[Senate Hearing 112-302]
[From the U.S. Government Publishing Office]
S. Hrg. 112-302
THE STATE OF ONLINE CONSUMER PRIVACY
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
MARCH 16, 2011
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
_____
U.S. GOVERNMENT PRINTING OFFICE
73-308 PDF WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii KAY BAILEY HUTCHISON, Texas,
JOHN F. KERRY, Massachusetts Ranking
BARBARA BOXER, California OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida JOHN ENSIGN, Nevada
MARIA CANTWELL, Washington JIM DeMINT, South Carolina
FRANK R. LAUTENBERG, New Jersey JOHN THUNE, South Dakota
MARK PRYOR, Arkansas ROGER F. WICKER, Mississippi
CLAIRE McCASKILL, Missouri JOHNNY ISAKSON, Georgia
AMY KLOBUCHAR, Minnesota ROY BLUNT, Missouri
TOM UDALL, New Mexico JOHN BOOZMAN, Arkansas
MARK WARNER, Virginia PATRICK J. TOOMEY, Pennsylvania
MARK BEGICH, Alaska MARCO RUBIO, Florida
KELLY AYOTTE, New Hampshire
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
Bruce H. Andrews, General Counsel
Ann Begeman, Republican Staff Director
Brian M. Hendricks, Republican General Counsel
C O N T E N T S
----------
Page
Hearing held on March 16, 2011................................... 1
Statement of Senator Pryor....................................... 1
Prepared statement........................................... 2
Statement of Senator Kerry....................................... 3
Statement of Senator Isakson..................................... 6
Statement of Senator McCaskill................................... 29
Statement of Senator Klobuchar................................... 31
Witnesses
Hon. Jon D. Leibowitz, Chairman, Federal Trade Commission........ 6
Prepared statement of the Federal Trade Commission........... 9
Hon. Lawrence E. Strickling, Assistant Secretary for
Communications and Information, National Telecommunications and
Information Administration, U.S. Department of Commerce........ 16
Prepared statement........................................... 18
Erich Andersen, Deputy General Counsel, Microsoft Corporation.... 34
Prepared statement........................................... 36
John Montgomery, Chief Operating Officer, North America, GroupM
Interaction.................................................... 41
Prepared statement........................................... 43
Ashkan Soltani, Independent Privacy Researcher and Consultant.... 50
Prepared statement........................................... 52
Barbara Lawler, Chief Privacy Officer, Intuit Inc................ 59
Prepared statement........................................... 61
Christopher R. Calabrese, Legislative Counsel, American Civil
Liberties Union, Washington Legislative Office................. 65
Prepared statement........................................... 67
Appendix
Hon. Mark Begich, U.S. Senator from Alaska, prepared statement... 85
Response to written questions submitted to Hon. Jon D. Leibowitz
by:
Hon. Mark Pryor.............................................. 85
Hon. Kay Bailey Hutchison.................................... 87
Response to written questions submitted to Lawrence E. Strickling
by:
Hon. Mark Pryor.............................................. 89
Hon. Mark Begich............................................. 90
Response to written questions submitted to John Montgomery by:
Hon. Kay Bailey Hutchison.................................... 90
Response to written question submitted to Erich D. Andersen by:
Hon. Kay Bailey Hutchison.................................... 92
Hon. John Ensign............................................. 92
Response to written questions submitted to Barbara Lawler by:
Hon. Mark Pryor.............................................. 93
Hon. Mark Begich............................................. 94
Hon. Kay Bailey Hutchison.................................... 94
Hon. John Ensign............................................. 96
Response to written questions submitted to Christopher R.
Calabrese by:
Hon. Mark Begich............................................. 96
Comments on ``The State of Online Privacy'' by Adam Thierer,
Senior Research Fellow, United States Senate, Committee on
Commerce, Science, and Transportation.......................... 98
THE STATE OF ONLINE CONSUMER PRIVACY
----------
WEDNESDAY, MARCH 16, 2011
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:05 a.m. in
room SR-253, Russell Senate Office Building, Hon. Mark Pryor,
presiding.
OPENING STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor [presiding]. I will go ahead and call this to
order. I want to thank everyone for being here. And we have
several witnesses today, and we're going to have a great
hearing. And I want to thank everyone.
First, I want to thank the Commerce Committee staff for
pulling this hearing together. They really have pulled together
an excellent panel, two panels of witnesses.
One thing that Senator Kerry and I were just talking about
is the Senate is supposed to vote at 10:30. And based on Senate
time, we don't know if that means 10:30, 10:45, 11, whatever.
But we're supposed to vote at 10:30. So at some point we're
going to have to swap the gavel back and forth and race and
vote and come back. But we'll try to keep the hearing going
during that time.
Also I know that Senator Kerry has really been a leader on
this type of legislation, looking at privacy concerns and has
been working on a bill and so we would like to hear from him in
just a few moments on that.
What I thought I would do is just give a very brief
statement. And I know that Senator Hutchison is on the way and
other Senators are on the way. We might dispense with the
opening statements for all the Senators, if that's OK, except I
thought I might call on Senator Kerry for just a few moments to
talk about his legislation and then go onto the panel. And once
Senator Hutchison shows up we'll certainly recognize her for
her opening statement.
But let me just say that as we start today I want to
welcome everyone to the Commerce Committee's hearing on ``The
State of Online Consumer Privacy.'' This is a very challenging
endeavor. We want to balance the free Internet, you know, the
ability to access free content and services for all users, with
concerns that are raised about user's privacy and general
information collection practices online.
So consumers can conduct research and read online
newspapers. They can write e-mails and respond to each other in
real time. Some of them will be worried about how their
information is being collected online. Some of them may be
willing to surrender some information in exchange for the free
content. Others don't have any idea this is going on.
So this is a real challenge. As many good things as we can
say about the Internet and how it has really revolutionized
information, and it's been so great in so many ways, privacy is
an area that we need to keep focused on and try to balance
these interests and try to make sure that it's a good place to
be and a good place to conduct business.
So our first panel is going to be the Federal Trade
Commission and the Department of Commerce.
Our second panel we'll hear from consumer advocates,
technology specialists and members of the business community.
Their insights and experience are valuable and very much
appreciated.
I don't know if everyone knows the polling data, but
recently Common Sense Media published some results that said 85
percent of parents say they're more concerned about online
privacy than they were 5 years ago.
Seventy-five percent of parents don't think social
networking sites do a good job of protecting their children's
online privacy.
Ninety-one percent of parents think search engines and
social networking sites should not be able to share kid's
physical location with other companies until parents give
authorization.
So these are just a few of the issues that we'll hear about
today. And that as the Senate Commerce Committee and the Senate
as a whole and the Congress as a whole moves through this
Congress we'll try to work through these issues as best we can.
Again, Senator Hutchison is on the way. And we'll recognize
her in a few moments for her opening statement. But until she
gets here, Senator Kerry would you like to say a few words?
[The prepared statement of Senator Pryor follows:]
Prepared Statement of Hon. Mark Pryor, U.S. Senator from Arkansas
Welcome to the Commerce Committee's hearing on ``The State of
Online Consumer Privacy.''
Today we meet to discuss a challenging endeavor: how to balance a
free Internet--the ability to access free content and services for all
users--with concerns raised about users' privacy and general
information collection practices online.
Consumers can conduct research and read online newspapers. They can
write e-mails and respond to each other in real time. Some of them may
be worried about how their information is being collected online. Some
of them may be willing to surrender some information in exchange for
free content.
I look forward to listening to all sides to determine how best to
negotiate these perspectives: consumers' privacy concerns with a desire
to preserve a robust and thriving Internet experience for all users.
First, we'll hear from the Federal Trade Commission and the
Department of Commerce, both of which recently issued reports on
consumer privacy and data security. I look forward to examining their
findings.
On the second panel, we'll hear from consumer advocates, technology
specialists and members of the business community. Their insights and
experience are valuable and appreciated.
While industry has dedicated much time to developing basic self-
regulatory principles and their efforts are a great starting point,
they alone have not eased peoples' concerns about the collection of
their personal information from on-line sources. And they will not,
alone, prevent abuses from unscrupulous people and organizations.
This is particularly true when it comes to information collected
on-line about kids. The supporting statistics are clear. According to
Common Sense Media:
85 percent of parents say they are more concerned about
online privacy than they were 5 years ago;
75 percent of parents don't think social networking sites do
a good job of protecting children's online privacy;
91 percent of parents think search engines and social
networking sites should not be able to share kids' physical
location with other companies until parents give authorization.
The Federal Trade Commission stressed in its December staff report
the importance of improving transparency and consumer choice in the
online privacy arena.
Incomprehensible privacy policies and user agreements are out.
Better disclosures, better consumer choice and improved safety features
are in.
Of course, one of the most elusive challenges we face as a society
is how to address the seemingly permanent nature of written comments
and information shared on the Internet. In other words, what will new
kinds of information ``sharing'' mean for our children's future--and
for their reputations?
Will they be discriminated against with insurers or future
employers based on financial, health or personal data they disclosed
online when they were teenagers--due to an assumption that the
information they shared would be protected--or based on an assumption
that they were controlling who could see that information?
Is it clearly explained to them that when they download certain
applications or ``apps'' on their phones or computers, they may be
allowing those ``apps'' to access their personal information--or their
specific geographic location at any point in time?
Many people in their teens and twenties now may well opt to share
this kind of information--thinking that the privacy trade-offs are well
worth it--but they should go into those choices with their eyes open.
Behavioral advertising has transformed the advertising industry.
That isn't going to change. In fact, if anything, it will increase as
more and more varied types of retailers and services do business
online.
However, there's an inherent trade-off between free online content
and the sale of personal information that keeps it free. We need to
discuss the proper balance and think about whether this trade-off will
remain relevant into the future.
Finally, one of the most important questions and one I'm focused on
this year is whether we should treat adults and children differently
online and have different requirements for the collection and
dissemination of their information.
These questions will engage the attention of this Committee during
the 112th Congress and for a long time to come. I will be working over
the coming months in an effort to address several of these issues.
And nothing is off the table. I welcome the witnesses with us today
and I look forward to hearing their testimony.
STATEMENT OF HON. JOHN F. KERRY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Kerry. Thank you, Mr. Chairman. I would like to
just for a sec.
First of all thanks for having this hearing with Senator
Rockefeller, I know, wanted to be here, but was unable to be.
And thanks for your leadership and stewardship on these
issues.
I must say I was impressed by the energy and amount of--
we're talking about the social network. It was a hell of a
social network in here before this hearing started.
[Laughter.]
Senator Kerry. A lot of chatter.
As we all know modern technology allows private entities to
observe the activities and actions of Americans on a scale that
is unimaginable. And there's no general law of commerce to
govern that surveillance. And that's why I intend, along with
other colleagues, to propose one, a commercial privacy bill of
rights.
The purpose of the legislation, I want to emphasize, is not
to discourage information sharing but rather to encourage it.
But under a common code of conduct that respects the rights of
both the people sharing the information and the legitimate
organizations collecting and using it on fair terms and
conditions. I think the folks that we've been working with,
many of them here today in the industries, know that throughout
my tenure on this Committee and now as Chair of the
Communications Subcommittee, I have worked hard to protect the
innovation and open architecture of the net.
I've worked hard to fight for net neutrality. I've worked
hard to prevent taxation and other things. So I believe in this
now vital resource for our country in so many ways. But it is
important to recognize that increasingly the American people
have concerns and express those concerns.
Every single app that any one of us applies to our
smartphone or child applies to it is an observational
opportunity for a private company. And, amazingly, Internet
users collectively sent 107 trillion, that's with a ``t,'' e-
mail messages in 2010. Each of those messages is a scanable
entity for key words that indicate the interests or patterns of
the people who send them.
Facebook started 2010 with 350 million users and ended it
with more than 600 million, almost all of which are sharing
information broadly whether they realize it or not. And the
collection and use of information offline from grocery stores
to hotels to airlines has also reached a record high enhancing
the data businesses collect online.
So on the positive side, all of this information sharing is
generating enormous economic activity. And we like that. We
want that. And it encourages all kinds of innovation. And we
want that.
But it's also created new opportunities for unethical
collectors of information, unwilling to abide by fair
information practice principles. And the question can be asked,
why should they? Because, you know, there's no law that
requires that they do. That has understandably generated a lot
of anxiety among Americans about protecting their identity,
protecting their personal information, protecting their habits.
Protecting the choices that they make which they think they're
making in the privacy of their relationship to their keyboard
and to their computer or to their phone or whatever instrument
they're using, iPad, otherwise.
People have asked so what's the problem that this
legislation would seek to solve? Well under current law there
are companies today engaged in the practice of harvesting
information from websites and elsewhere and using and selling
the information without the consent and/or notification or
knowledge of the people to whom that information pertains.
There are also companies engaged in the practice of using and
collecting information that are not building privacy into the
design of their services and as a result they lack the
appropriate procedures and protections to ensure people's
information is secured and being treated fairly. Once a
person's information is collected there are no legal
restrictions on the further distribution other than those that
the collector chooses to impose on themselves.
And lastly, Americans cannot today demand that someone who
has collected their information stop using it.
Each of these activities is a problem that Americans are
asking us to address. Now I've long thought that baseline
privacy protections in law were sort of a matter of common
sense. And over the last 6 months I've reached out to our
colleagues on both sides of the aisle, to privacy experts at
firms, in academia and to the advocacy community with one
simple goal--to figure out why we haven't reached a consensus
on a national standard for the treatment of people's
information and what we can do to establish one.
And let me just say thank you to many of the people here
today. There's been a very positive reaction to this, a
concerted effort. The Obama Administration, the Commerce
Department, others are working diligently to try to help mold
this, shape it. And I've been impressed by the cooperative
atmosphere within which everybody is working.
Many of the companies that have rejected legislation in the
past have made massive investments in privacy protection for
their own customers and at their own firms. A fair share of
them now have Chief Privacy Officers, who care deeply about the
issue. And they've spent a lot of time thinking about it.
These are serious people. Many of them here. Some of them
will testify today. And they believe people's information is
deserving of respect and protection not just because it makes
good business sense to protect your customers but also because
I believe they think it's the right thing to do. And it's in
keeping with a sort of value system and ethic that we share
here in America about individuality and privacy.
The entire goal of the drafting process that we're using to
write a commercial privacy bill of rights is to win pro-
privacy, pro-innovation experts over to the side of
establishing a common code of conduct so that their customers
are not just protected when working with them, but generally
protected in the course of commerce. And I think we all benefit
by that. I believe that gaining these allies will depend on our
willingness to recognize and respect the obvious good that can
come from appropriate collection and the use of data while also
allowing for experimentation and flexibility in the
implementation of privacy practices through the establishment
of safe harbor programs.
So we approach this with a real open mind. And I think
people will acknowledge a fair amount of reasonableness and
flexibility. But we can't let the status quo stand. We can't
continue to allow the collectors of people's information to
dictate the level of privacy protection that Americans will get
when they engage in commerce. And we can't continue to let the
firms that provide no protections, provide misleading
statements in some cases, about protection, about a protection
that they can change at will, at whim, at fancy or allow them
just to send the information along to others without regard to
where it goes or under what conditions that it goes there.
So my--Mr. Chairman, I hope we're going to establish clear
and flexible rules for behavior in our legislation. And if not,
I think everybody understands that enforcement agencies are
going to step up and react against unfair and/or deceptive
practices with cases that will be built sort of individually as
you go along with less clear direction than we could provide if
we do this in a sensible, legislative way. If we don't act, the
world's largest markets will continue to impose on our
innovators their own rules for private e-protection. And I
believe those rules could well wind up being less flexible and
less innovative than what I will be proposing.
So I look forward to working with the witnesses here today.
And I thank you very much, Mr. Chairman, for allowing me to
make that statement.
Senator Pryor. Thank you.
Senator Isakson?
STATEMENT OF HON. JOHNNY ISAKSON,
U.S. SENATOR FROM GEORGIA
Senator Isakson. Thank you, Mr. Chairman. I'll be brief but
I can't help but think as I was listening to Senator Kerry
speak, I ran a company for 22 years and we did about $1.2
million in advertising in various mediums to sell our product.
And we would always pick the medium whether it was TV or radio
or classified newspaper or display in a magazine by trying to
pick the medium we thought the most people would be potential
customers for our product would actually go to. And that
provided anonymity for the potential customer and made me do a
lot of thinking.
What the Internet has done and technology has done it's
allowed that anonymous information that was subject to analysts
and guesses to become a potential commodity that could actually
be sold for purposes other than that determination. So I think
it's at a very appropriate time that the Commerce Committee
look at this, because of the expanse of the Internet, the
expanse of the information and what is taking place in the
revolution that it's brought to American marketing.
So I look forward to being a part of the Committee, a part
of the work. And look forward to working with Senator Kerry,
Senator Pryor and the others on the Committee to find the right
message to send and the right road to go down.
Thank you, Mr. Chairman.
Senator Pryor. Thank you.
Now our first panel here both of these witnesses we have
extraordinary bios and lists of accomplishments that we could
discuss and we will submit for the record.
But what I'd like to do is just simply introduce them as
the Honorable Jon D. Leibowitz, Chairman of the Federal Trade
Commission.
And the Honorable Lawrence E. Strickling, the Administrator
of the National Telecommunications and Information
Administration.
Chairman Leibowitz?
STATEMENT OF HON. JON D. LEIBOWITZ, CHAIRMAN, FEDERAL TRADE
COMMISSION
Mr. Leibowitz. Thank you, Chairman Pryor. And Senator
Kerry, Senator Isakson and let me also mention Senator
Rockefeller, thank you for your leadership on privacy issues as
well as for giving me the opportunity to be here with Larry
Strickling from the Department of Commerce. Our two agencies
have a very long history of cooperation, and we are eager to
build on that as we work together to protect consumer privacy
while ensuring business growth and innovation.
As you know, over the past several decades the FTC has
protected privacy through law enforcement, through education
and through policy efforts. Just this week we announced our
first major enforcement effort aimed at abusive behavioral
marketing practices. We charged the online advertising network
Chitika with violating the FTC Act by offering consumers the
ability to opt-out of targeted advertising but without telling
them that the opt-out vanished in 10 days.
That vanishing opt-out, a 10-day vanishing opt-out, is not
only wrong, it is unacceptable. Consumers deserve meaningful
and not illusory control over what companies do with their
personal information. Chitika has agreed to an order that
requires it to destroy personal data it collected and provide
an opt-out on all ads that's effective for at least 5 years.
This case, and it is the first of many more privacy
enforcement cases you'll see from us, should send a strong
signal to the online ad industry. The FTC will not tolerate
attempts to subvert consumer choice. And overall we have
brought well over 100 spam and spyware cases and 30 data
security cases over the last 10 years.
Turning to the policy front. As I heard in your opening
statements recognizing the real benefits of information
collection, the status quo, as you said, Senator Kerry, isn't
acceptable. We released a report on consumer privacy in
December designed to reduce privacy burdens on both businesses
and consumers alike while ensuring business growth and
continuing Internet innovation. The report made three primary
recommendations.
First, companies need to bake in privacy protections like
data security and accuracy into all of their activities. We
call that privacy by design.
Second, choices about privacy of personal data should be
presented to consumers in a simple way, and at the time they
are making decisions about that data.
And third, transparency needs to be improved. Privacy
notices must be clearer, shorter and more standardized,
otherwise no one will read them. And indeed very few people
actually do.
The comment period on the proposed new framework just
closed and we received 446 comments, which may be a record for
us. And we expect to issue a final report later this year.
To further the idea of simplifying choices for consumers,
the report recommended a Do Not Track mechanism. Now while that
name sounds similar to our Do Not Call registry, which the
government runs, we're looking instead to the private sector to
create a way for consumers to choose whether to allow their
Internet surfing to be monitored. Simply put you should have a
choice, all of us should have a choice about whether third
parties, all invisible to us, can trail us around the Internet
as we shop or search for information about say, a medical
diagnosis.
This goes back to your point about the deanonymization of
information here and over the last 10 years when you're
thinking about the Internet. Do Not Track will give all
Americans a choice about whether to be followed online. More
than that, when data is protected consumers will more readily
trust companies in the marketplace and that encourages business
growth and business innovation.
Now stakeholders have responded very, very positively to
our call for Do Not Track. Two of the largest browser
companies, Microsoft and Mozilla, rolled out new mechanisms to
allow consumers control over the use of their personal
information for online behavioral advertising. The industry has
now demonstrated that Do Not Track is feasible so the
discussion turns to which approach is best.
One promising effort involves an industry coalition
comprised of media and ad marketing companies in an association
known as the Digital Advertising Alliance. The Alliance has
developed an icon which they hope will be deployed industry
wide that will display in targeted advertisements and link to
more information and choices. For my part, I still remain
concerned that the current proposal won't result in a permanent
opt-out for all ad networks. And it doesn't allow consumers to
control collection of their personal data just the blocking of
ads that go back to them.
But many of the Alliance's members want to go further to
protect consumers. My understanding--and actually it's in
today's Wall Street Journal as well--is that there's a sort of
insurgent group of more than 30 companies that wants to
prohibit most types of tracking and embrace the Mozilla header.
And so we're cautiously optimistic that the Alliance is moving
in the right direction.
Mr. Chairman, I ask for unanimous consent for an additional
minute.
Senator Pryor. Sure. Absolutely.
Mr. Leibowitz. So from my perspective I'm sort of agnostic
as to whether the private sector should implement Do Not Track
or if Congress should require it. I think sometimes it's easier
for the private sector to do it. But we do need to make sure
that Do Not Track isn't just an empty slogan but that it really
works for the American people.
There are five critical principles that we believe should
be included in any robust, effective Do Not Track mechanism.
One, Do Not Track should be universal so the consumers
don't have to repeatedly make choices on a company by company
basis.
Two, Do Not Track should be easy to find and easy to use.
Three, any choices offered should be persistent and should
not be deleted if for example, a consumer clears his or her
``cookies'' or turns off a computer.
Four, Do Not Track should not only allow consumers to opt-
out of advertising, it should allow them to opt-out of tracking
all together. And personally, from my perspective, I don't mind
getting targeted ads. I think there's a real benefit to that.
But people ought to be given a choice about whether or not they
want to be tracked.
And finally, it should be effective and enforceable without
technical loopholes.
We hope to continue to see the private sector develop tools
that meet these standards more broadly. We're hopeful that
American businesses will step up their efforts. And we've
started to see them protect consumer privacy by applying the
consensus principles from our report: privacy by design,
transparency and consumer choice. Working together with this
Committee, and with the Department of Commerce, we believe we
can make that happen.
So I thank you for this hearing.
[The prepared statement of Mr. Leibowitz follows:]
Prepared Statement of the Federal Trade Commission
Chairman Rockefeller, Ranking Member Hutchison, and members of the
Committee, I am Jon Leibowitz, Chairman of the Federal Trade Commission
(``FTC'' or ``Commission''). I appreciate the opportunity to present
the Commission's testimony on privacy.\1\
---------------------------------------------------------------------------
\1\ This written statement represents the views of the Federal
Trade Commission. Commissioner Kovacic dissents. His concerns about the
Commission's testimony, and the report by its staff, are set forth in
his statement on the latter. In particular, he believes that the
endorsement of a Do Not Track mechanism by staff (in the report) and
the Commission (in this testimony) is premature. My oral presentation
and responses are my own and do not necessarily reflect the views of
the Commission or of any other Commissioner.
---------------------------------------------------------------------------
Privacy has been an important component of the Commission's
consumer protection mission for 40 years. During this time, the
Commission has employed a variety of strategies to protect consumer
privacy, including law enforcement, regulation, outreach to consumers
and businesses, and policy initiatives.\2\
---------------------------------------------------------------------------
\2\ Information on the FTC's privacy initiatives generally may be
found at http://business.ftc.gov/privacy-and-security.
---------------------------------------------------------------------------
Over the years, the Commission's goal in the privacy arena has
remained constant: to protect consumers' personal information and
ensure that they have the confidence to take advantage of the many
benefits offered by the dynamic and ever-changing marketplace. To meet
this objective, the Commission has periodically re-examined its
approach to privacy to ensure that it keeps pace with advances in
technology and changing business practices as well as to ensure that
incentives for American innovation are maintained. The latest effort in
this process is a Preliminary FTC Staff Report, released in December,
which proposes a framework for protecting consumer privacy in this era
of rapid technological change. This proposed framework is intended to
inform policymakers, including Congress, as they develop solutions,
policies, and potential laws governing privacy, and guide and motivate
industry as it develops more robust and effective best practices and
self-regulatory guidelines.
This testimony begins by describing the Commission's recent efforts
to protect consumer privacy through law enforcement, education, and
policy initiatives. It then sets forth some highlights from the Staff
Report on consumer privacy, and concludes with a discussion of issues
related to a universal choice mechanism for behavioral tracking,
commonly referred to as ``Do Not Track''.
I. The FTC's Efforts to Protect Consumer Privacy
A. Enforcement
The Commission continues to pursue an aggressive and bipartisan
privacy enforcement agenda. In the last 15 years, it has brought 32
data security cases; 64 cases against companies for improperly calling
consumers on the Do Not Call registry; 86 cases against companies for
violating the Fair Credit Reporting Act (``FCRA''); \3\ 97 spam cases;
15 spyware (or nuisance adware) cases; and 15 cases against companies
for violating the Children's Online Privacy Protection Act (``COPPA'').
Where the FTC has authority to seek civil penalties, it has
aggressively done so. It has obtained $60 million in civil penalties in
Do Not Call cases, $21 million in civil penalties under the FCRA, $5.7
million under the CAN-SPAM Act,\4\ and $3.2 million under COPPA. Where
the Commission does not have authority to seek civil penalties, as in
the data security and spyware areas, it has sought such authority from
Congress. In addition, the Commission has brought numerous cases
against companies for violating the FTC Act by making deceptive claims
about the privacy protection they afford to the information they
collect, which has the effect of undermining consumer choices on
privacy. This testimony describes four such cases that the Commission
has brought within the past several months.
---------------------------------------------------------------------------
\3\ 15 U.S.C. �� 1681e-i.
\4\ 15 U.S.C. �� 7701-7713.
---------------------------------------------------------------------------
Just this week, the Commission announced its first online
behavioral advertising case against an online network advertiser,
Chitika, that acts as an intermediary between website publishers and
advertisers. The Commission alleged that Chitika violated the FTC Act
by offering consumers the ability to opt-out of the collection of
information to be used for targeted advertising--without telling them
that the opt-out lasted only 10 days.\5\ The Commission's order
prohibits Chitika from making future privacy misrepresentations. It
also requires Chitika to provide consumers with an effective opt-out
mechanism, link to this opt-out mechanism in its advertisements, and
provide a notice on its website for consumers who may have opted out
when Chitika's opt-out mechanism was ineffective. Finally, the order
requires Chitika to destroy any data that can be associated with a
consumer that it collected during the time its opt-out mechanism was
ineffective.
---------------------------------------------------------------------------
\5\ Chitika, Inc., FTC File No. 102 3087 (Mar. 14, 2011) (consent
order accepted for public comment).
---------------------------------------------------------------------------
Second, earlier this month, the Commission approved a final consent
order in a case involving the social networking service Twitter.\6\ On
one level, Twitter is a traditional data security case--the FTC charged
that serious lapses in the company's data security allowed hackers to
obtain unauthorized administrative control of Twitter. As a result,
hackers had access to private ``tweets'' and non-public user
information and took over user accounts, including among others, those
of President Obama and Rupert Murdoch. On another level, the case
stands for the proposition that social networking services must honor
the commitments they make to keep their users' communications private.
The order prohibits misrepresentations about the extent to which
Twitter protects the privacy of communications, requires Twitter to
maintain reasonable security, and mandates independent, comprehensive
audits of Twitter's security practices.\7\
---------------------------------------------------------------------------
\6\ Twitter, Inc., FTC File No. 092 3093 (Mar. 11, 2011) (consent
order) (resolving allegations that Twitter deceived its customers by
failing to honor their choices to designate certain ``tweets'' as
private).
\7\ Many of the Commission's earliest consumer privacy cases
similarly held companies accountable for their privacy statements and
practices. See, e.g., GeoCities, Inc., FTC Docket No. C-3850 (Feb. 5,
1999) (consent order) (alleging that company misrepresented the
purposes for which it was collecting personal information from both
children and adults); Liberty Fin. Cos., FTC Docket No. C-3891 (Aug.
12, 1999) (consent order) (alleging that site falsely represented that
personal information collected from children, including information
about family finances, would be maintained anonymously); FTC v.
ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 10, 2000) (consent
order) (alleging that online auctionsite obtained consumer data from
competitor site and then sent deceptive, unsolicited e-mail messages to
those consumers seeking their business); FTC v. Toysmart.com LLC, 00-
CV-11341-RGS (D. Mass. filed July 10, 2000) (alleging site attempted to
sell personal customer information, despite the representation in its
privacy policy that such information would never be disclosed to a
third party); FTC v. Rennert, No. CV-S-00-0861-JBR (D. Nev. July 24,
2000) (consent order) (alleging that defendants misrepresented their
security practices and how they would use consumer information); Educ.
Research Ctr. of Am., Inc.; Student Marketing Grp., Inc., FTC Docket
No. C-4079 (May 6, 2003) (consent order) (alleging that personal data
collected from students for educational purposes was sold to commercial
marketers); The Nat'l Research Ctr. for College & Univ. Admissions, FTC
Docket No. C-4071 (Jun. 28, 2003) (consent order) (same); Gateway
Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004) (consent order)
(alleging that company rented customer information to list brokers in
violation of its privacy policy); Vision I Props., LLC, FTC Docket No.
C-4135 (Apr. 19, 2005) (consent order) (alleging that a service
provider disclosed customer information in violation of merchant
privacy policies). Sears Holdings Mgmt. Corp., FTC Docket No. C-4264
(Aug. 31, 2009) (consent order).
---------------------------------------------------------------------------
Third, in December, the Commission announced a case against
EchoMetrix, a company selling a software program called Sentry Parental
Controls that enables parents to monitor their children's activities
online. The Commission alleged that EchoMetrix sold certain information
that it collected from children via this software to third parties for
marketing purposes, without telling parents. The Commission's order
prohibits the company from sharing information gathered from its
monitoring software and requires the company to destroy any such
information in its database of marketing information.\8\
---------------------------------------------------------------------------
\8\ FTC v. Echometrix, Inc., No. CV10-5516 (E.D.N.Y. Nov. 30, 2010)
(consent order).
---------------------------------------------------------------------------
Finally, in September, the Commission settled a case against U.S.
Search, a data broker that maintained an online service, which allowed
consumers to search for information about others. The company allowed
consumers to opt-out of having their information appear in search
results, for a fee of $10. Although 4,000 consumers paid the fee and
opted out, their personal information still appeared in search results.
The Commission's settlement requires U.S. Search to disclose
limitations on its opt-out offer, and to provide refunds to consumers
who had previously opted out.\9\
---------------------------------------------------------------------------
\9\ US Search, Inc., FTC File No. 102 3131 (Sept. 22, 2010)
(consent order accepted for public comment).
---------------------------------------------------------------------------
In addition to these privacy enforcement actions, the Commission
has been aggressive on the data security front to ensure that companies
protect the sensitive data they collect about consumers. In February
2011, three companies that resell consumers' credit reports agreed to
settle FTC charges that they did not take reasonable steps to protect
consumers' personal information, which allowed computer hackers to
access more than 1,800 credit reports via their clients' computer
networks. These are the first cases the FTC has brought against credit
report resellers for their failure to ensure that the companies to whom
they provide consumer reports maintain reasonable security.\10\ The
Commission alleged that the resellers violated the FCRA, the Gramm-
Leach-Bliley Safeguards Rule, and Section 5 of the FTC Act. The consent
orders bar the companies from violating these laws, require them to
implement comprehensive information security programs, and require them
to obtain independent audits, every other year for 20 years.
---------------------------------------------------------------------------
\10\ SettlementOne Credit Corp., File No. 082 3208; ACRAnet, Inc.,
File No. 092 3088; and Fajilan and Associates, Inc., File No. 092 3089
(Feb. 3, 2011) (consent orders accepted for public comment).
---------------------------------------------------------------------------
B. Consumer and Business Education
The FTC has done groundbreaking outreach to businesses and
consumers in the area of consumer privacy. For example, the
Commission's well-known OnGuard Online website educates consumers about
spam, spyware, phishing, peer-to-peer (``P2P'') file sharing, social
networking, laptop security, and identity theft.\11\ The FTC has
developed additional resources specifically for children, parents, and
teachers to help children stay safe online. In response to the
Broadband Data Improvement Act of 2008, the FTC produced the brochure
Net Cetera: Chatting with Kids About Being Online to give adults
practical tips to help children navigate the online world.\12\ The
publication includes information about how parents should talk to
children about online privacy, sexting, and cyberbullying. In less than
1 year, the Commission already has distributed more than 7 million
copies of Net Cetera to schools and communities nationwide. The
Commission also offers specific guidance to young people concerning
certain types of Internet services, including, for example, social
networking and video and photo sharing.\13\
---------------------------------------------------------------------------
\11\ See http://www.onguardonline.gov/topics/social-networking-
sites.aspx. Since its launch in 2005, OnGuard Online and its Spanish-
language counterpart Alertaena Linea have attracted nearly 12 million
unique visits.
\12\ See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start
with Online Child Safety Campaign (Mar. 31, 2010), available at http://
www.ftc.gov/opa/2010/03/netcetera.shtm.
\13\ See http://www.onguardonline.gov/topics/social-networking-
sites.aspx; http://www.on
guardonline.gov/topics/net-cetera-mobile-phones.aspx.
---------------------------------------------------------------------------
Most recently, the FTC released a consumer education publication on
the safe use of wi-fi hot spots.\14\ The publication, available on the
FTC and Onguard Online websites, explains that when using wireless
networks, consumers should convey personal information only if it is
encrypted--either through an encrypted website or a secure network. The
piece notes that an encrypted website is one whose URL begins with
``https'', rather than ``http''; it further notes that in order to be
secure, a Wi-Fi network must be password-protected.
---------------------------------------------------------------------------
\14\ See http://www.onguardonline.gov/topics/hotspots.aspx.
---------------------------------------------------------------------------
Business education is also an important priority for the FTC. For
example, the Commission developed a widely-distributed guide to help
small and medium-sized businesses implement appropriate data security
for the personal information they collect and maintain.\15\ The FTC
also develops business education materials to respond to specific
emerging issues, such as a recent brochure on security risks associated
with P2P file-sharing software.\16\
---------------------------------------------------------------------------
\15\ See Protecting Personal Information: A Guide For Business,
available at http://www.ftc
.gov/infosecurity.
\16\ See generally http://business.ftc.gov/privacy-and-security.
---------------------------------------------------------------------------
C. Policy and Rulemaking Initiatives
The Commission's efforts with respect to privacy include public
workshops and reports to examine the implications of new technologies
on consumer privacy. For example, in November 2007, the Commission held
a two-day Town Hall event to discuss the privacy implications of online
behavioral advertising.\17\ Based upon the Town Hall discussions, staff
released for public comment a set of proposed principles to encourage
industry members to improve their behavioral advertising practices.\18\
Thereafter, in February 2009, staff released a report (``OBA Report'')
setting forth the following revised principles based on the comments
received: (1) transparency and consumer control; (2) reasonable
security and limited retention for consumer data; (3) affirmative
express consent for material retroactive changes to privacy policies;
and (4) affirmative express consent for the use of sensitive data.\19\
---------------------------------------------------------------------------
\17\ FTC Town Hall, Ehavioral Advertising: Tracking, Targeting, &
Technology (Nov.1-2, 2007), available at http://www.ftc.gov/bcp/
workshops/ehavioral/index.shtml.
\18\ See FTC Staff, Online Behavioral Advertising: Moving the
Discussion Forward to Possible Self-Regulatory Principles (Dec. 20,
2007), available at http://www.ftc.gov/os/2007/12/P859900stmt.pdf.
\19\ See FTC Staff Report: Self-Regulatory Principles For Online
Behavioral Advertising (Feb. 2009), available at http://www.ftc.gov/os/
2009/02/P085400behavadreport.pdf, at 33-37, 46. The revisions primarily
concerned the principles' scope and application to specific business
models. Id. at 20-30.
---------------------------------------------------------------------------
The Commission also reviews its rules periodically to ensure that
they are appropriately updated in light of changes in the marketplace.
For example, the Commission is currently reviewing its rule
implementing the COPPA and anticipates completing that review in the
coming months.\20\
---------------------------------------------------------------------------
\20\ See http://business.ftc.gov/documents/coppa-rulemaking-and-
rule-reviews; Request for Public Comment on the Federal Trade
Commission's Implementation of the Children's Online Privacy Protection
Rule, 17 Fed. Reg. 17089 (Apr. 5, 2010), available at http://
www.ftc.gov/os/fedreg/2010/april/P104503coppa-rule.pdf.
---------------------------------------------------------------------------
II. Privacy Roundtables and Report
The Commission also recently conducted a series of public
roundtables on consumer privacy,\21\ which took place in December 2009,
and January and March 2010. The roundtables served to explore the
effectiveness of current privacy approaches in addressing the
challenges of the rapidly evolving market for consumer information,
including consideration of the risks and benefits of consumer
information collection and use; consumer expectations surrounding
various information management practices; and the adequacy of existing
legal and self-regulatory regimes to address privacy interests. Staff
issued a preliminary privacy report in December 2010,\22\ which
discusses the major themes that emerged from these roundtables,
including the ubiquitous collection and use of consumer data;
consumers' lack of understanding and ability to make informed choices
about the collection and use of their data; the importance of privacy
to many consumers; the significant benefits enabled by the increasing
flow of information; and the blurring of the distinction between
personally identifiable information and supposedly anonymous or de-
identified information.\23\
---------------------------------------------------------------------------
\21\ See Press Release, FTC, FTC to Host Public Roundtables to
Address Evolving Privacy Issues (Sept. 15, 2009), available at http://
www.ftc.gov/opa/2009/09/privacyrt.shtm.
\22\ See A Preliminary FTC Staff Report on Protecting Consumer
Privacy in an Era of Rapid Change: A Proposed Framework for Businesses
and Policymakers (Dec. 1, 2010), available at http://www.ftc.gov/os/
2010/12/101201privacyreport.pdf. Commissioners Kovacic and Rosch issued
concurring statements available at http://www.ftc.gov/os/2010/12/
101201privacy
report.pdf at Appendix D and Appendix E, respectively.
\23\ Id. at 22-38.
---------------------------------------------------------------------------
At the roundtables, stakeholders across the board emphasized the
need to improve the transparency of businesses' data practices,
simplify the ability of consumers to exercise choices about how their
information is collected and used, and ensure that businesses take
privacy-protective measures as they develop and implement systems that
involve consumer information. At the same time, the roundtable
commenters and participants urged regulators to be cautious about
restricting the exchange and use of consumer data in order to preserve
the substantial consumer benefits made possible through the flow of
information. Based on these comments, the preliminary staff privacy
report proposed a new framework to guide policymakers and industry as
they consider further steps to improve consumer privacy protection.
A. The Proposed Framework
The proposed framework included three main concepts. First, FTC
staff proposed that companies should adopt a ``privacy by design''
approach by building privacy protections into their everyday business
practices. Such protections include providing reasonable security for
consumer data, collecting only the data needed for a specific business
purpose, retaining data only as long as necessary to fulfill that
purpose, safely disposing of data no longer in use, and implementing
reasonable procedures to promote data accuracy. Companies also should
implement and enforce procedurally sound privacy practices throughout
their organizations, including, for example, assigning personnel to
oversee privacy issues, training employees on privacy issues, and
conducting privacy reviews when developing new products and services.
Such concepts are not new, but the time has come for industry to
implement them systematically. Implementation can be scaled, however,
to each company's business operations. For example, the Staff Report
recommended that companies that collect and use small amounts of
nonsensitive consumer data should not have to devote the same level of
resources to implementing privacy programs as companies that collect
vast amounts of consumer data or data of a sensitive nature.
