federal Trade 
Commission's Implementation of the Children's Online Privacy Protection 
Rule, 17 Fed. Reg. 17089 (Apr. 5, 2010), available at http://
www.ftc.gov/os/fedreg/2010/april/P104503coppa-rule.pdf.
---------------------------------------------------------------------------
II. Privacy Roundtables and Report
    The Commission also recently conducted a series of public 
roundtables on consumer privacy,\21\ which took place in December 2009, 
and January and March 2010. The roundtables served to explore the 
effectiveness of current privacy approaches in addressing the 
challenges of the rapidly evolving market for consumer information, 
including consideration of the risks and benefits of consumer 
information collection and use; consumer expectations surrounding 
various information management practices; and the adequacy of existing 
legal and self-regulatory regimes to address privacy interests. Staff 
issued a preliminary privacy report in December 2010,\22\ which 
discusses the major themes that emerged from these roundtables, 
including the ubiquitous collection and use of consumer data; 
consumers' lack of understanding and ability to make informed choices 
about the collection and use of their data; the importance of privacy 
to many consumers; the significant benefits enabled by the increasing 
flow of information; and the blurring of the distinction between 
personally identifiable information and supposedly anonymous or de-
identified information.\23\
---------------------------------------------------------------------------
    \21\ See Press Release, FTC, FTC to Host Public Roundtables to 
Address Evolving Privacy Issues (Sept. 15, 2009), available at http://
www.ftc.gov/opa/2009/09/privacyrt.shtm.
    \22\ See A Preliminary FTC Staff Report on Protecting Consumer 
Privacy in an Era of Rapid Change: A Proposed Framework for Businesses 
and Policymakers (Dec. 1, 2010), available at http://www.ftc.gov/os/
2010/12/101201privacyreport.pdf. Commissioners Kovacic and Rosch issued 
concurring statements available at http://www.ftc.gov/os/2010/12/
101201privacy
report.pdf at Appendix D and Appendix E, respectively.
    \23\ Id. at 22-38.
---------------------------------------------------------------------------
    At the roundtables, stakeholders across the board emphasized the 
need to improve the transparency of businesses' data practices, 
simplify the ability of consumers to exercise choices about how their 
information is collected and used, and ensure that businesses take 
privacy-protective measures as they develop and implement systems that 
involve consumer information. At the same time, the roundtable 
commenters and participants urged regulators to be cautious about 
restricting the exchange and use of consumer data in order to preserve 
the substantial consumer benefits made possible through the flow of 
information. Based on these comments, the preliminary staff privacy 
report proposed a new framework to guide policymakers and industry as 
they consider further steps to improve consumer privacy protection.
A. The Proposed Framework
    The proposed framework included three main concepts. First, FTC 
staff proposed that companies should adopt a ``privacy by design'' 
approach by building privacy protections into their everyday business 
practices. Such protections include providing reasonable security for 
consumer data, collecting only the data needed for a specific business 
purpose, retaining data only as long as necessary to fulfill that 
purpose, safely disposing of data no longer in use, and implementing 
reasonable procedures to promote data accuracy. Companies also should 
implement and enforce procedurally sound privacy practices throughout 
their organizations, including, for example, assigning personnel to 
oversee privacy issues, training employees on privacy issues, and 
conducting privacy reviews when developing new products and services. 
Such concepts are not new, but the time has come for industry to 
implement them systematically. Implementation can be scaled, however, 
to each company's business operations. For example, the Staff Report 
recommended that companies that collect and use small amounts of 
nonsensitive consumer data should not have to devote the same level of 
resources to implementing privacy programs as companies that collect 
vast amounts of consumer data or data of a sensitive nature.
    Second, the Commission staff proposed that companies provide 
simpler and more streamlined choices to consumers about their data 
practices. Under this approach, consumer choice would not be necessary 
for a limited set of ``commonly accepted'' data practices, thus 
allowing clearer, more meaningful choice with respect to practices of 
greater concern. This component of the proposed framework reflects the 
concept that consumers reasonably expect companies to engage in certain 
practices namely, product and service fulfillment, internal operations 
such as assessing the quality of services offered, fraud prevention, 
legal compliance, and first-party marketing. Some of these practices, 
such as a retailer's collection of a consumer's address solely to 
deliver a product the consumer ordered, are obvious from the context of 
the transaction, and therefore, consumers' consent to them can be 
inferred. Others are sufficiently accepted or necessary for public 
policy reasons that companies need not request consent to engage in 
them. The Staff Report suggested that by clarifying those practices for 
which consumer consent is unnecessary, companies will be able to 
streamline their communications with consumers, which will reduce the 
burden and confusion on consumers and businesses alike.
    For data practices that are not ``commonly accepted,'' consumers 
should have the ability to make informed and meaningful choices. To be 
most effective, choices should be clearly and concisely described and 
offered at a time and in a context in which the consumer is making a 
decision about his or her data. Depending upon the particular business 
model, this may entail a ``just-in-time'' approach, in which the 
company seeks consent at the point a consumer enters his personal data 
or before he accepts a product or service. One way to facilitate 
consumer choice is to provide it in a uniform and comprehensive way. 
Such an approach has been proposed for behavioral advertising, whereby 
consumers would be able to choose whether to allow the collection and 
use of data regarding their online searching and browsing activities. 
This idea is discussed further below.
    Third, the Staff Report proposed a number of measures that 
companies should take to make their data practices more transparent to 
consumers. For instance, in addition to providing the contextual 
disclosures described above, companies should improve their privacy 
notices so that consumers, advocacy groups, regulators, and others can 
compare data practices and choices across companies, thus promoting 
competition among companies. The staff also proposed providing 
consumers with reasonable access to the data that companies maintain 
about them, particularly for non-consumer-facing entities such as data 
brokers. Because of the significant costs associated with access, the 
Staff Report noted that the extent of access should be proportional to 
both the sensitivity of the data and its intended use. In addition, the 
Staff Report stated that companies must provide prominent disclosures 
and obtain affirmative consent before using data in a materially 
different manner than claimed when the data was collected.
    Finally, the Staff Report proposed that stakeholders undertake a 
broad effort to educate consumers about commercial data practices and 
the choices available to them. Increasing consumer understanding of the 
commercial collection and use of their information is important to both 
empowering consumers to make informed choices regarding their privacy 
and facilitating competition on privacy across companies. In addition 
to proposing these broad principles, the staff sought comment from all 
interested parties to help guide further development and refinement of 
the proposed framework through February 18, 2011. Close to 450 comments 
were received and staff expects to issue a final report this year.
B. Do Not Track
    As noted above, the Staff Report included a recommendation to 
implement a universal choice mechanism for behavioral tracking, 
including behavioral advertising, often referred to as ``Do Not 
Track.'' \24\ Although behavioral tracking benefits consumers by 
helping support online content and services and allowing personalized 
advertising that many consumers value, the practice remains largely 
invisible to most consumers. Some surveys \25\ show that certain 
consumers who are aware of the practice are uncomfortable with it.\26\ 
A recent USA Today/Gallup poll found that 47 percent of consumers would 
like to choose which advertisers may deliver them targeted 
advertisements and 37 percent would like to receive no targeted 
advertisements at all.\27\ In another poll, 80 percent of consumers 
supported a Do Not Track option.\28\ In addition, according to a recent 
Wall Street Journal article, because of concerns that third-party 
tracking may be intrusive, some websites are increasing their scrutiny 
of such third-party tracking on their sites.\29\
---------------------------------------------------------------------------
    \24\ See FTC Staff Report, supra note 22. See also Rosch concurring 
statement, id., in which Commissioner Rosch supported a Do Not Track 
mechanism only if it were ``technically feasible'' and implemented in a 
fashion that provides informed consumer choice regarding all the 
attributes of such a mechanism. To clarify, Commissioner Rosch 
continues to believe that a variety of questions need to be answered 
prior to the endorsement of any particular Do Not Track mechanism.
    \25\ Consumer survey evidence, by itself, has limitations. For 
instance, the way questions are presented may affect survey results. 
Also, while survey evidence may reveal a consumer's stated attitudes 
about privacy, survey evidence does not necessarily reveal what actions 
a consumer will take in real-world situations. The Commission does not 
endorse the reliability or methodology of any surveys discussed herein.
    \26\ See, e.g., Transcript of December 7, 2009, FTC Privacy 
Roundtable, Remarks of Alan Westin of Columbia University, at 93-94, 
available at http://www.ftc.gov/bcp/workshops/privacy
roundtables/PrivacyRoundtable_Dec2009_Transcript.pdf; Written Comment 
of Berkeley Center for Law & Technology, Americans Reject Tailored 
Advertising and Three Activities that Enable It, cmt. #544506-00113, 
available at http://www.ftc.gov/os/comments/privacyroundtable/544506-
00113.pdf; Written Comment of Craig Wills, Personalized Approach to Web 
Privacy Awareness, Attitudes and Actions, cmt. #544506-00119, available 
at http://www.ftc.gov/os/comments/privacyroundtable/544506-00119.pdf; 
Written Comment of Alan Westin, How Online Users Feel About Behavioral 
Marketing and How Adoption of Privacy and Security Policies Could 
Affect Their Feelings, cmt. #544506-00052, available at http://
www.ftc.gov/os/comments/privacyroundtable/544506-00052.pdf; see also 
Poll: Consumers Concerned About Internet Privacy, Consumers Union, 
available at http://www.consumersunion.org/pub/core_tele
com_and_utilities/006189.html.
    \27\ See U.S. Internet Users Ready to Limit Online Tracking for Ads 
(Dec. 21, 2010), available at http://www.gallup.com/poll/145337/
internet-users-ready-limit-online-tracking-ads.aspx.
    \28\ See News Release, Consumer Watchdog, Americans Favor Broad 
Range Of Online Privacy Protections for Consumers (Jul. 27, 2010), 
available at http://www.consumerwatchdog.org/newsrelease/consumer-
watchdog-poll-finds-concern-about-g oogles-wi-spy-snooping.
    \29\ Jessica Vascellaro, Websites Rein in Tracking Tools, Wall St. 
J., Nov. 9, 2010, available at http://online.wsj.com/article/
SB10001424052748703957804575602730678670278.html.
---------------------------------------------------------------------------
    In light of the concerns expressed about online tracking, the Staff 
Report recommended a Do Not Track mechanism. A robust, effective Do Not 
Track system would ensure that consumers can opt-out once, rather than 
having to exercise choices on a company-by-company or transaction-by-
transaction basis. Such a universal mechanism could be accomplished 
through legislation or potentially through robust, enforceable self-
regulation.
    The FTC repeatedly has called on stakeholders to develop and 
implement better tools to allow consumers to control the collection and 
use of their online browsing data.\30\ Industry participants have begun 
to respond to this call. Two major browser vendors, Microsoft and 
Mozilla, have recently announced the development of new choice 
mechanisms for online behavioral advertising that seek to provide 
increased transparency, greater consumer control, and improved ease of 
use.\31\ Just as important, the World Wide Web Consortium (W3C) has 
accepted a submission by Microsoft to consider a technical standard for 
a universal choice mechanism.The W3C announced an April 2011 workshop 
to begin the public dialogue with relevant stakeholders regarding how 
to incorporate do not track preferences into Internet browsing so 
websites can respect a user's preference not to be tracked.\32\ 
Finally, just last week, Stanford's Center for Internet and Society and 
Mozilla jointly submitted a proposal to the Internet Engineering Task 
Force outlining a header-based Do Not Track mechanism and discussing 
how web services should respond to such a mechanism.\33\
---------------------------------------------------------------------------
    \30\ See e.g., Do Not Track: Hearing before the Subcomm. On 
Commerce, Trade and Consumer Prot. of the H. Comm. On Energy and 
Commerce, 111th Cong. (Dec. 2, 2010), available at http://www.ftc.gov/
os/testimony/101202donottrack.pdf (prepared statement of the FTC, 
Commissioner Kovacic dissenting).
    \31\ See Press Release, Microsoft, Providing Windows Customers with 
More Choice and Control of Their Privacy Online with Internet Explorer 
9 (Dec. 7, 2010), available at http://www
.microsoft.com/presspass/features/2010/dec10/12-07ie9privacyqa.mspx; 
Mozilla Blog, Mozilla Firefox 4 Beta, now including ``Do Not Track'' 
capabilities, http://blog.mozilla.com/blog/2011/02/08/mozilla-firefox-
4-beta-now-including-do-not-track-cap abilities/ (Feb. 8, 2011).
    \32\ See W3C Blog, Do Not Track at W3C, http://www.w3.org/QA/2011/
02/do_not_
track_at_w3c.html (Feb. 24, 2011).
    \33\ See Do Not Track: A Universal Third-Party Web Tracking Opt Out 
(Mar. 7, 2011), available at http://tools.ietf.org/html/draft-mayer-do-
not-track-00; see also http://firstpersoncookie.word
press.com/2011/03/09/mozilla-makes-joint-submission-to-ietf-on-d nt/.
---------------------------------------------------------------------------
    The online advertising industry has also made progress in this 
area. For example, an industry coalition comprised of media and 
marketing associations, known as the Digital Advertising Alliance, has 
developed self-regulatory guidelines and an opt-out mechanism for 
behavioral advertising.\34\ The coalition has developed an icon to 
display in or near targeted advertisements that links to more 
information and choices and has pledged to implement this effort 
industry-wide.\35\ The coalition reports that adoption of the icon and 
simplified disclosures grew dramatically at the end of last year.\36\ 
In addition, Google has developed a browser add-on that can be used to 
block targeted advertisements from companies that participate in the 
Digital Advertising Alliance.\37\
---------------------------------------------------------------------------
    \34\ See Press Release, Interactive Advertising Bureau, Major 
Marketing Media Trade Groups Launch Program to Give Consumers Enhanced 
Control over Collection and Use of Web Viewing Data for Online 
Behavioral Advertising (Oct. 4, 2010), available at http://www.iab.net/
about_the_iab/recent_press_releases/press_release_archive/
press_release/pr-100410; Tony Romm and Kim Hart, Political Intel: FTC 
Chairman on Self-Regulatory Ad Effort, POLITICO Forums, http://
dyn.politico.com/members/forums/thread.cfm?catid=24&subcatid=78&
threadid=4611665 (Oct. 11, 2010).
    \35\ The coalition has stated that providing consumers with choices 
about online advertising is essential to building the trust necessary 
for the marketplace to grow. See Interactive Advertising Bureau, supra 
note 34.
    \36\ See Written Comment of the Direct Marketing Assoc. Responding 
to Preliminary Staff Report, cmt. #00449, at 21.
    \37\ See Google Chrome Web Store, Keep My Opt-Outs, available at 
https://chrome.google.com/webstore/detail/
hhnjdplhmcnkiecampfdgfjilccfpfoe; see also Google Public Policy Blog, 
Keep your opt-outs http://googlepublicpolicy.blogspot.com/2011/01/keep-
your-opt-outs.html (Jan. 24, 2011).
---------------------------------------------------------------------------
    These recent industry efforts to improve consumer control are 
promising, but they are still in the embryonic stage, and their 
effectiveness remains to be seen. As industry continues to explore 
technical options and implement self-regulatory programs, and Congress 
continues to examine Do Not Track, several issues should be considered. 
First, any Do Not Track system should be implemented universally, so 
that consumers do not have to repeatedly opt-out of tracking on 
different sites. Second, the choice mechanism should be easy to find, 
easy to understand, and easy to use. Third, any choices offered should 
be persistent and should not be deleted if, for example, consumers 
clear their cookies or update their browsers. Fourth, a Do Not Track 
system should be comprehensive, effective, and enforceable. It should 
opt consumers out of behavioral tracking through any means and not 
permit technical loopholes.\38\
---------------------------------------------------------------------------
    \38\ For example, consumers may believe they have opted out of 
tracking if they block third-party cookies on their browsers; yet they 
may still be tracked through Flash cookies or other mechanisms.
    A Flash cookie, or a Flash local shared object, is a data file that 
is stored on a consumer's computer by a website that uses Adobe's Flash 
player technology. Like a regular http cookie, a Flash cookie can store 
information about a consumer's online activities. Unlike regular 
cookies, Flash cookies are stored in an area not controlled by the 
browser. Thus, when a consumer deletes or clears the cookies from his 
browser using tools provided through the browser, this may not delete 
Flash cookies stored on his computer.
    Recently, a researcher released a software tool that demonstrates 
several technical mechanisms in addition to Flash cookies that websites 
can use to persistently track consumers, even if they have attempted to 
prevent such tracking through existing tools. See http://samy.pl/
evercookie; see also Tanzina Vega, New Web Code Draws Concerns Over 
Privacy Risks, The New York Times, Oct. 10, 2010, available at http://
www.nytimes.com/2010/10/11/business/media/11privacy.html.
---------------------------------------------------------------------------
    Finally, it is important to emphasize what is meant by ``tracking'' 
as stakeholders continue to consider ``Do Not Track'' approaches. 
Consumers certainly may want to opt-out of more than targeted 
advertising--they may want to opt-out of the creation and use of 
behavioral profiles for any secondary purposes. For example, they may 
want to be sure that their browsing behavior is not used to make 
employment or insurance decisions about them. They may also want to 
opt-out of having their browsing behavior sold to data brokers for 
unspecified future uses. At the same time, no system that allows for 
unrestricted web browsing can or should prohibit information collection 
entirely. As noted the Staff Report, information collection is 
necessary for fraud prevention and other commonly accepted practices, 
such as capping the number of times a consumer sees a particular 
advertisement. The limited nature of that collection, however, is 
qualitatively different from the collection of information to track and 
profile consumers as they browse the web. Given these considerations, 
an effective Do Not Track system would go beyond simply opting 
consumers out of receiving targeted advertisements; it would opt them 
out of collection of behavioral data for all purposes that are not 
commonly accepted.
    Commission staff will monitor further industry innovation in this 
area, which may build upon existing industry initiatives and 
incorporate elements of the different mechanisms being proposed today.
III. Conclusion
    Thank you for the opportunity to provide the Commission's views. We 
look forward to continuing this important dialogue with Congress and 
this Committee.

    Senator Pryor. Mr. Strickling?

 STATEMENT OF HON. LAWRENCE E. STRICKLING, ASSISTANT SECRETARY 
FOR COMMUNICATIONS AND INFORMATION, NATIONAL TELECOMMUNICATIONS 
                        AND INFORMATION 
          ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE

    Mr. Strickling. Thank you, Chairman Pryor, Senators Kerry 
and Isakson. It's a pleasure to be here today to testify on 
behalf of the Department of Commerce to discuss the state of 
online consumer privacy. And I welcome the opportunity to 
discuss how we can better protect consumer data privacy in this 
rapidly evolving Internet economy. And in doing so I'm quite 
pleased to testify here today with Chairman Jon Leibowitz of 
the Federal Trade Commission.
    As the principal advisor to the President on communications 
and information policy, the NTIA has been hard at work over the 
last 2 years with Secretary Locke's Internet Policy Task Force, 
Department of Commerce General Counsel Cam Kerry, and 
colleagues throughout the Executive Branch, to conduct a broad 
assessment of how well our current policy framework for 
consumer data is serving consumers, businesses and other 
participants in the Internet economy.
    I would also like to thank, in particular, the Federal 
Trade Commission for its collaboration with us and its 
leadership over the years in addressing this important issue.
    To guide the overall agenda of the Internet Policy Task 
Force, which includes issues in addition to privacy, we have 
focused on two key principles.
    The first is the idea of trust. It's imperative for the 
sustainability and continued growth of the Internet that we 
preserve the trust of all actors on the Internet. And nowhere 
is this clearer than in the context of consumer privacy. If 
users do not trust that their personal information is safe on 
the Internet they'll be reluctant to adopt new services.
    Our second principle is that we want to encourage multi-
stakeholder processes to address key Internet issues. We want 
stakeholders to come together to deal with these issues in ways 
that display the flexibility, speed and efficiency that often 
are lacking with more traditional regulatory responses.
    These two principles inform the new framework for 
addressing online privacy that the Department proposed in its 
privacy ``Green Paper'' last December. The key elements of this 
framework include the following:
    First, we recommended the establishment of a set of Fair 
Information Practice Principles as the foundation for the 
protection of consumer privacy in the Internet economy. These 
principles will set a baseline of consistent, comprehensible 
data privacy protection in new and established commercial 
contexts.
    Second, to promote flexibility and speed to address privacy 
issues as they arise, the ``Green Paper'' recommended that the 
Department engage actively with industry and consumer groups to 
develop enforceable codes of conduct.
    And third, consistent with the FTC's existing enforcement 
role in the protection of privacy, the ``Green Paper'' 
recommends strengthening the Commission's authority to enforce 
these baseline privacy principles.
    We received roughly 100 comments on the ``Green Paper'' and 
we are working hard to prepare a final document later this 
spring as a statement of Administration policy in this area. 
But, as we have reviewed the comments and we continued our 
discussions, I can report today that the Administration now 
recommends that Congress enact legislation to provide a firm 
legal foundation supporting specific aspects of this new 
policy.
    We specifically recommend that any legislation to provide a 
stronger statutory framework to protect consumer privacy should 
contain three key elements.
    First, it should create baseline consumer data privacy 
protections--as Senator Kerry referred to it, a consumer bill 
of rights--that are enforceable at law. Specifically, we 
support making a comprehensive set of FIPPs the basis of this 
law. This set of agreed-upon principles would provide clear 
privacy protections for personal data in the commercial context 
in which existing privacy laws do not apply or offer adequate 
protection.
    Second, legislation should provide the FTC with the 
authority to enforce any baseline protections. Granting the FTC 
explicit authority to enforce baseline privacy principles will 
strengthen its role in consumer data privacy protection and 
enforcement, resulting in better protection for consumers.
    Third, legislation should create a framework that provides 
incentives for the development of enforceable codes of conduct 
as well as continued innovation around privacy protections. 
These codes can allow industry and government to adapt rapidly 
to a fast evolving online marketplace. And one incentive we 
urge Congress to consider is to give the FTC the authority to 
offer a safe harbor for companies that implement codes of 
conduct that are consistent with the baseline protections.
    This statutory framework is designed to be flexible, to 
keep its requirements well-tailored, and to provide a basis for 
greater interoperability with other countries' privacy laws.
    Working together with Congress, the FTC, the Executive 
Office of the President and other stakeholders, I am confident 
in our ability to provide consumers with meaningful privacy 
protections in the Internet economy, backed by effective 
enforcement that could adapt to changes in technology, market 
conditions, and consumer expectations. Establishing and 
maintaining this dynamic consumer data privacy framework is not 
a one shot game, and it will require the ongoing engagement of 
all stakeholders. The Department and the Administration are 
firmly committed to that engagement.
    With or without legislation, the Department and NTIA will 
continue to make consumer data privacy a top priority. We will 
convene Internet stakeholders to discuss how best to encourage 
the development of privacy codes of conduct. The Department 
will support the Administration's efforts to encourage global 
interoperability by stepping up our engagement in international 
policymaking bodies. And we will continue to work with Congress 
and all other stakeholders to develop consensus on reforms to 
our consumer data privacy policy framework.
    I look forward to working with this Committee on this 
important issue, starting with answering any questions you have 
for me today. Thank you.
    [The prepared statement of Mr. Strickling follows:]

Prepared Statement of Hon. Lawrence E. Strickling, Assistant Secretary 
  for Communications and Information, National Telecommunications and 
        Information Administration, U.S. Department of Commerce
I. Introduction
    Chairman Rockefeller, Ranking Member Hutchison, distinguished 
Committee Members, thank you for the opportunity to testify on behalf 
of the Department of Commerce (``Department'') to discuss Internet 
privacy policy reform. I welcome the opportunity to discuss how we can 
better protect consumer data privacy in the rapidly evolving Internet 
Age. In doing so, I am pleased to testify here today with Jonathan 
Leibowitz, the Chairman of the Federal Trade Commission (FTC).
    As the principal advisor to the President on communications and 
information policy, the National Telecommunications and Information 
Administration (NTIA) has been hard at work over the last 2 years with 
Secretary Locke's Internet Policy Task Force and colleagues throughout 
the Executive Branch to conduct a broad assessment of how well our 
current consumer data privacy policy framework serves consumers, 
businesses, and other participants in the Internet economy. Over the 
same period of time, the Internet Policy Task Force has engaged, 
formally and informally, with a broad array of stakeholders, including 
companies, consumer advocates, academic privacy experts, and other 
government agencies. We identified privacy as a key issue in 
strengthening consumer trust, which, in turn, is critical to realizing 
the full potential for innovation and growth of the Internet. Our work 
culminated in the release of the Task Force's ``Green Paper'' on 
consumer data privacy in the Internet economy on December 16, 2010. The 
Green Paper made ten separate recommendations about how to strengthen 
consumer data privacy protections in ways that also promote innovation, 
but it also brought to light many additional questions.
    We sought public comment on these recommendations, and we have been 
busy considering the roughly 100 written responses that were filed. One 
general conclusion to be drawn from the comments is that the commenters 
believe that American consumers should have stronger privacy 
protections, and the companies that run our Internet economy should 
have clearer rules of the road to guide their uses of data about 
consumers.
II. Stakeholders' Perspectives on Our Current Consumer Data Privacy 
        Framework
    The Internet economy is sparking tremendous innovation. During the 
past fifteen years, networked information technologies--personal 
computers, mobile phones, wireless connections and other devices--have 
been transforming our social, political and economic landscape. A 
decade ago, going online meant accessing the Internet on a computer in 
your home. Today,``going online'' includes smartphones, portable games, 
and interactive TVs, with numerous companies developing global 
computing platforms in the ``cloud.''
    The Internet is also an essential platform for economic growth, 
both domestically and globally. Almost any transaction you can think of 
is being conducted online--from consumers paying their utility bills 
and people purchasing books, movies and clothes, to major corporations 
paying their vendors and selling to their customers. According to the 
U.S. Census Bureau, domestic online transactions currently total about 
$3.7 trillion annually.\1\ Internet commerce is a leading source of job 
growth as well, with the number of domestic IT jobs growing by 26 
percent from 1998 to 2008, four times faster than U.S. employment as a 
whole.\2\ By 2018, IT employment is expected to grow by another 22 
percent.\3\
---------------------------------------------------------------------------
    \1\ U.S. Census Bureau, Commerce Department, ``E-Stats,'' May 27, 
2010, available at http://www.census.gov/econ/estats/2008/
2008reportfinal.pdf.
    \2\ Commerce Secretary Gary Locke, Remarks on Cybersecurity and 
Innovation, Georgetown University, Washington, D.C. (September 23, 
2010).
    \3\ Id.
---------------------------------------------------------------------------
    As powerful and exciting as these developments are, they also raise 
new privacy issues. The large-scale collection, analysis, and storage 
of personal information is becoming more central to the Internet 
economy. These activities help to make the online economy more 
efficient and companies more responsive to their customer needs. Yet 
these same practices also give rise to growing unease among consumers, 
who are unsure about how data about their activities and transactions 
are collected, used, and stored.\4\ A basic element of our current 
consumer data privacy framework is the privacy policy. As we mentioned 
in the Green Paper, these lengthy, dense, and legalistic documents do 
not appear to be effective in informing consumers of their online 
privacy choices. Surveys show that most Americans incorrectly believe 
that a website that has an online privacy policy is prohibited from 
selling personal information it collects from customers.\5\ In 
addition, many consumers believe that having a privacy policy 
guarantees strong privacy rights, which is not necessarily the case.\6\
---------------------------------------------------------------------------
    \4\ According to a recent survey, 83 percent of adults say they are 
``more concerned about online privacy than they were 5 years ago.'' 
Common Sense Media, Online Privacy: What Does It Mean to Parents and 
Kids (2010), available at http://www.commonsensemedia.org/sites/
default/files/privacypoll.pdf (last visited March 5, 2011).
    \5\ Joseph Turow, Chris Jay Hoofnagle, Deirdre K. Mulligan, 
Nathaniel Good & Jens Grossklags, The Federal Trade Commission and 
Consumer Privacy in the Coming Decade, 3 I/S: Journal of Law & Policy 
723 (2007), available at http://www.is-journal.org/.
    \6\ Chris Jay Hoofnagle & Jennifer King, Research Report: What 
Californians Understand About Privacy Offline (2008), available at 
http://papers.ssrn.com/sol3/papers.cfm?abstract
_id=1133075.
---------------------------------------------------------------------------
    The difficulty of understanding a single privacy policy, however, 
is modest when compared to the problem of comprehending how personal 
data flows in today's online environment. A recent study found that 36 
of the 50 most-visited websites state in their privacy policies that 
they allow third-party tracking.\7\ This same study found that a few 
prominent sites allow more than 20 different third-party tracking 
mechanisms in the course of a month. One site even allowed 100 such 
mechanisms.\8\ As the study points out, the privacy policy of the site 
that an individual actually visits typically does not apply to these 
third parties.\9\ In other words, to fully understand the privacy 
implications of using a particular site, individuals will often have to 
begin by considering the privacy policies of many other entities that 
could gain access to data about them.
---------------------------------------------------------------------------
    \7\ Joshua Gomez, Travis Pinnick, and Ashkan Soltani, Know Privacy, 
at 27, June 1, 2009, available at http://knowprivacy.org/report/
KnowPrivacy_Final_Report.pdf.
    \8\ Id. at 26.
    \9\ Id.
---------------------------------------------------------------------------
    As Americans begin using smartphones and other mobile Internet 
devices in addition to, or instead of, laptop and desktop computers, 
the difficulties of understanding personal data flow become even more 
acute. The small screens that enable us to carry blogs, social 
networks, and video around in our pockets pose a new challenge to 
presenting consumers with information about personal data collection 
and use. These devices may also make location information available, 
which opens the door to an amazing array of new applications and 
services, but also adds further complexity to consumer data privacy 
issues.\10\ Assuring consumers that their privacy interests will be 
protected in this rapidly changing environment is our core challenge.
---------------------------------------------------------------------------
    \10\ See, e.g., Frank Groeneveld, Barry Borsboom, and Boy van 
Amstel, Over-sharing and Location Awareness, Feb. 24, 2010, http://
www.cdt.org/blogs/cdt/over-sharing-and-location-awareness (discussing, 
in the context of their project called ``Please Rob Me,'' how adding 
location information to information posted on social networking sites 
can have unintended consequences).
---------------------------------------------------------------------------
    During the Department's outreach to stakeholders, we received 
comments from consumer groups, industry, and leading privacy scholars, 
all of whom agreed that large proportions of Americans do not fully 
understand and appreciate what information is being collected about 
them, and how they are able to stop certain practices from taking 
place.\11\ Several consumer advocacy and civil liberties groups 
expressed these concerns. These groups supported the Department's 
overall recommendation to develop stronger privacy protections for 
personal data in the commercial setting. One group expressed this 
shared view about a basic lack of transparency particularly well:
---------------------------------------------------------------------------
    \11\ All comments that the Department received in response to the 
Green Paper are available at http://www.ntia.doc.gov/comments/
101214614-0614-01/.

        [C]onsumers face a continuum of risk to personal privacy, 
        ranging from minor nuisances to improper disclosures of 
        sensitive information and identity theft. Such unscrupulous 
        practices, carried out without the consumers' knowledge or 
        consent, lead to diminished consumer trust in Internet data 
        practices, thus stunting growth and innovation.\12\
---------------------------------------------------------------------------
    \12\ Consumers Union, Comment on Department of Commerce Privacy 
Green Paper, Jan. 28, 2011, at 2.

    Moreover, many consumer groups made a strong economic case for 
consumer data privacy reform. Simply put, the inability to distinguish 
among companies' privacy practices may lead consumers to conclude that 
all companies engage in equally invasive practices. As one group noted, 
``even companies willing to adopt the most stringent privacy policies 
find that overseas customers are skeptical of those assurances because 
of the lack of U.S. privacy laws to back them up.'' \13\
---------------------------------------------------------------------------
    \13\ Center for Democracy and Technology, Comment on Department of 
Commerce Privacy Green Paper, Jan. 28, 2011, at 3.
---------------------------------------------------------------------------
    Interestingly, industry shares these views in many respects. Some 
of the leading innovators in the Internet economy see things the same 
way. In comments, a leading IT company refuted the argument that 
baseline consumer data privacy protections would slow innovation: ``We 
disagree with the arguments some have advocated against the adoption of 
legislation, particularly that privacy legislation would stifle 
innovation and would hinder the growth of new technologies by small 
businesses. Instead, we believe that well-crafted legislation can 
actually enable small business e-commerce growth.'' \14\ Other 
companies reiterated the call for Federal privacy legislation; one 
argued that ``dramatic and rapid technological advances are testing how 
the fundamental principles that underpin consumer privacy and data 
protection law--such as notice, consent, reasonable security, and data 
retention--should apply.'' \15\ Another stressed that ``consumer-facing 
companies . . . have powerful market incentives to protect user 
privacy, and must respond to user demands in order to remain 
competitive.'' \16\ To ensure continued consumer trust, this company 
``strongly supports the development of a comprehensive privacy 
framework for commercial actors . . . that create[s] a baseline for 
privacy regulation that is flexible, scalable, and proportional.'' \17\ 
In short, uncertainty over keeping the trust of consumers online is as 
unsettling for some businesses as it is for consumers.
---------------------------------------------------------------------------
    \14\ Intel, Comment on Department of Commerce Privacy Green Paper, 
Jan. 28, 2011, at 3.
    \15\ Microsoft, Comment on Department of Commerce Privacy Green 
Paper, Jan. 28, 2011, at 1.
    \16\ Google, Comment on Department of Commerce Privacy Green Paper, 
Jan. 28, 2011, at 2.
    \17\ Id.
---------------------------------------------------------------------------
    Commenters were not unanimous in their support for legislation, and 
some expressed opposition to enacting baseline consumer data privacy 
legislation. Some commenters asserted that legislation is appropriate 
only where ``particularly sensitive privacy interests'' are 
concerned.\18\ Others argued that a legislative framework would be 
``too inflexible,'' \19\ a ``one size fits all'' \20\ collection of 
rules that will become ``static.'' \21\ The Department took these 
concerns seriously when developing the Green Paper's Dynamic Privacy 
Framework for consumer data. A central feature of the Framework is an 
emphasis on developing industry-specific, enforceable codes of conduct 
that establish how Fair Information Practice Principles (FIPPs) apply 
in a given commercial context. And these concerns are reflected in the 
contours of the recommendations in this testimony.
---------------------------------------------------------------------------
    \18\ Financial Services Forum, Comment on Department of Commerce 
Privacy Green Paper, Jan. 28, 2011, at 8.
    \19\ American Association of Advertising Agencies et al., Comment 
on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 1.
    \20\ Direct Marketing Ass'n, Comment on Department of Commerce 
Privacy Green Paper, Jan. 28, 2011, at 4; see also American Business 
Media, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 
2011, at 4; Computer & Communications Industry Association, Comment on 
Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 18; 
Keller & Heckman, Comment on Department of Commerce Privacy Green 
Paper, Jan. 28, 2011 at 1.
    \21\ Business Software Alliance, Comment on Department of Commerce 
Privacy Green Paper, Jan. 28, 2011, at 4.
---------------------------------------------------------------------------
    Thus, based on an initial review of comments, the Department sees a 
shared set of principles that could help to inform our efforts to 
reform consumer data privacy in the Internet economy. The general 
agreement of commenters appears to rest on two tenets. First, to 
harness the full power of the Internet age, we need to establish norms 
and ground rules that promote innovative uses of information while 
respecting consumers' legitimate privacy interests. Second, as we go 
about establishing these privacy guidelines, we also need to be careful 
to avoid creating an overly complicated regulatory environment.
III. Strengthening Our Consumer Data Privacy Framework Through 
        Baseline Protections
    Exactly three months ago, the Department published its Green Paper, 
which contained a set of preliminary policy recommendations to enhance 
consumer protection, strengthen online trust, and bolster the Internet 
economy. The paper made ten recommendations and sought comment on a set 
of additional questions. In response to the paper, the Department 
received thoughtful and well-researched comments from over a hundred 
stakeholders representing industry, consumer groups, and academia.
    Having carefully reviewed all stakeholder comments to the Green 
Paper, the Department has concluded that the U.S. consumer data privacy 
framework will benefit from legislation to establish a clearer set of 
rules for the road for businesses and consumers, while preserving the 
innovation and free flow of information that are hallmarks of the 
Internet. The Department's privacy Green Paper--much like the staff 
report of the Federal Trade Commission (FTC)--highlights the need for 
stronger privacy protections for American consumers. As pointed out in 
the Commerce report, the United States has a range of data privacy laws 
that apply to individual sectors of the economy, such as health care, 
consumer credit, and personal finance. But these laws may not offer 
protection to some of the data uses associated with consumers' 
activities in the Internet economy. An overarching set of privacy 
principles on which consumers and businesses can rely could create a 
stronger foundation for consumer trust in the Internet by providing 
this broadly applicable framework.
    Legislation to provide a stronger statutory framework to protect 
consumers' online privacy interests should contain three key elements. 
First, the Administration recommends that legislation set forth 
baseline consumer data privacy protections--that is, a ``consumer 
privacy bill of rights.'' Second, legislation should provide the FTC 
with the authority to enforce any baseline protections. Third, 
legislation should create a framework that provides incentives for the 
development of codes of conduct as well as continued innovation around 
privacy protections, which could include providing the FTC with the 
authority to offer a safe harbor for companies that implement codes of 
conduct that are consistent with the baseline protections. This 
statutory framework is designed to be flexible, to keep its 
requirements well-tailored, and to provide a basis for greater 
interoperability with other countries' privacy laws.
A. Enacting a Consumer Privacy Bill of Rights
    The Administration urges Congress to enact a ``consumer privacy 
bill of rights'' to provide baseline consumer data privacy protections. 
Legislation should consider statutory baseline protections for consumer 
data privacy that are enforceable at law and are based on a 
comprehensive set of FIPPs. Comprehensive FIPPs, a collection of 
agreed-upon principles for the handling of consumer information, would 
provide clear privacy protections for personal data in commercial 
contexts that are not covered by existing Federal privacy laws or 
otherwise require additional protection. To borrow from one of the 
responses we received, baseline FIPPs are something that consumers 
want, companies need, and the economy will appreciate.\22\
---------------------------------------------------------------------------
    \22\ See Comment of Hewlett-Packard Co. on Notice of Inquiry, at 2, 
June 14, 2010, available at http://www.ntia.doc.gov/comments/100402174-
0175-01/attachments/HP%20Comments%2E
pdf.
---------------------------------------------------------------------------
    The Administration recommends that the baseline should be broad and 
flexible enough to allow consumer privacy protection and business 
practices to adapt as new technologies and services emerge. As noted by 
two privacy scholars, ``[b]roadly worded legislation . . . motivates 
firms to produce an industry code of conduct as a way to construe and 
clarify the statutory scheme. Thus, baseline privacy legislation and 
incentives for industry to develop codes of conduct can go hand-in-
hand.'' \23\
---------------------------------------------------------------------------
    \23\ Professors Ira Rubinstein and Dennis Hirsch, Comment to the 
Department Privacy Green Paper, January 28, 2011, available at http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=D120453B-
FB2B-4034-962C-C0A352328531.
---------------------------------------------------------------------------
    Finally, a baseline law holds the promise of making our consumer 
data privacy framework more interoperable with international 
frameworks. Again, leading Internet innovators support baseline 
legislation as a means of achieving this objective. For example, a 
leading online company noted that ``FIPPs is a common language used by 
many governments worldwide, so use of similar terminology will enhance 
opportunities for agreement and practical approaches to data policy.'' 
\24\ A Web standards organization stated that ``[e]stablishing baseline 
commercial data privacy principles contribute[s] to the further 
harmonization of the global e-commerce market at least for the 
countries attached to the OECD, and improve[s] the transatlantic 
relations on online services of all sorts.'' \25\ Other comments, which 
represent a wide variety of American companies, consumer advocates, and 
academic scholars, also supported this position, often noting that 
improving global interoperability could benefit companies by reducing 
their compliance burdens overseas.\26\
---------------------------------------------------------------------------
    \24\ Yahoo!, Comment to the Department Privacy Green Paper, January 
28, 2011, available at http://www.ntia.doc.gov/comments/101214614-0614-
01/comment.cfm?e=F6A50C0B-00CC-44A6-B475-FE218170CA02.
    \25\ World Wide Web Consortium, Comment to the Department Privacy 
Green Paper, January 28, 2011, available at http://www.ntia.doc.gov/
comments/101214614-0614-01/attachments/ResponseW3C.pdf.
    \26\ See, e.g., Professors Ira Rubinstein and Dennis Hirsch, 
Comment to the Department Privacy Green Paper, January 28, 2011, 
available at http://www.ntia.doc.gov/comments/101214614-0614-01/
comment.cfm?e=D120453B-FB2B-4034-962C-C0A352328531; Intel, Comment to 
Department Privacy Green Paper, January 28, 2011, available at http://
www.ntia.doc.gov/comments/101214614-0614-01/attachments/
Intel%20Corp%20Dept%20Commerce%20green%20paper%20
comment.pdf (``Intel supports Federal legislation based on the Fair 
Information Practices (FIPs) as described in the 1980 Organization for 
Economic Co-Operation and Development (OECD) Privacy Guidelines.'')
---------------------------------------------------------------------------
    The Green Paper suggested that comprehensive FIPPs can serve as a 
basis for stronger consumer trust while also providing the flexibility 
necessary to define more detailed rules that are appropriate for the 
relationships and personal data exchanges that arise in a specific 
commercial context. The FIPPs that the Green Paper presented for 
discussion were transparency, individual participation, purpose 
specification, data minimization, use limitation, data quality and 
integrity, security, and accountability and auditing. We received many 
thoughtful comments on how each of these principles might apply to the 
commercial context, and we are continuing to assess whether these 
principles provide the right framework for online consumer data 
privacy. The Administration looks forward to working further with 
Congress and stakeholders to define these baseline protections.
B. Implementing Enforceable Codes of Conduct Developed Through Multi-
        Stakeholder Processes
    To encourage specific but adaptable rules for businesses and 
consumers in the implementation of baseline privacy principles, the 
Administration recommends a framework that can promptly address 
specific privacy issues as they emerge. In this framework, stakeholders 
from the commercial, consumer advocacy and academic sectors, as well as 
the FTC and other government agencies would come together to develop 
enforceable best practices or codes of conduct based on the principles 
in baseline legislation. This process would allow stakeholders to 
develop codes of conduct that address privacy issues in emerging 
technologies and business practices, without the need for additional 
legislation. In this framework, the FTC could have the authority to 
provide appropriate incentives, such as a safe harbor, for business to 
develop and adopt codes of conduct. Compliance with an approved code of 
conduct might be deemed compliance with the statutory FIPPs. Of those 
stakeholders that supported legislation, most one telecommunication 
company's conclusions that ``[a]s the Green Paper observes, such a safe 
harbor provision will reinforce the industry's incentives to develop 
self-governance practices that address emerging issues, and to follow 
such practices.'' \27\ In addition, legislation should ensure that 
stakeholders have appropriate incentives to revise enforceable codes of 
conduct as changes in technology, market conditions, and consumer 
expectations warrant.
---------------------------------------------------------------------------
    \27\ Verizon, Comment to the Department Privacy Green Paper, 
January 28, 2011, available at http://www.ntia.doc.gov/comments/
101214614-0614-01/comment.cfm?e=6BFB924F-75DD-4472
-94F3-F76DB8EE0376.
---------------------------------------------------------------------------
    This recommendation reflects the Department's view that government 
must support policy development processes that are nimble enough to 
respond quickly to consumer data privacy issues as they emerge and that 
incorporate the perspectives of all stakeholders. Industry, consumer 
groups, and civil society, as well as the government, all have vital 
roles to play in putting baseline privacy protections into practice in 
the United States. A leading IT company captured this multi-stakeholder 
perspective well, commenting that ``no single entity can achieve the 
goal of building trust . . . as it is clearly a shared responsibility. 
There is a role for governments, industry, and Non-Governmental 
Organizations/advocacy groups (NGO's) working together to form a 
`triangle of trust.' '' \28\ A multi-stakeholder strategy for 
implementation ensures that government establishes the base of this 
trust triangle. Such a strategy will be critical to ensure that we end 
up with a framework that is rational, that provides businesses with 
better information about what consumers expect (and vice versa), but 
that is also dynamic. Below, I explain in greater detail the leading 
role that the Department of Commerce could play in putting this multi-
stakeholder model into practice.
---------------------------------------------------------------------------
    \28\ Intel, Comment to Department Privacy Green Paper, January 28, 
2011, available at http://www.ntia.doc.gov/comments/101214614-0614-01/
attachments/Intel%20Corp%20Dept%20Comm
erce%20green%20paper%20comment.pdf.
---------------------------------------------------------------------------
C. Strengthening the FTC's Authority
    The independent expertise of the FTC is another key element of this 
framework. In addition to its leadership in developing consumer data 
privacy policy, the FTC plays a vital role as the Nation's independent 
consumer privacy enforcement authority. Granting the FTC explicit 
authority to enforce baseline privacy principles would strengthen its 
role in consumer data privacy policy and enforcement, resulting in 
better protection for consumers and evolving standards that can adapt 
to a rapidly evolving online marketplace.
D. Establishing Limiting Principles on Consumer Data Privacy 
        Legislation
    As the Committee considers these recommendations, we would also 
like to provide our thoughts on limitations that Congress should 
observe in crafting consumer data that strengthens consumer privacy 
protections and encourages continuing innovation. Legislation should 
not add duplicative or overly burdensome regulatory requirements to 
businesses that are already adhering to the principles in baseline 
consumer data privacy legislation. Legislation should be technology-
neutral, so that it allows firms flexibility in deciding how to comply 
with its requirements and encourages business models that are 
consistent with baseline principles but use personal data in ways that 
we have not yet contemplated. And, domestic privacy legislation should 
provide a basis for greater transnational cooperation on consumer 
privacy enforcement issues, as well as more streamlined cross-border 
data flows and reduced compliance burdens for U.S. businesses facing 
numerous foreign privacy laws.
IV. The Department's and NTIA's Next Steps on Internet Privacy Policy
    With or without legislation, the Department and NTIA will continue 
to make consumer data privacy on the Internet a top priority. We will 
convene Internet stakeholders to discuss how best to encourage the 
development of privacy codes of conduct. And, the Department will 
support the Administration's efforts to encourage global 
interoperability by stepping up our engagement in international 
policymaking bodies. Finally, we will continue to work with Congress 
and all stakeholders to develop consensus on reforms to our consumer 
data privacy policy framework.
A. Convening Voluntary Efforts to Define Baseline Privacy Protections
    The Department of Commerce can play a leading role in bringing 
stakeholders together rapidly to develop enforceable codes of conduct, 
in order to provide greater certainty for businesses and necessary 
protections for consumers. The Green Paper notes that the Department--
and particularly NTIA--has the necessary expertise and can work with 
others in government to convene companies, consumer groups, academics, 
and Federal and State government agencies. It will be important to 
bring NTIA's experience to bear in these activities, since NTIA can 
work with other agencies and provide a center of consumer data privacy 
policy expertise. The Department received significant stakeholder 
support for the recommendation that it play a central role in convening 
stakeholders. A broad array of organizations, including consumer 
groups, companies, and industry groups announced their support for the 
Department to help coordinate outreach to stakeholders to work together 
on enforceable codes of conduct.\29\
---------------------------------------------------------------------------
    \29\ See, e.g., Comments of Center for Democracy and Technology; 
Comments of Consumers Union; Comments of Microsoft; Comments of 
Walmart; Comments of Intel; Comments of Google; Comments of Facebook; 
Comments of Interactive Advertising Bureau; and Comments of Yahoo!
---------------------------------------------------------------------------
    Indeed, the Department is pleased to be part of an Administration 
effort in which this approach to protecting consumer data privacy may 
be immediately useful: The National Strategy for Trusted Identities in 
Cyberspace (NSTIC).\30\ The NSTIC, which is a separate Administration 
initiative being developed in close consultation with the private 
sector, and is not part of the legislative proposal discussed in this 
testimony, envisions enhancing online privacy and security through 
services that provide credentials that improve upon the username and 
password schemes that are common online. The NSTIC proposes a system 
that would provide individuals the option of obtaining a strong 
credential to use in sensitive online transactions. The NSTIC calls for 
the participants in this digital identity marketplace to implement 
privacy protections that are based on the FIPPs. Developing enforceable 
codes of conduct through multi-stakeholder processes is one way that 
the Department can work with the private sector to implement these 
protections.
---------------------------------------------------------------------------
    \30\ For further information, see NIST, About NSTIC, http://
www.nist.gov/nstic/ (last visited Mar. 14, 2011).
---------------------------------------------------------------------------
    We thank you, Chairman Rockefeller, for supporting the announcement 
that the Department of Commerce will host the National Program Office 
to coordinate the Federal activities to implement NSTIC. With the 
leadership of the private sector, the Department is ready and willing 
to support the implementation of NSTIC by leveraging the tremendous 
resources of NTIA and the National Institute of Standards and 
Technology.
B. Encouraging Global Interoperability
    Consistent with the general goal of decreasing regulatory barriers 
to trade and commerce, the Department will work with our allies and 
trading partners to reduce barriers to cross-border data flow by 
increasing the global interoperability of privacy frameworks. While the 
privacy laws across the globe have substantive differences, these laws 
are frequently based on similar fundamental values. The Department will 
work with our allies to find practical means of bridging differences, 
especially those that are often more a matter of form than substance.
    The Department will work with other agencies to ensure that global 
privacy interoperability builds on accountability, mutual recognition 
and reciprocity, and enforcement cooperation principles pioneered in 
the Organisation for Economic Cooperation and Development (OECD) and 
Asia-Pacific Economic Cooperation (APEC). Agreements with other privacy 
authorities around the world (coordinated by key actors in the Federal 
Government) could reduce significant business global compliance costs.
C. Developing Further Administration Views on U.S. Internet Policy
    Finally, we are working to ensure that our work on consumer data 
privacy policy complements and informs other Internet policy 
development efforts that are underway in the Department and throughout 
the Administration. An invaluable mechanism for making this happen is 
the Privacy and Internet Policy Subcommittee of the National Science 
and Technology Council. The Subcommittee, which the White House 
announced last fall, is chaired by Commerce Department General Counsel 
Cameron Kerry and Justice Department's Assistant Attorney General 
Christopher Schroeder. The Subcommittee provides a forum for Federal 
agencies and key White House offices to coordinate and exchange ideas 
on how to promote a broad, visible, forward-looking commitment to a 
consistent set of Internet policy principles. These core principles--
all of which apply to the consumer data privacy context--include 
facilitating transparency, promoting cooperation, strengthening multi-
stakeholder governance models, and building trust in online 
environments.
    The Subcommittee has already provided the substantive policy 
discussions that led to the legislative reform recommendations that I 
am presenting today. The Department of Commerce looks forward to 
continuing to work with this Committee.
V. Conclusion
    In the end, the Obama Administration's goal is to advance the 
domestic and global dialogues in ways that will protect consumers and 
innovation, and to provide leadership on information privacy policy, 
regulation, and legislation.
    Working together with Congress, the FTC, the Executive Office of 
the President, and other stakeholders, I am confident in our ability to 
provide consumers with meaningful privacy protections in the Internet 
economy, backed by effective enforcement, that can adapt to changes in 
technology, market conditions, and consumer expectations. Establishing 
and maintaining this dynamic consumer data privacy framework is not a 
one-shot game; it will require the ongoing engagement of all 
stakeholders. The Department and the Administration are firmly 
committed to that engagement. The legislative approach that I have 
outlined today would lend extremely valuable support to the dynamic 
framework that we envision. I welcome any questions you have for me. 
Thank you.

    Senator Pryor. Thank you.
    Chairman Leibowitz, let me start with you if I may. And 
that is in your opening statement you mention this new icon 
that online advertisers are using. My understanding is that 
just came online just, you know, last several weeks at some 
point. Are you encouraged by what you see or is it too early to 
know if that's going to work?
    Mr. Leibowitz. Well I would say we are encouraged by what 
we are seeing. I would say the industry has been working in 
good faith on this icon notion probably for the last 2 years. I 
think you'll have someone testifying on the next panel about 
that.
    I would say that the pace of moving forward has become far 
more rapid since the summer hearings this Committee held and 
the House Energy and Commerce Committee held in the fall and 
since we released our report in December. So it is promising 
from our perspective. The majority of Commissioners would like 
to see a Do Not Track mechanism that includes a prohibition on 
tracking, not just sending ads back to consumers.
    But there are important developments really just in the 
last few days, including a number of members of that Digital 
Advertising Alliance who would like to see restrictions on 
tracking except for fraud purposes. So, yes.
    Senator Pryor. Thank you.
    Mr. Strickling, I think I saw yesterday, maybe last night, 
a story that the White House is talking about a privacy bill of 
rights or--do you anticipate that they'll come forward with a 
proposal, with a bill or is this more just general concepts 
that, you know, we can expect to see from the White House?
    Mr. Strickling. Yes, sir. The ``Green Paper'' was put out 
in December. And we are currently working to develop a more 
complete and what we hope will be an Administration statement 
of policy later this spring. What I testified to this morning 
is that the Administration is now at the point of recommending 
that this be dealt with in legislation.
    We will continue to flesh out the particulars as we 
complete our overall policy paper. But we're prepared to start 
working with this Committee and other Members of Congress on 
those specifics now.
    Senator Pryor. Thank you.
    Mr. Leibowitz, I have some questions for you about Do Not 
Track, but I think what I'd like to do is go to Senator Isakson 
since the vote just started and allow Senator Isakson to ask 
and then Senator Kerry.
    Go ahead.
    Senator Isakson. Thank you, Mr. Chairman.
    Mr. Leibowitz, in your--on page two of your prepared 
testimony you have the number of cases you brought over the 
last 15 years in various categories, spam, fair credit 
reporting act, etcetera, children's protection. Is that volume 
by category proportionate to the number of complaints that you 
get or is it just?
    Mr. Leibowitz. Well, we keep a complaint database, Consumer 
Sentinel, and that's one way and a very important way in which 
we develop cases. There are other ways as well. It's not a 
perfect symmetry, but we like to think it's in proportion to 
the need to bring cases. As you know we're a very small agency. 
So we try to leverage our limited resources.
    But we think we try to go where the harm is or is going to 
be. And so we think it's reflective of that. But let me--I'll 
get you some consumer complaints.
    [The Federal Trade Commission submitted to the Committee, 
after this hearing, the Federal Trade Commission Consumer 
Sentinel Network Data Book, January-December 2010, published 
March 2011. It is available at http://www.ftc.gov/sentinel/
reports/sentinel-annual-reports/sentinel-cy2010.pdf. The 
executive summary follows.]

                           Executive Summary 
                  Consumer Sentinel Network Data Book
                         January-December 2010
   The Consumer Sentinel Network (CSN) contains over 6.1 
        million complaints dating from calendar year 2006 through 
        calendar year 2010. There are over 7.8 million do-not-call 
        complaints from this same time period.

   The CSN received over 1.3 million complaints during calendar 
        year 2010: 54 percent fraud complaints; 19 percent identity 
        theft complaints; and 27 percent other types of complaints.

   Identity theft was the number one complaint category in the 
        CSN for calendar year 2010 with 19 percent of the overall 
        complaints, followed by Debt Collection (11 percent); Internet 
        Services (5 percent); Prizes, Sweepstakes and Lotteries (5 
        percent); Shop-at-Home and Catalog Sales (4 percent); Impostor 
        Scams (4 percent); Internet Auction (4 percent); Foreign Money 
        Offers and Counterfeit Check Scams (3 percent); Telephone and 
        Mobile Services (3 percent); and Credit Cards (2 percent). The 
        complete ranking of all thirty complaint categories is listed 
        on page six of this report.
Fraud
   A total of 725,087 CSN 2010 complaints were fraud-related. 
        Consumers reported paying over $1.7 billion in those fraud 
        complaints; the median amount paid was $594. Eighty-six percent 
        of the consumers who reported a fraud-related complaint also 
        reported an amount paid.

   Sixty percent of all fraud-related complaints reported the 
        method of initial contact. Of those complaints, 45 percent said 
        e-mail, while another 11 percent said an Internet website. Only 
        10 percent of those consumers reported mail as the initial 
        point of contact.

   Colorado is the state with the highest per capita rate of 
        reported fraud and other types of complaints, followed by 
        Maryland and Nevada.
Identity Theft
   Government documents/benefits fraud (19 percent) was the 
        most common form of reported identity theft, followed by credit 
        card fraud (15 percent), phone or utilities fraud (14 percent), 
        and employment fraud (11 percent). Other significant categories 
        of identity theft reported by victims were bank fraud (10 
        percent) and loan fraud (4 percent).

   Government documents/benefits fraud increased 4 percentage 
        points since calendar year 2008; identity theft-related credit 
        card fraud, on the other hand, declined 5 percentage points 
        since calendar year 2008.

   Forty-two percent of identity theft complainants reported 
        whether they contacted law enforcement. Of those victims, 72 
        percent notified a police department. Sixty-two percent 
        indicated a report was taken.

   Florida is the state with the highest per capita rate of 
        reported identity theft complaints, followed by Arizona and 
        California.

    Mr. Leibowitz. As you know being a member of this 
Committee, sometimes you'll see something you'll read about or 
a Commissioner will and that will go into the investigative 
process. So there are all different ways we bring cases.
    Senator Isakson. That is exactly where I was going with my 
follow up question. In most federal enforcement agencies the 
cases they pursue are in response to complaints from citizens. 
But you also--do you also monitor news media and reports and 
then follow up based on whether or not it appears to fall under 
your responsibility?
    Mr. Leibowitz. Sure, we do. And in fact we brought a very 
important antitrust case because Senator Klobuchar raised it at 
a hearing maybe a year ago. This was on a merger involving a 
drug used for children with heart defects. And so it comes from 
a lot of places.
    You know, we're a very bipartisan agency. All the 
Commissioners have ideas of about what we should be doing and 
it all is channeled into our investigative and our enforcement 
efforts.
    Senator Isakson. Where does the volume of penalties, I 
mean, $60 million in civil penalties, $21 million in civil 
penalties and five. It looks like to me it's about $80 million 
in civil penalties you collect over the year. Where does that 
money go? Back into the agency or back to the general treasury?
    Mr. Leibowitz. It goes back to Treasury. And then more 
often we will try to get redress for consumers. One of the 
things that we try to obtain in the financial reform 
legislation was the ability to get civil penalties for 
violations of our standard unfair and deceptive acts or 
practices authority. And it didn't make it into the final 
legislation.
    It was something that Caspar Weinberger actually supported 
when he was the FTC Chair back in the early 1970s. And we hope 
to come back and revisit that going forward. But as a result, 
we have limited fining authority. It usually goes back to 
Treasury.
    Senator Isakson. I'm assuming based on what I've heard in 
the testimony that probably the most effective way to protect 
the consumer would be give them a mechanism to protect 
themselves. You talked about the icon where you can just 
elect----
    Mr. Leibowitz. Yes.
    Senator Isakson.--whether or not your information can be 
shared or not. Do we know if technologically that--I think 
technologically anything can be done now, but is that doable?
    Mr. Leibowitz. Yes, that is doable. And the only question 
is about exactly which way to do it.
    Senator Isakson. Thank you, Mr. Chairman.
    Senator Pryor. Thank you.
    Senator Kerry?
    Senator Kerry. Thank you, Mr. Chairman.
    Chairman Leibowitz, I want to try--a lot has been discussed 
about the Do Not Track proposal. And I want to try to hone in 
on it a little bit. Is it your judgment that if a company comes 
up with a pretty strict policy which has broad privacy 
protections and adequate opt in, et cetera, et cetera, and opt-
out or out, do you think then that the Do Not Track is still 
necessary?
    Mr. Leibowitz. At this point I think we do, because if 
individual companies have individual practices that may support 
a baseline consumer or commercial bill of rights here, I think 
that is a great idea it may not mean that every company has 
that. And I think what we're trying to do, like you, is develop 
a baseline for privacy protection for consumers.
    So from my perspective a Do Not Track mechanism that's easy 
to implement, going back to Senator Isakson's point, could be 
an important choice mechanism for consumers and an important 
way to protect privacy for consumers who want to limit 
tracking.
    Senator Kerry. So in terms of the potential harm or 
protection depending on which way you look at it, that you're 
trying to provide the consumer if you had a Do Not Track it 
doesn't mean that they're going to get no advertising like a Do 
Not Call means you're not going to get any calls. It simply 
means you're not going to get customized advertising. But 
you'll still get bombarded by advertising.
    Mr. Leibowitz. You will still get advertising. It may not 
be targeted. But again, from our perspective----
    Senator Kerry. So the analogy to Do Not Call is not an 
appropriate one. Would you----
    Mr. Leibowitz. Yes, it's very different than Do Not Call.
    Senator Kerry. OK.
    Mr. Leibowitz. It's very different from Do Not Call. It's 
also not government run as we run the Do Not Call list.
    Senator Kerry. OK.
    So then is there an assumption therefore that if you had a 
standard and you had a code and you had a strong privacy 
offering that the tracking is per se bad?
    Mr. Leibowitz. No, we don't think tracking is per se bad at 
all. We think most consumers won't mind being tracked. They get 
more personalized advertising.
    We just think consumers ought to have the ability to opt 
out of that kind of tracking. I mean, the analogy we sometimes 
use is if you're walking around a mall, someone shouldn't be 
sort of tracking--following you around even if they don't know 
who you are and sending e-mails off to the stores in front of 
you saying well, that's Jon Leibowitz. He's interested in 
buying a Madras jacket in his usual green and red colors.
    You know, you should have the right not to be followed 
around if you don't want to be followed around.
    Senator Kerry. So if a firm has a very strong policy, a 
privacy policy and then you have another firm that doesn't have 
a very strong kind of policy.
    Mr. Leibowitz. Right.
    Senator Kerry. You're going to treat them both the same in 
the context of the Do Not Track.
    Mr. Leibowitz. Well.
    Senator Kerry. There's no virtue to having the stronger 
policy and therefore allowing the tracking to take place in the 
context of that stronger policy.
    Mr. Leibowitz. Well, stronger policy outside of Do Not 
Track may have many virtues, right? It will include privacy by 
design. It will include readable privacy notices. They'll be 
transparency. They'll be more choice.
    But my sense is that a lot of the most responsible 
companies support a Do Not Track notion for third party 
cookies. And so I think there's an enormous benefit to having a 
baseline FIPPs privacy protection and then negotiated industry 
codes. We're working with the Commerce Department on that.
    But we also think there's a value in having the ability to 
opt-out of targeted advertising or maybe targeted advertising 
for just sensitive information like medical searches or 
financial information.
    Senator Kerry. With respect to the Wall Street Journal 
series on the issue of what they know. I assume you followed 
that?
    What did you draw from that? What came out of that in your 
judgment?
    Mr. Leibowitz. So let me say a few general things and some 
specific things.
    So generally, what came out of that--and it was a series of 
stories, as you know, last summer, and then many follow-ups.
    One is that some companies have very good privacy 
practices, but many of them do not. And it results in an 
enormous amount of information being collected about consumers 
that's invisible to consumers and not on the sites that they're 
on, but by cookies and software embedded in consumer's 
computers. And so it really was a motivation for us to step up 
our enforcement efforts and to write our privacy report.
    And then more specifically, we're having a debate about 
whether to propose a Do Not Track mechanism. And one of the 
issues we had internally in the Commission was: is it 
technologically feasible? And of course, one of the stories, as 
you know, was about Microsoft having developed this and the 
balancing act they did between their privacy advocates and 
engineers on the one hand and their marketers. And how they 
resolved it was they sort of split the difference.
    And so we knew then that Do Not Track was technologically 
feasible. And Microsoft to its credit has stepped up and 
endorsed the concept since our report.
    Senator Kerry. Thank you.
    [Laughter.]

              STATEMENT OF HON. CLAIRE McCASKILL, 
                   U.S. SENATOR FROM MISSOURI

    Senator McCaskill. Thank you, Mr. Chairman.
    I--you know when you talk about privacy it's in the same 
category as motherhood and apple pie in this country. And I 
think we've got a real problem here because what most Americans 
don't understand and frankly, what maybe, unfortunately, two 
Members of Congress don't understand is we have monetized the 
Internet with behavior marketing. It is an amazing amount of 
free information that is immediately accessible because of 
behaviorally marketing. So I guess, you know, it equals money.
    And so I guess my first question is have--does anybody 
know? Do either of you know what the cost is going to be in 
terms of the economic vibrancy of the Internet for some of the 
things that are being considered? And isn't it fair to envision 
that a Do Not Track in fairness since behavioral marketing is 
money, isn't it fair to think that some of these companies are 
going to charge for that?
    Mr. Leibowitz. For opting out of tracking?
    Senator McCaskill. Yes.
    Mr. Leibowitz. We have not seen that yet even in the----
    Senator McCaskill. But we haven't passed any laws yet.
    Mr. Leibowitz. No, but to their credit, there is a major 
group of companies, called the Digital Advertising Alliance, 
that's in the process of offering some sort of free opt-out. 
Now we think it should go a little further. But no one has 
talked about monetizing that.
    And I think that's a good thing. And I think it's a 
recognition also that businesses understand that if you put 
some limits on tracking or you have some privacy protections as 
the Commerce Department envisions--and I'm supportive of that 
though you don't necessarily need to be--the sky won't fall 
down on Internet commerce. It's going to continue. And indeed 
if consumers have more trust in the Internet, they're going to 
do more business on the Internet too.
    Senator McCaskill. Do you think that there is envisioned 
where we draw the line? For example, we would never dream of 
telling Slim Fast they couldn't advertise on Oprah, right? 
Behavioral marketing. They know that there are mostly women 
that are watching that show. And they know that most of their 
product is consumed by women. And so they are behaviorally 
marketing to that segment.
    How will we draw the line between what kind of behavioral 
marketing is fair and what kind of behavioral marketing invades 
privacy?
    Mr. Leibowitz. Well, I think you've raised a really 
important point. And I don't know if you were here when Senator 
Isakson was speaking. He used to run a company. They 
advertised. And he pointed out that there's a difference 
between advertising on the Internet where you can figure out 
things about people, not from classic PI, personal information, 
but from the aggregated enormous amounts of information.
    And so it's different than advertising on Oprah or 
advertising on TV. And that seems to me, that's a point where 
we want to ensure privacy protections for consumers. And I 
think that the Department--I don't speak for the Department of 
Commerce, but I assume that you do.
    Mr. Strickling. And I would just add to the comments the 
Chairman has made that in our discussions we find a very strong 
level of support among industry to create this baseline of 
protections. The baseline though, it's fair to call it a bill 
of rights. I mean what we have in mind is not unlike the Bill 
of Rights, a concise statement of the right that the consumer 
has, and then relying on industry, working with consumer 
groups, working with other experts in the field, to come up 
with these codes of conduct that provide more specificity.
    We think, in that regard, we don't have to see the 
government drawing some of these very difficult lines and 
imposing them as regulation as long as we're providing adequate 
oversight of this process by which industry, working with all 
stakeholders, develops appropriate codes. We think we can get 
to a regime that will greatly improve privacy for consumers and 
still meet the needs of businesses who want to continue to see 
the growth of the Internet.
    Mr. Leibowitz. If I can just follow up briefly. And you're 
right. I don't think most American consumers understand where 
their information is going, how it's been monetized, how it's 
been traded. But in another sort of bedrock level, I think they 
get the issues of Internet privacy.
    There was a poll by a group called Consumer Watchdog that 
found 80 percent of Americans wanted to see a Do Not Track 
option. I think Common Sense Media had a poll that you 
mentioned, talking about greater concern that parents had over 
their kids.
    Senator McCaskill. Right.
    Mr. Leibowitz. About Internet privacy and safety. Gallup 
had a poll that also reflected this. So I think at some level 
Americans understand.
    Senator McCaskill. I agree. And I don't mean to cut you 
off. But I don't want to miss this vote and while I'm going to 
try to come back--I just think we've got to be very careful 
about the unintended consequences.
    We know the good guys are going to try to do this right. We 
know the bad guys, it's going to be very hard to regulate them 
in a way that makes sense. So what I don't want to do is 
handcuff the good guys because with all due respect, I mean, 
you know, if we think we're doing a really good job in consumer 
oversight of the commerce in this country right now. You know, 
I mean, don't get me started on the ads I see on cable TV that 
I just need to get my government benefit and all of the things 
that are out there that are not being adequately policed.
    So I just want to make sure that we don't kill the goose 
that laid the golden egg here under the rubric of the very 
laudable notion of privacy. I just think that we've got to go 
very carefully, make sure that we think about the unintended 
consequences and most importantly, think about the bad guys 
that aren't going to pay any attention to your code of conduct.
    And consumers are going to continue to not have confidence 
in the Internet as long as those bad guys are out there. So I 
just--I think we've got to be very careful and not go too fast, 
too far, without thinking about what may be down the line.
    Mr. Strickling. If I could respond quickly to that. I think 
the proposal that we've made answers your concern. It would 
have legislation that would create a baseline of these fair 
information practice principles. And those are some of the 
things that the Chairman mentioned earlier, things like 
transparency and disclosure, what level of consent.
    I'm confident that if, in doing so, the Congress also gives 
the FTC the enforcement authority to enforce that they're going 
to be able to go after the bad guys based on that baseline. But 
what the baseline allows though is the flexibility to the good 
guys, as you call them, to craft the more specific protections 
that they need to have to allow them to run their businesses.
    Senator McCaskill. I agree. I will just tell you that I 
have a feeling that, Mr. Leibowitz, that your budget is not 
going to grow enormously over the next decade. And you've got 
plenty of work to do over there.
    And frankly a lot of work that needs to be done that you 
can't do now. And if we're going to add to your work load and 
at the same time do something that is going to minimize the 
amazing things we've done on the Internet, I just think we've 
got to make sure America buys into that agreement.
    Mr. Leibowitz. Yes, I agree with that.
    Senator Pryor. Let me interrupt here just for a second 
because this vote is about to close. And Senator, we need to 
run over there and vote. So what I'll do is recess this for 
just a few moments. Let us go do these two votes. And then 
we'll reconvene in just a few minutes.
    Thank you.
    [Recess.]
    Senator Pryor. I'll reconvene the hearing. I want to thank 
everyone for being patient with us and we had those two votes. 
And my understanding is we have a few Senators on the way back 
over. But I know that Senator Klobuchar wanted to ask questions 
of this first panel.
    So Senator Klobuchar?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Well, thank you very much, Chairman. 
Thank you for holding this hearing. And thank you to our two 
witnesses and as well as the second panel.
    But thank you, Chairman Leibowitz and Administrator 
Strickling. It is great to be here with you on an important 
topic. And I wanted to focus a little bit on websites with 
teens and children maybe because I walked into my daughter's 
room last night and she was webcasting with her friend. And 
luckily they were working on their homework. And the interview 
she's doing with Senator Murkowski which will be I'm sure, 
devastating to Senator Murkowski.
    But I wanted to ask you a few questions on this. A recent 
Wall Street Journal article examined 50 websites popular with 
teens and children to see what tracking tools they installed on 
a test computer. As a group the sites used over 4,000 cookies, 
beacons and other pieces of tracking technology. That it 
actually 30 percent more than were found in a similar analysis 
of adult websites which is rather disturbing I think that there 
were more of these being used on children's websites.
    Can you describe your agency's experiences dealing with 
tracking of children and teens online? And what do you think 
needs to be done here?
    Mr. Leibowitz. Well, I think there's no doubt that there's 
an extraordinary amount of monetizing of teen information. As 
you know, from your daughter, who I believe is a very 
responsible 15 year old. And I know from my children that they 
spend a lot of time online.
    And so one of the recommendations in our report discusses 
the need for a kind of enhanced consent for children. We're 
taking comments on that.
    But of course one of the other issues with teens is often, 
they act impulsively. They put things online that they never 
expect will remain there. When a privacy policy of a social 
network switches from something that protects privacy to 
something that has less privacy protections sometimes kids 
don't realize or teens don't realize that a lot of information 
that they thought was private will be put online.
    So it's a very important issue for us. And we are studying 
it.
    Senator Klobuchar. OK. Anything you would like to add, 
Administrator?
    Mr. Strickling. No.
    Senator Klobuchar. As we talk about privacy I wondered 
Chairman Leibowitz, if the FTC has looked into the issue of 
privacy notifications on smartphones. As you can imagine those 
are smaller letters and harder to read, yet they access the 
same type of information and also have the same kind of privacy 
concerns as other larger computer screens.
    Mr. Leibowitz. Well, I believe in our report we looked at 
mobile phones. We've done a number of hearings on mobile issues 
because, you're right. In terms of privacy policies they're 
much harder to read. In terms of applications for children, of 
course, you wrote to us about a particular application. And we 
were glad to see that the alleged malefactors have improved 
their app standards.
    These are all very, very important issues and particularly 
in the mobile space. We're going to try to see how we can 
encourage more consumer choice and more transparency. So few 
people and certainly so few children understand the terms of 
service. You need to have easy-to-understand terms of service 
for children or parents who have a lot of information that's 
taken from kids and that's placed online--information that 
perhaps parents wouldn't want their kids to share, and kids or 
teens may not want to share themselves.
    Senator Klobuchar. Administrator?
    Mr. Strickling. I think what I'd like to say in response to 
both of the examples you've given is the fact that it's 
impossible for us to predict today what the privacy issue is 
going to be 6 months or 12 months from now. And that's why the 
framework that the Administration is proposing for legislation 
to use codes of conduct that will be prepared by this multi-
stakeholder group of industry is very important because it 
gives you the speed and the flexibility to respond to these 
types of issues when they arise. If we're chasing after these 
issues and trying to write regulations in a more formal way 
that perhaps take a year to write, we can't possibly stay up on 
the issues that arise.
    Senator Klobuchar. So the argument--yes.
    Mr. Strickling. And so overall I think this again is 
further demonstration of the need to have an industry-based, 
actually a full multi-stakeholder process to work on these 
codes of conduct and to deal with these issues when they arise. 
And indeed that in effect is what, you know, Chairman Leibowitz 
and the FTC are doing on an individual issue basis, is 
assembling the parties to get them to talk about these issues 
and nudging them in the right direction. And I think that's the 
appropriate model we want going forward.
    Senator Klobuchar. I think that's the name of Cass 
Sunstein's book--Nudge.
    Mr. Leibowitz. Nudge.
    Senator Klobuchar. So that's all----
    Mr. Leibowitz. Not noodge, not noodge. Nudge.
    Senator Klobuchar. It looks like you want to add something. 
But I just want--Chairman Leibowitz, but I wanted to follow up 
on that. It would seem to me just one of the problems is, as we 
all know under the best circumstance it takes so long for us to 
get these laws done. So clearly if we can get these voluntary 
codes of conduct that would respect the development of the 
technology and also not interfere with the development of the 
technology would be key as long as we actually get these 
voluntary codes of conduct.
    Mr. Chairman?
    Mr. Leibowitz. Yes. And I wanted to check to our Bureau 
Director to make sure I could say this. We have multiple 
investigations going on of inadequate notice on mobile and to 
kids. And apparently in one of the investigations we're doing, 
the privacy notice on mobile was 151 or 152 clicks or screens 
away.
    [Laughter.]
    Mr. Leibowitz. So I think the reasonable consumer will 
not----
    Senator Klobuchar. You're kidding. So you mean if they 
wanted to find the privacy notice they had to click 152 times 
to get to the window that----
    Mr. Leibowitz. 106 or 107 because the first time you may 
not have to click. But yes.
    Senator Klobuchar. OK. Well I get it. Well, thank you for 
clarifying that for the record.
    [Laughter.]
    Senator Klobuchar. Alright. Thank you to both of you. And I 
appreciate the way that this is moving. I think it's the right 
way. Thank you.
    Senator Pryor. Thank you both for joining us today. There 
are several Senators who either had to come and go or expressed 
an interest in being here. And probably we'll leave the record 
open for a couple weeks to allow Senators to ask questions. 
We'd appreciate a quick response.
    But thank you all for being here today. And I'll go ahead 
and introduce our second panel.
    Mr. Leibowitz. Thank you, Mr. Chairman.
    Senator Pryor. Oh, thank you very much. Thank you.
    We'll go ahead and bring up our second panel. And the staff 
as always will do a quick switch, switcheroo here. And bring 
the second panel forward with their name tags.
    And as they are doing this what I'll do is I'll go ahead 
and introduce the members of the second panel. And then once 
they get situated I'll just call on them as we go down the row.
    First would be Erich Andersen, Vice President and Deputy 
General Counsel of Microsoft.
    Second will be John Montgomery, Chief Operating Officer of 
GroupM Interaction.
    Third will be Ashkan Soltani, Researcher and Consultant.
    Fourth will be Barbara Lawler, Chief Privacy Officer for 
Intuit.
    And the fifth, last but certainly not least, will be Chris 
Calabrese, Legislative Counsel with the American Civil 
Liberties Union.
    So as we're getting set up here. And I see water is getting 
poured and charts are getting established. Just one moment we 
will go ahead and call on Mr. Andersen whenever we are ready. 
So, Mr. Andersen, go ahead.

                STATEMENT OF ERICH D. ANDERSEN, 
         DEPUTY GENERAL COUNSEL, MICROSOFT CORPORATION

    Mr. Andersen. OK. Thank you, Mr. Chairman.
    Mr. Chairman and honorable members of the Committee, my 
name is Erich Andersen and I'm the Deputy General Counsel of 
Microsoft's Windows Division. Thank you for inviting me to 
testify today about the state of online privacy. We applaud the 
leadership that the Committee has shown on this issue.
    I also want to endorse Assistant Secretary Strickling's 
call for federal privacy legislation.
    Legislation can be an important component of a multipronged 
approach to privacy but also includes technology tools, 
industry initiatives and consumer education. At Microsoft 
consumer trust is vital to our business. And privacy is a 
critical component to earning and maintaining that trust. In 
all our service offerings we strive to be transparent about our 
privacy practices, offer meaningful privacy choices and protect 
the security of the data that we store.
    In my role for the Windows Division, I've worked with our 
software team to develop privacy enhancing features for Windows 
and Internet Explorer. We have groups working on similar 
efforts throughout Microsoft including for our Bing search 
engine, Xbox gaming platform and our advertising services. The 
different ways that we engage with consumers give us a unique 
perspective on the privacy discussion. In light of our 
experience we believe that a combination of technology tools, 
industry initiatives, consumer education and legislation is 
needed to protect privacy and promote innovation.
    Let me briefly explain the importance of technology. At 
Microsoft we have implemented privacy by design. We engineer 
privacy into our products and services from the outset. And we 
consider privacy throughout the product life cycle.
    One example of where we put this principle into practice is 
the privacy features we've developed for Internet Explorer. The 
most recent version of Internet Explorer, IE 9 was released 
this week. And it offers a ground breaking new tool called 
tracking protection.
    This Do Not Track feature allows consumers to decide which 
sites can receive their data and blocks content from sites that 
they view as engaged in tracking providing consumers with 
greater control over their online experiences. We're very proud 
that Internet Explorer was the first major browser to respond 
to the FTC's recent call for a Do Not Track mechanism. We look 
forward to working with all stakeholders to implement Do Not 
Track tools in a meaningful way for consumers and businesses 
alike.
    Industry initiatives can be effective in complementing 
technology tools. For instance, we've long partnered with the 
Network Advertising Initiative to develop principles governing 
online behavioral advertising. We're continuing to collaborate 
with members of the Digital Advertising Alliance and others in 
the advertising industry to implement guidelines and best 
practices to help ensure that consumers understand and can 
easily opt-out of behavioral advertising.
    The third element of a comprehensive approach to privacy is 
consumer education. We agree with the FTC and the Commerce 
Department that consumers need a better understanding of data 
practices. That's why we provide consumers with clear 
information about our own practices and offer choices about 
what data will be collected and how it will be used. We've also 
partnered with consumer advocates and government agencies to 
develop educational materials on consumer privacy and data 
security.
    The last critical element is federal privacy legislation. 
Legislation is needed because the current sectoral approach to 
privacy regulation is confusing to consumers and it's costly 
for businesses. We believe that legislation should establish a 
common set of privacy and security requirements that are not 
specific to any one technology, industry or business model.
    For particular industries or business models industry 
initiatives should co-exist with or should build on top of the 
baseline obligations of the law. Online advertising is a 
perfect example. Baseline federal privacy requirements around 
user notice, control and security can complement industry 
initiatives and innovative technology tools.
    In conclusion, Microsoft is committed to working with you 
to protect consumer privacy in a way that complements technical 
and industry based measures and promotes continued innovation. 
Thank you for giving us this opportunity to testify today. I 
look forward to answering any questions you may have.
    [The prepared statement of Mr. Andersen follows:]

     Prepared Statement of Erich Andersen, Deputy General Counsel, 
                         Microsoft Corporation
    Chairman Rockefeller, Ranking Member Hutchison, and honorable 
Members of the Committee, my name is Erich Andersen, and I am Deputy 
General Counsel of Microsoft's Windows Division. Thank you for the 
opportunity to share Microsoft's views on an issue that needs the 
attention of Congress and the work of this Committee: the adoption of 
meaningful privacy legislation that protects individuals' privacy while 
complementing technological and industry-based measures and promoting 
continued innovation. We appreciate the leadership that the Committee 
has shown on this issue, and we are committed to working 
collaboratively with you, the Federal Trade Commission, the Department 
of Commerce, consumer groups, and other stakeholders to achieve this 
important balance.
    In my role for the Windows Division, I have worked with our 
software team to develop privacy-enhancing features and tools for 
Windows and Internet Explorer. We have teams working on similar efforts 
throughout Microsoft--for instance, in the Bing search team, the online 
advertising division, the Xbox group, and our cloud computing group. 
Our goal across Microsoft is to build trust with consumers by giving 
them the tools they want to make them productive and enrich their 
computing experience. Privacy is a critical component of earning and 
maintaining that trust. In all of our service offerings, we strive to 
be transparent about our privacy practices, offer meaningful privacy 
choices, and protect the security of the data we store.
    The multiple contexts in which we engage with consumers give us a 
unique perspective on the privacy discussion. For example, as a website 
operator, an ad network, and a browser manufacturer, we have a deep 
understanding of the roles that different participants in the digital 
ecosystem play in safeguarding consumer privacy. Also, based on our 
longstanding involvement in the privacy debate, we recognize that the 
combined efforts of industry and government are required to effectively 
balance the need to protect consumers' privacy interests and promote 
innovation. In light of our experience, we recommend a multi-pronged 
approach that includes legislation, industry self-regulation, 
technology tools, and consumer education.
    Today, I will explain why we believe that each of these four 
elements is important for protecting consumer privacy, and I will 
highlight steps that Microsoft has taken in each area. But first I 
would like to start with a discussion of how technology has reshaped 
consumers' engagement online and their privacy expectations.
I. Protecting Privacy While Enabling Innovation
    The explosive growth of the Internet, cloud computing, the 
proliferation of computers and handheld mobile devices, and the 
expansion of e-commerce, e-government, e-health, and other web-based 
services have brought tremendous social and economic benefits. At the 
same time, however, technology has fundamentally redefined how, where, 
and by whom data is collected, used, and shared. The challenge that 
industry and government must address together is how to best protect 
consumers' privacy while enabling businesses to develop a wide range of 
innovative products and services.
    Consider, for example, online advertising. Online advertising is 
the fuel that powers the Internet and drives the digital economy. Over 
$25 billion was spent on online advertising in 2010.\1\ Millions of 
websites are able to offer their content and services for free because 
of the revenue they derive from advertising online. For small and 
medium-sized businesses in particular, online advertising has created 
new opportunities to inform consumers about their products and 
services. One study estimates that the advertising-supported Internet 
ecosystem is responsible for creating 3.1 million American jobs, and 
that the dollar value of these wages totals approximately $300 
billion.\2\ Consumers also benefit--not only because online advertising 
enables the free services and content they enjoy, but because the ads 
they see are more likely to be relevant. Simply put, the richness and 
vibrancy of the modern Internet experience is due in large part to the 
success of online advertising.
---------------------------------------------------------------------------
    \1\ Kristen Schweizer, U.S. Web Advertising Exceeds Newspaper Print 
Ads in 2010, eMarketer Says, Bloomberg (Dec. 20, 2010), http://
www.bloomberg.com/news/2010-12-20/u-s-web-ads-exceed-newspaper-print-
ads-in-2010-emarketer-says.html.
    \2\ Hamilton Consultants, Inc., Economic Value of the Advertising-
Supported Internet Ecosystem 4 (June 20, 2009), http://www.iab.net/
media/file/Economic-Value-Report.pdf.
---------------------------------------------------------------------------
    The collection of data to serve ads on the Internet also has 
important privacy implications. When Justice Louis Brandeis famously 
defined privacy as ``the right to be let alone'' in 1890,\3\ he could 
not have foreseen how technology would revolutionize our world. An 
individual planning a trip to Boston can now go online to compare 
airfares, book a hotel room, map out restaurant recommendations that 
are convenient to her itinerary, and poll her network of friends for 
suggestions about things to do during her trip. Every day, people 
generate billions of page views, transactions, downloads, and search 
queries--a mountain of data, across a myriad of different devices, that 
reveals valuable information about users' interests. As one of 
Microsoft's senior executives recently recognized, industry can and 
must do better in addressing the fact that consumers often do not 
understand the ways in which their data is bought, sold, bartered, 
exchanged, traded, and used.\4\
---------------------------------------------------------------------------
    \3\ Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 
Harv. L. Rev. 193, 193 (1890).
    \4\ See Emily Steel, Microsoft Executive Urges Online Ad Industry 
to Police Itself, Wall St. J. Digits Blog (Feb. 28, 2011, 6:28 PM), 
http://blogs.wsj.com/digits/2011/02/28/microsoft-executive-urges-
online-ad-industry-to-police-itself/ (referencing comments by Rik van 
der Kooi, corporate vice president of Microsoft's Advertiser & 
Publisher Solutions group, at the annual leadership meeting of the 
Interactive Advertising Bureau).
---------------------------------------------------------------------------
    In the digital era, privacy is no longer about being ``let alone.'' 
Privacy is about knowing what data is being collected and what is 
happening to it, having choices about how it is collected and used, and 
being confident that it is secure. These three principles--
transparency, control, and security--underpin Microsoft's approach to 
privacy. They are also essential components of the thoughtful privacy 
frameworks recently advanced by the Federal Trade Commission (FTC) and 
the Department of Commerce.\5\ We believe that the principles of 
transparency, control, and security should inform legislative, self-
regulatory, technological, and educational initiatives to safeguard 
consumer privacy.
---------------------------------------------------------------------------
    \5\ See generally Fed. Trade Comm'n, Preliminary Staff Report, 
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed 
Framework for Businesses and Policymakers (Dec. 1, 2010) [hereinafter 
FTC Staff Report]; Internet Policy Task Force, Dep't of Commerce, 
Commercial Data Privacy and Innovation in the Internet Economy: A 
Dynamic Policy Framework (Dec. 16, 2010) [hereinafter Commerce Report]. 
As we noted in comments filed with the FTC and the Commerce Department, 
we applaud the Commission's and Department's efforts to develop a 
robust privacy framework that will withstand rapid technological 
advances while fostering innovation.
---------------------------------------------------------------------------
II. A Role for Congress and Comprehensive Privacy Legislation
    As we focus on what can be improved, it is important to note that 
in the past year, significant progress has been made toward protecting 
individuals' privacy: technological solutions to empower consumers to 
control their personal information are now widely available, consumers 
are much more educated about the nature and scope of privacy risks, 
enforcement actions have been taken by the FTC, and legitimate industry 
practices are becoming better and more consistent. Federal legislation 
can be an effective complement to this strategy, providing an 
additional layer of protection for consumers and another tool for 
enforcement officials.
    Historically, Congress has played an active role in protecting 
consumers online. Beginning in the late 1990s, Congress passed laws 
aimed at specific online harms and revised existing laws to account for 
the evolving ways in which technology was being used to collect, use, 
and share personal information. Examples include the Children's Online 
Privacy Protection Act of 1998, the privacy and security provisions for 
financial information in 1999's Gramm-Leach-Bliley Act, the CAN-SPAM 
Act of 2003, and the breach notification provisions for protected 
health information that were included in 2009's Health Information 
Technology for Economic and Clinical Health Act. Congress (and this 
Committee in particular) has also scrutinized important privacy-related 
issues such as online advertising, data security and breach 
notification, privacy in connection with broadband providers, spyware, 
and children's online safety.
    Although the progress that has been made is notable and should not 
be overlooked, our view since 2005 has been that Congress should take 
the next step and enact comprehensive Federal privacy legislation. One 
of the key problems with the current sectoral approach to privacy 
regulations is that it makes compliance a complex and costly task for 
many organizations. According to one estimate, by 2009 there were over 
300 Federal and state laws relating to privacy.\6\ The sector-specific 
approach also creates confusion among consumers, and can result in gaps 
in the law for emerging sectors or business models.
---------------------------------------------------------------------------
    \6\ Lee Gomes, The Hidden Cost of Privacy, Forbes, June 8, 2009, 
available at http://www.forbes.com/forbes/2009/0608/034-privacy-
research-hidden-cost-of-privacy.html.
---------------------------------------------------------------------------
    What industry needs is Federal privacy legislation that sets forth 
baseline privacy protections for transparency, consumer control, and 
security that are not specific to any one technology, industry, or 
business model. Privacy protections that apply across sectors would 
provide consistent baseline protections for consumers, and simplify 
compliance for businesses that increasingly operate across those 
sectors. Baseline privacy protections would also promote accountability 
by ensuring that all businesses use, store, and share commercial data 
in responsible ways, while still encouraging companies to compete on 
the basis of more robust privacy practices. In addition, legislation 
would create legal certainty by preempting state laws that are 
inconsistent with Federal policy.
    Microsoft is pleased to see that members in both chambers of 
Congress are taking up the issue of comprehensive privacy legislation 
in the current congressional session, and we also find it encouraging 
that some of these initiatives appear to have early bipartisan support. 
As these proposals advance through the legislative process, we note 
that any privacy legislation should be crafted with two goals in mind. 
First, the legislation must protect consumers' privacy and data 
security while enabling innovation and facilitating the productivity 
and cost-efficiency offered by new business models and computing 
paradigms. Second, the legislation should create privacy protections 
that can withstand the rapid pace of technological change so that 
consumer data is protected not only today, but also in the decades to 
come.
    To achieve these two ends, any proposed legislation should be 
tested against certain fundamental criteria, among them:

   Flexibility. The legislation should permit businesses to 
        adapt their policies and practices to match the contexts in 
        which consumer data is used and shared and be sufficiently 
        flexible to allow technological innovation to flourish.