Second, the Commission staff proposed that companies provide
simpler and more streamlined choices to consumers about their data
practices. Under this approach, consumer choice would not be necessary
for a limited set of ``commonly accepted'' data practices, thus
allowing clearer, more meaningful choice with respect to practices of
greater concern. This component of the proposed framework reflects the
concept that consumers reasonably expect companies to engage in certain
practices namely, product and service fulfillment, internal operations
such as assessing the quality of services offered, fraud prevention,
legal compliance, and first-party marketing. Some of these practices,
such as a retailer's collection of a consumer's address solely to
deliver a product the consumer ordered, are obvious from the context of
the transaction, and therefore, consumers' consent to them can be
inferred. Others are sufficiently accepted or necessary for public
policy reasons that companies need not request consent to engage in
them. The Staff Report suggested that by clarifying those practices for
which consumer consent is unnecessary, companies will be able to
streamline their communications with consumers, which will reduce the
burden and confusion on consumers and businesses alike.
For data practices that are not ``commonly accepted,'' consumers
should have the ability to make informed and meaningful choices. To be
most effective, choices should be clearly and concisely described and
offered at a time and in a context in which the consumer is making a
decision about his or her data. Depending upon the particular business
model, this may entail a ``just-in-time'' approach, in which the
company seeks consent at the point a consumer enters his personal data
or before he accepts a product or service. One way to facilitate
consumer choice is to provide it in a uniform and comprehensive way.
Such an approach has been proposed for behavioral advertising, whereby
consumers would be able to choose whether to allow the collection and
use of data regarding their online searching and browsing activities.
This idea is discussed further below.
Third, the Staff Report proposed a number of measures that
companies should take to make their data practices more transparent to
consumers. For instance, in addition to providing the contextual
disclosures described above, companies should improve their privacy
notices so that consumers, advocacy groups, regulators, and others can
compare data practices and choices across companies, thus promoting
competition among companies. The staff also proposed providing
consumers with reasonable access to the data that companies maintain
about them, particularly for non-consumer-facing entities such as data
brokers. Because of the significant costs associated with access, the
Staff Report noted that the extent of access should be proportional to
both the sensitivity of the data and its intended use. In addition, the
Staff Report stated that companies must provide prominent disclosures
and obtain affirmative consent before using data in a materially
different manner than claimed when the data was collected.
Finally, the Staff Report proposed that stakeholders undertake a
broad effort to educate consumers about commercial data practices and
the choices available to them. Increasing consumer understanding of the
commercial collection and use of their information is important to both
empowering consumers to make informed choices regarding their privacy
and facilitating competition on privacy across companies. In addition
to proposing these broad principles, the staff sought comment from all
interested parties to help guide further development and refinement of
the proposed framework through February 18, 2011. Close to 450 comments
were received and staff expects to issue a final report this year.
B. Do Not Track
As noted above, the Staff Report included a recommendation to
implement a universal choice mechanism for behavioral tracking,
including behavioral advertising, often referred to as ``Do Not
Track.'' \24\ Although behavioral tracking benefits consumers by
helping support online content and services and allowing personalized
advertising that many consumers value, the practice remains largely
invisible to most consumers. Some surveys \25\ show that certain
consumers who are aware of the practice are uncomfortable with it.\26\
A recent USA Today/Gallup poll found that 47 percent of consumers would
like to choose which advertisers may deliver them targeted
advertisements and 37 percent would like to receive no targeted
advertisements at all.\27\ In another poll, 80 percent of consumers
supported a Do Not Track option.\28\ In addition, according to a recent
Wall Street Journal article, because of concerns that third-party
tracking may be intrusive, some websites are increasing their scrutiny
of such third-party tracking on their sites.\29\
---------------------------------------------------------------------------
\24\ See FTC Staff Report, supra note 22. See also Rosch concurring
statement, id., in which Commissioner Rosch supported a Do Not Track
mechanism only if it were ``technically feasible'' and implemented in a
fashion that provides informed consumer choice regarding all the
attributes of such a mechanism. To clarify, Commissioner Rosch
continues to believe that a variety of questions need to be answered
prior to the endorsement of any particular Do Not Track mechanism.
\25\ Consumer survey evidence, by itself, has limitations. For
instance, the way questions are presented may affect survey results.
Also, while survey evidence may reveal a consumer's stated attitudes
about privacy, survey evidence does not necessarily reveal what actions
a consumer will take in real-world situations. The Commission does not
endorse the reliability or methodology of any surveys discussed herein.
\26\ See, e.g., Transcript of December 7, 2009, FTC Privacy
Roundtable, Remarks of Alan Westin of Columbia University, at 93-94,
available at http://www.ftc.gov/bcp/workshops/privacy
roundtables/PrivacyRoundtable_Dec2009_Transcript.pdf; Written Comment
of Berkeley Center for Law & Technology, Americans Reject Tailored
Advertising and Three Activities that Enable It, cmt. #544506-00113,
available at http://www.ftc.gov/os/comments/privacyroundtable/544506-
00113.pdf; Written Comment of Craig Wills, Personalized Approach to Web
Privacy Awareness, Attitudes and Actions, cmt. #544506-00119, available
at http://www.ftc.gov/os/comments/privacyroundtable/544506-00119.pdf;
Written Comment of Alan Westin, How Online Users Feel About Behavioral
Marketing and How Adoption of Privacy and Security Policies Could
Affect Their Feelings, cmt. #544506-00052, available at http://
www.ftc.gov/os/comments/privacyroundtable/544506-00052.pdf; see also
Poll: Consumers Concerned About Internet Privacy, Consumers Union,
available at http://www.consumersunion.org/pub/core_tele
com_and_utilities/006189.html.
\27\ See U.S. Internet Users Ready to Limit Online Tracking for Ads
(Dec. 21, 2010), available at http://www.gallup.com/poll/145337/
internet-users-ready-limit-online-tracking-ads.aspx.
\28\ See News Release, Consumer Watchdog, Americans Favor Broad
Range Of Online Privacy Protections for Consumers (Jul. 27, 2010),
available at http://www.consumerwatchdog.org/newsrelease/consumer-
watchdog-poll-finds-concern-about-g oogles-wi-spy-snooping.
\29\ Jessica Vascellaro, Websites Rein in Tracking Tools, Wall St.
J., Nov. 9, 2010, available at http://online.wsj.com/article/
SB10001424052748703957804575602730678670278.html.
---------------------------------------------------------------------------
In light of the concerns expressed about online tracking, the Staff
Report recommended a Do Not Track mechanism. A robust, effective Do Not
Track system would ensure that consumers can opt-out once, rather than
having to exercise choices on a company-by-company or transaction-by-
transaction basis. Such a universal mechanism could be accomplished
through legislation or potentially through robust, enforceable self-
regulation.
The FTC repeatedly has called on stakeholders to develop and
implement better tools to allow consumers to control the collection and
use of their online browsing data.\30\ Industry participants have begun
to respond to this call. Two major browser vendors, Microsoft and
Mozilla, have recently announced the development of new choice
mechanisms for online behavioral advertising that seek to provide
increased transparency, greater consumer control, and improved ease of
use.\31\ Just as important, the World Wide Web Consortium (W3C) has
accepted a submission by Microsoft to consider a technical standard for
a universal choice mechanism.The W3C announced an April 2011 workshop
to begin the public dialogue with relevant stakeholders regarding how
to incorporate do not track preferences into Internet browsing so
websites can respect a user's preference not to be tracked.\32\
Finally, just last week, Stanford's Center for Internet and Society and
Mozilla jointly submitted a proposal to the Internet Engineering Task
Force outlining a header-based Do Not Track mechanism and discussing
how web services should respond to such a mechanism.\33\
---------------------------------------------------------------------------
\30\ See e.g., Do Not Track: Hearing before the Subcomm. On
Commerce, Trade and Consumer Prot. of the H. Comm. On Energy and
Commerce, 111th Cong. (Dec. 2, 2010), available at http://www.ftc.gov/
os/testimony/101202donottrack.pdf (prepared statement of the FTC,
Commissioner Kovacic dissenting).
\31\ See Press Release, Microsoft, Providing Windows Customers with
More Choice and Control of Their Privacy Online with Internet Explorer
9 (Dec. 7, 2010), available at http://www
.microsoft.com/presspass/features/2010/dec10/12-07ie9privacyqa.mspx;
Mozilla Blog, Mozilla Firefox 4 Beta, now including ``Do Not Track''
capabilities, http://blog.mozilla.com/blog/2011/02/08/mozilla-firefox-
4-beta-now-including-do-not-track-cap abilities/ (Feb. 8, 2011).
\32\ See W3C Blog, Do Not Track at W3C, http://www.w3.org/QA/2011/
02/do_not_
track_at_w3c.html (Feb. 24, 2011).
\33\ See Do Not Track: A Universal Third-Party Web Tracking Opt Out
(Mar. 7, 2011), available at http://tools.ietf.org/html/draft-mayer-do-
not-track-00; see also http://firstpersoncookie.word
press.com/2011/03/09/mozilla-makes-joint-submission-to-ietf-on-d nt/.
---------------------------------------------------------------------------
The online advertising industry has also made progress in this
area. For example, an industry coalition comprised of media and
marketing associations, known as the Digital Advertising Alliance, has
developed self-regulatory guidelines and an opt-out mechanism for
behavioral advertising.\34\ The coalition has developed an icon to
display in or near targeted advertisements that links to more
information and choices and has pledged to implement this effort
industry-wide.\35\ The coalition reports that adoption of the icon and
simplified disclosures grew dramatically at the end of last year.\36\
In addition, Google has developed a browser add-on that can be used to
block targeted advertisements from companies that participate in the
Digital Advertising Alliance.\37\
---------------------------------------------------------------------------
\34\ See Press Release, Interactive Advertising Bureau, Major
Marketing Media Trade Groups Launch Program to Give Consumers Enhanced
Control over Collection and Use of Web Viewing Data for Online
Behavioral Advertising (Oct. 4, 2010), available at http://www.iab.net/
about_the_iab/recent_press_releases/press_release_archive/
press_release/pr-100410; Tony Romm and Kim Hart, Political Intel: FTC
Chairman on Self-Regulatory Ad Effort, POLITICO Forums, http://
dyn.politico.com/members/forums/thread.cfm?catid=24&subcatid=78&
threadid=4611665 (Oct. 11, 2010).
\35\ The coalition has stated that providing consumers with choices
about online advertising is essential to building the trust necessary
for the marketplace to grow. See Interactive Advertising Bureau, supra
note 34.
\36\ See Written Comment of the Direct Marketing Assoc. Responding
to Preliminary Staff Report, cmt. #00449, at 21.
\37\ See Google Chrome Web Store, Keep My Opt-Outs, available at
https://chrome.google.com/webstore/detail/
hhnjdplhmcnkiecampfdgfjilccfpfoe; see also Google Public Policy Blog,
Keep your opt-outs http://googlepublicpolicy.blogspot.com/2011/01/keep-
your-opt-outs.html (Jan. 24, 2011).
---------------------------------------------------------------------------
These recent industry efforts to improve consumer control are
promising, but they are still in the embryonic stage, and their
effectiveness remains to be seen. As industry continues to explore
technical options and implement self-regulatory programs, and Congress
continues to examine Do Not Track, several issues should be considered.
First, any Do Not Track system should be implemented universally, so
that consumers do not have to repeatedly opt-out of tracking on
different sites. Second, the choice mechanism should be easy to find,
easy to understand, and easy to use. Third, any choices offered should
be persistent and should not be deleted if, for example, consumers
clear their cookies or update their browsers. Fourth, a Do Not Track
system should be comprehensive, effective, and enforceable. It should
opt consumers out of behavioral tracking through any means and not
permit technical loopholes.\38\
---------------------------------------------------------------------------
\38\ For example, consumers may believe they have opted out of
tracking if they block third-party cookies on their browsers; yet they
may still be tracked through Flash cookies or other mechanisms.
A Flash cookie, or a Flash local shared object, is a data file that
is stored on a consumer's computer by a website that uses Adobe's Flash
player technology. Like a regular http cookie, a Flash cookie can store
information about a consumer's online activities. Unlike regular
cookies, Flash cookies are stored in an area not controlled by the
browser. Thus, when a consumer deletes or clears the cookies from his
browser using tools provided through the browser, this may not delete
Flash cookies stored on his computer.
Recently, a researcher released a software tool that demonstrates
several technical mechanisms in addition to Flash cookies that websites
can use to persistently track consumers, even if they have attempted to
prevent such tracking through existing tools. See http://samy.pl/
evercookie; see also Tanzina Vega, New Web Code Draws Concerns Over
Privacy Risks, The New York Times, Oct. 10, 2010, available at http://
www.nytimes.com/2010/10/11/business/media/11privacy.html.
---------------------------------------------------------------------------
Finally, it is important to emphasize what is meant by ``tracking''
as stakeholders continue to consider ``Do Not Track'' approaches.
Consumers certainly may want to opt-out of more than targeted
advertising--they may want to opt-out of the creation and use of
behavioral profiles for any secondary purposes. For example, they may
want to be sure that their browsing behavior is not used to make
employment or insurance decisions about them. They may also want to
opt-out of having their browsing behavior sold to data brokers for
unspecified future uses. At the same time, no system that allows for
unrestricted web browsing can or should prohibit information collection
entirely. As noted the Staff Report, information collection is
necessary for fraud prevention and other commonly accepted practices,
such as capping the number of times a consumer sees a particular
advertisement. The limited nature of that collection, however, is
qualitatively different from the collection of information to track and
profile consumers as they browse the web. Given these considerations,
an effective Do Not Track system would go beyond simply opting
consumers out of receiving targeted advertisements; it would opt them
out of collection of behavioral data for all purposes that are not
commonly accepted.
Commission staff will monitor further industry innovation in this
area, which may build upon existing industry initiatives and
incorporate elements of the different mechanisms being proposed today.
III. Conclusion
Thank you for the opportunity to provide the Commission's views. We
look forward to continuing this important dialogue with Congress and
this Committee.
Senator Pryor. Mr. Strickling?
STATEMENT OF HON. LAWRENCE E. STRICKLING, ASSISTANT SECRETARY
FOR COMMUNICATIONS AND INFORMATION, NATIONAL TELECOMMUNICATIONS
AND INFORMATION
ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE
Mr. Strickling. Thank you, Chairman Pryor, Senators Kerry
and Isakson. It's a pleasure to be here today to testify on
behalf of the Department of Commerce to discuss the state of
online consumer privacy. And I welcome the opportunity to
discuss how we can better protect consumer data privacy in this
rapidly evolving Internet economy. And in doing so I'm quite
pleased to testify here today with Chairman Jon Leibowitz of
the Federal Trade Commission.
As the principal advisor to the President on communications
and information policy, the NTIA has been hard at work over the
last 2 years with Secretary Locke's Internet Policy Task Force,
Department of Commerce General Counsel Cam Kerry, and
colleagues throughout the Executive Branch, to conduct a broad
assessment of how well our current policy framework for
consumer data is serving consumers, businesses and other
participants in the Internet economy.
I would also like to thank, in particular, the Federal
Trade Commission for its collaboration with us and its
leadership over the years in addressing this important issue.
To guide the overall agenda of the Internet Policy Task
Force, which includes issues in addition to privacy, we have
focused on two key principles.
The first is the idea of trust. It's imperative for the
sustainability and continued growth of the Internet that we
preserve the trust of all actors on the Internet. And nowhere
is this clearer than in the context of consumer privacy. If
users do not trust that their personal information is safe on
the Internet they'll be reluctant to adopt new services.
Our second principle is that we want to encourage multi-
stakeholder processes to address key Internet issues. We want
stakeholders to come together to deal with these issues in ways
that display the flexibility, speed and efficiency that often
are lacking with more traditional regulatory responses.
These two principles inform the new framework for
addressing online privacy that the Department proposed in its
privacy ``Green Paper'' last December. The key elements of this
framework include the following:
First, we recommended the establishment of a set of Fair
Information Practice Principles as the foundation for the
protection of consumer privacy in the Internet economy. These
principles will set a baseline of consistent, comprehensible
data privacy protection in new and established commercial
contexts.
Second, to promote flexibility and speed to address privacy
issues as they arise, the ``Green Paper'' recommended that the
Department engage actively with industry and consumer groups to
develop enforceable codes of conduct.
And third, consistent with the FTC's existing enforcement
role in the protection of privacy, the ``Green Paper''
recommends strengthening the Commission's authority to enforce
these baseline privacy principles.
We received roughly 100 comments on the ``Green Paper'' and
we are working hard to prepare a final document later this
spring as a statement of Administration policy in this area.
But, as we have reviewed the comments and we continued our
discussions, I can report today that the Administration now
recommends that Congress enact legislation to provide a firm
legal foundation supporting specific aspects of this new
policy.
We specifically recommend that any legislation to provide a
stronger statutory framework to protect consumer privacy should
contain three key elements.
First, it should create baseline consumer data privacy
protections--as Senator Kerry referred to it, a consumer bill
of rights--that are enforceable at law. Specifically, we
support making a comprehensive set of FIPPs the basis of this
law. This set of agreed-upon principles would provide clear
privacy protections for personal data in the commercial context
in which existing privacy laws do not apply or offer adequate
protection.
Second, legislation should provide the FTC with the
authority to enforce any baseline protections. Granting the FTC
explicit authority to enforce baseline privacy principles will
strengthen its role in consumer data privacy protection and
enforcement, resulting in better protection for consumers.
Third, legislation should create a framework that provides
incentives for the development of enforceable codes of conduct
as well as continued innovation around privacy protections.
These codes can allow industry and government to adapt rapidly
to a fast evolving online marketplace. And one incentive we
urge Congress to consider is to give the FTC the authority to
offer a safe harbor for companies that implement codes of
conduct that are consistent with the baseline protections.
This statutory framework is designed to be flexible, to
keep its requirements well-tailored, and to provide a basis for
greater interoperability with other countries' privacy laws.
Working together with Congress, the FTC, the Executive
Office of the President and other stakeholders, I am confident
in our ability to provide consumers with meaningful privacy
protections in the Internet economy, backed by effective
enforcement that could adapt to changes in technology, market
conditions, and consumer expectations. Establishing and
maintaining this dynamic consumer data privacy framework is not
a one shot game, and it will require the ongoing engagement of
all stakeholders. The Department and the Administration are
firmly committed to that engagement.
With or without legislation, the Department and NTIA will
continue to make consumer data privacy a top priority. We will
convene Internet stakeholders to discuss how best to encourage
the development of privacy codes of conduct. The Department
will support the Administration's efforts to encourage global
interoperability by stepping up our engagement in international
policymaking bodies. And we will continue to work with Congress
and all other stakeholders to develop consensus on reforms to
our consumer data privacy policy framework.
I look forward to working with this Committee on this
important issue, starting with answering any questions you have
for me today. Thank you.
[The prepared statement of Mr. Strickling follows:]
Prepared Statement of Hon. Lawrence E. Strickling, Assistant Secretary
for Communications and Information, National Telecommunications and
Information Administration, U.S. Department of Commerce
I. Introduction
Chairman Rockefeller, Ranking Member Hutchison, distinguished
Committee Members, thank you for the opportunity to testify on behalf
of the Department of Commerce (``Department'') to discuss Internet
privacy policy reform. I welcome the opportunity to discuss how we can
better protect consumer data privacy in the rapidly evolving Internet
Age. In doing so, I am pleased to testify here today with Jonathan
Leibowitz, the Chairman of the Federal Trade Commission (FTC).
As the principal advisor to the President on communications and
information policy, the National Telecommunications and Information
Administration (NTIA) has been hard at work over the last 2 years with
Secretary Locke's Internet Policy Task Force and colleagues throughout
the Executive Branch to conduct a broad assessment of how well our
current consumer data privacy policy framework serves consumers,
businesses, and other participants in the Internet economy. Over the
same period of time, the Internet Policy Task Force has engaged,
formally and informally, with a broad array of stakeholders, including
companies, consumer advocates, academic privacy experts, and other
government agencies. We identified privacy as a key issue in
strengthening consumer trust, which, in turn, is critical to realizing
the full potential for innovation and growth of the Internet. Our work
culminated in the release of the Task Force's ``Green Paper'' on
consumer data privacy in the Internet economy on December 16, 2010. The
Green Paper made ten separate recommendations about how to strengthen
consumer data privacy protections in ways that also promote innovation,
but it also brought to light many additional questions.
We sought public comment on these recommendations, and we have been
busy considering the roughly 100 written responses that were filed. One
general conclusion to be drawn from the comments is that the commenters
believe that American consumers should have stronger privacy
protections, and the companies that run our Internet economy should
have clearer rules of the road to guide their uses of data about
consumers.
II. Stakeholders' Perspectives on Our Current Consumer Data Privacy
Framework
The Internet economy is sparking tremendous innovation. During the
past fifteen years, networked information technologies--personal
computers, mobile phones, wireless connections and other devices--have
been transforming our social, political and economic landscape. A
decade ago, going online meant accessing the Internet on a computer in
your home. Today,``going online'' includes smartphones, portable games,
and interactive TVs, with numerous companies developing global
computing platforms in the ``cloud.''
The Internet is also an essential platform for economic growth,
both domestically and globally. Almost any transaction you can think of
is being conducted online--from consumers paying their utility bills
and people purchasing books, movies and clothes, to major corporations
paying their vendors and selling to their customers. According to the
U.S. Census Bureau, domestic online transactions currently total about
$3.7 trillion annually.\1\ Internet commerce is a leading source of job
growth as well, with the number of domestic IT jobs growing by 26
percent from 1998 to 2008, four times faster than U.S. employment as a
whole.\2\ By 2018, IT employment is expected to grow by another 22
percent.\3\
---------------------------------------------------------------------------
\1\ U.S. Census Bureau, Commerce Department, ``E-Stats,'' May 27,
2010, available at http://www.census.gov/econ/estats/2008/
2008reportfinal.pdf.
\2\ Commerce Secretary Gary Locke, Remarks on Cybersecurity and
Innovation, Georgetown University, Washington, D.C. (September 23,
2010).
\3\ Id.
---------------------------------------------------------------------------
As powerful and exciting as these developments are, they also raise
new privacy issues. The large-scale collection, analysis, and storage
of personal information is becoming more central to the Internet
economy. These activities help to make the online economy more
efficient and companies more responsive to their customer needs. Yet
these same practices also give rise to growing unease among consumers,
who are unsure about how data about their activities and transactions
are collected, used, and stored.\4\ A basic element of our current
consumer data privacy framework is the privacy policy. As we mentioned
in the Green Paper, these lengthy, dense, and legalistic documents do
not appear to be effective in informing consumers of their online
privacy choices. Surveys show that most Americans incorrectly believe
that a website that has an online privacy policy is prohibited from
selling personal information it collects from customers.\5\ In
addition, many consumers believe that having a privacy policy
guarantees strong privacy rights, which is not necessarily the case.\6\
---------------------------------------------------------------------------
\4\ According to a recent survey, 83 percent of adults say they are
``more concerned about online privacy than they were 5 years ago.''
Common Sense Media, Online Privacy: What Does It Mean to Parents and
Kids (2010), available at http://www.commonsensemedia.org/sites/
default/files/privacypoll.pdf (last visited March 5, 2011).
\5\ Joseph Turow, Chris Jay Hoofnagle, Deirdre K. Mulligan,
Nathaniel Good & Jens Grossklags, The Federal Trade Commission and
Consumer Privacy in the Coming Decade, 3 I/S: Journal of Law & Policy
723 (2007), available at http://www.is-journal.org/.
\6\ Chris Jay Hoofnagle & Jennifer King, Research Report: What
Californians Understand About Privacy Offline (2008), available at
http://papers.ssrn.com/sol3/papers.cfm?abstract
_id=1133075.
---------------------------------------------------------------------------
The difficulty of understanding a single privacy policy, however,
is modest when compared to the problem of comprehending how personal
data flows in today's online environment. A recent study found that 36
of the 50 most-visited websites state in their privacy policies that
they allow third-party tracking.\7\ This same study found that a few
prominent sites allow more than 20 different third-party tracking
mechanisms in the course of a month. One site even allowed 100 such
mechanisms.\8\ As the study points out, the privacy policy of the site
that an individual actually visits typically does not apply to these
third parties.\9\ In other words, to fully understand the privacy
implications of using a particular site, individuals will often have to
begin by considering the privacy policies of many other entities that
could gain access to data about them.
---------------------------------------------------------------------------
\7\ Joshua Gomez, Travis Pinnick, and Ashkan Soltani, Know Privacy,
at 27, June 1, 2009, available at http://knowprivacy.org/report/
KnowPrivacy_Final_Report.pdf.
\8\ Id. at 26.
\9\ Id.
---------------------------------------------------------------------------
As Americans begin using smartphones and other mobile Internet
devices in addition to, or instead of, laptop and desktop computers,
the difficulties of understanding personal data flow become even more
acute. The small screens that enable us to carry blogs, social
networks, and video around in our pockets pose a new challenge to
presenting consumers with information about personal data collection
and use. These devices may also make location information available,
which opens the door to an amazing array of new applications and
services, but also adds further complexity to consumer data privacy
issues.\10\ Assuring consumers that their privacy interests will be
protected in this rapidly changing environment is our core challenge.
---------------------------------------------------------------------------
\10\ See, e.g., Frank Groeneveld, Barry Borsboom, and Boy van
Amstel, Over-sharing and Location Awareness, Feb. 24, 2010, http://
www.cdt.org/blogs/cdt/over-sharing-and-location-awareness (discussing,
in the context of their project called ``Please Rob Me,'' how adding
location information to information posted on social networking sites
can have unintended consequences).
---------------------------------------------------------------------------
During the Department's outreach to stakeholders, we received
comments from consumer groups, industry, and leading privacy scholars,
all of whom agreed that large proportions of Americans do not fully
understand and appreciate what information is being collected about
them, and how they are able to stop certain practices from taking
place.\11\ Several consumer advocacy and civil liberties groups
expressed these concerns. These groups supported the Department's
overall recommendation to develop stronger privacy protections for
personal data in the commercial setting. One group expressed this
shared view about a basic lack of transparency particularly well:
---------------------------------------------------------------------------
\11\ All comments that the Department received in response to the
Green Paper are available at http://www.ntia.doc.gov/comments/
101214614-0614-01/.
[C]onsumers face a continuum of risk to personal privacy,
ranging from minor nuisances to improper disclosures of
sensitive information and identity theft. Such unscrupulous
practices, carried out without the consumers' knowledge or
consent, lead to diminished consumer trust in Internet data
practices, thus stunting growth and innovation.\12\
---------------------------------------------------------------------------
\12\ Consumers Union, Comment on Department of Commerce Privacy
Green Paper, Jan. 28, 2011, at 2.
Moreover, many consumer groups made a strong economic case for
consumer data privacy reform. Simply put, the inability to distinguish
among companies' privacy practices may lead consumers to conclude that
all companies engage in equally invasive practices. As one group noted,
``even companies willing to adopt the most stringent privacy policies
find that overseas customers are skeptical of those assurances because
of the lack of U.S. privacy laws to back them up.'' \13\
---------------------------------------------------------------------------
\13\ Center for Democracy and Technology, Comment on Department of
Commerce Privacy Green Paper, Jan. 28, 2011, at 3.
---------------------------------------------------------------------------
Interestingly, industry shares these views in many respects. Some
of the leading innovators in the Internet economy see things the same
way. In comments, a leading IT company refuted the argument that
baseline consumer data privacy protections would slow innovation: ``We
disagree with the arguments some have advocated against the adoption of
legislation, particularly that privacy legislation would stifle
innovation and would hinder the growth of new technologies by small
businesses. Instead, we believe that well-crafted legislation can
actually enable small business e-commerce growth.'' \14\ Other
companies reiterated the call for Federal privacy legislation; one
argued that ``dramatic and rapid technological advances are testing how
the fundamental principles that underpin consumer privacy and data
protection law--such as notice, consent, reasonable security, and data
retention--should apply.'' \15\ Another stressed that ``consumer-facing
companies . . . have powerful market incentives to protect user
privacy, and must respond to user demands in order to remain
competitive.'' \16\ To ensure continued consumer trust, this company
``strongly supports the development of a comprehensive privacy
framework for commercial actors . . . that create[s] a baseline for
privacy regulation that is flexible, scalable, and proportional.'' \17\
In short, uncertainty over keeping the trust of consumers online is as
unsettling for some businesses as it is for consumers.
---------------------------------------------------------------------------
\14\ Intel, Comment on Department of Commerce Privacy Green Paper,
Jan. 28, 2011, at 3.
\15\ Microsoft, Comment on Department of Commerce Privacy Green
Paper, Jan. 28, 2011, at 1.
\16\ Google, Comment on Department of Commerce Privacy Green Paper,
Jan. 28, 2011, at 2.
\17\ Id.
---------------------------------------------------------------------------
Commenters were not unanimous in their support for legislation, and
some expressed opposition to enacting baseline consumer data privacy
legislation. Some commenters asserted that legislation is appropriate
only where ``particularly sensitive privacy interests'' are
concerned.\18\ Others argued that a legislative framework would be
``too inflexible,'' \19\ a ``one size fits all'' \20\ collection of
rules that will become ``static.'' \21\ The Department took these
concerns seriously when developing the Green Paper's Dynamic Privacy
Framework for consumer data. A central feature of the Framework is an
emphasis on developing industry-specific, enforceable codes of conduct
that establish how Fair Information Practice Principles (FIPPs) apply
in a given commercial context. And these concerns are reflected in the
contours of the recommendations in this testimony.
---------------------------------------------------------------------------
\18\ Financial Services Forum, Comment on Department of Commerce
Privacy Green Paper, Jan. 28, 2011, at 8.
\19\ American Association of Advertising Agencies et al., Comment
on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 1.
\20\ Direct Marketing Ass'n, Comment on Department of Commerce
Privacy Green Paper, Jan. 28, 2011, at 4; see also American Business
Media, Comment on Department of Commerce Privacy Green Paper, Jan. 28,
2011, at 4; Computer & Communications Industry Association, Comment on
Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 18;
Keller & Heckman, Comment on Department of Commerce Privacy Green
Paper, Jan. 28, 2011 at 1.
\21\ Business Software Alliance, Comment on Department of Commerce
Privacy Green Paper, Jan. 28, 2011, at 4.
---------------------------------------------------------------------------
Thus, based on an initial review of comments, the Department sees a
shared set of principles that could help to inform our efforts to
reform consumer data privacy in the Internet economy. The general
agreement of commenters appears to rest on two tenets. First, to
harness the full power of the Internet age, we need to establish norms
and ground rules that promote innovative uses of information while
respecting consumers' legitimate privacy interests. Second, as we go
about establishing these privacy guidelines, we also need to be careful
to avoid creating an overly complicated regulatory environment.
III. Strengthening Our Consumer Data Privacy Framework Through
Baseline Protections
Exactly three months ago, the Department published its Green Paper,
which contained a set of preliminary policy recommendations to enhance
consumer protection, strengthen online trust, and bolster the Internet
economy. The paper made ten recommendations and sought comment on a set
of additional questions. In response to the paper, the Department
received thoughtful and well-researched comments from over a hundred
stakeholders representing industry, consumer groups, and academia.
Having carefully reviewed all stakeholder comments to the Green
Paper, the Department has concluded that the U.S. consumer data privacy
framework will benefit from legislation to establish a clearer set of
rules for the road for businesses and consumers, while preserving the
innovation and free flow of information that are hallmarks of the
Internet. The Department's privacy Green Paper--much like the staff
report of the Federal Trade Commission (FTC)--highlights the need for
stronger privacy protections for American consumers. As pointed out in
the Commerce report, the United States has a range of data privacy laws
that apply to individual sectors of the economy, such as health care,
consumer credit, and personal finance. But these laws may not offer
protection to some of the data uses associated with consumers'
activities in the Internet economy. An overarching set of privacy
principles on which consumers and businesses can rely could create a
stronger foundation for consumer trust in the Internet by providing
this broadly applicable framework.
Legislation to provide a stronger statutory framework to protect
consumers' online privacy interests should contain three key elements.
First, the Administration recommends that legislation set forth
baseline consumer data privacy protections--that is, a ``consumer
privacy bill of rights.'' Second, legislation should provide the FTC
with the authority to enforce any baseline protections. Third,
legislation should create a framework that provides incentives for the
development of codes of conduct as well as continued innovation around
privacy protections, which could include providing the FTC with the
authority to offer a safe harbor for companies that implement codes of
conduct that are consistent with the baseline protections. This
statutory framework is designed to be flexible, to keep its
requirements well-tailored, and to provide a basis for greater
interoperability with other countries' privacy laws.
A. Enacting a Consumer Privacy Bill of Rights
The Administration urges Congress to enact a ``consumer privacy
bill of rights'' to provide baseline consumer data privacy protections.
Legislation should consider statutory baseline protections for consumer
data privacy that are enforceable at law and are based on a
comprehensive set of FIPPs. Comprehensive FIPPs, a collection of
agreed-upon principles for the handling of consumer information, would
provide clear privacy protections for personal data in commercial
contexts that are not covered by existing Federal privacy laws or
otherwise require additional protection. To borrow from one of the
responses we received, baseline FIPPs are something that consumers
want, companies need, and the economy will appreciate.\22\
---------------------------------------------------------------------------
\22\ See Comment of Hewlett-Packard Co. on Notice of Inquiry, at 2,
June 14, 2010, available at http://www.ntia.doc.gov/comments/100402174-
0175-01/attachments/HP%20Comments%2E
pdf.
---------------------------------------------------------------------------
The Administration recommends that the baseline should be broad and
flexible enough to allow consumer privacy protection and business
practices to adapt as new technologies and services emerge. As noted by
two privacy scholars, ``[b]roadly worded legislation . . . motivates
firms to produce an industry code of conduct as a way to construe and
clarify the statutory scheme. Thus, baseline privacy legislation and
incentives for industry to develop codes of conduct can go hand-in-
hand.'' \23\
---------------------------------------------------------------------------
\23\ Professors Ira Rubinstein and Dennis Hirsch, Comment to the
Department Privacy Green Paper, January 28, 2011, available at http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=D120453B-
FB2B-4034-962C-C0A352328531.
---------------------------------------------------------------------------
Finally, a baseline law holds the promise of making our consumer
data privacy framework more interoperable with international
frameworks. Again, leading Internet innovators support baseline
legislation as a means of achieving this objective. For example, a
leading online company noted that ``FIPPs is a common language used by
many governments worldwide, so use of similar terminology will enhance
opportunities for agreement and practical approaches to data policy.''
\24\ A Web standards organization stated that ``[e]stablishing baseline
commercial data privacy principles contribute[s] to the further
harmonization of the global e-commerce market at least for the
countries attached to the OECD, and improve[s] the transatlantic
relations on online services of all sorts.'' \25\ Other comments, which
represent a wide variety of American companies, consumer advocates, and
academic scholars, also supported this position, often noting that
improving global interoperability could benefit companies by reducing
their compliance burdens overseas.\26\
---------------------------------------------------------------------------
\24\ Yahoo!, Comment to the Department Privacy Green Paper, January
28, 2011, available at http://www.ntia.doc.gov/comments/101214614-0614-
01/comment.cfm?e=F6A50C0B-00CC-44A6-B475-FE218170CA02.
\25\ World Wide Web Consortium, Comment to the Department Privacy
Green Paper, January 28, 2011, available at http://www.ntia.doc.gov/
comments/101214614-0614-01/attachments/ResponseW3C.pdf.
\26\ See, e.g., Professors Ira Rubinstein and Dennis Hirsch,
Comment to the Department Privacy Green Paper, January 28, 2011,
available at http://www.ntia.doc.gov/comments/101214614-0614-01/
comment.cfm?e=D120453B-FB2B-4034-962C-C0A352328531; Intel, Comment to
Department Privacy Green Paper, January 28, 2011, available at http://
www.ntia.doc.gov/comments/101214614-0614-01/attachments/
Intel%20Corp%20Dept%20Commerce%20green%20paper%20
comment.pdf (``Intel supports Federal legislation based on the Fair
Information Practices (FIPs) as described in the 1980 Organization for
Economic Co-Operation and Development (OECD) Privacy Guidelines.'')
---------------------------------------------------------------------------
The Green Paper suggested that comprehensive FIPPs can serve as a
basis for stronger consumer trust while also providing the flexibility
necessary to define more detailed rules that are appropriate for the
relationships and personal data exchanges that arise in a specific
commercial context. The FIPPs that the Green Paper presented for
discussion were transparency, individual participation, purpose
specification, data minimization, use limitation, data quality and
integrity, security, and accountability and auditing. We received many
thoughtful comments on how each of these principles might apply to the
commercial context, and we are continuing to assess whether these
principles provide the right framework for online consumer data
privacy. The Administration looks forward to working further with
Congress and stakeholders to define these baseline protections.
B. Implementing Enforceable Codes of Conduct Developed Through Multi-
Stakeholder Processes
To encourage specific but adaptable rules for businesses and
consumers in the implementation of baseline privacy principles, the
Administration recommends a framework that can promptly address
specific privacy issues as they emerge. In this framework, stakeholders
from the commercial, consumer advocacy and academic sectors, as well as
the FTC and other government agencies would come together to develop
enforceable best practices or codes of conduct based on the principles
in baseline legislation. This process would allow stakeholders to
develop codes of conduct that address privacy issues in emerging
technologies and business practices, without the need for additional
legislation. In this framework, the FTC could have the authority to
provide appropriate incentives, such as a safe harbor, for business to
develop and adopt codes of conduct. Compliance with an approved code of
conduct might be deemed compliance with the statutory FIPPs. Of those
stakeholders that supported legislation, most one telecommunication
company's conclusions that ``[a]s the Green Paper observes, such a safe
harbor provision will reinforce the industry's incentives to develop
self-governance practices that address emerging issues, and to follow
such practices.'' \27\ In addition, legislation should ensure that
stakeholders have appropriate incentives to revise enforceable codes of
conduct as changes in technology, market conditions, and consumer
expectations warrant.
---------------------------------------------------------------------------
\27\ Verizon, Comment to the Department Privacy Green Paper,
January 28, 2011, available at http://www.ntia.doc.gov/comments/
101214614-0614-01/comment.cfm?e=6BFB924F-75DD-4472
-94F3-F76DB8EE0376.
---------------------------------------------------------------------------
This recommendation reflects the Department's view that government
must support policy development processes that are nimble enough to
respond quickly to consumer data privacy issues as they emerge and that
incorporate the perspectives of all stakeholders. Industry, consumer
groups, and civil society, as well as the government, all have vital
roles to play in putting baseline privacy protections into practice in
the United States. A leading IT company captured this multi-stakeholder
perspective well, commenting that ``no single entity can achieve the
goal of building trust . . . as it is clearly a shared responsibility.
There is a role for governments, industry, and Non-Governmental
Organizations/advocacy groups (NGO's) working together to form a
`triangle of trust.' '' \28\ A multi-stakeholder strategy for
implementation ensures that government establishes the base of this
trust triangle. Such a strategy will be critical to ensure that we end
up with a framework that is rational, that provides businesses with
better information about what consumers expect (and vice versa), but
that is also dynamic. Below, I explain in greater detail the leading
role that the Department of Commerce could play in putting this multi-
stakeholder model into practice.
---------------------------------------------------------------------------
\28\ Intel, Comment to Department Privacy Green Paper, January 28,
2011, available at http://www.ntia.doc.gov/comments/101214614-0614-01/
attachments/Intel%20Corp%20Dept%20Comm
erce%20green%20paper%20comment.pdf.
---------------------------------------------------------------------------
C. Strengthening the FTC's Authority
The independent expertise of the FTC is another key element of this
framework. In addition to its leadership in developing consumer data
privacy policy, the FTC plays a vital role as the Nation's independent
consumer privacy enforcement authority. Granting the FTC explicit
authority to enforce baseline privacy principles would strengthen its
role in consumer data privacy policy and enforcement, resulting in
better protection for consumers and evolving standards that can adapt
to a rapidly evolving online marketplace.
D. Establishing Limiting Principles on Consumer Data Privacy
Legislation
As the Committee considers these recommendations, we would also
like to provide our thoughts on limitations that Congress should
observe in crafting consumer data that strengthens consumer privacy
protections and encourages continuing innovation. Legislation should
not add duplicative or overly burdensome regulatory requirements to
businesses that are already adhering to the principles in baseline
consumer data privacy legislation. Legislation should be technology-
neutral, so that it allows firms flexibility in deciding how to comply
with its requirements and encourages business models that are
consistent with baseline principles but use personal data in ways that
we have not yet contemplated. And, domestic privacy legislation should
provide a basis for greater transnational cooperation on consumer
privacy enforcement issues, as well as more streamlined cross-border
data flows and reduced compliance burdens for U.S. businesses facing
numerous foreign privacy laws.
IV. The Department's and NTIA's Next Steps on Internet Privacy Policy
With or without legislation, the Department and NTIA will continue
to make consumer data privacy on the Internet a top priority. We will
convene Internet stakeholders to discuss how best to encourage the
development of privacy codes of conduct. And, the Department will
support the Administration's efforts to encourage global
interoperability by stepping up our engagement in international
policymaking bodies. Finally, we will continue to work with Congress
and all stakeholders to develop consensus on reforms to our consumer
data privacy policy framework.
A. Convening Voluntary Efforts to Define Baseline Privacy Protections
The Department of Commerce can play a leading role in bringing
stakeholders together rapidly to develop enforceable codes of conduct,
in order to provide greater certainty for businesses and necessary
protections for consumers. The Green Paper notes that the Department--
and particularly NTIA--has the necessary expertise and can work with
others in government to convene companies, consumer groups, academics,
and Federal and State government agencies. It will be important to
bring NTIA's experience to bear in these activities, since NTIA can
work with other agencies and provide a center of consumer data privacy
policy expertise. The Department received significant stakeholder
support for the recommendation that it play a central role in convening
stakeholders. A broad array of organizations, including consumer
groups, companies, and industry groups announced their support for the
Department to help coordinate outreach to stakeholders to work together
on enforceable codes of conduct.\29\
---------------------------------------------------------------------------
\29\ See, e.g., Comments of Center for Democracy and Technology;
Comments of Consumers Union; Comments of Microsoft; Comments of
Walmart; Comments of Intel; Comments of Google; Comments of Facebook;
Comments of Interactive Advertising Bureau; and Comments of Yahoo!
---------------------------------------------------------------------------
Indeed, the Department is pleased to be part of an Administration
effort in which this approach to protecting consumer data privacy may
be immediately useful: The National Strategy for Trusted Identities in
Cyberspace (NSTIC).\30\ The NSTIC, which is a separate Administration
initiative being developed in close consultation with the private
sector, and is not part of the legislative proposal discussed in this
testimony, envisions enhancing online privacy and security through
services that provide credentials that improve upon the username and
password schemes that are common online. The NSTIC proposes a system
that would provide individuals the option of obtaining a strong
credential to use in sensitive online transactions. The NSTIC calls for
the participants in this digital identity marketplace to implement
privacy protections that are based on the FIPPs. Developing enforceable
codes of conduct through multi-stakeholder processes is one way that
the Department can work with the private sector to implement these
protections.
---------------------------------------------------------------------------
\30\ For further information, see NIST, About NSTIC, http://
www.nist.gov/nstic/ (last visited Mar. 14, 2011).
---------------------------------------------------------------------------
We thank you, Chairman Rockefeller, for supporting the announcement
that the Department of Commerce will host the National Program Office
to coordinate the Federal activities to implement NSTIC. With the
leadership of the private sector, the Department is ready and willing
to support the implementation of NSTIC by leveraging the tremendous
resources of NTIA and the National Institute of Standards and
Technology.
B. Encouraging Global Interoperability
Consistent with the general goal of decreasing regulatory barriers
to trade and commerce, the Department will work with our allies and
trading partners to reduce barriers to cross-border data flow by
increasing the global interoperability of privacy frameworks. While the
privacy laws across the globe have substantive differences, these laws
are frequently based on similar fundamental values. The Department will
work with our allies to find practical means of bridging differences,
especially those that are often more a matter of form than substance.
The Department will work with other agencies to ensure that global
privacy interoperability builds on accountability, mutual recognition
and reciprocity, and enforcement cooperation principles pioneered in
the Organisation for Economic Cooperation and Development (OECD) and
Asia-Pacific Economic Cooperation (APEC). Agreements with other privacy
authorities around the world (coordinated by key actors in the Federal
Government) could reduce significant business global compliance costs.
C. Developing Further Administration Views on U.S. Internet Policy
Finally, we are working to ensure that our work on consumer data
privacy policy complements and informs other Internet policy
development efforts that are underway in the Department and throughout
the Administration. An invaluable mechanism for making this happen is
the Privacy and Internet Policy Subcommittee of the National Science
and Technology Council. The Subcommittee, which the White House
announced last fall, is chaired by Commerce Department General Counsel
Cameron Kerry and Justice Department's Assistant Attorney General
Christopher Schroeder. The Subcommittee provides a forum for Federal
agencies and key White House offices to coordinate and exchange ideas
on how to promote a broad, visible, forward-looking commitment to a
consistent set of Internet policy principles. These core principles--
all of which apply to the consumer data privacy context--include
facilitating transparency, promoting cooperation, strengthening multi-
stakeholder governance models, and building trust in online
environments.
The Subcommittee has already provided the substantive policy
discussions that led to the legislative reform recommendations that I
am presenting today. The Department of Commerce looks forward to
continuing to work with this Committee.
V. Conclusion
In the end, the Obama Administration's goal is to advance the
domestic and global dialogues in ways that will protect consumers and
innovation, and to provide leadership on information privacy policy,
regulation, and legislation.
Working together with Congress, the FTC, the Executive Office of
the President, and other stakeholders, I am confident in our ability to
provide consumers with meaningful privacy protections in the Internet
economy, backed by effective enforcement, that can adapt to changes in
technology, market conditions, and consumer expectations. Establishing
and maintaining this dynamic consumer data privacy framework is not a
one-shot game; it will require the ongoing engagement of all
stakeholders. The Department and the Administration are firmly
committed to that engagement. The legislative approach that I have
outlined today would lend extremely valuable support to the dynamic
framework that we envision. I welcome any questions you have for me.
Thank you.
Senator Pryor. Thank you.
Chairman Leibowitz, let me start with you if I may. And
that is in your opening statement you mention this new icon
that online advertisers are using. My understanding is that
just came online just, you know, last several weeks at some
point. Are you encouraged by what you see or is it too early to
know if that's going to work?
Mr. Leibowitz. Well I would say we are encouraged by what
we are seeing. I would say the industry has been working in
good faith on this icon notion probably for the last 2 years. I
think you'll have someone testifying on the next panel about
that.
I would say that the pace of moving forward has become far
more rapid since the summer hearings this Committee held and
the House Energy and Commerce Committee held in the fall and
since we released our report in December. So it is promising
from our perspective. The majority of Commissioners would like
to see a Do Not Track mechanism that includes a prohibition on
tracking, not just sending ads back to consumers.
But there are important developments really just in the
last few days, including a number of members of that Digital
Advertising Alliance who would like to see restrictions on
tracking except for fraud purposes. So, yes.
Senator Pryor. Thank you.
Mr. Strickling, I think I saw yesterday, maybe last night,
a story that the White House is talking about a privacy bill of
rights or--do you anticipate that they'll come forward with a
proposal, with a bill or is this more just general concepts
that, you know, we can expect to see from the White House?
Mr. Strickling. Yes, sir. The ``Green Paper'' was put out
in December. And we are currently working to develop a more
complete and what we hope will be an Administration statement
of policy later this spring. What I testified to this morning
is that the Administration is now at the point of recommending
that this be dealt with in legislation.
We will continue to flesh out the particulars as we
complete our overall policy paper. But we're prepared to start
working with this Committee and other Members of Congress on
those specifics now.
Senator Pryor. Thank you.
Mr. Leibowitz, I have some questions for you about Do Not
Track, but I think what I'd like to do is go to Senator Isakson
since the vote just started and allow Senator Isakson to ask
and then Senator Kerry.
Go ahead.
Senator Isakson. Thank you, Mr. Chairman.
Mr. Leibowitz, in your--on page two of your prepared
testimony you have the number of cases you brought over the
last 15 years in various categories, spam, fair credit
reporting act, etcetera, children's protection. Is that volume
by category proportionate to the number of complaints that you
get or is it just?
Mr. Leibowitz. Well, we keep a complaint database, Consumer
Sentinel, and that's one way and a very important way in which
we develop cases. There are other ways as well. It's not a
perfect symmetry, but we like to think it's in proportion to
the need to bring cases. As you know we're a very small agency.
So we try to leverage our limited resources.
But we think we try to go where the harm is or is going to
be. And so we think it's reflective of that. But let me--I'll
get you some consumer complaints.
[The Federal Trade Commission submitted to the Committee,
after this hearing, the Federal Trade Commission Consumer
Sentinel Network Data Book, January-December 2010, published
March 2011. It is available at http://www.ftc.gov/sentinel/
reports/sentinel-annual-reports/sentinel-cy2010.pdf. The
executive summary follows.]
Executive Summary
Consumer Sentinel Network Data Book
January-December 2010
The Consumer Sentinel Network (CSN) contains over 6.1
million complaints dating from calendar year 2006 through
calendar year 2010. There are over 7.8 million do-not-call
complaints from this same time period.
The CSN received over 1.3 million complaints during calendar
year 2010: 54 percent fraud complaints; 19 percent identity
theft complaints; and 27 percent other types of complaints.
Identity theft was the number one complaint category in the
CSN for calendar year 2010 with 19 percent of the overall
complaints, followed by Debt Collection (11 percent); Internet
Services (5 percent); Prizes, Sweepstakes and Lotteries (5
percent); Shop-at-Home and Catalog Sales (4 percent); Impostor
Scams (4 percent); Internet Auction (4 percent); Foreign Money
Offers and Counterfeit Check Scams (3 percent); Telephone and
Mobile Services (3 percent); and Credit Cards (2 percent). The
complete ranking of all thirty complaint categories is listed
on page six of this report.
Fraud
A total of 725,087 CSN 2010 complaints were fraud-related.
Consumers reported paying over $1.7 billion in those fraud
complaints; the median amount paid was $594. Eighty-six percent
of the consumers who reported a fraud-related complaint also
reported an amount paid.
Sixty percent of all fraud-related complaints reported the
method of initial contact. Of those complaints, 45 percent said
e-mail, while another 11 percent said an Internet website. Only
10 percent of those consumers reported mail as the initial
point of contact.
Colorado is the state with the highest per capita rate of
reported fraud and other types of complaints, followed by
Maryland and Nevada.
Identity Theft
Government documents/benefits fraud (19 percent) was the
most common form of reported identity theft, followed by credit
card fraud (15 percent), phone or utilities fraud (14 percent),
and employment fraud (11 percent). Other significant categories
of identity theft reported by victims were bank fraud (10
percent) and loan fraud (4 percent).
Government documents/benefits fraud increased 4 percentage
points since calendar year 2008; identity theft-related credit
card fraud, on the other hand, declined 5 percentage points
since calendar year 2008.
Forty-two percent of identity theft complainants reported
whether they contacted law enforcement. Of those victims, 72
percent notified a police department. Sixty-two percent
indicated a report was taken.
Florida is the state with the highest per capita rate of
reported identity theft complaints, followed by Arizona and
California.
Mr. Leibowitz. As you know being a member of this
Committee, sometimes you'll see something you'll read about or
a Commissioner will and that will go into the investigative
process. So there are all different ways we bring cases.
Senator Isakson. That is exactly where I was going with my
follow up question. In most federal enforcement agencies the
cases they pursue are in response to complaints from citizens.
But you also--do you also monitor news media and reports and
then follow up based on whether or not it appears to fall under
your responsibility?
Mr. Leibowitz. Sure, we do. And in fact we brought a very
important antitrust case because Senator Klobuchar raised it at
a hearing maybe a year ago. This was on a merger involving a
drug used for children with heart defects. And so it comes from
a lot of places.
You know, we're a very bipartisan agency. All the
Commissioners have ideas of about what we should be doing and
it all is channeled into our investigative and our enforcement
efforts.
Senator Isakson. Where does the volume of penalties, I
mean, $60 million in civil penalties, $21 million in civil
penalties and five. It looks like to me it's about $80 million
in civil penalties you collect over the year. Where does that
money go? Back into the agency or back to the general treasury?
Mr. Leibowitz. It goes back to Treasury. And then more
often we will try to get redress for consumers. One of the
things that we try to obtain in the financial reform
legislation was the ability to get civil penalties for
violations of our standard unfair and deceptive acts or
practices authority. And it didn't make it into the final
legislation.
It was something that Caspar Weinberger actually supported
when he was the FTC Chair back in the early 1970s. And we hope
to come back and revisit that going forward. But as a result,
we have limited fining authority. It usually goes back to
Treasury.
Senator Isakson. I'm assuming based on what I've heard in
the testimony that probably the most effective way to protect
the consumer would be give them a mechanism to protect
themselves. You talked about the icon where you can just
elect----
Mr. Leibowitz. Yes.
Senator Isakson.--whether or not your information can be
shared or not. Do we know if technologically that--I think
technologically anything can be done now, but is that doable?
Mr. Leibowitz. Yes, that is doable. And the only question
is about exactly which way to do it.
Senator Isakson. Thank you, Mr. Chairman.
Senator Pryor. Thank you.
Senator Kerry?
Senator Kerry. Thank you, Mr. Chairman.
Chairman Leibowitz, I want to try--a lot has been discussed
about the Do Not Track proposal. And I want to try to hone in
on it a little bit. Is it your judgment that if a company comes
up with a pretty strict policy which has broad privacy
protections and adequate opt in, et cetera, et cetera, and opt-
out or out, do you think then that the Do Not Track is still
necessary?
Mr. Leibowitz. At this point I think we do, because if
individual companies have individual practices that may support
a baseline consumer or commercial bill of rights here, I think
that is a great idea it may not mean that every company has
that. And I think what we're trying to do, like you, is develop
a baseline for privacy protection for consumers.
So from my perspective a Do Not Track mechanism that's easy
to implement, going back to Senator Isakson's point, could be
an important choice mechanism for consumers and an important
way to protect privacy for consumers who want to limit
tracking.
Senator Kerry. So in terms of the potential harm or
protection depending on which way you look at it, that you're
trying to provide the consumer if you had a Do Not Track it
doesn't mean that they're going to get no advertising like a Do
Not Call means you're not going to get any calls. It simply
means you're not going to get customized advertising. But
you'll still get bombarded by advertising.
Mr. Leibowitz. You will still get advertising. It may not
be targeted. But again, from our perspective----
Senator Kerry. So the analogy to Do Not Call is not an
appropriate one. Would you----
Mr. Leibowitz. Yes, it's very different than Do Not Call.
Senator Kerry. OK.
Mr. Leibowitz. It's very different from Do Not Call. It's
also not government run as we run the Do Not Call list.
Senator Kerry. OK.
So then is there an assumption therefore that if you had a
standard and you had a code and you had a strong privacy
offering that the tracking is per se bad?
Mr. Leibowitz. No, we don't think tracking is per se bad at
all. We think most consumers won't mind being tracked. They get
more personalized advertising.
We just think consumers ought to have the ability to opt
out of that kind of tracking. I mean, the analogy we sometimes
use is if you're walking around a mall, someone shouldn't be
sort of tracking--following you around even if they don't know
who you are and sending e-mails off to the stores in front of
you saying well, that's Jon Leibowitz. He's interested in
buying a Madras jacket in his usual green and red colors.
You know, you should have the right not to be followed
around if you don't want to be followed around.
Senator Kerry. So if a firm has a very strong policy, a
privacy policy and then you have another firm that doesn't have
a very strong kind of policy.
Mr. Leibowitz. Right.
Senator Kerry. You're going to treat them both the same in
the context of the Do Not Track.
Mr. Leibowitz. Well.
Senator Kerry. There's no virtue to having the stronger
policy and therefore allowing the tracking to take place in the
context of that stronger policy.
Mr. Leibowitz. Well, stronger policy outside of Do Not
Track may have many virtues, right? It will include privacy by
design. It will include readable privacy notices. They'll be
transparency. They'll be more choice.
But my sense is that a lot of the most responsible
companies support a Do Not Track notion for third party
cookies. And so I think there's an enormous benefit to having a
baseline FIPPs privacy protection and then negotiated industry
codes. We're working with the Commerce Department on that.
But we also think there's a value in having the ability to
opt-out of targeted advertising or maybe targeted advertising
for just sensitive information like medical searches or
financial information.
Senator Kerry. With respect to the Wall Street Journal
series on the issue of what they know. I assume you followed
that?
What did you draw from that? What came out of that in your
judgment?
Mr. Leibowitz. So let me say a few general things and some
specific things.
So generally, what came out of that--and it was a series of
stories, as you know, last summer, and then many follow-ups.
One is that some companies have very good privacy
practices, but many of them do not. And it results in an
enormous amount of information being collected about consumers
that's invisible to consumers and not on the sites that they're
on, but by cookies and software embedded in consumer's
computers. And so it really was a motivation for us to step up
our enforcement efforts and to write our privacy report.
And then more specifically, we're having a debate about
whether to propose a Do Not Track mechanism. And one of the
issues we had internally in the Commission was: is it
technologically feasible? And of course, one of the stories, as
you know, was about Microsoft having developed this and the
balancing act they did between their privacy advocates and
engineers on the one hand and their marketers. And how they
resolved it was they sort of split the difference.
And so we knew then that Do Not Track was technologically
feasible. And Microsoft to its credit has stepped up and
endorsed the concept since our report.
Senator Kerry. Thank you.
[Laughter.]
STATEMENT OF HON. CLAIRE McCASKILL,
U.S. SENATOR FROM MISSOURI
Senator McCaskill. Thank you, Mr. Chairman.
I--you know when you talk about privacy it's in the same
category as motherhood and apple pie in this country. And I
think we've got a real problem here because what most Americans
don't understand and frankly, what maybe, unfortunately, two
Members of Congress don't understand is we have monetized the
Internet with behavior marketing. It is an amazing amount of
free information that is immediately accessible because of
behaviorally marketing. So I guess, you know, it equals money.
And so I guess my first question is have--does anybody
know? Do either of you know what the cost is going to be in
terms of the economic vibrancy of the Internet for some of the
things that are being considered? And isn't it fair to envision
that a Do Not Track in fairness since behavioral marketing is
money, isn't it fair to think that some of these companies are
going to charge for that?
Mr. Leibowitz. For opting out of tracking?
Senator McCaskill. Yes.
Mr. Leibowitz. We have not seen that yet even in the----
Senator McCaskill. But we haven't passed any laws yet.
Mr. Leibowitz. No, but to their credit, there is a major
group of companies, called the Digital Advertising Alliance,
that's in the process of offering some sort of free opt-out.
Now we think it should go a little further. But no one has
talked about monetizing that.
And I think that's a good thing. And I think it's a
recognition also that businesses understand that if you put
some limits on tracking or you have some privacy protections as
the Commerce Department envisions--and I'm supportive of that
though you don't necessarily need to be--the sky won't fall
down on Internet commerce. It's going to continue. And indeed
if consumers have more trust in the Internet, they're going to
do more business on the Internet too.
Senator McCaskill. Do you think that there is envisioned
where we draw the line? For example, we would never dream of
telling Slim Fast they couldn't advertise on Oprah, right?
Behavioral marketing. They know that there are mostly women
that are watching that show. And they know that most of their
product is consumed by women. And so they are behaviorally
marketing to that segment.
How will we draw the line between what kind of behavioral
marketing is fair and what kind of behavioral marketing invades
privacy?
Mr. Leibowitz. Well, I think you've raised a really
important point. And I don't know if you were here when Senator
Isakson was speaking. He used to run a company. They
advertised. And he pointed out that there's a difference
between advertising on the Internet where you can figure out
things about people, not from classic PI, personal information,
but from the aggregated enormous amounts of information.
And so it's different than advertising on Oprah or
advertising on TV. And that seems to me, that's a point where
we want to ensure privacy protections for consumers. And I
think that the Department--I don't speak for the Department of
Commerce, but I assume that you do.
Mr. Strickling. And I would just add to the comments the
Chairman has made that in our discussions we find a very strong
level of support among industry to create this baseline of
protections. The baseline though, it's fair to call it a bill
of rights. I mean what we have in mind is not unlike the Bill
of Rights, a concise statement of the right that the consumer
has, and then relying on industry, working with consumer
groups, working with other experts in the field, to come up
with these codes of conduct that provide more specificity.
We think, in that regard, we don't have to see the
government drawing some of these very difficult lines and
imposing them as regulation as long as we're providing adequate
oversight of this process by which industry, working with all
stakeholders, develops appropriate codes. We think we can get
to a regime that will greatly improve privacy for consumers and
still meet the needs of businesses who want to continue to see
the growth of the Internet.
Mr. Leibowitz. If I can just follow up briefly. And you're
right. I don't think most American consumers understand where
their information is going, how it's been monetized, how it's
been traded. But in another sort of bedrock level, I think they
get the issues of Internet privacy.
There was a poll by a group called Consumer Watchdog that
found 80 percent of Americans wanted to see a Do Not Track
option. I think Common Sense Media had a poll that you
mentioned, talking about greater concern that parents had over
their kids.
Senator McCaskill. Right.
Mr. Leibowitz. About Internet privacy and safety. Gallup
had a poll that also reflected this. So I think at some level
Americans understand.
Senator McCaskill. I agree. And I don't mean to cut you
off. But I don't want to miss this vote and while I'm going to
try to come back--I just think we've got to be very careful
about the unintended consequences.
We know the good guys are going to try to do this right. We
know the bad guys, it's going to be very hard to regulate them
in a way that makes sense. So what I don't want to do is
handcuff the good guys because with all due respect, I mean,
you know, if we think we're doing a really good job in consumer
oversight of the commerce in this country right now. You know,
I mean, don't get me started on the ads I see on cable TV that
I just need to get my government benefit and all of the things
that are out there that are not being adequately policed.
So I just want to make sure that we don't kill the goose
that laid the golden egg here under the rubric of the very
laudable notion of privacy. I just think that we've got to go
very carefully, make sure that we think about the unintended
consequences and most importantly, think about the bad guys
that aren't going to pay any attention to your code of conduct.
And consumers are going to continue to not have confidence
in the Internet as long as those bad guys are out there. So I
just--I think we've got to be very careful and not go too fast,
too far, without thinking about what may be down the line.
Mr. Strickling. If I could respond quickly to that. I think
the proposal that we've made answers your concern. It would
have legislation that would create a baseline of these fair
information practice principles. And those are some of the
things that the Chairman mentioned earlier, things like
transparency and disclosure, what level of consent.
I'm confident that if, in doing so, the Congress also gives
the FTC the enforcement authority to enforce that they're going
to be able to go after the bad guys based on that baseline. But
what the baseline allows though is the flexibility to the good
guys, as you call them, to craft the more specific protections
that they need to have to allow them to run their businesses.
Senator McCaskill. I agree. I will just tell you that I
have a feeling that, Mr. Leibowitz, that your budget is not
going to grow enormously over the next decade. And you've got
plenty of work to do over there.
And frankly a lot of work that needs to be done that you
can't do now. And if we're going to add to your work load and
at the same time do something that is going to minimize the
amazing things we've done on the Internet, I just think we've
got to make sure America buys into that agreement.
Mr. Leibowitz. Yes, I agree with that.
Senator Pryor. Let me interrupt here just for a second
because this vote is about to close. And Senator, we need to
run over there and vote. So what I'll do is recess this for
just a few moments. Let us go do these two votes. And then
we'll reconvene in just a few minutes.
Thank you.
[Recess.]
Senator Pryor. I'll reconvene the hearing. I want to thank
everyone for being patient with us and we had those two votes.
And my understanding is we have a few Senators on the way back
over. But I know that Senator Klobuchar wanted to ask questions
of this first panel.
So Senator Klobuchar?
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Well, thank you very much, Chairman.
Thank you for holding this hearing. And thank you to our two
witnesses and as well as the second panel.
But thank you, Chairman Leibowitz and Administrator
Strickling. It is great to be here with you on an important
topic. And I wanted to focus a little bit on websites with
teens and children maybe because I walked into my daughter's
room last night and she was webcasting with her friend. And
luckily they were working on their homework. And the interview
she's doing with Senator Murkowski which will be I'm sure,
devastating to Senator Murkowski.
But I wanted to ask you a few questions on this. A recent
Wall Street Journal article examined 50 websites popular with
teens and children to see what tracking tools they installed on
a test computer. As a group the sites used over 4,000 cookies,
beacons and other pieces of tracking technology. That it
actually 30 percent more than were found in a similar analysis
of adult websites which is rather disturbing I think that there
were more of these being used on children's websites.
Can you describe your agency's experiences dealing with
tracking of children and teens online? And what do you think
needs to be done here?
Mr. Leibowitz. Well, I think there's no doubt that there's
an extraordinary amount of monetizing of teen information. As
you know, from your daughter, who I believe is a very
responsible 15 year old. And I know from my children that they
spend a lot of time online.
And so one of the recommendations in our report discusses
the need for a kind of enhanced consent for children. We're
taking comments on that.
But of course one of the other issues with teens is often,
they act impulsively. They put things online that they never
expect will remain there. When a privacy policy of a social
network switches from something that protects privacy to
something that has less privacy protections sometimes kids
don't realize or teens don't realize that a lot of information
that they thought was private will be put online.
So it's a very important issue for us. And we are studying
it.
Senator Klobuchar. OK. Anything you would like to add,
Administrator?
Mr. Strickling. No.
Senator Klobuchar. As we talk about privacy I wondered
Chairman Leibowitz, if the FTC has looked into the issue of
privacy notifications on smartphones. As you can imagine those
are smaller letters and harder to read, yet they access the
same type of information and also have the same kind of privacy
concerns as other larger computer screens.
Mr. Leibowitz. Well, I believe in our report we looked at
mobile phones. We've done a number of hearings on mobile issues
because, you're right. In terms of privacy policies they're
much harder to read. In terms of applications for children, of
course, you wrote to us about a particular application. And we
were glad to see that the alleged malefactors have improved
their app standards.
These are all very, very important issues and particularly
in the mobile space. We're going to try to see how we can
encourage more consumer choice and more transparency. So few
people and certainly so few children understand the terms of
service. You need to have easy-to-understand terms of service
for children or parents who have a lot of information that's
taken from kids and that's placed online--information that
perhaps parents wouldn't want their kids to share, and kids or
teens may not want to share themselves.
Senator Klobuchar. Administrator?
Mr. Strickling. I think what I'd like to say in response to
both of the examples you've given is the fact that it's
impossible for us to predict today what the privacy issue is
going to be 6 months or 12 months from now. And that's why the
framework that the Administration is proposing for legislation
to use codes of conduct that will be prepared by this multi-
stakeholder group of industry is very important because it
gives you the speed and the flexibility to respond to these
types of issues when they arise. If we're chasing after these
issues and trying to write regulations in a more formal way
that perhaps take a year to write, we can't possibly stay up on
the issues that arise.
Senator Klobuchar. So the argument--yes.
Mr. Strickling. And so overall I think this again is
further demonstration of the need to have an industry-based,
actually a full multi-stakeholder process to work on these
codes of conduct and to deal with these issues when they arise.
And indeed that in effect is what, you know, Chairman Leibowitz
and the FTC are doing on an individual issue basis, is
assembling the parties to get them to talk about these issues
and nudging them in the right direction. And I think that's the
appropriate model we want going forward.
Senator Klobuchar. I think that's the name of Cass
Sunstein's book--Nudge.
Mr. Leibowitz. Nudge.
Senator Klobuchar. So that's all----
Mr. Leibowitz. Not noodge, not noodge. Nudge.
Senator Klobuchar. It looks like you want to add something.
But I just want--Chairman Leibowitz, but I wanted to follow up
on that. It would seem to me just one of the problems is, as we
all know under the best circumstance it takes so long for us to
get these laws done. So clearly if we can get these voluntary
codes of conduct that would respect the development of the
technology and also not interfere with the development of the
technology would be key as long as we actually get these
voluntary codes of conduct.
Mr. Chairman?
Mr. Leibowitz. Yes. And I wanted to check to our Bureau
Director to make sure I could say this. We have multiple
investigations going on of inadequate notice on mobile and to
kids. And apparently in one of the investigations we're doing,
the privacy notice on mobile was 151 or 152 clicks or screens
away.
[Laughter.]
Mr. Leibowitz. So I think the reasonable consumer will
not----
Senator Klobuchar. You're kidding. So you mean if they
wanted to find the privacy notice they had to click 152 times
to get to the window that----
Mr. Leibowitz. 106 or 107 because the first time you may
not have to click. But yes.
Senator Klobuchar. OK. Well I get it. Well, thank you for
clarifying that for the record.
[Laughter.]
Senator Klobuchar. Alright. Thank you to both of you. And I
appreciate the way that this is moving. I think it's the right
way. Thank you.
Senator Pryor. Thank you both for joining us today. There
are several Senators who either had to come and go or expressed
an interest in being here. And probably we'll leave the record
open for a couple weeks to allow Senators to ask questions.
We'd appreciate a quick response.
But thank you all for being here today. And I'll go ahead
and introduce our second panel.
Mr. Leibowitz. Thank you, Mr. Chairman.
Senator Pryor. Oh, thank you very much. Thank you.
We'll go ahead and bring up our second panel. And the staff
as always will do a quick switch, switcheroo here. And bring
the second panel forward with their name tags.
And as they are doing this what I'll do is I'll go ahead
and introduce the members of the second panel. And then once
they get situated I'll just call on them as we go down the row.
First would be Erich Andersen, Vice President and Deputy
General Counsel of Microsoft.
Second will be John Montgomery, Chief Operating Officer of
GroupM Interaction.
Third will be Ashkan Soltani, Researcher and Consultant.
Fourth will be Barbara Lawler, Chief Privacy Officer for
Intuit.
And the fifth, last but certainly not least, will be Chris
Calabrese, Legislative Counsel with the American Civil
Liberties Union.
So as we're getting set up here. And I see water is getting
poured and charts are getting established. Just one moment we
will go ahead and call on Mr. Andersen whenever we are ready.
So, Mr. Andersen, go ahead.
STATEMENT OF ERICH D. ANDERSEN,
DEPUTY GENERAL COUNSEL, MICROSOFT CORPORATION
Mr. Andersen. OK. Thank you, Mr. Chairman.
Mr. Chairman and honorable members of the Committee, my
name is Erich Andersen and I'm the Deputy General Counsel of
Microsoft's Windows Division. Thank you for inviting me to
testify today about the state of online privacy. We applaud the
leadership that the Committee has shown on this issue.
I also want to endorse Assistant Secretary Strickling's
call for federal privacy legislation.
Legislation can be an important component of a multipronged
approach to privacy but also includes technology tools,
industry initiatives and consumer education. At Microsoft
consumer trust is vital to our business. And privacy is a
critical component to earning and maintaining that trust. In
all our service offerings we strive to be transparent about our
privacy practices, offer meaningful privacy choices and protect
the security of the data that we store.
In my role for the Windows Division, I've worked with our
software team to develop privacy enhancing features for Windows
and Internet Explorer. We have groups working on similar
efforts throughout Microsoft including for our Bing search
engine, Xbox gaming platform and our advertising services. The
different ways that we engage with consumers give us a unique
perspective on the privacy discussion. In light of our
experience we believe that a combination of technology tools,
industry initiatives, consumer education and legislation is
needed to protect privacy and promote innovation.
Let me briefly explain the importance of technology. At
Microsoft we have implemented privacy by design. We engineer
privacy into our products and services from the outset. And we
consider privacy throughout the product life cycle.
One example of where we put this principle into practice is
the privacy features we've developed for Internet Explorer. The
most recent version of Internet Explorer, IE 9 was released
this week. And it offers a ground breaking new tool called
tracking protection.
This Do Not Track feature allows consumers to decide which
sites can receive their data and blocks content from sites that
they view as engaged in tracking providing consumers with
greater control over their online experiences. We're very proud
that Internet Explorer was the first major browser to respond
to the FTC's recent call for a Do Not Track mechanism. We look
forward to working with all stakeholders to implement Do Not
Track tools in a meaningful way for consumers and businesses
alike.
Industry initiatives can be effective in complementing
technology tools. For instance, we've long partnered with the
Network Advertising Initiative to develop principles governing
online behavioral advertising. We're continuing to collaborate
with members of the Digital Advertising Alliance and others in
the advertising industry to implement guidelines and best
practices to help ensure that consumers understand and can
easily opt-out of behavioral advertising.
The third element of a comprehensive approach to privacy is
consumer education. We agree with the FTC and the Commerce
Department that consumers need a better understanding of data
practices. That's why we provide consumers with clear
information about our own practices and offer choices about
what data will be collected and how it will be used. We've also
partnered with consumer advocates and government agencies to
develop educational materials on consumer privacy and data
security.
The last critical element is federal privacy legislation.
Legislation is needed because the current sectoral approach to
privacy regulation is confusing to consumers and it's costly
for businesses. We believe that legislation should establish a
common set of privacy and security requirements that are not
specific to any one technology, industry or business model.
For particular industries or business models industry
initiatives should co-exist with or should build on top of the
baseline obligations of the law. Online advertising is a
perfect example. Baseline federal privacy requirements around
user notice, control and security can complement industry
initiatives and innovative technology tools.
In conclusion, Microsoft is committed to working with you
to protect consumer privacy in a way that complements technical
and industry based measures and promotes continued innovation.
Thank you for giving us this opportunity to testify today. I
look forward to answering any questions you may have.
[The prepared statement of Mr. Andersen follows:]
Prepared Statement of Erich Andersen, Deputy General Counsel,
Microsoft Corporation
Chairman Rockefeller, Ranking Member Hutchison, and honorable
Members of the Committee, my name is Erich Andersen, and I am Deputy
General Counsel of Microsoft's Windows Division. Thank you for the
opportunity to share Microsoft's views on an issue that needs the
attention of Congress and the work of this Committee: the adoption of
meaningful privacy legislation that protects individuals' privacy while
complementing technological and industry-based measures and promoting
continued innovation. We appreciate the leadership that the Committee
has shown on this issue, and we are committed to working
collaboratively with you, the Federal Trade Commission, the Department
of Commerce, consumer groups, and other stakeholders to achieve this
important balance.
In my role for the Windows Division, I have worked with our
software team to develop privacy-enhancing features and tools for
Windows and Internet Explorer. We have teams working on similar efforts
throughout Microsoft--for instance, in the Bing search team, the online
advertising division, the Xbox group, and our cloud computing group.
Our goal across Microsoft is to build trust with consumers by giving
them the tools they want to make them productive and enrich their
computing experience. Privacy is a critical component of earning and
maintaining that trust. In all of our service offerings, we strive to
be transparent about our privacy practices, offer meaningful privacy
choices, and protect the security of the data we store.
The multiple contexts in which we engage with consumers give us a
unique perspective on the privacy discussion. For example, as a website
operator, an ad network, and a browser manufacturer, we have a deep
understanding of the roles that different participants in the digital
ecosystem play in safeguarding consumer privacy. Also, based on our
longstanding involvement in the privacy debate, we recognize that the
combined efforts of industry and government are required to effectively
balance the need to protect consumers' privacy interests and promote
innovation. In light of our experience, we recommend a multi-pronged
approach that includes legislation, industry self-regulation,
technology tools, and consumer education.
Today, I will explain why we believe that each of these four
elements is important for protecting consumer privacy, and I will
highlight steps that Microsoft has taken in each area. But first I
would like to start with a discussion of how technology has reshaped
consumers' engagement online and their privacy expectations.
I. Protecting Privacy While Enabling Innovation
The explosive growth of the Internet, cloud computing, the
proliferation of computers and handheld mobile devices, and the
expansion of e-commerce, e-government, e-health, and other web-based
services have brought tremendous social and economic benefits. At the
same time, however, technology has fundamentally redefined how, where,
and by whom data is collected, used, and shared. The challenge that
industry and government must address together is how to best protect
consumers' privacy while enabling businesses to develop a wide range of
innovative products and services.
Consider, for example, online advertising. Online advertising is
the fuel that powers the Internet and drives the digital economy. Over
$25 billion was spent on online advertising in 2010.\1\ Millions of
websites are able to offer their content and services for free because
of the revenue they derive from advertising online. For small and
medium-sized businesses in particular, online advertising has created
new opportunities to inform consumers about their products and
services. One study estimates that the advertising-supported Internet
ecosystem is responsible for creating 3.1 million American jobs, and
that the dollar value of these wages totals approximately $300
billion.\2\ Consumers also benefit--not only because online advertising
enables the free services and content they enjoy, but because the ads
they see are more likely to be relevant. Simply put, the richness and
vibrancy of the modern Internet experience is due in large part to the
success of online advertising.
---------------------------------------------------------------------------
\1\ Kristen Schweizer, U.S. Web Advertising Exceeds Newspaper Print
Ads in 2010, eMarketer Says, Bloomberg (Dec. 20, 2010), http://
www.bloomberg.com/news/2010-12-20/u-s-web-ads-exceed-newspaper-print-
ads-in-2010-emarketer-says.html.
\2\ Hamilton Consultants, Inc., Economic Value of the Advertising-
Supported Internet Ecosystem 4 (June 20, 2009), http://www.iab.net/
media/file/Economic-Value-Report.pdf.
---------------------------------------------------------------------------
The collection of data to serve ads on the Internet also has
important privacy implications. When Justice Louis Brandeis famously
defined privacy as ``the right to be let alone'' in 1890,\3\ he could
not have foreseen how technology would revolutionize our world. An
individual planning a trip to Boston can now go online to compare
airfares, book a hotel room, map out restaurant recommendations that
are convenient to her itinerary, and poll her network of friends for
suggestions about things to do during her trip. Every day, people
generate billions of page views, transactions, downloads, and search
queries--a mountain of data, across a myriad of different devices, that
reveals valuable information about users' interests. As one of
Microsoft's senior executives recently recognized, industry can and
must do better in addressing the fact that consumers often do not
understand the ways in which their data is bought, sold, bartered,
exchanged, traded, and used.\4\
---------------------------------------------------------------------------
\3\ Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4
Harv. L. Rev. 193, 193 (1890).
\4\ See Emily Steel, Microsoft Executive Urges Online Ad Industry
to Police Itself, Wall St. J. Digits Blog (Feb. 28, 2011, 6:28 PM),
http://blogs.wsj.com/digits/2011/02/28/microsoft-executive-urges-
online-ad-industry-to-police-itself/ (referencing comments by Rik van
der Kooi, corporate vice president of Microsoft's Advertiser &
Publisher Solutions group, at the annual leadership meeting of the
Interactive Advertising Bureau).
---------------------------------------------------------------------------
In the digital era, privacy is no longer about being ``let alone.''
Privacy is about knowing what data is being collected and what is
happening to it, having choices about how it is collected and used, and
being confident that it is secure. These three principles--
transparency, control, and security--underpin Microsoft's approach to
privacy. They are also essential components of the thoughtful privacy
frameworks recently advanced by the Federal Trade Commission (FTC) and
the Department of Commerce.\5\ We believe that the principles of
transparency, control, and security should inform legislative, self-
regulatory, technological, and educational initiatives to safeguard
consumer privacy.
---------------------------------------------------------------------------
\5\ See generally Fed. Trade Comm'n, Preliminary Staff Report,
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed
Framework for Businesses and Policymakers (Dec. 1, 2010) [hereinafter
FTC Staff Report]; Internet Policy Task Force, Dep't of Commerce,
Commercial Data Privacy and Innovation in the Internet Economy: A
Dynamic Policy Framework (Dec. 16, 2010) [hereinafter Commerce Report].
As we noted in comments filed with the FTC and the Commerce Department,
we applaud the Commission's and Department's efforts to develop a
robust privacy framework that will withstand rapid technological
advances while fostering innovation.
---------------------------------------------------------------------------
II. A Role for Congress and Comprehensive Privacy Legislation
As we focus on what can be improved, it is important to note that
in the past year, significant progress has been made toward protecting
individuals' privacy: technological solutions to empower consumers to
control their personal information are now widely available, consumers
are much more educated about the nature and scope of privacy risks,
enforcement actions have been taken by the FTC, and legitimate industry
practices are becoming better and more consistent. Federal legislation
can be an effective complement to this strategy, providing an
additional layer of protection for consumers and another tool for
enforcement officials.