   Certainty. The legislation should provide businesses with 
        certainty about whether their privacy policies and practices 
        comply with legal requirements.

   Simplified data flows. The legislation should seek to 
        facilitate the interstate and international data flows that are 
        necessary to enable more efficient, reliable, and secure 
        delivery of services, including through harmonizing 
        international privacy regimes and preempting a patchwork of 
        state privacy laws.

   Technology neutrality. The legislation should avoid 
        preferences for particular services, solutions, or mechanisms 
        to provide notice, obtain choice, or protect consumer data.

   Focus on substantive outcomes. Instead of imposing 
        prescriptive rules that may be of limited effect or that may 
        burden businesses without yielding commensurate privacy 
        benefits, the legislation should set privacy goals based on 
        criteria established in current public policy, then permit 
        businesses to adopt methods and practices to reach those goals 
        in a manner that best serves their business models, 
        technologies, and the demands of their customers.

    We look forward to continuing to work with this Committee to craft 
legislation that meets these criteria.
III. A Role for Industry Self-Regulation and Best Practices
    Legislation, while important, is only part of the solution. 
Legislation is an appropriate vehicle for setting baseline standards, 
but it must work in conjunction with industry self-regulation and best 
practices, technology solutions, and consumer education.
    Industry self-regulation is a useful complement to legislation for 
two reasons. First, self-regulatory efforts can easily be tailored to 
the particular context in which data about individuals is collected and 
used. Consumers have different privacy expectations depending on 
whether they are interacting with retailers, application developers, 
social media platforms, search engines, Internet service providers, 
publishers, advertisers, ad networks, or data exchanges. Effective 
privacy protections should take into account consumers' reasonable 
expectations of privacy, and industry self-regulation offers a flexible 
tool for doing so. Second, self-regulatory efforts are generally well-
positioned to keep pace with evolving technologies and business models. 
There is no question that technology, business models, and consumer 
adoption of online services will continue to change--and change 
rapidly. A decade ago, few consumers were publicly sharing their 
personal photographs and home videos, but today consumers regularly 
post these materials on social networking and online video websites 
without hesitation because they believe such services are valuable. In 
2003 Facebook was just an idea in the mind of a Harvard undergraduate, 
but today there are companies whose entire business model is built 
around developing applications for Facebook and other social media 
platforms.
    Given the complex and dynamic nature of the online ecosystem, 
crafting workable solutions requires engagement from multiple 
stakeholders. Microsoft has a history of working collaboratively with 
other companies to develop appropriate solutions that build on the 
principles of transparency, control, and security. For example, 
Microsoft is a strong supporter of the Self-Regulatory Program for 
Online Behavioral Advertising, which includes an educational website 
where consumers can learn about online advertising and choose not to 
have their information used for behavioral advertising. Additionally, 
data security is one of the focal points of the Program: participating 
organizations must agree to provide appropriate security for, and limit 
their retention of, data collected and used for behavioral advertising. 
In our multiple roles as a browser manufacturer, ad network, and 
website operator, we are coordinating with the Interactive Advertising 
Bureau and other participants in the Self-Regulatory Program to ensure 
that this important initiative is effective, enforceable, and broadly 
accepted. Consistent with our commitment to responsible industry 
leadership, we are also working at the World Wide Web Consortium, the 
standards-setting body for the Web, to develop an industry consensus 
about technical standards that can implemented across browsers to 
enable common tools for consumers to block tracking activities by third 
parties.
    Transparency, control, and security are also essential concepts in 
Microsoft's Privacy Guidelines for Developing Software Products and 
Services, which are based on our internal privacy standards. We make 
these standards publicly available at http://www.microsoft.com/privacy 
for other organizations to use when developing and guiding their own 
product development processes. To encourage industry to adopt these 
guidelines, we have taught courses for others in industry to educate 
them on the standards.
IV. A Role for Technology Solutions
    As a technology company, we naturally believe that technology has a 
key role to play in protecting consumer privacy. To ensure that we 
engineer privacy into our products from the outset and consider privacy 
issues throughout the project lifecycle, we have implemented internal 
policies and procedures that advance key principles such as 
transparency, control, and security.\7\ For example, in individual 
business groups such as Windows, Office, and Xbox, we have a three-tier 
system of privacy managers, privacy leads, and privacy champs who help 
make sure that our products and services comply with our standards and 
applicable privacy laws. We also have a dedicated Trustworthy Computing 
team that works with business groups across the company to ensure that 
their products and services adhere to Microsoft's security and privacy 
policies. Although my colleagues in other divisions would be delighted 
to provide you with details about our initiatives for Bing, Kinect, and 
other products and services, I want to focus on our industry-leading 
browser, Microsoft's Internet Explorer.
---------------------------------------------------------------------------
    \7\ Both the FTC's proposed framework and legislation currently 
moving through Congress recognize the importance of a robust privacy by 
design program. We support these efforts to encourage industry to 
incorporate privacy protections into their data practices and to 
develop comprehensive privacy programs.
---------------------------------------------------------------------------
    Internet Explorer has really been a pioneering technology for 
protecting consumer privacy online. It was the first browser to 
introduce InPrivate Browsing, a feature that prevents a consumer's 
browsing history, temporary Internet files, form data, cookies, and 
usernames and passwords from being retained by the browser, thereby 
leaving virtually no evidence of the consumer's browsing history. 
Another feature in Internet Explorer 8, InPrivate Filtering, watches 
for third-party content that appears with high frequency across 
websites from companies that may be engaged in tracking activities, 
while still allowing consumers to view the content on the sites they've 
chosen to visit.
    The InPrivate features were breakthroughs, but what I would like to 
highlight today is that Microsoft was the first of the major browser 
manufacturers to respond to the FTC's recent call for a persistent, 
browser-based ``Do Not Track'' mechanism.\8\ The version of our browser 
that is being released this week, Internet Explorer 9, will offer an 
innovative new feature, ``Tracking Protection,'' that allows consumers 
to decide which sites can receive their data and filters content from 
sites identified as privacy threats. Users will be able to create or 
download Tracking Protection Lists that identify websites which are, in 
the view of the list creator, trustworthy or untrustworthy. If a site 
is listed as a ``do not track'' site on a Tracking Protection List, 
Internet Explorer 9 will block third-party content from that site, 
unless the user visits the site directly by clicking on a link or 
typing its web address. By limiting ``calls'' to third-party websites, 
Internet Explorer 9 limits the information these third-party sites can 
collect--without relying on the third-party sites to read, interpret, 
and honor a do-not-track signal. At the same time, Tracking Protection 
Lists can include ``OK to call'' entries that permit calls to specific 
sites, which allows consumers to create exceptions in a given list.
---------------------------------------------------------------------------
    \8\ See FTC Staff Report 66 (``Commission staff supports a more 
uniform and comprehensive consumer choice mechanism for online 
behavioral advertising, sometimes referred to as `Do Not Track.' . . . 
The most practical method of providing uniform choice for online 
behavioral advertising would likely involve placing a setting similar 
to a persistent cookie on a consumer's browser and conveying that 
setting to sites that the browser visits, to signal whether or not the 
consumer wants to be tracked or receive targeted advertisements.'')
---------------------------------------------------------------------------
    The Tracking Protection feature is highly customizable and can be 
adapted to specific user preferences because anyone on the Web 
(including consumer groups and privacy advocates, enterprises, security 
firms, and consumers) will be able to create and publish Tracking 
Protection Lists--they are simply files that can be uploaded to a 
website and made available to others via a link. Tracking Protection 
also supports user control: consumers can create or subscribe to more 
than one list if they wish, they can subscribe and unsubscribe to lists 
as they see fit, and a decision to subscribe to a list or lists will 
enable Tracking Protection across all browsing sessions until the 
consumer chooses to turn it off. Finally, Tracking Protection was 
designed with security in mind: because the Web evolves over time and 
third parties might migrate to new domain names, Internet Explorer 9 
will automatically check for updates to a consumer's lists on a regular 
basis, helping ensure that the lists address the latest privacy and 
security threats.
V. A Role for Consumer Education
    We agree with the FTC and the Commerce Department that there is a 
need for greater consumer education to increase consumer understanding 
of data practices and their privacy implications.\9\ At Microsoft, we 
recognize that it is crucial to engage and educate consumers, to give 
them a voice and build a bridge to mutual understanding and benefit. 
That is why we provide consumers with clear information about our own 
practices and, where appropriate, offer choices about what data will be 
collected and how it will be used.
---------------------------------------------------------------------------
    \9\ See FTC Staff Report 78-79; Commerce Report 31-36.
---------------------------------------------------------------------------
    Microsoft was one of the first companies to adopt ``layered'' 
privacy notices. The Microsoft Online Privacy Statement provides 
consumers with the most important information about our privacy 
practices in a concise, one-page upfront summary with links to 
additional layers that describe in more detail our data collection and 
use practices, including the concepts of purpose specification and use 
limitation. Moreover, as noted above, we offer consumers easy ways to 
learn about online behavioral advertising and the privacy practices 
associated with the particular advertisements they receive, and to opt-
out of behavioral advertising if they so choose.
    We have also partnered with consumer advocates and government 
agencies to develop educational materials on consumer privacy and data 
security, such as:

   National Cyber Security Alliance (NCSA). Microsoft is part 
        of this nonprofit public-private partnership that offers online 
        safety and security information to the public on the http://
        www.staysafeonline.org website and through educational efforts 
        such as National Cyber Security Awareness Month.

   GetNetWise. Microsoft supports this public education 
        organization and website (www.getnetwise.org), which offers 
        Internet users resources for making informed decisions about 
        safer Internet use.

   Internet Keep Safe Coalition (www.ikeepsafe.org). Microsoft 
        is a part of this partnership of Governors, attorneys general, 
        public health and educational professionals, law enforcement, 
        and industry leaders working together for the health and safety 
        of youth online.

   Stop. Think. Connect (http://
        safetyandsecuritymessaging.org). Microsoft and a host of other 
        organizations support this online safety campaign that promotes 
        greater awareness and safer behavior on the Web.

    We believe that such initiatives are important for ensuring that 
consumers understand the importance of protecting their privacy and 
security online, and are equipped with the tools to do so.
VI. Conclusion
    Thank you for extending us an invitation to share our experience 
and recommendations with you. We commend the Committee for holding this 
hearing today, and we look forward to working with you to craft 
meaningful privacy protections that provide transparency, control, and 
security in a way that honors individuals' privacy expectations, 
complements existing technological and industry-based solutions, and 
promotes innovation.

    Senator Pryor. Thank you.
    Mr. Montgomery?

                 STATEMENT OF JOHN MONTGOMERY, 
          CHIEF OPERATING OFFICER, GroupM INTERACTION

    Mr. Montgomery. Senator Pryor, members of the Committee, 
good morning and thank you for the opportunity to testify.
    My name is John Montgomery. I'm the Chief Operating Officer 
of the North American operations of GroupM Interaction. GroupM 
is the world's leading, full service media investment operation 
employing over 17,000 employees in 81 countries. Our clients 
are some of the biggest brand advertisers in the world who we 
advise on where to place advertisements most effectively.
    I begin my remarks where I believe the Committee's 
examination should begin with a review of the tremendous 
benefits provided by online advertising. While the Internet has 
revolutionized our lives in extraordinary and exciting ways and 
advertising is the fuel for the Internet economic engine. 
Behavioral advertising, also called interest based advertising, 
is an essential practice that delivers advertising based on 
consumer preferences or interests as inferred from data about 
online activities.
    For example if a browser's activity suggested the user has 
a new baby we can show offers for baby products rather than 
retirement homes or sports cars. Consumers find such 
advertisements more relevant than random messages and 
advertisers are more likely to attract consumers that are 
interested in their products and services.
    We at GroupM and our clients strongly believe in protecting 
consumer privacy. It's not only the right thing to do, but it's 
good for business. And I'm excited to share with the Committee 
the work that we've done to make sure that the consumers have 
both transparency and control to exercise their preferences in 
regard to online behavioral advertising.
    GroupM has participated in an unprecedented cross industry 
effort by leading trade associations and companies that 
responds to the FTC's report that calls for self regulation on 
online behavioral advertising. This effort is being spearheaded 
by the leading associations that collectively represent the key 
elements of the Internet ecosystem, more than 5,000 companies 
in all. The FTC report set out a roadmap of key elements that 
should be included in self-regulation including transparency, 
consumer control and data security. And the major component of 
the program is the use of an icon that informs consumers that 
interest based advertising is occurring.
    And to help create this icon GroupM mobilized our market 
leading advertising teams to invest the same design, testing, 
and market research in this icon as we would use for our 
Fortune 500 clients. Let me briefly show you how the principle 
works from a consumer's perspective. If I could refer you to 
the boards on my right.
    Aboutads.info is a simple and effective ``one stop'' 
platform for consumers to opt-out of having their information 
collected and used for behavioral advertising purposes. 
Consumers can opt-out with the click of one button with respect 
to all participating companies. And GroupM and hundreds of 
leading companies are working to advance compliance with the 
program.
    Two other major elements of our implementation effort are 
education and enforcement. GroupM has partnered with the 
Interactive Advertising Bureau on a ``Privacy Matters'' 
education campaign to inform consumers about how they can 
manage their online experience and to explain how advertising 
supports the Internet. To date more than 600 million 
impressions are being delivered as part of this campaign.
    And finally I want to emphasize that companies will be held 
accountable for complying with the principles just as the FTC 
recommended. All of us in advertising have a strong incentive 
to maintain accountability in order to foster consumer trust. 
The principles are enforceable through programs being 
administered by the Direct Marketing Association and the 
Council of Better Business Bureaus. These organizations have 
long-standing effective and respected compliance programs that 
they are leveraging to cover the principles. Any company that 
claims to comply but fails to do so could face FTC enforcement 
for deceptive acts or practices.
    And whilst our program--whilst our progress has been 
exciting, our work continues. One of the major benefits of 
industry self regulation is the ability to respond quickly to 
changes to technology and business practices. For example 
recently, some policymakers have raised concerns that data 
collected for advertising purposes could be used as a basis for 
employment, credit or health insurance eligibility decisions.
    I want to emphasize that these are hypothetical concerns 
that do not reflect actual business practice. But nevertheless 
industry is stepping forward to address these concerns. And 
we're expanding our guidelines to clarify and ensure that such 
practices are prohibited and will never occur.
    The self regulatory principles owe much to the guidance of 
federal policymakers which have strengthened our independent 
commitment to consumer privacy and uniform choice. Now as you 
proceed in this dialogue it's vitally important to avoid mixed 
messages to consumers that could inhibit them from exercising 
their choice to the self-regulatory tool that's already 
available. We have to ensure that there's a single standard to 
make it simple for consumers. We do not want to add confusion 
to an already complex arena. Now I want to make it clear that 
we are working with a browser company such as Microsoft and 
Firefox and even Chrome, who are a part of the coalition to 
incorporate self-regulation and Do Not Track together.
    So in conclusion, we believe that the program creates the 
right framework that encourages both innovation and privacy 
bringing the benefits for online services and privacy 
protection to consumers. Thank you, and I look forward to any 
questions.
    [The prepared statement of Mr. Montgomery follows:]

    Prepared Statement of John Montgomery, Chief Operating Officer, 
                   North America, GroupM Interaction
I. Introduction
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, good morning and thank you for the opportunity to speak at 
this important hearing.
    My name is John Montgomery and I am the Chief Operating Officer for 
the North American operations of GroupM Interaction (``GroupM''). 
Headquartered in New York City, GroupM is the world's leading full-
service media investment management operation, employing over 17,000 
employees in 81 countries. GroupM is the parent company of WPP's 
market-leading media communications agencies, including Maxus, MEC, 
Mindshare and Mediacom. Our clients are major global companies with 
brands that are household names. In the simplest terms, we advise 
clients on how to use advertising and where to place advertisements 
most effectively. Our business is built on the belief that both 
consumers and companies benefit when advertising provides timely and 
relevant information to those consumers who are most likely to be 
interested. While this philosophy is not new or unique to the Internet, 
online advertising has given us new tools to help our clients.
    We at GroupM strongly believe in protecting consumer privacy. It is 
not only the right thing to do, but it is also good for business. We 
want to build consumer trust in the online experience, and therefore we 
believe that consumers should be able to choose whether and how their 
data is collected or used for online behavioral advertising. Our 
clients also want to provide these choices to maintain the confidence 
of their customers. Global companies work hard every day to protect 
their brands, and they recognize that their customers may have 
different preferences about online advertising.
    My testimony today will describe how we have worked successfully 
with other industry leaders to give consumers these choices, and to 
create easy, uniform, and effective tools for them to exercise their 
choices. Our contributions illustrate the industry-wide collaboration 
and support behind this self-regulatory effort, which are truly 
impressive given our highly competitive marketplace.
II. Online Advertising Benefits Consumers and the Economy
    I begin my remarks where I believe the Committee's examination 
should begin--with a review of the tremendous benefits provided by 
online advertising, especially behavioral advertising.
    It is impossible to overstate the economic importance of the 
Internet today. Even in difficult times, e-commerce has continued to 
grow, thrive, and employ millions of Americans. The Internet is now the 
focus and a symbol of the United States' famed innovation, ingenuity, 
inventiveness, and entrepreneurial spirit, as well as the venture 
funding that follows. The Internet has already revolutionized our 
lives, and it continues to evolve in extraordinary and exciting ways. 
And as the Department of Commerce recently concluded, thus far the 
United States' approach to Internet policy has enabled the digital 
economy to flourish.\1\
---------------------------------------------------------------------------
    \1\ Department of Commerce Internet Policy Task Force, Commercial 
Data Privacy and Innovation in the Internet Economy: A Dynamic Policy 
Framework at 1 (December 2010) (hereinafter ``Commerce Policy 
Framework''), available at http://www.commerce.gov/sites/default/files/
documents/2010/december/iptf-privacy-green-paper.pdf.
---------------------------------------------------------------------------
    Advertising helps to fuel the Internet economic engine. Revenues 
from online advertising support and facilitate e-commerce and subsidize 
the cost of content and services that consumers value, such as online 
newspapers, blogs, social networking sites, e-mail, and phone services. 
Because of advertising support, consumers can access a wealth of online 
resources for free or at a low cost. These resources have transformed 
our daily lives. Imagine parents who discover their child is sick at 
two o'clock in the morning. They can go online to look up basic medical 
information or find directions to the nearest doctor's office or 
emergency room. The Internet is now so established that we tend to take 
these resources for granted, but in fact they are largely supported by 
advertising.
    Online advertising is equally vital to established businesses and 
new start-up companies. A study commissioned by the Interactive 
Advertising Bureau estimated that some three million Americans are 
employed due to the advertising-supported Internet.\2\ Online 
advertising also fosters competition by making it easier for emerging 
businesses to reach potential customers. In turn, these entrepreneurs 
spur existing market leaders to continue innovating.
---------------------------------------------------------------------------
    \2\ Hamilton Consultants, Inc. with Professors John Deighton and 
John Quelch, Economic Value of the Advertising-Supported Internet 
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
---------------------------------------------------------------------------
    Behavioral advertising is an essential form of online advertising. 
As the Committee knows, behavioral advertising, also called interest-
based advertising, is delivered based on consumer preferences or 
interests as inferred from data about online activities. Consumers are 
likely to find behavioral advertisements more relevant than random 
messages, and advertisers are more likely to attract consumers that are 
interested in their products and services. For example, if a browser's 
activity suggests that the user has a new baby, we can show offers for 
baby products rather than retirement homes or sports cars. Websites 
also benefit because behavioral advertising garners better responses, 
allowing websites to earn more revenue--and support more content and 
services--for fewer advertisements.
    At the same time, we recognize and respect that some consumers may 
prefer not to receive behavioral advertising. I am excited to share 
with the Committee the work we have done to make sure that consumers 
have both transparency and control to exercise their preferences in 
regard to online behavioral advertising.
III. Industry Self-Regulatory Principles Follow the Federal Trade 
        Commission Roadmap
    In February 2009, after an extended deliberative process, the 
Federal Trade Commission published a Staff Report that called upon 
industry to ``redouble its efforts'' to create self-regulation of 
online behavioral advertising.\3\ The report set out a roadmap of 
several key elements that should be included in self-regulation, such 
as transparency, consumer control, and data security. The Commission 
also made clear that consumer tools to exercise choice should be easy 
to use, effective, uniform, and ubiquitous.
---------------------------------------------------------------------------
    \3\ Federal Trade Commission Staff Report, Self-Regulatory 
Principles for Online Behavioral Advertising at 47 (February 2009), 
available at http://www.ftc.gov/os/2009/02/P085400behav
adreport.pdf.
---------------------------------------------------------------------------
    In the two years since the Commission's Staff Report, GroupM is 
pleased to have participated in an unprecedented cross-industry effort 
by leading trade associations and companies to respond to the Federal 
Trade Commission's endorsement of self-regulation. This effort has been 
spearheaded by the American Association of Advertising Agencies, the 
Association of National Advertisers, the Interactive Advertising 
Bureau, and the Direct Marketing Association, and also includes the 
American Advertising Federation, the Network Advertising Initiative, 
and other leading industry associations that represent components of 
the Internet ecosystem. These associations and the companies 
participating in the self-regulatory effort collectively account for 
the vast majority of online behavioral advertising. Following the 
roadmap set out by the Commission, we have worked diligently to develop 
standards, launch innovative tools, and educate consumers to make sure 
they have the choices they deserve.
    In July 2009, just 5 months after the Federal Trade Commission's 
guidance, our coalition announced a groundbreaking set of Self-
Regulatory Principles for Online Behavioral Advertising.\4\ The 
Principles apply across the entire online advertising ecosystem. They 
address all of the key elements called for in the Federal Trade 
Commission's 2009 Staff Report, namely:
---------------------------------------------------------------------------
    \4\ American Association of Advertising Agencies, Association of 
National Advertisers, Direct Marketing Association, Interactive 
Advertising Bureau, and Council of Better Business Bureaus, Self-
Regulatory Principles for Online Behavioral Advertising (July 2009), 
available at http://www.aboutads.info/resource/download/seven-
principles-07-01-09.pdf.

---------------------------------------------------------------------------
   Consumer education,

   Enhanced notice of data practices,

   Innovative choice mechanisms,

   Data security,

   Sensitive data protection,

   Consent for retroactive material policy changes, and

   Enforcement.

    The Self-Regulatory Principles prescribe expectations for companies 
in each of these areas. They provide uniform definitions for key terms 
and include detailed Commentary to aid compliance.
    GroupM believes that the Self-Regulatory Principles are 
comprehensive yet flexible enough to respond to the complex and rapidly 
evolving online advertising ecosystem. Most importantly, they are 
supported by all of the major industry stakeholders. We were pleased, 
therefore, that the Commerce Department's recent draft framework on 
privacy and innovation also favors voluntary and enforceable industry 
codes like our initiative.\5\
---------------------------------------------------------------------------
    \5\ Commerce Policy Framework at 5, 41-44.
---------------------------------------------------------------------------
IV. Implementing Self-Regulation: Uniform Choice, Consumer Education, 
        and Enforcement
    Since releasing the Principles in July 2009, GroupM and other 
industry leaders have made significant investments in implementing the 
Principles across the Internet. A timeline of milestones is attached 
(Attachment 1). The development and launch of our Advertising Option 
Icon has been a key focus of this implementation phase, and I am very 
proud of GroupM's important contributions in this area. Advertisers who 
are adopting this icon for their advertisements are finding that the 
icon enhances a company's brand relating to its privacy stance. The 
icon is a win-win for consumers and businesses.
    The Federal Trade Commission made clear, and we agree, that 
consumers should get notice of behavioral advertising practices that is 
uniform, ubiquitous, and ``just in time'' to make decisions. For 
uniformity, we also agreed that this notice should use a special 
graphic icon that would be memorable to consumers. To assist in the 
creation of this icon, GroupM mobilized our market-leading advertising 
teams to invest the same design, testing, and market research in this 
icon that we would use for our Fortune 500 clients. Our work was the 
basis for the Advertising Option Icon (Attachment 2), a simple but 
attention-grabbing graphic that we hope will become as universally 
familiar and recognizable as the recycling logo.
    To make sure this notice is ubiquitous and ``just in time,'' as 
recommended by the Federal Trade Commission, we reached the innovative 
solution of embedding the icon where data is collected and used for 
online behavioral advertising.
    Let me briefly review how the Principles work from a consumer's 
perspective:

   First, an advertisement covered by the Principles is 
        identified with the Advertising Option Icon, which appears in 
        the advertisement right where the consumer will notice it 
        (Attachment 3). The icon launched last December and has already 
        been served in billions of advertisements, and we expect to 
        reach the milestone of one trillion impressions by the end of 
        this year.

   Clicking the Advertising Option Icon brings up a brief 
        statement about online behavioral advertising, with a link to 
        more information and opt-out choices.

   Interested consumers can click this link to visit 
        AboutAds.info, an industry- sponsored website that provides 
        consumer education (Attachment 4) and, most importantly, 
        consumer choice (Attachment 5).

    AboutAds.info is a simple and effective ``one stop'' platform for 
consumers to opt-out of having their information collected and used for 
behavioral advertising purposes. Consumers can opt-out with respect to 
all participating companies, or they can pick and choose which 
companies may collect and use their data.
    The Federal Trade Commission has recently referred to this type of 
process as a ``Do Not Track'' system. We believe that our program 
provides ``uniform notice and choice.'' Regardless of what terminology 
is used, our self-regulatory tools meet all of the policy goals that 
the Commission has publicly set forth. As implementation proceeds, no 
matter where consumers go online, they will see one memorable icon that 
leads to the same familiar and easy-to-use choice mechanism.
    Companies can easily implement this uniform process and become 
compliant with the Self-Regulatory Principles by working with 
``approved providers'' Evidon, TRUSTe, and DoubleVerify, which offer 
technical solutions for compliance. GroupM is working with Evidon to 
advance compliance in all of our offerings and agencies. Hundreds of 
leading companies are already compliant or in the process of complying.
    Two other major elements of our implementation effort are education 
and enforcement. GroupM is strongly committed to consumer education and 
has made significant investments in this area. Our goal is to build 
consumer trust by helping consumers to understand and exercise their 
choices.
    First, we have partnered with the Interactive Advertising Bureau on 
the ``Privacy Matters'' educational campaign to inform consumers about 
how they can manage their online experience and to explain how 
advertising supports the Internet. For this campaign, we used catchy 
and controversial slogans like ``Advertising Is Creepy'' to appeal to 
the consumers most interested in learning more. As part of this 
unparalleled effort, the Interactive Advertising Bureau's online 
publisher members have delivered close to 600 million online public 
service announcements. These announcements link to the ``Privacy 
Matters'' website (http://www.iab.net/privacymatters/), which features 
fun educational modules on advertising practices and safe Web browsing. 
Through January 2011, the results of this campaign have been excellent, 
with a click-through-rate that is substantially out-performing the 
standard range for public service campaigns.
    GroupM has also supported the industry coalition effort to 
publicize the Self-Regulatory Principles and associated tools for 
businesses and consumers. This multifaceted campaign, which supplements 
the consumer notice provided by the Advertising Option Icon, has 
included the launch of the AboutAds.info website, community outreach by 
the participating trade associations, a series of educational webinars 
to assist businesses with coming into compliance with the Principles, 
and the delivery of additional online public service announcements.
    Finally, I want to emphasize that companies will be held 
accountable for complying with the Principles, just as the Federal 
Trade Commission recommended. The Principles are enforceable through 
programs being administered by the Direct Marketing Association and the 
Council of Better Business Bureaus.\6\ These organizations have 
longstanding, effective, and respected compliance programs that they 
are leveraging to cover the Principles. The Council of Better Business 
Bureaus has created a new program and hired additional employees to 
administer the Principles. All of us in the advertising industry have a 
strong incentive to maintain accountability in order to foster consumer 
trust. In addition, any company that claims to comply, but fails to do 
so, could face Federal Trade Commission enforcement for deceptive acts 
or practices.
---------------------------------------------------------------------------
    \6\ Direct Marketing Association Press Release, ``DMA Launches 
Enforcement for Online Behavioral Advertising'' (January 31, 2011); 
Council of Better Business Bureaus Press Release, ``Council Steps Up 
Enforcement of Interest-Based Advertising,'' (March 7, 2011).
---------------------------------------------------------------------------
V. The Future of Self-Regulation
    As I explained, the Self-Regulatory Principles include all of the 
elements set out in the Federal Trade Commission's 2009 roadmap. Less 
than 2 years after the Principles were announced, and thanks to strong 
investment by the business community, our implementation phase is 
gaining strong momentum. Every day, we are adding more members to the 
compliance programs, putting more Advertising Option Icons out on the 
Internet, and reaching more consumers with uniform notice and choice.
    While our progress has been exciting, our work continues. One of 
the major benefits of industry self-regulation is its ability to 
respond quickly to changes in technology and business practices. For 
example, some policymakers have raised concerns that data collected for 
advertising purposes could be used as a basis for employment, credit, 
or health insurance eligibility decisions.\7\ I want to emphasize that 
these are hypothetical concerns that do not reflect actual business 
practices. Nevertheless, industry is stepping forward to address these 
concerns and we are expanding our guidelines to clarify and ensure that 
such practices are prohibited and will never occur. This type of 
adaptability is essential to avoid stifling innovation in the complex 
and dynamic Internet environment. We welcome additional input from 
policymakers and we are committed to examining any future concerns that 
may arise.
---------------------------------------------------------------------------
    \7\ Representative Jackie Speier, ``Do Not Track Our Online Data,'' 
Politico (March 4, 2011), available at http://www.politico.com/news/
stories/0311/50614.html; Jon Leibowitz, ``FTC Chairman: `Do Not Track' 
Rules Would Help Web Thrive--Online commerce and personal privacy are 
not incompatible,'' U.S. News (January 3, 2011), available at http://
www.usnews.com/opinion/articles/2011/01/03/ftc-chairman-do-not-track-
rules-would-help-web-thrive-jon-leibow
itz.
---------------------------------------------------------------------------
    The Self-Regulatory Principles owe much to the guidance of Federal 
policymakers, which has strengthened our independent commitment to 
consumer privacy and uniform choice. As we proceed in this dialogue, it 
is vitally important to avoid confusing or mixed messages to consumers 
that could inhibit them from exercising their choices through the self-
regulatory tool that is already available. It is equally important to 
maintain incentives for the business community, which has already 
invested so much in self-regulation, to come into compliance with the 
Principles. GroupM and our partners look forward to continuing our 
efforts and working cooperatively with the Committee, the Federal Trade 
Commission, and the Department of Commerce as we move forward with 
implementing the Self-Regulatory Principles for Online Behavioral 
Advertising and discussing these important issues. We believe that this 
program creates the right framework that encourages both innovation and 
privacy, bringing the benefits of online services and privacy 
protection to consumers.
                                  ***
    Thank you for inviting me to share GroupM's perspective on ``The 
State of Online Consumer Privacy.'' I look forward to answering any 
questions that the Committee may have.
                                 ______
                                 
Attachment 1: Timeline of Industry Effort to Develop and Implement 
        Self-Regulatory Principles for Online Behavioral Adverting




December 2007         Federal Trade Commission staff releases proposed
                       principles to guide the development of industry
                       self-regulation in the area of online behavioral
                       advertising.April 2008            Industry leaders file comments on Federal Trade
                       Commission's proposals and convene task force to
                       examine existing self- regulatory efforts.October 2008          Industry coalition begins drafting new self-
                       regulatory guidelines.February 2009         Federal Trade Commission releases final Staff
                       Report on Self-Regulatory Principles for Online
                       Behavioral AdvertisingJuly 2009             After building support among industry
                       stakeholders, coalition releases cross-industry
                       Self-Regulatory Principles for Online Behavioral
                       Advertising (``Principles'') that correspond to
                       the guidelines in the FTC staff report.August 2009           Coalition turns to enforcement, operational
                       implementation, and educational planning.November 2009         Interactive Advertising Bureau and Network
                       Advertising Initiative lead effort to develop
                       technical specifications for implementing
                       enhanced notice through a link in or around an
                       advertisement.December 2009         Coalition launches ``Privacy Matters'' education
                       campaign, which has been designed to educate
                       consumers about how they can manage their online
                       experience and to help consumers better
                       understand and appreciate how online advertising
                       supports the Internet.January 2010          Coalition announces intention to provide enhanced
                       notice to consumers through a link/icon embedded
                       in online behavioral advertisements (or, if such
                       notice is not delivered, on the Web page where
                       the behavioral advertisement occurs).March 2010            Coalition commences effort to operationalize the
                       Principles, including providing business
                       education webinars, trademarking distinctive
                       Advertising Option Icon, and developing an
                       industry- wide Website to deliver consumer
                       education, provide information concerning parties
                       engaged in online behavioral advertising, and
                       offer consumer choice.October 2010          AboutAds.info Website launches. Companies may
                       register to use the Advertising Option Icon and
                       acquire specific technical guidance for the
                       icon's implementation and use.
                      Coalition selects the first ``approved provider''
                       to offer technical solutions for compliance with
                       the Principles.November 2010         Coalition launches consumer-facing AboutAds,info
                       Consumer Opt-Out Page, where consumers may easily
                       opt-out of some or all of the interest-based
                       advertisements they receive.December 2010         Coalition selects two additional ``approved
                       provider'' vendors.January 2011          Direct Marketing Association enforcement program
                       goes into effect.February 2011         Principles and Communication Advisory Committee
                       convenes to consider application of the
                       Principles to mobile platforms, as well as ways
                       to encourage international adoption of the icon
                       and standards consistent with the Principles.March 2011            Council of Better Business Bureaus enforcement
                       program goes into effect.
                      Accountability program selects vendor to provide
                       technical platform to monitor participating
                       companies' compliance with the Principles.
Attachment 2. Advertising Option Icon



Attachment 3. Sample Advertisement with Embedded Advertising Option 
        Icon

        
        
Attachment 4. About Ads.info Home Page



Attachment 5. AboutAds.info Uniform Consumer Choice Page



                                 ______
                                 

    Senator Pryor. Thank you.
    Mr. Soltani?