Historically, Congress has played an active role in protecting
consumers online. Beginning in the late 1990s, Congress passed laws
aimed at specific online harms and revised existing laws to account for
the evolving ways in which technology was being used to collect, use,
and share personal information. Examples include the Children's Online
Privacy Protection Act of 1998, the privacy and security provisions for
financial information in 1999's Gramm-Leach-Bliley Act, the CAN-SPAM
Act of 2003, and the breach notification provisions for protected
health information that were included in 2009's Health Information
Technology for Economic and Clinical Health Act. Congress (and this
Committee in particular) has also scrutinized important privacy-related
issues such as online advertising, data security and breach
notification, privacy in connection with broadband providers, spyware,
and children's online safety.
Although the progress that has been made is notable and should not
be overlooked, our view since 2005 has been that Congress should take
the next step and enact comprehensive Federal privacy legislation. One
of the key problems with the current sectoral approach to privacy
regulations is that it makes compliance a complex and costly task for
many organizations. According to one estimate, by 2009 there were over
300 Federal and state laws relating to privacy.\6\ The sector-specific
approach also creates confusion among consumers, and can result in gaps
in the law for emerging sectors or business models.
---------------------------------------------------------------------------
\6\ Lee Gomes, The Hidden Cost of Privacy, Forbes, June 8, 2009,
available at http://www.forbes.com/forbes/2009/0608/034-privacy-
research-hidden-cost-of-privacy.html.
---------------------------------------------------------------------------
What industry needs is Federal privacy legislation that sets forth
baseline privacy protections for transparency, consumer control, and
security that are not specific to any one technology, industry, or
business model. Privacy protections that apply across sectors would
provide consistent baseline protections for consumers, and simplify
compliance for businesses that increasingly operate across those
sectors. Baseline privacy protections would also promote accountability
by ensuring that all businesses use, store, and share commercial data
in responsible ways, while still encouraging companies to compete on
the basis of more robust privacy practices. In addition, legislation
would create legal certainty by preempting state laws that are
inconsistent with Federal policy.
Microsoft is pleased to see that members in both chambers of
Congress are taking up the issue of comprehensive privacy legislation
in the current congressional session, and we also find it encouraging
that some of these initiatives appear to have early bipartisan support.
As these proposals advance through the legislative process, we note
that any privacy legislation should be crafted with two goals in mind.
First, the legislation must protect consumers' privacy and data
security while enabling innovation and facilitating the productivity
and cost-efficiency offered by new business models and computing
paradigms. Second, the legislation should create privacy protections
that can withstand the rapid pace of technological change so that
consumer data is protected not only today, but also in the decades to
come.
To achieve these two ends, any proposed legislation should be
tested against certain fundamental criteria, among them:
Flexibility. The legislation should permit businesses to
adapt their policies and practices to match the contexts in
which consumer data is used and shared and be sufficiently
flexible to allow technological innovation to flourish.
Certainty. The legislation should provide businesses with
certainty about whether their privacy policies and practices
comply with legal requirements.
Simplified data flows. The legislation should seek to
facilitate the interstate and international data flows that are
necessary to enable more efficient, reliable, and secure
delivery of services, including through harmonizing
international privacy regimes and preempting a patchwork of
state privacy laws.
Technology neutrality. The legislation should avoid
preferences for particular services, solutions, or mechanisms
to provide notice, obtain choice, or protect consumer data.
Focus on substantive outcomes. Instead of imposing
prescriptive rules that may be of limited effect or that may
burden businesses without yielding commensurate privacy
benefits, the legislation should set privacy goals based on
criteria established in current public policy, then permit
businesses to adopt methods and practices to reach those goals
in a manner that best serves their business models,
technologies, and the demands of their customers.
We look forward to continuing to work with this Committee to craft
legislation that meets these criteria.
III. A Role for Industry Self-Regulation and Best Practices
Legislation, while important, is only part of the solution.
Legislation is an appropriate vehicle for setting baseline standards,
but it must work in conjunction with industry self-regulation and best
practices, technology solutions, and consumer education.
Industry self-regulation is a useful complement to legislation for
two reasons. First, self-regulatory efforts can easily be tailored to
the particular context in which data about individuals is collected and
used. Consumers have different privacy expectations depending on
whether they are interacting with retailers, application developers,
social media platforms, search engines, Internet service providers,
publishers, advertisers, ad networks, or data exchanges. Effective
privacy protections should take into account consumers' reasonable
expectations of privacy, and industry self-regulation offers a flexible
tool for doing so. Second, self-regulatory efforts are generally well-
positioned to keep pace with evolving technologies and business models.
There is no question that technology, business models, and consumer
adoption of online services will continue to change--and change
rapidly. A decade ago, few consumers were publicly sharing their
personal photographs and home videos, but today consumers regularly
post these materials on social networking and online video websites
without hesitation because they believe such services are valuable. In
2003 Facebook was just an idea in the mind of a Harvard undergraduate,
but today there are companies whose entire business model is built
around developing applications for Facebook and other social media
platforms.
Given the complex and dynamic nature of the online ecosystem,
crafting workable solutions requires engagement from multiple
stakeholders. Microsoft has a history of working collaboratively with
other companies to develop appropriate solutions that build on the
principles of transparency, control, and security. For example,
Microsoft is a strong supporter of the Self-Regulatory Program for
Online Behavioral Advertising, which includes an educational website
where consumers can learn about online advertising and choose not to
have their information used for behavioral advertising. Additionally,
data security is one of the focal points of the Program: participating
organizations must agree to provide appropriate security for, and limit
their retention of, data collected and used for behavioral advertising.
In our multiple roles as a browser manufacturer, ad network, and
website operator, we are coordinating with the Interactive Advertising
Bureau and other participants in the Self-Regulatory Program to ensure
that this important initiative is effective, enforceable, and broadly
accepted. Consistent with our commitment to responsible industry
leadership, we are also working at the World Wide Web Consortium, the
standards-setting body for the Web, to develop an industry consensus
about technical standards that can implemented across browsers to
enable common tools for consumers to block tracking activities by third
parties.
Transparency, control, and security are also essential concepts in
Microsoft's Privacy Guidelines for Developing Software Products and
Services, which are based on our internal privacy standards. We make
these standards publicly available at http://www.microsoft.com/privacy
for other organizations to use when developing and guiding their own
product development processes. To encourage industry to adopt these
guidelines, we have taught courses for others in industry to educate
them on the standards.
IV. A Role for Technology Solutions
As a technology company, we naturally believe that technology has a
key role to play in protecting consumer privacy. To ensure that we
engineer privacy into our products from the outset and consider privacy
issues throughout the project lifecycle, we have implemented internal
policies and procedures that advance key principles such as
transparency, control, and security.\7\ For example, in individual
business groups such as Windows, Office, and Xbox, we have a three-tier
system of privacy managers, privacy leads, and privacy champs who help
make sure that our products and services comply with our standards and
applicable privacy laws. We also have a dedicated Trustworthy Computing
team that works with business groups across the company to ensure that
their products and services adhere to Microsoft's security and privacy
policies. Although my colleagues in other divisions would be delighted
to provide you with details about our initiatives for Bing, Kinect, and
other products and services, I want to focus on our industry-leading
browser, Microsoft's Internet Explorer.
---------------------------------------------------------------------------
\7\ Both the FTC's proposed framework and legislation currently
moving through Congress recognize the importance of a robust privacy by
design program. We support these efforts to encourage industry to
incorporate privacy protections into their data practices and to
develop comprehensive privacy programs.
---------------------------------------------------------------------------
Internet Explorer has really been a pioneering technology for
protecting consumer privacy online. It was the first browser to
introduce InPrivate Browsing, a feature that prevents a consumer's
browsing history, temporary Internet files, form data, cookies, and
usernames and passwords from being retained by the browser, thereby
leaving virtually no evidence of the consumer's browsing history.
Another feature in Internet Explorer 8, InPrivate Filtering, watches
for third-party content that appears with high frequency across
websites from companies that may be engaged in tracking activities,
while still allowing consumers to view the content on the sites they've
chosen to visit.
The InPrivate features were breakthroughs, but what I would like to
highlight today is that Microsoft was the first of the major browser
manufacturers to respond to the FTC's recent call for a persistent,
browser-based ``Do Not Track'' mechanism.\8\ The version of our browser
that is being released this week, Internet Explorer 9, will offer an
innovative new feature, ``Tracking Protection,'' that allows consumers
to decide which sites can receive their data and filters content from
sites identified as privacy threats. Users will be able to create or
download Tracking Protection Lists that identify websites which are, in
the view of the list creator, trustworthy or untrustworthy. If a site
is listed as a ``do not track'' site on a Tracking Protection List,
Internet Explorer 9 will block third-party content from that site,
unless the user visits the site directly by clicking on a link or
typing its web address. By limiting ``calls'' to third-party websites,
Internet Explorer 9 limits the information these third-party sites can
collect--without relying on the third-party sites to read, interpret,
and honor a do-not-track signal. At the same time, Tracking Protection
Lists can include ``OK to call'' entries that permit calls to specific
sites, which allows consumers to create exceptions in a given list.
---------------------------------------------------------------------------
\8\ See FTC Staff Report 66 (``Commission staff supports a more
uniform and comprehensive consumer choice mechanism for online
behavioral advertising, sometimes referred to as `Do Not Track.' . . .
The most practical method of providing uniform choice for online
behavioral advertising would likely involve placing a setting similar
to a persistent cookie on a consumer's browser and conveying that
setting to sites that the browser visits, to signal whether or not the
consumer wants to be tracked or receive targeted advertisements.'')
---------------------------------------------------------------------------
The Tracking Protection feature is highly customizable and can be
adapted to specific user preferences because anyone on the Web
(including consumer groups and privacy advocates, enterprises, security
firms, and consumers) will be able to create and publish Tracking
Protection Lists--they are simply files that can be uploaded to a
website and made available to others via a link. Tracking Protection
also supports user control: consumers can create or subscribe to more
than one list if they wish, they can subscribe and unsubscribe to lists
as they see fit, and a decision to subscribe to a list or lists will
enable Tracking Protection across all browsing sessions until the
consumer chooses to turn it off. Finally, Tracking Protection was
designed with security in mind: because the Web evolves over time and
third parties might migrate to new domain names, Internet Explorer 9
will automatically check for updates to a consumer's lists on a regular
basis, helping ensure that the lists address the latest privacy and
security threats.
V. A Role for Consumer Education
We agree with the FTC and the Commerce Department that there is a
need for greater consumer education to increase consumer understanding
of data practices and their privacy implications.\9\ At Microsoft, we
recognize that it is crucial to engage and educate consumers, to give
them a voice and build a bridge to mutual understanding and benefit.
That is why we provide consumers with clear information about our own
practices and, where appropriate, offer choices about what data will be
collected and how it will be used.
---------------------------------------------------------------------------
\9\ See FTC Staff Report 78-79; Commerce Report 31-36.
---------------------------------------------------------------------------
Microsoft was one of the first companies to adopt ``layered''
privacy notices. The Microsoft Online Privacy Statement provides
consumers with the most important information about our privacy
practices in a concise, one-page upfront summary with links to
additional layers that describe in more detail our data collection and
use practices, including the concepts of purpose specification and use
limitation. Moreover, as noted above, we offer consumers easy ways to
learn about online behavioral advertising and the privacy practices
associated with the particular advertisements they receive, and to opt-
out of behavioral advertising if they so choose.
We have also partnered with consumer advocates and government
agencies to develop educational materials on consumer privacy and data
security, such as:
National Cyber Security Alliance (NCSA). Microsoft is part
of this nonprofit public-private partnership that offers online
safety and security information to the public on the http://
www.staysafeonline.org website and through educational efforts
such as National Cyber Security Awareness Month.
GetNetWise. Microsoft supports this public education
organization and website (www.getnetwise.org), which offers
Internet users resources for making informed decisions about
safer Internet use.
Internet Keep Safe Coalition (www.ikeepsafe.org). Microsoft
is a part of this partnership of Governors, attorneys general,
public health and educational professionals, law enforcement,
and industry leaders working together for the health and safety
of youth online.
Stop. Think. Connect (http://
safetyandsecuritymessaging.org). Microsoft and a host of other
organizations support this online safety campaign that promotes
greater awareness and safer behavior on the Web.
We believe that such initiatives are important for ensuring that
consumers understand the importance of protecting their privacy and
security online, and are equipped with the tools to do so.
VI. Conclusion
Thank you for extending us an invitation to share our experience
and recommendations with you. We commend the Committee for holding this
hearing today, and we look forward to working with you to craft
meaningful privacy protections that provide transparency, control, and
security in a way that honors individuals' privacy expectations,
complements existing technological and industry-based solutions, and
promotes innovation.
Senator Pryor. Thank you.
Mr. Montgomery?
STATEMENT OF JOHN MONTGOMERY,
CHIEF OPERATING OFFICER, GroupM INTERACTION
Mr. Montgomery. Senator Pryor, members of the Committee,
good morning and thank you for the opportunity to testify.
My name is John Montgomery. I'm the Chief Operating Officer
of the North American operations of GroupM Interaction. GroupM
is the world's leading, full service media investment operation
employing over 17,000 employees in 81 countries. Our clients
are some of the biggest brand advertisers in the world who we
advise on where to place advertisements most effectively.
I begin my remarks where I believe the Committee's
examination should begin with a review of the tremendous
benefits provided by online advertising. While the Internet has
revolutionized our lives in extraordinary and exciting ways and
advertising is the fuel for the Internet economic engine.
Behavioral advertising, also called interest based advertising,
is an essential practice that delivers advertising based on
consumer preferences or interests as inferred from data about
online activities.
For example if a browser's activity suggested the user has
a new baby we can show offers for baby products rather than
retirement homes or sports cars. Consumers find such
advertisements more relevant than random messages and
advertisers are more likely to attract consumers that are
interested in their products and services.
We at GroupM and our clients strongly believe in protecting
consumer privacy. It's not only the right thing to do, but it's
good for business. And I'm excited to share with the Committee
the work that we've done to make sure that the consumers have
both transparency and control to exercise their preferences in
regard to online behavioral advertising.
GroupM has participated in an unprecedented cross industry
effort by leading trade associations and companies that
responds to the FTC's report that calls for self regulation on
online behavioral advertising. This effort is being spearheaded
by the leading associations that collectively represent the key
elements of the Internet ecosystem, more than 5,000 companies
in all. The FTC report set out a roadmap of key elements that
should be included in self-regulation including transparency,
consumer control and data security. And the major component of
the program is the use of an icon that informs consumers that
interest based advertising is occurring.
And to help create this icon GroupM mobilized our market
leading advertising teams to invest the same design, testing,
and market research in this icon as we would use for our
Fortune 500 clients. Let me briefly show you how the principle
works from a consumer's perspective. If I could refer you to
the boards on my right.
Aboutads.info is a simple and effective ``one stop''
platform for consumers to opt-out of having their information
collected and used for behavioral advertising purposes.
Consumers can opt-out with the click of one button with respect
to all participating companies. And GroupM and hundreds of
leading companies are working to advance compliance with the
program.
Two other major elements of our implementation effort are
education and enforcement. GroupM has partnered with the
Interactive Advertising Bureau on a ``Privacy Matters''
education campaign to inform consumers about how they can
manage their online experience and to explain how advertising
supports the Internet. To date more than 600 million
impressions are being delivered as part of this campaign.
And finally I want to emphasize that companies will be held
accountable for complying with the principles just as the FTC
recommended. All of us in advertising have a strong incentive
to maintain accountability in order to foster consumer trust.
The principles are enforceable through programs being
administered by the Direct Marketing Association and the
Council of Better Business Bureaus. These organizations have
long-standing effective and respected compliance programs that
they are leveraging to cover the principles. Any company that
claims to comply but fails to do so could face FTC enforcement
for deceptive acts or practices.
And whilst our program--whilst our progress has been
exciting, our work continues. One of the major benefits of
industry self regulation is the ability to respond quickly to
changes to technology and business practices. For example
recently, some policymakers have raised concerns that data
collected for advertising purposes could be used as a basis for
employment, credit or health insurance eligibility decisions.
I want to emphasize that these are hypothetical concerns
that do not reflect actual business practice. But nevertheless
industry is stepping forward to address these concerns. And
we're expanding our guidelines to clarify and ensure that such
practices are prohibited and will never occur.
The self regulatory principles owe much to the guidance of
federal policymakers which have strengthened our independent
commitment to consumer privacy and uniform choice. Now as you
proceed in this dialogue it's vitally important to avoid mixed
messages to consumers that could inhibit them from exercising
their choice to the self-regulatory tool that's already
available. We have to ensure that there's a single standard to
make it simple for consumers. We do not want to add confusion
to an already complex arena. Now I want to make it clear that
we are working with a browser company such as Microsoft and
Firefox and even Chrome, who are a part of the coalition to
incorporate self-regulation and Do Not Track together.
So in conclusion, we believe that the program creates the
right framework that encourages both innovation and privacy
bringing the benefits for online services and privacy
protection to consumers. Thank you, and I look forward to any
questions.
[The prepared statement of Mr. Montgomery follows:]
Prepared Statement of John Montgomery, Chief Operating Officer,
North America, GroupM Interaction
I. Introduction
Chairman Rockefeller, Ranking Member Hutchison, and members of the
Committee, good morning and thank you for the opportunity to speak at
this important hearing.
My name is John Montgomery and I am the Chief Operating Officer for
the North American operations of GroupM Interaction (``GroupM'').
Headquartered in New York City, GroupM is the world's leading full-
service media investment management operation, employing over 17,000
employees in 81 countries. GroupM is the parent company of WPP's
market-leading media communications agencies, including Maxus, MEC,
Mindshare and Mediacom. Our clients are major global companies with
brands that are household names. In the simplest terms, we advise
clients on how to use advertising and where to place advertisements
most effectively. Our business is built on the belief that both
consumers and companies benefit when advertising provides timely and
relevant information to those consumers who are most likely to be
interested. While this philosophy is not new or unique to the Internet,
online advertising has given us new tools to help our clients.
We at GroupM strongly believe in protecting consumer privacy. It is
not only the right thing to do, but it is also good for business. We
want to build consumer trust in the online experience, and therefore we
believe that consumers should be able to choose whether and how their
data is collected or used for online behavioral advertising. Our
clients also want to provide these choices to maintain the confidence
of their customers. Global companies work hard every day to protect
their brands, and they recognize that their customers may have
different preferences about online advertising.
My testimony today will describe how we have worked successfully
with other industry leaders to give consumers these choices, and to
create easy, uniform, and effective tools for them to exercise their
choices. Our contributions illustrate the industry-wide collaboration
and support behind this self-regulatory effort, which are truly
impressive given our highly competitive marketplace.
II. Online Advertising Benefits Consumers and the Economy
I begin my remarks where I believe the Committee's examination
should begin--with a review of the tremendous benefits provided by
online advertising, especially behavioral advertising.
It is impossible to overstate the economic importance of the
Internet today. Even in difficult times, e-commerce has continued to
grow, thrive, and employ millions of Americans. The Internet is now the
focus and a symbol of the United States' famed innovation, ingenuity,
inventiveness, and entrepreneurial spirit, as well as the venture
funding that follows. The Internet has already revolutionized our
lives, and it continues to evolve in extraordinary and exciting ways.
And as the Department of Commerce recently concluded, thus far the
United States' approach to Internet policy has enabled the digital
economy to flourish.\1\
---------------------------------------------------------------------------
\1\ Department of Commerce Internet Policy Task Force, Commercial
Data Privacy and Innovation in the Internet Economy: A Dynamic Policy
Framework at 1 (December 2010) (hereinafter ``Commerce Policy
Framework''), available at http://www.commerce.gov/sites/default/files/
documents/2010/december/iptf-privacy-green-paper.pdf.
---------------------------------------------------------------------------
Advertising helps to fuel the Internet economic engine. Revenues
from online advertising support and facilitate e-commerce and subsidize
the cost of content and services that consumers value, such as online
newspapers, blogs, social networking sites, e-mail, and phone services.
Because of advertising support, consumers can access a wealth of online
resources for free or at a low cost. These resources have transformed
our daily lives. Imagine parents who discover their child is sick at
two o'clock in the morning. They can go online to look up basic medical
information or find directions to the nearest doctor's office or
emergency room. The Internet is now so established that we tend to take
these resources for granted, but in fact they are largely supported by
advertising.
Online advertising is equally vital to established businesses and
new start-up companies. A study commissioned by the Interactive
Advertising Bureau estimated that some three million Americans are
employed due to the advertising-supported Internet.\2\ Online
advertising also fosters competition by making it easier for emerging
businesses to reach potential customers. In turn, these entrepreneurs
spur existing market leaders to continue innovating.
---------------------------------------------------------------------------
\2\ Hamilton Consultants, Inc. with Professors John Deighton and
John Quelch, Economic Value of the Advertising-Supported Internet
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
---------------------------------------------------------------------------
Behavioral advertising is an essential form of online advertising.
As the Committee knows, behavioral advertising, also called interest-
based advertising, is delivered based on consumer preferences or
interests as inferred from data about online activities. Consumers are
likely to find behavioral advertisements more relevant than random
messages, and advertisers are more likely to attract consumers that are
interested in their products and services. For example, if a browser's
activity suggests that the user has a new baby, we can show offers for
baby products rather than retirement homes or sports cars. Websites
also benefit because behavioral advertising garners better responses,
allowing websites to earn more revenue--and support more content and
services--for fewer advertisements.
At the same time, we recognize and respect that some consumers may
prefer not to receive behavioral advertising. I am excited to share
with the Committee the work we have done to make sure that consumers
have both transparency and control to exercise their preferences in
regard to online behavioral advertising.
III. Industry Self-Regulatory Principles Follow the Federal Trade
Commission Roadmap
In February 2009, after an extended deliberative process, the
Federal Trade Commission published a Staff Report that called upon
industry to ``redouble its efforts'' to create self-regulation of
online behavioral advertising.\3\ The report set out a roadmap of
several key elements that should be included in self-regulation, such
as transparency, consumer control, and data security. The Commission
also made clear that consumer tools to exercise choice should be easy
to use, effective, uniform, and ubiquitous.
---------------------------------------------------------------------------
\3\ Federal Trade Commission Staff Report, Self-Regulatory
Principles for Online Behavioral Advertising at 47 (February 2009),
available at http://www.ftc.gov/os/2009/02/P085400behav
adreport.pdf.
---------------------------------------------------------------------------
In the two years since the Commission's Staff Report, GroupM is
pleased to have participated in an unprecedented cross-industry effort
by leading trade associations and companies to respond to the Federal
Trade Commission's endorsement of self-regulation. This effort has been
spearheaded by the American Association of Advertising Agencies, the
Association of National Advertisers, the Interactive Advertising
Bureau, and the Direct Marketing Association, and also includes the
American Advertising Federation, the Network Advertising Initiative,
and other leading industry associations that represent components of
the Internet ecosystem. These associations and the companies
participating in the self-regulatory effort collectively account for
the vast majority of online behavioral advertising. Following the
roadmap set out by the Commission, we have worked diligently to develop
standards, launch innovative tools, and educate consumers to make sure
they have the choices they deserve.
In July 2009, just 5 months after the Federal Trade Commission's
guidance, our coalition announced a groundbreaking set of Self-
Regulatory Principles for Online Behavioral Advertising.\4\ The
Principles apply across the entire online advertising ecosystem. They
address all of the key elements called for in the Federal Trade
Commission's 2009 Staff Report, namely:
---------------------------------------------------------------------------
\4\ American Association of Advertising Agencies, Association of
National Advertisers, Direct Marketing Association, Interactive
Advertising Bureau, and Council of Better Business Bureaus, Self-
Regulatory Principles for Online Behavioral Advertising (July 2009),
available at http://www.aboutads.info/resource/download/seven-
principles-07-01-09.pdf.
---------------------------------------------------------------------------
Consumer education,
Enhanced notice of data practices,
Innovative choice mechanisms,
Data security,
Sensitive data protection,
Consent for retroactive material policy changes, and
Enforcement.
The Self-Regulatory Principles prescribe expectations for companies
in each of these areas. They provide uniform definitions for key terms
and include detailed Commentary to aid compliance.
GroupM believes that the Self-Regulatory Principles are
comprehensive yet flexible enough to respond to the complex and rapidly
evolving online advertising ecosystem. Most importantly, they are
supported by all of the major industry stakeholders. We were pleased,
therefore, that the Commerce Department's recent draft framework on
privacy and innovation also favors voluntary and enforceable industry
codes like our initiative.\5\
---------------------------------------------------------------------------
\5\ Commerce Policy Framework at 5, 41-44.
---------------------------------------------------------------------------
IV. Implementing Self-Regulation: Uniform Choice, Consumer Education,
and Enforcement
Since releasing the Principles in July 2009, GroupM and other
industry leaders have made significant investments in implementing the
Principles across the Internet. A timeline of milestones is attached
(Attachment 1). The development and launch of our Advertising Option
Icon has been a key focus of this implementation phase, and I am very
proud of GroupM's important contributions in this area. Advertisers who
are adopting this icon for their advertisements are finding that the
icon enhances a company's brand relating to its privacy stance. The
icon is a win-win for consumers and businesses.
The Federal Trade Commission made clear, and we agree, that
consumers should get notice of behavioral advertising practices that is
uniform, ubiquitous, and ``just in time'' to make decisions. For
uniformity, we also agreed that this notice should use a special
graphic icon that would be memorable to consumers. To assist in the
creation of this icon, GroupM mobilized our market-leading advertising
teams to invest the same design, testing, and market research in this
icon that we would use for our Fortune 500 clients. Our work was the
basis for the Advertising Option Icon (Attachment 2), a simple but
attention-grabbing graphic that we hope will become as universally
familiar and recognizable as the recycling logo.
To make sure this notice is ubiquitous and ``just in time,'' as
recommended by the Federal Trade Commission, we reached the innovative
solution of embedding the icon where data is collected and used for
online behavioral advertising.
Let me briefly review how the Principles work from a consumer's
perspective:
First, an advertisement covered by the Principles is
identified with the Advertising Option Icon, which appears in
the advertisement right where the consumer will notice it
(Attachment 3). The icon launched last December and has already
been served in billions of advertisements, and we expect to
reach the milestone of one trillion impressions by the end of
this year.
Clicking the Advertising Option Icon brings up a brief
statement about online behavioral advertising, with a link to
more information and opt-out choices.
Interested consumers can click this link to visit
AboutAds.info, an industry- sponsored website that provides
consumer education (Attachment 4) and, most importantly,
consumer choice (Attachment 5).
AboutAds.info is a simple and effective ``one stop'' platform for
consumers to opt-out of having their information collected and used for
behavioral advertising purposes. Consumers can opt-out with respect to
all participating companies, or they can pick and choose which
companies may collect and use their data.
The Federal Trade Commission has recently referred to this type of
process as a ``Do Not Track'' system. We believe that our program
provides ``uniform notice and choice.'' Regardless of what terminology
is used, our self-regulatory tools meet all of the policy goals that
the Commission has publicly set forth. As implementation proceeds, no
matter where consumers go online, they will see one memorable icon that
leads to the same familiar and easy-to-use choice mechanism.
Companies can easily implement this uniform process and become
compliant with the Self-Regulatory Principles by working with
``approved providers'' Evidon, TRUSTe, and DoubleVerify, which offer
technical solutions for compliance. GroupM is working with Evidon to
advance compliance in all of our offerings and agencies. Hundreds of
leading companies are already compliant or in the process of complying.
Two other major elements of our implementation effort are education
and enforcement. GroupM is strongly committed to consumer education and
has made significant investments in this area. Our goal is to build
consumer trust by helping consumers to understand and exercise their
choices.
First, we have partnered with the Interactive Advertising Bureau on
the ``Privacy Matters'' educational campaign to inform consumers about
how they can manage their online experience and to explain how
advertising supports the Internet. For this campaign, we used catchy
and controversial slogans like ``Advertising Is Creepy'' to appeal to
the consumers most interested in learning more. As part of this
unparalleled effort, the Interactive Advertising Bureau's online
publisher members have delivered close to 600 million online public
service announcements. These announcements link to the ``Privacy
Matters'' website (http://www.iab.net/privacymatters/), which features
fun educational modules on advertising practices and safe Web browsing.
Through January 2011, the results of this campaign have been excellent,
with a click-through-rate that is substantially out-performing the
standard range for public service campaigns.
GroupM has also supported the industry coalition effort to
publicize the Self-Regulatory Principles and associated tools for
businesses and consumers. This multifaceted campaign, which supplements
the consumer notice provided by the Advertising Option Icon, has
included the launch of the AboutAds.info website, community outreach by
the participating trade associations, a series of educational webinars
to assist businesses with coming into compliance with the Principles,
and the delivery of additional online public service announcements.
Finally, I want to emphasize that companies will be held
accountable for complying with the Principles, just as the Federal
Trade Commission recommended. The Principles are enforceable through
programs being administered by the Direct Marketing Association and the
Council of Better Business Bureaus.\6\ These organizations have
longstanding, effective, and respected compliance programs that they
are leveraging to cover the Principles. The Council of Better Business
Bureaus has created a new program and hired additional employees to
administer the Principles. All of us in the advertising industry have a
strong incentive to maintain accountability in order to foster consumer
trust. In addition, any company that claims to comply, but fails to do
so, could face Federal Trade Commission enforcement for deceptive acts
or practices.
---------------------------------------------------------------------------
\6\ Direct Marketing Association Press Release, ``DMA Launches
Enforcement for Online Behavioral Advertising'' (January 31, 2011);
Council of Better Business Bureaus Press Release, ``Council Steps Up
Enforcement of Interest-Based Advertising,'' (March 7, 2011).
---------------------------------------------------------------------------
V. The Future of Self-Regulation
As I explained, the Self-Regulatory Principles include all of the
elements set out in the Federal Trade Commission's 2009 roadmap. Less
than 2 years after the Principles were announced, and thanks to strong
investment by the business community, our implementation phase is
gaining strong momentum. Every day, we are adding more members to the
compliance programs, putting more Advertising Option Icons out on the
Internet, and reaching more consumers with uniform notice and choice.
While our progress has been exciting, our work continues. One of
the major benefits of industry self-regulation is its ability to
respond quickly to changes in technology and business practices. For
example, some policymakers have raised concerns that data collected for
advertising purposes could be used as a basis for employment, credit,
or health insurance eligibility decisions.\7\ I want to emphasize that
these are hypothetical concerns that do not reflect actual business
practices. Nevertheless, industry is stepping forward to address these
concerns and we are expanding our guidelines to clarify and ensure that
such practices are prohibited and will never occur. This type of
adaptability is essential to avoid stifling innovation in the complex
and dynamic Internet environment. We welcome additional input from
policymakers and we are committed to examining any future concerns that
may arise.
---------------------------------------------------------------------------
\7\ Representative Jackie Speier, ``Do Not Track Our Online Data,''
Politico (March 4, 2011), available at http://www.politico.com/news/
stories/0311/50614.html; Jon Leibowitz, ``FTC Chairman: `Do Not Track'
Rules Would Help Web Thrive--Online commerce and personal privacy are
not incompatible,'' U.S. News (January 3, 2011), available at http://
www.usnews.com/opinion/articles/2011/01/03/ftc-chairman-do-not-track-
rules-would-help-web-thrive-jon-leibow
itz.
---------------------------------------------------------------------------
The Self-Regulatory Principles owe much to the guidance of Federal
policymakers, which has strengthened our independent commitment to
consumer privacy and uniform choice. As we proceed in this dialogue, it
is vitally important to avoid confusing or mixed messages to consumers
that could inhibit them from exercising their choices through the self-
regulatory tool that is already available. It is equally important to
maintain incentives for the business community, which has already
invested so much in self-regulation, to come into compliance with the
Principles. GroupM and our partners look forward to continuing our
efforts and working cooperatively with the Committee, the Federal Trade
Commission, and the Department of Commerce as we move forward with
implementing the Self-Regulatory Principles for Online Behavioral
Advertising and discussing these important issues. We believe that this
program creates the right framework that encourages both innovation and
privacy, bringing the benefits of online services and privacy
protection to consumers.
***
Thank you for inviting me to share GroupM's perspective on ``The
State of Online Consumer Privacy.'' I look forward to answering any
questions that the Committee may have.
______
Attachment 1: Timeline of Industry Effort to Develop and Implement
Self-Regulatory Principles for Online Behavioral Adverting
December 2007 Federal Trade Commission staff releases proposed
principles to guide the development of industry
self-regulation in the area of online behavioral
advertising.April 2008 Industry leaders file comments on Federal Trade
Commission's proposals and convene task force to
examine existing self- regulatory efforts.October 2008 Industry coalition begins drafting new self-
regulatory guidelines.February 2009 Federal Trade Commission releases final Staff
Report on Self-Regulatory Principles for Online
Behavioral AdvertisingJuly 2009 After building support among industry
stakeholders, coalition releases cross-industry
Self-Regulatory Principles for Online Behavioral
Advertising (``Principles'') that correspond to
the guidelines in the FTC staff report.August 2009 Coalition turns to enforcement, operational
implementation, and educational planning.November 2009 Interactive Advertising Bureau and Network
Advertising Initiative lead effort to develop
technical specifications for implementing
enhanced notice through a link in or around an
advertisement.December 2009 Coalition launches ``Privacy Matters'' education
campaign, which has been designed to educate
consumers about how they can manage their online
experience and to help consumers better
understand and appreciate how online advertising
supports the Internet.January 2010 Coalition announces intention to provide enhanced
notice to consumers through a link/icon embedded
in online behavioral advertisements (or, if such
notice is not delivered, on the Web page where
the behavioral advertisement occurs).March 2010 Coalition commences effort to operationalize the
Principles, including providing business
education webinars, trademarking distinctive
Advertising Option Icon, and developing an
industry- wide Website to deliver consumer
education, provide information concerning parties
engaged in online behavioral advertising, and
offer consumer choice.October 2010 AboutAds.info Website launches. Companies may
register to use the Advertising Option Icon and
acquire specific technical guidance for the
icon's implementation and use.
Coalition selects the first ``approved provider''
to offer technical solutions for compliance with
the Principles.November 2010 Coalition launches consumer-facing AboutAds,info
Consumer Opt-Out Page, where consumers may easily
opt-out of some or all of the interest-based
advertisements they receive.December 2010 Coalition selects two additional ``approved
provider'' vendors.January 2011 Direct Marketing Association enforcement program
goes into effect.February 2011 Principles and Communication Advisory Committee
convenes to consider application of the
Principles to mobile platforms, as well as ways
to encourage international adoption of the icon
and standards consistent with the Principles.March 2011 Council of Better Business Bureaus enforcement
program goes into effect.
Accountability program selects vendor to provide
technical platform to monitor participating
companies' compliance with the Principles.
Attachment 2. Advertising Option Icon
Attachment 3. Sample Advertisement with Embedded Advertising Option
Icon
Attachment 4. About Ads.info Home Page
Attachment 5. AboutAds.info Uniform Consumer Choice Page
______
Senator Pryor. Thank you.
Mr. Soltani?
STATEMENT OF ASHKAN SOLTANI,
INDEPENDENT PRIVACY RESEARCHER AND CONSULTANT
Mr. Soltani. Thank you. Senator Pryor and distinguished
members of the Committee, thank you for the opportunity to
testify about online consumer privacy and the state of web
tracking. My name is Ashkan Soltani. I'm a technology
researcher and consultant specializing in privacy and security
on the Internet.
As background I served for a year as a technologist in the
Division of Privacy and Identity Protection at the Federal
Trade Commission. I was also the primary technical consultant
on the Wall Street Journal's ``What they know'' series. I
should note the opinions here are my own and don't reflect the
views of my previous employers.
In my testimony I will describe findings from my research
about the pervasiveness of online tracking. I will discuss the
extent to which consumers can control unwanted tracking. I will
conclude with a description of the proposed Do Not Track
mechanisms.
The practice of using third party services is very common
on the web today. In 2009 I co-authored a study where we found
an average of 12 third party trackers on the top 100 most
visited websites. One site used roughly 100 different trackers.
That means when a user visits that website 100 unseen entities
are notified of that visit.
The very reason why online tracking is effective and why it
raises privacy concerns is that the third-party entities can
monitor user's behavior across multiple, unrelated websites. In
our study one advertising service could track a user's web
browsing activity down to approximately 90 percent of the
websites we've examined. This company is not alone in its
reach. Widgets from a single social networking company
currently gather data across several million websites. These
companies that were positioned to infer a great deal more than
just the user's interests in automobiles or sporting goods.
This unique vantage point enables them to collect the vast
majority of a user's web browsing activity.
It's important to point out that online tracking is not
limited to desktop computers. Mobile devices and smartphones
raise unique privacy concerns because people always have them
on their persons. Application and services running on these
devices may have the ability to access precise location
information providing third parties with intimate details about
a user's habits.
Every major web browser includes a patchwork of privacy-
enhancing technologies that are not enabled by default and that
are often difficult to configure. Worse yet, even when properly
configured online tracking companies have consistently devised
ways to circumvent their function. As a result browser vendors
and thus consumers are losing this game of privacy Whack-a-
Mole.
Many ad services seek to temper privacy concerns by
offering users a way to opt-out of behavioral advertising.
However these opt-outs typically only allow users to opt out of
receiving targeted ads not opt out of the underlying tracking
fully. I don't think this is what most consumers would expect.
Finally, not all companies that engage in online tracking
offer an opt-out. By my count only about a quarter of the
online trackers I'm aware of have existing opt-out mechanisms.
Today's consumer choice mechanisms fail to provide users
with meaningful control. Advocates and industry have been
working to establish an easy to use tool to control online
tracking commonly referred to as Do Not Track. Two separate but
complementary approaches have been now advanced. And while I
won't discuss them in technical detail here, I'm happy to
answer any questions you might have about them.
To conclude, online tracking is pervasive on the Internet
and it's an issue that's often difficult for users to
understand. Even when they do realize they are being tracked
there's often very little that can be done. Consumers need more
transparency into who is tracking them online, what information
is being collected and how this information is being used,
shared and sold.
There is a clear need for better privacy controls to
prevent unwanted tracking. And industry has not delivered. To
be effective privacy protections online will likely require
both technology and policy working in tandem.
Thank you for inviting me today. And I hope that my
testimony here is helpful. I'm grateful that the Committee has
invited a technologist to participate since these issues can be
deeply technical in nature. I look forward to helping you
understand these nuances that make online tracking such an
interesting and yet complex issue.
I'm happy to answer any questions.
[The prepared statement of Mr. Soltani follows:]
Prepared Statement of Ashkan Soltani,\1\
Independent Privacy Researcher and Consultant
---------------------------------------------------------------------------
\1\ My oral and written testimony here today to the Committee
represents my own personal views, and does not reflect the views of any
of the organizations I have consulted or worked for in the past.
---------------------------------------------------------------------------
Chairman Rockefeller, Ranking Member Hutchison, and the
distinguished members of the Committee, thank you for the opportunity
to testify about online consumer privacy and the state of tracking on
the Web today.
My name is Ashkan Soltani. I am a technology researcher and
consultant specializing in consumer privacy and security on the
Internet. I have more than 15 years of experience as a technical
consultant to Internet companies and Federal Government agencies. I
received my Master's degree in Information Science from the University
of California at Berkeley, where I conducted extensive research and
published two major reports on the extent and means of online tracking.
Last year, I served as a staff technologist in the Division of Privacy
and Identity Protection at the Federal Trade Commission on
investigations related to Internet technology and consumer privacy. I
have also worked as the primary technical consultant on the Wall Street
Journal's What They Know series investigating Internet privacy issues
on the ground.
I have been asked to testify about the current state of online
tracking from a technical perspective. I will describe the basics of
how online tracking works and discuss some of my research that
demonstrates how pervasive tracking is online today. I will then
discuss the extent to which consumers are actually aware that they are
being tracked online and whether they are able to meaningfully control
unwanted tracking with existing industry-provided and browser-based
mechanisms. Finally, I will discuss the Do Not Track proposals in light
of these findings.
A. How Online Tracking Works
As an illustrative example to explain how consumers are tracked
online, we can step through a typical Web browsing session. A user
wants to look up information about cholesterol on WebMD, so he types
``www.webmd.com'' into his browser's location bar and navigates to a
specific page on WebMD's site focused on cholesterol. The browser
contacts the WebMD server to retrieve the contents of the page. Much of
the page's content will be provided directly by WebMD itself, but some
of the content may originate from other entities, such as an
advertisement provided by an online advertising service such as
Google's DoubleClick. As a result, although the browser's location bar
will show ``www.webmd.com,'' many other third party entities may have a
presence on the website, and often it is unclear to the user which
content comes from which provider.
A useful analogy may be to imagine a picture frame that has slots
to display a number of different photos. WebMD provides the ``frame''
and a few of the ``photos,'' while the rest of the ``photos'' are
provided by third parties that WebMD has partnered with. This practice
of embedding content from third party entities is nearly universal on
the Web today. As I will explain below, it is primarily these third
party entities that are capable of tracking users as they browse the
Web.
In this example, the WebMD page on cholesterol includes a third
party online advertisement that is displayed at the top of the page. As
the web browser fetches the ad, two things relevant to tracking
typically occur. First, the company providing advertisements can
attempt to uniquely identify the browser using a variety of technical
mechanisms, which I will discuss below. The simplest and most common
technique is to use a browser cookie. In this context, a cookie is a
file containing a unique identifier that is placed on the user's
computer by the third party ad service and is transmitted back to the
service upon each subsequent ad request.\2\ Second, the ad service can
record detailed information about this interaction. The ad service may
log the date and time of the ad request, which ad was displayed, and
perhaps the details about the content of the WebMD page on which the ad
was shown. Most importantly, the ad service can link all this
information to the unique identifier, and collect this information
together in a consumer data base.
---------------------------------------------------------------------------
\2\ Cookies are text files that can store various types of
information. For the purposes of tracking, they typically contain
unique descriptors such as user=1234567890 or e-mail=john.doe
@host.com.
---------------------------------------------------------------------------
Some time later, the user checks the weather by browsing to
``www.weather.com.'' It turns out that the same third party ad service
used by WebMD is also providing ads for the Weather Channel's site. As
an ad loads in the margins of the Washington, D.C. forecast page, the
ad service can again uniquely identify the user's browser, using the
same cookie file that was previously stored. The ad service can now tie
the user's browsing activity between the two sites together--the same
browser that previously accessed health information about cholesterol
also looked up the weather forecast in Washington, D.C. As the user
continues to browse, this ad service can continue to follow the user's
activity on the websites on which it has a presence. These activities
are the essence of online tracking.
Web browsing interactions are generally described as being in one
of two categories, first party or third party. A first party is
typically defined as an entity whose site the user knowingly visits and
whose Web address appears in the browser's location bar--in the
scenario above, WebMD and then later, the Weather Channel. Users
typically interact with a first party by directly typing its Web
address into the location bar or by browsing to it from another site,
for instance, by following a link from a search engine or a social
network.
A third party is an entity that provides content that is included
on a first party site, like the ad service in our earlier scenario.
While some third party interactions are visible to the user, such as a
displayed ad or an embedded video, it may not be clear that this
content is being provided by someone other than the site they are
visiting. However, other third party interactions may be invisible to
the user. For example, a ``web bug'' is an imperceptible image placed
on first party sites, but operated by third parties, for the express
purpose of invisibly tracking users.\3\ These third party tracking
objects can only appear on a site with the knowledge and consent of the
first party. As an example, ads from Google DoubleClick will only
appear on Weather Channel pages if the Weather Channel explicitly
decides to include DoubleClick on its site.
---------------------------------------------------------------------------
\3\ Web bugs are sometimes also referred to as tracking pixels or
web beacons. Web bugs are typically used to provide websites with
information that will help them understand and optimize web usage, and
typically track users.
---------------------------------------------------------------------------
Note also that the same business entity can be both a first party
or a third party, depending on the context. For instance, if a user
browses directly to ``www.youtube.com'' to watch online videos, YouTube
is a first party. But, if a first party site such as CNN.com embeds a
YouTube video into one of its stories, YouTube is now a third party.
In our scenario, the ad service uses a standard browser cookie to
link together two separate user interactions--one on WebMD and the
other on the Weather Channel. Even though the cookie by itself does not
usually identify the user by name, third party trackers are able to
build a ``browsing profile'' that consists of data from numerous Web
interactions over time from the same user.\4\ This browsing profile has
the potential to reveal quite a bit of information about the user's
real world identity.\5\
---------------------------------------------------------------------------
\4\ Of course, some browsers may be shared by multiple users, but
often browsers will be used primarily by a single user. This is
particularly salient in the case of mobile phones, where the sharing of
devices is less common.
\5\ Each data point may also reveal the time of each site access
and in many cases the user's approximate geographic location based on
his IP address. More advanced tracking techniques on a single page may
be able to determine exactly how the user moves his mouse on the page
or what text on the page gets highlighted and copied.
---------------------------------------------------------------------------
Despite some claims that these collected browsing profiles are
``anonymous,'' recent computer science research suggests that it is
often quite easy to re-identify datasets that contain user
information.\6\ As the number of data points in a browsing profile
increases, so too does the possibility that it can eventually be re-
identified to reveal the user's actual identity, such as a name, e-mail
address, or other personally identifiable information. For example,
when a user purchases a product online, the merchant could decide to
share the user's e-mail address--collected in the billing process--with
a third-party ad service that is present on the purchase page. This
issue can also arise with the use of social networks, whereby
identifying information may leak to third party ad services.\7\
---------------------------------------------------------------------------
\6\ Narayanan, A., & Shmatikov, V. (2008). How to Break Anonymity
of the Netflix Prize Dataset. In Proc. of 29th IEEE Symposium on
Security and Privacy, Oakland, CA, May 2008, pp. 111-125. and Ohm, P.
Broken Promises of Privacy: Responding to the Surprising Failure of
Anonymization (2009, August 13). University of Colorado Law Legal
Studies Research Paper No. 09-12. Available at SSRN: http://ssrn.com/
abstract=1450006.
\7\ Krishnamurthy, B. and Willis, C. (2009). On the leakage of
personally identifiable information via online social networks. In
Proceedings of the 2nd ACM workshop on Online social networks (WOSN
`09). ACM, New York, NY, USA, 7-12. DOI=10.1145/1592665.1592668 from
http://doi.acm.org/10.1145/1592665.1592668.
---------------------------------------------------------------------------
1. The State of Online Tracking
The practice of using third party services to add tracking and
other functionality to a website is quite common. In our Berkeley
KnowPrivacy study, we found an average of 12 trackers present on each
of the top 100 most popular websites, with one having as many as 100
different trackers over the course of a month.\8\ This means that when
a user visits that website, potentially 100 entities--nearly all unseen
by the user--will learn about the visit.
---------------------------------------------------------------------------
\8\ Gomez, J., Pinnick, T., and Soltani, A. (2009, June 1).
KnowPrivacy available at http://knowprivacy.org/report/
KnowPrivacy_Final_Report.pdf, p.26.
---------------------------------------------------------------------------
The very reason why online tracking is both effective and why it
raises privacy concerns is that third party entities can track
consumers across multiple unrelated first party websites. In our
Berkeley study, we also found that some third party trackers have an
extensive ``reach'' across a large number of first party sites. One
advertising company was able to monitor activity on 91 of the top 100
most popular sites, as well as 88 percent of 350,000 sites sampled in
our dataset, as of March 2009.\9\ In 2010, a leading social network
announced that their third party sharing widgets were present on 2.5
million websites\10\ and growing at a rate of 10,000 sites per day.\11\
In both these examples, the presence of third party objects generates a
steady stream of data that flows to a single entity. These uniquely
pervasive positions give these companies the capacity to infer a great
deal more than just a user's interest in automobiles or sporting goods.
Their tracking technologies reach the vast majority of every user's Web
browsing activity.
---------------------------------------------------------------------------
\9\ Id. p. 27.
\10\ Constine, J. (2011, February 27). All of Facebook's Like
Buttons on Third-Party Sites Now Publish a Full News Feed Story. Inside
Facebook--Tracking Facebook and the Facebook Platform for Developers
and Marketers from http://www.insidefacebook.com/2011/02/27/like-
button-full-story/.
\11\ Parr, B. (2010, October 26). 10,000 Websites Integrate with
Facebook Every Day. Social Media News and Web Tips--Mashable--The
Social Media Guide. from http://mashable.com/2010/10/26/10000-websites-
integrate-with-facebook-every-day/.
---------------------------------------------------------------------------
It is important to point out that online tracking is not limited to
Web browsers. Consumers are connecting to the Internet using a variety
of devices that extend beyond what we consider a typical PC-and-browser
setup. Mobile phones, televisions, set top boxes (such as a Tivo or a
cable box), video game consoles and even some automobiles are now
equipped with Internet connectivity and can leverage Web services which
include online advertisement. Some of these platforms also allow
applications written by third parties, the most prominent example being
``app stores'' on mobile smartphones.\12\ Mobile devices, in
particular, raise unique privacy concerns because consumers carry them
nearly all of the time.\13\ As such, applications and services running
on the phone may have the ability to access precise geolocation
information, using GPS technology, to learn even more intimate details
about a consumer's physical habits.
---------------------------------------------------------------------------
\12\ The Wall Street Journal reported that 47 of the 101 third
party mobile applications tested transmitted location to third parties.
56 of the same apps transmitted unique device identifiers (UDIDs) which
act similar to permanent cookies, and which users currently have no
control over. See Thurm, S. (2011, December 17). IPhone and Android
Apps Breach Privacy--WSJ.com. The Wall Street Journal from http://
online.wsj.com/article/SB1.
\13\ Three in five mobile phone owners say they carry their phones
at all times, even inside the home. See: Stanton, D. (2008, September
8). New Study Shows Mobile Phones Merging New, Established Roles.
Knowledge Networks from http://www.knowledgenetworks.com/news/releases/
2008/091808_mobilephones.html.
---------------------------------------------------------------------------
2. Existing Privacy Tools are Easily Circumvented
Every major Web browser includes privacy enhancing technologies
that can be used by consumers to limit the extent to which they are
tracked online. Unfortunately, these built-in tools, which include
``private browsing modes'' and cookie controls, only protect users from
some tracking technologies, and do not provide consumers with the
privacy protections they may reasonably expect.\14\
---------------------------------------------------------------------------
\14\ Soghoian, C. (2010, December 9). Why Private Browsing Modes Do
Not Deliver Real Privacy, Internet Architecture Board, Web Privacy
Workshop, from http://www.iab.org/about/workshops/privacy/papers/
christopher_soghoian.pdf.
---------------------------------------------------------------------------
As one example, cookie blocking features in the major Web browsers
do not always work in the same way, and even sophisticated users do not
fully understand these intricacies.\15\ This may cause consumers to
have misplaced beliefs about the extent browsers are protecting them
from tracking. But even when consumers do understand how these features
work, sites have consistently devised new ways to track users and evade
the protections of existing privacy tools.
---------------------------------------------------------------------------
\15\ Not all browsers implement third party cookie blocking in the
same way. Typically browsers allow third party cookies by default but
if a user elects to configure their browser to block third party
cookies, 3 of the 4 major browsers allow the third party cookies to be
read if they were previously set, such as in a first party context.
This is a small technical nuance, but it allows certain players to
proceed as normal with regards to online tracking and potentially cause
confusion for consumers as to the degree their privacy is protected.
Additionally, it significantly effects whether certain players, i.e.,
those that consumers have a first party relationship with, receive a
competitive advantage over the lesser known websites.
---------------------------------------------------------------------------
In a study called KnowPrivacy published by my Berkeley colleagues
and I in 2009,\16\ we found that several ad services had deployed a new
stealthy technique to resurrect tracking cookies, even after the user
had used the available cookie deletion tools built into his browser. Ad
services developed a way to ``remember'' the cookie file using another
technology--Adobe's Flash Player--such that they could restore the
cookie later, even after the user deleted it. This tracking
technology--commonly called Flash cookies--is even more difficult for
users to manage with existing privacy tools, when compared to standard
cookie controls.\17\
---------------------------------------------------------------------------
\16\ Soltani, A., Canty, S., Mayo, Q., Thomas, L., and Hoofnagle,
C., Flash Cookies and Privacy (2009 August 10). Available at SSRN
http://ssrn.com/abstract=1446862.
\17\ Adobe has denounced the use of its Flash technology in order
to restore tracking cookies. Although not yet widely deployed, the
company has recently taken steps to work with major browser vendors in
order to move Flash cookie privacy controls directly into the browser
settings and allow users to manage them in a similar way as standard
cookies. See Albanesius, C. (2011, March 8). Adobe Flash Player 10.3
Beta Adds Greater Control Over'Flash Cookies' PC Magazine. from http://
www.pcmag.com/article2/0,2817,2381650,00.asp.
---------------------------------------------------------------------------
Further, some ad services have shifted to new, cutting-edge
tracking techniques, many of which are beyond the control of
consumers.\18\ While these are less well known, they are no less
powerful--and in some cases more powerful--in their ability to track
users' browsing activities. From a technical perspective, browser
vendors--and thus consumers--are losing the game of privacy Whack-a-
Mole. The ongoing development of new, hidden tracking techniques is far
outpacing the ability of browser vendors to develop and deploy adequate
defenses. As a result, consumers and the privacy controls available to
them will likely fail to keep up.
---------------------------------------------------------------------------
\18\ In the past year, I have confirmed tracking by third party
companies on widely used websites using mechanisms including but not
limited to browser fingerprinting (http://radar.oreilly.com/2011/03/
device-identification-bluecava.html), cache cookies (http://www.
wired.com/epicenter/2009/08/flash-cookie*researchers-spark-quantcast-
change/), CSS history profiling (http://blogs.forbes.com/kashmirhill/
2010/11/30/history-sniffing-how-youporn-checks-what-other-porn-sites-
youve-visited-and-ad-networks-test*the-quality-of-their-data/), domain
masquerading (http://doi.acm.org/10.1145/1592665.1592668), UDIDs
(http://online.wsj.com/article/
SB10001424052748704694004576020083703574602.html), and HTML5 storage
(http://www.wired.com/threatlevel/2010/09/html5-safari-exploit/) to
track consumers in ways that are difficult or even impossible to
control.
---------------------------------------------------------------------------
B. Existing Consumer ``Notice and Choice'' Mechanisms
The current system of industry self-regulation stresses two
complementary approaches regarding online tracking: notice, though
privacy policies and in-ad enhancements, and choice, through ad
preference managers and industry-provided opt-out tools.
1. Privacy Policies
For more than a decade, websites have routinely included privacy
policies, typically linked to from the bottom of the front page. These
documents are often long and difficult to read--most likely because
they are written by lawyers, for lawyers--and have not helped consumers
to stay informed about the degree of tracking online.\19\ Research has
also shown that the majority of Americans incorrectly believe that the
phrase ``privacy policy"--and its mere presence on websites--signifies
that their information will be kept private.\20\
---------------------------------------------------------------------------
\19\ McDonald, A. and Cranor, L. (2008) The Cost of Reading Privacy
Policies. I/S: A Journal of Law and Policy for the Information Society
2008 Privacy Year in Review issue. [Paper originally presented at TPRC
2008, Sept 26-28, 2008, Arlington, VA.] and Privacy Leadership
Initiative. Privacy Notices Research Final Results. Conducted by Harris
Intereactive, (2001 Dec) from http://www.ftc.gov/bcp/workshops/glb/
supporting/harris%20results.pdf.
\20\ Turow, J., Mulligan, D., and Hoofnagle C. (2007 Oct),
Consumers Fundamentally Misunderstand the Online Advertising
Marketplace, from http://groups.ischool.berkeley.edu/samuel
sonclinic/files/annenberg_samuelson_advertising.pdf.
---------------------------------------------------------------------------
While there is much data to suggest that consumers do not actually
read or understand privacy policies, even if they did, many existing
privacy policies often provide confusing or even conflicting
information. In our KnowPrivacy study, we found that, among the top 50
most popular websites, many sites that claim to not share information
with ``third parties'' later disclaim that they do share information
with ``affiliates'', which sometimes number well over 2000
companies.\21\
---------------------------------------------------------------------------
\21\ Of the top 50 sites, all stated they collect IP address, 48
collect contact information such as name and e-mail address, and 39
collect click stream information. Bank of America had over 2,300
``affiliates''. See Gomez et al. p 24 (previously cited) and
KnowPrivacy, http://knowprivacy.org/profiles/bankofamerica.
---------------------------------------------------------------------------
2. Enhanced Notice for Online Ads
One emerging self-regulatory measure is ``enhanced'' or ``robust''
notice for online ads. The purpose of enhanced notice is to increase
transparency--directly within the ad--into why the particular ad was
chosen and what the attached terms and policies are. Although this is a
commendable step forward, the question is how many users will notice.
One self-regulatory firm noted that, during the first few months of the
industry's initiative, the notice on only 0.004 percent of ``enhanced''
ads were clicked by users actually clicked through to the detailed
explanatory text.\22\ While the initiative is in its early days, this
calls into question whether enhanced notice will be sufficient to
deliver meaningful transparency.
---------------------------------------------------------------------------
\22\ Evidon served over 11 billion impressions in their first full
scale months. Among those who click on the icon (on .004 percent of ads
served), about 3 percent of users opt-out of one or more provider. See
Smith, S. (2011, March 11). MediaPost Publications Browsing Privacy's
Next Steps 03/11/2011 from http:// www.mediapost.com/publications/
?fa=Articles.showArticle&art_aid.
---------------------------------------------------------------------------
3. Ad Preferences Managers
The advertising industry has also created online tools that allow
users to view and modify marketing inferences made about them within
``ad preferences managers.'' For example, an ad preferences tool may
show the inferences made about the user's demographic information (such
as age, income range, education, or geographic location), shopping
interests (such as sports, technology, or politics), or even
significant life events (such as ``getting married soon'' or ``having a
baby'') based on the user's browsing activity. In many cases, these
tools also allow consumers to opt-out of certain consumer marketing
sectors from which they do not wish to receive targeted ads.
Like enhanced notice, ad preference managers improve transparency
into the online ad serving ecosystem. But, these managers only present
a high-level summary of the information collected by the ad service.
Given their vantage point, third party ad services have the capability
to make inferences or use the data for other, non-advertising-related
purposes, that are not shown in the ad preference managers.\23\ I'm not
implying that specific companies are engaged in this practice, just
that collection, retention, and correlation of this behavioral data
provides the capacity for this these inferences to be made. More
transparency is needed--outside the realm of online targeted ads--about
the information that is collected by third parties and how they are
used.
---------------------------------------------------------------------------
\23\ Similar to sports and shopping habits, a user's browsing
habits could allow an observer to make inferences about a users race,
sex, sexual orientation, health status, financial health, and political
affiliation, even though these categories are typically excluded from
online preference managers.
---------------------------------------------------------------------------
4. Cookie-based Choice Mechanisms
In addition to notice and transparency, many ad services provide
users with the ability to opt-out. Currently, most opt-outs work using
special opt-out cookies--one for each ad service--stored in the user's
Web browser. The cookie-based opt-outs have been plagued by a number of
problems, some of which have been addressed in recent years and others
which persist today.
Once consumers realize they are being tracked, they must then begin
the process of obtaining opt-out cookies from each tracking company.
One self-regulatory technology firm has identified 600 companies
involved in collecting or using tracking data about customers on their
sample of 7 million domains.\24\ Another lists 323 tracking companies
publicly.\25\ Given the value of this marketplace and the speed with
which new entrants emerge, I suspect the actual number of companies
engaged in tracking may be actually be even larger. Even still,
identifying 600 hidden trackers and obtaining an opt-out is daunting
task for even the most sophisticated privacy-conscious consumer.
---------------------------------------------------------------------------
\24\ Steel, E. (2011, March 4). Council of Better Business Bureaus
to Enforce Online Tracking Principles * Digits. WSJ Blogs--WSJ from
http://blogs.wsj.com/digits/2011/03/04/council-to-enforce-online-
tracking-principles/.
\25\ PrivacyChoice Tracker Index (Mar 14 2011) from http://
www.privacychoice.org/companies/all.
---------------------------------------------------------------------------
Seeking to ease the process of obtaining opt-out cookies, industry
self-regulatory groups such as the Network Advertising Initiative (NAI)
have created one-stop websites where consumers can obtain opt-out
cookies for multiple firms. However, these opt-out sites do not
comprehensively cover all online tracking since only a fraction of
approximate 600 companies discussed are covered.\26\ This problem
exists in the mobile space as well. Currently, nine of the 16 mobile ad
companies do not offer an opt-out,\27\ and data collected on mobile
phones may be particularly sensitive, since it is often accompanied by
hardware identifiers that users cannot change or geographic location
information.
---------------------------------------------------------------------------
\26\ At the time of this writing, the NAI opt-out (http://
www.networkadvertising.org/managing/optout.asp) currently allows
consumers to opt-out of behavioral advertising by 68 member companies.
AboutAds opt-out applies to 61 companies (http://www.aboutads.info/
choices/) and even the most comprehensive list of trackers, offered by
the independent group PrivacyChoice only allows opt-out of 160 (http://
www.privacychoice.org/privacymark).
\27\ Brock, J. (2011, March 16). Mobile Tracking Privacy: Three
thoughts. PrivacyChoice Blog. from http://blog.privacychoice.org/
?p=2882.
---------------------------------------------------------------------------
Most importantly, even when opt-outs are available, many firms only
allow the user to opt-out of the receipt of targeted advertising, not
the online tracking itself. Advertisers continue to collect and retain
data in order to build a profile on the user, even in the presence of
an opt-out cookie.
Finally, cookie-based opt-out mechanisms are inherently brittle.
Users are frequently taught to delete their browser cookies on a
periodic basis to better protect their online privacy. But, when the
user clears her browser cookies, she will also inadvertently clear her
opt-out cookies, which will--counter-intuitively--opt the user back in
to tracking.
C. Do Not Track Proposals
Last July, this Committee held a hearing on the topic of online
privacy during which the idea of ``Do Not Track'' was discussed. Ever
since, there has been a significant amount of public discussion and
debate regarding the possibility of a Do Not Track mechanism. While the
name--Do Not Track--sounds much like the highly successful Do Not Call
list,\28\ the only substantive similarity is that they both give
consumers a single point of control to express their privacy
preferences. While consumers can register their phone number in a FTC
registry for Do Not Call, the single point of control for Do Not Track
is likely to be a preference setting in the consumer's Web browser or
mobile platform.
---------------------------------------------------------------------------
\28\ The Do Not Call list is an FTC enforced initiative based on
legislation that creates a centralized registry of numbers that
telemarketers may not call, under monetary penalty.
---------------------------------------------------------------------------
Two primary technical approaches to Do Not Track have been proposed
and implemented by major Web browser vendors. The first method is
called the header approach, and the second is called the blocking
approach. Two browser vendors have already taken steps to include these
mechanisms in upcoming releases of their products.\29\
---------------------------------------------------------------------------
\29\ Mozilla's Firefox 4.0 and Microsoft's Internet Explorer 9
(MSIE9) have announced support for the header mechanism. MSIE9 also
supports the blocking method as well via their Tracker Protection Lists
product.
---------------------------------------------------------------------------
1. The Header Approach
In the header approach, the consumer can toggle a Do Not Track
setting in his Web browser privacy preferences. When this setting is
enabled, the browser transmits a special signal to each remote server
that the consumer has expressed his preference to not be tracked.\30\
The idea is to give users the ability to send a clear, persistent and
technology-neutral signal to websites regarding their tracking
preference. Of course, in order this mechanism to be effective, it will
depend upon a clear set of rules defining what websites should do when
they receive this signal.
---------------------------------------------------------------------------
\30\ Current proposals involve sending a Do Not Track signal using
a browser header within the HTTP protocol.
---------------------------------------------------------------------------
Under this approach, the onus is on the server to agree to respect
the consumer's preference. It is possible that the server could ignore
the user's request and continue to engage in tracking anyway, even once
best practices are established. Thus, consumers will need a method to
verify that servers are complying with the header, so they can keep
firms honest about their commitment to respect user tracking
preferences. Publisher sites and U.S. brands that advertise could
choose to favor ad services that respect the header preference.
2. The Blocking Approach
In the blocking approach, the consumer maintains (perhaps with the
help of a trusted third party) a list of servers that are known to
engage, or are suspected of engaging, in unwanted tracking behavior.
Once a user has enabled this feature, his Web browser will
automatically block all connections to the servers on the list which
could also result in the blocking the display of advertisement.
As opposed to the header approach, the responsibility to prevent
tracking is solely on the consumer, that is, to obtain an up-to-date
list of suspected tracking servers and to block them. Servers are under
no express obligation to abstain from tracking, so if one is not
blocked by a consumer's browser, it is free to continue tracking as
usual.
One concern with this approach is that it is sometimes difficult
for consumers-at-large to determine whether a domain is engaging in
tracking behavior and whether to add that domain to the block list.
Additionally, there are many technical mechanisms that exist today that
could be used to circumvent such blocking measures.\31\
---------------------------------------------------------------------------
\31\ In particular, domains can ``spoof'' the first party
transactions that are whitelisted in browsers, or effectively act as
first parties. This means that they are bypassing any third party-
specific controls used in the browser. See Krishnamurthy et. al.,
(previously cited).
---------------------------------------------------------------------------
3. Other Considerations
For any consumer choice mechanism to work, we need to clearing
define what ``tracking'' means and what obligations are placed on
tracking companies when consumers elect to opt-out of tracking.
Consumer groups and privacy researchers have published proposals that
attempt to define ``tracking,'' \32\ but the online advertising
industry has not yet committed to respect the header nor follow any of
the proposed definitions. For example, some in the industry have
suggested that, like the current opt-out system, third parties be
allowed permitted to continue to collect information. Others have
proposed that third party services should refrain from collecting and
retaining any information about consumers if they elect to not be
tracked. This latter approach, while more privacy-preserving, may
impact advertisers' abilities to deliver even non-targeted
advertisements and includes numerous exceptions to tracking which may
defeat the spirit of a privacy mechanism.
---------------------------------------------------------------------------
\32\ What Does `Do Not Track' Mean? ``A Scoping Proposal'' by the
Center for Democracy & Technology (2011, Jan 31) from http://cdt.org/
files/pdfs/CDT-DNT-Report.pdf.
---------------------------------------------------------------------------
A potential way forward may be to agree upon a definition of
``tracking'' that balances these conflicting priorities. One of the key
components that enables tracking today is the use of unique
identifiers. As such, it may be wise to consider a definition of
tracking that focuses on these identifiers, in which third party
services make a good faith effort to strip any unique identifiers
associated with the user, browser or client device making the Web
request once the request has been processed and the service delivered.
By focusing on the identifiers, these companies would then be free to
retain the remaining data associated with the user's request, providing
that it cannot be re-identified (following current best practices in
the space). This approach will likely be good for both business and
consumers, since it allows businesses to observe how their websites are
being used and secure their servers, while preventing the creation of
individual profiles.
Finally, it is important to consider whether creating more
effective choice mechanisms for consumers may have perverse effects and
ultimately drive websites to predicate access to content based on
whether or not a consumer has consented to tracking. Websites could
require that consumers allow tracking by third parties the website is
affiliated with in order to gain access to it's content. In our
original example, WebMD could require that their affiliates, such as
DoubleClick, be allowed to track consumers in order to gain access to
useful health information on the website. This trend could potentially
favor large first parties over smaller, independent sites or allow
companies to engage in even more invasive tracking upon receiving
affirmative consent. This is not a reason to abandon efforts to improve
consumer choice, but certainly a reason for Congress to consider the
issue carefully.
D. Conclusion
My research has shown that online tracking is pervasive. It is
likely to be much more extensive than users might reasonably expect as
they casually browse the Web. Many of these third party tracking
activities are carefully tucked away from the view of the average user,
and even in cases where the user realizes he is being tracked, the
privacy tools he has available are often ineffective at stopping the
most advanced forms of tracking.
Consumers need more transparency into who is tracking them online,
what data is being collected, and how this data is being used, shared
or sold. Today's technical defenses to online tracking are not able to
stop the leading tracking technologies, and consumers often do not have
meaningful ways to control them. To be effective, privacy protections
for consumers online will likely require both a technical and policy
component, working in tandem, and I believe these discussions here
today are a great step in making that union a reality.
Internet-related debate involves issues that are deeply technical
in nature and I am grateful that this Congressional committee has
allowed technologists to participate. Thank you for inviting me to
testify here today, and I look forward to helping the committee
understand the technical issues that make online tracking such an
interesting, yet complex, issue. I will be happy to answer any further
questions.
Senator Kerry [presiding]. Thanks. Who's next?
Ms. Lawler?
STATEMENT OF BARBARA LAWLER,
CHIEF PRIVACY OFFICER, INTUIT INC.
Ms. Lawler. Good morning. And thank you to the members of
the Committee for the opportunity to comment on the state of
online privacy. My name is Barbara Lawler and I'm the Chief
Privacy Officer at Intuit. I ask that my full statement be put
into the record due to time constraints.
Senator Kerry. Without objection it will be.
Ms. Lawler. Intuit's mission is to improve people's
financial lives so profoundly they cannot imagine going back to
the old way of doing things. It is through this mission that we
approach the current privacy debate. Intuit is a unique
corporation adhering to various regulatory data privacy regimes
in the U.S. including financial and health care privacy and the
privacy of tax return information.
Additionally, we touch over 50 million people through our
products. These people can trust us with their most sensitive
data, their Federal and state income tax return information,
their individual purchase transactions, bill payments and
health information, their business accounts including employee
payroll, accounts receivable, vendor lists, inventory and other
business data. As more technology solutions move to the cloud,
customers place more trust in us as we handle their sensitive
data.
At Intuit, we developed data stewardship principles that
express how we think about how we use data, and offer
guardrails to guide our judgment. The central concept of data
stewardship is simple. It's our customer's data, not ours. We
are and will be held accountable for the information entrusted
to us.
As you think about privacy legislation we encourage you to
consider four things.
One, a principles-based approach.
Two, a focus on customers.
Three, data-driven innovation.
And four, global uniformity.
First, we see the value in comprehensive, principles-based
privacy legislation. Because we adhere to various privacy
regimes, this idea could work in tandem with self-regulatory
approaches, codes of conduct and best practices. A principles-
based approach is not prescriptive but enables flexibility to
offer data driven solutions within existing sector specific
privacy laws. A principles-based approach could fill the gaps
that exist between different sector approaches while at the
same time blending with them.
It's also more likely to be received and effectively
adapted by all businesses of all sizes. It is more likely to be
understood by the public it seeks to protect. And a principles-
based approach is more likely to achieve consensus over time in
the international context which will be essential to global
competitiveness in the emerging digital economy.
Such an approach could set forth a minimum set of
requirements for business and provide a fundamental core level
of consistency for businesses and consumers. Codes of conduct
based on context, industry sector, technology platform and
other data use drivers would build on top of a privacy
baseline. Codes of conduct can serve as the framework and
support for co-regulatory safe harbor programs.
Second, any relevant data regime must be focused on the
customer. At Intuit, customers are the heart of everything we
do. What we learn through extensive customer research is that
it's not about what we think is best for business or what we
think should be done. It's about keeping what's important to
the customer at the heart of the principles.
Third, responsible data use can foster innovation.
Consumers' expectations have changed as people are increasingly
conducting their lives online. The volume and complexity of
data in this new connected world presents boundless
opportunities to unlock a tremendous amount of data to create
better experiences and products for customers. Intuit's
approach to data-driven innovation is to responsibly use data
entrusted to us by our customers to improve their financial
lives and the products and services we provide them.
Last but not least, legislation must take into account the
need for uniformity among various privacy regimes. In
developing privacy principles there needs to be a uniform
approach. While so many laws and regulations are based on
essentially the same principles, multi-state and multinational
companies are challenged by the differences among them.
The essence of data stewardship cannot rely on just one
element of our principles. It must be comprised of all of them
combined: uniform principles-based legislation, customer driven
innovation coupled with responsible, innovative and compelling
data uses.
Thank you again for giving Intuit the opportunity to
express its thoughts on this important subject. We look forward
to working with you as you evaluate privacy legislation and to
answering any questions you may have.
[The prepared statement of Ms. Lawler follows:]
Prepared Statement of Barbara Lawler, Chief Privacy Officer, Intuit
Inc.
Good morning and thank you Chairman Rockefeller, Ranking Member
Hutchison, and members of the Committee for providing Intuit the
opportunity to share our point of view on the best way to protect
consumer privacy in the technology-driven, Internet era. We applaud the
Committee for its attention to this important issue.
Today, I'm here to talk to you about how Intuit views online
consumer privacy. Intuit is in a unique position to comment on the
current privacy debate. Not only do we have a unique perspective given
the nature of our comprehensive business portfolio and compliance with
privacy regimes, but fifty million people trust us with their most
sensitive data. I will be talking today about the creation of Intuit's
Data Stewardship Principles, the process of how we developed these
principles, and what we learned from this process, as well as the
principles themselves.
As you think about comprehensive privacy legislation, we encourage
you to focus on four things:
1. principles-based privacy
2. customers
3. data driven innovation
4. global uniformity
About Intuit
Intuit was founded in Silicon Valley nearly thirty years ago. Our
mission is to improve people's financial lives so profoundly, they
cannot imagine going back to the old way of doing things.
We started small with Quicken personal finance software,
simplifying the common household dilemma of balancing the family
checkbook. Today, we are one of the Nation's leading providers of tax,
financial management and online banking solutions for consumers and
small businesses, and the accountants, financial institutions and
healthcare providers that serve them. We employ nearly 8,000 people,
our revenues top $3.5 billion and we're recognized by Fortune Magazine
as one of America's most-admired software companies and one of the
country's best places to work.
We have always believed that with our success comes the
responsibility to give back. Part of delivering on our mission is
serving as an advocate and resource for economic empowerment among
lower income individuals and entrepreneurs. We have a track record of
more than a decade of philanthropy that enables eligible lower income,
disadvantaged and underserved individuals and small businesses to
benefit from our tools and resources for free.
Through it all we remain committed to creating new and easier ways
for consumers and businesses to tackle life's financial chores with the
help of technology. We help our customers make and save money, comply
with laws and regulations, and give them more time to live their lives
and grow their businesses.
Our flagship products and services, including QuickBooks, Quicken,
Mint.com and TurboTax, simplify small business management, payment and
payroll processing, personal finance, and tax preparation and filing.
We serve half of the accounting firms in the country, helping them be
more productive with tax preparation software. And we help community
banks and credit unions grow by providing on-demand solutions and
services that make it easier for consumers and businesses to manage
their money.
The innovation and customer driven focus that inspired these
breakthroughs leads us to uncover other unmet needs and large problems
to solve. For example, we are working to simplify the way millions of
Americans manage their health and medical expenses. Today, doctor's
offices are paper-based, inefficient and need a way to reduce costs and
delight their patients who are increasingly demanding online solutions.
Our Intuit Health Patient Portal offering is a secure, online way for
doctors and their patients to communicate and complete key tasks.
Patients can request appointments and prescription refills, pay bills,
complete forms, receive lab results, and exchange messages with their
doctor. As a result, doctors are able to reduce costs, delight
patients, and qualify for Meaningful Use stimulus funding.
With all of these offerings, we help improve the lives of fifty
million people, worldwide.
We're able to do this because our customers entrust us with their
most sensitive data--fifty million people trust us with their Federal
and state income tax return information; their individual purchase
transactions, bill payments, and health information; and their business
accounts, including employee payroll, accounts receivable, vendor
lists, inventory and other business data.
We are widely recognized and respected for our strong privacy and
security practices. Maintaining our customers' trust is critical to
maintaining our business and competitive advantage. We do not view
customer privacy and security as an exercise in compliance but as part
of our value proposition.
Intuit products span a range of sector-specific regulatory data
privacy regimes in the US, including Gramm Leach Bliley Act, Fair
Credit Reporting Act/Fair and Accurate Credit Transactions Act, IRC
7216--the privacy of individuals' personal tax information, Health
Insurance Portability and Accountability Act; and self-regulatory
regimes including PCI Data Security Standards, the U.S.-E.U. Safe
Harbor Program and the TRUSTe Privacy Seal Program.
Given the nature of our comprehensive business, providing solutions
for a range of tax, accounting, personal finance and health care needs,
Intuit is in a unique position to comment and shape the online privacy
debate.
Intuit's Data Stewardship Philosophy
As more solutions move to the cloud, customers place trust in us as
we handle their most sensitive data. Data Stewardship expresses how we
think about the use of data, and offers guardrails to guide our
judgment. Just as we talk with our customers about product development,
we also talk about their expectations around privacy. They've told us
explicitly that they expect us to be stewards of their data, using it
responsibly and with integrity, for their benefit, while keeping it
private and secure.
The central concept of Data Stewardship is that it is the
customers' data, not ours. Because we hold their most sensitive data,
customers place a deep trust in us. Our customers have told us this
directly through our extensive, consumer research. They care deeply how
their data is used, they want clear and open explanations and to have
contextual, relevant choices about those uses. They expect us to be
accountable to keep our promises. Ethical data stewardship increases
customers' confidence and trust.
To ensure that our nearly 8,000 employees are clear about how we
manage and respect information entrusted to us, we have created a set
of company-wide data stewardship principles.\1\ These principles,
derived directly from Intuit's core operating values--especially
Integrity without Compromise--are intended to guide our mindset and
behavior in all that we do. They reflect and reinforce that we're an
organization that is accountable for its actions.
---------------------------------------------------------------------------
\1\ See Appendix A for a list of our Data Stewardship Principles.
---------------------------------------------------------------------------
Intuit's Data Stewardship Principles
When we apply our Data Stewardship Principles to leveraging data,
they enable us to support Intuit's growth strategies while meeting and
exceeding our customers' expectations about how we use their data to
benefit them and run our business to provide the products and services
that serve them.
We are and will be accountable for the information entrusted to us.
By design, our Data Stewardship Principles align closely with globally
recognized fair information practices, including those for online
privacy developed in the late 1990s and to their originating concepts,
the Organization for Economic Cooperation and Development (OECD)
privacy principles. As we have learned, we believe these Principles
carry the most weight and meaning to actual consumers, based on an
extensive research process we will describe below.
As you think about comprehensive privacy legislation, we encourage
you to focus on four things:
1. principles-based privacy
2. customers
3. data driven innovation
4. global uniformity
First, we see the value in comprehensive principles-based privacy
legislation. We believe there is value in the idea of baseline,
principle-based privacy legislation that could work in tandem with
self-regulatory approaches and codes of conduct. The Intuit Data
Stewardship Principles represent our own internal code of conduct for
data. A principles-based approach is not prescriptive but enables
flexibility to offer data driven solutions within existing sector-
specific privacy laws and, most importantly, is technology-neutral.
A principle-based approach could fill the gaps and crevices that
exist between the differing sector approaches, while at the same time
blending with them. It is also more likely to be received and
effectively adapted by businesses of all sizes, including small
businesses not actively engaged in the privacy landscape. It is more
likely to be understood by the public it seeks to protect. And a
principle-based approach is more likely to achieve consensus over time
in the international context, which will be essential to global
competitiveness in the emerging digital economy. Such an approach could
set forth a minimum set of requirements for business, and provide a
fundamental, core level of consistency for businesses and consumers.
Codes of conduct, based on context, industry/sector, technology
platform or other data use drivers would build on top of a privacy
baseline. Codes of conduct can serve as the framework and support for
co-regulatory safe harbor programs.
Second, any relevant data regime must be focused on the customer.
As we enter this important discussion, it is necessary to further
emphasize the importance of both respect for the consumer participation
and control of information and the value and benefit of continued
innovation, in particular where the future of economic growth is
going--data driven innovation. The key to our success and to ensuring
balance among these interests is earning the customers' trust.
At Intuit, customers are at the heart of everything we do. We were
founded on the idea of customer driven innovation, a mindset and
methodology to uncover important, unsolved problems. Many companies
talk about customer focus, customer innovation, but the level of
commitment to this, and the rigor we put behind it, differentiates us.
For nearly thirty years, our passion for inventing products to
solve important problems and perfecting those products to delight our
customers, through direct customer feedback and observation, has made
Intuit the first choice in financial software for consumers and small
businesses. We have an instituted practice within our Corporation
called ``follow me homes'' in which representatives from the
Corporation spend a few hours with our customers to not only receive
feedback on our products but to also identify key customer needs to
amend our product. The Corporation commits to over 10,000 employee
hours of ``follow me homes'' per year--with our CEO committing to
approximately sixty hours per year himself. We supplement ``follow-me-
homes'' with direct customer research, and by bringing customers into
special ``labs'' or focus groups to evaluate and give feedback on the
customer experience and usability of our products and services. Our
respect for the customer is reflected in the policies and practices
that have driven our business. Trusted data stewardship is central to
that commitment and to our success.