                 STATEMENT OF ASHKAN SOLTANI, 
         INDEPENDENT PRIVACY RESEARCHER AND CONSULTANT

    Mr. Soltani. Thank you. Senator Pryor and distinguished 
members of the Committee, thank you for the opportunity to 
testify about online consumer privacy and the state of web 
tracking. My name is Ashkan Soltani. I'm a technology 
researcher and consultant specializing in privacy and security 
on the Internet.
    As background I served for a year as a technologist in the 
Division of Privacy and Identity Protection at the Federal 
Trade Commission. I was also the primary technical consultant 
on the Wall Street Journal's ``What they know'' series. I 
should note the opinions here are my own and don't reflect the 
views of my previous employers.
    In my testimony I will describe findings from my research 
about the pervasiveness of online tracking. I will discuss the 
extent to which consumers can control unwanted tracking. I will 
conclude with a description of the proposed Do Not Track 
mechanisms.
    The practice of using third party services is very common 
on the web today. In 2009 I co-authored a study where we found 
an average of 12 third party trackers on the top 100 most 
visited websites. One site used roughly 100 different trackers. 
That means when a user visits that website 100 unseen entities 
are notified of that visit.
    The very reason why online tracking is effective and why it 
raises privacy concerns is that the third-party entities can 
monitor user's behavior across multiple, unrelated websites. In 
our study one advertising service could track a user's web 
browsing activity down to approximately 90 percent of the 
websites we've examined. This company is not alone in its 
reach. Widgets from a single social networking company 
currently gather data across several million websites. These 
companies that were positioned to infer a great deal more than 
just the user's interests in automobiles or sporting goods. 
This unique vantage point enables them to collect the vast 
majority of a user's web browsing activity.
    It's important to point out that online tracking is not 
limited to desktop computers. Mobile devices and smartphones 
raise unique privacy concerns because people always have them 
on their persons. Application and services running on these 
devices may have the ability to access precise location 
information providing third parties with intimate details about 
a user's habits.
    Every major web browser includes a patchwork of privacy-
enhancing technologies that are not enabled by default and that 
are often difficult to configure. Worse yet, even when properly 
configured online tracking companies have consistently devised 
ways to circumvent their function. As a result browser vendors 
and thus consumers are losing this game of privacy Whack-a-
Mole.
    Many ad services seek to temper privacy concerns by 
offering users a way to opt-out of behavioral advertising. 
However these opt-outs typically only allow users to opt out of 
receiving targeted ads not opt out of the underlying tracking 
fully. I don't think this is what most consumers would expect.
    Finally, not all companies that engage in online tracking 
offer an opt-out. By my count only about a quarter of the 
online trackers I'm aware of have existing opt-out mechanisms.
    Today's consumer choice mechanisms fail to provide users 
with meaningful control. Advocates and industry have been 
working to establish an easy to use tool to control online 
tracking commonly referred to as Do Not Track. Two separate but 
complementary approaches have been now advanced. And while I 
won't discuss them in technical detail here, I'm happy to 
answer any questions you might have about them.
    To conclude, online tracking is pervasive on the Internet 
and it's an issue that's often difficult for users to 
understand. Even when they do realize they are being tracked 
there's often very little that can be done. Consumers need more 
transparency into who is tracking them online, what information 
is being collected and how this information is being used, 
shared and sold.
    There is a clear need for better privacy controls to 
prevent unwanted tracking. And industry has not delivered. To 
be effective privacy protections online will likely require 
both technology and policy working in tandem.
    Thank you for inviting me today. And I hope that my 
testimony here is helpful. I'm grateful that the Committee has 
invited a technologist to participate since these issues can be 
deeply technical in nature. I look forward to helping you 
understand these nuances that make online tracking such an 
interesting and yet complex issue.
    I'm happy to answer any questions.
    [The prepared statement of Mr. Soltani follows:]

               Prepared Statement of Ashkan Soltani,\1\ 
             Independent Privacy Researcher and Consultant
---------------------------------------------------------------------------
    \1\ My oral and written testimony here today to the Committee 
represents my own personal views, and does not reflect the views of any 
of the organizations I have consulted or worked for in the past.
---------------------------------------------------------------------------
    Chairman Rockefeller, Ranking Member Hutchison, and the 
distinguished members of the Committee, thank you for the opportunity 
to testify about online consumer privacy and the state of tracking on 
the Web today.
    My name is Ashkan Soltani. I am a technology researcher and 
consultant specializing in consumer privacy and security on the 
Internet. I have more than 15 years of experience as a technical 
consultant to Internet companies and Federal Government agencies. I 
received my Master's degree in Information Science from the University 
of California at Berkeley, where I conducted extensive research and 
published two major reports on the extent and means of online tracking. 
Last year, I served as a staff technologist in the Division of Privacy 
and Identity Protection at the Federal Trade Commission on 
investigations related to Internet technology and consumer privacy. I 
have also worked as the primary technical consultant on the Wall Street 
Journal's What They Know series investigating Internet privacy issues 
on the ground.
    I have been asked to testify about the current state of online 
tracking from a technical perspective. I will describe the basics of 
how online tracking works and discuss some of my research that 
demonstrates how pervasive tracking is online today. I will then 
discuss the extent to which consumers are actually aware that they are 
being tracked online and whether they are able to meaningfully control 
unwanted tracking with existing industry-provided and browser-based 
mechanisms. Finally, I will discuss the Do Not Track proposals in light 
of these findings.
A. How Online Tracking Works
    As an illustrative example to explain how consumers are tracked 
online, we can step through a typical Web browsing session. A user 
wants to look up information about cholesterol on WebMD, so he types 
``www.webmd.com'' into his browser's location bar and navigates to a 
specific page on WebMD's site focused on cholesterol. The browser 
contacts the WebMD server to retrieve the contents of the page. Much of 
the page's content will be provided directly by WebMD itself, but some 
of the content may originate from other entities, such as an 
advertisement provided by an online advertising service such as 
Google's DoubleClick. As a result, although the browser's location bar 
will show ``www.webmd.com,'' many other third party entities may have a 
presence on the website, and often it is unclear to the user which 
content comes from which provider.
    A useful analogy may be to imagine a picture frame that has slots 
to display a number of different photos. WebMD provides the ``frame'' 
and a few of the ``photos,'' while the rest of the ``photos'' are 
provided by third parties that WebMD has partnered with. This practice 
of embedding content from third party entities is nearly universal on 
the Web today. As I will explain below, it is primarily these third 
party entities that are capable of tracking users as they browse the 
Web.
    In this example, the WebMD page on cholesterol includes a third 
party online advertisement that is displayed at the top of the page. As 
the web browser fetches the ad, two things relevant to tracking 
typically occur. First, the company providing advertisements can 
attempt to uniquely identify the browser using a variety of technical 
mechanisms, which I will discuss below. The simplest and most common 
technique is to use a browser cookie. In this context, a cookie is a 
file containing a unique identifier that is placed on the user's 
computer by the third party ad service and is transmitted back to the 
service upon each subsequent ad request.\2\ Second, the ad service can 
record detailed information about this interaction. The ad service may 
log the date and time of the ad request, which ad was displayed, and 
perhaps the details about the content of the WebMD page on which the ad 
was shown. Most importantly, the ad service can link all this 
information to the unique identifier, and collect this information 
together in a consumer data base.
---------------------------------------------------------------------------
    \2\ Cookies are text files that can store various types of 
information. For the purposes of tracking, they typically contain 
unique descriptors such as user=1234567890 or e-mail=john.doe
@host.com.
---------------------------------------------------------------------------
    Some time later, the user checks the weather by browsing to 
``www.weather.com.'' It turns out that the same third party ad service 
used by WebMD is also providing ads for the Weather Channel's site. As 
an ad loads in the margins of the Washington, D.C. forecast page, the 
ad service can again uniquely identify the user's browser, using the 
same cookie file that was previously stored. The ad service can now tie 
the user's browsing activity between the two sites together--the same 
browser that previously accessed health information about cholesterol 
also looked up the weather forecast in Washington, D.C. As the user 
continues to browse, this ad service can continue to follow the user's 
activity on the websites on which it has a presence. These activities 
are the essence of online tracking.
    Web browsing interactions are generally described as being in one 
of two categories, first party or third party. A first party is 
typically defined as an entity whose site the user knowingly visits and 
whose Web address appears in the browser's location bar--in the 
scenario above, WebMD and then later, the Weather Channel. Users 
typically interact with a first party by directly typing its Web 
address into the location bar or by browsing to it from another site, 
for instance, by following a link from a search engine or a social 
network.
    A third party is an entity that provides content that is included 
on a first party site, like the ad service in our earlier scenario. 
While some third party interactions are visible to the user, such as a 
displayed ad or an embedded video, it may not be clear that this 
content is being provided by someone other than the site they are 
visiting. However, other third party interactions may be invisible to 
the user. For example, a ``web bug'' is an imperceptible image placed 
on first party sites, but operated by third parties, for the express 
purpose of invisibly tracking users.\3\ These third party tracking 
objects can only appear on a site with the knowledge and consent of the 
first party. As an example, ads from Google DoubleClick will only 
appear on Weather Channel pages if the Weather Channel explicitly 
decides to include DoubleClick on its site.
---------------------------------------------------------------------------
    \3\ Web bugs are sometimes also referred to as tracking pixels or 
web beacons. Web bugs are typically used to provide websites with 
information that will help them understand and optimize web usage, and 
typically track users.
---------------------------------------------------------------------------
    Note also that the same business entity can be both a first party 
or a third party, depending on the context. For instance, if a user 
browses directly to ``www.youtube.com'' to watch online videos, YouTube 
is a first party. But, if a first party site such as CNN.com embeds a 
YouTube video into one of its stories, YouTube is now a third party.
    In our scenario, the ad service uses a standard browser cookie to 
link together two separate user interactions--one on WebMD and the 
other on the Weather Channel. Even though the cookie by itself does not 
usually identify the user by name, third party trackers are able to 
build a ``browsing profile'' that consists of data from numerous Web 
interactions over time from the same user.\4\ This browsing profile has 
the potential to reveal quite a bit of information about the user's 
real world identity.\5\
---------------------------------------------------------------------------
    \4\ Of course, some browsers may be shared by multiple users, but 
often browsers will be used primarily by a single user. This is 
particularly salient in the case of mobile phones, where the sharing of 
devices is less common.
    \5\ Each data point may also reveal the time of each site access 
and in many cases the user's approximate geographic location based on 
his IP address. More advanced tracking techniques on a single page may 
be able to determine exactly how the user moves his mouse on the page 
or what text on the page gets highlighted and copied.
---------------------------------------------------------------------------
    Despite some claims that these collected browsing profiles are 
``anonymous,'' recent computer science research suggests that it is 
often quite easy to re-identify datasets that contain user 
information.\6\ As the number of data points in a browsing profile 
increases, so too does the possibility that it can eventually be re-
identified to reveal the user's actual identity, such as a name, e-mail 
address, or other personally identifiable information. For example, 
when a user purchases a product online, the merchant could decide to 
share the user's e-mail address--collected in the billing process--with 
a third-party ad service that is present on the purchase page. This 
issue can also arise with the use of social networks, whereby 
identifying information may leak to third party ad services.\7\
---------------------------------------------------------------------------
    \6\ Narayanan, A., & Shmatikov, V. (2008). How to Break Anonymity 
of the Netflix Prize Dataset. In Proc. of 29th IEEE Symposium on 
Security and Privacy, Oakland, CA, May 2008, pp. 111-125. and Ohm, P. 
Broken Promises of Privacy: Responding to the Surprising Failure of 
Anonymization (2009, August 13). University of Colorado Law Legal 
Studies Research Paper No. 09-12. Available at SSRN: http://ssrn.com/
abstract=1450006.
    \7\ Krishnamurthy, B. and Willis, C. (2009). On the leakage of 
personally identifiable information via online social networks. In 
Proceedings of the 2nd ACM workshop on Online social networks (WOSN 
`09). ACM, New York, NY, USA, 7-12. DOI=10.1145/1592665.1592668 from 
http://doi.acm.org/10.1145/1592665.1592668.
---------------------------------------------------------------------------
1. The State of Online Tracking
    The practice of using third party services to add tracking and 
other functionality to a website is quite common. In our Berkeley 
KnowPrivacy study, we found an average of 12 trackers present on each 
of the top 100 most popular websites, with one having as many as 100 
different trackers over the course of a month.\8\ This means that when 
a user visits that website, potentially 100 entities--nearly all unseen 
by the user--will learn about the visit.
---------------------------------------------------------------------------
    \8\ Gomez, J., Pinnick, T., and Soltani, A. (2009, June 1). 
KnowPrivacy available at http://knowprivacy.org/report/
KnowPrivacy_Final_Report.pdf, p.26.
---------------------------------------------------------------------------
    The very reason why online tracking is both effective and why it 
raises privacy concerns is that third party entities can track 
consumers across multiple unrelated first party websites. In our 
Berkeley study, we also found that some third party trackers have an 
extensive ``reach'' across a large number of first party sites. One 
advertising company was able to monitor activity on 91 of the top 100 
most popular sites, as well as 88 percent of 350,000 sites sampled in 
our dataset, as of March 2009.\9\ In 2010, a leading social network 
announced that their third party sharing widgets were present on 2.5 
million websites\10\ and growing at a rate of 10,000 sites per day.\11\ 
In both these examples, the presence of third party objects generates a 
steady stream of data that flows to a single entity. These uniquely 
pervasive positions give these companies the capacity to infer a great 
deal more than just a user's interest in automobiles or sporting goods. 
Their tracking technologies reach the vast majority of every user's Web 
browsing activity.
---------------------------------------------------------------------------
    \9\ Id. p. 27.
    \10\ Constine, J. (2011, February 27). All of Facebook's Like 
Buttons on Third-Party Sites Now Publish a Full News Feed Story. Inside 
Facebook--Tracking Facebook and the Facebook Platform for Developers 
and Marketers from http://www.insidefacebook.com/2011/02/27/like-
button-full-story/.
    \11\ Parr, B. (2010, October 26). 10,000 Websites Integrate with 
Facebook Every Day. Social Media News and Web Tips--Mashable--The 
Social Media Guide. from http://mashable.com/2010/10/26/10000-websites-
integrate-with-facebook-every-day/.
---------------------------------------------------------------------------
    It is important to point out that online tracking is not limited to 
Web browsers. Consumers are connecting to the Internet using a variety 
of devices that extend beyond what we consider a typical PC-and-browser 
setup. Mobile phones, televisions, set top boxes (such as a Tivo or a 
cable box), video game consoles and even some automobiles are now 
equipped with Internet connectivity and can leverage Web services which 
include online advertisement. Some of these platforms also allow 
applications written by third parties, the most prominent example being 
``app stores'' on mobile smartphones.\12\ Mobile devices, in 
particular, raise unique privacy concerns because consumers carry them 
nearly all of the time.\13\ As such, applications and services running 
on the phone may have the ability to access precise geolocation 
information, using GPS technology, to learn even more intimate details 
about a consumer's physical habits.
---------------------------------------------------------------------------
    \12\ The Wall Street Journal reported that 47 of the 101 third 
party mobile applications tested transmitted location to third parties. 
56 of the same apps transmitted unique device identifiers (UDIDs) which 
act similar to permanent cookies, and which users currently have no 
control over. See Thurm, S. (2011, December 17). IPhone and Android 
Apps Breach Privacy--WSJ.com. The Wall Street Journal from http:// 
online.wsj.com/article/SB1.
    \13\ Three in five mobile phone owners say they carry their phones 
at all times, even inside the home. See: Stanton, D. (2008, September 
8). New Study Shows Mobile Phones Merging New, Established Roles. 
Knowledge Networks from http://www.knowledgenetworks.com/news/releases/
2008/091808_mobilephones.html.
---------------------------------------------------------------------------
2. Existing Privacy Tools are Easily Circumvented
    Every major Web browser includes privacy enhancing technologies 
that can be used by consumers to limit the extent to which they are 
tracked online. Unfortunately, these built-in tools, which include 
``private browsing modes'' and cookie controls, only protect users from 
some tracking technologies, and do not provide consumers with the 
privacy protections they may reasonably expect.\14\
---------------------------------------------------------------------------
    \14\ Soghoian, C. (2010, December 9). Why Private Browsing Modes Do 
Not Deliver Real Privacy, Internet Architecture Board, Web Privacy 
Workshop, from http://www.iab.org/about/workshops/privacy/papers/
christopher_soghoian.pdf.
---------------------------------------------------------------------------
    As one example, cookie blocking features in the major Web browsers 
do not always work in the same way, and even sophisticated users do not 
fully understand these intricacies.\15\ This may cause consumers to 
have misplaced beliefs about the extent browsers are protecting them 
from tracking. But even when consumers do understand how these features 
work, sites have consistently devised new ways to track users and evade 
the protections of existing privacy tools.
---------------------------------------------------------------------------
    \15\ Not all browsers implement third party cookie blocking in the 
same way. Typically browsers allow third party cookies by default but 
if a user elects to configure their browser to block third party 
cookies, 3 of the 4 major browsers allow the third party cookies to be 
read if they were previously set, such as in a first party context. 
This is a small technical nuance, but it allows certain players to 
proceed as normal with regards to online tracking and potentially cause 
confusion for consumers as to the degree their privacy is protected. 
Additionally, it significantly effects whether certain players, i.e., 
those that consumers have a first party relationship with, receive a 
competitive advantage over the lesser known websites.
---------------------------------------------------------------------------
    In a study called KnowPrivacy published by my Berkeley colleagues 
and I in 2009,\16\ we found that several ad services had deployed a new 
stealthy technique to resurrect tracking cookies, even after the user 
had used the available cookie deletion tools built into his browser. Ad 
services developed a way to ``remember'' the cookie file using another 
technology--Adobe's Flash Player--such that they could restore the 
cookie later, even after the user deleted it. This tracking 
technology--commonly called Flash cookies--is even more difficult for 
users to manage with existing privacy tools, when compared to standard 
cookie controls.\17\
---------------------------------------------------------------------------
    \16\ Soltani, A., Canty, S., Mayo, Q., Thomas, L., and Hoofnagle, 
C., Flash Cookies and Privacy (2009 August 10). Available at SSRN 
http://ssrn.com/abstract=1446862.
    \17\ Adobe has denounced the use of its Flash technology in order 
to restore tracking cookies. Although not yet widely deployed, the 
company has recently taken steps to work with major browser vendors in 
order to move Flash cookie privacy controls directly into the browser 
settings and allow users to manage them in a similar way as standard 
cookies. See Albanesius, C. (2011, March 8). Adobe Flash Player 10.3 
Beta Adds Greater Control Over'Flash Cookies' PC Magazine. from http://
www.pcmag.com/article2/0,2817,2381650,00.asp.
---------------------------------------------------------------------------
    Further, some ad services have shifted to new, cutting-edge 
tracking techniques, many of which are beyond the control of 
consumers.\18\ While these are less well known, they are no less 
powerful--and in some cases more powerful--in their ability to track 
users' browsing activities. From a technical perspective, browser 
vendors--and thus consumers--are losing the game of privacy Whack-a-
Mole. The ongoing development of new, hidden tracking techniques is far 
outpacing the ability of browser vendors to develop and deploy adequate 
defenses. As a result, consumers and the privacy controls available to 
them will likely fail to keep up.
---------------------------------------------------------------------------
    \18\ In the past year, I have confirmed tracking by third party 
companies on widely used websites using mechanisms including but not 
limited to browser fingerprinting (http://radar.oreilly.com/2011/03/
device-identification-bluecava.html), cache cookies (http://www.
wired.com/epicenter/2009/08/flash-cookie*researchers-spark-quantcast-
change/), CSS history profiling (http://blogs.forbes.com/kashmirhill/
2010/11/30/history-sniffing-how-youporn-checks-what-other-porn-sites-
youve-visited-and-ad-networks-test*the-quality-of-their-data/), domain 
masquerading (http://doi.acm.org/10.1145/1592665.1592668), UDIDs 
(http://online.wsj.com/article/
SB10001424052748704694004576020083703574602.html), and HTML5 storage 
(http://www.wired.com/threatlevel/2010/09/html5-safari-exploit/) to 
track consumers in ways that are difficult or even impossible to 
control.
---------------------------------------------------------------------------
B. Existing Consumer ``Notice and Choice'' Mechanisms
    The current system of industry self-regulation stresses two 
complementary approaches regarding online tracking: notice, though 
privacy policies and in-ad enhancements, and choice, through ad 
preference managers and industry-provided opt-out tools.
1. Privacy Policies
    For more than a decade, websites have routinely included privacy 
policies, typically linked to from the bottom of the front page. These 
documents are often long and difficult to read--most likely because 
they are written by lawyers, for lawyers--and have not helped consumers 
to stay informed about the degree of tracking online.\19\ Research has 
also shown that the majority of Americans incorrectly believe that the 
phrase ``privacy policy"--and its mere presence on websites--signifies 
that their information will be kept private.\20\
---------------------------------------------------------------------------
    \19\ McDonald, A. and Cranor, L. (2008) The Cost of Reading Privacy 
Policies. I/S: A Journal of Law and Policy for the Information Society 
2008 Privacy Year in Review issue. [Paper originally presented at TPRC 
2008, Sept 26-28, 2008, Arlington, VA.] and Privacy Leadership 
Initiative. Privacy Notices Research Final Results. Conducted by Harris 
Intereactive, (2001 Dec) from http://www.ftc.gov/bcp/workshops/glb/
supporting/harris%20results.pdf.
    \20\ Turow, J., Mulligan, D., and Hoofnagle C. (2007 Oct), 
Consumers Fundamentally Misunderstand the Online Advertising 
Marketplace, from http://groups.ischool.berkeley.edu/samuel
sonclinic/files/annenberg_samuelson_advertising.pdf.
---------------------------------------------------------------------------
    While there is much data to suggest that consumers do not actually 
read or understand privacy policies, even if they did, many existing 
privacy policies often provide confusing or even conflicting 
information. In our KnowPrivacy study, we found that, among the top 50 
most popular websites, many sites that claim to not share information 
with ``third parties'' later disclaim that they do share information 
with ``affiliates'', which sometimes number well over 2000 
companies.\21\
---------------------------------------------------------------------------
    \21\ Of the top 50 sites, all stated they collect IP address, 48 
collect contact information such as name and e-mail address, and 39 
collect click stream information. Bank of America had over 2,300 
``affiliates''. See Gomez et al. p 24 (previously cited) and 
KnowPrivacy, http://knowprivacy.org/profiles/bankofamerica.
---------------------------------------------------------------------------
2. Enhanced Notice for Online Ads
    One emerging self-regulatory measure is ``enhanced'' or ``robust'' 
notice for online ads. The purpose of enhanced notice is to increase 
transparency--directly within the ad--into why the particular ad was 
chosen and what the attached terms and policies are. Although this is a 
commendable step forward, the question is how many users will notice. 
One self-regulatory firm noted that, during the first few months of the 
industry's initiative, the notice on only 0.004 percent of ``enhanced'' 
ads were clicked by users actually clicked through to the detailed 
explanatory text.\22\ While the initiative is in its early days, this 
calls into question whether enhanced notice will be sufficient to 
deliver meaningful transparency.
---------------------------------------------------------------------------
    \22\ Evidon served over 11 billion impressions in their first full 
scale months. Among those who click on the icon (on .004 percent of ads 
served), about 3 percent of users opt-out of one or more provider. See 
Smith, S. (2011, March 11). MediaPost Publications Browsing Privacy's 
Next Steps 03/11/2011 from http:// www.mediapost.com/publications/
?fa=Articles.showArticle&art_aid.
---------------------------------------------------------------------------
3. Ad Preferences Managers
    The advertising industry has also created online tools that allow 
users to view and modify marketing inferences made about them within 
``ad preferences managers.'' For example, an ad preferences tool may 
show the inferences made about the user's demographic information (such 
as age, income range, education, or geographic location), shopping 
interests (such as sports, technology, or politics), or even 
significant life events (such as ``getting married soon'' or ``having a 
baby'') based on the user's browsing activity. In many cases, these 
tools also allow consumers to opt-out of certain consumer marketing 
sectors from which they do not wish to receive targeted ads.
    Like enhanced notice, ad preference managers improve transparency 
into the online ad serving ecosystem. But, these managers only present 
a high-level summary of the information collected by the ad service. 
Given their vantage point, third party ad services have the capability 
to make inferences or use the data for other, non-advertising-related 
purposes, that are not shown in the ad preference managers.\23\ I'm not 
implying that specific companies are engaged in this practice, just 
that collection, retention, and correlation of this behavioral data 
provides the capacity for this these inferences to be made. More 
transparency is needed--outside the realm of online targeted ads--about 
the information that is collected by third parties and how they are 
used.
---------------------------------------------------------------------------
    \23\ Similar to sports and shopping habits, a user's browsing 
habits could allow an observer to make inferences about a users race, 
sex, sexual orientation, health status, financial health, and political 
affiliation, even though these categories are typically excluded from 
online preference managers.
---------------------------------------------------------------------------
4. Cookie-based Choice Mechanisms
    In addition to notice and transparency, many ad services provide 
users with the ability to opt-out. Currently, most opt-outs work using 
special opt-out cookies--one for each ad service--stored in the user's 
Web browser. The cookie-based opt-outs have been plagued by a number of 
problems, some of which have been addressed in recent years and others 
which persist today.
    Once consumers realize they are being tracked, they must then begin 
the process of obtaining opt-out cookies from each tracking company. 
One self-regulatory technology firm has identified 600 companies 
involved in collecting or using tracking data about customers on their 
sample of 7 million domains.\24\ Another lists 323 tracking companies 
publicly.\25\ Given the value of this marketplace and the speed with 
which new entrants emerge, I suspect the actual number of companies 
engaged in tracking may be actually be even larger. Even still, 
identifying 600 hidden trackers and obtaining an opt-out is daunting 
task for even the most sophisticated privacy-conscious consumer.
---------------------------------------------------------------------------
    \24\ Steel, E. (2011, March 4). Council of Better Business Bureaus 
to Enforce Online Tracking Principles * Digits. WSJ Blogs--WSJ from 
http://blogs.wsj.com/digits/2011/03/04/council-to-enforce-online-
tracking-principles/.
    \25\ PrivacyChoice Tracker Index (Mar 14 2011) from http://
www.privacychoice.org/companies/all.
---------------------------------------------------------------------------
    Seeking to ease the process of obtaining opt-out cookies, industry 
self-regulatory groups such as the Network Advertising Initiative (NAI) 
have created one-stop websites where consumers can obtain opt-out 
cookies for multiple firms. However, these opt-out sites do not 
comprehensively cover all online tracking since only a fraction of 
approximate 600 companies discussed are covered.\26\ This problem 
exists in the mobile space as well. Currently, nine of the 16 mobile ad 
companies do not offer an opt-out,\27\ and data collected on mobile 
phones may be particularly sensitive, since it is often accompanied by 
hardware identifiers that users cannot change or geographic location 
information.
---------------------------------------------------------------------------
    \26\ At the time of this writing, the NAI opt-out (http://
www.networkadvertising.org/managing/optout.asp) currently allows 
consumers to opt-out of behavioral advertising by 68 member companies. 
AboutAds opt-out applies to 61 companies (http://www.aboutads.info/
choices/) and even the most comprehensive list of trackers, offered by 
the independent group PrivacyChoice only allows opt-out of 160 (http:// 
www.privacychoice.org/privacymark).
    \27\ Brock, J. (2011, March 16). Mobile Tracking Privacy: Three 
thoughts. PrivacyChoice Blog. from http://blog.privacychoice.org/
?p=2882.
---------------------------------------------------------------------------
    Most importantly, even when opt-outs are available, many firms only 
allow the user to opt-out of the receipt of targeted advertising, not 
the online tracking itself. Advertisers continue to collect and retain 
data in order to build a profile on the user, even in the presence of 
an opt-out cookie.
    Finally, cookie-based opt-out mechanisms are inherently brittle. 
Users are frequently taught to delete their browser cookies on a 
periodic basis to better protect their online privacy. But, when the 
user clears her browser cookies, she will also inadvertently clear her 
opt-out cookies, which will--counter-intuitively--opt the user back in 
to tracking.
C. Do Not Track Proposals
    Last July, this Committee held a hearing on the topic of online 
privacy during which the idea of ``Do Not Track'' was discussed. Ever 
since, there has been a significant amount of public discussion and 
debate regarding the possibility of a Do Not Track mechanism. While the 
name--Do Not Track--sounds much like the highly successful Do Not Call 
list,\28\ the only substantive similarity is that they both give 
consumers a single point of control to express their privacy 
preferences. While consumers can register their phone number in a FTC 
registry for Do Not Call, the single point of control for Do Not Track 
is likely to be a preference setting in the consumer's Web browser or 
mobile platform.
---------------------------------------------------------------------------
    \28\ The Do Not Call list is an FTC enforced initiative based on 
legislation that creates a centralized registry of numbers that 
telemarketers may not call, under monetary penalty.
---------------------------------------------------------------------------
    Two primary technical approaches to Do Not Track have been proposed 
and implemented by major Web browser vendors. The first method is 
called the header approach, and the second is called the blocking 
approach. Two browser vendors have already taken steps to include these 
mechanisms in upcoming releases of their products.\29\
---------------------------------------------------------------------------
    \29\ Mozilla's Firefox 4.0 and Microsoft's Internet Explorer 9 
(MSIE9) have announced support for the header mechanism. MSIE9 also 
supports the blocking method as well via their Tracker Protection Lists 
product.
---------------------------------------------------------------------------
1. The Header Approach
    In the header approach, the consumer can toggle a Do Not Track 
setting in his Web browser privacy preferences. When this setting is 
enabled, the browser transmits a special signal to each remote server 
that the consumer has expressed his preference to not be tracked.\30\ 
The idea is to give users the ability to send a clear, persistent and 
technology-neutral signal to websites regarding their tracking 
preference. Of course, in order this mechanism to be effective, it will 
depend upon a clear set of rules defining what websites should do when 
they receive this signal.
---------------------------------------------------------------------------
    \30\ Current proposals involve sending a Do Not Track signal using 
a browser header within the HTTP protocol.
---------------------------------------------------------------------------
    Under this approach, the onus is on the server to agree to respect 
the consumer's preference. It is possible that the server could ignore 
the user's request and continue to engage in tracking anyway, even once 
best practices are established. Thus, consumers will need a method to 
verify that servers are complying with the header, so they can keep 
firms honest about their commitment to respect user tracking 
preferences. Publisher sites and U.S. brands that advertise could 
choose to favor ad services that respect the header preference.
2. The Blocking Approach
    In the blocking approach, the consumer maintains (perhaps with the 
help of a trusted third party) a list of servers that are known to 
engage, or are suspected of engaging, in unwanted tracking behavior. 
Once a user has enabled this feature, his Web browser will 
automatically block all connections to the servers on the list which 
could also result in the blocking the display of advertisement.
    As opposed to the header approach, the responsibility to prevent 
tracking is solely on the consumer, that is, to obtain an up-to-date 
list of suspected tracking servers and to block them. Servers are under 
no express obligation to abstain from tracking, so if one is not 
blocked by a consumer's browser, it is free to continue tracking as 
usual.
    One concern with this approach is that it is sometimes difficult 
for consumers-at-large to determine whether a domain is engaging in 
tracking behavior and whether to add that domain to the block list. 
Additionally, there are many technical mechanisms that exist today that 
could be used to circumvent such blocking measures.\31\
---------------------------------------------------------------------------
    \31\ In particular, domains can ``spoof'' the first party 
transactions that are whitelisted in browsers, or effectively act as 
first parties. This means that they are bypassing any third party-
specific controls used in the browser. See Krishnamurthy et. al., 
(previously cited).
---------------------------------------------------------------------------
3. Other Considerations
    For any consumer choice mechanism to work, we need to clearing 
define what ``tracking'' means and what obligations are placed on 
tracking companies when consumers elect to opt-out of tracking. 
Consumer groups and privacy researchers have published proposals that 
attempt to define ``tracking,'' \32\ but the online advertising 
industry has not yet committed to respect the header nor follow any of 
the proposed definitions. For example, some in the industry have 
suggested that, like the current opt-out system, third parties be 
allowed permitted to continue to collect information. Others have 
proposed that third party services should refrain from collecting and 
retaining any information about consumers if they elect to not be 
tracked. This latter approach, while more privacy-preserving, may 
impact advertisers' abilities to deliver even non-targeted 
advertisements and includes numerous exceptions to tracking which may 
defeat the spirit of a privacy mechanism.
---------------------------------------------------------------------------
    \32\ What Does `Do Not Track' Mean? ``A Scoping Proposal'' by the 
Center for Democracy & Technology (2011, Jan 31) from http://cdt.org/
files/pdfs/CDT-DNT-Report.pdf.
---------------------------------------------------------------------------
    A potential way forward may be to agree upon a definition of 
``tracking'' that balances these conflicting priorities. One of the key 
components that enables tracking today is the use of unique 
identifiers. As such, it may be wise to consider a definition of 
tracking that focuses on these identifiers, in which third party 
services make a good faith effort to strip any unique identifiers 
associated with the user, browser or client device making the Web 
request once the request has been processed and the service delivered. 
By focusing on the identifiers, these companies would then be free to 
retain the remaining data associated with the user's request, providing 
that it cannot be re-identified (following current best practices in 
the space). This approach will likely be good for both business and 
consumers, since it allows businesses to observe how their websites are 
being used and secure their servers, while preventing the creation of 
individual profiles.
    Finally, it is important to consider whether creating more 
effective choice mechanisms for consumers may have perverse effects and 
ultimately drive websites to predicate access to content based on 
whether or not a consumer has consented to tracking. Websites could 
require that consumers allow tracking by third parties the website is 
affiliated with in order to gain access to it's content. In our 
original example, WebMD could require that their affiliates, such as 
DoubleClick, be allowed to track consumers in order to gain access to 
useful health information on the website. This trend could potentially 
favor large first parties over smaller, independent sites or allow 
companies to engage in even more invasive tracking upon receiving 
affirmative consent. This is not a reason to abandon efforts to improve 
consumer choice, but certainly a reason for Congress to consider the 
issue carefully.
D. Conclusion
    My research has shown that online tracking is pervasive. It is 
likely to be much more extensive than users might reasonably expect as 
they casually browse the Web. Many of these third party tracking 
activities are carefully tucked away from the view of the average user, 
and even in cases where the user realizes he is being tracked, the 
privacy tools he has available are often ineffective at stopping the 
most advanced forms of tracking.
    Consumers need more transparency into who is tracking them online, 
what data is being collected, and how this data is being used, shared 
or sold. Today's technical defenses to online tracking are not able to 
stop the leading tracking technologies, and consumers often do not have 
meaningful ways to control them. To be effective, privacy protections 
for consumers online will likely require both a technical and policy 
component, working in tandem, and I believe these discussions here 
today are a great step in making that union a reality.
    Internet-related debate involves issues that are deeply technical 
in nature and I am grateful that this Congressional committee has 
allowed technologists to participate. Thank you for inviting me to 
testify here today, and I look forward to helping the committee 
understand the technical issues that make online tracking such an 
interesting, yet complex, issue. I will be happy to answer any further 
questions.

    Senator Kerry [presiding]. Thanks. Who's next?
    Ms. Lawler?

                 STATEMENT OF BARBARA LAWLER, 
               CHIEF PRIVACY OFFICER, INTUIT INC.

    Ms. Lawler. Good morning. And thank you to the members of 
the Committee for the opportunity to comment on the state of 
online privacy. My name is Barbara Lawler and I'm the Chief 
Privacy Officer at Intuit. I ask that my full statement be put 
into the record due to time constraints.
    Senator Kerry. Without objection it will be.
    Ms. Lawler. Intuit's mission is to improve people's 
financial lives so profoundly they cannot imagine going back to 
the old way of doing things. It is through this mission that we 
approach the current privacy debate. Intuit is a unique 
corporation adhering to various regulatory data privacy regimes 
in the U.S. including financial and health care privacy and the 
privacy of tax return information.
    Additionally, we touch over 50 million people through our 
products. These people can trust us with their most sensitive 
data, their Federal and state income tax return information, 
their individual purchase transactions, bill payments and 
health information, their business accounts including employee 
payroll, accounts receivable, vendor lists, inventory and other 
business data. As more technology solutions move to the cloud, 
customers place more trust in us as we handle their sensitive 
data.
    At Intuit, we developed data stewardship principles that 
express how we think about how we use data, and offer 
guardrails to guide our judgment. The central concept of data 
stewardship is simple. It's our customer's data, not ours. We 
are and will be held accountable for the information entrusted 
to us.
    As you think about privacy legislation we encourage you to 
consider four things.
    One, a principles-based approach.
    Two, a focus on customers.
    Three, data-driven innovation.
    And four, global uniformity.
    First, we see the value in comprehensive, principles-based 
privacy legislation. Because we adhere to various privacy 
regimes, this idea could work in tandem with self-regulatory 
approaches, codes of conduct and best practices. A principles-
based approach is not prescriptive but enables flexibility to 
offer data driven solutions within existing sector specific 
privacy laws. A principles-based approach could fill the gaps 
that exist between different sector approaches while at the 
same time blending with them.
    It's also more likely to be received and effectively 
adapted by all businesses of all sizes. It is more likely to be 
understood by the public it seeks to protect. And a principles-
based approach is more likely to achieve consensus over time in 
the international context which will be essential to global 
competitiveness in the emerging digital economy.
    Such an approach could set forth a minimum set of 
requirements for business and provide a fundamental core level 
of consistency for businesses and consumers. Codes of conduct 
based on context, industry sector, technology platform and 
other data use drivers would build on top of a privacy 
baseline. Codes of conduct can serve as the framework and 
support for co-regulatory safe harbor programs.
    Second, any relevant data regime must be focused on the 
customer. At Intuit, customers are the heart of everything we 
do. What we learn through extensive customer research is that 
it's not about what we think is best for business or what we 
think should be done. It's about keeping what's important to 
the customer at the heart of the principles.
    Third, responsible data use can foster innovation. 
Consumers' expectations have changed as people are increasingly 
conducting their lives online. The volume and complexity of 
data in this new connected world presents boundless 
opportunities to unlock a tremendous amount of data to create 
better experiences and products for customers. Intuit's 
approach to data-driven innovation is to responsibly use data 
entrusted to us by our customers to improve their financial 
lives and the products and services we provide them.
    Last but not least, legislation must take into account the 
need for uniformity among various privacy regimes. In 
developing privacy principles there needs to be a uniform 
approach. While so many laws and regulations are based on 
essentially the same principles, multi-state and multinational 
companies are challenged by the differences among them.
    The essence of data stewardship cannot rely on just one 
element of our principles. It must be comprised of all of them 
combined: uniform principles-based legislation, customer driven 
innovation coupled with responsible, innovative and compelling 
data uses.
    Thank you again for giving Intuit the opportunity to 
express its thoughts on this important subject. We look forward 
to working with you as you evaluate privacy legislation and to 
answering any questions you may have.
    [The prepared statement of Ms. Lawler follows:]

  Prepared Statement of Barbara Lawler, Chief Privacy Officer, Intuit 
                                  Inc.
    Good morning and thank you Chairman Rockefeller, Ranking Member 
Hutchison, and members of the Committee for providing Intuit the 
opportunity to share our point of view on the best way to protect 
consumer privacy in the technology-driven, Internet era. We applaud the 
Committee for its attention to this important issue.
    Today, I'm here to talk to you about how Intuit views online 
consumer privacy. Intuit is in a unique position to comment on the 
current privacy debate. Not only do we have a unique perspective given 
the nature of our comprehensive business portfolio and compliance with 
privacy regimes, but fifty million people trust us with their most 
sensitive data. I will be talking today about the creation of Intuit's 
Data Stewardship Principles, the process of how we developed these 
principles, and what we learned from this process, as well as the 
principles themselves.
    As you think about comprehensive privacy legislation, we encourage 
you to focus on four things:

        1. principles-based privacy

        2. customers

        3. data driven innovation

        4. global uniformity
About Intuit
    Intuit was founded in Silicon Valley nearly thirty years ago. Our 
mission is to improve people's financial lives so profoundly, they 
cannot imagine going back to the old way of doing things.
    We started small with Quicken personal finance software, 
simplifying the common household dilemma of balancing the family 
checkbook. Today, we are one of the Nation's leading providers of tax, 
financial management and online banking solutions for consumers and 
small businesses, and the accountants, financial institutions and 
healthcare providers that serve them. We employ nearly 8,000 people, 
our revenues top $3.5 billion and we're recognized by Fortune Magazine 
as one of America's most-admired software companies and one of the 
country's best places to work.
    We have always believed that with our success comes the 
responsibility to give back. Part of delivering on our mission is 
serving as an advocate and resource for economic empowerment among 
lower income individuals and entrepreneurs. We have a track record of 
more than a decade of philanthropy that enables eligible lower income, 
disadvantaged and underserved individuals and small businesses to 
benefit from our tools and resources for free.
    Through it all we remain committed to creating new and easier ways 
for consumers and businesses to tackle life's financial chores with the 
help of technology. We help our customers make and save money, comply 
with laws and regulations, and give them more time to live their lives 
and grow their businesses.
    Our flagship products and services, including QuickBooks, Quicken, 
Mint.com and TurboTax, simplify small business management, payment and 
payroll processing, personal finance, and tax preparation and filing. 
We serve half of the accounting firms in the country, helping them be 
more productive with tax preparation software. And we help community 
banks and credit unions grow by providing on-demand solutions and 
services that make it easier for consumers and businesses to manage 
their money.
    The innovation and customer driven focus that inspired these 
breakthroughs leads us to uncover other unmet needs and large problems 
to solve. For example, we are working to simplify the way millions of 
Americans manage their health and medical expenses. Today, doctor's 
offices are paper-based, inefficient and need a way to reduce costs and 
delight their patients who are increasingly demanding online solutions. 
Our Intuit Health Patient Portal offering is a secure, online way for 
doctors and their patients to communicate and complete key tasks. 
Patients can request appointments and prescription refills, pay bills, 
complete forms, receive lab results, and exchange messages with their 
doctor. As a result, doctors are able to reduce costs, delight 
patients, and qualify for Meaningful Use stimulus funding.
    With all of these offerings, we help improve the lives of fifty 
million people, worldwide.
    We're able to do this because our customers entrust us with their 
most sensitive data--fifty million people trust us with their Federal 
and state income tax return information; their individual purchase 
transactions, bill payments, and health information; and their business 
accounts, including employee payroll, accounts receivable, vendor 
lists, inventory and other business data.
    We are widely recognized and respected for our strong privacy and 
security practices. Maintaining our customers' trust is critical to 
maintaining our business and competitive advantage. We do not view 
customer privacy and security as an exercise in compliance but as part 
of our value proposition.
    Intuit products span a range of sector-specific regulatory data 
privacy regimes in the US, including Gramm Leach Bliley Act, Fair 
Credit Reporting Act/Fair and Accurate Credit Transactions Act, IRC 
7216--the privacy of individuals' personal tax information, Health 
Insurance Portability and Accountability Act; and self-regulatory 
regimes including PCI Data Security Standards, the U.S.-E.U. Safe 
Harbor Program and the TRUSTe Privacy Seal Program.
    Given the nature of our comprehensive business, providing solutions 
for a range of tax, accounting, personal finance and health care needs, 
Intuit is in a unique position to comment and shape the online privacy 
debate.
Intuit's Data Stewardship Philosophy
    As more solutions move to the cloud, customers place trust in us as 
we handle their most sensitive data. Data Stewardship expresses how we 
think about the use of data, and offers guardrails to guide our 
judgment. Just as we talk with our customers about product development, 
we also talk about their expectations around privacy. They've told us 
explicitly that they expect us to be stewards of their data, using it 
responsibly and with integrity, for their benefit, while keeping it 
private and secure.
    The central concept of Data Stewardship is that it is the 
customers' data, not ours. Because we hold their most sensitive data, 
customers place a deep trust in us. Our customers have told us this 
directly through our extensive, consumer research. They care deeply how 
their data is used, they want clear and open explanations and to have 
contextual, relevant choices about those uses. They expect us to be 
accountable to keep our promises. Ethical data stewardship increases 
customers' confidence and trust.
    To ensure that our nearly 8,000 employees are clear about how we 
manage and respect information entrusted to us, we have created a set 
of company-wide data stewardship principles.\1\ These principles, 
derived directly from Intuit's core operating values--especially 
Integrity without Compromise--are intended to guide our mindset and 
behavior in all that we do. They reflect and reinforce that we're an 
organization that is accountable for its actions.
---------------------------------------------------------------------------
    \1\ See Appendix A for a list of our Data Stewardship Principles.
---------------------------------------------------------------------------
Intuit's Data Stewardship Principles
    When we apply our Data Stewardship Principles to leveraging data, 
they enable us to support Intuit's growth strategies while meeting and 
exceeding our customers' expectations about how we use their data to 
benefit them and run our business to provide the products and services 
that serve them.
    We are and will be accountable for the information entrusted to us. 
By design, our Data Stewardship Principles align closely with globally 
recognized fair information practices, including those for online 
privacy developed in the late 1990s and to their originating concepts, 
the Organization for Economic Cooperation and Development (OECD) 
privacy principles. As we have learned, we believe these Principles 
carry the most weight and meaning to actual consumers, based on an 
extensive research process we will describe below.
    As you think about comprehensive privacy legislation, we encourage 
you to focus on four things:

        1. principles-based privacy

        2. customers

        3. data driven innovation

        4. global uniformity

    First, we see the value in comprehensive principles-based privacy 
legislation. We believe there is value in the idea of baseline, 
principle-based privacy legislation that could work in tandem with 
self-regulatory approaches and codes of conduct. The Intuit Data 
Stewardship Principles represent our own internal code of conduct for 
data. A principles-based approach is not prescriptive but enables 
flexibility to offer data driven solutions within existing sector-
specific privacy laws and, most importantly, is technology-neutral.
    A principle-based approach could fill the gaps and crevices that 
exist between the differing sector approaches, while at the same time 
blending with them. It is also more likely to be received and 
effectively adapted by businesses of all sizes, including small 
businesses not actively engaged in the privacy landscape. It is more 
likely to be understood by the public it seeks to protect. And a 
principle-based approach is more likely to achieve consensus over time 
in the international context, which will be essential to global 
competitiveness in the emerging digital economy. Such an approach could 
set forth a minimum set of requirements for business, and provide a 
fundamental, core level of consistency for businesses and consumers. 
Codes of conduct, based on context, industry/sector, technology 
platform or other data use drivers would build on top of a privacy 
baseline. Codes of conduct can serve as the framework and support for 
co-regulatory safe harbor programs.
    Second, any relevant data regime must be focused on the customer. 
As we enter this important discussion, it is necessary to further 
emphasize the importance of both respect for the consumer participation 
and control of information and the value and benefit of continued 
innovation, in particular where the future of economic growth is 
going--data driven innovation. The key to our success and to ensuring 
balance among these interests is earning the customers' trust.
    At Intuit, customers are at the heart of everything we do. We were 
founded on the idea of customer driven innovation, a mindset and 
methodology to uncover important, unsolved problems. Many companies 
talk about customer focus, customer innovation, but the level of 
commitment to this, and the rigor we put behind it, differentiates us.
    For nearly thirty years, our passion for inventing products to 
solve important problems and perfecting those products to delight our 
customers, through direct customer feedback and observation, has made 
Intuit the first choice in financial software for consumers and small 
businesses. We have an instituted practice within our Corporation 
called ``follow me homes'' in which representatives from the 
Corporation spend a few hours with our customers to not only receive 
feedback on our products but to also identify key customer needs to 
amend our product. The Corporation commits to over 10,000 employee 
hours of ``follow me homes'' per year--with our CEO committing to 
approximately sixty hours per year himself. We supplement ``follow-me-
homes'' with direct customer research, and by bringing customers into 
special ``labs'' or focus groups to evaluate and give feedback on the 
customer experience and usability of our products and services. Our 
respect for the customer is reflected in the policies and practices 
that have driven our business. Trusted data stewardship is central to 
that commitment and to our success.
    The development of our Data Stewardship Principles is kept 
customers as our central focus: as our established practices suggest, 
we took our customers along with us on the journey to define our 
principles about the use of data in a way that reflects the needs, 
concerns and values of those customers. We took draft Data Stewardship 
Principles directly to our customers and asked them for their feedback, 
on both the concepts and words, on intent and practice, with real-world 
customer experience and expectations. Over the period of the last year 
alone, we conducted two rounds of quantitative, statistically valid 
surveys that cut across multiple customer bases and product lines to 
get feedback and learn if Data Stewardship and Privacy mattered to 
them, which principles and how much. We conducted four rounds of 
qualitative customer focus group sessions to dive deeper into the 
subtleties of transparency, choice, data use cases and security.
    Staying true to customer driven innovation, we iterated and refined 
the Data Stewardship Principles over the course of the customer 
research process. After several rounds of input and iteration, the 
Principles have been extremely well received. Let me share some of the 
insights from the more than 100 consumers and small businesses we 
talked to in focus groups:

   Customers may not read privacy policies but care deeply 
        about how their data is used.

   Consumers are smarter than some give them credit for--they 
        are aware of a wide range of data uses, to benefit them 
        directly and for necessary internal business operations.

   While a majority of our customers already have a positive 
        impression of Intuit, the Data Stewardship Principles further 
        build trust.

   Across all research studies, the principle around not 
        selling or sharing personal data is the most important.

   The more transparent (meaning open, simple and clear) the 
        company is, the more customer trust increases and the 
        customers' need for detailed and frequent or repetitive choice 
        mechanisms appears to decrease.

   Training employees to uphold these principles is also 
        important to customers and adds an incremental level of trust 
        that we will deliver against our promises.

    Here are a few illustrative verbatim statements from our customers 
that show what Intuit's Data Stewardship Principles mean to them:

   ``This is what makes customers trust them. I like that 
        privacy is paramount & do believe they're committed to 
        this.''--Mike, consumer in San Diego

   ``Customer focused, protecting my data and interests, 
        holding themselves accountable.'' ``I like that these 
        principles are very specific. There is no doubt, or any way to 
        not understand exactly how Intuit intends to treat my 
        information. I like that.''--Jackie, small business owner in 
        Oakland

   ``Because of these principles, I will continue to use their 
        products.''--Darryl, consumer in Denver

   ``A little safer in an unsafe world.''--Erica, consumer in 
        Atlanta

    When customers participate directly in the shaping of Data 
Stewardship Principles, it brings to life the Fair Information Practice 
concepts of Transparency and Individual Participation in profound ways.
    Specifically, we have learned through this process what is 
substantive and meaningful to consumers.
    Third, responsible data use can foster innovation. The world is 
quickly shifting from a paper-based, human-produced, brick-and-mortar-
bound market to one where people understand, appreciate and embrace the 
benefits of truly connected software, platforms and services.
    Consumers' expectations have changed as people are increasingly 
conducting their lives online. `Cloud computing' makes it easier to 
access and use online sites anytime and anywhere an individual chooses. 
Consumers expect to interact online in an ``always on'' environment and 
to have technology make life easier. They demand even greater 
simplicity, such as not having to re-enter their data when they use 
more than one of our products or services. Increasingly, new products 
and services as well as enhancements to existing ones will employ more 
and more sophisticated, rich, real-time interactive use of data, 
directed and prompted by customer actions and expectations of product 
functionality.
    The volume and complexity of data in this new world present 
boundless opportunities to unlock a tremendous amount of data to create 
better experiences and products for customers, all while keeping our 
customers' data safe.
    Intuit's approach to data driven innovation is to responsibly use 
data entrusted to us by our customers to improve their financial lives 
and the products and services we provide them. This data includes 
information about our customers--who they are, where they are and how 
they use our products. By compiling and interpreting this data, we can 
create innovative, easy-to-use products that delight customers by 
helping them make and save money. We're also able to provide customers 
with information that gives them greater insight into their financial 
lives and helps them to achieve their personal and business goals.
    To retain consumer trust in that context, Intuit's vision is that 
privacy and security are central to the concept of customer 
``delight,'' and therefore serve as a competitive advantage.
    For innovation to thrive, we must unlock the power of data under a 
Data Stewardship regime. The essence of Data Stewardship cannot rely on 
just one element of our principles, it must be comprised of all of them 
combined: customer driven innovation coupled with responsible, 
innovative, and compelling data uses. Moreover, as global 
competitiveness evolves beyond the bricks-and-mortar economies of the 
past, and international trade takes on an electronic character in the 
economy of the future, sound business practices and wise public policy 
are critical components of innovation, invention, and full, fair and 
open competition.
    Last but not least, legislation must take into account the need for 
uniformity among various privacy regimes. While so many laws and 
regulations are based on essentially the same principles, multi-state 
and multi-national companies are challenged by the differences among 
them. Some regulations in breach notification, for example, require 
notification of some state agencies; others do not. The notification 
triggers and thresholds are different. And the definitions of important 
terms vary across the landscape.
    In a domestic context, we support a uniform Federal breach 
notification law. Aligning practices across states would provide 
benefits for consumers who purchase from merchants in other states. It 
would also lessen the complexity for merchants, a consistent goal in 
improving the economy.
    In an international context, baseline principles that align with 
the Asia-Pacific Economic Coordination (APEC) Privacy Principles and 
the E.U. Directive would improve multi-national commerce, allowing the 
freer-flow of transactions and data across borders, in a consistent 
trusted manner. This, in turn, would improve the U.S. economy through 
vibrant trade. Intuit agrees that the U.S. Government should continue 
to work toward increased cooperation among privacy enforcement 
authorities around the world and develop a framework for mutual 
recognition of other countries' frameworks. Intuit agrees that the U.S. 
should also continue to support the APEC Privacy Principles Pathfinder 
Project, because it is the best framework to achieve data privacy 
interoperability in the 21st century.
Conclusion
    Once again, Mr. Chairman, Senator Hutchison, members of the 
Committee, thank you again for giving Intuit the opportunity to express 
its thoughts on this important subject. Maintaining customers trust is 
the foundation to building privacy principles. It is with this trust 
that we will learn from the customers about what they really want and 
what is important to them when it comes to their data. In the 21st 
century, customers demand more in a connected world. We must work 
toward the shared goal of protecting consumers while maintaining data 
driven innovation to improve our customers' financial lives, in a 
trusted, real, and fundamental way.
    We look forward to working with you and the Committee toward this 
goal.
                                 ______
                                 
                               Appendix A
                   Intuit Data Stewardship Principles
What we stand for:

   Our customers' privacy (and their customers' and employees') 
        is paramount to us.

   Our customers place a deep trust in Intuit because we hold 
        their most sensitive data . . . therefore, we are a trusted 
        steward of their data.

   Our company values start with Integrity without Compromise, 
        and our privacy principles require that we all be accountable.

How we run our business (what we hold ourselves accountable to):

We will not:

   Without explicit permission, sell, publish or share data 
        entrusted to us by a customer that identifies the customer or 
        any person.

We will:

   Use customer data to help our customers improve their 
        financial lives. We help them make or save money, be more 
        productive, and comply with laws and regulations.

   Use customer data to operate our business, including helping 
        our customers improve their user experience and understand the 
        products and services that are available to help them.

   Give customers choices about our use of data that identifies 
        them.

   Give open and clear explanations about how we use data.

   Publish or share combined, unidentifiable customer data, but 
        only in a way that would not allow the customer or any person 
        to be identified.

   Train our employees about how to keep data safe and secure, 
        and educate our customers about how to keep their and their 
        customers' data safe and secure.

    Senator Kerry. Thank you, Ms. Lawler.
    Mr. Calabrese?

             STATEMENT OF CHRISTOPHER R. CALABRESE,

      LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION,

                 WASHINGTON LEGISLATIVE OFFICE

    Mr. Calabrese. Thank you, Chairman Kerry, members of the 
Committee. Thank you for the opportunity to testify on behalf 
of the American Civil Liberties Union. We support comprehensive 
protections for American's personal information including a Do 
Not Track mechanism.
    One of the new models of Internet advertising has been to 
target ads at the specific individual in order to make those 
ads more relevant. The result has been a system where Americans 
are routinely tracked as they surf the Internet. Americans 
assume there is no central record of what they do and where 
they go online. However in many instances that is no longer the 
case.
    Behavioral marketers, social networks and other online 
companies are creating profiles of unprecedented depth and 
breadth that reveal the personal aspects of our lives including 
our religious and political beliefs, medical information, 
purchases and reading habits. These profiles can legally be 
shared with anyone including offline companies, employers and 
the government. This data collection is neither benign nor 
anonymous.
    Individual profiles identify our mental health, sexual 
orientation or issues with weight. They may indicate particular 
vulnerabilities.
    Ninety-two-year-old veteran, Richard Guthrie was bilked out 
of more than $100,000 by criminals who identified him from 
marketing lists.
    Cate Reid, a recent high school graduate has been 
identified by advertisers as concerned about her weight. 
``Every time I go on the Internet,'' she says, she sees weight 
loss ads. ``I'm self-conscious about my weight. I try not to 
think about it. Then the ads start me thinking about it.''
    Information that can be used for identity theft is online 
but beyond our control. One reporter asked a company to search 
out information on her armed only with her name and e-mail 
address. She said. ``Within 30 minutes the company had my 
social security number. In 2 hours they knew where I lived, my 
body type, my hometown, my health status.''
    Nor are individual web surfing habits anonymous. Many 
companies now provide a way to directly link your name and 
mailing address to your web surfing habits. Companies know who 
you are online. All of this information is available for sale 
with no controls.
    Of particular concern, of course to the ACLU, is government 
access. Many civil liberties benefits of the Internet, ability 
to read provocative materials, associate with non-mainstream 
groups, voice dissenting opinions are based on the assumptions 
of practical anonymity and freedom from government scrutiny. 
Because of this information collections these assumptions are 
rapidly eroding.
    Law enforcement routinely purchases access to offline 
private data bases full of detailed profiles on each of us with 
no legal process. They could legally do the same with online 
information. In fact online and offline data bases of personal 
information are increasingly linked. But we have no right to 
access those same data bases or control how they're used.
    Solutions exist. The technology may be new but the problems 
are not. Congress and the states have passed many laws to 
protect Americans reading habits and viewing habits in the 
offline world. More than 30 years ago the U.S. Department of 
Health, Education and Welfare crafted basic privacy principles. 
Called the Fair Information Practice Principles they have 
become the basis for comprehensive privacy laws in many 
industrialized nations as well as sector specific laws in the 
United States.
    The Department of Commerce recently called for adoption of 
these principles for the Internet. We endorse the use of fair 
information practices as well. In addition the private sector 
is developing innovative solutions like a Do Not Track 
mechanism.
    These mechanisms need to be backed by the force of law. We 
reject any approach that relies solely on self regulation by 
companies. Self regulation by itself is a failed approach. It 
has allowed the current data collection practices to flourish.
    Consumers want change. Surveys show that 67 percent 
rejected the idea that advertisers should be able to match ads 
based on specific websites consumers visit. And 61 percent 
believe these practices were not justified even if they kept 
costs down and allowed consumers to visit websites for free.
    Ultimately if this information collection is allowed to 
continue unchecked then capitalism could build what the 
government never could, a complete surveillance state online. 
Without government intervention we may soon find the Internet 
has been transformed from a library and a playground to a fish 
bowl. And that we have unwittingly seeded core values of 
privacy and autonomy.
    Thank you.
    [The prepared statement of Mr. Calabrese follows:]

 Prepared Statement of Christopher R. Calabrese, Legislative Counsel, 
     American Civil Liberties Union, Washington Legislative Office
    Good morning Chairman Rockefeller, Ranking Member Hutchison, and 
members of the Committee. Thank you for the opportunity to testify on 
behalf of the American Civil Liberties Union (ACLU) its more than half 
a million members, countless additional activists and supporters, and 
fifty-three affiliates nationwide, about the importance of online 
privacy. We support comprehensive protections for Americans' personal 
information and specifically support a ``Do Not Track'' option for 
online consumers. These protections are crucial for preventing harm to 
consumers and to safeguard Americans' First and Fourth Amendment rights 
online.
I. Introduction
    Rapid technological advances and the lack of an updated privacy law 
have resulted in a system where Americans are routinely tracked as they 
surf the Internet. The result of this tracking--often performed by 
online marketers--is the collection and sharing of Americans' personal 
information with a variety of entities including offline companies, 
employers and the government. As greater portions of our lives have 
moved online, unregulated data collection has become a growing threat 
to our civil liberties.
    As one recent report explains, the Internet has been an engine of 
radical, positive changes in the way we communicate, learn, and 
transact commerce.\1\ The Internet allows us to connect to one another 
and share information in ways we never before could have imagined. Many 
of the civil liberties benefits of the Internet--the ability to access 
provocative materials more readily, to associate with non-mainstream 
groups more easily, and to voice opinions more quickly and at lower 
cost--are enhanced by the assumption of practical anonymity. Similarly, 
consumers are largely unaware of the breadth of information collection 
and the various uses to which it is put.
---------------------------------------------------------------------------
    \1\ Federal Trade Commission (Bureau of Consumer Protection), A 
Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era 
of Rapid Change: A Proposed Framework for Businesses and Policymakers, 
December 1, 2010.
---------------------------------------------------------------------------
    In short, Americans assume that there is no central record of what 
they do and where they go online. However in many instances that is no 
longer the case. Behavioral marketers are creating profiles of 
unprecedented breadth and depth that reveal personal aspects of 
people's lives including their religious or political beliefs, medical 
information, and purchase and reading habits. Even as behavioral 
targeting continues to grow, its practitioners have already 
demonstrated a disturbing ability to track and monitor an individual's 
actions online.
    If this collection of data is allowed to continue unchecked, then 
capitalism will build what the government never could--a complete 
surveillance state online. Without government intervention, we may soon 
find the Internet has been transformed from a library and playground to 
a fishbowl, and that we have unwittingly ceded core values of privacy 
and autonomy.
II. Americans have embraced technology, but they still expect privacy
    Technology has moved rapidly and Americans have adopted these 
changes into their lives:

   Over 50 percent of American adults use the Internet on a 
        typical day.\2\
---------------------------------------------------------------------------
    \2\ Common daily activities include sending or receiving e-mail 
(40+ percent of all American adults do so on a typical day), using a 
search engine (35+ percent), reading news (25+ percent), using a social 
networking site (10+ percent), banking online (15+ percent), and 
watching a video (10+ percent). Pew Internet & American Life Project, 
Daily Internet Activities, 2000-2009, http://www.pewinternet.org/Trend-
Data/Daily-Internet-Activities-20002009.aspx.

   62 percent of online adults watch videos on video-sharing 
        sites,\3\ including 89 percent of those aged 18-29.\4\
---------------------------------------------------------------------------
    \3\ A ``video-sharing site'' or ``video hosting site'' is a website 
that allow users to upload videos for other users to view (and, often, 
comment on or recommend to others). Wikipedia, Video Hosting Service, 
http://en.wikipedia.org/wiki/Video_sharing (as of January 21, 2011). 
YouTube is the most common video-sharing site today.
    \4\ Pew Internet & American Life Project, Your Other Tube: Audience 
for Video-Sharing Sites Soars, July 29, 2009, http://pewresearch.org/
pubs/1294/online-video-sharing-sites-use.

   Over 70 percent of online teens and young adults\5\ and 35 
        percent of online adults have a profile on a social networking 
        site.\6\
---------------------------------------------------------------------------
    \5\ Pew Internet & American Life Project, Social Media & Young 
Adults, Feb. 3, 2010, http://www.pewinternet.org/Reports/2010/Social-
Media-and-Young-Adults.aspx.
    \6\ ``Social networking sites'' allow users to construct a ``semi-
public'' profile, connect with other users of the service, and navigate 
these connections to view and interact with the profiles of other 
users. Danah M. Boyd & Nicole B. Ellison, Social Networking Sites: 
Definition, History, and Scholarship, 13 J. of Comp.-Mediated Comm. 1 
(2007); Pew Internet & American Life Project, Adults & Social Network 
Sites, Jan. 14, 2009, http://www.pewinternet.org/Reports/2009/Adults-
and-Social-Network-Websites.aspx.

   83 percent of Americans own a cell phone and 35 percent of 
        cell phone owners have accessed the Internet via their 
        phone.\7\
---------------------------------------------------------------------------
    \7\ Pew Internet & American Life Project, Internet, Broadband, and 
Cell Phone Statistics, Jan. 5, 2010, http://www.pewinternet.org/
Reports/2010/Internet-broadband-and-cell-phone-statistics.aspx.

    Companies continue to innovate and create new ways for Americans to 
merge technology with daily activities. Google has spent the last 5 
years building a new online book service and sales of digital books and 
devices have been climbing.\8\ Americans increasingly turn to online 
video sites to learn about everything from current news to politics to 
health.\9\ Location-based services\10\ are also a burgeoning 
market.\11\
---------------------------------------------------------------------------
    \8\ See generally ACLU of Northern California, Digital Books: A New 
Chapter for Reader Privacy, Mar. 2010, available at http://
www.dotrights.org/digital-books-new-chapter-reader-privacy.
    \9\ ``More Americans are watching online video each and every month 
than watch the Super Bowl once a year..'' Greg Jarboe, ``125.5 Million 
Americans Watched 10.3 Billion YouTube Videos in September,'' 
SearchEngineWatch.com, Oct. 31, 2009, http://
blog.searchenginewatch.com/091031-110343.
    \10\ ``Location-based services'' is an information service 
utilizing the user's physical location (which may be automatically 
generated or manually defined by the user) to provide services. 
Wikipedia, Location-Based Service, http://en.wikipedia.org/wiki/
Location-based_service (as of January 21, 2011).
    \11\ Recent location-based service Foursquare built a base of 
500,000 users in its first year of operation. Ben Parr, ``The Rise of 
Foursquare in Numbers [STATS],'' Mashable, Mar. 12, 2010, http://
mashable.com/2010/03/12/foursquare-stats/.
---------------------------------------------------------------------------
    However this rapid adoption of new technology has not eliminated 
Americans' expectations of privacy. To the contrary, Americans still 
expect and desire that their online activities will remain private, and 
express a desire for laws that will protect that privacy:

   69 percent of Internet users want the legal right to know 
        everything that a Website knows about them.\12\
---------------------------------------------------------------------------
    \12\ Joseph Turow, et al., Americans Reject Tailored Advertising 4 
(2009), available at http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=1478214.

   92 percent want the right to require websites to delete 
        information about them.\13\
---------------------------------------------------------------------------
    \13\ Id.

---------------------------------------------------------------------------
    And consumers oppose online tracking:

   67 percent rejected the idea that advertisers should be able 
        to match ads based on specific websites consumers visit; \14\ 
        and
---------------------------------------------------------------------------
    \14\ Lymari Morale, ``U.S. Internet Users Ready to Limit Online 
Tracking for Ads,'' USA TODAY, December 21, 2010.

   61 percent believed these practices were not justified even 
        if they kept costs down and allowed consumers to visit websites 
        for free.\15\
---------------------------------------------------------------------------
    \15\ Id.

    In sum, while Americans make great use of the Internet, they are 
very concerned about their privacy and specifically troubled by the 
practice of behavioral targeting.
III. The data collected by behavioral marketers forms a personal 
        profile of unprecedented breadth and depth
    Behavioral targeting contravenes many American's expectation of 
privacy and how they should be treated online. Online advertising is 
one of the fastest growing businesses on the Internet and it is based 
on collecting a staggering amount of information about people's online 
activities. Advertising has always been prevalent online, but instead 
of targeting websites--such as advertising shoes on a shoe store site--
advertisers now use personal information to target individuals 
directly.
    They do this using different surveillance tools. The simplest tools 
are cookies. A cookie is a file that a website can put on a user's 
computer when the user visits it so that when the user returns, or 
visits another affiliated site, it remembers certain information about 
the user. Cookies were initially used to help websites remember user 
passwords or contents in shopping bags, but as online marketing grew 
more sophisticated, cookies did too. Advertisers and aggregators 
modified cookies to track people's web page visits, searches, online 
purchases, videos watched, posts on social networking, and so on.
    Another popular and even more invasive tool for tracking is the 
flash cookie. Flash cookies are often used by data aggregators to re-
install a regular cookie that a user had detected and deleted. The 
newest and most aggressive form of tracking is the beacon. Beacons, 
also known as web bugs, are often used by sites that hire third party 
services to monitor user actions. These devices can track a user's 
movements extremely closely; to the point that they can monitor 
keystrokes on a page or movements by a user's mouse. The result of 
these practices is the collection and sale of a wealth of consumer data 
without any legal limits or protections for individuals.
    As targeted ads become increasingly profitable, behavioral 
marketers are growing more ambitious and seeking to form an even more 
complete picture of unsuspecting citizens. The Wall Street Journal 
recently conducted a comprehensive study on the effects of online 
marketing on individual privacy and the results were alarming. The 
study found that the Nation's 50 top websites installed an average of 
64 pieces of tracking technology on user's computers, usually with no 
warning. A dozen sites installed over a hundred. For example, the study 
found that Microsoft's popular website, MSN.com, attached a tracking 
device that identified and stored user's detailed personal information. 
According to the tracking company that created the file, it could 
predict a user's age, zip code, and gender, as well as an estimate of a 
user's income, marital status, family status and home ownership 
status.\16\ These new technologies allow marketers to combine a vast 
amount of information gleaned from different websites over time in 
order to paint an extremely detailed profile of potential consumers. 
Any particular website may have little information and this may not 
alarm some, but when a large number of these data points are 
aggregated, an extremely detailed picture results.
---------------------------------------------------------------------------
    \16\ Angin Win, ``The Web's New Gold Mine: Your Secrets,'' Wall 
Street Journal, July 30, 2010.
---------------------------------------------------------------------------
    In addition, the Wall Street Journal found that tracking technology 
has become so advanced and covert that the website owner is often not 
even aware of its presence. Microsoft, one of the largest developers of 
computer software in the world, said it did not know about the tracking 
devices on its site until informed by the Journal.\17\ If these 
technologies have become as surreptitious as to slip past sophisticated 
website owners, it is completely unreasonable to believe that the 
average user would be able to avoid their spying.
---------------------------------------------------------------------------
    \17\ Id.
---------------------------------------------------------------------------
IV. Identifying individuals and the merger of online and offline 
        identity
    Online and offline data companies are combining forces to get an 
even more detailed profile of consumers and further erode privacy. For 
example, Comscore, a leading provider of website analytic tools, boasts 
that ``online behavioral data can . . . be combined with attitudinal 
research or linked with offline databases in order to diagnose cross-
channel behavior and streamline the media planning process.'' \18\
---------------------------------------------------------------------------
    \18\ Why Comscore?, http://comscore.com/About_comScore/Why_comScore 
(last visited January 21, 2011).
---------------------------------------------------------------------------
    In another example, the data firm Aperture has made the connection 
between online and offline identities by collecting data from offline 
data companies like Experian or Nielsen's Claritas and then combining 
it with a huge database of e-mail addresses maintained by its parent 
company, Datran Media.\19\ According to media reports, many major 
companies are working with Aperture.\20\ ``The line between merging 
online and offline data isn't no-man's land anymore; it's becoming more 
of a common practice,'' said Mike Zaneis, Washington lobbyist for the 
Interactive Advertising Bureau.'' \21\ A variety of services offer to 
merge names and postal addresses with collected IP and e-mail 
addresses.\22\
---------------------------------------------------------------------------
    \19\ Michael Learmonth, ``Holy Grail of Targeting is Fuel for 
Privacy Battle,'' Advertising Age, March 22, 2010.
    \20\ Id.
    \21\ Id.
    \22\ See: http://biz.freshaddress.com/RealTimePostalAppend.aspx. 
For a long list of their clients please see: http://
biz.freshaddress.com/ClientsByName.aspx.
---------------------------------------------------------------------------
    To be clear: such a merger of data is only possible when consumers 
are specifically identified. As described above, markets are using 
personal identifiers like e-mail addresses to connect online browsing 
habits to offline information from other databases. One venture 
capitalistic described it to the Wall Street Journal: ``They're trying 
to find better slices of data on individuals,'' says Nick Sturiale, a 
general partner at Jafco Ventures, which has largely avoided the 
sector. ``Advertisers want to buy individuals. They don't want to buy 
[Web] pages.'' \23\ You can only ``buy individuals'' when you know who 
they are.
---------------------------------------------------------------------------
    \23\ Scott Thrum, ``Online Trackers Rake in Funding,'' Wall Street 
Journal, February 25, 2011 at: http://online.wsj.com/article/
SB10001424052748704657704576150191661959856.html#ixzz
1FYWLkEWm.
---------------------------------------------------------------------------
V. Regulation of behavioral targeting does not threaten the ``Free 
        Internet''
    The ACLU believes the Internet is the most advanced marketplace of 
ideas and one of the greatest tools ever created for advancing 
American's First Amendment rights. We would never endorse any 
regulation that endangered the robustness and variety of this medium. 
Laws protecting personal information and those that would create a ``Do 
Not Track'' mechanism would not harm the Internet or end the provision 
of free products or services.
    Behavioral targeting is different than ``contextual advertising,'' 
another type of online ad service which shows ads to users based on the 
content of the web page they are currently viewing or the web search 
they have just performed. When this pairing of ads to users' interests 
is based only on a match between the content of an ad and a single page 
or search term, a website or advertising network requires no personal 
information about a user beyond an IP address. The practice does not 
raise significant privacy concerns.
    Nor would commonsense regulations necessarily foreclose the use of 
consumer data as part of advertising and services. For example, a 
consumer may want to allow significant data collection by websites with 
whom they already have a relationship. Companies like Google and Amazon 
gather information that has demonstrable benefit to the consumer--by 
providing book recommendations or easy-to-use maps. Consumers may 
welcome targeted ads when they feel in control of their own information 
or may consider it a fair tradeoff for other goods or services.
    Content has been supported for years (and in many cases for decades 
and even centuries) through advertising without the need for detailed 
targeting and tracking of consumers. But studies have demonstrated that 
the vast majority of the revenue from tracking consumers online goes 
not to content providers but rather to the behavioral targeters 
themselves. Industry sources say that 80 percent of the revenue from 
targeting--4 in 5 dollars--went to create and enhance the targeting 
system, not to publishers.\24\ Major publishers like the New York Times 
have endorsed a ``Do Not Track'' mechanism--clearly they are not 
concerned that such a mechanism will harm their ad revenue.\25\
---------------------------------------------------------------------------
    \24\ The Jordan Edmiston Group, M&A Overview and Outlook, Slide 13, 
can be found at: http://www.jegi.com/files/docs/IABMIXX.pdf.
    \25\ ``Protecting Online Privacy,'' New York Times, December 4, 
2010.
---------------------------------------------------------------------------
VI. Access to extensive personal profiles threatens personal privacy 
        and the First and Fourth Amendment
    It is no exaggeration to say that data profiles--which may combine 
records of a person's entire online activity and extensive databases of 
real-world, personally identifiable information--draw a personal 
portrait unprecedented in scope and detail. Because the Internet has 
become intertwined with so many personal facets of our lives, the same 
technology that has provided such tremendous advances also creates the 
possibility of tremendous intrusion by companies and the government.
i. Non-governmental actors
    The harms caused by excessive and invasive data collection are real 
and pressing. They begin with straightforward invasions of privacy. 
Should anyone have the right to know and sell to others the fact that 
you are overweight, or depressed, or gay? \26\ These are all 
commonplace occurrences with marketers and social networking sites 
routinely making and selling these determinations. They have 
significant consequences for consumers who have no say in the 
collection and use of their own information. As the Wall Street Journal 
explains:
---------------------------------------------------------------------------
    \26\ See Testimony of Pam Dixon The Modern Permanent Record and 
Consumer Impacts from the Offline and Online Collection of Consumer 
Information, Before the Subcommittee on Communications, Technology, and 
the Internet, and the Subcommittee on Commerce, Trade, and Consumer 
Protection of the House Committee on Energy and Commerce November 19, 
2009 at http://www.worldprivacyforum.org/pdf/TestimonyofPamDixonfs.pdf; 
Brett Michael Dykes, ``Latest Facebook privacy outrage: ad data outing 
gay users,'' The Upshot, October 22, 2010 at: http://news.yahoo.com/s/
yblog_upshot/20101022/bs_yblog_upshot/latest-facebook-privacy-outrage-
ad-data-outing-gay-users.

        Yahoo's network knows many things about recent high-school 
        graduate Cate Reid. One is that she is a 13- to 18-year-old 
        female interested in weight loss. Ms. Reid was able to 
        determine this when a reporter showed her a little-known 
        feature on Yahoo's website, the Ad Interest Manager, that 
---------------------------------------------------------------------------
        displays some of the information Yahoo had collected about her.

        Yahoo's take on Ms. Reid, who was 17 years old at the time, hit 
        the mark: She was, in fact, worried that she may be 15 pounds 
        too heavy for her 5-foot, 6-inch frame. She says she often does 
        online research about weight loss.

        ``Every time I go on the Internet,'' she says, she sees weight-
        loss ads. ``I'm self-conscious about my weight,'' says Ms. 
        Reid, whose father asked that her hometown not be given. ``I 
        try not to think about it. . . . Then [the ads] make me start 
        thinking about it.'' \27\
---------------------------------------------------------------------------
    \27\ Win article.

    This tracking is ubiquitous around the Internet with tracking 
technology on 80 percent of 1,000 popular sites, up from 40 percent of 
those sites in 2005.\28\
---------------------------------------------------------------------------
    \28\ Id.
---------------------------------------------------------------------------
    In the information age knowledge is power and personal information 
can be used for many other purposes. A data-mining firm called Rapleaf 
has said it can make determinations about creditworthiness and whether 
someone will be a good customer.\29\ A defense attorney attempted to 
access the social networking pages of two teens in order to prove they 
were appropriately denied health care.\30\ One employer demanded access 
to its employee's private Facebook account as part of a background 
check.\31\
---------------------------------------------------------------------------
    \29\ Lucas Conley, ``How Rapleaf Is Data-Mining Your Friend Lists 
to Predict Your Credit Risk,'' FAST COMPANY November 16, 2009 at http:/
/www.fastcompany.com/blog/lucas-conley/advertising-branding-and-
marketing/company-we-keep.
    \30\ Mark Stein, ``Facebook Page? Or Exhibit A in Court?,'' 
Portfolio.com, February 5, 2008 http://www.portfolio.com/views/blogs/
daily-brief/2008/02/05/facebook-page-or-exhibit-a-in-court/.
    \31\ Matt Liebowitz ``Boss Demands Employee's Facebook Password,'' 
MSNBC.com, March 1, 2011 http://www.msnbc.msn.com/id/41743732/ns/
technology_and_science-security/.
---------------------------------------------------------------------------
    When information escapes a consumer's control, it gives power to 
others to make decisions about them that have real consequences for 
their lives. In addition, the lack of control and transparency 
surrounding consumer personal information harms not just consumers but 
the Internet as a whole. Uncertainty over the use or misuse of 
information by third parties retards the adoption of new technologies 
and makes consumers more anxious about revealing personal information.
    Personal information can also reveal weaknesses that unscrupulous 
actors can exploit. Ninety-two year old veteran Richard Guthrie was 
bilked out of more than $100,000 by criminals who identified him from 
marketing lists.\32\ InfoUSA routinely advertised lists of:
---------------------------------------------------------------------------
    \32\  Charles Duhigg, ``Bilking the Elderly, With a Corporate 
Assist,'' New York Times. May 20, 2007 http://www.nytimes.com/2007/05/
20/business/20tele.html?_r=2.

        ``Elderly Opportunity Seekers,'' 3.3 million older people 
        ``looking for ways to make money,'' and ``Suffering Seniors,'' 
        4.7 million people with cancer or Alzheimer's disease. ``Oldies 
        but Goodies'' contained 500,000 gamblers over 55 years old, for 
        8.5 cents apiece. One list said: ``These people are gullible. 
        They want to believe that their luck can change.'' \33\
---------------------------------------------------------------------------
    \33\ Id.

    In other cases thieves purchased access to databases of Americans' 
personal information and used that information to commit identity 
theft.\34\
---------------------------------------------------------------------------
    \34\ Federal Trade Commission, ``ChoicePoint Settles Data Security 
Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for 
Consumer Redress,'' January 26, 2006. http://www.ftc.gov/opa/2006/01/
choicepoint.shtm.
---------------------------------------------------------------------------
    Collection of personal information online turbo-charges this 
process. One reporter asked a company to search out information about 
her online. She disclosed that, armed only with her name and e-mail 
address, ``Within 30 minutes, the company had my Social Security 
number; in 2 hours, they knew where I lived, my body type, my hometown, 
and my health status.'' \35\
---------------------------------------------------------------------------
    \35\ Jessica Bennett, ``What the Internet Knows about You,'' 
Newsweek, October 22, 2010. http://www.newsweek.com/2010/10/22/forget-
privacy-what-the-internet-knows-about-you.html.
---------------------------------------------------------------------------
ii. Governmental actors
    As their contracts with the data aggregator industry demonstrate, 
government and law enforcement agencies have also found these personal 
data profiles irresistible. In 2006 the Washington Post reported that 
the Federal Government and states across the country have developed 
relationships with private companies that collect personal information 
about millions of Americans, including unlisted cell phone numbers, 
insurance claims, driver's license photographs, and credit reports 
through private data aggregators including Accurint, Entersect and 
LexisNexis. In fact, Entersect boasts that it is ``the silent partner 
to municipal, county, state, and Federal justice agencies who access 
our databases every day to locate subjects, develop background 
information, secure information from a cellular or unlisted number, and 
much more.'' \36\
---------------------------------------------------------------------------
    \36\ O'Harrow Jr Robert, Centers Tap into Personal Databases, 
Washington Post, April 2, 2008.
---------------------------------------------------------------------------
    The Central Intelligence Agency (CIA), via its investment arm In-Q-
Tel, has invested in a software company that specializes in monitoring 
blogs and social networks \37\ and the Department of Defense, the CIA, 
and the Federal Bureau of Investigation (FBI) have all purchased use of 
private databases from Choicepoint, one of the largest and most 
sophisticated aggregators of personal data.\38\ In the words of the 
FBI, ``We have the legal authority to collect certain types of 
information'' because ChoicePoint is ``a commercial database, and we 
purchase a lot of different commercial databases. . . . They have 
collated information that we legitimately have the authority to 
obtain.'' \39\
---------------------------------------------------------------------------
    \37\ Noah Shactman, ``U.S. Spies Buy Stake in Firm That Monitors 
Blogs, Tweets,'' Wired, October 19, 2009 at http://www.wired.com/
dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-
monitoring-firm.
    \38\ Shane Harris, ``FBI, Pentagon Pay For Access to Trove of 
Public Records,'' National Journal., Nov. 11, 2005 at http://
www.govexec.com/story--page.cfm?articleid=32802; Robert O'Harrow Jr., 
``In Age of Security, Firm Mines Wealth Of Personal Data,'' Washington 
Post, January 20, 2005, at http://www.washingtonpost.com/wp-dyn/
articles/A22269-2005Jan19.html.
    \39\ Harris, supra n. 16 (quoting FBI spokesman Ed Cogswell).
---------------------------------------------------------------------------
    The government has demonstrated an increasing interest in online 
user data in other ways as well. In 2006 the Department of Justice 
(DOJ) subpoenaed search records from Google, Yahoo!, and other search 
providers in order to defend a lawsuit.\40\ In 2007, Verizon reported 
receiving 90,000 requests per year and in 2009, Facebook told Newsweek 
it was getting 10 to 20 requests each day. In response to increasing 
privacy concerns, Google started to publish the number of times law 
enforcement asked for its customers' information and reported over 
4,200 such requests in the first half of 2010 alone. In the words of 
Chris Hoofnagle, a senior fellow at the Berkeley Center for Law and 
Technology, ``These very large data bases of transactional information 
become honey pots for law enforcement or for litigants.'' \41\ Given 
the government's demonstrated drive to access both online data and 
commercial data bases of personal information, it seems nearly certain 
that law enforcement and other government actors will purchase or 
otherwise access the type of detailed profiles of online behavior 
compiled by behavioral marketers.
---------------------------------------------------------------------------
    \40\ Hiawatha Bray, ``Google Subpoena Roils the Web, U.S. Effort 
Raises Privacy Issues,'' Boston Globe, January 21, 2006 at http://
www.boston.com/news/nation/articles/2006/01/21/
google_subpoena_roils_the_web/.
    \41\ Miguel Helft, ``Google Told to Turn Over User Data of 
Youtube,'' New York Times, July 4, 2008 at http://www.nytimes.com/2008/
07/04/technology/04youtube.html.
---------------------------------------------------------------------------
    Our First Amendment rights to freedom of religion, speech, press, 
petition, and assembly are based on the premise that open and 
unrestrained public debate empowers democracy by enriching the 
marketplace with new ideas and enabling political and social change 
through lawful means. The Fourth Amendment shields private conduct from 
unwarranted government scrutiny. Together the exercise of these rights 
online has allowed the Internet marketplace of ideas to expand 
exponentially.
    Courts have uniformly recognized that government requests for 
records of which books, films, or other expressive materials 
individuals have received implicate the First Amendment and trigger 
exacting scrutiny.\42\ These cases are grounded in the principle that 
the First Amendment protects not only the right of individuals to speak 
and to express information and ideas, but also the corollary right to 
receive information and ideas through books, films, and other 
expressive materials.\43\ Within this protected setting, privacy and 
anonymity are vitally important. Anonymity ``exemplifies the purpose 
behind the Bill of Rights, and of the First Amendment in particular,'' 
because, among other things, it serves as a ``shield from the tyranny 
of the majority.'' \44\ An individual may desire anonymity when 
engaging in First Amendment activities--like reading, speaking, or 
associating with certain groups--because of ``fear of economic or 
official retaliation, . . . concern about social ostracism, or merely . 
. . a desire to preserve as much of one's privacy as possible.'' \45\
---------------------------------------------------------------------------
    \42\ In re Grand Jury Subpoena to Kramerbooks & Afterwords Inc., 26 
Med. L. Rptr. 1599, 1600-01 (D.D.C. 1998) (Dkt. No. 21, Ex. B) 
(requiring government to show compelling interest and a sufficient 
connection between its investigation and its request for titles of 
books purchased by Monica Lewinsky); Tattered Cover, Inc. v. City of 
Thornton, 44 P.3d 1044, 1053 (Colo. 2002) (holding that search of 
bookseller's customer purchase records necessarily intrudes into 
constitutionally protected areas).
    \43\ See, e.g., Va. State Bd. of Pharmacy v. Va. Citizens Consumer 
Council, 425 U.S. 748, 757 (1976) (right to receive advertisements); 
Stanley v. Georgia, 394 U.S. 557, 564 (1969) (films); Bantam Books v. 
Sullivan, 372 U.S. 58, 64 n.6 (1963) (books).
    \44\ McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 357 (1995).
    \45\ Id. at 341-42.
---------------------------------------------------------------------------
    The Supreme Court has also recognized that anonymity and privacy 
are essential to preserving the freedom to receive information and 
ideas through books, films, and other materials of one's choosing. For 
example, in Lamont v. Postmaster General, the Court invalidated a 
postal regulation that required the recipient of ``communist political 
propaganda'' to file a written request with the postmaster before such 
materials could be delivered.\46\ The regulation violated the First 
Amendment because it was ``almost certain to have a deterrent effect . 
. . Any addressee [was] likely to feel some inhibition'' in sending for 
literature knowing that government officials were scrutinizing its 
content.\47\ Forced disclosure of reading habits, the Court concluded, 
``is at war with the `uninhibited, robust, and wide-open' debate and 
discussion that are contemplated by the First Amendment.'' \48\
---------------------------------------------------------------------------
    \46\ Lamont v. Postmaster General, 381 U.S. 301, 302 (1965).
    \47\ Id. at 307.
    \48\ Id. (quoting New York Times Co. v. Sullivan, 376 U.S. 254, 270 
(1964)).
---------------------------------------------------------------------------
    These words ring equally true today in the Information Age, with 
the prevalence of the Internet and other new technologies. Although 
these technological advances provide valuable tools for creating and 
disseminating information, the unprecedented potential for government 
and companies to store vast amounts of personal information for an 
indefinite time poses a new threat to the right to personal privacy and 
free speech. In In re Grand Jury Subpoena to Amazon.com, the district 
court recognized this reality in holding that a grand jury subpoena to 
Amazon requesting the identities of buyers of a certain seller's books 
raised significant First Amendment concerns.\49\ The court explained 
its concern over the chilling effect that would flow from enforcing 
such a subpoena in the age of the Internet, despite its confidence in 
the government's good-faith motives:
---------------------------------------------------------------------------
    \49\ 246 F.R.D. at 572-73

        [I]f word were to spread over the Net--and it would--that [the 
        government] had demanded and received Amazon's list of 
        customers and their personal purchases, the chilling effect on 
        expressive e-commerce would frost keyboards across America. 
        Fiery rhetoric quickly would follow and the nuances of the 
        subpoena (as actually written and served) would be lost as the 
        cyber debate roiled itself to a furious boil. One might ask 
        whether this court should concern itself with blogger outrage 
        disproportionate to the government's actual demand of Amazon. 
        The logical answer is yes, it should: well-founded or not, 
        rumors of an Orwellian Federal criminal investigation into the 
        reading habits of Amazon's customers could frighten countless 
        potential customers into canceling planned online book 
        purchases, now and perhaps forever. . . . Amazon . . . has a 
        legitimate concern that honoring the instant subpoena would 
        chill online purchases by Amazon customers.\50\
---------------------------------------------------------------------------
    \50\ In re Grand Jury Subpoena to Amazon.com, 246 F.R.D. at 573.