The development of our Data Stewardship Principles is kept
customers as our central focus: as our established practices suggest,
we took our customers along with us on the journey to define our
principles about the use of data in a way that reflects the needs,
concerns and values of those customers. We took draft Data Stewardship
Principles directly to our customers and asked them for their feedback,
on both the concepts and words, on intent and practice, with real-world
customer experience and expectations. Over the period of the last year
alone, we conducted two rounds of quantitative, statistically valid
surveys that cut across multiple customer bases and product lines to
get feedback and learn if Data Stewardship and Privacy mattered to
them, which principles and how much. We conducted four rounds of
qualitative customer focus group sessions to dive deeper into the
subtleties of transparency, choice, data use cases and security.
Staying true to customer driven innovation, we iterated and refined
the Data Stewardship Principles over the course of the customer
research process. After several rounds of input and iteration, the
Principles have been extremely well received. Let me share some of the
insights from the more than 100 consumers and small businesses we
talked to in focus groups:
Customers may not read privacy policies but care deeply
about how their data is used.
Consumers are smarter than some give them credit for--they
are aware of a wide range of data uses, to benefit them
directly and for necessary internal business operations.
While a majority of our customers already have a positive
impression of Intuit, the Data Stewardship Principles further
build trust.
Across all research studies, the principle around not
selling or sharing personal data is the most important.
The more transparent (meaning open, simple and clear) the
company is, the more customer trust increases and the
customers' need for detailed and frequent or repetitive choice
mechanisms appears to decrease.
Training employees to uphold these principles is also
important to customers and adds an incremental level of trust
that we will deliver against our promises.
Here are a few illustrative verbatim statements from our customers
that show what Intuit's Data Stewardship Principles mean to them:
``This is what makes customers trust them. I like that
privacy is paramount & do believe they're committed to
this.''--Mike, consumer in San Diego
``Customer focused, protecting my data and interests,
holding themselves accountable.'' ``I like that these
principles are very specific. There is no doubt, or any way to
not understand exactly how Intuit intends to treat my
information. I like that.''--Jackie, small business owner in
Oakland
``Because of these principles, I will continue to use their
products.''--Darryl, consumer in Denver
``A little safer in an unsafe world.''--Erica, consumer in
Atlanta
When customers participate directly in the shaping of Data
Stewardship Principles, it brings to life the Fair Information Practice
concepts of Transparency and Individual Participation in profound ways.
Specifically, we have learned through this process what is
substantive and meaningful to consumers.
Third, responsible data use can foster innovation. The world is
quickly shifting from a paper-based, human-produced, brick-and-mortar-
bound market to one where people understand, appreciate and embrace the
benefits of truly connected software, platforms and services.
Consumers' expectations have changed as people are increasingly
conducting their lives online. `Cloud computing' makes it easier to
access and use online sites anytime and anywhere an individual chooses.
Consumers expect to interact online in an ``always on'' environment and
to have technology make life easier. They demand even greater
simplicity, such as not having to re-enter their data when they use
more than one of our products or services. Increasingly, new products
and services as well as enhancements to existing ones will employ more
and more sophisticated, rich, real-time interactive use of data,
directed and prompted by customer actions and expectations of product
functionality.
The volume and complexity of data in this new world present
boundless opportunities to unlock a tremendous amount of data to create
better experiences and products for customers, all while keeping our
customers' data safe.
Intuit's approach to data driven innovation is to responsibly use
data entrusted to us by our customers to improve their financial lives
and the products and services we provide them. This data includes
information about our customers--who they are, where they are and how
they use our products. By compiling and interpreting this data, we can
create innovative, easy-to-use products that delight customers by
helping them make and save money. We're also able to provide customers
with information that gives them greater insight into their financial
lives and helps them to achieve their personal and business goals.
To retain consumer trust in that context, Intuit's vision is that
privacy and security are central to the concept of customer
``delight,'' and therefore serve as a competitive advantage.
For innovation to thrive, we must unlock the power of data under a
Data Stewardship regime. The essence of Data Stewardship cannot rely on
just one element of our principles, it must be comprised of all of them
combined: customer driven innovation coupled with responsible,
innovative, and compelling data uses. Moreover, as global
competitiveness evolves beyond the bricks-and-mortar economies of the
past, and international trade takes on an electronic character in the
economy of the future, sound business practices and wise public policy
are critical components of innovation, invention, and full, fair and
open competition.
Last but not least, legislation must take into account the need for
uniformity among various privacy regimes. While so many laws and
regulations are based on essentially the same principles, multi-state
and multi-national companies are challenged by the differences among
them. Some regulations in breach notification, for example, require
notification of some state agencies; others do not. The notification
triggers and thresholds are different. And the definitions of important
terms vary across the landscape.
In a domestic context, we support a uniform Federal breach
notification law. Aligning practices across states would provide
benefits for consumers who purchase from merchants in other states. It
would also lessen the complexity for merchants, a consistent goal in
improving the economy.
In an international context, baseline principles that align with
the Asia-Pacific Economic Coordination (APEC) Privacy Principles and
the E.U. Directive would improve multi-national commerce, allowing the
freer-flow of transactions and data across borders, in a consistent
trusted manner. This, in turn, would improve the U.S. economy through
vibrant trade. Intuit agrees that the U.S. Government should continue
to work toward increased cooperation among privacy enforcement
authorities around the world and develop a framework for mutual
recognition of other countries' frameworks. Intuit agrees that the U.S.
should also continue to support the APEC Privacy Principles Pathfinder
Project, because it is the best framework to achieve data privacy
interoperability in the 21st century.
Conclusion
Once again, Mr. Chairman, Senator Hutchison, members of the
Committee, thank you again for giving Intuit the opportunity to express
its thoughts on this important subject. Maintaining customers trust is
the foundation to building privacy principles. It is with this trust
that we will learn from the customers about what they really want and
what is important to them when it comes to their data. In the 21st
century, customers demand more in a connected world. We must work
toward the shared goal of protecting consumers while maintaining data
driven innovation to improve our customers' financial lives, in a
trusted, real, and fundamental way.
We look forward to working with you and the Committee toward this
goal.
______
Appendix A
Intuit Data Stewardship Principles
What we stand for:
Our customers' privacy (and their customers' and employees')
is paramount to us.
Our customers place a deep trust in Intuit because we hold
their most sensitive data . . . therefore, we are a trusted
steward of their data.
Our company values start with Integrity without Compromise,
and our privacy principles require that we all be accountable.
How we run our business (what we hold ourselves accountable to):
We will not:
Without explicit permission, sell, publish or share data
entrusted to us by a customer that identifies the customer or
any person.
We will:
Use customer data to help our customers improve their
financial lives. We help them make or save money, be more
productive, and comply with laws and regulations.
Use customer data to operate our business, including helping
our customers improve their user experience and understand the
products and services that are available to help them.
Give customers choices about our use of data that identifies
them.
Give open and clear explanations about how we use data.
Publish or share combined, unidentifiable customer data, but
only in a way that would not allow the customer or any person
to be identified.
Train our employees about how to keep data safe and secure,
and educate our customers about how to keep their and their
customers' data safe and secure.
Senator Kerry. Thank you, Ms. Lawler.
Mr. Calabrese?
STATEMENT OF CHRISTOPHER R. CALABRESE,
LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION,
WASHINGTON LEGISLATIVE OFFICE
Mr. Calabrese. Thank you, Chairman Kerry, members of the
Committee. Thank you for the opportunity to testify on behalf
of the American Civil Liberties Union. We support comprehensive
protections for American's personal information including a Do
Not Track mechanism.
One of the new models of Internet advertising has been to
target ads at the specific individual in order to make those
ads more relevant. The result has been a system where Americans
are routinely tracked as they surf the Internet. Americans
assume there is no central record of what they do and where
they go online. However in many instances that is no longer the
case.
Behavioral marketers, social networks and other online
companies are creating profiles of unprecedented depth and
breadth that reveal the personal aspects of our lives including
our religious and political beliefs, medical information,
purchases and reading habits. These profiles can legally be
shared with anyone including offline companies, employers and
the government. This data collection is neither benign nor
anonymous.
Individual profiles identify our mental health, sexual
orientation or issues with weight. They may indicate particular
vulnerabilities.
Ninety-two-year-old veteran, Richard Guthrie was bilked out
of more than $100,000 by criminals who identified him from
marketing lists.
Cate Reid, a recent high school graduate has been
identified by advertisers as concerned about her weight.
``Every time I go on the Internet,'' she says, she sees weight
loss ads. ``I'm self-conscious about my weight. I try not to
think about it. Then the ads start me thinking about it.''
Information that can be used for identity theft is online
but beyond our control. One reporter asked a company to search
out information on her armed only with her name and e-mail
address. She said. ``Within 30 minutes the company had my
social security number. In 2 hours they knew where I lived, my
body type, my hometown, my health status.''
Nor are individual web surfing habits anonymous. Many
companies now provide a way to directly link your name and
mailing address to your web surfing habits. Companies know who
you are online. All of this information is available for sale
with no controls.
Of particular concern, of course to the ACLU, is government
access. Many civil liberties benefits of the Internet, ability
to read provocative materials, associate with non-mainstream
groups, voice dissenting opinions are based on the assumptions
of practical anonymity and freedom from government scrutiny.
Because of this information collections these assumptions are
rapidly eroding.
Law enforcement routinely purchases access to offline
private data bases full of detailed profiles on each of us with
no legal process. They could legally do the same with online
information. In fact online and offline data bases of personal
information are increasingly linked. But we have no right to
access those same data bases or control how they're used.
Solutions exist. The technology may be new but the problems
are not. Congress and the states have passed many laws to
protect Americans reading habits and viewing habits in the
offline world. More than 30 years ago the U.S. Department of
Health, Education and Welfare crafted basic privacy principles.
Called the Fair Information Practice Principles they have
become the basis for comprehensive privacy laws in many
industrialized nations as well as sector specific laws in the
United States.
The Department of Commerce recently called for adoption of
these principles for the Internet. We endorse the use of fair
information practices as well. In addition the private sector
is developing innovative solutions like a Do Not Track
mechanism.
These mechanisms need to be backed by the force of law. We
reject any approach that relies solely on self regulation by
companies. Self regulation by itself is a failed approach. It
has allowed the current data collection practices to flourish.
Consumers want change. Surveys show that 67 percent
rejected the idea that advertisers should be able to match ads
based on specific websites consumers visit. And 61 percent
believe these practices were not justified even if they kept
costs down and allowed consumers to visit websites for free.
Ultimately if this information collection is allowed to
continue unchecked then capitalism could build what the
government never could, a complete surveillance state online.
Without government intervention we may soon find the Internet
has been transformed from a library and a playground to a fish
bowl. And that we have unwittingly seeded core values of
privacy and autonomy.
Thank you.
[The prepared statement of Mr. Calabrese follows:]
Prepared Statement of Christopher R. Calabrese, Legislative Counsel,
American Civil Liberties Union, Washington Legislative Office
Good morning Chairman Rockefeller, Ranking Member Hutchison, and
members of the Committee. Thank you for the opportunity to testify on
behalf of the American Civil Liberties Union (ACLU) its more than half
a million members, countless additional activists and supporters, and
fifty-three affiliates nationwide, about the importance of online
privacy. We support comprehensive protections for Americans' personal
information and specifically support a ``Do Not Track'' option for
online consumers. These protections are crucial for preventing harm to
consumers and to safeguard Americans' First and Fourth Amendment rights
online.
I. Introduction
Rapid technological advances and the lack of an updated privacy law
have resulted in a system where Americans are routinely tracked as they
surf the Internet. The result of this tracking--often performed by
online marketers--is the collection and sharing of Americans' personal
information with a variety of entities including offline companies,
employers and the government. As greater portions of our lives have
moved online, unregulated data collection has become a growing threat
to our civil liberties.
As one recent report explains, the Internet has been an engine of
radical, positive changes in the way we communicate, learn, and
transact commerce.\1\ The Internet allows us to connect to one another
and share information in ways we never before could have imagined. Many
of the civil liberties benefits of the Internet--the ability to access
provocative materials more readily, to associate with non-mainstream
groups more easily, and to voice opinions more quickly and at lower
cost--are enhanced by the assumption of practical anonymity. Similarly,
consumers are largely unaware of the breadth of information collection
and the various uses to which it is put.
---------------------------------------------------------------------------
\1\ Federal Trade Commission (Bureau of Consumer Protection), A
Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era
of Rapid Change: A Proposed Framework for Businesses and Policymakers,
December 1, 2010.
---------------------------------------------------------------------------
In short, Americans assume that there is no central record of what
they do and where they go online. However in many instances that is no
longer the case. Behavioral marketers are creating profiles of
unprecedented breadth and depth that reveal personal aspects of
people's lives including their religious or political beliefs, medical
information, and purchase and reading habits. Even as behavioral
targeting continues to grow, its practitioners have already
demonstrated a disturbing ability to track and monitor an individual's
actions online.
If this collection of data is allowed to continue unchecked, then
capitalism will build what the government never could--a complete
surveillance state online. Without government intervention, we may soon
find the Internet has been transformed from a library and playground to
a fishbowl, and that we have unwittingly ceded core values of privacy
and autonomy.
II. Americans have embraced technology, but they still expect privacy
Technology has moved rapidly and Americans have adopted these
changes into their lives:
Over 50 percent of American adults use the Internet on a
typical day.\2\
---------------------------------------------------------------------------
\2\ Common daily activities include sending or receiving e-mail
(40+ percent of all American adults do so on a typical day), using a
search engine (35+ percent), reading news (25+ percent), using a social
networking site (10+ percent), banking online (15+ percent), and
watching a video (10+ percent). Pew Internet & American Life Project,
Daily Internet Activities, 2000-2009, http://www.pewinternet.org/Trend-
Data/Daily-Internet-Activities-20002009.aspx.
62 percent of online adults watch videos on video-sharing
sites,\3\ including 89 percent of those aged 18-29.\4\
---------------------------------------------------------------------------
\3\ A ``video-sharing site'' or ``video hosting site'' is a website
that allow users to upload videos for other users to view (and, often,
comment on or recommend to others). Wikipedia, Video Hosting Service,
http://en.wikipedia.org/wiki/Video_sharing (as of January 21, 2011).
YouTube is the most common video-sharing site today.
\4\ Pew Internet & American Life Project, Your Other Tube: Audience
for Video-Sharing Sites Soars, July 29, 2009, http://pewresearch.org/
pubs/1294/online-video-sharing-sites-use.
Over 70 percent of online teens and young adults\5\ and 35
percent of online adults have a profile on a social networking
site.\6\
---------------------------------------------------------------------------
\5\ Pew Internet & American Life Project, Social Media & Young
Adults, Feb. 3, 2010, http://www.pewinternet.org/Reports/2010/Social-
Media-and-Young-Adults.aspx.
\6\ ``Social networking sites'' allow users to construct a ``semi-
public'' profile, connect with other users of the service, and navigate
these connections to view and interact with the profiles of other
users. Danah M. Boyd & Nicole B. Ellison, Social Networking Sites:
Definition, History, and Scholarship, 13 J. of Comp.-Mediated Comm. 1
(2007); Pew Internet & American Life Project, Adults & Social Network
Sites, Jan. 14, 2009, http://www.pewinternet.org/Reports/2009/Adults-
and-Social-Network-Websites.aspx.
83 percent of Americans own a cell phone and 35 percent of
cell phone owners have accessed the Internet via their
phone.\7\
---------------------------------------------------------------------------
\7\ Pew Internet & American Life Project, Internet, Broadband, and
Cell Phone Statistics, Jan. 5, 2010, http://www.pewinternet.org/
Reports/2010/Internet-broadband-and-cell-phone-statistics.aspx.
Companies continue to innovate and create new ways for Americans to
merge technology with daily activities. Google has spent the last 5
years building a new online book service and sales of digital books and
devices have been climbing.\8\ Americans increasingly turn to online
video sites to learn about everything from current news to politics to
health.\9\ Location-based services\10\ are also a burgeoning
market.\11\
---------------------------------------------------------------------------
\8\ See generally ACLU of Northern California, Digital Books: A New
Chapter for Reader Privacy, Mar. 2010, available at http://
www.dotrights.org/digital-books-new-chapter-reader-privacy.
\9\ ``More Americans are watching online video each and every month
than watch the Super Bowl once a year..'' Greg Jarboe, ``125.5 Million
Americans Watched 10.3 Billion YouTube Videos in September,''
SearchEngineWatch.com, Oct. 31, 2009, http://
blog.searchenginewatch.com/091031-110343.
\10\ ``Location-based services'' is an information service
utilizing the user's physical location (which may be automatically
generated or manually defined by the user) to provide services.
Wikipedia, Location-Based Service, http://en.wikipedia.org/wiki/
Location-based_service (as of January 21, 2011).
\11\ Recent location-based service Foursquare built a base of
500,000 users in its first year of operation. Ben Parr, ``The Rise of
Foursquare in Numbers [STATS],'' Mashable, Mar. 12, 2010, http://
mashable.com/2010/03/12/foursquare-stats/.
---------------------------------------------------------------------------
However this rapid adoption of new technology has not eliminated
Americans' expectations of privacy. To the contrary, Americans still
expect and desire that their online activities will remain private, and
express a desire for laws that will protect that privacy:
69 percent of Internet users want the legal right to know
everything that a Website knows about them.\12\
---------------------------------------------------------------------------
\12\ Joseph Turow, et al., Americans Reject Tailored Advertising 4
(2009), available at http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=1478214.
92 percent want the right to require websites to delete
information about them.\13\
---------------------------------------------------------------------------
\13\ Id.
---------------------------------------------------------------------------
And consumers oppose online tracking:
67 percent rejected the idea that advertisers should be able
to match ads based on specific websites consumers visit; \14\
and
---------------------------------------------------------------------------
\14\ Lymari Morale, ``U.S. Internet Users Ready to Limit Online
Tracking for Ads,'' USA TODAY, December 21, 2010.
61 percent believed these practices were not justified even
if they kept costs down and allowed consumers to visit websites
for free.\15\
---------------------------------------------------------------------------
\15\ Id.
In sum, while Americans make great use of the Internet, they are
very concerned about their privacy and specifically troubled by the
practice of behavioral targeting.
III. The data collected by behavioral marketers forms a personal
profile of unprecedented breadth and depth
Behavioral targeting contravenes many American's expectation of
privacy and how they should be treated online. Online advertising is
one of the fastest growing businesses on the Internet and it is based
on collecting a staggering amount of information about people's online
activities. Advertising has always been prevalent online, but instead
of targeting websites--such as advertising shoes on a shoe store site--
advertisers now use personal information to target individuals
directly.
They do this using different surveillance tools. The simplest tools
are cookies. A cookie is a file that a website can put on a user's
computer when the user visits it so that when the user returns, or
visits another affiliated site, it remembers certain information about
the user. Cookies were initially used to help websites remember user
passwords or contents in shopping bags, but as online marketing grew
more sophisticated, cookies did too. Advertisers and aggregators
modified cookies to track people's web page visits, searches, online
purchases, videos watched, posts on social networking, and so on.
Another popular and even more invasive tool for tracking is the
flash cookie. Flash cookies are often used by data aggregators to re-
install a regular cookie that a user had detected and deleted. The
newest and most aggressive form of tracking is the beacon. Beacons,
also known as web bugs, are often used by sites that hire third party
services to monitor user actions. These devices can track a user's
movements extremely closely; to the point that they can monitor
keystrokes on a page or movements by a user's mouse. The result of
these practices is the collection and sale of a wealth of consumer data
without any legal limits or protections for individuals.
As targeted ads become increasingly profitable, behavioral
marketers are growing more ambitious and seeking to form an even more
complete picture of unsuspecting citizens. The Wall Street Journal
recently conducted a comprehensive study on the effects of online
marketing on individual privacy and the results were alarming. The
study found that the Nation's 50 top websites installed an average of
64 pieces of tracking technology on user's computers, usually with no
warning. A dozen sites installed over a hundred. For example, the study
found that Microsoft's popular website, MSN.com, attached a tracking
device that identified and stored user's detailed personal information.
According to the tracking company that created the file, it could
predict a user's age, zip code, and gender, as well as an estimate of a
user's income, marital status, family status and home ownership
status.\16\ These new technologies allow marketers to combine a vast
amount of information gleaned from different websites over time in
order to paint an extremely detailed profile of potential consumers.
Any particular website may have little information and this may not
alarm some, but when a large number of these data points are
aggregated, an extremely detailed picture results.
---------------------------------------------------------------------------
\16\ Angin Win, ``The Web's New Gold Mine: Your Secrets,'' Wall
Street Journal, July 30, 2010.
---------------------------------------------------------------------------
In addition, the Wall Street Journal found that tracking technology
has become so advanced and covert that the website owner is often not
even aware of its presence. Microsoft, one of the largest developers of
computer software in the world, said it did not know about the tracking
devices on its site until informed by the Journal.\17\ If these
technologies have become as surreptitious as to slip past sophisticated
website owners, it is completely unreasonable to believe that the
average user would be able to avoid their spying.
---------------------------------------------------------------------------
\17\ Id.
---------------------------------------------------------------------------
IV. Identifying individuals and the merger of online and offline
identity
Online and offline data companies are combining forces to get an
even more detailed profile of consumers and further erode privacy. For
example, Comscore, a leading provider of website analytic tools, boasts
that ``online behavioral data can . . . be combined with attitudinal
research or linked with offline databases in order to diagnose cross-
channel behavior and streamline the media planning process.'' \18\
---------------------------------------------------------------------------
\18\ Why Comscore?, http://comscore.com/About_comScore/Why_comScore
(last visited January 21, 2011).
---------------------------------------------------------------------------
In another example, the data firm Aperture has made the connection
between online and offline identities by collecting data from offline
data companies like Experian or Nielsen's Claritas and then combining
it with a huge database of e-mail addresses maintained by its parent
company, Datran Media.\19\ According to media reports, many major
companies are working with Aperture.\20\ ``The line between merging
online and offline data isn't no-man's land anymore; it's becoming more
of a common practice,'' said Mike Zaneis, Washington lobbyist for the
Interactive Advertising Bureau.'' \21\ A variety of services offer to
merge names and postal addresses with collected IP and e-mail
addresses.\22\
---------------------------------------------------------------------------
\19\ Michael Learmonth, ``Holy Grail of Targeting is Fuel for
Privacy Battle,'' Advertising Age, March 22, 2010.
\20\ Id.
\21\ Id.
\22\ See: http://biz.freshaddress.com/RealTimePostalAppend.aspx.
For a long list of their clients please see: http://
biz.freshaddress.com/ClientsByName.aspx.
---------------------------------------------------------------------------
To be clear: such a merger of data is only possible when consumers
are specifically identified. As described above, markets are using
personal identifiers like e-mail addresses to connect online browsing
habits to offline information from other databases. One venture
capitalistic described it to the Wall Street Journal: ``They're trying
to find better slices of data on individuals,'' says Nick Sturiale, a
general partner at Jafco Ventures, which has largely avoided the
sector. ``Advertisers want to buy individuals. They don't want to buy
[Web] pages.'' \23\ You can only ``buy individuals'' when you know who
they are.
---------------------------------------------------------------------------
\23\ Scott Thrum, ``Online Trackers Rake in Funding,'' Wall Street
Journal, February 25, 2011 at: http://online.wsj.com/article/
SB10001424052748704657704576150191661959856.html#ixzz
1FYWLkEWm.
---------------------------------------------------------------------------
V. Regulation of behavioral targeting does not threaten the ``Free
Internet''
The ACLU believes the Internet is the most advanced marketplace of
ideas and one of the greatest tools ever created for advancing
American's First Amendment rights. We would never endorse any
regulation that endangered the robustness and variety of this medium.
Laws protecting personal information and those that would create a ``Do
Not Track'' mechanism would not harm the Internet or end the provision
of free products or services.
Behavioral targeting is different than ``contextual advertising,''
another type of online ad service which shows ads to users based on the
content of the web page they are currently viewing or the web search
they have just performed. When this pairing of ads to users' interests
is based only on a match between the content of an ad and a single page
or search term, a website or advertising network requires no personal
information about a user beyond an IP address. The practice does not
raise significant privacy concerns.
Nor would commonsense regulations necessarily foreclose the use of
consumer data as part of advertising and services. For example, a
consumer may want to allow significant data collection by websites with
whom they already have a relationship. Companies like Google and Amazon
gather information that has demonstrable benefit to the consumer--by
providing book recommendations or easy-to-use maps. Consumers may
welcome targeted ads when they feel in control of their own information
or may consider it a fair tradeoff for other goods or services.
Content has been supported for years (and in many cases for decades
and even centuries) through advertising without the need for detailed
targeting and tracking of consumers. But studies have demonstrated that
the vast majority of the revenue from tracking consumers online goes
not to content providers but rather to the behavioral targeters
themselves. Industry sources say that 80 percent of the revenue from
targeting--4 in 5 dollars--went to create and enhance the targeting
system, not to publishers.\24\ Major publishers like the New York Times
have endorsed a ``Do Not Track'' mechanism--clearly they are not
concerned that such a mechanism will harm their ad revenue.\25\
---------------------------------------------------------------------------
\24\ The Jordan Edmiston Group, M&A Overview and Outlook, Slide 13,
can be found at: http://www.jegi.com/files/docs/IABMIXX.pdf.
\25\ ``Protecting Online Privacy,'' New York Times, December 4,
2010.
---------------------------------------------------------------------------
VI. Access to extensive personal profiles threatens personal privacy
and the First and Fourth Amendment
It is no exaggeration to say that data profiles--which may combine
records of a person's entire online activity and extensive databases of
real-world, personally identifiable information--draw a personal
portrait unprecedented in scope and detail. Because the Internet has
become intertwined with so many personal facets of our lives, the same
technology that has provided such tremendous advances also creates the
possibility of tremendous intrusion by companies and the government.
i. Non-governmental actors
The harms caused by excessive and invasive data collection are real
and pressing. They begin with straightforward invasions of privacy.
Should anyone have the right to know and sell to others the fact that
you are overweight, or depressed, or gay? \26\ These are all
commonplace occurrences with marketers and social networking sites
routinely making and selling these determinations. They have
significant consequences for consumers who have no say in the
collection and use of their own information. As the Wall Street Journal
explains:
---------------------------------------------------------------------------
\26\ See Testimony of Pam Dixon The Modern Permanent Record and
Consumer Impacts from the Offline and Online Collection of Consumer
Information, Before the Subcommittee on Communications, Technology, and
the Internet, and the Subcommittee on Commerce, Trade, and Consumer
Protection of the House Committee on Energy and Commerce November 19,
2009 at http://www.worldprivacyforum.org/pdf/TestimonyofPamDixonfs.pdf;
Brett Michael Dykes, ``Latest Facebook privacy outrage: ad data outing
gay users,'' The Upshot, October 22, 2010 at: http://news.yahoo.com/s/
yblog_upshot/20101022/bs_yblog_upshot/latest-facebook-privacy-outrage-
ad-data-outing-gay-users.
Yahoo's network knows many things about recent high-school
graduate Cate Reid. One is that she is a 13- to 18-year-old
female interested in weight loss. Ms. Reid was able to
determine this when a reporter showed her a little-known
feature on Yahoo's website, the Ad Interest Manager, that
---------------------------------------------------------------------------
displays some of the information Yahoo had collected about her.
Yahoo's take on Ms. Reid, who was 17 years old at the time, hit
the mark: She was, in fact, worried that she may be 15 pounds
too heavy for her 5-foot, 6-inch frame. She says she often does
online research about weight loss.
``Every time I go on the Internet,'' she says, she sees weight-
loss ads. ``I'm self-conscious about my weight,'' says Ms.
Reid, whose father asked that her hometown not be given. ``I
try not to think about it. . . . Then [the ads] make me start
thinking about it.'' \27\
---------------------------------------------------------------------------
\27\ Win article.
This tracking is ubiquitous around the Internet with tracking
technology on 80 percent of 1,000 popular sites, up from 40 percent of
those sites in 2005.\28\
---------------------------------------------------------------------------
\28\ Id.
---------------------------------------------------------------------------
In the information age knowledge is power and personal information
can be used for many other purposes. A data-mining firm called Rapleaf
has said it can make determinations about creditworthiness and whether
someone will be a good customer.\29\ A defense attorney attempted to
access the social networking pages of two teens in order to prove they
were appropriately denied health care.\30\ One employer demanded access
to its employee's private Facebook account as part of a background
check.\31\
---------------------------------------------------------------------------
\29\ Lucas Conley, ``How Rapleaf Is Data-Mining Your Friend Lists
to Predict Your Credit Risk,'' FAST COMPANY November 16, 2009 at http:/
/www.fastcompany.com/blog/lucas-conley/advertising-branding-and-
marketing/company-we-keep.
\30\ Mark Stein, ``Facebook Page? Or Exhibit A in Court?,''
Portfolio.com, February 5, 2008 http://www.portfolio.com/views/blogs/
daily-brief/2008/02/05/facebook-page-or-exhibit-a-in-court/.
\31\ Matt Liebowitz ``Boss Demands Employee's Facebook Password,''
MSNBC.com, March 1, 2011 http://www.msnbc.msn.com/id/41743732/ns/
technology_and_science-security/.
---------------------------------------------------------------------------
When information escapes a consumer's control, it gives power to
others to make decisions about them that have real consequences for
their lives. In addition, the lack of control and transparency
surrounding consumer personal information harms not just consumers but
the Internet as a whole. Uncertainty over the use or misuse of
information by third parties retards the adoption of new technologies
and makes consumers more anxious about revealing personal information.
Personal information can also reveal weaknesses that unscrupulous
actors can exploit. Ninety-two year old veteran Richard Guthrie was
bilked out of more than $100,000 by criminals who identified him from
marketing lists.\32\ InfoUSA routinely advertised lists of:
---------------------------------------------------------------------------
\32\ Charles Duhigg, ``Bilking the Elderly, With a Corporate
Assist,'' New York Times. May 20, 2007 http://www.nytimes.com/2007/05/
20/business/20tele.html?_r=2.
``Elderly Opportunity Seekers,'' 3.3 million older people
``looking for ways to make money,'' and ``Suffering Seniors,''
4.7 million people with cancer or Alzheimer's disease. ``Oldies
but Goodies'' contained 500,000 gamblers over 55 years old, for
8.5 cents apiece. One list said: ``These people are gullible.
They want to believe that their luck can change.'' \33\
---------------------------------------------------------------------------
\33\ Id.
In other cases thieves purchased access to databases of Americans'
personal information and used that information to commit identity
theft.\34\
---------------------------------------------------------------------------
\34\ Federal Trade Commission, ``ChoicePoint Settles Data Security
Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for
Consumer Redress,'' January 26, 2006. http://www.ftc.gov/opa/2006/01/
choicepoint.shtm.
---------------------------------------------------------------------------
Collection of personal information online turbo-charges this
process. One reporter asked a company to search out information about
her online. She disclosed that, armed only with her name and e-mail
address, ``Within 30 minutes, the company had my Social Security
number; in 2 hours, they knew where I lived, my body type, my hometown,
and my health status.'' \35\
---------------------------------------------------------------------------
\35\ Jessica Bennett, ``What the Internet Knows about You,''
Newsweek, October 22, 2010. http://www.newsweek.com/2010/10/22/forget-
privacy-what-the-internet-knows-about-you.html.
---------------------------------------------------------------------------
ii. Governmental actors
As their contracts with the data aggregator industry demonstrate,
government and law enforcement agencies have also found these personal
data profiles irresistible. In 2006 the Washington Post reported that
the Federal Government and states across the country have developed
relationships with private companies that collect personal information
about millions of Americans, including unlisted cell phone numbers,
insurance claims, driver's license photographs, and credit reports
through private data aggregators including Accurint, Entersect and
LexisNexis. In fact, Entersect boasts that it is ``the silent partner
to municipal, county, state, and Federal justice agencies who access
our databases every day to locate subjects, develop background
information, secure information from a cellular or unlisted number, and
much more.'' \36\
---------------------------------------------------------------------------
\36\ O'Harrow Jr Robert, Centers Tap into Personal Databases,
Washington Post, April 2, 2008.
---------------------------------------------------------------------------
The Central Intelligence Agency (CIA), via its investment arm In-Q-
Tel, has invested in a software company that specializes in monitoring
blogs and social networks \37\ and the Department of Defense, the CIA,
and the Federal Bureau of Investigation (FBI) have all purchased use of
private databases from Choicepoint, one of the largest and most
sophisticated aggregators of personal data.\38\ In the words of the
FBI, ``We have the legal authority to collect certain types of
information'' because ChoicePoint is ``a commercial database, and we
purchase a lot of different commercial databases. . . . They have
collated information that we legitimately have the authority to
obtain.'' \39\
---------------------------------------------------------------------------
\37\ Noah Shactman, ``U.S. Spies Buy Stake in Firm That Monitors
Blogs, Tweets,'' Wired, October 19, 2009 at http://www.wired.com/
dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-
monitoring-firm.
\38\ Shane Harris, ``FBI, Pentagon Pay For Access to Trove of
Public Records,'' National Journal., Nov. 11, 2005 at http://
www.govexec.com/story--page.cfm?articleid=32802; Robert O'Harrow Jr.,
``In Age of Security, Firm Mines Wealth Of Personal Data,'' Washington
Post, January 20, 2005, at http://www.washingtonpost.com/wp-dyn/
articles/A22269-2005Jan19.html.
\39\ Harris, supra n. 16 (quoting FBI spokesman Ed Cogswell).
---------------------------------------------------------------------------
The government has demonstrated an increasing interest in online
user data in other ways as well. In 2006 the Department of Justice
(DOJ) subpoenaed search records from Google, Yahoo!, and other search
providers in order to defend a lawsuit.\40\ In 2007, Verizon reported
receiving 90,000 requests per year and in 2009, Facebook told Newsweek
it was getting 10 to 20 requests each day. In response to increasing
privacy concerns, Google started to publish the number of times law
enforcement asked for its customers' information and reported over
4,200 such requests in the first half of 2010 alone. In the words of
Chris Hoofnagle, a senior fellow at the Berkeley Center for Law and
Technology, ``These very large data bases of transactional information
become honey pots for law enforcement or for litigants.'' \41\ Given
the government's demonstrated drive to access both online data and
commercial data bases of personal information, it seems nearly certain
that law enforcement and other government actors will purchase or
otherwise access the type of detailed profiles of online behavior
compiled by behavioral marketers.
---------------------------------------------------------------------------
\40\ Hiawatha Bray, ``Google Subpoena Roils the Web, U.S. Effort
Raises Privacy Issues,'' Boston Globe, January 21, 2006 at http://
www.boston.com/news/nation/articles/2006/01/21/
google_subpoena_roils_the_web/.
\41\ Miguel Helft, ``Google Told to Turn Over User Data of
Youtube,'' New York Times, July 4, 2008 at http://www.nytimes.com/2008/
07/04/technology/04youtube.html.
---------------------------------------------------------------------------
Our First Amendment rights to freedom of religion, speech, press,
petition, and assembly are based on the premise that open and
unrestrained public debate empowers democracy by enriching the
marketplace with new ideas and enabling political and social change
through lawful means. The Fourth Amendment shields private conduct from
unwarranted government scrutiny. Together the exercise of these rights
online has allowed the Internet marketplace of ideas to expand
exponentially.
Courts have uniformly recognized that government requests for
records of which books, films, or other expressive materials
individuals have received implicate the First Amendment and trigger
exacting scrutiny.\42\ These cases are grounded in the principle that
the First Amendment protects not only the right of individuals to speak
and to express information and ideas, but also the corollary right to
receive information and ideas through books, films, and other
expressive materials.\43\ Within this protected setting, privacy and
anonymity are vitally important. Anonymity ``exemplifies the purpose
behind the Bill of Rights, and of the First Amendment in particular,''
because, among other things, it serves as a ``shield from the tyranny
of the majority.'' \44\ An individual may desire anonymity when
engaging in First Amendment activities--like reading, speaking, or
associating with certain groups--because of ``fear of economic or
official retaliation, . . . concern about social ostracism, or merely .
. . a desire to preserve as much of one's privacy as possible.'' \45\
---------------------------------------------------------------------------
\42\ In re Grand Jury Subpoena to Kramerbooks & Afterwords Inc., 26
Med. L. Rptr. 1599, 1600-01 (D.D.C. 1998) (Dkt. No. 21, Ex. B)
(requiring government to show compelling interest and a sufficient
connection between its investigation and its request for titles of
books purchased by Monica Lewinsky); Tattered Cover, Inc. v. City of
Thornton, 44 P.3d 1044, 1053 (Colo. 2002) (holding that search of
bookseller's customer purchase records necessarily intrudes into
constitutionally protected areas).
\43\ See, e.g., Va. State Bd. of Pharmacy v. Va. Citizens Consumer
Council, 425 U.S. 748, 757 (1976) (right to receive advertisements);
Stanley v. Georgia, 394 U.S. 557, 564 (1969) (films); Bantam Books v.
Sullivan, 372 U.S. 58, 64 n.6 (1963) (books).
\44\ McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 357 (1995).
\45\ Id. at 341-42.
---------------------------------------------------------------------------
The Supreme Court has also recognized that anonymity and privacy
are essential to preserving the freedom to receive information and
ideas through books, films, and other materials of one's choosing. For
example, in Lamont v. Postmaster General, the Court invalidated a
postal regulation that required the recipient of ``communist political
propaganda'' to file a written request with the postmaster before such
materials could be delivered.\46\ The regulation violated the First
Amendment because it was ``almost certain to have a deterrent effect .
. . Any addressee [was] likely to feel some inhibition'' in sending for
literature knowing that government officials were scrutinizing its
content.\47\ Forced disclosure of reading habits, the Court concluded,
``is at war with the `uninhibited, robust, and wide-open' debate and
discussion that are contemplated by the First Amendment.'' \48\
---------------------------------------------------------------------------
\46\ Lamont v. Postmaster General, 381 U.S. 301, 302 (1965).
\47\ Id. at 307.
\48\ Id. (quoting New York Times Co. v. Sullivan, 376 U.S. 254, 270
(1964)).
---------------------------------------------------------------------------
These words ring equally true today in the Information Age, with
the prevalence of the Internet and other new technologies. Although
these technological advances provide valuable tools for creating and
disseminating information, the unprecedented potential for government
and companies to store vast amounts of personal information for an
indefinite time poses a new threat to the right to personal privacy and
free speech. In In re Grand Jury Subpoena to Amazon.com, the district
court recognized this reality in holding that a grand jury subpoena to
Amazon requesting the identities of buyers of a certain seller's books
raised significant First Amendment concerns.\49\ The court explained
its concern over the chilling effect that would flow from enforcing
such a subpoena in the age of the Internet, despite its confidence in
the government's good-faith motives:
---------------------------------------------------------------------------
\49\ 246 F.R.D. at 572-73
[I]f word were to spread over the Net--and it would--that [the
government] had demanded and received Amazon's list of
customers and their personal purchases, the chilling effect on
expressive e-commerce would frost keyboards across America.
Fiery rhetoric quickly would follow and the nuances of the
subpoena (as actually written and served) would be lost as the
cyber debate roiled itself to a furious boil. One might ask
whether this court should concern itself with blogger outrage
disproportionate to the government's actual demand of Amazon.
The logical answer is yes, it should: well-founded or not,
rumors of an Orwellian Federal criminal investigation into the
reading habits of Amazon's customers could frighten countless
potential customers into canceling planned online book
purchases, now and perhaps forever. . . . Amazon . . . has a
legitimate concern that honoring the instant subpoena would
chill online purchases by Amazon customers.\50\
---------------------------------------------------------------------------
\50\ In re Grand Jury Subpoena to Amazon.com, 246 F.R.D. at 573.
The Internet is, and must remain, the most open marketplace of
ideas in the history of the world. In order to guarantee this, we must
provide consumers with the tools they need to control their personal
information and meaningful mechanisms for assuring privacy and
protecting the robust rights established by the Constitution.