    The Internet is, and must remain, the most open marketplace of 
ideas in the history of the world. In order to guarantee this, we must 
provide consumers with the tools they need to control their personal 
information and meaningful mechanisms for assuring privacy and 
protecting the robust rights established by the Constitution.
VII. Solutions exist
    Reasonable and workable solutions exist for grappling with the 
problems of excessive data collection. While the technology is new, the 
problem is not. As the preceding case law demonstrates, as a society we 
have always been concerned about problems like judging or attacking 
individuals based on their reading or viewing habits. That is why 48 
states protect public library reading records by statute.\51\ Congress 
has also recognized the privacy interests of users of expressive 
material and created strong protections in several other contexts. The 
Video Privacy Protection Act prohibits disclosure of video rental 
records without a warrant or court order.\52\ The Cable Communications 
Policy Act similarly prohibits disclosure of cable records absent a 
court order.\53\
---------------------------------------------------------------------------
    \51\ See, e.g., N.Y. C.P.L.R.  4509; Cal. Gov. Code  6267, 
6254(j). The two states that do not have library confidentiality laws 
are Hawaii and Kentucky. However, the Attorney Generals' Offices in 
each state have issued opinions in support of reader privacy. Haw. OIP 
Opinion Letter No. 90-30 (1990) (disclosure of library circulation 
records ``would result in a clear unwarranted invasion of personal 
privacy''); Ky. OAG 82-149 (1982) (``all libraries may refuse to 
disclose for public inspection their circulation records. . . . [W]e 
believe that the privacy rights which are inherent in a democratic 
society should constrain all libraries to keep their circulation lists 
confidential.'').
    \52\ 18 U.S.C.  2710(b)(2)(C), 2710(b)(2)(F), 2710(b)(3).
    \53\ 47 U.S.C.  551(h).
---------------------------------------------------------------------------
    Moreover, more than 30 years ago the U.S. Department of Health, 
Education and Welfare (now the Department of Health and Human 
Services), crafted basic privacy principles to protect personal 
information.\54\ Called the Fair Information Practice Principles 
(FIPPs), they have become the basis for comprehensive privacy laws in 
most of the industrialized world as well as sector specific privacy 
laws in the United States.\55\ In 2008 the Privacy Office of the 
Department of Homeland Security formally adopted them in its analysis 
of DHS programs. And in a recent report, the Department of Commerce 
recommended that the FIPPs as described by DHS be adopted as the basis 
for Internet regulation.\56\
---------------------------------------------------------------------------
    \54\ For a brief history on the principles please see Robert 
Gellman, Fair Information Practices: A Basic History at http://
bobgellman.com/rg-docs/rg-FIPShistory.pdf.
    \55\ Directive 95/46/EC on the protection of individuals with 
regard to the processing of personal data and on the free movement of 
such data, October 24, 1995; Fair Credit Reporting Act (FCRA), 15 
U.S.C.  1681 et seq.
    \56\ Department of Commerce, Commercial Data Privacy and Innovation 
in the Internet Economy: A Dynamic Policy Framework, December 2010.
---------------------------------------------------------------------------
    The FIPPs stand for eight relatively straightforward ideas:

   Transparency: Individuals should have clear notice about the 
        data collection practices involving them.

   Individual Participation: Individuals should have the right 
        to consent to the use of their information.

   Purpose Specification: Data collectors should describe why 
        they need particular information.

   Data Minimization: Information should only be collected if 
        it's needed.

   Use Limitation: Information collected for one purpose 
        shouldn't be used for another.

   Data Quality and Integrity: Information should be accurate.

   Security: Information should be kept secure.

   Accountability and Auditing: Data collectors should know who 
        has accessed information and how it is used.

    While some adjustments will have to be made to conform to new 
technologies, international Internet data collection practices, as well 
as the data collection practices of other sectors of the U.S. economy, 
are already governed by the FIPPs.\57\ To imply as some have done that 
application of these regulations in this case would cause serious harm 
to the Internet and e-commerce seems overstated at best.
---------------------------------------------------------------------------
    \57\ Id.
---------------------------------------------------------------------------
    These protections must be embodied in law, not just in industry 
practice. For years government agencies have called on industry to 
provide privacy protections for consumers. However, as a recent Federal 
Trade Commission report explains, self-regulatory efforts ``have been 
too slow, and up to now have failed to provide adequate and meaningful 
protection.'' \58\ One example illustrates this fact well. In 1999 and 
2000 when behavioral targeting first attracted regulatory attention, an 
industry group, the Network Advertising Initiative (NAI), claimed that 
self-regulation was a solution and that all NAI members would follow a 
common code of conduct.\59\ As regulatory attention faded, so did 
participation in the NAI. By 2003 it had only two members. There is no 
reason to believe that things would be different now.
---------------------------------------------------------------------------
    \58\ Federal Trade Commission (Bureau of Consumer Protection), A 
Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era 
of Rapid Change: A Proposed Framework for Businesses and Policymakers, 
December 1, 2010.
    \59\ World Privacy Forum, Network Advertising Initiative: Failing 
at Consumer Protection and at Self-Regulation, Fall 2007 at: http://
www.worldprivacyforum.org/pdf/WPF_NAI_
report_Nov2_2007fs.pdf.
---------------------------------------------------------------------------
    It is important to note that technology is already moving to help. 
Browser manufacturers are creating technical mechanisms so that web 
surfers can indicate their preference not to be tracked.\60\ If given 
the force of law through the passage of a ``Do Not Track'' law, those 
mechanisms set a solid foundation for beginning to protect personal 
information online.
---------------------------------------------------------------------------
    \60\ Julia Angwin, ``Web Tool on Firefox to Deter Tracking,'' Wall 
Street Journal, January 24, 2011.
---------------------------------------------------------------------------
VIII. Conclusion
    The current online data collection practices create detailed 
profiles on each of us. These practices are neither benign nor 
anonymous. They harm consumers and directly impact their fundamental 
rights. They are also unpopular--even when explicitly tied to the 
provision of free services. Good solutions exist and have been adopted 
in other countries and other parts of the U.S. economy. The Committee 
should look to these solutions like the ``Do Not Track'' mechanism and 
adopt legally enforceable rules to protect consumers and end this 
profiling.

    Senator Kerry. Well that's a pretty far reach.
    [Laughter.]
    Senator Kerry. I mean it's a big concept. So I'm not 
suggesting you're reaching. It's just it's a big statement 
obviously about a potential downside.
    It's just you, us and that's it. That's all that's left. 
I'm sorry.
    [Laughter.]
    Senator Kerry. But I want to probe a few things then we'll 
get you all out of here before too, too long, if I can.
    So Mr. Calabrese, you've sort of drawn this potential 
danger picture, which is appropriate, in front of us. What's 
the appropriate response to that in your judgment?
    Mr. Calabrese. Well I mean we've heard a lot of great 
responses. I mean, I think we can begin with the Do Not Track 
mechanism which again, if backed by law gives people the 
opportunity to sort of opt-out of this state. It's not enough 
on its own.
    Senator Kerry, the principles that you described, the 
ability to give consumers control over their information is 
vital to this as well. I think Do Not Track is a part of that. 
But it's also about sharing information collected by a first 
party. Just because I want a company to collect my information 
doesn't mean I want them to use it for everything. I may want 
to limit that. And that's----
    Senator Kerry. Is there a balance here in your judgment 
between the obviously very important interest that you're 
highlighting and also the commercial, economic interest that we 
all have in maintaining the viability needed to save a growing 
enterprise?
    Mr. Calabrese. Oh, there absolutely is a balance. But we 
need to set--I'm sorry.
    Senator Kerry. No, go ahead.
    Mr. Calabrese. There is a balance. My fear, candidly, is 
that right now there's no legal protection. And there's a great 
deal of incentive.
    I mean Americans are some of the greatest businessmen and 
businesswomen in the world. If you give them an economic 
incentive and say there's an economic incentive to track people 
online. They will do a really good job of it.
    So I think we need to put controls in place to make sure 
that the consumer is part of that process.
    Senator Kerry. And how far do those controls have to go if 
the consumer has knowledge? I mean one of the problems is we've 
learned--I don't know if I have statistics here or not. I don't 
think I do.
    But we have found historically that, you know, people 
consistently say well this is something I'm really super, super 
concerned about but then they tend to engage in practices on 
the Internet itself that sort of belie that a little bit.
    Mr. Calabrese. Sure. Well, I think part of that is they 
really haven't had meaningful choice up to this point. It's 
been sort of a take it or leave it approach. And so it's hard 
to expect people to invest time and energy in something----
    Senator Kerry. I think that a lot of folks at the table 
would disagree that they don't have meaningful choice.
    Mr. Calabrese. Sure. I think they would. By all--but I mean 
the fact that I can't point to a law that says I control my 
personal information makes, you know, makes me--makes it hard 
for me to tell a consumer that they in fact, do have that 
control. I mean, a company's promises are important but not 
enough.
    Senator Kerry. Who else? Anybody want to speak to that, 
sort of the balance?
    Mr. Andersen. I'm happy to speak to it for a moment.
    Senator Kerry. Go ahead, Mr. Andersen.
    Mr. Andersen. Microsoft is obviously involved in online 
advertising. We also provide tools to consumers to help them 
protect themselves from activities that they may view as 
tracking and also spam and things like that as well. So we're 
sort of in a somewhat unique position of having to make sure 
that we're looking at both sides of the equation.
    In the testimony that I submitted we did provide some 
statistics about the incredible growth of online advertising, 
and pointed out that it really is fueling a lot of the content 
available on the Internet today. I do think that it is 
important to make sure that that is kept in mind as one thinks 
about legislation.
    At the same time consumer trust is incredibly important to 
our company. We know that users want to be in control of the 
data that is collected about them and how that data is used as 
well. And so we're endeavoring to make sure that they have the 
tools available to them to make sure that they are in control.
    Senator Kerry. What does that mean, tools available to 
them?
    Mr. Andersen. What I mean by that? I'll give you an example 
from Internet Explorer browser. So we have this feature called 
Tracking Protection that we've introduced this week with 
Internet Explorer. It's available on the product. From the 
menu, you can select a feature called ``tracking protection.'' 
And what that will----
    Senator Kerry. Select that when you download it or do you 
select that every time it comes up? Is there an icon on your--
--
    Mr. Andersen. That's a good question. When you have 
installed the product there are menu items that are available 
to you to choose from.
    Senator Kerry. Is that in the initial installation because 
I know sometimes when you download something you get a whole 
menu of initial installation, you know, some signs that shows 
up more than it does than other times. It can be more bold 
faced than other times. You can miss them sometimes.
    I mean, how does it show up?
    Mr. Andersen. That's correct. It would not be part of your 
installation process. You wouldn't be asked to choose among 
different settings at the beginning of your installation 
process.
    What you would do is after you've installed the product you 
would choose from the menu of different controls that you have 
to place.
    Senator Kerry. Do you have to choose to go to the menu or 
does the menu show up automatically?
    Mr. Andersen. You'd have to choose the menu.
    Senator Kerry. So you'd have to go to the menu.
    Mr. Andersen. Yes, you would.
    Senator Kerry. It wouldn't be like a privacy warning, the 
original warnings where you have to sign up and say, I agree in 
order to proceed forward. There wouldn't be a stop, you can't 
proceed forward until you've answered it.
    Mr. Andersen. That's correct.
    Senator Kerry. So a lot of people say, well, that's not 
really an in your face choice.
    Mr. Andersen. We understand that perspective, obviously. I 
think----
    Senator Kerry. I mean I'm sure that when you really want to 
get somebody's attention you guys know how to do it.
    [Laughter.]
    Mr. Andersen. We've been pretty successful at doing that, 
yes.
    Senator Kerry. So, does this rise to that level or does it 
not?
    Mr. Andersen. Well, it's a good question. I think that what 
we found is that, you know, people want to experience the full 
Internet when they use a browser product. And they want to 
receive the personalization that they're able to get by using 
the full Internet. At the same time there's many people who 
want to have a choice and want to have tools available to them 
that are easy to access to the product to be able to----
    Senator Kerry. No one is denying the choice. It's just a 
question of how boldly it's there. I mean, you know, as you 
said, you know how to get people's attention. Everybody does in 
the business. And things keep popping up and popping up and 
you've got to figure out how the hell to get them away 
sometimes.
    And then there are things that don't pop up. And you can't 
find or they're harder to find. I think that's really at the 
center of this to some degree. There's got to be some sense of, 
you know, fair play and transparency and accountability in 
that.
    Mr. Andersen. Absolutely. It's absolutely a big part of the 
discussion is that at what point along the user experience 
should you be affirmatively giving users a choice to make a 
decision.
    Senator Kerry. Let me ask a blunt question. And maybe Mr. 
Montgomery this is in your area and someone else at the table 
perhaps into it, I'm not sure. In fact before I ask that 
question let me come back to Intuit, if I can.
    Intuit, you were commenting, Ms. Lawler, about the four 
principles that you apply. And they're admirable. They're 
terrific. And you talk about income tax, health, vendor links, 
all these things that you manage.
    But isn't that a very different kind of relationship and 
business than some other businesses. Which therefore makes it 
easier for you to frame this kind of a wow, we're able, you 
know, we're going to protect you because in fact your whole 
thing is the protection of the relationship with the customer. 
A lot of other people may not have that kind of a stake, you 
know.
    People can come and go as long as the traffic is sufficient 
if they're able to track enough of what they're doing. There 
may be, as Senator Isakson said, a sort of a commodity value to 
the information they have that's sufficient to encourage them. 
There may be better economics on that side of the ledger than 
on the other which encourages them therefore to chase that 
information rather than to be as protective as you are.
    Does that make sense the distinction I'm drawing?
    Ms. Lawler. Yes, Senator, it does. Our customers' trust is 
really critical to us. And you talked about the nature of the 
sensitive information that we have and the relationship that we 
have with our customers is that they're using our services and 
products to manage their personal life, their personal 
finances, to manage their businesses online.
    So we have actually gone directly to our customers and 
asked them what's important to them. And understanding that 
while there is that sensitive information there are other 
aspects of their interaction with us that might not be, if it 
was another company treated in the same, more sophisticated 
way----
    Senator Kerry. So might you agree therefore that if you go 
to a retail outlet of some kind, perhaps, they have a different 
interest? And are there different stakes as a result? Would 
there be a different value level of protection as a result of 
the difference in the activity?
    Ms. Lawler. I think this is why we are talking about a 
principles-based approach based on industry sector type of data 
use. So clearly is data more sensitive in a retail environment? 
Maybe somewhat less so, but one of the things that was very 
clear from our customers is that in all contexts whether it is 
more shopping related data or whether it's related to their 
personal finances is that, while they may not read privacy 
policies, they really care about how their data is used. They 
want to understand that through clear, open, transparent 
explanations. And actually the more clear and open you are 
about that, the less they want to be fed with choices on a 
constant basis. What actually mattered to them was something 
that was very contextual and relevant that related to their 
experience.
    So when we think about that and think about our principles-
based approach we would look at something that was flexible 
that worked with our environment but also could be adapted to 
different industries, businesses and sectors of all sizes.
    Senator Kerry. Well I appreciate--I certainly have enormous 
respect for the concept, the data stewardship concept, that 
you've articulated. I think that putting that kind of statement 
out front it's the customers, not ours, is a high standard. And 
we have to sort of figure out, you know, where that applies.
    Mr. Montgomery, you may have a different feeling about that 
a little bit.
    Mr. Montgomery. Not a different feeling at all, sir. I 
think--I think an important question that you asked a little 
earlier which was about very clear notice that information has 
been collected so nothing that is hidden under, you know, under 
a menu. And I think that the self regulation program of which 
Microsoft, by the way, is an important part, has an icon on 
every single advertisement that collects information.
    So the billions of advertisements that go out every week 
that collect information will have an icon on them which will 
allow consumers to click on the icon. It will tell them exactly 
who is collecting information about them.
    Senator Kerry. Is that the icon?
    Mr. Montgomery. That's the icon in a somewhat expanded 
version.
    Senator Kerry. What's the chart underneath it?
    Mr. Montgomery. That's an example of an ad that's actually 
running at the moment. And if you see in the top right hand 
corner. That's a pervasive ad choices icon that consumers would 
click on.
    Once they click on the icon they'll be told a little about 
behavioral advertising, who is collecting information. And with 
one click be able to opt-out. So it's----
    Senator Kerry. Does Verizon get a piece of the action 
today?
    [Laughter.]
    Mr. Montgomery. No, they do not, sir.
    Senator Kerry. OK.
    Mr. Montgomery. So I think it's an important point that you 
raise that it needs to be out there. And we think this is going 
to become like the recycling logo. It's going to build consumer 
trust and at the end----
    Senator Kerry. How does that find its way to there now? Is 
that a one to one relationship with Verizon or how does it 
work?
    Mr. Montgomery. So we're busy rolling out the program to 
our client base. I think that there are more than 100 major 
clients that already subscribe. And clients just simply have to 
give us permission to go ahead. And most of our clients agree 
with it.
    Then there's an underpinning technology that we employ that 
allows us to figure out exactly who is tracking so that we can 
apply a compliance mechanism to the process. So if an 
advertiser doesn't comply we contact them. Then we call them 
out publicly. And ultimately, you know, that information is 
made public and that----
    Senator Kerry. Does that presume our, kind of, consumer 
awareness about that or would there be some sort of a campaign 
that makes people aware? How would you get the word out, so to 
speak?
    Mr. Montgomery. Yes. No, it's a great question. In my 
testimony earlier I talked about a campaign that we've 
developed with the Internet Advertising Bureau called ``Privacy 
Matters.'' And that is already enjoyed over 600 million 
impressions against consumers.
    And we're going to extend that campaign so we can teach 
consumers about what information is collected, the importance 
of behavioral advertising and also the importance of having 
access to free content on the Internet which is fueled by 
advertising.
    Senator Kerry. So do you still accept the notion that--
incidentally, I think it's a terrific step forward and I 
congratulate you for it--but do you still believe that you need 
a baseline law where there's a safe harbor from preemptive 
prescriptive regulation?
    Mr. Montgomery. Sir, what we feel is very, very important 
in this process is that self regulation is given an opportunity 
to work in this process. And if it needs to work with a 
baseline law we will be very happy to cooperate with you in any 
way to refine and ensure compliance around that as long as the 
self regulation can operate within it.
    Senator Kerry. But suppose, I mean, if the FTC were to 
certify that program or similar program like that and it's 
compliant with the fair treatment of people's information given 
the way the net works and the modern technology that's 
available and the low cost of collection and so forth, couldn't 
collectors of information outside of your program wind up doing 
a lot of damage broadly in ways that would be inconsistent with 
what you've said consumers ought to have?
    Mr. Montgomery. Just to clarify, you mean, data trackers--
--
    Senator Kerry. Yes.
    Mr. Montgomery. Who are outside the program?
    Senator Kerry. Precisely.
    Mr. Montgomery. I think that there are bad actors out 
there. And one of the--and we would absolutely support any way 
that we could uncover those bad actors and who are doing 
anything to harm consumers.
    Senator Kerry. Well, since our approach is principles-
based, basically, doesn't that give you the latitude within 
which to be able to move?
    Mr. Montgomery. I think what's important is right now we 
have over 5,000 companies subscribing to the self regulatory 
process. And in that way we've got 5,000 policemen out there 
watching for the bad actors. And we, in fact, interestingly 
last week we discovered some fraudulent practice on the 
Internet and handed it over to the FBI for further 
investigation.
    We hear this all the time amongst our, you know, our member 
base where, you know, they're looking out for that all the 
time. So in summary, we absolutely would work with you in any 
way we could to ensure consumer privacy and continued 
innovation.
    Senator Kerry. Mr. Andersen, we've shared with you, with 
the company, you, the drafts, current drafts, as with several 
of you. And I wonder if you might just share with us your sense 
of sort of where we are in that process now, the direction.
    Mr. Andersen. From our perspective the process is going 
very well. We absolutely appreciate the opportunity to be 
involved in the process. We see the drafting process going in 
the direction we had hoped for which is to establish baseline 
principles in the law that we think are reasonable and we think 
that industry can and should be able to sign up for it. So 
we're very encouraged by it.
    Senator Kerry. Appreciate that.
    Ms. Lawler, what about you?
    Ms. Lawler. We also, excuse me, we also like the direction 
that the proposal is going. We are generally supportive. We 
like the principles-based approach. We like the consideration 
around codes of conduct and safe harbor.
    We look forward to working with you on refining the 
proposal as it moves along.
    Senator Kerry. Do you have a major--is there a major hurdle 
in your judgment?
    Ms. Lawler. I would say that there aren't any major 
hurdles. I think where we would like to work with you would be 
on the level of prescriptiveness of certain areas around notice 
and contacting.
    Senator Kerry. OK. Well we look forward, obviously, to 
working that through with you. And all of, you know, certainly.
    Ms. Lawler. Yes.
    Senator Kerry. Certainly.
    Ms. Lawler. There's very much that we do like in the bill, 
in the proposal.
    Senator Kerry. Good.
    Ms. Lawler. So we think there's a lot there to work with.
    Senator Kerry. Good.
    Ms. Lawler. And in particular, you know, we've talked a lot 
today about concern about bad actors. And you have companies 
represented in this room that are high achievers, you know, set 
very high standards. And I think what a principle based 
approach that is outlined in the proposal currently will also 
help us is really aim at the large mass of businesses, 
organizations in the middle, that may not have the same level 
of resources or expertise in privacy issues that you see at 
this table.
    And so, principles-based approach, using safe harbors as 
described in the proposal, I think is a real positive mechanism 
to bring the large masses into a higher level of privacy 
protection.
    Senator Kerry. Well, we'll work with you on that. I've just 
been noticed that they need me back in the office. So I've got 
to run and do that in a moment.
    I think Colonel Khadafi doesn't believe in privacy or 
something so I've got to go deal with it.
    [Laughter.]
    Senator Kerry. Quick question if I can, Mr. Soltani. I want 
to get--you've talked thoughtfully about the first party entity 
and the website that you are directly interacting with and the 
third party is some entity that the first party allows to 
interact with you and so forth. It makes sense, very logical 
and we get it.
    But we've been struggling a little bit with the cases where 
you have a first party such as Facebook. And then Facebook 
tracks behavior in another site, et cetera. And given that the 
consumer had a first party relationship with Facebook as long 
as notice is provided and choices provided for Facebook to 
acquire the information is that a point somewhere in between 
the first and third party? How do we--we've been struggling 
with this a little bit.
    Mr. Soltani. It's a great question. I believe in that 
context Facebook is a first party and a third party. In the 
context when you go and enter Facebook.com into your URL bar of 
your browser, that's a first party interaction.
    However, in the context where you are on say, the 
Washington Post and there are Facebook widgets, buttons, 
objects on the page, I believe that constitutes a third-party 
widget. The loading of a third-party widget that then results 
in passive data collection I still believe would fall under 
third-party data collection.
    It's a little nuanced since users can also interact with 
that widget. And in the case where users knowingly interact 
with a widget perhaps we can frame it as a first party 
interaction.
    Senator Kerry. So where would the notice have to be? Would 
the notice have to be the first time when you first sign up? 
This can happen? Or does the notice have to occur each time, 
each face page? How does it work?
    Mr. Soltani. Since often these things are tied to 
identifiers I believe perhaps upon the setting of the 
identifier in the first party context the notice could happen. 
So, your ``cookie'' could then be later used to tie that 
activity to the third-party context.
    We also want to be careful here around forced third party 
interactions, i.e., when you go to a website and a video starts 
playing or an ad pops up that you're forced to dismiss, since 
you can actually compel users to require them to interact in a 
third party context.
    I think we still want to frame it around meaningful 
interactions with third party objects that consumers are aware 
of, and we might consider that okay. All other passive data 
collection we would consider third party data collection.
    Senator Kerry. OK. We've got to work that through 
obviously. And see how we can come out of it. But there's 
obviously some, you know, some of this is, you know, does get 
into that nuance.
    Mr. Soltani. Absolutely.
    Senator Kerry. Whatever you want to call it, area. It gets 
tricky. I think the principle that we want to have guide us is 
also to do no harm even as we are protecting people. And I 
think, you know, we're going to try to balance that very, very 
carefully here.
    So we will continue a thoughtful process here of engagement 
with all of you to try. And Danny Sepulveda has been doing a 
superb job, I think, of reaching out and sitting with 
everybody.
    I also want to thank as a slight nepotism here going on. 
But my brother over at the Commerce Department, as General 
Counsel has been involved in this without my instruction or 
engagement at all. They've done this on their own. But I thank 
them for their input which has been helpful in this process, 
enormously helpful.
    And obviously we need to work with the Administration in 
order to figure out where we're going here.
    I hope we can get a product where everybody is standing up 
and saying this is good. This is something we can live with. We 
can work with. And the consumer is really given a set of 
choices and opportunities here that they don't have today to 
make an intelligent guided selection as to where they're 
heading and what's happening to their information.
    And I think we can come out of there without upsetting the 
obvious commercial interests that we all want to encourage and 
that are important to us. So on that note we'll adjourn here 
today. And look forward to trying to get this thing into shape 
where we can get it introduced.
    I'm working, as you know, with Senator McCain, very 
closely. And he's got some interest in this as we go. But I 
hope that we'll get to a point where we can introduce this in 
short order.
    I think we need to do it. I think we need to do it soon. I 
think everybody will benefit by doing this. And I look forward 
to getting this accomplished. So thank you all very, very much 
for being here today.
    We stand adjourned.
    [Whereupon, at 12:09 p.m., the hearing was adjourned.]
                            A P P E N D I X

                Prepared Statement of Hon. Mark Begich, 
                        U.S. Senator from Alaska
    Thank you to Chairman Rockefeller and Senators Kerry and Pryor for 
their work on this vital issue for Americans. Alaskans value their 
privacy so much there is a right to privacy spelled out in the Alaska 
State Constitution. We don't want the government or private businesses 
invading our privacy.
    Online privacy is one of the most important issues facing consumers 
today. I frequently hear from constituents regarding the privacy 
practices of companies or the impact of the Internet on their lives. 
The Unites States Constitution clearly protects Americans from 
unreasonable searches of their private information without a compelling 
reason, and there's no reason to believe Americans are any more apt to 
tolerate someone pulling private information for financial benefit 
through their actions on the Internet.
    I am particularly concerned about the pervasive nature of tracking 
on children's websites. I have an 8-year-old son who regularly uses the 
Internet and is extremely proficient on computers. My wife and I 
regularly monitor his Internet usage, but I cannot find out what 
companies target him, who has access to that information and to which 
third parties this information is sold. Additionally, what protections 
are in place to ensure he is not unknowingly downloading inappropriate 
or dangerous software? What sort of ``e-dossier'' is already being 
created by my son's Internet usage? Unfortunately, I believe there are 
few if any protections in place for this most vulnerable population.
    We must find a solution that will protect people's online 
experience while enabling the Internet to continue to grow and thrive. 
We cannot accept the ``wild west'' status quo any longer. I look 
forward to working toward a solution in the 112th Congress.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                         Hon. Jon D. Leibowitz
General Privacy Questions
    Question 1. Based on the FTC's December staff report, could you 
please highlight for the Committee where you see the most harm posed to 
consumers due to a need for better online privacy protections? Where do 
you think are the greatest risks to consumer privacy?
    Answer. The Commission staff continues to be concerned about harms 
that can result from unauthorized disclosure of consumers' information, 
including financial harm such as identity theft; physical harm such as 
stalking; unwarranted intrusions into consumers' time, such as unwanted 
telemarketing calls and spam; and harms that result from the denial of 
employment, insurance, and other goods and services.
    In addition, consumers suffer harm simply from having their 
information used without their informed consent. Consumers that provide 
information believing it is private will lose trust in a company if the 
company makes that information public without the consumer's consent. 
Consumers believing they are simply searching for information about a 
health condition online will lose trust in a company that sells 
information about them without their knowledge. More broadly, consumer 
trust in online services generally is damaged if companies collect and 
use data in ways that consumers do not expect. The loss of consumer 
trust in online services would harm both consumers and business by 
chilling consumers' willingness to participate in online activities and 
electronic commerce.
    The preliminary staff report asked for comment on several 
recommendations to address these harms. For example, to address the 
problem of data falling into the wrong hands--such as identity thieves 
and stalkers, the report recommends that companies not collect 
unnecessary data, maintain better data security for the data they 
maintain, and dispose of the data when they no longer have a legitimate 
business need for it. To avoid collection and use of consumers' data 
without their informed consent, the report makes recommendations on how 
companies can improve transparency and obtain more informed choices.

    Question 2. How can consumers be better educated about privacy 
risks and steps they can take to protect themselves? Do consumers have 
the tools necessary to adequately protect themselves in today's world?
    Answer. The Commission runs educational campaigns to teach 
consumers how to protect their valuable personal information and make 
thoughtful decisions about when it is shared and used. For example, the 
Commission manages the interagency OnGuardOnline.gov campaign, which 
helps computers users avoid fraud, protect their privacy and stay safe 
online. The OnGuardOnline.gov site has information to help parents talk 
to their kids about the value of their personal information and how to 
make responsible choices about where and how to share it. The 
Commission's identity theft information for consumers (FTC.gov/idtheft) 
also provides tips and advice about how to protect sensitive 
information online and off. A wide variety of consumer educational 
materials, including many in Spanish, help consumers deter, detect, and 
defend against identity theft. For example, the FTC publishes a victim 
recovery guide--Take Charge: Fighting Back Against Identity Theft--that 
explains the immediate steps identity theft victims should take to 
address the crime.
    However, the Staff Report noted that companies' privacy practices--
including the collection, use, and transfer of consumer information--
are often not transparent to consumers; therefore collection or use of 
consumer information may occur without their knowledge or consent. In 
such situations, consumer education is not adequate to protect consumer 
privacy, which is why the Preliminary Staff Privacy Report highlights 
the need for some of the burden surrounding privacy protection to shift 
from the consumer to businesses. Thus, the Report asked whether 
industry can do more to help consumers better understand how their 
information is collected and used. As outlined in the Report, industry 
could incorporate privacy protections such as data security, sound 
retention practices, and data accuracy into products and services; 
offer simplified consumer choice; and inject greater transparency about 
data collection and use into business practices.

    Question 3. What do you think FTC oversight would provide that 
self-regulation by the industry could not?
    Answer. As an initial matter, the staff report does not take a 
position on whether its recommendations should be implemented through 
legislation or self-regulation. It is intended to provide guidance to 
industry, Congress, and policymakers as they develop rules of the road 
in this area.
    That said, whether or not legislation gets enacted, self-regulation 
will always play an important role in protecting consumer privacy. The 
Commission staff has supported self-regulation in the past and 
continues to believe that self-regulation can be an effective tool, as 
long as it is comprehensive, robust, effective and enforceable. And 
under Section 5 of the Federal Trade Commission Act, the Commission can 
take enforcement action against companies that break their promises to 
abide by self-regulatory codes of conduct. This is an important 
component of ensuring accountability for self-regulatory programs.

    Question 4. What steps should the industry take to assist citizens 
with knowing what their digital life is like?
    Answer. The Preliminary Staff Privacy Report contained a number of 
recommendations for industry to help people understand how their 
personal information is collected and used. In particular, the Report 
recommended simplifying choices for consumers and increasing 
transparency.
    Recognizing that the current model of lengthy privacy policies was 
ineffective in informing consumers about information practices, the 
Staff Report recommended that businesses simplify choices provided to 
consumers. For example, the staff report indicated that companies do 
not need to provide choice before collecting and using consumers' data 
for commonly accepted practices, such as product fulfillment. For 
practices requiring choice, companies should offer the choice at a time 
and in a context in which the consumer is making a decision about his 
or her data. This will allow the consumer to focus on the choices that 
matter and make more informed decisions.
    The Staff Report also recommended that companies increase the 
transparency of their data practices, by, for example, making privacy 
notices clearer, shorter, and more standardized, to enable better 
comprehension and comparison of privacy practices. The Report also 
recommended that companies consider providing reasonable access to the 
consumer data they maintain, proportionate to the sensitivity of the 
data and the nature of its use.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Kay Bailey Hutchison to 

                         Hon. Jon D. Liebowitz
    Question 1. Chairman Leibowitz, in his concurring statement to the 
FTC report, Commissioner Kovacic expresses the concern that a Do Not 
Track mechanism on the Internet could inherently reduce the quality of 
content provided, by lowering the revenue currently derived from 
advertising and possibly even forcing some online content providers to 
deny free access to those who opt out of tracking.

   Has the Commission examined what the ramifications of do not 
        track could be on the quality of content provided online, 
        particularly of content that is currently provided for free?

   Will you commit to ensuring that this type of analysis will 
        be part of the Commission's analysis before the final report 
        comes out?
    Answer. The Commission recognizes the need for an appropriate 
balance between consumer choice about online tracking and ensuring 
continued innovation in this area. As the Preliminary Staff Privacy 
Report noted, online advertising helps to support much of the content 
available to consumers on the Internet. Although the Commission is 
continuing to evaluate the comments received on its staff report, 
evidence suggests a Do Not Track mechanism for exercising choice about 
behavioral advertising would have minimal impact on the free content 
available on the Internet and on innovation. First, the Preliminary 
Staff Privacy Report noted that certain advertising, such as first 
party marketing and contextual advertising, would not be affected by a 
Do Not Track mechanism. Thus, this type of advertising would continue 
to serve as a source of revenue for content providers.
    Second, recent research from an organization working with the 
advertising industry suggests that if companies provide adequate 
transparency and consumer choice, consumers will choose not to opt out 
in great numbers, because they have a greater degree of trust in 
companies' stewardship of their information. See Evidon (formerly 
Better Advertising), Research: consumers feel better about brands that 
give them transparency and control over ads, http://blog.evidon.com/
2010/11/10/research-consumers-feel-better-about-brands-that-give-them-
transparency-and-control-over-ads/ (Nov. 10, 2010).
    Finally, key industry stakeholders have responded very positively 
to the request for development of a simple, easy to use Do Not Track 
system. Leading browser companies have offered changes to their 
browsers to implement Do Not Track. Mozilla, for example, has 
implemented a Do Not Track header for use by consumers when they browse 
the web, and Microsoft has rolled out a Tracking Protection List 
feature that allows consumers to block the collection of information by 
specified third parties. Apple has announced a do not track tool in a 
test version of its browser. The advertising industry itself also 
appears to recognize the value of offering simplified choice to 
consumers and has ramped up its effort to provide clearer disclosures 
and choice mechanisms after release of our preliminary staff report. 
Indeed, most recently, several of the leading advertising industry 
trade associations have agreed to work closely with Mozilla to 
determine how to incorporate Mozilla's Do Not Track feature into its 
industry self-regulatory effort. I believe these efforts demonstrate 
that improved consumer choice can be consistent with innovation.
    As these developments take place, the Commission is continuing to 
analyze the comments received on the Preliminary Staff Privacy Report, 
including those regarding the potential effects of a Do Not Track 
mechanism on innovation and the availability of free Internet content. 
The Commission also will continue to evaluate information about the 
costs and benefits of any such mechanism.

    Question 2. The Commission's report calls for a ``privacy by 
design'' model that includes the recommendation for companies to only 
collect information needed for a specific business purpose. Some 
comments submitted on the report expressed concern that implementing 
such a restriction could become so specific that it limits innovation 
on new and potentially beneficial uses of data. How do you envision 
such a restriction being implemented in a way that will allow for the 
continued innovation of new products and services necessary to keep 
American companies as leaders in the global online world?
    Answer. The goal of privacy by design is to guide and motivate 
businesses to develop best practices for incorporating privacy into 
their products and services during the early stages of their 
development. Best practices that ensure that privacy solutions are 
compatible with business needs should not restrict innovation and will 
likely be more flexible than government rules. To be clear, the 
principle of privacy by design contemplates that businesses can and 
should collect information for their legitimate business purposes; 
however, as discussed in the Preliminary Staff Privacy Report, the 
concept of privacy by design also means the amount of data collected 
and duration for which such data is retained should be limited by those 
legitimate business needs. This reflects concerns that collected data 
may be retained by companies indefinitely, increasing the risk that the 
data may be compromised through a security vulnerability or put to use 
in ways that consumers never would have expected and to which they 
would object. Staff's recommendation that companies implement a privacy 
by design approach is designed to encourage businesses simply to think 
through the privacy and security risks associated with collecting more 
information than is currently needed from consumers and retaining it 
for longer than necessary. The Commission has recognized these concerns 
in its enforcement program. For example, we have brought data security 
cases against companies that kept shoppers' credit card information, 
long after they had a business need to do so. See e.g., In the Matter 
of BJ's Wholesale Club, Inc., Docket No. C-4148 (Sept. 23, 2005) (final 
consent order). In these cases, the credit card information was 
obtained by hackers. Had the companies taken more care in disposing of 
information they no longer needed, consumer harm could have been 
avoided. Similarly, last year Google collected personal information 
through its Street View cars--the company claims to have inadvertently 
collected that information without any intention of using it. Under the 
Privacy by Design approach recommended in our staff report, Google 
would have tested its systems to ensure that it did not collect data it 
did not need.
    As these examples demonstrate, companies should assess privacy and 
security risks as part of the innovation process and work to address 
them appropriately. For example, although they may determine that 
continued collection of personal data is necessary, they could try to 
anonymize such data to reduce privacy and security risks.
    We have received many comments on the concept of collecting and 
retaining data for a ``specific business purpose,'' which we plan to 
address in the final report in a way that furthers consumer privacy 
interests without impeding innovation.

    Question 3. Chairman Leibowitz, FTC Commissioner Rosch has 
expressed ``serious reservations'' about the new privacy proposal 
advanced in the FTC's staff report. He claims that the current ``harm'' 
model of FTC enforcement has served the Commission well. If the FTC is 
correctly enforcing its statutory responsibilities to ensure disclosure 
of ``material'' privacy policies and to hold companies accountable for 
those policies, consumers already have information to make informed 
decisions about their online privacy.

   If that's the case, why is it necessary to adopt a new, 
        broader regulatory framework for online privacy?

   If privacy policies are too opaque for consumers to 
        understand and if the FTC is concerned that consumers may be 
        misled, why wouldn't rigorous enforcement of the FTC's Section 
        5 deceptive trade practices authority improve the clarity of 
        privacy policies by companies seeking to avoid enforcement 
        actions?
    Answer. First, I note that the report does not propose a new 
regulatory framework--it simply provides a framework for industry best 
practices and potentially, for legislation, if Congress chooses to 
enact it.
    Second, I agree with you that robust enforcement of Section 5 is 
critical. We have recently brought cases against companies like Google, 
Twitter, and Chitika, an online advertising network, alleging that 
their practices were deceptive. We have additional cases in the 
pipeline.
    Third, Section 5 does not generally require companies to disclose 
their information practices. If they choose to make statements about 
privacy, and those statements are deceptive, the Commission may take 
action under Section 5. However, not every long or opaque disclosure 
will be deceptive under Commission precedent. Regardless of the 
threshold for Commission law enforcement actions, we believe that 
stakeholders should work together to improve transparency. Indeed, many 
companies recognize that providing clear disclosures to their consumers 
about their information practices helps them maintain a positive 
relationship with their customers. Companies have an interest in 
promoting that relationship regardless of the prospect of enforcement 
action by the FTC. The Preliminary Staff Privacy Report provides 
businesses with proposals for ways to simplify and improve disclosures, 
and we think those steps would work well in this area while we continue 
to take action against plainly deceptive practices.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                         Lawrence E. Strickling
    Question 1. From your perspective, what were the two most important 
privacy issues you'd like to highlight in the Department's Commerce 
privacy green paper?
    Answer. The Green Paper examines how the United States can 
strengthen its consumer data privacy framework while ensuring that this 
framework continues to encourage innovation in the digital economy. 
Instead of identifying specific consumer data privacy issues that 
companies and policymakers should address, the Green Paper focuses on 
recommendations that would help to create a policy framework that 
better addresses increasingly intensive uses of personal data in the 
digital economy. Two main issues emerged from this analysis.
    First, consumers and businesses would benefit from the adoption of 
baseline, comprehensive Fair Information Practice Principles (FIPPs) in 
the commercial context. Much of the personal data traversing the 
Internet falls into the gaps between existing Federal privacy statutes. 
There is also evidence that consumers who use the Internet 
misunderstand the legal rules that apply to personal information 
collection and use in the commercial context. These gaps in legal 
protection for personal data leave consumers insecure and uneasy about 
how data about their activities and transactions are collected, stored, 
and used. Widely adopted, comprehensive FIPPs would help to fill these 
gaps and thereby increase consumer trust in the Internet.
    Businesses would also benefit from comprehensive baseline FIPPs. 
Businesses generally recognize that their sustainability depends on 
maintaining consumer trust but find that the rules of the road are hard 
to discern. Applying a set of general principles to commercial 
activities that are not covered by an existing Federal data privacy 
statute would provide businesses with guidance as to what consumers and 
enforcement agencies expect of them.
    Second, fostering innovation within a consumer data privacy policy 
framework requires a flexible approach to implementing privacy 
protections. The Green Paper proposes a framework in which the 
Department of Commerce would convene multi-stakeholder groups--composed 
of representatives from industry, civil society, academia, and other 
government agencies--to define codes of conduct that are enforceable by 
the Federal Trade Commission under its current authority or through any 
additional authority granted through baseline consumer privacy 
legislation. These codes would provide guidance about how to apply 
FIPPs in specific contexts. The multi-stakeholder process envisioned in 
the Green Paper would help to ensure that these codes set forth 
practices that reflect evolving consumer expectations.

    Question 2. What role does consumer trust play in the way users 
exchange information, goods and services over the Internet?
    Answer. Protecting consumer trust in the Internet is a top policy 
imperative of NTIA and the Department of Commerce. Consumer trust is 
essential to nurturing the Internet's growth, and protecting privacy is 
an important part of maintaining consumer trust. When consumers entrust 
personal information to a company that does business on the Internet, 
they expect that the company will handle it in ways that are consistent 
with this relationship. If companies use information in ways that are 
contrary to consumers' expectations, then consumers may be reluctant to 
adopt new Internet services and applications. Finally, consumer trust 
depends on more than privacy. Issues of security, safety, and 
reliability also come into play. Whether making purchases online, 
communicating with family members, or conducting business, consumers 
must know that they have control over their personal information. As 
innovative new applications and services are developed, it is important 
that consumers know that their information is safe and that providers 
have clear rules about how to respect individual privacy.
    Indeed, the Department, in partnership with other Federal agencies 
and the private sector, is leading the implementation of an 
Administration effort to improve consumer trust online: The National 
Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC 
envisions enhancing online privacy and security through services that 
provide credentials that improve upon the user name and password 
schemes that are common online. The NSTIC proposes using technologies 
that would provide individuals the option of obtaining a strong 
credential to use in sensitive online transactions. The NSTIC calls for 
the participants in this digital identity marketplace to implement 
privacy protections that are based on comprehensive FIPPs. Developing 
enforceable codes of conduct through multi-stakeholder processes is one 
way that the Department can work with the private sector to implement 
these protections.

    Question 3. What do you envision the Department's role will be with 
respect to privacy in the future?
    Answer. We propose in the Green Paper an important role for the 
Department of Commerce in convening stakeholders to develop enforceable 
codes of conduct that implement comprehensive Fair Information Practice 
Principles (FIPPs) that the Obama Administration supports as the 
foundation of Federal legislation in this area. The Green Paper 
outlines a multi-stakeholder process in which the Department would 
convene companies, civil society groups, academics, and the FTC and 
other government agencies to produce enforceable codes of conduct. An 
open development process that includes industry and consumers can help 
align these codes and consumer expectations.
    Another important role for the Department of Commerce is to work 
toward greater interoperability between the U.S. consumer data privacy 
framework and those of our allies and trading partners. Companies would 
benefit from the potential reduction in multiple compliance burdens, 
and U.S. consumers would benefit from more consistent cross-border 
consumer data privacy protections. Both objectives are important to the 
Department of Commerce, and the Department and the Administration are 
committed to working with Congress to develop an appropriate 
legislative approach.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Begich to 
                         Lawrence E. Strickling
    Question. What steps should the industry take to assist Citizens 
with knowing what their digital life is like?
    Answer. Enhancing transparency is one important step that companies 
can take to help consumers understand the role of personal data 
collection and use in the digital economy. As the Department of 
Commerce's Green Paper on consumer data privacy explains, enhanced, 
effective transparency requires providing consumers with information 
that is accessible, clear, salient, and comprehensible. Current 
practices surrounding disclosures of privacy practices generally fall 
short of this standard; the privacy policies that are the primary 
mechanism for explaining what information companies collect and how 
they use are often lengthy, dense, and difficult to comprehend. 
Providing simpler statements of these practices, and providing them at 
times when consumers can act on this information, are ways that 
companies can provide consumers with greater insight into, and control 
over, their digital lives. Online tools or interfaces that allow 
consumers to understand and manage the collection of personal 
information can also provide a link between enhanced transparency and 
enhanced user control.
    The Department of Commerce has also recommended that companies 
regard enhanced transparency as part of a more comprehensive approach 
to handling personal information. To this end, the Green Paper 
encourages the broad adoption of comprehensive Fair Information 
Practice Principles (FIPPs).
                                 ______
                                 
Response to Written Questions Submitted by Hon. Kay Bailey Hutchison to 

                            John Montgomery
    Question 1. Mr. Montgomery, you mention at the beginning of your 
testimony the importance of behavioral advertising to the Internet. Do 
you believe the enactment of baseline privacy principles in the form of 
Federal legislation would have an effect on targeted advertising? If 
so, what would it be? And, in turn, what impact might that have on the 
larger online ecosystem?
    Answer. GroupM supports efforts to promote transparency and choice 
in the marketplace and believes industry self-regulation is the 
appropriate approach for addressing concerns with online advertising 
while ensuring the ad-supported web continues to provide consumers 
benefit and fuel the Internet economy. A major benefit of self-
regulation is its ability to respond quickly to changes in the 
technology, business practices, and consumer preferences. It is this 
adaptive nature of self-regulation that makes it so well suited for the 
complex Internet ecosystem.
    Our business is built on the belief that both consumers and 
companies benefit when advertising provides timely and relevant 
information to those consumers who are most likely to be interested. 
While not deliberate, a law could reduce the relevancy and 
effectiveness of advertising. There is already strong evidence that 
privacy regulations in the European Union have resulted in an average 
65 percent reduction in the effectiveness of online ads.\1\ We have 
concerns that a U.S. law could similarly hinder innovation in the 
advertising and marketing industry, undermining economic support for 
valuable content and services and possibly encouraging higher fees to 
consumers. Inhibiting innovation would restrict growth in one of the 
healthiest industries in a troubled U.S. economy. These conditions 
would discourage venture capital funding for new entries, and in so 
doing, stall job growth in the industry.
---------------------------------------------------------------------------
    \1\ According to a study conducted by Avi Goldfarb and Catherine E. 
Tucker, ``Privacy Regulation and Online Advertising,'' available at 
http://papers.ssrn.com/sol3/papers.cfm?abstract
_id=1600259.

    Question 2. Mr. Montgomery, there has been a lot of discussion 
about whether industry best practices and self-regulatory efforts are 
effective. Many believe that market forces will push companies toward 
such industry-led efforts and that the FTC has the existing legal 
authority to hold companies accountable as good stewards of consumer 
information. Which do you believe is best for consumers: having the 
Federal Government act as a legal backstop to industry-led self-
regulation or having the government set top-down prescriptive rules on 
how to collect and use consumer data? What are some of the advantages 
and concerns with each approach?
    Answer. Industry-led self-regulation is preferred over top-down, 
prescriptive rules imposed by government. GroupM believes self-
regulation is the most effective means for addressing concerns with 
online behavioral advertising. Self-regulatory codes are adaptive and 
may be quickly modified to address changes in consumer preference and 
technology. In addition, this approach helps preserve an environment 
that fosters online innovation, ensures advertising continues to help 
fuel the Internet economic engine, and supports a vibrant, ad-supported 
offering of products and services online that consumers now expect to 
receive for free or at a low cost. GroupM believes that the Digital 
Advertising Alliance's (``DAA'') Self-Regulatory Principles of Online 
Behavioral Advertising (``Principles) are comprehensive yet flexible 
enough to respond to the complex and rapidly evolving online 
advertising ecosystem. The Principles set-forth consumer-friendly 
standards that require participants to provide enhanced transparency 
and consumer choice with respect to the collection and use of data for 
online behavioral advertising purposes.
    The DAA's program has been designed for its participants to self-
police, promote compliance, and, where necessary, report non-compliant 
companies to the appropriate government agencies. This private-public 
collaboration where the Federal Government acts as a legal backstop 
augments the self-regulatory program's credibility and reinforces the 
program's accountability measures.
    The DAA program is backed by independent enforcement programs 
working in concert to monitor and enforce compliance with the 
Principles, as well as manage consumer complaint resolution. These 
accountability programs are live and being administered by the Council 
of Better Business Bureaus (``CBBB'') and the Direct Marketing 
Association (``DMA''). The DMA and CBBB Accountability Programs are 
empowered under the Principles to provide a public report on entities 
that do not come into compliance and to refer such cases to the Federal 
Trade Commission (``FTC''). The FTC through its authority under Section 
5 of the FTC Act can enforce against entities that fail to honor its 
commitment to adhere to the Principles. Through industry self-policing, 
more cops are on the beat, which reduces the burden on the FTC.

    Question 3. While a large portion of the online industry is 
participating in the self-regulatory program, it has not reached 100 
percent. What can be done to increase participation? Is it possible to 
do get full participation through a self-regulatory program?
    Answer. It is very possible to achieve full participation in the 
DAA program. The leading marketing and advertising trade associations, 
representing more than 5,000 companies, have committed to this self-
regulatory approach because they strongly believe in the program's 
purpose. This unprecedented collaborative effort has brought together 
representatives of the entire advertising ecosystem to develop and 
implement principles for the use and collection of data in this 
important area to the economy. Already, over 60 companies are 
participating in the DAA's Consumer Choice Page (http://
www.aboutads.info/choices/) and billions of ad impressions have been 
delivered with the Advertising Option Icon--the icon appearing in or 
near ads or on web pages where data is collected or used for online 
behavioral advertising purpose. This icon is used by participants to 
provide notice concerning online behavioral advertising practices and 
link to a universal choice mechanism.
    The launch of the DAA program is resulting in a change in industry 
practice. Companies are starting to require their partners to adhere to 
the Principles. This is driving participation in the program. In 
addition, the trade associations behind this self-regulatory effort and 
the Accountability Programs are reaching out to companies to promote 
program participation. To help companies with compliance, the DAA has 
selected three companies as approved providers to assist companies with 
implementing the Principles. These approved providers' services help 
companies to provide enhanced notice and choice as required by the 
Principles.
                                 ______
                                 
Response to Written Question Submitted by Hon. Kay Bailey Hutchison to 
                           Erich D. Andersen
    Question. While a large portion of the online industry is 
participating in the self-regulatory program, it has not reached 100 
percent. What can be done to increase participation? Is it possible to 
do get full participation through a self-regulatory program?
    Answer. The online ad industry, led by the Digital Advertising 
Alliance (DAA) and of which Microsoft is a member, is working to 
increase participation in the self-regulatory program. Among the 
efforts to drive participation is increased outreach to companies to 
promote participation and providing assistance to implement the 
program. Through these efforts the DAA believes it is possible to 
achieve full participation in its program.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. John Ensign to 
                           Erich D. Andersen
    Question 1. How would you say the self-regulatory approach is 
working in the marketplace to protect consumers thus far?
    Answer. While still in the early stages of roll-out, the self-
regulatory approach for online advertising is on a sound path. Over 60 
companies, including Microsoft, are already participating in the 
Digital Advertising Alliance's (DAA) Consumer Choice Page resulting in 
an Advertising Option Icon being delivered on billions of online ad 
impressions. The icon not only provides notice to consumers about 
online behavioral advertising practices, but also provides a link to a 
universal choice mechanism. With the leading marketing and advertising 
trade associations backing the self-regulatory approach the expectation 
is that more companies will participate in the Consumer Choice Page.
    The last few months have shown that industry can act quickly and 
effectively. For example, in that short period of time, the three major 
browser vendors have announced do not track tools that offer 
unprecedented privacy protection. Even the FTC has recognized and 
commended the progress industry has made in acting quickly and 
effectively to protect consumer privacy.

    Question 2. Mr. Andersen, you talked about the importance of 
industry self-regulation and best practices. How would your ability to 
protect consumers be compromised if we went in the opposite direction?
    Answer. Our ability to protect consumers would be compromised by 
the adoption of impractical proposals. Legislation becomes 
overregulation if it contains preferences for particular services, 
solutions, or mechanisms to provide notice, obtain choice, or protect 
consumer data, or if it mandates prescriptive rules that may be of 
limited effect or that burden businesses without yielding commensurate 
privacy benefits. Seeking input from interested stakeholders is one way 
to ensure the right balance is struck.

    Question 3. Mr. Andersen, your testimony highlighted the need to 
promote continued innovation in technology and online services. 
Fostering and supporting innovation in the marketplace is a top 
priority of mine, and there is no question that innovation is crucial 
for creating jobs and economic growth. In your view, what is the best 
way to encourage innovation while still protecting consumers' online 
privacy?
    Answer. There are a number of ways to encourage innovation while 
still protecting consumers' online privacy:

   Recognition of the role of self-regulation: while 
        comprehensive privacy legislation may provide a set of baseline 
        protections, self-regulation can build upon those protections 
        and adapt them to specific contexts. Consumers have different 
        privacy expectations depending on whether they are interacting 
        with online retailers, social media services, search engines, 
        or online ad networks. Self-regulatory principles can be 
        tailored to these different contexts. In addition, self-
        regulation can address emerging technologies or business 
        models.

   Ensure there are no technology mandates.

   Allow for ``operational use'' of data. This means that 
        companies would be able to use data to provide the service the 
        user wanted, improve services, protect against fraud, and 
        generally operate their business.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                             Barbara Lawler
General Privacy Questions
    Question 1. How does on-line information collection usually work?
    Answer. Intuit does not engage in online tracking. However, as a 
technology, online information tracking typically works through the use 
of ``cookies'' which are random, identifiers that have no significance 
on their own. These ``cookies'' may be limited in their duration to a 
particular session that a customer is having with a website, or they 
may persist for longer periods of time. In typical ``first party'' on-
line information collection, these cookies can help a company 
understand several things--the time spent on the site, the pages 
visited (and for how long), the navigation, or ``path'' that the 
visitor took, etc. This information is frequently used to improve the 
performance and usability of a company's website. Information may also 
be collected for ``3rd party'' use--where the kinds of information 
mentioned above may be shared across several different entities, 
typically advertisers, web-site publishers, and companies that help to 
match advertisers to publishers.

    Question 2. How does behavioral advertising differ from contextual 
advertising?
    Answer. Behavioral advertising typically refers to the delivery of 
advertising messages based on the interests inferred from a person's 
on-line behavior, over time. It may include the kinds of searches that 
he/she does; the types of websites visited, etc. The combination of 
these pieces of information can be used to deduce a person's interests, 
in which case advertisements related to those possible interests can be 
shown to the individual.
    Contextual advertising typically involves a ``single point in 
time'' matching of advertising content to someone based on a specific 
action that the individual takes. The classic example is the 
advertisements, or `sponsored links', which show up in the search 
results for a particular search query. For example, if someone were to 
search for information on car tires, he/she will likely see 
advertisements from tire manufacturers/sellers based specifically on 
that search request.

    Question 3. What evidence is there that behavioral advertising is 
effective?
    Answer. There have been some studies done which have shown that 
people are more likely to respond to advertising based on their 
inferred interests, than more general advertising messages unrelated to 
the audience receiving them.

    Question 4. What does online information collection mean for our 
children's reputations?
    Answer. Collection of information on children under 13 is regulated 
by the COPPA. Intuit's products and services are financial in nature 
and not intended to be used by children.
    We recognize the proliferation of social media and the use of it by 
minors. We would expect that companies providing such services would do 
so lawfully, and in a manner respectful of all individuals using such a 
service.

    Question 5. To what extent is geo-location tracking a problem?
    Answer. Geo-location information can be very useful to provide 
specific, highly relevant services to individuals, such as providing 
directions, identifying nearest services, etc. In all cases, however, 
the individual should understand that his/her geo-location information 
is being collected. It should also be retained and used for a very 
limited period of time specifically to provide those relevant services 
to him/her. Once the services have been delivered, the geo-location 
data should be deleted and/or removed from the service.

    Question 6. Is Federal privacy legislation needed? If so, what 
should be the basic elements of any privacy legislation?
    Answer. We see the value in commonsense Federal privacy 
legislations that could set rules of the road for companies to follow 
and clear the field of conflicting state laws. As the digital economy 
has grown over the last decade, self-regulatory approaches have allowed 
many businesses to offer consumers many innovative products and 
services while incorporating meaningful privacy protections in ways 
that fit the company size, structure, culture and industry. High 
performers that are committed to capturing and retaining their 
customers' trust implement a range of self-regulatory approaches, from 
privacy seals to government sponsored codes of conduct (such as the 
Dept. of Commerce Safe Harbor Program). Self-regulatory approaches may 
fall short for new, small start-ups, naive companies or malfeasant 
companies. The same could be said for regulation as well. It's our 
belief that the most effective way to protect consumers and support 
innovation is a principles-based approach, covering Fair Information 
Privacy Practices creates a credible baseline that provides the rules 
of the road.

    Question 7. Should companies be held to higher standards with 
respect to our children and the way their information is handled?
    Answer. The Children's Online Privacy Protection Act (COPPA) sets a 
high standard with respect to children online. The FTC should provide 
rigorous enforcement of COPPA.

    Question 8. Are you concerned about employer or insurance 
discrimination based on information collected about consumers online?
    Answer. We would have to research this issue in order to comment on 
this question.
Other questions
    Question 9. Your testimony demonstrates a strong commitment to 
privacy. Do you believe that Intuit's approach to privacy is generally 
followed by companies operating online? How would you suggest other 
companies integrate privacy protections into their services?
    Answer. Different businesses can offer consumers various innovative 
products and services while incorporating meaningful privacy 
protections in ways that fits the company size, structure, culture and 
industry. High performers like Intuit that are committed to capturing 
and retaining their customers' trust implement a range of self-
regulatory approaches, from privacy seals to government sponsored codes 
of conduct (such as the Dept. of Commerce Safe Harbor Program). Self-
regulatory approaches may fall short for new, small start-ups, naive 
companies or malfeasant companies. It's our belief that the most 
effective way to protect consumers and support innovation is a 
principles-based approach to legislation that creates a baseline that 
provides the rules of the road. We believe that an emphasis on 
education and advocacy through industry sector associations, business 
groups, small business associations and local chambers of commerce. 
This would be necessary for both regulatory and self-regulatory 
approaches.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Begich to 
                             Barbara Lawler
    Question. What steps should the industry take to assist citizens 
with knowing what their digital life is like?
    Answer. We are committed to educating our customers about their 
data stewardship choices and what they can do to protect their personal 
information when interacting with our products. Consumers would benefit 
from additional direct education and communication, such as PSAs 
through mass media, social networks and simple and clear information 
company websites.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Kay Bailey Hutchison to 

                             Barbara Lawler
    Question 1a. Ms. Lawler, your company is engaged in a variety of 
online businesses and is subject to several Federal and state privacy 
regulations. You know as well as anyone that totally unrelated 
companies can be impacted in different ways by the interconnected web 
of privacy laws. I fear that addressing a privacy issue in one area 
could have unexpected ramifications in a totally different area. If 
this Committee considers developing new online privacy legislation, 
what sort of pitfalls should we look out for so that we can avoid such 
unintended consequences?
    Answer. A principles-based legislative approach will have the 
highest probability of success in protecting consumers while providing 
a flexible, level playing field for a wide range of businesses holding 
different types of data for different purposes. This would allow 
organizations to incorporate the necessary types of privacy protections 
for consumers while allowing flexibility on how the protections are 
implemented. It can be the optimal framework for a wide range of 
business, especially small businesses, which are the backbone of the 
American economy. We are specifically concerned about requirements that 
provide risk to innovation and customer delight, that may limit the 
flexibility to try new options and methods of delivering value to our 
customers in a rapid, iterative fashion. Examples include mandates to 
require the use specific technologies or specific procedural mechanics, 
such as very specific requirements regarding how and when notices are 
delivered, worded and formatted; or rules that place too many controls 
on the first party use of data especially those uses that are already 
consistent with consumer understanding and expectations. Specific 
requirements can create overlapping rules for the exact same sets of 
data; or specific words required for contractual agreements with third 
parties can create confusion or inadvertent non-compliance. The 
Committee must also be careful to avoid prescriptive mandates that 
attempt to address one set of concerns with the Internet but could 
unintentionally limit or prevent other elements of the Internet from 
functioning properly--for example, the commendable effort to increase 
transparency and choice related to behavioral tracking and advertising, 
if overly proscribed, could inhibit software as a service applications' 
functionality. As we developed the Intuit Data Stewardship Principles, 
our customers told us in multiple rounds of research that they prefer 
the specificity of simple, plain language--Principles rather than the 
policy-based, business-speak language you or I might think is better.

    Question 1b. Is there an approach we can take to build upon or work 
within existing frameworks, such as HIPPA and Gramm-Leach-Bliley, 
rather than writing another separate statute?
    Answer. At Intuit we have experience with applying different rules 
to overlapping sets of data. Both HIPAA and GLB have their strengths 
and weaknesses; both are based on recognized privacy principles, and 
yet take philosophically different approaches. HIPAA is designed to 
limit data uses and sharing beyond the first party organization, while 
GLB is designed to enable data uses beyond the first party 
organization. And both contain elements of proscriptive requirements, 
notices being a prime example.
    We recommend starting from a fresh perspective that is principles 
based and does not rely on procedural requirements.

    Question 2a. Ms. Lawler, there has been a lot of discussion about 
whether industry best practices and self-regulatory efforts are 
effective. Many believe that market forces will push companies toward 
such industry-led efforts and that the FTC has the existing legal 
authority to hold companies accountable as good stewards of consumer 
information. Which do you believe is best for consumers: having the 
Federal Government act as a legal backstop to industry-led self-
regulation or having the government set top-down prescriptive rules on 
how to collect and use consumer data?
    Answer. We believe the most effective solution would be a middle 
ground between the two: A principles-based legislative approach will 
provide a wide range of businesses holding different types of data for 
different purposes to incorporate the necessary types of privacy 
protections for consumers while allowing flexibility on how the 
protections are implemented. It can be the optimal framework for a wide 
range of business, especially small businesses, which are the backbone 
of the American economy.

    Question 2b. What are some of the advantages and concerns with each 
approach?
    Answer. There is an argument that market forces, policy-maker 
scrutiny, customer expectations are heading in right direction but will 
not fully cover all types of organizations--high performers, edge 
riders and the majority that are unaware. Enforceable self-regulatory 
codes of conduct work for most business--high performers are provided 
opportunity to excel, and those who need rules of the road are still 
able to comply--preserving flexibility and the ability to innovate is 
key. As Congress considers rules of the road, take care to not be 
overly prescriptive--protecting online privacy while sacrificing 
innovation will not help consumers or the competitiveness of the 
American economy.

    Question 3. While a large portion of the online industry is 
participating in the self-regulatory program, it has not reached 100 
percent. What can be done to increase participation? Is it possible to 
do get full participation through a self-regulatory program?
    Answer. We believe that a good approach is an emphasis on education 
and advocacy through industry sector associations, business groups, 
small business associations and local chambers of commerce. This would 
be necessary for both regulatory and self-regulatory approaches.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. John Ensign to 
                             Barbara Lawler
    Question 1. How would you say the self-regulatory approach is 
working in the marketplace to protect consumers thus far?
    Answer. As the digital economy has grown over the last decade, 
self-regulatory approaches have allowed many businesses to offer 
consumers many innovative products and services while incorporating 
meaningful privacy protections to protect their customers in ways that 
fit the company size, structure, culture and industry. High performers 
that are committed to capturing and retaining their customers' trust 
implement a range of self-regulatory approaches, from privacy seals to 
government sponsored codes of conduct (such as the Dept. of Commerce 
Safe Harbor Program). Self-regulatory approaches may fall short for 
new, small start-ups, naive companies or malfeasant companies. The same 
could be said for regulation as well. It's our belief that the most 
effective way to protect consumers and support innovation is a 
principles-based approach to legislation that creates a baseline that 
provides the rules of the road.

    Question 2. Ms. Lawler in your testimony you cite the value of 
principles-based privacy legislation working in tandem with self-
regulatory approaches and codes of conduct, highlighting the importance 
of enabling industry flexibility.
    Answer. A principles-based legislative approach will provide a wide 
range of businesses holding different types of data for different 
purposes the ability to incorporate the necessary types of privacy 
protections for consumers while allowing flexibility on how the 
protections are implemented. It can be the optimal framework for a wide 
range of businesses, especially small businesses, which are the 
backbone of the American economy.

    Question 3. In your opinion, what would be the effect of over-
prescriptive, one-size-fits-all regulation on your ability to protect 
the online privacy of consumers?
    Answer. Intuit's approach is to provide our customers a high 
integrity, trusted end-to-end experience that ultimately results in 
customer delight. Proscriptive, one-size-fits-all approaches tend to 
emphasize form over functional value to consumers (when was the last 
time you read the mandatory financial institution or HIPAA privacy 
notice?). Such an approach would force us to focus on procedural 
compliance first and customer delight and innovation second. Our 
priority lies with providing our customers with innovative ways to 
solve their financial problems while making sure their data is 
protected.

    Question 4. Can you give me specific examples of what types of 
industry regulation you would consider over-prescriptive?
    Answer. We are specifically concerned about requirements that 
provide risk to innovation and ultimately hurt our ability to meet our 
customer' needs, and limit the flexibility to try new options and 
methods of delivering value to our customers in a rapid, iterative 
fashion. Examples include mandates requiring the use of specific 
technologies or specific procedural mechanics, such as very specific 
requirements about how and when notices are delivered, how they are 
worded and formatted, or specific words required for contractual 
agreements with third parties. As we developed the Intuit Data 
Stewardship Principles, our customers told us in multiple rounds of 
research that they prefer the specificity of simple, plain language 
Principles rather than the policy-based, business-speak language you or 
I might think is more descriptive.

    Question 5. In your view, what is the best way to encourage 
innovation while still protecting consumers' online privacy?
    Answer. We believe that the best way is through a principles-based 
approach that could work in tandem with self-regulatory approaches and 
enforceable codes of conduct, which provide consistent guidance to all 
types and sizes of organizations, fill the gaps between existing 
regulations. The principles-based approach is especially critical to 
allow for flexible application by small businesses.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Mark Begich to 
                        Christopher R. Calabrese
    Question 1. What steps should the industry take to assist citizens 
with knowing what their digital life is like?
    Answer. While industry can take some limited steps to protect 
consumers, the best way to improve public knowledge about digital life 
is for Congress to grant consumers control over their own personal 
information. If consumers had enforceable rights, they would educate 
themselves about how to use them. In the current system, there is no 
advantage to consumers in learning key facts about their digital life 
such as the entities that hold personal information or the tools used 
to monitor web tracking. No matter how educated consumers become, they 
can't do anything practical or beneficial with their knowledge. They 
can only participate online in a ``take it or leave it'' way. They have 
no power to limit data sharing, access personal profiles, or delete 
records. Consumers will only take the time to learn about the use of 
their information if it is worth their time and effort to do so. That 
means giving them the tools to police their own profiles and limit data 
sharing. My written statement elaborates in much more detail on the 
full range of enforceable rights the ACLU believes should be available 
to consumers.
    Given that reality, one useful step industry could take is to work 
with the Federal Trade Commission (FTC) to reduce the complexity of 
their privacy policies. Because the FTC can only penalize companies 
that engage in unfair and deceptive practices, companies have 
incentives to avoid providing clear notice to consumers because that 
notice could be used to create enforceable rights against them. 
Instead, they largely write bloated privacy policies that describe 
company practices in such detail and legalistic jargon as to be 
incomprehensible to consumers. If companies commit to providing 
simplified policies with common language and definitions that can be 
compared between companies (like nutrition labels on food), it would be 
a helpful consumer education tool.
    Similarly, companies could commit in simple terms to honoring any 
do not track preference stated by a consumer and insuring that all 
advertisers on their site do the same. ``Do not track'' should be 
understood to mean no tracking or storage of information at all, not 
simply a ban on behaviorally targeted ads. Such a mechanism would also 
give consumers incentive to learn about their rights.
    Ultimately both of these tools are limited compared to the real 
explosion of consumer education and understanding that could be created 
if consumers were actually given enforceable control over their 
information through a legislative mandate.

    Question 2. Mr. Calabrese, I appreciate your comments regarding the 
invasion of privacy currently occurring on the Internet. Besides your 
recommendation for a ``Do Not Track'' method for browsers what else 
could we do to improve the experience of Internet users?
    Answer. The best way to improve the experience of Internet users is 
to increase their trust in the system. As Internet use is increasing so 
is consumer awareness and fear of expanding information collection. 
Many new web applications use and share a great deal of personal 
information. Social networking sites, location based services, online 
retail services, and a variety of other sites all rely on a willingness 
of consumers to share personal information. These websites and 
applications can only reach their full potential if consumers can share 
this information secure in the knowledge that they retain control over 
it.
    There is evidence that these fears are affecting consumers. 
According the Federal Communications Commission's National Broadband 
Plan, 22 percent of people don't use the Internet because of discomfort 
with computers and concern ``about all the bad things that can happen 
if [they] use the Internet.'' According to Gallup polling conducted for 
USA Today, 61 percent of consumers opposed web tracking even if they 
kept costs down and allowed consumers to visit websites for free.
    Efforts to protect consumer privacy must be backed by the 
government, not simply created by industry. For years, government 
agencies have called on industry to provide privacy protections for 
consumers. However, as the FTC report explains in its recent report on 
privacy, self-regulatory efforts ``have been too slow, and up to now 
have failed to provide adequate and meaningful protection.'' Though 
industry has taken some steps, there is still no widespread adoption of 
provisions allowing consumer control and only a limited legally 
enforceable basis for relying on them.

    Question 2a. Are there different recommendations for those websites 
targeting children?
    Answer. We believe Congress should work toward providing a high 
level of protection to everyone's privacy online--adult and child 
alike. Strong protections that allow consumer control over sharing of 
personal information would benefit both children and adults. Within 
this framework, it might be necessary to provide heightened protection 
for children. For example, many advocates have called for special 
protections for sensitive information such as information related to a 
person's financial accounts, medical records or sexual orientation. 
Information on children could be placed in that category as well to 
assure that it receives the highest level of protection possible.

    Question 2b. What about applications on phones?
    Answer. Internet use on mobile phones raises two additional 
issues--location tracking and device identification. Mobile devices 
constantly record and track an individual's physical movements and the 
devices themselves often contain unique identifying numbers that cannot 
be easily changed. This allows more robust and persistent tracking both 
in the physical and Internet space. This information can be gathered 
both by cell phone providers and applications running on those phones.
    As of December 2009, more than 90 percent of the overall population 
of the United States subscribed to cell phone service--an estimated 
285.6 million people. While cell phones are best known as devices used 
to make voice calls and send text messages, they are also capable of 
being used as tracking devices. As a result, cell phone technology has 
given many parties including the government, marketers, and employers 
an unprecedented new surveillance tool. The technical capacity now 
exists to track any one of the Nation's hundreds of millions of cell 
phone owners, for 24 hours a day, for as long as it likes. Whether it 
is a visit to a therapist or liquor store, church or gun range, many 
individuals' locations will be available either in real time or months 
later. Because of the sensitivity and invasiveness of location records, 
many advocates, including the ACLU argue for high standards for access 
to this information including a warrant based on probable cause for law 
enforcement access.
    An example of the pervasiveness of this location tracking was 
recently described by the New York Times. According to the article a 
German lawmaker, Malte Spitz, gained access from his cell phone 
provider to all the location information associated with him (such 
access is required under German law). Using that information he was 
able to map his movements for 6 months. In another example, New York 
City attempted to fire an employee using cell phone records as evidence 
he was leaving work early.
    Consumers are concerned about this intrusion. In a recent poll, 49 
percent of respondents said they would be more comfortable with 
location-based services if they could more easily and clearly manage 
who sees their location information; 84 percent were concerned about 
the sharing of their location data without their consent; 84 percent 
were concerned about identity or data theft; and 83 percent were 
concerned about loss of privacy.
                                 ______
                                 

      Comments on ``The State of Online Privacy,'' March 16, 2011

    Adam Thierer, Senior Research Fellow, U.S. Senate, Committee on 
                 Commerce, Science, and Transportation

  Published by the Mercatus Center, George Mason University and also 
   available at http://mercatus.org/sites/default/files/publication/
           comments-senate-hearing-state-online-privacy.pdf.

    As the Commerce Committee continues its exploration of online 
privacy issues, it is important that it ask some hard questions about 
the wisdom of imposing a comprehensive new regulatory regime on the 
Internet, which the Obama Administration appears to now favor. The 
Federal Trade Commission (FTC) \1\ and Department of Commerce (DoC) \2\ 
both released new privacy ``frameworks'' late last year and seem 
determined to move America toward a more ``European-ized'' conception 
of privacy regulation.\3\
---------------------------------------------------------------------------
    \1\ Federal Trade Commission, Protecting Consumer Privacy in an Era 
of Rapid Change (December 2010), http://www.ftc.gov/os/2010/12/
101201privacyreport.pdf.
    \2\ U.S. Department of Commerce, Commercial Data Privacy and 
Innovation in the Internet Economy: A Dynamic Policy Framework, U.S. 
Department of Commerce Internet Policy Task Force (December 2010).
    \3\ Adam Thierer, ``Obama Admin's `Let's-Be-Europe' Approach to 
Privacy Will Undermine U.S. Competitiveness,'' Technology Liberation 
Front, January 5, 2011, http://techliberation.com/2011/01/05/obama-
admins-lets-beeurope-approach-to-privacy-will-undermine-u-s-
competitiveness/.
---------------------------------------------------------------------------
    Here are a few questions that should be put to the FTC and DoC 
officials, or those who support the direction they are taking us:

   Before implying that we are experiencing ``market failure,'' 
        why hasn't either the FTC or DoC conducted a thorough review of 
        online privacy policies to evaluate how well organizational 
        actions match up with promises made in those policies?

   To the extent any sort of internal cost-benefit analysis was 
        done internally before the release of these reports, has an 
        effort been made to quantify the potential size of the hidden 
        ``privacy tax'' that new regulations like ``Do Not Track'' 
        could impose on the market?

   Has the impact of new regulations on small competitors or 
        new entrants in the field been considered? Has any attempt been 
        made to quantify how much less entry/innovation would occur as 
        a result of such regulation?

   Were any economists from the FTC's Economics Bureau 
        consulted before the new framework was released? Did the DoC 
        consult any economists?

   Why do FTC and DoC officials believe that citing 
        unscientific public opinions polls from regulatory advocacy 
        organizations serves as a surrogate for serious cost-benefit 
        analysis or an investigation into how well privacy policies 
        actual work in the marketplace?

   If they refuse to conduct more comprehensive internal 
        research, have the agencies considered contracting with 
        external economists to build a body of research looking into 
        these issues (as the Federal Communications Commission did in a 
        decade ago in its media ownership proceeding)?

   Has either agency attempted to determine consumer's 
        ``willingness to pay'' for increased privacy regulation?

   Has either agency explored the potential free speech issues 
        that are at stake here since increased privacy regulation could 
        potentially infringe legitimate First Amendment rights?

   More generally, where is the ``harm'' \4\ and aren't there 
        plenty of voluntary privacy-enhancing tools out there that 
        privacy-sensitive users can tap to shield their digital 
        footsteps, if they feel so inclined?
---------------------------------------------------------------------------
    \4\ Berin Szoka and Adam Thierer, ``Targeted Online Advertising: 
What's the Harm & Where Are We Heading? Progress on Point 16.2, 
(Washington, D.C.: The Progress & Freedom Foundation, February 13, 
2009), http://www.pff.org/issues-pubs/pops/2009/
pop16.2targetonlinead.pdf.

    These are just some of the many of these questions explored in my 
recent filing to the Federal Trade Commission in its proceeding on 
Protecting Consumer Privacy in an Era of Rapid Change.\5\ Because of 
the unique focus on the so-called ``Do Not Track'' mechanism as a 
potential silver-bullet solution to online privacy concerns, I am 
attaching the portion of my filing discussing the potential costs of 
such a mandated solution.
---------------------------------------------------------------------------
    \5\ Adam Thierer, Public Interest Comment on Protecting Consumer 
Privacy in an Era of Rapid Change86 (Arlington, VA: Mercatus Center at 
George Mason University), February 18, 2011, http://mercatus.org/
publication/public-interest-comment-protecting-consumer-privacy-era-
rapid-change. Also see, see Adam Thierer, ``Unappreciated Benefits of 
Advertising and Commercial Speech,'' Mercatus on Policy 86 (Arlington, 
VA: Mercatus Center at George Mason University), January 2011, http://
mercatus.org/publication/unappreciatedbenefits-advertising-and-
commercial-speech.
---------------------------------------------------------------------------
How a Mandatory ``Do Not Track'' Regime Creates Potential Risks to 
        Consumers, Culture, Competition, and Global Competitiveness
    More tailored forms of online advertising and the ``tracking'' 
technologies which make them possible are coming under increasing 
scrutiny today. Some of this can be attributed to a general 
unfamiliarity with how online advertising works and the role personal 
information and data collection play in the process.\6\ Although, as 
noted above, no clear case of harm has been established, some privacy 
fundamentalists who oppose virtually any form data collection have 
elevated this concern to near ``techno-panic'' levels and are now 
demanding regulation.\7\ As noted below, a variety of tools--such as, 
browser cookie controls or third-party plug-ins--already exist that can 
help consumers block targeted ads or limit data collection. But the 
Commission, likely inspired by regulatory advocates' claims of the 
complexity of those voluntary systems, is now pushing for additional 
steps to simplify or speed up the process. Hence, a ``Do Not Track'' 
mechanism has become the preferred universal fix, and one that the 
Commission is now pushing upon the marketplace. Do Not Track would 
demand that websites honor a machine-readable header indicating that 
the user did not want to be ``tracked.'' In theory, this will allow 
privacy-sensitive web surfers to signal to websites that they would 
like to opt-out of any targeted advertising or not have any information 
about them collected when visiting sites. The potential costs of such a 
regime will be explored in this section.
---------------------------------------------------------------------------
    \6\ ``Exaggerated fears are particular common regarding new 
technologies.''.'' Kent Walker, ``The Costs of Privacy,'' 25 Harvard 
Journal of Law & Public Policy, no 87, (Fall 2001), 126. A recent 
report by the U.K. government noted that ``New media are often met by 
public concern about their impact on society and anxiety and 
polarisation of the debate can lead to emotive calls for action.'' 
Safer Children in a Digital World, Byron Review on Children and New 
Technology, Department for Children, Schools and Families, [U.K.] task 
force report, March 2008, 3, http://www.dfes.gov.uk/byronreview/pdfs/
Final%20Report%20Bookmarked.pdf.
    \7\ ``The privacy problem has morphed . . . into the latest terror 
of the digital ago, surpassing earlier shibboleths,'' argues Larry 
Downes. . . .'' Larry Downes, ``A Market Approach to Privacy Policy,'' 
in Berin Szoka and Adam Marcus, eds., The Next Digital Decade: Essays 
on the Future of the Internet (Washington, D.C.: TechFreedom, 2011), 
510. Also see generally Adam Thierer, ``Parents, Kids & Policymakers in 
the Digital Age: Safeguarding Against `Techno-Panics,' '' Inside ALEC, 
July 2009, 16-17, http://www.alec.org/am/pdf/Inside_July09.pdf.
---------------------------------------------------------------------------
1. Potential Direct Cost to Consumers
    The Commission poses a variety of questions regarding how a Do Not 
Track regime may be implemented and what its potential impact might 
be.\8\ How many consumers would opt-out? How many would be willing to 
pay site subscriptions? How would it impact online publishers and 
advertisers? And so on. The truth is, nobody knows the answers to these 
questions, and the Commission has made no attempt to conduct a serious 
cost-benefit analysis of such a regime. Importantly, opinion polls 
cannot predict with accuracy how things will turn out once such a 
regime takes effect because consumer and marketplace reactions to real-
world developments are more complex and nuanced than artificial surveys 
or experiments.\9\
---------------------------------------------------------------------------
    \8\ Federal Trade Commission, Protecting Consumer Privacy, A-4.
    \9\ See, e.g., Berin Szoka, ``Privacy Polls v. Real-World Trade-
Offs,'' 5 Progress Snapshot 10 (Washington, D.C.: The Progress & 
Freedom Foundation, October 8, 2009), http://www.pff.org/issues-pubs/
ps/2009/ps5.10-privacy-pollstradeoffs.html; Downes, ``A Market Approach 
to Privacy Policy,'' 514.
---------------------------------------------------------------------------
    What we do know is that online advertising today allows consumers 
to enjoy a veritable cornucopia of innovative, and mostly free, sites 
and services. Government regulation could ``break'' the implicit online 
quid pro quo currently governing online sites and services--that 
consumers enjoy a bevy of free content and services in exchange for 
tolerating ads and data collection--by creating what appears to be a 
cost-free choice option for consumers. That choice, however, will be 
anything but costless.
    Lauren Weinstein, co-founder of People For Internet Responsibility 
(PFIR), worries that the ``ability [of Do Not Track concepts] to cause 
major collateral damage to the Internet ecosystem of free Web services 
is being unwisely ignored or minimized by many Do Not Track 
proponents.'' \10\ Weinstein is correct. There is no free lunch. While 
well-intentioned, government regulation that attempts to create a cost-
free opt-out for data collection and targeted online advertising will 
likely have damaging unintended consequences. In terms of direct costs 
to consumers, Do Not Track could result in higher prices for service as 
paywalls go up or, at a minimum, advertising will become less relevant 
to consumers and, therefore, more ``intrusive'' in other ways.
---------------------------------------------------------------------------
    \10\ Lauren Weinstein, ``Risks in Mozilla's Proposed Firefox `Do 
Not Track' Header Thingy,'' Lauren Weinstein blog, January 24, 2010, 
http://lauren.vortex.com/archive/000803.html.
---------------------------------------------------------------------------
    Why might less relevant advertising represent a cost to consumers? 
It comes down to the value of their time and the benefits of relevant 
advertising to them. Ben Kunz, director of strategic planning at 
Mediassociates, a media planning and Internet strategy firm, argues 
that Do Not Track ``won't stop online ads'' but will instead simply 
lead to ``tons of banners and videos everywhere online. They'll simply 
be less relevant.'' \11\ The Wall Street Journal agrees, noting: 
``While many supporters of Do Not Track imagine that the opt-out would 
reduce the ads they see, the opposite would more likely occur, causing 
advertisers to blanket more media and use more intrusive techniques to 
reach the same number of potential customers.'' \12\ When Google 
recently announced it would be offering a ``Keep My Opt-Outs'' 
extension to its Chrome web browser to come into line with the FTC's 
desire for more Do Not Track mechanisms, the company also noted that 
``once you install the Keep My Opt-Outs extension, your experience of 
online ads may change: You may see the same ads repeatedly on 
particular websites, or see ads that are less relevant to you.'' \13\ 
Thus, Do Not Track ``will stop marketers from serving up ads for 
products you may actually want,'' Kunz notes.\14\ This represents a 
direct cost to consumers in terms of the hassle of unwanted, intrusive 
(or ``spammy'') advertising.
---------------------------------------------------------------------------
    \11\ Ben Kunz, ``The $8 Billion Do Not Track Prize,'' Bloomberg 
Businessweek, December 22, 2010, http://www.businessweek.com/
technology/content/dec2010/tc20101222_392883.htm.
    \12\ ``The Internet Browsing Cops,'' January 21, 2011, http://
online.wsj.com/article/SB1000
1424052748704723104576061900000013690.html.
    \13\ Sean Harvey and Rajas Moonka, ``Keeping Your Opt-Outs,'' 
Google Public Policy Blog, January 24, 2010, http://
googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html.
    \14\ Kunz, ``The $8 Billion Do Not Track Prize.''
---------------------------------------------------------------------------
    But it is the potential for prices to rise for online content and 
services that is the most important direct cost to consumers. If 
paywalls go up and subscriptions are required as a result of the new Do 
Not Track regime, Corey Kronengold of Digiday suggests the response of 
users could take one of two forms: \15\
---------------------------------------------------------------------------
    \15\ Corey Kronengold, ``Taking Issue: The Value of Privacy,'' 
Digiday, December 16, 2010, http://www.digidaydaily.com/stories/taking-
issue-the-value-of-privacy.