VII. Solutions exist
Reasonable and workable solutions exist for grappling with the
problems of excessive data collection. While the technology is new, the
problem is not. As the preceding case law demonstrates, as a society we
have always been concerned about problems like judging or attacking
individuals based on their reading or viewing habits. That is why 48
states protect public library reading records by statute.\51\ Congress
has also recognized the privacy interests of users of expressive
material and created strong protections in several other contexts. The
Video Privacy Protection Act prohibits disclosure of video rental
records without a warrant or court order.\52\ The Cable Communications
Policy Act similarly prohibits disclosure of cable records absent a
court order.\53\
---------------------------------------------------------------------------
\51\ See, e.g., N.Y. C.P.L.R. � 4509; Cal. Gov. Code �� 6267,
6254(j). The two states that do not have library confidentiality laws
are Hawaii and Kentucky. However, the Attorney Generals' Offices in
each state have issued opinions in support of reader privacy. Haw. OIP
Opinion Letter No. 90-30 (1990) (disclosure of library circulation
records ``would result in a clear unwarranted invasion of personal
privacy''); Ky. OAG 82-149 (1982) (``all libraries may refuse to
disclose for public inspection their circulation records. . . . [W]e
believe that the privacy rights which are inherent in a democratic
society should constrain all libraries to keep their circulation lists
confidential.'').
\52\ 18 U.S.C. �� 2710(b)(2)(C), 2710(b)(2)(F), 2710(b)(3).
\53\ 47 U.S.C. � 551(h).
---------------------------------------------------------------------------
Moreover, more than 30 years ago the U.S. Department of Health,
Education and Welfare (now the Department of Health and Human
Services), crafted basic privacy principles to protect personal
information.\54\ Called the Fair Information Practice Principles
(FIPPs), they have become the basis for comprehensive privacy laws in
most of the industrialized world as well as sector specific privacy
laws in the United States.\55\ In 2008 the Privacy Office of the
Department of Homeland Security formally adopted them in its analysis
of DHS programs. And in a recent report, the Department of Commerce
recommended that the FIPPs as described by DHS be adopted as the basis
for Internet regulation.\56\
---------------------------------------------------------------------------
\54\ For a brief history on the principles please see Robert
Gellman, Fair Information Practices: A Basic History at http://
bobgellman.com/rg-docs/rg-FIPShistory.pdf.
\55\ Directive 95/46/EC on the protection of individuals with
regard to the processing of personal data and on the free movement of
such data, October 24, 1995; Fair Credit Reporting Act (FCRA), 15
U.S.C. � 1681 et seq.
\56\ Department of Commerce, Commercial Data Privacy and Innovation
in the Internet Economy: A Dynamic Policy Framework, December 2010.
---------------------------------------------------------------------------
The FIPPs stand for eight relatively straightforward ideas:
Transparency: Individuals should have clear notice about the
data collection practices involving them.
Individual Participation: Individuals should have the right
to consent to the use of their information.
Purpose Specification: Data collectors should describe why
they need particular information.
Data Minimization: Information should only be collected if
it's needed.
Use Limitation: Information collected for one purpose
shouldn't be used for another.
Data Quality and Integrity: Information should be accurate.
Security: Information should be kept secure.
Accountability and Auditing: Data collectors should know who
has accessed information and how it is used.
While some adjustments will have to be made to conform to new
technologies, international Internet data collection practices, as well
as the data collection practices of other sectors of the U.S. economy,
are already governed by the FIPPs.\57\ To imply as some have done that
application of these regulations in this case would cause serious harm
to the Internet and e-commerce seems overstated at best.
---------------------------------------------------------------------------
\57\ Id.
---------------------------------------------------------------------------
These protections must be embodied in law, not just in industry
practice. For years government agencies have called on industry to
provide privacy protections for consumers. However, as a recent Federal
Trade Commission report explains, self-regulatory efforts ``have been
too slow, and up to now have failed to provide adequate and meaningful
protection.'' \58\ One example illustrates this fact well. In 1999 and
2000 when behavioral targeting first attracted regulatory attention, an
industry group, the Network Advertising Initiative (NAI), claimed that
self-regulation was a solution and that all NAI members would follow a
common code of conduct.\59\ As regulatory attention faded, so did
participation in the NAI. By 2003 it had only two members. There is no
reason to believe that things would be different now.
---------------------------------------------------------------------------
\58\ Federal Trade Commission (Bureau of Consumer Protection), A
Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era
of Rapid Change: A Proposed Framework for Businesses and Policymakers,
December 1, 2010.
\59\ World Privacy Forum, Network Advertising Initiative: Failing
at Consumer Protection and at Self-Regulation, Fall 2007 at: http://
www.worldprivacyforum.org/pdf/WPF_NAI_
report_Nov2_2007fs.pdf.
---------------------------------------------------------------------------
It is important to note that technology is already moving to help.
Browser manufacturers are creating technical mechanisms so that web
surfers can indicate their preference not to be tracked.\60\ If given
the force of law through the passage of a ``Do Not Track'' law, those
mechanisms set a solid foundation for beginning to protect personal
information online.
---------------------------------------------------------------------------
\60\ Julia Angwin, ``Web Tool on Firefox to Deter Tracking,'' Wall
Street Journal, January 24, 2011.
---------------------------------------------------------------------------
VIII. Conclusion
The current online data collection practices create detailed
profiles on each of us. These practices are neither benign nor
anonymous. They harm consumers and directly impact their fundamental
rights. They are also unpopular--even when explicitly tied to the
provision of free services. Good solutions exist and have been adopted
in other countries and other parts of the U.S. economy. The Committee
should look to these solutions like the ``Do Not Track'' mechanism and
adopt legally enforceable rules to protect consumers and end this
profiling.
Senator Kerry. Well that's a pretty far reach.
[Laughter.]
Senator Kerry. I mean it's a big concept. So I'm not
suggesting you're reaching. It's just it's a big statement
obviously about a potential downside.
It's just you, us and that's it. That's all that's left.
I'm sorry.
[Laughter.]
Senator Kerry. But I want to probe a few things then we'll
get you all out of here before too, too long, if I can.
So Mr. Calabrese, you've sort of drawn this potential
danger picture, which is appropriate, in front of us. What's
the appropriate response to that in your judgment?
Mr. Calabrese. Well I mean we've heard a lot of great
responses. I mean, I think we can begin with the Do Not Track
mechanism which again, if backed by law gives people the
opportunity to sort of opt-out of this state. It's not enough
on its own.
Senator Kerry, the principles that you described, the
ability to give consumers control over their information is
vital to this as well. I think Do Not Track is a part of that.
But it's also about sharing information collected by a first
party. Just because I want a company to collect my information
doesn't mean I want them to use it for everything. I may want
to limit that. And that's----
Senator Kerry. Is there a balance here in your judgment
between the obviously very important interest that you're
highlighting and also the commercial, economic interest that we
all have in maintaining the viability needed to save a growing
enterprise?
Mr. Calabrese. Oh, there absolutely is a balance. But we
need to set--I'm sorry.
Senator Kerry. No, go ahead.
Mr. Calabrese. There is a balance. My fear, candidly, is
that right now there's no legal protection. And there's a great
deal of incentive.
I mean Americans are some of the greatest businessmen and
businesswomen in the world. If you give them an economic
incentive and say there's an economic incentive to track people
online. They will do a really good job of it.
So I think we need to put controls in place to make sure
that the consumer is part of that process.
Senator Kerry. And how far do those controls have to go if
the consumer has knowledge? I mean one of the problems is we've
learned--I don't know if I have statistics here or not. I don't
think I do.
But we have found historically that, you know, people
consistently say well this is something I'm really super, super
concerned about but then they tend to engage in practices on
the Internet itself that sort of belie that a little bit.
Mr. Calabrese. Sure. Well, I think part of that is they
really haven't had meaningful choice up to this point. It's
been sort of a take it or leave it approach. And so it's hard
to expect people to invest time and energy in something----
Senator Kerry. I think that a lot of folks at the table
would disagree that they don't have meaningful choice.
Mr. Calabrese. Sure. I think they would. By all--but I mean
the fact that I can't point to a law that says I control my
personal information makes, you know, makes me--makes it hard
for me to tell a consumer that they in fact, do have that
control. I mean, a company's promises are important but not
enough.
Senator Kerry. Who else? Anybody want to speak to that,
sort of the balance?
Mr. Andersen. I'm happy to speak to it for a moment.
Senator Kerry. Go ahead, Mr. Andersen.
Mr. Andersen. Microsoft is obviously involved in online
advertising. We also provide tools to consumers to help them
protect themselves from activities that they may view as
tracking and also spam and things like that as well. So we're
sort of in a somewhat unique position of having to make sure
that we're looking at both sides of the equation.
In the testimony that I submitted we did provide some
statistics about the incredible growth of online advertising,
and pointed out that it really is fueling a lot of the content
available on the Internet today. I do think that it is
important to make sure that that is kept in mind as one thinks
about legislation.
At the same time consumer trust is incredibly important to
our company. We know that users want to be in control of the
data that is collected about them and how that data is used as
well. And so we're endeavoring to make sure that they have the
tools available to them to make sure that they are in control.
Senator Kerry. What does that mean, tools available to
them?
Mr. Andersen. What I mean by that? I'll give you an example
from Internet Explorer browser. So we have this feature called
Tracking Protection that we've introduced this week with
Internet Explorer. It's available on the product. From the
menu, you can select a feature called ``tracking protection.''
And what that will----
Senator Kerry. Select that when you download it or do you
select that every time it comes up? Is there an icon on your--
--
Mr. Andersen. That's a good question. When you have
installed the product there are menu items that are available
to you to choose from.
Senator Kerry. Is that in the initial installation because
I know sometimes when you download something you get a whole
menu of initial installation, you know, some signs that shows
up more than it does than other times. It can be more bold
faced than other times. You can miss them sometimes.
I mean, how does it show up?
Mr. Andersen. That's correct. It would not be part of your
installation process. You wouldn't be asked to choose among
different settings at the beginning of your installation
process.
What you would do is after you've installed the product you
would choose from the menu of different controls that you have
to place.
Senator Kerry. Do you have to choose to go to the menu or
does the menu show up automatically?
Mr. Andersen. You'd have to choose the menu.
Senator Kerry. So you'd have to go to the menu.
Mr. Andersen. Yes, you would.
Senator Kerry. It wouldn't be like a privacy warning, the
original warnings where you have to sign up and say, I agree in
order to proceed forward. There wouldn't be a stop, you can't
proceed forward until you've answered it.
Mr. Andersen. That's correct.
Senator Kerry. So a lot of people say, well, that's not
really an in your face choice.
Mr. Andersen. We understand that perspective, obviously. I
think----
Senator Kerry. I mean I'm sure that when you really want to
get somebody's attention you guys know how to do it.
[Laughter.]
Mr. Andersen. We've been pretty successful at doing that,
yes.
Senator Kerry. So, does this rise to that level or does it
not?
Mr. Andersen. Well, it's a good question. I think that what
we found is that, you know, people want to experience the full
Internet when they use a browser product. And they want to
receive the personalization that they're able to get by using
the full Internet. At the same time there's many people who
want to have a choice and want to have tools available to them
that are easy to access to the product to be able to----
Senator Kerry. No one is denying the choice. It's just a
question of how boldly it's there. I mean, you know, as you
said, you know how to get people's attention. Everybody does in
the business. And things keep popping up and popping up and
you've got to figure out how the hell to get them away
sometimes.
And then there are things that don't pop up. And you can't
find or they're harder to find. I think that's really at the
center of this to some degree. There's got to be some sense of,
you know, fair play and transparency and accountability in
that.
Mr. Andersen. Absolutely. It's absolutely a big part of the
discussion is that at what point along the user experience
should you be affirmatively giving users a choice to make a
decision.
Senator Kerry. Let me ask a blunt question. And maybe Mr.
Montgomery this is in your area and someone else at the table
perhaps into it, I'm not sure. In fact before I ask that
question let me come back to Intuit, if I can.
Intuit, you were commenting, Ms. Lawler, about the four
principles that you apply. And they're admirable. They're
terrific. And you talk about income tax, health, vendor links,
all these things that you manage.
But isn't that a very different kind of relationship and
business than some other businesses. Which therefore makes it
easier for you to frame this kind of a wow, we're able, you
know, we're going to protect you because in fact your whole
thing is the protection of the relationship with the customer.
A lot of other people may not have that kind of a stake, you
know.
People can come and go as long as the traffic is sufficient
if they're able to track enough of what they're doing. There
may be, as Senator Isakson said, a sort of a commodity value to
the information they have that's sufficient to encourage them.
There may be better economics on that side of the ledger than
on the other which encourages them therefore to chase that
information rather than to be as protective as you are.
Does that make sense the distinction I'm drawing?
Ms. Lawler. Yes, Senator, it does. Our customers' trust is
really critical to us. And you talked about the nature of the
sensitive information that we have and the relationship that we
have with our customers is that they're using our services and
products to manage their personal life, their personal
finances, to manage their businesses online.
So we have actually gone directly to our customers and
asked them what's important to them. And understanding that
while there is that sensitive information there are other
aspects of their interaction with us that might not be, if it
was another company treated in the same, more sophisticated
way----
Senator Kerry. So might you agree therefore that if you go
to a retail outlet of some kind, perhaps, they have a different
interest? And are there different stakes as a result? Would
there be a different value level of protection as a result of
the difference in the activity?
Ms. Lawler. I think this is why we are talking about a
principles-based approach based on industry sector type of data
use. So clearly is data more sensitive in a retail environment?
Maybe somewhat less so, but one of the things that was very
clear from our customers is that in all contexts whether it is
more shopping related data or whether it's related to their
personal finances is that, while they may not read privacy
policies, they really care about how their data is used. They
want to understand that through clear, open, transparent
explanations. And actually the more clear and open you are
about that, the less they want to be fed with choices on a
constant basis. What actually mattered to them was something
that was very contextual and relevant that related to their
experience.
So when we think about that and think about our principles-
based approach we would look at something that was flexible
that worked with our environment but also could be adapted to
different industries, businesses and sectors of all sizes.
Senator Kerry. Well I appreciate--I certainly have enormous
respect for the concept, the data stewardship concept, that
you've articulated. I think that putting that kind of statement
out front it's the customers, not ours, is a high standard. And
we have to sort of figure out, you know, where that applies.
Mr. Montgomery, you may have a different feeling about that
a little bit.
Mr. Montgomery. Not a different feeling at all, sir. I
think--I think an important question that you asked a little
earlier which was about very clear notice that information has
been collected so nothing that is hidden under, you know, under
a menu. And I think that the self regulation program of which
Microsoft, by the way, is an important part, has an icon on
every single advertisement that collects information.
So the billions of advertisements that go out every week
that collect information will have an icon on them which will
allow consumers to click on the icon. It will tell them exactly
who is collecting information about them.
Senator Kerry. Is that the icon?
Mr. Montgomery. That's the icon in a somewhat expanded
version.
Senator Kerry. What's the chart underneath it?
Mr. Montgomery. That's an example of an ad that's actually
running at the moment. And if you see in the top right hand
corner. That's a pervasive ad choices icon that consumers would
click on.
Once they click on the icon they'll be told a little about
behavioral advertising, who is collecting information. And with
one click be able to opt-out. So it's----
Senator Kerry. Does Verizon get a piece of the action
today?
[Laughter.]
Mr. Montgomery. No, they do not, sir.
Senator Kerry. OK.
Mr. Montgomery. So I think it's an important point that you
raise that it needs to be out there. And we think this is going
to become like the recycling logo. It's going to build consumer
trust and at the end----
Senator Kerry. How does that find its way to there now? Is
that a one to one relationship with Verizon or how does it
work?
Mr. Montgomery. So we're busy rolling out the program to
our client base. I think that there are more than 100 major
clients that already subscribe. And clients just simply have to
give us permission to go ahead. And most of our clients agree
with it.
Then there's an underpinning technology that we employ that
allows us to figure out exactly who is tracking so that we can
apply a compliance mechanism to the process. So if an
advertiser doesn't comply we contact them. Then we call them
out publicly. And ultimately, you know, that information is
made public and that----
Senator Kerry. Does that presume our, kind of, consumer
awareness about that or would there be some sort of a campaign
that makes people aware? How would you get the word out, so to
speak?
Mr. Montgomery. Yes. No, it's a great question. In my
testimony earlier I talked about a campaign that we've
developed with the Internet Advertising Bureau called ``Privacy
Matters.'' And that is already enjoyed over 600 million
impressions against consumers.
And we're going to extend that campaign so we can teach
consumers about what information is collected, the importance
of behavioral advertising and also the importance of having
access to free content on the Internet which is fueled by
advertising.
Senator Kerry. So do you still accept the notion that--
incidentally, I think it's a terrific step forward and I
congratulate you for it--but do you still believe that you need
a baseline law where there's a safe harbor from preemptive
prescriptive regulation?
Mr. Montgomery. Sir, what we feel is very, very important
in this process is that self regulation is given an opportunity
to work in this process. And if it needs to work with a
baseline law we will be very happy to cooperate with you in any
way to refine and ensure compliance around that as long as the
self regulation can operate within it.
Senator Kerry. But suppose, I mean, if the FTC were to
certify that program or similar program like that and it's
compliant with the fair treatment of people's information given
the way the net works and the modern technology that's
available and the low cost of collection and so forth, couldn't
collectors of information outside of your program wind up doing
a lot of damage broadly in ways that would be inconsistent with
what you've said consumers ought to have?
Mr. Montgomery. Just to clarify, you mean, data trackers--
--
Senator Kerry. Yes.
Mr. Montgomery. Who are outside the program?
Senator Kerry. Precisely.
Mr. Montgomery. I think that there are bad actors out
there. And one of the--and we would absolutely support any way
that we could uncover those bad actors and who are doing
anything to harm consumers.
Senator Kerry. Well, since our approach is principles-
based, basically, doesn't that give you the latitude within
which to be able to move?
Mr. Montgomery. I think what's important is right now we
have over 5,000 companies subscribing to the self regulatory
process. And in that way we've got 5,000 policemen out there
watching for the bad actors. And we, in fact, interestingly
last week we discovered some fraudulent practice on the
Internet and handed it over to the FBI for further
investigation.
We hear this all the time amongst our, you know, our member
base where, you know, they're looking out for that all the
time. So in summary, we absolutely would work with you in any
way we could to ensure consumer privacy and continued
innovation.
Senator Kerry. Mr. Andersen, we've shared with you, with
the company, you, the drafts, current drafts, as with several
of you. And I wonder if you might just share with us your sense
of sort of where we are in that process now, the direction.
Mr. Andersen. From our perspective the process is going
very well. We absolutely appreciate the opportunity to be
involved in the process. We see the drafting process going in
the direction we had hoped for which is to establish baseline
principles in the law that we think are reasonable and we think
that industry can and should be able to sign up for it. So
we're very encouraged by it.
Senator Kerry. Appreciate that.
Ms. Lawler, what about you?
Ms. Lawler. We also, excuse me, we also like the direction
that the proposal is going. We are generally supportive. We
like the principles-based approach. We like the consideration
around codes of conduct and safe harbor.
We look forward to working with you on refining the
proposal as it moves along.
Senator Kerry. Do you have a major--is there a major hurdle
in your judgment?
Ms. Lawler. I would say that there aren't any major
hurdles. I think where we would like to work with you would be
on the level of prescriptiveness of certain areas around notice
and contacting.
Senator Kerry. OK. Well we look forward, obviously, to
working that through with you. And all of, you know, certainly.
Ms. Lawler. Yes.
Senator Kerry. Certainly.
Ms. Lawler. There's very much that we do like in the bill,
in the proposal.
Senator Kerry. Good.
Ms. Lawler. So we think there's a lot there to work with.
Senator Kerry. Good.
Ms. Lawler. And in particular, you know, we've talked a lot
today about concern about bad actors. And you have companies
represented in this room that are high achievers, you know, set
very high standards. And I think what a principle based
approach that is outlined in the proposal currently will also
help us is really aim at the large mass of businesses,
organizations in the middle, that may not have the same level
of resources or expertise in privacy issues that you see at
this table.
And so, principles-based approach, using safe harbors as
described in the proposal, I think is a real positive mechanism
to bring the large masses into a higher level of privacy
protection.
Senator Kerry. Well, we'll work with you on that. I've just
been noticed that they need me back in the office. So I've got
to run and do that in a moment.
I think Colonel Khadafi doesn't believe in privacy or
something so I've got to go deal with it.
[Laughter.]
Senator Kerry. Quick question if I can, Mr. Soltani. I want
to get--you've talked thoughtfully about the first party entity
and the website that you are directly interacting with and the
third party is some entity that the first party allows to
interact with you and so forth. It makes sense, very logical
and we get it.
But we've been struggling a little bit with the cases where
you have a first party such as Facebook. And then Facebook
tracks behavior in another site, et cetera. And given that the
consumer had a first party relationship with Facebook as long
as notice is provided and choices provided for Facebook to
acquire the information is that a point somewhere in between
the first and third party? How do we--we've been struggling
with this a little bit.
Mr. Soltani. It's a great question. I believe in that
context Facebook is a first party and a third party. In the
context when you go and enter Facebook.com into your URL bar of
your browser, that's a first party interaction.
However, in the context where you are on say, the
Washington Post and there are Facebook widgets, buttons,
objects on the page, I believe that constitutes a third-party
widget. The loading of a third-party widget that then results
in passive data collection I still believe would fall under
third-party data collection.
It's a little nuanced since users can also interact with
that widget. And in the case where users knowingly interact
with a widget perhaps we can frame it as a first party
interaction.
Senator Kerry. So where would the notice have to be? Would
the notice have to be the first time when you first sign up?
This can happen? Or does the notice have to occur each time,
each face page? How does it work?
Mr. Soltani. Since often these things are tied to
identifiers I believe perhaps upon the setting of the
identifier in the first party context the notice could happen.
So, your ``cookie'' could then be later used to tie that
activity to the third-party context.
We also want to be careful here around forced third party
interactions, i.e., when you go to a website and a video starts
playing or an ad pops up that you're forced to dismiss, since
you can actually compel users to require them to interact in a
third party context.
I think we still want to frame it around meaningful
interactions with third party objects that consumers are aware
of, and we might consider that okay. All other passive data
collection we would consider third party data collection.
Senator Kerry. OK. We've got to work that through
obviously. And see how we can come out of it. But there's
obviously some, you know, some of this is, you know, does get
into that nuance.
Mr. Soltani. Absolutely.
Senator Kerry. Whatever you want to call it, area. It gets
tricky. I think the principle that we want to have guide us is
also to do no harm even as we are protecting people. And I
think, you know, we're going to try to balance that very, very
carefully here.
So we will continue a thoughtful process here of engagement
with all of you to try. And Danny Sepulveda has been doing a
superb job, I think, of reaching out and sitting with
everybody.
I also want to thank as a slight nepotism here going on.
But my brother over at the Commerce Department, as General
Counsel has been involved in this without my instruction or
engagement at all. They've done this on their own. But I thank
them for their input which has been helpful in this process,
enormously helpful.
And obviously we need to work with the Administration in
order to figure out where we're going here.
I hope we can get a product where everybody is standing up
and saying this is good. This is something we can live with. We
can work with. And the consumer is really given a set of
choices and opportunities here that they don't have today to
make an intelligent guided selection as to where they're
heading and what's happening to their information.
And I think we can come out of there without upsetting the
obvious commercial interests that we all want to encourage and
that are important to us. So on that note we'll adjourn here
today. And look forward to trying to get this thing into shape
where we can get it introduced.
I'm working, as you know, with Senator McCain, very
closely. And he's got some interest in this as we go. But I
hope that we'll get to a point where we can introduce this in
short order.
I think we need to do it. I think we need to do it soon. I
think everybody will benefit by doing this. And I look forward
to getting this accomplished. So thank you all very, very much
for being here today.
We stand adjourned.
[Whereupon, at 12:09 p.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of Hon. Mark Begich,
U.S. Senator from Alaska
Thank you to Chairman Rockefeller and Senators Kerry and Pryor for
their work on this vital issue for Americans. Alaskans value their
privacy so much there is a right to privacy spelled out in the Alaska
State Constitution. We don't want the government or private businesses
invading our privacy.
Online privacy is one of the most important issues facing consumers
today. I frequently hear from constituents regarding the privacy
practices of companies or the impact of the Internet on their lives.
The Unites States Constitution clearly protects Americans from
unreasonable searches of their private information without a compelling
reason, and there's no reason to believe Americans are any more apt to
tolerate someone pulling private information for financial benefit
through their actions on the Internet.
I am particularly concerned about the pervasive nature of tracking
on children's websites. I have an 8-year-old son who regularly uses the
Internet and is extremely proficient on computers. My wife and I
regularly monitor his Internet usage, but I cannot find out what
companies target him, who has access to that information and to which
third parties this information is sold. Additionally, what protections
are in place to ensure he is not unknowingly downloading inappropriate
or dangerous software? What sort of ``e-dossier'' is already being
created by my son's Internet usage? Unfortunately, I believe there are
few if any protections in place for this most vulnerable population.
We must find a solution that will protect people's online
experience while enabling the Internet to continue to grow and thrive.
We cannot accept the ``wild west'' status quo any longer. I look
forward to working toward a solution in the 112th Congress.
______
Response to Written Questions Submitted by Hon. Mark Pryor to
Hon. Jon D. Leibowitz
General Privacy Questions
Question 1. Based on the FTC's December staff report, could you
please highlight for the Committee where you see the most harm posed to
consumers due to a need for better online privacy protections? Where do
you think are the greatest risks to consumer privacy?
Answer. The Commission staff continues to be concerned about harms
that can result from unauthorized disclosure of consumers' information,
including financial harm such as identity theft; physical harm such as
stalking; unwarranted intrusions into consumers' time, such as unwanted
telemarketing calls and spam; and harms that result from the denial of
employment, insurance, and other goods and services.
In addition, consumers suffer harm simply from having their
information used without their informed consent. Consumers that provide
information believing it is private will lose trust in a company if the
company makes that information public without the consumer's consent.
Consumers believing they are simply searching for information about a
health condition online will lose trust in a company that sells
information about them without their knowledge. More broadly, consumer
trust in online services generally is damaged if companies collect and
use data in ways that consumers do not expect. The loss of consumer
trust in online services would harm both consumers and business by
chilling consumers' willingness to participate in online activities and
electronic commerce.
The preliminary staff report asked for comment on several
recommendations to address these harms. For example, to address the
problem of data falling into the wrong hands--such as identity thieves
and stalkers, the report recommends that companies not collect
unnecessary data, maintain better data security for the data they
maintain, and dispose of the data when they no longer have a legitimate
business need for it. To avoid collection and use of consumers' data
without their informed consent, the report makes recommendations on how
companies can improve transparency and obtain more informed choices.
Question 2. How can consumers be better educated about privacy
risks and steps they can take to protect themselves? Do consumers have
the tools necessary to adequately protect themselves in today's world?
Answer. The Commission runs educational campaigns to teach
consumers how to protect their valuable personal information and make
thoughtful decisions about when it is shared and used. For example, the
Commission manages the interagency OnGuardOnline.gov campaign, which
helps computers users avoid fraud, protect their privacy and stay safe
online. The OnGuardOnline.gov site has information to help parents talk
to their kids about the value of their personal information and how to
make responsible choices about where and how to share it. The
Commission's identity theft information for consumers (FTC.gov/idtheft)
also provides tips and advice about how to protect sensitive
information online and off. A wide variety of consumer educational
materials, including many in Spanish, help consumers deter, detect, and
defend against identity theft. For example, the FTC publishes a victim
recovery guide--Take Charge: Fighting Back Against Identity Theft--that
explains the immediate steps identity theft victims should take to
address the crime.
However, the Staff Report noted that companies' privacy practices--
including the collection, use, and transfer of consumer information--
are often not transparent to consumers; therefore collection or use of
consumer information may occur without their knowledge or consent. In
such situations, consumer education is not adequate to protect consumer
privacy, which is why the Preliminary Staff Privacy Report highlights
the need for some of the burden surrounding privacy protection to shift
from the consumer to businesses. Thus, the Report asked whether
industry can do more to help consumers better understand how their
information is collected and used. As outlined in the Report, industry
could incorporate privacy protections such as data security, sound
retention practices, and data accuracy into products and services;
offer simplified consumer choice; and inject greater transparency about
data collection and use into business practices.
Question 3. What do you think FTC oversight would provide that
self-regulation by the industry could not?
Answer. As an initial matter, the staff report does not take a
position on whether its recommendations should be implemented through
legislation or self-regulation. It is intended to provide guidance to
industry, Congress, and policymakers as they develop rules of the road
in this area.
That said, whether or not legislation gets enacted, self-regulation
will always play an important role in protecting consumer privacy. The
Commission staff has supported self-regulation in the past and
continues to believe that self-regulation can be an effective tool, as
long as it is comprehensive, robust, effective and enforceable. And
under Section 5 of the Federal Trade Commission Act, the Commission can
take enforcement action against companies that break their promises to
abide by self-regulatory codes of conduct. This is an important
component of ensuring accountability for self-regulatory programs.
Question 4. What steps should the industry take to assist citizens
with knowing what their digital life is like?
Answer. The Preliminary Staff Privacy Report contained a number of
recommendations for industry to help people understand how their
personal information is collected and used. In particular, the Report
recommended simplifying choices for consumers and increasing
transparency.
Recognizing that the current model of lengthy privacy policies was
ineffective in informing consumers about information practices, the
Staff Report recommended that businesses simplify choices provided to
consumers. For example, the staff report indicated that companies do
not need to provide choice before collecting and using consumers' data
for commonly accepted practices, such as product fulfillment. For
practices requiring choice, companies should offer the choice at a time
and in a context in which the consumer is making a decision about his
or her data. This will allow the consumer to focus on the choices that
matter and make more informed decisions.
The Staff Report also recommended that companies increase the
transparency of their data practices, by, for example, making privacy
notices clearer, shorter, and more standardized, to enable better
comprehension and comparison of privacy practices. The Report also
recommended that companies consider providing reasonable access to the
consumer data they maintain, proportionate to the sensitivity of the
data and the nature of its use.
______
Response to Written Questions Submitted by Hon. Kay Bailey Hutchison to
Hon. Jon D. Liebowitz
Question 1. Chairman Leibowitz, in his concurring statement to the
FTC report, Commissioner Kovacic expresses the concern that a Do Not
Track mechanism on the Internet could inherently reduce the quality of
content provided, by lowering the revenue currently derived from
advertising and possibly even forcing some online content providers to
deny free access to those who opt out of tracking.
Has the Commission examined what the ramifications of do not
track could be on the quality of content provided online,
particularly of content that is currently provided for free?
Will you commit to ensuring that this type of analysis will
be part of the Commission's analysis before the final report
comes out?
Answer. The Commission recognizes the need for an appropriate
balance between consumer choice about online tracking and ensuring
continued innovation in this area. As the Preliminary Staff Privacy
Report noted, online advertising helps to support much of the content
available to consumers on the Internet. Although the Commission is
continuing to evaluate the comments received on its staff report,
evidence suggests a Do Not Track mechanism for exercising choice about
behavioral advertising would have minimal impact on the free content
available on the Internet and on innovation. First, the Preliminary
Staff Privacy Report noted that certain advertising, such as first
party marketing and contextual advertising, would not be affected by a
Do Not Track mechanism. Thus, this type of advertising would continue
to serve as a source of revenue for content providers.
Second, recent research from an organization working with the
advertising industry suggests that if companies provide adequate
transparency and consumer choice, consumers will choose not to opt out
in great numbers, because they have a greater degree of trust in
companies' stewardship of their information. See Evidon (formerly
Better Advertising), Research: consumers feel better about brands that
give them transparency and control over ads, http://blog.evidon.com/
2010/11/10/research-consumers-feel-better-about-brands-that-give-them-
transparency-and-control-over-ads/ (Nov. 10, 2010).
Finally, key industry stakeholders have responded very positively
to the request for development of a simple, easy to use Do Not Track
system. Leading browser companies have offered changes to their
browsers to implement Do Not Track. Mozilla, for example, has
implemented a Do Not Track header for use by consumers when they browse
the web, and Microsoft has rolled out a Tracking Protection List
feature that allows consumers to block the collection of information by
specified third parties. Apple has announced a do not track tool in a
test version of its browser. The advertising industry itself also
appears to recognize the value of offering simplified choice to
consumers and has ramped up its effort to provide clearer disclosures
and choice mechanisms after release of our preliminary staff report.
Indeed, most recently, several of the leading advertising industry
trade associations have agreed to work closely with Mozilla to
determine how to incorporate Mozilla's Do Not Track feature into its
industry self-regulatory effort. I believe these efforts demonstrate
that improved consumer choice can be consistent with innovation.
As these developments take place, the Commission is continuing to
analyze the comments received on the Preliminary Staff Privacy Report,
including those regarding the potential effects of a Do Not Track
mechanism on innovation and the availability of free Internet content.
The Commission also will continue to evaluate information about the
costs and benefits of any such mechanism.
Question 2. The Commission's report calls for a ``privacy by
design'' model that includes the recommendation for companies to only
collect information needed for a specific business purpose. Some
comments submitted on the report expressed concern that implementing
such a restriction could become so specific that it limits innovation
on new and potentially beneficial uses of data. How do you envision
such a restriction being implemented in a way that will allow for the
continued innovation of new products and services necessary to keep
American companies as leaders in the global online world?
Answer. The goal of privacy by design is to guide and motivate
businesses to develop best practices for incorporating privacy into
their products and services during the early stages of their
development. Best practices that ensure that privacy solutions are
compatible with business needs should not restrict innovation and will
likely be more flexible than government rules. To be clear, the
principle of privacy by design contemplates that businesses can and
should collect information for their legitimate business purposes;
however, as discussed in the Preliminary Staff Privacy Report, the
concept of privacy by design also means the amount of data collected
and duration for which such data is retained should be limited by those
legitimate business needs. This reflects concerns that collected data
may be retained by companies indefinitely, increasing the risk that the
data may be compromised through a security vulnerability or put to use
in ways that consumers never would have expected and to which they
would object. Staff's recommendation that companies implement a privacy
by design approach is designed to encourage businesses simply to think
through the privacy and security risks associated with collecting more
information than is currently needed from consumers and retaining it
for longer than necessary. The Commission has recognized these concerns
in its enforcement program. For example, we have brought data security
cases against companies that kept shoppers' credit card information,
long after they had a business need to do so. See e.g., In the Matter
of BJ's Wholesale Club, Inc., Docket No. C-4148 (Sept. 23, 2005) (final
consent order). In these cases, the credit card information was
obtained by hackers. Had the companies taken more care in disposing of
information they no longer needed, consumer harm could have been
avoided. Similarly, last year Google collected personal information
through its Street View cars--the company claims to have inadvertently
collected that information without any intention of using it. Under the
Privacy by Design approach recommended in our staff report, Google
would have tested its systems to ensure that it did not collect data it
did not need.
As these examples demonstrate, companies should assess privacy and
security risks as part of the innovation process and work to address
them appropriately. For example, although they may determine that
continued collection of personal data is necessary, they could try to
anonymize such data to reduce privacy and security risks.
We have received many comments on the concept of collecting and
retaining data for a ``specific business purpose,'' which we plan to
address in the final report in a way that furthers consumer privacy
interests without impeding innovation.
Question 3. Chairman Leibowitz, FTC Commissioner Rosch has
expressed ``serious reservations'' about the new privacy proposal
advanced in the FTC's staff report. He claims that the current ``harm''
model of FTC enforcement has served the Commission well. If the FTC is
correctly enforcing its statutory responsibilities to ensure disclosure
of ``material'' privacy policies and to hold companies accountable for
those policies, consumers already have information to make informed
decisions about their online privacy.
If that's the case, why is it necessary to adopt a new,
broader regulatory framework for online privacy?
If privacy policies are too opaque for consumers to
understand and if the FTC is concerned that consumers may be
misled, why wouldn't rigorous enforcement of the FTC's Section
5 deceptive trade practices authority improve the clarity of
privacy policies by companies seeking to avoid enforcement
actions?
Answer. First, I note that the report does not propose a new
regulatory framework--it simply provides a framework for industry best
practices and potentially, for legislation, if Congress chooses to
enact it.
Second, I agree with you that robust enforcement of Section 5 is
critical. We have recently brought cases against companies like Google,
Twitter, and Chitika, an online advertising network, alleging that
their practices were deceptive. We have additional cases in the
pipeline.
Third, Section 5 does not generally require companies to disclose
their information practices. If they choose to make statements about
privacy, and those statements are deceptive, the Commission may take
action under Section 5. However, not every long or opaque disclosure
will be deceptive under Commission precedent. Regardless of the
threshold for Commission law enforcement actions, we believe that
stakeholders should work together to improve transparency. Indeed, many
companies recognize that providing clear disclosures to their consumers
about their information practices helps them maintain a positive
relationship with their customers. Companies have an interest in
promoting that relationship regardless of the prospect of enforcement
action by the FTC. The Preliminary Staff Privacy Report provides
businesses with proposals for ways to simplify and improve disclosures,
and we think those steps would work well in this area while we continue
to take action against plainly deceptive practices.
______
Response to Written Questions Submitted by Hon. Mark Pryor to
Lawrence E. Strickling
Question 1. From your perspective, what were the two most important
privacy issues you'd like to highlight in the Department's Commerce
privacy green paper?
Answer. The Green Paper examines how the United States can
strengthen its consumer data privacy framework while ensuring that this
framework continues to encourage innovation in the digital economy.
Instead of identifying specific consumer data privacy issues that
companies and policymakers should address, the Green Paper focuses on
recommendations that would help to create a policy framework that
better addresses increasingly intensive uses of personal data in the
digital economy. Two main issues emerged from this analysis.
First, consumers and businesses would benefit from the adoption of
baseline, comprehensive Fair Information Practice Principles (FIPPs) in
the commercial context. Much of the personal data traversing the
Internet falls into the gaps between existing Federal privacy statutes.
There is also evidence that consumers who use the Internet
misunderstand the legal rules that apply to personal information
collection and use in the commercial context. These gaps in legal
protection for personal data leave consumers insecure and uneasy about
how data about their activities and transactions are collected, stored,
and used. Widely adopted, comprehensive FIPPs would help to fill these
gaps and thereby increase consumer trust in the Internet.
Businesses would also benefit from comprehensive baseline FIPPs.
Businesses generally recognize that their sustainability depends on
maintaining consumer trust but find that the rules of the road are hard
to discern. Applying a set of general principles to commercial
activities that are not covered by an existing Federal data privacy
statute would provide businesses with guidance as to what consumers and
enforcement agencies expect of them.
Second, fostering innovation within a consumer data privacy policy
framework requires a flexible approach to implementing privacy
protections. The Green Paper proposes a framework in which the
Department of Commerce would convene multi-stakeholder groups--composed
of representatives from industry, civil society, academia, and other
government agencies--to define codes of conduct that are enforceable by
the Federal Trade Commission under its current authority or through any
additional authority granted through baseline consumer privacy
legislation. These codes would provide guidance about how to apply
FIPPs in specific contexts. The multi-stakeholder process envisioned in
the Green Paper would help to ensure that these codes set forth
practices that reflect evolving consumer expectations.
Question 2. What role does consumer trust play in the way users
exchange information, goods and services over the Internet?
Answer. Protecting consumer trust in the Internet is a top policy
imperative of NTIA and the Department of Commerce. Consumer trust is
essential to nurturing the Internet's growth, and protecting privacy is
an important part of maintaining consumer trust. When consumers entrust
personal information to a company that does business on the Internet,
they expect that the company will handle it in ways that are consistent
with this relationship. If companies use information in ways that are
contrary to consumers' expectations, then consumers may be reluctant to
adopt new Internet services and applications. Finally, consumer trust
depends on more than privacy. Issues of security, safety, and
reliability also come into play. Whether making purchases online,
communicating with family members, or conducting business, consumers
must know that they have control over their personal information. As
innovative new applications and services are developed, it is important
that consumers know that their information is safe and that providers
have clear rules about how to respect individual privacy.
Indeed, the Department, in partnership with other Federal agencies
and the private sector, is leading the implementation of an
Administration effort to improve consumer trust online: The National
Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC
envisions enhancing online privacy and security through services that
provide credentials that improve upon the user name and password
schemes that are common online. The NSTIC proposes using technologies
that would provide individuals the option of obtaining a strong
credential to use in sensitive online transactions. The NSTIC calls for
the participants in this digital identity marketplace to implement
privacy protections that are based on comprehensive FIPPs. Developing
enforceable codes of conduct through multi-stakeholder processes is one
way that the Department can work with the private sector to implement
these protections.