        1. Users (especially those who are highly privacy sensitive) 
        might gladly accept the trade-off and pay something more for 
        those sites and services instead of having data collected or 
---------------------------------------------------------------------------
        ads served; or,

        2. Users might revolt against the resulting paywalls, 
        subscriptions, micropayment schemes, tiered services, etc, and 
        demand government intervention in the name of ``fairness.'' We 
        might even hear talk of ``gouging'' and calls for price 
        regulation, even though developers would have no choice but to 
        raise prices to cover costs in the absence of advertising 
        support.

    Some mix of the two could be the end result, but the latter 
scenario seems far more likely. ``If we move too far one way, the 
people supplying the free content will get together and say we aren't 
going to supply the content for free,'' says Dilip DaSilva, chief 
executive of Exponential Interactive, owner of the Tribal Fusion online 
advertising network. ``It's not like the publishers will offer free 
content to people who visit their site but don't want ads tracking 
them.'' \16\
---------------------------------------------------------------------------
    \16\ Quoted in Tanzina Vega and Verne Kopytoff, ``In Online Privacy 
Plan.''
---------------------------------------------------------------------------
    Of course, there is nothing wrong with online sites and service 
providers charging for what they offer consumers, but, as Kronegold 
suggests, if regulation moves the marketplace in that direction 
unnaturally, many consumers will likely have a problem with it since 
they have grown accustomed to an abundance of ``free'' online services. 
It is impossible to determine what prices online providers might seek 
to charge for their services, but anything more than the $0.00 they 
currently charge will likely come as a shock to many consumers. As 
discussed in the following section, it will also have profound 
repercussions on the broader availability of much content and many of 
the services consumers take for granted. In this sense, Do Not Track 
becomes a ``privacy tax'' on consumers, requiring them to pay for 
things they previous received inexpensively, or for free.\17\
---------------------------------------------------------------------------
    \17\ ``We might better think of a privacy tax--we pay the regular 
price unless we want to keep information about our food, alcohol, and 
pharmaceutical purchases from the market; to keep our habits to 
ourselves, we pay extra.'' Hal Abelson, Ken Ledeen, and Harry Lewis, 
Blown to Bits: Your Life, Liberty, and Happiness After the Digital 
Explosion (Upper Saddle River, NJ: Addison-Wesley, 2008), 11.
---------------------------------------------------------------------------
    There are other costs associated with the process of creating 
paywalls and setting prices that will be borne by online content 
providers and consumers, as Commissioner William Kovacic noted in his 
statement on the Commission's privacy report:

        Setting prices is costly; if willingness to pay to avoid 
        tracking varies substantially, the informational requirements 
        to set access prices will be large. For a number of content 
        providers, a price-for-content model is likely to provide less 
        revenue than monetization via advertising; that most websites 
        choose an ad-driven model rather than a direct fee model 
        suggests that the former is a more efficient means than the 
        latter to monetize content in most circumstances. At the 
        margin--which may be large--forcing firms away from their 
        revealed-preferred method of monetization may reduce revenue 
        and hence degrade quality. In discussing whether website 
        content might be degraded by consumers choosing not to be 
        tracked, how, if at all, should such risks impact the 
        Commission's analysis? \18\
---------------------------------------------------------------------------
    \18\ Concurring Statement of Commissioner Kovacic, in Federal Trade 
Commission, Protecting Consumer Privacy, D-4.

    How much content will go behind paywalls? Dan Castro of the 
---------------------------------------------------------------------------
Information Technology & Innovation Foundation fears much will:

        If a Do Not Track list ever became widely implemented companies 
        could respond by simply blocking access to those sites for 
        users who opt out, just as some sites today block users who use 
        ad-blocking software or do not register on a site. Users who 
        currently opt out of targeted advertising but continue to use 
        the content or service which the advertising pays for are 
        essentially free riders. They are the minority of users who are 
        benefiting from the willingness of the majority to divulge some 
        personal information in exchange for free or reduced-price 
        content. It is this exchange that enables the U.S. Internet 
        ecosystem to be so robust and largely free of charge to the 
        average user. Privacy advocates rarely acknowledge the harm to 
        advertising revenues that would result from a large number of 
        consumers signing up for Do Not Track.\19\
---------------------------------------------------------------------------
    \19\ Daniel Castro, ``Policymakers Should Opt Out of `Do Not 
Track','' Information Technology & Innovation Foundation, November 
2010, 3, www.itif.org/files/2010-do-not-track.pdf.

    Another alternative short of paywalls would be interstitial pop-ups 
warning consumers they must first disable Do Not Track before they are 
allowed to use portions of the site, or perhaps any of it.\20\ In other 
words, sites may seek to formalize the previously unwritten quid pro 
quo of information as currency. Some Do Not Track regulatory advocates 
try to assuage such concerns by pointing to the existence of widespread 
online website registration or site ``login'' procedures today, which 
do not generally require user to disable settings (such as cookie-
blocking or ad-blocking) or pay anything before using site content/
services. For example, Arvind Narayanan of Stanford University argues:
---------------------------------------------------------------------------
    \20\ Ironically, depending on how such permission systems are 
structured, this may actually end up forcing consumers to reveal more 
information about themselves to many sites as a condition of access 
content or services on those sites.

        I do not believe that disabling DNT as a requirement for 
        service will become anywhere near as prevalent as logging in as 
        a requirement for service. I bring up login only to make the 
        comforting observation there seems to be a healthy equilibrium 
        between sites that require login always, some of the time, or 
        never.\21\
---------------------------------------------------------------------------
    \21\ Arvind Narayanan, `` `Do Not Track' Explained,'' 33 Bits of 
Entropy, September 30, 2010, http://33bits.org/2010/09/20/do-not-track-
explained.

    Ultimately, however, this observation provides little comfort since 
it ignores the fact that Do Not Track could be preemptively breaking 
business models on an unprecedented scale, thus forcing vast numbers of 
online publishers to make uncomfortable trade-offs going forward if 
they wish to provide the current level of service or expanded options. 
Narayanan may end up being correct and a highly tiered, permission-
based Internet may not be erected. But, as the next section notes, that 
is a risky bet and one that could have profound consequences for the 
future online content and the richness of its culture.
2. Potential Indirect Costs/Impact on Content & Culture
    Direct monetary cost to consumers is not the only issue here. The 
indirect impact of regulation on content and culture must also be 
considered.
    While targeted online advertising only accounted for $1.1 billion 
in 2010, it has been growing at healthy 20 percent clip, estimates 
eMarketer.\22\ ``Factor in the use of data to determine marketing 
efficiencies and that figure could be as high as $7 billion to $8 
billion of the $25 billion online ad spend,'' says Katy Bachman of 
AdWeek.\23\ Larry Ponemon, Chairman of the Ponemon Institute, which 
studies privacy and security issues, told the New York Times that 
``Privacy fears are definitely having an economic impact'' on the 
market, especially the uncertain legal and regulatory environment and 
the threat of regulation.\24\ A May 2010 Ponemon Institute survey of 
senior marketing executives with 90 diverse organizations that were 
actively engaged in online marketing found that:
---------------------------------------------------------------------------
    \22\ David Hallerman, ``Audience Ad Targeting: Data and Privacy 
Issues,'' eMarketer, February 2010, http://www.emarketer.com/Reports/
All/Emarketer_2000636.aspx.
    \23\ Katy Bachman, ``(Ad) Apocalypse Soon,'' AdWeek, December 19, 
2010, http://www.ad
week.com/aw/content_display/esearch/
e3i9f75082f2f627711694ca34d9b326105.
    \24\ Quoted in Steve Lohr, ``Privacy Concerns Limit Online Ads, 
Study Says,'' New York Times, April 30, 2010, http://
bits.blogs.nytimes.com/2010/04/30/privacy-concerns-limit-online-ads-
study-says.

        63 percent of those we surveyed said behavioral advertising 
        generated their greatest return on investment. Yet 98 percent 
        told us that, because of consumers' privacy fears, their 
        companies are curtailing investments in online behavioral 
        targeting. These companies are willing to sacrifice the revenue 
        they believe they can generate through an online campaign 
        rather than risk the potential hit to brand reputation for 
        being as aggressive as they would like to be. Overall that 
        curtailment has kept more than $600 million out of the 
        behavioral targeting industry.\25\
---------------------------------------------------------------------------
    \25\ Larry Ponemon, ``Fear and Loathing in Online Advertising,'' 
Ponemon Institute blog, May 3, 2010, http://www.ponemon.org/blog/post/
fear-and-loathing-in-online-advertising.

    This matters because it represents foregone investment in new forms 
of content, culture, and services. Media economists and industry 
experts have long realized that advertising is the great sustainer of 
media.\26\ Advertising benefits society by subsidizing the creation of 
news, information, and entertainment. ``Advertisers are critical to the 
success of commercial media because they provide the primary revenue 
stream that keeps most of them viable,'' argues Robert G. Picard, 
author of The Economics and Financing of Media Companies.\27\ Mary 
Alice Shaver of the University of Central Florida puts this support in 
context: ``Advertising revenues pay for virtually all broadcast media, 
70 percent to 80 percent of support for newspapers and an equally high 
percentage for magazines.'' \28\
---------------------------------------------------------------------------
    \26\ For a summary, see Adam Thierer, ``Unappreciated Benefits of 
Advertising and Commercial Speech,'' Mercatus on Point 86 (Arlington, 
VA: Mercatus Center at George Mason University), January 2011, http://
mercatus.org/publication/unappreciated-benefits-advertising-and-
commercial-speech.
    \27\ Robert G. Picard, The Economics and Financing of Media 
Companies (Bronx, NY: Fordham University Press, 2002), 122.
    \28\ Mary Alice Shaver, ``The Economics of the Advertising 
Industry,'' in Alison Alexander, et. al., Media Economics: Theory and 
Practice (Mahwah, NJ: Lawrence Erlbaum Associates, Third Edition, 
2004), 250.
---------------------------------------------------------------------------
    Importantly, advertising is proving increasingly to be the only 
business model with any real staying power for many media and 
information-producing sectors. Pay-per-view mechanisms, micropayments, 
and even subscription-based business models are all languishing.\29\ 
Consequently, the overall health of modern media marketplace and the 
digital economy--and the aggregate amount of information and speech 
that can be produced or supported by those sectors--is fundamentally 
tied up with the question of whether policymakers allow the advertising 
marketplace to evolve in an efficient, dynamic fashion.\30\ In this 
sense, it is not hyperbole to say that an attack on advertising is 
tantamount to an attack on media itself.\31\
---------------------------------------------------------------------------
    \29\ To some extent, these are all just variations of a fee-for-
service business model. ``Micropayments,'' for example, would require a 
small payment for each media unit accessed or downloaded, such as $1 
per news article or song.
    \30\ Much of the valuable information content available on the 
Internet, and so many of the useful services we use every day, is 
free,'' explains Larry Downes, ``not because of some utopian dream of 
inventors or even because of the remarkably low transactions costs of 
the digital economy. The content is free because the costs of the 
services--blogs, stock quotes, even home movies posted on YouTube--are 
underwritten by advertisers. If we don't read and respond to ads, we'll 
have to pay for these services some other way,'' he notes. Downes, The 
Laws of Disruption, 83-4.
    \31\ See Adam Thierer, Berin Szoka, and W. Kenneth Ferree, Comments 
of the Progress & Freedom Foundation in the Matter of the Federal 
Communications Commission's Examination of the Future of Media and 
Information Needs of Communities In a Digital Age, The Progress & 
Freedom Foundation, May 5, 2010, 28-38, http://www.pff.org/issues-pubs/
testimony/2010/2010-05-05-
Comments_in_FCC_Future_of_Media_proceeding.pdf.
---------------------------------------------------------------------------
    A March 2010 study on ``The Value of Behavioral Targeting,'' 
conducted by Howard Beales on behalf of the Network Advertising 
Initiative, demonstrates how this could be the case.\32\ Beales, the 
former Director of the Bureau of Consumer Protection at the FTC, found 
that advertising rates are significantly higher for behaviorally 
targeted ads, with the average return on behaviorally targeted 
advertising being just over twice that of other advertising. The reason 
that greater return on investment is important, Beales notes, is 
because:
---------------------------------------------------------------------------
    \32\ Howard Beales, ``The Value of Behavioral Targeting,'' Network 
Advertising Initiative, March 2010, www.networkadvertising.org/pdfs/
Beales_NAI_Study.pdf.

        Advertising using behavioral targeting is more successful than 
        standard run of network advertising, creating greater utility 
        for consumers from more relevant advertisements and clear 
        appeal for advertisers from increased ad conversion. Finally, a 
        majority of network advertising revenue is spent acquiring 
        inventory from publishers, making behavioral targeting an 
        important source of revenue for online content and services 
        providers as well as third party ad networks.\33\
---------------------------------------------------------------------------
    \33\ Ibid., 1.

    This illustrates how more effective advertising can cross-subsidize 
and sustain online content and culture. More and better advertising 
means more and better content and services will be made available to 
consumers. Beales concluded his study by noting: ``Increasingly, 
advertising is the financing mechanism that makes online content and 
services possible as well. As content traditionally provided offline 
(such as newspapers) continues to move to the Internet, the link 
between online advertising and content is likely to become increasingly 
vital to the provision of information and services that we have long 
taken for granted.'' \34\
---------------------------------------------------------------------------
    \34\ Ibid., 18.
---------------------------------------------------------------------------
    With these insights in mind, it is peculiar that the Commission 
ignores the connection between this proceeding and another FTC 
proceeding which poses the question, ``How Will Journalism Survive the 
Internet Age?'' \35\ That is a fair question for the FTC to ask, and 
one that the Federal Communications Commission has also been pondering 
in a series of workshops on ``The Future of Media.'' \36\ What the 
Commission proposes in this proceeding certainly will not help matters 
any and it begs the question: If not advertising, then what will 
sustain online media, digital age culture, and social networking 
services going forward? \37\
---------------------------------------------------------------------------
    \35\ Federal Trade Commission, ``How Will Journalism Survive the 
Internet Age?'' Workshop Series, 2010, http://www.ftc.gov/opp/
workshops/news/index.shtml. All filing made to the Commission in the 
proceeding are located here: http://www.ftc.gov/os/comments/newsmedia
workshop/index.shtm.
    \36\ Federal Communications Commission, ``Future of Media,'' http:/
/reboot.fcc.gov/future
ofmedia.
    \37\ Castro goes even further, arguing that ``If the goal of the 
initiative is to restrict targeted advertising, it would be better for 
Congress to just ban Internet advertising outright and develop a 
`Corporation for Public Internet' to fund Internet content and 
applications.'' Castro, ``Policymakers Should Opt Out of `Do Not 
Track','' 4.
---------------------------------------------------------------------------
    John Battelle is blunter in his assessment of how damaging this 
move could be to online culture:

        don't come crying to me when you realize that in opting out of 
        our marketing-driven world, you've also opted out of, well, a 
        pretty important part of our ongoing cultural conversation, one 
        that, to my mind, is getting more authentic and transparent 
        thanks to digital platforms. And, to my mind, you've also opted 
        out of being a thinking person capable of filtering this stuff 
        on your own, using that big ol' bean which God, or whoever you 
        believe in, gave you in the first place. Life is a 
        conversation, and part of it is commercial. We need to buy 
        stuff, folks. And we need to sell stuff too.\38\
---------------------------------------------------------------------------
    \38\ John Battelle, ``Thurs. Signal: Go On, Opt Out. Just Don't 
Come Cryin' To Me . . .'' Federated Media Publishing, December 1, 2010, 
http://www.federatedmedia.net/blog/2010/12/thurs-signal-go-on-opt-out-
just-don't-come-cryinto-me.

    This is a simplified explanation of the value exchange that drives 
the Internet, but Battelle is correct that if heavy-handed regulation 
replaces common sense or the current online quid pro quo of 
information-forservices, then something must give. While the idea of a 
cost-free opt-out model for the all online data collection/advertising 
may sound seductive to some, it is vital to take into account the 
opportunity costs of such regulation. The real world is full of trade-
offs and there is no such thing as a free lunch.
3. Competition & Market Structure
    The Commission does not need to be reminded that it was created in 
large part to safeguard competition. This proceeding, however, 
threatens to tip the balance in favor of existing technologies or 
market players over future ones.\39\ AdWeek's Katy Bachman argues that:
---------------------------------------------------------------------------
    \39\ ``Regulation that disfavors one technology or business model 
would also deter entry, thwart innovation, and limit competition and 
choice in the sale of online advertising.'' Joan Gillman, Testimony 
before the House Energy & Commerce Committee, Hearing on Do Not Track 
Legislation: Is Now the Right Time? December 2, 2010, 5, http://
energycommerce.house.gov/hearings/Testimony.aspx?TID=4184.

        Heavy-handed privacy legislation could actually curb 
        competition by crippling ad networks that serve ads to niche 
        Websites dependent on advertising to fund content. Websites 
        would have to resort to pay models in a medium where free 
        content is the norm. No doubt the big brands would still draw 
        contextual advertising, but that would come at the expense of 
        new, emerging brands, thus squelching competition in a space 
        that has thrived on it.\40\
---------------------------------------------------------------------------
    \40\ Katy Bachman, ``(Ad) Apocalypse Soon,'' AdWeek, December 19, 
2010, http://www.ad
week.com/aw/content_display/esearch/
e3i9f75082f2f627711694ca34d9b326105.

    Similarly, Tanzina Vega and Verne Kopytoff of The New York Times 
---------------------------------------------------------------------------
have noted that:

        The Federal Trade Commission's proposed privacy mechanism could 
        cause a major shift in the online advertising industry, as 
        companies that have relied on consumers' browsing history try 
        to make up for what could be billions in lost revenue.

        If the vast majority of online users chose not to have their 
        Internet activity tracked, the proposed ``do not track'' system 
        could have a severe effect on the industry, some experts say. 
        It would cause major harm to the companies like online 
        advertising networks, small and midsize publishers and 
        technology companies like Yahoo that earn a large percentage of 
        their revenue from advertising that is tailored to users based 
        on the sites they have visited.

        Under a situation where many users opt out of being tracked, 
        other companies, like Google, may take a much smaller hit 
        because the vast majority of its revenue comes through search 
        ads that would not be affected by a do-not-track mechanism. 
        Microsoft, which also sells display advertising through its ad 
        network, could also survive a hit to user data collection since 
        it earns revenue from sources other than advertising, including 
        software and gaming, experts say.\41\
---------------------------------------------------------------------------
    \41\ Tanzina Vega and Verne Kopytoff, ``In Online Privacy Plan, the 
Opt-Out Question Looms,'' New York Times, December 5, 2010, http://
www.nytimes.com/2010/12/06/business/media/06privacy.html.

    ``In a setting where first-party advertising is allowable but 
third-party marketing is not, substantial advantages may be created for 
large incumbent firms,'' argue Avi Goldfarb and Catherine Tucker.\42\ 
``For example, if a large website or online service were able to use 
its data to market and target advertising, it will be able to continue 
to improve and hone its advertising, while new entrants will find it 
difficult to challenge the incumbent's predominance by compiling other 
data or collecting their own data,'' they conclude.\43\
---------------------------------------------------------------------------
    \42\ Avi Goldfarb and Catherine Tucker, ``Comments on `Information 
Privacy and Innovation in the Internet Economy,''' Comments to the U.S. 
Department of Commerce, January 24, 2011, 4, http://www.ntia.doc.gov/
comments/101214614-0614-01/attachments/NTIA_comments_2011
_01_24.pdf.
    \43\ Ibid.
---------------------------------------------------------------------------
    And Kunz fears that ``the `Long Tail' of niche content is going to 
get crushed'' since ``thousands of small websites may disappear as 
dollars flow to consolidated publishing centers.'' ``Do Not Track will 
send billions of dollars to the big online publishers, hurting the 
little sites you might find most interesting. The second point is 
painful. It could really harm you, too, dear consumer, if you read 
things online other than The New York Times, Bloomberg, or 
iVillage.com.'' \44\ This should hardly be surprising since economists 
have long recognized that ``advertising typically benefits new entrants 
and small firms more than it does large, established firms,'' \45\ and 
that is likely to be the case for targeted online advertising since it 
would be the easiest way for niche sites to find interested consumers 
and advertisers.
---------------------------------------------------------------------------
    \44\ Kunz, ``The $8 Billion Do Not Track Prize.''
    \45\ Thomas M. Lenard and Paul H. Rubin, Privacy and the Commercial 
Use of Personal Information (Washington, D.C.: The Progress & Freedom 
Foundation, 2002), xxii.
---------------------------------------------------------------------------
    Thus, the risk exists that a Do Not Track mandate could steer 
markets in unnatural, inefficient directions by erecting new barriers 
to entry or directly picking technological winners and losers.\46\ If 
so, the Commission will have failed in its mission to safeguard 
competition and improve consumer welfare.
---------------------------------------------------------------------------
    \46\ As the National Cable and Telecommunications Association 
(NCTA) noted in comments to the Department of Commerce: ``In a nascent 
and highly dynamic market characterized by rapid technological change 
such as online advertising, any regulation that favors or disfavors one 
technology or business model over another could seriously thwart 
innovation and the development of new business models that could 
benefit consumers, content providers, and advertisers, by prematurely 
locking market participants into one sanctioned approach. Moreover, 
limiting online advertising to specified designated permissible 
techniques would deter new entry, and limit competition.'' National 
Cable and Telecommunications Association, Reply Comments to the U.S. 
Department of Commerce, January 28, 2011, 10-11. http://
www.ntia.doc.gov/comments/10121
4614-0614-01/comment.cfm?e=17AF54FD-5201-474A-8EB8-E8B6071AEDEC.
---------------------------------------------------------------------------
4. International Competitiveness
    Some advocates of intervention on this front do not hide their 
desire to move the United States in a direction the European Union has 
followed with ``data directives'' and more stringent forms of privacy 
regulation. But America's refusal thus far to walk down that more 
regulatory path offers scholars the chance to evaluate Europe's more-
restrictive approach and study whether America's lead in the global 
digital marketplace might be tied to its more ``hands-off'' approach to 
online regulation. A recent study by Goldfarb and Tucker found that 
``after the [European Union's] Privacy Directive was passed [in 2002], 
advertising effectiveness decreased on average by around 65 percent in 
Europe relative to the rest of the world.'' \47\ They argue that 
because regulation decreases ad effectiveness, ``this may change the 
number and types of businesses sustained by the advertising-supporting 
Internet.'' Regulation of advertising and data collection for privacy 
purposes, it seems, can affect the global competitiveness of online 
firms.
---------------------------------------------------------------------------
    \47\ Avi Goldfarb and Catherine Tucker, ``Privacy Regulation and 
Online Advertising,'' 57 Management Science 1, (January 2011), 57-71, 
http://papers.ssrn.com/sol3/papers.cfm?abstract_
id=1600259.
---------------------------------------------------------------------------
    This is what makes talk of ``harmonization'' among privacy regimes 
so dangerous. It threatens to undermine America's competitive advantage 
in the global digital arena. It is hard to find many European 
counterparts that rival Google, Amazon, Apple, Facebook, eBay, 
Microsoft, or other market leaders. Why is it that the information 
technology sector has thrived in America and that U.S. companies are 
leaders in many of their respective sectors across the globe? Might it 
be precisely because the U.S. did not follow others down the path of 
``data directives'' and heavy handed, top-down regulation of the 
Internet more generally? ``If applied to American companies, these 
European laws would restrict the breakneck innovation of the commercial 
web,'' argues the NetChoice Coalition.\48\ And Yahoo! correctly 
summarizes:
---------------------------------------------------------------------------
    \48\ Steve DelBianco and Braden Cox, NetChoice Reply Comments on 
Department of Commerce Green Paper, January 28, 2011, 7, http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=1EA98542-
23A4-4822-BECD-143CD23BB5E9.

        It is no coincidence that the U.S. is the birthplace of most of 
        the widely used global websites and online services. Our legal 
        frameworks encourage innovation through reasonable liability 
        regimes, controls on harmful uses of information, promotion of 
        a diversity of online voices, security requirements based on 
        the sensitivity of the data, and a light regulatory hand that 
        favors and recognizes complementary roles for industry self-
        regulation.\49\
---------------------------------------------------------------------------
    \49\ Anne Toth, Comment of Yahoo! on Commercial Data Privacy and 
Innovation in the Internet Economy, January 28, 2011, 2, http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=F6A50C0B-
00CC-44A6-B475-FE218170CA02.

    The Department of Commerce's recent privacy green paper says 
America should look to ``prevent conflicting policy regimes from 
serving as a trade barrier.'' \50\ But should the U.S. impose 
burdensome new regulations on American companies to achieve that goal? 
Would we really be better off if all U.S. firms and policy more closely 
resembled the E.U. in this regard?
---------------------------------------------------------------------------
    \50\ Department of Commerce, Commercial Data Privacy and 
Innovation, 20.
---------------------------------------------------------------------------
    Some privacy advocates posit the need for greater 
``interoperability'' or harmonization of privacy policies 
internationally to facilitate smoother online commercial interactions 
or data flows. Yet, the Commerce Department's recent privacy green 
paper notes that ``a considerable amount of global commerce takes place 
on the Internet [and] global online transactions currently total an 
estimated $10 trillion annually'' and is growing. Still, it continues 
on to claim that ``the lack of cross-border interoperability in privacy 
principles and regulations creates barriers to cross-border data flow 
and significant compliance costs for companies,'' \51\ and repeats the 
argument for harmonization.
---------------------------------------------------------------------------
    \51\ Ibid.
---------------------------------------------------------------------------
    There are three problems with that theory. First, it assumes that 
the benefits of regulatory harmonization--which, to be perfectly clear, 
would arrive in the form of increased regulation on U.S. operators--
would outweigh the cost of complying with those new rules.
    Second, there is no reason that harmonization could not work in the 
opposite direction. If the Commerce Department, the FTC and other U.S. 
lawmakers want to promote U.S. trade, exports, commerce, and global 
competitiveness, the proper way to ``leveling the playing field'' in 
this context should be the same as it is in relation to speech policy 
or trade law: the rest of the world should follow America's lead; the 
U.S. should absolutely not regulate up to achieve parity with theirs.
    Which raises a final problem with the argument for harmonization of 
privacy regimes through increased regulation on U.S. businesses: it 
sets a horrible precedent. At least thus far this has not been the 
approach the U.S. Government has taken in most other Internet policy 
contexts, and with good reason. Consider this in the context of speech 
controls. When policymakers in Europe and other regions or countries 
stifle free speech and expression online, America's response has not 
been to mimic them but, rather, to lead by example. That is, when 
confronted with conflicting regulatory regimes abroad, our response has 
usually been to proudly boast to the world that we have the more 
sensible approach to Internet regulation, which is to say, it should be 
tightly limited so as not to stifle speech or commerce. Some critics 
might label this ``American exceptionalism,'' but it is really just 
common sense if we hope to promote the international competitiveness of 
U.S. online businesses and remain a global leader in this arena.
5. ``Silver-Bullet'' Solutions Rarely Adapt or Scale Well
    Finally, there is the more general normative problem of the 
Commission seeking a simple solution to a complex ``problem'' such as 
online privacy protection. Do Not Track fits into a long line of 
proposed silver-bullet solutions that would mandate a ``universal'' 
solution to a complicated economic or social issue.
    When it comes to such information control efforts, there aren't 
many good examples of simple fixes or silver-bullet solutions that have 
worked, at least not very long. Consider the illusive search for a 
solution to online pornography. The PICS/ICRA experience is instructive 
in this regard. PICS and ICRA refer to the W3C's Platform for Internet 
Content Selection \52\ and Internet Content Rating Association.\53\ For 
a time, there was hope that voluntary metadata tagging and content 
labeling could be used to screen objectionable content on the Internet. 
But the sheer volume of material to be dealt with made that task almost 
impossible. The effort has been abandoned now.\54\ Of course, it is 
true that effort did not have a government mandate behind it to 
encourage more widespread adoption, but even if it would have, it is 
hard to believe that all pornography or other objectionable content 
would have been labeled and screened properly.
---------------------------------------------------------------------------
    \52\ http://www.w3.org/PICS.
    \53\ http://www.fosi.org/icra.
    \54\ http://www.icra.org.
---------------------------------------------------------------------------
    In a similar way, The CAN-SPAM Act aimed to curtail the flow of 
unsolicited e-mail across digital systems and, yet, failed to do so. 
Private filtering efforts have helped stem the flow to some extent, but 
have not eliminated the problem altogether. Royal Pingdom estimates 
that in 2010 89.1 percent of all e-mails were spam.\55\ ``Spam pages,'' 
are also a growing concern. In January 2011, Blekko, a new search 
engine provider, created a ``Spam Clock'' to track new spam pages and 
found 1 million new spam pages were being created every hour.\56\
---------------------------------------------------------------------------
    \55\ Royal Pingdom, ``Internet 2010 in Numbers,'' January 12, 2011, 
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers.
    \56\ http://www.spamclock.com. Also see, Danny Sullivan, ``Blekko 
Launches Spam Clock To Keep Pressure On Google,'' Search Engine Land, 
January 7, 2011, http://searchengine
land.com/blekko-launches-spam-clock-tokeep-pressure-on-google-60634.
---------------------------------------------------------------------------
    Similar problems await information control efforts in the privacy 
realm, even if a mandated Do Not Track mechanism required the re-
engineering of web browser architecture and/or standards. ``It's a 
single response to an overly-simplifies set of choices we encounter on 
the web,'' notes the NetChoice Coalition, which represents e-commerce 
companies.\57\ Also, Do Not Track ``does not address mobile or app 
data, nor any data created outside a traditional web browser,'' notes 
Michael Fertik, CEO of Reputation.com.\58\ ``At the same time, the 
growth in technology and understanding can render current solutions 
inadequate. A privacy rule to limit behavioral advertising today might 
not work in the future when more data is available and there are more 
powerful algorithms to process it,'' he says. ``There is no reliable 
way of ensuring this technology is being used, however,'' says Sidney 
Hill of Tech News World. ``Ensuring compliance with antitracking rules 
will become even more difficult as more users turn to mobile devices as 
their primary means of connecting to the Web.'' \59\
---------------------------------------------------------------------------
    \57\ Steve DelBianco and Braden Cox, NetChoice Reply Comments on 
Department of Commerce Green Paper, January 28, 2011, 14, http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=1EA98542-
23A4-4822-BECD-143CD23BB5E9.
    \58\ Michael Fertik, Comments of Reputation.com, Inc. to the U.S. 
Department of Commerce, January 28, 2011, 12, http://
www.reputation.com/blog/2011/01/31/reputation-com-comments-commerce-
department-privacy-greenpaper.
    \59\ Sidney Hill, ``Internet Tracking May Not Be Worth the 
Headaches,'' Tech News World, December 29, 2010, http://
www.technewsworld.com/story/Internet-Tracking-May-Not-Be-Worth-the-
Headaches-71543.html.
---------------------------------------------------------------------------
    Importantly, Do Not Track would not slow the ``arms race'' in this 
arena as some seem to hope or suggest.\60\ If anything, as noted in 
more detail below, a Do Not Track mandate will speed up that arms race 
and have many other unintended consequences.\61\ Complex definitional 
questions also remain unanswered, such as how define and then limit 
``tracking'' in various contexts, as well as how to enforce such a 
regime. Lauren Weinstein summarizes some of the most obvious issues:
---------------------------------------------------------------------------
    \60\ Some examples: ``The header-based Do Not Track system appeals 
because it calls for an armistice in the arms race of online 
tracking.'' Rainey Reitman, ``Mozilla Leads the Way on Do Not Track,'' 
Deeplinks, Electronic Frontier Foundation, January 24, 2011, https://
www.eff.org/deeplinks/2011/01/mozilla-leads-the-way-on-do-not-track. 
Similarly, Chris Soghoian argues that ``opt out mechanisms . . . 
[could] finally free us from this cycle of arms races, in which 
advertising networks innovate around the latest browser privacy 
control.'' Christopher Soghoian, ``What the U.S. Government Can Do To 
Encourage Do Not Track,'' Slight Paranoia, January 27, 2011, http://
paranoia.dubfire.net/2011/01/what-us-government-can-do-to-
encourage.html. Finally, Arvind Narayanan of Stanford University argues 
that Do Not Track, ``is a way to move past the arms race between 
tracking technologies and defense mechanisms, focusing on the actions 
of the trackers rather than their tools.'' Arvind Narayanan, ``'Do Not 
Track' Explained,'' 33 Bits of Entropy, September 30, 2010, http://
33bits.org/2010/09/20/do-not-track-explained.
    \61\ ``Too often, well-intentioned efforts to regulate technology 
are far worse than the imagined evils they were intended to prevent.'' 
Abelson, Ledeen, and Lewis, Blown to Bits, 159.

        Sending out a new ``Do Not Track'' header--even beyond basic 
        associated technical requirements at the client and server 
        ends--and even if there's agreement on how that header is 
        defined--tells you nothing about what actually happens to that 
        header after being sent by the client browser. How does the 
        user who sends such a header actually confirm that they're 
        ``not being tracked'' as a result? And how do they know that 
        continued tracking isn't caused by a technical issue that 
        prevented the header from ever being received and processed by 
---------------------------------------------------------------------------
        the destination server?

        Perhaps the header line was ``eaten'' by an intermediate proxy 
        server (it's quite common for proxies not to pass along all 
        headers). Or maybe the header reached a server that simply 
        hadn't been modified to recognize it yet. Or did the header 
        reach a server in some jurisdiction (say, outside of the U.S.) 
        that wouldn't even be ``required'' to know about that new 
        header? And so on.

        You can't just send a Do Not Track header and expect meaningful 
        results. In practice, you end up having to build an entire 
        confirmation apparatus of some sort--and even then it's likely 
        to be a mess. Without confirmation, you can send out whatever 
        headers you wish, but when you don't get the results you 
        expect, what does that mean? Who knows? This all gets very 
        complicated, very quickly.\62\
---------------------------------------------------------------------------
    \62\ Lauren Weinstein, ``Risks in Mozilla's Proposed Firefox ``Do 
Not Track'' Header Thingy,'' Lauren Weinstein blog, January 24, 2010, 
http://lauren.vortex.com/archive/000803.html.

    Moreover, in light of the global nature of online commerce and 
speech, Do Not Track will not scale as well as advocates hope.\63\ 
Castro says:
---------------------------------------------------------------------------
    \63\ ``Many behavioral targeting companies are based outside the 
US--making legislation ineffective,'' says Doug Wolfgram, CEO of 
IntelliProtect, an online privacy management company. Quoted in Tony 
Bradley, ``Why Browser `Do Not Track' Features Will Not Work,'' 
Computerworld, February 10, 2011, http://news.idg.no/cw/
art.cfm?id=ACE91A0E-1A64-6A71-CE2572C981C0204A.

        Another problem with Do Not Track is that it does not scale 
        well on the global Internet. As described above, to be 
        effective, the proposal would require a Federal mandate calling 
        for substantive modifications to networking protocols, web 
        browsers, software applications and other Internet devices. 
        Besides raising costs for consumers, it is unclear how 
        effective such a mandate would be outside of the U.S. borders 
        or how well the proposal would be received by international 
        standard bodies.\64\
---------------------------------------------------------------------------
    \64\ Castro, ``Policymakers Should Opt Out of `Do Not Track','' 3.

    Again, as noted previously, the regulatory experience with spam, 
objectionable content, and copyrighted content suggest serious 
challenges lie ahead because of the borderless nature of online 
activity /commerce.
6. Implications of This New Regime in Other Contexts
    A final danger with the FTC's proposed Do Not Track information 
control regime is that it could also establish a precedent for other 
forms of Internet regulation. If, in the context of privacy policy, 
``opt-in'' becomes the new default norm or mechanisms such as Do Not 
Track become the preferred top-down mandate, similar regulatory norms 
might be expected in other contexts. Why not mandatory ``opt-in'' for 
other types of speech or content? For example, should the presence of 
potentially objectionable content across digital networks be used as an 
excuse for greater regulation of the Internet?
    That is not the way things currently work, of course. At least in 
the United States, we demand that personal and parental responsibility 
be the first and primary line of defense against unwanted 
communications or content. Why should it be any different when it comes 
to ``privacy'' concerns? \65\
---------------------------------------------------------------------------
    \65\ The Cato Institute's Jim Harper argues: ``Privacy is not a 
gift from politicians or an entitlement that can be demanded from 
government. Privacy is a product of personal responsibility. Like moral 
living, privacy is the product of careful consideration and concerted 
effort by individuals. To be sure, protecting privacy can be hard. It 
involves knowledge, vigilance, and constant trade-offs.'' Harper, 
``Understanding Privacy,'' 5.
---------------------------------------------------------------------------
    Consider how things work in the context of speech and content 
regulation, American jurisprudence has become a fairly settled matter: 
people (or parents) are expected to take responsibility for unwanted 
information flows in their lives (or the lives of their children). 
Under current law, it is assumed that the many user empowerment tools 
on the market (filters, monitoring software, other parental control 
technologies) constitute a so-called ``less-restrictive means'' of 
controlling content when compared to government regulation.
    Many privacy advocates--such as ACLU, the Center for Democracy & 
Technology, and the Electronic Frontier Foundation--vociferously 
endorse this ``less-restrictive means'' test or ``educate and empower'' 
paradigm in the free speech context. Generally speaking, when it comes 
to speech regulation, they rightly argue ``household standards'' (user-
level controls) should trump ``community standards'' (government 
regulation). And in Court they repeatedly employ the ``less-restrictive 
means'' test to counter government efforts to regulate information 
flows.
    When it comes to privacy, however, many of them abandon this 
vision. For some reason, when the topic of debate shifts from concerns 
about potentially objectionable content to the free movement of 
personal information, personal responsibility and self-regulation 
become the last option, not the first. What is most troubling about 
this is that those advocates could be unwittingly undermining the power 
of the ``less restrictive means'' test more generally, which is a 
vitally important barrier to greatly enhanced government control of 
cyberspace. That is, when privacy advocates ignore, downplay, or 
denigrate user empowerment tools, they are essentially saying self-help 
is the right answer in one context, but not the other.
    That is a shame because, as discussed below, self-help tool work 
well in both contexts. And the same arguments used against private 
parental empowerment technologies are often trotted out in opposition 
to privacy controls. Can privacy tools be confusing at times or 
difficult to set up? Yes, they can, but no more so that parental 
control tools. Are privacy tools as effective as parental control 
tools? In some ways privacy tools are actually more effective because 
in the case of parental controls, the person you are attempting to 
``protect'' (namely, kids) often have a stronger incentive to evade/
defeat those tools. Moreover, privacy-enhancing controls can be very 
effective--perhaps even too effective--at shutting down unwanted 
information flows. Whether it is ad-blocking tools, cookie controls, or 
encryption techniques, these tools can actually be far more effective 
blocks on information flows than, say, Internet filters meant to block 
porn or hate speech, which is also more subjective by nature.
    Of course, no technological empowerment tool or solution is 
perfect. But as the Supreme Court held in United States v. Playboy, 
empowerment tools need not be perfect to be preferable to government 
regulation. ``Government cannot ban speech if targeted blocking is a 
feasible and effective means of furthering its compelling interests,'' 
the Court held.\66\ Moreover, ``It is no response that voluntary 
blocking requires a consumer to take action, or may be inconvenient, or 
may not go perfectly every time. A court should not assume a plausible, 
less restrictive alternative would be ineffective; and a court should 
not presume parents, given full information, will fail to act.'' \67\
---------------------------------------------------------------------------
    \66\ United States v. Playboy Entertainment Group, 529 U.S. 803, 
815 (2000).
    \67\ Ibid., 824.
---------------------------------------------------------------------------
    Again, the exact same principle should hold for privacy regulation 
\68\ Why not expect those especially privacy-sensitive users who object 
to targeted online advertising to do something about it? To the extent 
effective self-help privacy tools exist, they provide a means of 
solving policy problems that is not only ``less restrictive'' than 
government regulation but generally more effective and customizable as 
well. Why settle for one-size-fits-all solutions of incomplete 
effectiveness when users can quite easily and effectively manage their 
own privacy? Indeed, those who advocate personal responsibility and 
industry self-regulatory approaches to free speech and child protection 
issues should be advancing the same position with regards to privacy.
---------------------------------------------------------------------------
    \68\ Chapman University Law Professor Tom Bell has argued the same 
principle should hold in both contexts. Tom W. Bell, ``Internet Privacy 
and Self-Regulation: Lessons from the Porn Wars,'' Briefing Paper 65 
(Washington, D.C.: Cato Institute, August 9, 2001), http://
www.cato.org/pub_display.php?pub_id=1504.
---------------------------------------------------------------------------