Question 3. What do you envision the Department's role will be with
respect to privacy in the future?
Answer. We propose in the Green Paper an important role for the
Department of Commerce in convening stakeholders to develop enforceable
codes of conduct that implement comprehensive Fair Information Practice
Principles (FIPPs) that the Obama Administration supports as the
foundation of Federal legislation in this area. The Green Paper
outlines a multi-stakeholder process in which the Department would
convene companies, civil society groups, academics, and the FTC and
other government agencies to produce enforceable codes of conduct. An
open development process that includes industry and consumers can help
align these codes and consumer expectations.
Another important role for the Department of Commerce is to work
toward greater interoperability between the U.S. consumer data privacy
framework and those of our allies and trading partners. Companies would
benefit from the potential reduction in multiple compliance burdens,
and U.S. consumers would benefit from more consistent cross-border
consumer data privacy protections. Both objectives are important to the
Department of Commerce, and the Department and the Administration are
committed to working with Congress to develop an appropriate
legislative approach.
______
Response to Written Question Submitted by Hon. Mark Begich to
Lawrence E. Strickling
Question. What steps should the industry take to assist Citizens
with knowing what their digital life is like?
Answer. Enhancing transparency is one important step that companies
can take to help consumers understand the role of personal data
collection and use in the digital economy. As the Department of
Commerce's Green Paper on consumer data privacy explains, enhanced,
effective transparency requires providing consumers with information
that is accessible, clear, salient, and comprehensible. Current
practices surrounding disclosures of privacy practices generally fall
short of this standard; the privacy policies that are the primary
mechanism for explaining what information companies collect and how
they use are often lengthy, dense, and difficult to comprehend.
Providing simpler statements of these practices, and providing them at
times when consumers can act on this information, are ways that
companies can provide consumers with greater insight into, and control
over, their digital lives. Online tools or interfaces that allow
consumers to understand and manage the collection of personal
information can also provide a link between enhanced transparency and
enhanced user control.
The Department of Commerce has also recommended that companies
regard enhanced transparency as part of a more comprehensive approach
to handling personal information. To this end, the Green Paper
encourages the broad adoption of comprehensive Fair Information
Practice Principles (FIPPs).
______
Response to Written Questions Submitted by Hon. Kay Bailey Hutchison to
John Montgomery
Question 1. Mr. Montgomery, you mention at the beginning of your
testimony the importance of behavioral advertising to the Internet. Do
you believe the enactment of baseline privacy principles in the form of
Federal legislation would have an effect on targeted advertising? If
so, what would it be? And, in turn, what impact might that have on the
larger online ecosystem?
Answer. GroupM supports efforts to promote transparency and choice
in the marketplace and believes industry self-regulation is the
appropriate approach for addressing concerns with online advertising
while ensuring the ad-supported web continues to provide consumers
benefit and fuel the Internet economy. A major benefit of self-
regulation is its ability to respond quickly to changes in the
technology, business practices, and consumer preferences. It is this
adaptive nature of self-regulation that makes it so well suited for the
complex Internet ecosystem.
Our business is built on the belief that both consumers and
companies benefit when advertising provides timely and relevant
information to those consumers who are most likely to be interested.
While not deliberate, a law could reduce the relevancy and
effectiveness of advertising. There is already strong evidence that
privacy regulations in the European Union have resulted in an average
65 percent reduction in the effectiveness of online ads.\1\ We have
concerns that a U.S. law could similarly hinder innovation in the
advertising and marketing industry, undermining economic support for
valuable content and services and possibly encouraging higher fees to
consumers. Inhibiting innovation would restrict growth in one of the
healthiest industries in a troubled U.S. economy. These conditions
would discourage venture capital funding for new entries, and in so
doing, stall job growth in the industry.
---------------------------------------------------------------------------
\1\ According to a study conducted by Avi Goldfarb and Catherine E.
Tucker, ``Privacy Regulation and Online Advertising,'' available at
http://papers.ssrn.com/sol3/papers.cfm?abstract
_id=1600259.
Question 2. Mr. Montgomery, there has been a lot of discussion
about whether industry best practices and self-regulatory efforts are
effective. Many believe that market forces will push companies toward
such industry-led efforts and that the FTC has the existing legal
authority to hold companies accountable as good stewards of consumer
information. Which do you believe is best for consumers: having the
Federal Government act as a legal backstop to industry-led self-
regulation or having the government set top-down prescriptive rules on
how to collect and use consumer data? What are some of the advantages
and concerns with each approach?
Answer. Industry-led self-regulation is preferred over top-down,
prescriptive rules imposed by government. GroupM believes self-
regulation is the most effective means for addressing concerns with
online behavioral advertising. Self-regulatory codes are adaptive and
may be quickly modified to address changes in consumer preference and
technology. In addition, this approach helps preserve an environment
that fosters online innovation, ensures advertising continues to help
fuel the Internet economic engine, and supports a vibrant, ad-supported
offering of products and services online that consumers now expect to
receive for free or at a low cost. GroupM believes that the Digital
Advertising Alliance's (``DAA'') Self-Regulatory Principles of Online
Behavioral Advertising (``Principles) are comprehensive yet flexible
enough to respond to the complex and rapidly evolving online
advertising ecosystem. The Principles set-forth consumer-friendly
standards that require participants to provide enhanced transparency
and consumer choice with respect to the collection and use of data for
online behavioral advertising purposes.
The DAA's program has been designed for its participants to self-
police, promote compliance, and, where necessary, report non-compliant
companies to the appropriate government agencies. This private-public
collaboration where the Federal Government acts as a legal backstop
augments the self-regulatory program's credibility and reinforces the
program's accountability measures.
The DAA program is backed by independent enforcement programs
working in concert to monitor and enforce compliance with the
Principles, as well as manage consumer complaint resolution. These
accountability programs are live and being administered by the Council
of Better Business Bureaus (``CBBB'') and the Direct Marketing
Association (``DMA''). The DMA and CBBB Accountability Programs are
empowered under the Principles to provide a public report on entities
that do not come into compliance and to refer such cases to the Federal
Trade Commission (``FTC''). The FTC through its authority under Section
5 of the FTC Act can enforce against entities that fail to honor its
commitment to adhere to the Principles. Through industry self-policing,
more cops are on the beat, which reduces the burden on the FTC.
Question 3. While a large portion of the online industry is
participating in the self-regulatory program, it has not reached 100
percent. What can be done to increase participation? Is it possible to
do get full participation through a self-regulatory program?
Answer. It is very possible to achieve full participation in the
DAA program. The leading marketing and advertising trade associations,
representing more than 5,000 companies, have committed to this self-
regulatory approach because they strongly believe in the program's
purpose. This unprecedented collaborative effort has brought together
representatives of the entire advertising ecosystem to develop and
implement principles for the use and collection of data in this
important area to the economy. Already, over 60 companies are
participating in the DAA's Consumer Choice Page (http://
www.aboutads.info/choices/) and billions of ad impressions have been
delivered with the Advertising Option Icon--the icon appearing in or
near ads or on web pages where data is collected or used for online
behavioral advertising purpose. This icon is used by participants to
provide notice concerning online behavioral advertising practices and
link to a universal choice mechanism.
The launch of the DAA program is resulting in a change in industry
practice. Companies are starting to require their partners to adhere to
the Principles. This is driving participation in the program. In
addition, the trade associations behind this self-regulatory effort and
the Accountability Programs are reaching out to companies to promote
program participation. To help companies with compliance, the DAA has
selected three companies as approved providers to assist companies with
implementing the Principles. These approved providers' services help
companies to provide enhanced notice and choice as required by the
Principles.
______
Response to Written Question Submitted by Hon. Kay Bailey Hutchison to
Erich D. Andersen
Question. While a large portion of the online industry is
participating in the self-regulatory program, it has not reached 100
percent. What can be done to increase participation? Is it possible to
do get full participation through a self-regulatory program?
Answer. The online ad industry, led by the Digital Advertising
Alliance (DAA) and of which Microsoft is a member, is working to
increase participation in the self-regulatory program. Among the
efforts to drive participation is increased outreach to companies to
promote participation and providing assistance to implement the
program. Through these efforts the DAA believes it is possible to
achieve full participation in its program.
______
Response to Written Questions Submitted by Hon. John Ensign to
Erich D. Andersen
Question 1. How would you say the self-regulatory approach is
working in the marketplace to protect consumers thus far?
Answer. While still in the early stages of roll-out, the self-
regulatory approach for online advertising is on a sound path. Over 60
companies, including Microsoft, are already participating in the
Digital Advertising Alliance's (DAA) Consumer Choice Page resulting in
an Advertising Option Icon being delivered on billions of online ad
impressions. The icon not only provides notice to consumers about
online behavioral advertising practices, but also provides a link to a
universal choice mechanism. With the leading marketing and advertising
trade associations backing the self-regulatory approach the expectation
is that more companies will participate in the Consumer Choice Page.
The last few months have shown that industry can act quickly and
effectively. For example, in that short period of time, the three major
browser vendors have announced do not track tools that offer
unprecedented privacy protection. Even the FTC has recognized and
commended the progress industry has made in acting quickly and
effectively to protect consumer privacy.
Question 2. Mr. Andersen, you talked about the importance of
industry self-regulation and best practices. How would your ability to
protect consumers be compromised if we went in the opposite direction?
Answer. Our ability to protect consumers would be compromised by
the adoption of impractical proposals. Legislation becomes
overregulation if it contains preferences for particular services,
solutions, or mechanisms to provide notice, obtain choice, or protect
consumer data, or if it mandates prescriptive rules that may be of
limited effect or that burden businesses without yielding commensurate
privacy benefits. Seeking input from interested stakeholders is one way
to ensure the right balance is struck.
Question 3. Mr. Andersen, your testimony highlighted the need to
promote continued innovation in technology and online services.
Fostering and supporting innovation in the marketplace is a top
priority of mine, and there is no question that innovation is crucial
for creating jobs and economic growth. In your view, what is the best
way to encourage innovation while still protecting consumers' online
privacy?
Answer. There are a number of ways to encourage innovation while
still protecting consumers' online privacy:
Recognition of the role of self-regulation: while
comprehensive privacy legislation may provide a set of baseline
protections, self-regulation can build upon those protections
and adapt them to specific contexts. Consumers have different
privacy expectations depending on whether they are interacting
with online retailers, social media services, search engines,
or online ad networks. Self-regulatory principles can be
tailored to these different contexts. In addition, self-
regulation can address emerging technologies or business
models.
Ensure there are no technology mandates.
Allow for ``operational use'' of data. This means that
companies would be able to use data to provide the service the
user wanted, improve services, protect against fraud, and
generally operate their business.
______
Response to Written Questions Submitted by Hon. Mark Pryor to
Barbara Lawler
General Privacy Questions
Question 1. How does on-line information collection usually work?
Answer. Intuit does not engage in online tracking. However, as a
technology, online information tracking typically works through the use
of ``cookies'' which are random, identifiers that have no significance
on their own. These ``cookies'' may be limited in their duration to a
particular session that a customer is having with a website, or they
may persist for longer periods of time. In typical ``first party'' on-
line information collection, these cookies can help a company
understand several things--the time spent on the site, the pages
visited (and for how long), the navigation, or ``path'' that the
visitor took, etc. This information is frequently used to improve the
performance and usability of a company's website. Information may also
be collected for ``3rd party'' use--where the kinds of information
mentioned above may be shared across several different entities,
typically advertisers, web-site publishers, and companies that help to
match advertisers to publishers.
Question 2. How does behavioral advertising differ from contextual
advertising?
Answer. Behavioral advertising typically refers to the delivery of
advertising messages based on the interests inferred from a person's
on-line behavior, over time. It may include the kinds of searches that
he/she does; the types of websites visited, etc. The combination of
these pieces of information can be used to deduce a person's interests,
in which case advertisements related to those possible interests can be
shown to the individual.
Contextual advertising typically involves a ``single point in
time'' matching of advertising content to someone based on a specific
action that the individual takes. The classic example is the
advertisements, or `sponsored links', which show up in the search
results for a particular search query. For example, if someone were to
search for information on car tires, he/she will likely see
advertisements from tire manufacturers/sellers based specifically on
that search request.
Question 3. What evidence is there that behavioral advertising is
effective?
Answer. There have been some studies done which have shown that
people are more likely to respond to advertising based on their
inferred interests, than more general advertising messages unrelated to
the audience receiving them.
Question 4. What does online information collection mean for our
children's reputations?
Answer. Collection of information on children under 13 is regulated
by the COPPA. Intuit's products and services are financial in nature
and not intended to be used by children.
We recognize the proliferation of social media and the use of it by
minors. We would expect that companies providing such services would do
so lawfully, and in a manner respectful of all individuals using such a
service.
Question 5. To what extent is geo-location tracking a problem?
Answer. Geo-location information can be very useful to provide
specific, highly relevant services to individuals, such as providing
directions, identifying nearest services, etc. In all cases, however,
the individual should understand that his/her geo-location information
is being collected. It should also be retained and used for a very
limited period of time specifically to provide those relevant services
to him/her. Once the services have been delivered, the geo-location
data should be deleted and/or removed from the service.
Question 6. Is Federal privacy legislation needed? If so, what
should be the basic elements of any privacy legislation?
Answer. We see the value in commonsense Federal privacy
legislations that could set rules of the road for companies to follow
and clear the field of conflicting state laws. As the digital economy
has grown over the last decade, self-regulatory approaches have allowed
many businesses to offer consumers many innovative products and
services while incorporating meaningful privacy protections in ways
that fit the company size, structure, culture and industry. High
performers that are committed to capturing and retaining their
customers' trust implement a range of self-regulatory approaches, from
privacy seals to government sponsored codes of conduct (such as the
Dept. of Commerce Safe Harbor Program). Self-regulatory approaches may
fall short for new, small start-ups, naive companies or malfeasant
companies. The same could be said for regulation as well. It's our
belief that the most effective way to protect consumers and support
innovation is a principles-based approach, covering Fair Information
Privacy Practices creates a credible baseline that provides the rules
of the road.
Question 7. Should companies be held to higher standards with
respect to our children and the way their information is handled?
Answer. The Children's Online Privacy Protection Act (COPPA) sets a
high standard with respect to children online. The FTC should provide
rigorous enforcement of COPPA.
Question 8. Are you concerned about employer or insurance
discrimination based on information collected about consumers online?
Answer. We would have to research this issue in order to comment on
this question.
Other questions
Question 9. Your testimony demonstrates a strong commitment to
privacy. Do you believe that Intuit's approach to privacy is generally
followed by companies operating online? How would you suggest other
companies integrate privacy protections into their services?
Answer. Different businesses can offer consumers various innovative
products and services while incorporating meaningful privacy
protections in ways that fits the company size, structure, culture and
industry. High performers like Intuit that are committed to capturing
and retaining their customers' trust implement a range of self-
regulatory approaches, from privacy seals to government sponsored codes
of conduct (such as the Dept. of Commerce Safe Harbor Program). Self-
regulatory approaches may fall short for new, small start-ups, naive
companies or malfeasant companies. It's our belief that the most
effective way to protect consumers and support innovation is a
principles-based approach to legislation that creates a baseline that
provides the rules of the road. We believe that an emphasis on
education and advocacy through industry sector associations, business
groups, small business associations and local chambers of commerce.
This would be necessary for both regulatory and self-regulatory
approaches.
______
Response to Written Question Submitted by Hon. Mark Begich to
Barbara Lawler
Question. What steps should the industry take to assist citizens
with knowing what their digital life is like?
Answer. We are committed to educating our customers about their
data stewardship choices and what they can do to protect their personal
information when interacting with our products. Consumers would benefit
from additional direct education and communication, such as PSAs
through mass media, social networks and simple and clear information
company websites.
______
Response to Written Questions Submitted by Hon. Kay Bailey Hutchison to
Barbara Lawler
Question 1a. Ms. Lawler, your company is engaged in a variety of
online businesses and is subject to several Federal and state privacy
regulations. You know as well as anyone that totally unrelated
companies can be impacted in different ways by the interconnected web
of privacy laws. I fear that addressing a privacy issue in one area
could have unexpected ramifications in a totally different area. If
this Committee considers developing new online privacy legislation,
what sort of pitfalls should we look out for so that we can avoid such
unintended consequences?
Answer. A principles-based legislative approach will have the
highest probability of success in protecting consumers while providing
a flexible, level playing field for a wide range of businesses holding
different types of data for different purposes. This would allow
organizations to incorporate the necessary types of privacy protections
for consumers while allowing flexibility on how the protections are
implemented. It can be the optimal framework for a wide range of
business, especially small businesses, which are the backbone of the
American economy. We are specifically concerned about requirements that
provide risk to innovation and customer delight, that may limit the
flexibility to try new options and methods of delivering value to our
customers in a rapid, iterative fashion. Examples include mandates to
require the use specific technologies or specific procedural mechanics,
such as very specific requirements regarding how and when notices are
delivered, worded and formatted; or rules that place too many controls
on the first party use of data especially those uses that are already
consistent with consumer understanding and expectations. Specific
requirements can create overlapping rules for the exact same sets of
data; or specific words required for contractual agreements with third
parties can create confusion or inadvertent non-compliance. The
Committee must also be careful to avoid prescriptive mandates that
attempt to address one set of concerns with the Internet but could
unintentionally limit or prevent other elements of the Internet from
functioning properly--for example, the commendable effort to increase
transparency and choice related to behavioral tracking and advertising,
if overly proscribed, could inhibit software as a service applications'
functionality. As we developed the Intuit Data Stewardship Principles,
our customers told us in multiple rounds of research that they prefer
the specificity of simple, plain language--Principles rather than the
policy-based, business-speak language you or I might think is better.
Question 1b. Is there an approach we can take to build upon or work
within existing frameworks, such as HIPPA and Gramm-Leach-Bliley,
rather than writing another separate statute?
Answer. At Intuit we have experience with applying different rules
to overlapping sets of data. Both HIPAA and GLB have their strengths
and weaknesses; both are based on recognized privacy principles, and
yet take philosophically different approaches. HIPAA is designed to
limit data uses and sharing beyond the first party organization, while
GLB is designed to enable data uses beyond the first party
organization. And both contain elements of proscriptive requirements,
notices being a prime example.
We recommend starting from a fresh perspective that is principles
based and does not rely on procedural requirements.
Question 2a. Ms. Lawler, there has been a lot of discussion about
whether industry best practices and self-regulatory efforts are
effective. Many believe that market forces will push companies toward
such industry-led efforts and that the FTC has the existing legal
authority to hold companies accountable as good stewards of consumer
information. Which do you believe is best for consumers: having the
Federal Government act as a legal backstop to industry-led self-
regulation or having the government set top-down prescriptive rules on
how to collect and use consumer data?
Answer. We believe the most effective solution would be a middle
ground between the two: A principles-based legislative approach will
provide a wide range of businesses holding different types of data for
different purposes to incorporate the necessary types of privacy
protections for consumers while allowing flexibility on how the
protections are implemented. It can be the optimal framework for a wide
range of business, especially small businesses, which are the backbone
of the American economy.
Question 2b. What are some of the advantages and concerns with each
approach?
Answer. There is an argument that market forces, policy-maker
scrutiny, customer expectations are heading in right direction but will
not fully cover all types of organizations--high performers, edge
riders and the majority that are unaware. Enforceable self-regulatory
codes of conduct work for most business--high performers are provided
opportunity to excel, and those who need rules of the road are still
able to comply--preserving flexibility and the ability to innovate is
key. As Congress considers rules of the road, take care to not be
overly prescriptive--protecting online privacy while sacrificing
innovation will not help consumers or the competitiveness of the
American economy.
Question 3. While a large portion of the online industry is
participating in the self-regulatory program, it has not reached 100
percent. What can be done to increase participation? Is it possible to
do get full participation through a self-regulatory program?
Answer. We believe that a good approach is an emphasis on education
and advocacy through industry sector associations, business groups,
small business associations and local chambers of commerce. This would
be necessary for both regulatory and self-regulatory approaches.
______
Response to Written Questions Submitted by Hon. John Ensign to
Barbara Lawler
Question 1. How would you say the self-regulatory approach is
working in the marketplace to protect consumers thus far?
Answer. As the digital economy has grown over the last decade,
self-regulatory approaches have allowed many businesses to offer
consumers many innovative products and services while incorporating
meaningful privacy protections to protect their customers in ways that
fit the company size, structure, culture and industry. High performers
that are committed to capturing and retaining their customers' trust
implement a range of self-regulatory approaches, from privacy seals to
government sponsored codes of conduct (such as the Dept. of Commerce
Safe Harbor Program). Self-regulatory approaches may fall short for
new, small start-ups, naive companies or malfeasant companies. The same
could be said for regulation as well. It's our belief that the most
effective way to protect consumers and support innovation is a
principles-based approach to legislation that creates a baseline that
provides the rules of the road.
Question 2. Ms. Lawler in your testimony you cite the value of
principles-based privacy legislation working in tandem with self-
regulatory approaches and codes of conduct, highlighting the importance
of enabling industry flexibility.
Answer. A principles-based legislative approach will provide a wide
range of businesses holding different types of data for different
purposes the ability to incorporate the necessary types of privacy
protections for consumers while allowing flexibility on how the
protections are implemented. It can be the optimal framework for a wide
range of businesses, especially small businesses, which are the
backbone of the American economy.
Question 3. In your opinion, what would be the effect of over-
prescriptive, one-size-fits-all regulation on your ability to protect
the online privacy of consumers?
Answer. Intuit's approach is to provide our customers a high
integrity, trusted end-to-end experience that ultimately results in
customer delight. Proscriptive, one-size-fits-all approaches tend to
emphasize form over functional value to consumers (when was the last
time you read the mandatory financial institution or HIPAA privacy
notice?). Such an approach would force us to focus on procedural
compliance first and customer delight and innovation second. Our
priority lies with providing our customers with innovative ways to
solve their financial problems while making sure their data is
protected.
Question 4. Can you give me specific examples of what types of
industry regulation you would consider over-prescriptive?
Answer. We are specifically concerned about requirements that
provide risk to innovation and ultimately hurt our ability to meet our
customer' needs, and limit the flexibility to try new options and
methods of delivering value to our customers in a rapid, iterative
fashion. Examples include mandates requiring the use of specific
technologies or specific procedural mechanics, such as very specific
requirements about how and when notices are delivered, how they are
worded and formatted, or specific words required for contractual
agreements with third parties. As we developed the Intuit Data
Stewardship Principles, our customers told us in multiple rounds of
research that they prefer the specificity of simple, plain language
Principles rather than the policy-based, business-speak language you or
I might think is more descriptive.
Question 5. In your view, what is the best way to encourage
innovation while still protecting consumers' online privacy?
Answer. We believe that the best way is through a principles-based
approach that could work in tandem with self-regulatory approaches and
enforceable codes of conduct, which provide consistent guidance to all
types and sizes of organizations, fill the gaps between existing
regulations. The principles-based approach is especially critical to
allow for flexible application by small businesses.
______
Response to Written Questions Submitted by Hon. Mark Begich to
Christopher R. Calabrese
Question 1. What steps should the industry take to assist citizens
with knowing what their digital life is like?
Answer. While industry can take some limited steps to protect
consumers, the best way to improve public knowledge about digital life
is for Congress to grant consumers control over their own personal
information. If consumers had enforceable rights, they would educate
themselves about how to use them. In the current system, there is no
advantage to consumers in learning key facts about their digital life
such as the entities that hold personal information or the tools used
to monitor web tracking. No matter how educated consumers become, they
can't do anything practical or beneficial with their knowledge. They
can only participate online in a ``take it or leave it'' way. They have
no power to limit data sharing, access personal profiles, or delete
records. Consumers will only take the time to learn about the use of
their information if it is worth their time and effort to do so. That
means giving them the tools to police their own profiles and limit data
sharing. My written statement elaborates in much more detail on the
full range of enforceable rights the ACLU believes should be available
to consumers.
Given that reality, one useful step industry could take is to work
with the Federal Trade Commission (FTC) to reduce the complexity of
their privacy policies. Because the FTC can only penalize companies
that engage in unfair and deceptive practices, companies have
incentives to avoid providing clear notice to consumers because that
notice could be used to create enforceable rights against them.
Instead, they largely write bloated privacy policies that describe
company practices in such detail and legalistic jargon as to be
incomprehensible to consumers. If companies commit to providing
simplified policies with common language and definitions that can be
compared between companies (like nutrition labels on food), it would be
a helpful consumer education tool.
Similarly, companies could commit in simple terms to honoring any
do not track preference stated by a consumer and insuring that all
advertisers on their site do the same. ``Do not track'' should be
understood to mean no tracking or storage of information at all, not
simply a ban on behaviorally targeted ads. Such a mechanism would also
give consumers incentive to learn about their rights.
Ultimately both of these tools are limited compared to the real
explosion of consumer education and understanding that could be created
if consumers were actually given enforceable control over their
information through a legislative mandate.
Question 2. Mr. Calabrese, I appreciate your comments regarding the
invasion of privacy currently occurring on the Internet. Besides your
recommendation for a ``Do Not Track'' method for browsers what else
could we do to improve the experience of Internet users?
Answer. The best way to improve the experience of Internet users is
to increase their trust in the system. As Internet use is increasing so
is consumer awareness and fear of expanding information collection.
Many new web applications use and share a great deal of personal
information. Social networking sites, location based services, online
retail services, and a variety of other sites all rely on a willingness
of consumers to share personal information. These websites and
applications can only reach their full potential if consumers can share
this information secure in the knowledge that they retain control over
it.
There is evidence that these fears are affecting consumers.
According the Federal Communications Commission's National Broadband
Plan, 22 percent of people don't use the Internet because of discomfort
with computers and concern ``about all the bad things that can happen
if [they] use the Internet.'' According to Gallup polling conducted for
USA Today, 61 percent of consumers opposed web tracking even if they
kept costs down and allowed consumers to visit websites for free.
Efforts to protect consumer privacy must be backed by the
government, not simply created by industry. For years, government
agencies have called on industry to provide privacy protections for
consumers. However, as the FTC report explains in its recent report on
privacy, self-regulatory efforts ``have been too slow, and up to now
have failed to provide adequate and meaningful protection.'' Though
industry has taken some steps, there is still no widespread adoption of
provisions allowing consumer control and only a limited legally
enforceable basis for relying on them.
Question 2a. Are there different recommendations for those websites
targeting children?
Answer. We believe Congress should work toward providing a high
level of protection to everyone's privacy online--adult and child
alike. Strong protections that allow consumer control over sharing of
personal information would benefit both children and adults. Within
this framework, it might be necessary to provide heightened protection
for children. For example, many advocates have called for special
protections for sensitive information such as information related to a
person's financial accounts, medical records or sexual orientation.
Information on children could be placed in that category as well to
assure that it receives the highest level of protection possible.
Question 2b. What about applications on phones?
Answer. Internet use on mobile phones raises two additional
issues--location tracking and device identification. Mobile devices
constantly record and track an individual's physical movements and the
devices themselves often contain unique identifying numbers that cannot
be easily changed. This allows more robust and persistent tracking both
in the physical and Internet space. This information can be gathered
both by cell phone providers and applications running on those phones.
As of December 2009, more than 90 percent of the overall population
of the United States subscribed to cell phone service--an estimated
285.6 million people. While cell phones are best known as devices used
to make voice calls and send text messages, they are also capable of
being used as tracking devices. As a result, cell phone technology has
given many parties including the government, marketers, and employers
an unprecedented new surveillance tool. The technical capacity now
exists to track any one of the Nation's hundreds of millions of cell
phone owners, for 24 hours a day, for as long as it likes. Whether it
is a visit to a therapist or liquor store, church or gun range, many
individuals' locations will be available either in real time or months
later. Because of the sensitivity and invasiveness of location records,
many advocates, including the ACLU argue for high standards for access
to this information including a warrant based on probable cause for law
enforcement access.
An example of the pervasiveness of this location tracking was
recently described by the New York Times. According to the article a
German lawmaker, Malte Spitz, gained access from his cell phone
provider to all the location information associated with him (such
access is required under German law). Using that information he was
able to map his movements for 6 months. In another example, New York
City attempted to fire an employee using cell phone records as evidence
he was leaving work early.
Consumers are concerned about this intrusion. In a recent poll, 49
percent of respondents said they would be more comfortable with
location-based services if they could more easily and clearly manage
who sees their location information; 84 percent were concerned about
the sharing of their location data without their consent; 84 percent
were concerned about identity or data theft; and 83 percent were
concerned about loss of privacy.
______
Comments on ``The State of Online Privacy,'' March 16, 2011
Adam Thierer, Senior Research Fellow, U.S. Senate, Committee on
Commerce, Science, and Transportation
Published by the Mercatus Center, George Mason University and also
available at http://mercatus.org/sites/default/files/publication/
comments-senate-hearing-state-online-privacy.pdf.
As the Commerce Committee continues its exploration of online
privacy issues, it is important that it ask some hard questions about
the wisdom of imposing a comprehensive new regulatory regime on the
Internet, which the Obama Administration appears to now favor. The
Federal Trade Commission (FTC) \1\ and Department of Commerce (DoC) \2\
both released new privacy ``frameworks'' late last year and seem
determined to move America toward a more ``European-ized'' conception
of privacy regulation.\3\
---------------------------------------------------------------------------
\1\ Federal Trade Commission, Protecting Consumer Privacy in an Era
of Rapid Change (December 2010), http://www.ftc.gov/os/2010/12/
101201privacyreport.pdf.
\2\ U.S. Department of Commerce, Commercial Data Privacy and
Innovation in the Internet Economy: A Dynamic Policy Framework, U.S.
Department of Commerce Internet Policy Task Force (December 2010).
\3\ Adam Thierer, ``Obama Admin's `Let's-Be-Europe' Approach to
Privacy Will Undermine U.S. Competitiveness,'' Technology Liberation
Front, January 5, 2011, http://techliberation.com/2011/01/05/obama-
admins-lets-beeurope-approach-to-privacy-will-undermine-u-s-
competitiveness/.
---------------------------------------------------------------------------
Here are a few questions that should be put to the FTC and DoC
officials, or those who support the direction they are taking us:
Before implying that we are experiencing ``market failure,''
why hasn't either the FTC or DoC conducted a thorough review of
online privacy policies to evaluate how well organizational
actions match up with promises made in those policies?
To the extent any sort of internal cost-benefit analysis was
done internally before the release of these reports, has an
effort been made to quantify the potential size of the hidden
``privacy tax'' that new regulations like ``Do Not Track''
could impose on the market?
Has the impact of new regulations on small competitors or
new entrants in the field been considered? Has any attempt been
made to quantify how much less entry/innovation would occur as
a result of such regulation?
Were any economists from the FTC's Economics Bureau
consulted before the new framework was released? Did the DoC
consult any economists?
Why do FTC and DoC officials believe that citing
unscientific public opinions polls from regulatory advocacy
organizations serves as a surrogate for serious cost-benefit
analysis or an investigation into how well privacy policies
actual work in the marketplace?
If they refuse to conduct more comprehensive internal
research, have the agencies considered contracting with
external economists to build a body of research looking into
these issues (as the Federal Communications Commission did in a
decade ago in its media ownership proceeding)?
Has either agency attempted to determine consumer's
``willingness to pay'' for increased privacy regulation?
Has either agency explored the potential free speech issues
that are at stake here since increased privacy regulation could
potentially infringe legitimate First Amendment rights?
More generally, where is the ``harm'' \4\ and aren't there
plenty of voluntary privacy-enhancing tools out there that
privacy-sensitive users can tap to shield their digital
footsteps, if they feel so inclined?
---------------------------------------------------------------------------
\4\ Berin Szoka and Adam Thierer, ``Targeted Online Advertising:
What's the Harm & Where Are We Heading? Progress on Point 16.2,
(Washington, D.C.: The Progress & Freedom Foundation, February 13,
2009), http://www.pff.org/issues-pubs/pops/2009/
pop16.2targetonlinead.pdf.
These are just some of the many of these questions explored in my
recent filing to the Federal Trade Commission in its proceeding on
Protecting Consumer Privacy in an Era of Rapid Change.\5\ Because of
the unique focus on the so-called ``Do Not Track'' mechanism as a
potential silver-bullet solution to online privacy concerns, I am
attaching the portion of my filing discussing the potential costs of
such a mandated solution.
---------------------------------------------------------------------------
\5\ Adam Thierer, Public Interest Comment on Protecting Consumer
Privacy in an Era of Rapid Change86 (Arlington, VA: Mercatus Center at
George Mason University), February 18, 2011, http://mercatus.org/
publication/public-interest-comment-protecting-consumer-privacy-era-
rapid-change. Also see, see Adam Thierer, ``Unappreciated Benefits of
Advertising and Commercial Speech,'' Mercatus on Policy 86 (Arlington,
VA: Mercatus Center at George Mason University), January 2011, http://
mercatus.org/publication/unappreciatedbenefits-advertising-and-
commercial-speech.
---------------------------------------------------------------------------
How a Mandatory ``Do Not Track'' Regime Creates Potential Risks to
Consumers, Culture, Competition, and Global Competitiveness
More tailored forms of online advertising and the ``tracking''
technologies which make them possible are coming under increasing
scrutiny today. Some of this can be attributed to a general
unfamiliarity with how online advertising works and the role personal
information and data collection play in the process.\6\ Although, as
noted above, no clear case of harm has been established, some privacy
fundamentalists who oppose virtually any form data collection have
elevated this concern to near ``techno-panic'' levels and are now
demanding regulation.\7\ As noted below, a variety of tools--such as,
browser cookie controls or third-party plug-ins--already exist that can
help consumers block targeted ads or limit data collection. But the
Commission, likely inspired by regulatory advocates' claims of the
complexity of those voluntary systems, is now pushing for additional
steps to simplify or speed up the process. Hence, a ``Do Not Track''
mechanism has become the preferred universal fix, and one that the
Commission is now pushing upon the marketplace. Do Not Track would
demand that websites honor a machine-readable header indicating that
the user did not want to be ``tracked.'' In theory, this will allow
privacy-sensitive web surfers to signal to websites that they would
like to opt-out of any targeted advertising or not have any information
about them collected when visiting sites. The potential costs of such a
regime will be explored in this section.
---------------------------------------------------------------------------
\6\ ``Exaggerated fears are particular common regarding new
technologies.''.'' Kent Walker, ``The Costs of Privacy,'' 25 Harvard
Journal of Law & Public Policy, no 87, (Fall 2001), 126. A recent
report by the U.K. government noted that ``New media are often met by
public concern about their impact on society and anxiety and
polarisation of the debate can lead to emotive calls for action.''
Safer Children in a Digital World, Byron Review on Children and New
Technology, Department for Children, Schools and Families, [U.K.] task
force report, March 2008, 3, http://www.dfes.gov.uk/byronreview/pdfs/
Final%20Report%20Bookmarked.pdf.
\7\ ``The privacy problem has morphed . . . into the latest terror
of the digital ago, surpassing earlier shibboleths,'' argues Larry
Downes. . . .'' Larry Downes, ``A Market Approach to Privacy Policy,''
in Berin Szoka and Adam Marcus, eds., The Next Digital Decade: Essays
on the Future of the Internet (Washington, D.C.: TechFreedom, 2011),
510. Also see generally Adam Thierer, ``Parents, Kids & Policymakers in
the Digital Age: Safeguarding Against `Techno-Panics,' '' Inside ALEC,
July 2009, 16-17, http://www.alec.org/am/pdf/Inside_July09.pdf.
---------------------------------------------------------------------------
1. Potential Direct Cost to Consumers
The Commission poses a variety of questions regarding how a Do Not
Track regime may be implemented and what its potential impact might
be.\8\ How many consumers would opt-out? How many would be willing to
pay site subscriptions? How would it impact online publishers and
advertisers? And so on. The truth is, nobody knows the answers to these
questions, and the Commission has made no attempt to conduct a serious
cost-benefit analysis of such a regime. Importantly, opinion polls
cannot predict with accuracy how things will turn out once such a
regime takes effect because consumer and marketplace reactions to real-
world developments are more complex and nuanced than artificial surveys
or experiments.\9\
---------------------------------------------------------------------------
\8\ Federal Trade Commission, Protecting Consumer Privacy, A-4.
\9\ See, e.g., Berin Szoka, ``Privacy Polls v. Real-World Trade-
Offs,'' 5 Progress Snapshot 10 (Washington, D.C.: The Progress &
Freedom Foundation, October 8, 2009), http://www.pff.org/issues-pubs/
ps/2009/ps5.10-privacy-pollstradeoffs.html; Downes, ``A Market Approach
to Privacy Policy,'' 514.
---------------------------------------------------------------------------
What we do know is that online advertising today allows consumers
to enjoy a veritable cornucopia of innovative, and mostly free, sites
and services. Government regulation could ``break'' the implicit online
quid pro quo currently governing online sites and services--that
consumers enjoy a bevy of free content and services in exchange for
tolerating ads and data collection--by creating what appears to be a
cost-free choice option for consumers. That choice, however, will be
anything but costless.
Lauren Weinstein, co-founder of People For Internet Responsibility
(PFIR), worries that the ``ability [of Do Not Track concepts] to cause
major collateral damage to the Internet ecosystem of free Web services
is being unwisely ignored or minimized by many Do Not Track
proponents.'' \10\ Weinstein is correct. There is no free lunch. While
well-intentioned, government regulation that attempts to create a cost-
free opt-out for data collection and targeted online advertising will
likely have damaging unintended consequences. In terms of direct costs
to consumers, Do Not Track could result in higher prices for service as
paywalls go up or, at a minimum, advertising will become less relevant
to consumers and, therefore, more ``intrusive'' in other ways.
---------------------------------------------------------------------------
\10\ Lauren Weinstein, ``Risks in Mozilla's Proposed Firefox `Do
Not Track' Header Thingy,'' Lauren Weinstein blog, January 24, 2010,
http://lauren.vortex.com/archive/000803.html.
---------------------------------------------------------------------------
Why might less relevant advertising represent a cost to consumers?
It comes down to the value of their time and the benefits of relevant
advertising to them. Ben Kunz, director of strategic planning at
Mediassociates, a media planning and Internet strategy firm, argues
that Do Not Track ``won't stop online ads'' but will instead simply
lead to ``tons of banners and videos everywhere online. They'll simply
be less relevant.'' \11\ The Wall Street Journal agrees, noting:
``While many supporters of Do Not Track imagine that the opt-out would
reduce the ads they see, the opposite would more likely occur, causing
advertisers to blanket more media and use more intrusive techniques to
reach the same number of potential customers.'' \12\ When Google
recently announced it would be offering a ``Keep My Opt-Outs''
extension to its Chrome web browser to come into line with the FTC's
desire for more Do Not Track mechanisms, the company also noted that
``once you install the Keep My Opt-Outs extension, your experience of
online ads may change: You may see the same ads repeatedly on
particular websites, or see ads that are less relevant to you.'' \13\
Thus, Do Not Track ``will stop marketers from serving up ads for
products you may actually want,'' Kunz notes.\14\ This represents a
direct cost to consumers in terms of the hassle of unwanted, intrusive
(or ``spammy'') advertising.
---------------------------------------------------------------------------
\11\ Ben Kunz, ``The $8 Billion Do Not Track Prize,'' Bloomberg
Businessweek, December 22, 2010, http://www.businessweek.com/
technology/content/dec2010/tc20101222_392883.htm.
\12\ ``The Internet Browsing Cops,'' January 21, 2011, http://
online.wsj.com/article/SB1000
1424052748704723104576061900000013690.html.
\13\ Sean Harvey and Rajas Moonka, ``Keeping Your Opt-Outs,''
Google Public Policy Blog, January 24, 2010, http://
googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html.
\14\ Kunz, ``The $8 Billion Do Not Track Prize.''
---------------------------------------------------------------------------
But it is the potential for prices to rise for online content and
services that is the most important direct cost to consumers. If
paywalls go up and subscriptions are required as a result of the new Do
Not Track regime, Corey Kronengold of Digiday suggests the response of
users could take one of two forms: \15\
---------------------------------------------------------------------------
\15\ Corey Kronengold, ``Taking Issue: The Value of Privacy,''
Digiday, December 16, 2010, http://www.digidaydaily.com/stories/taking-
issue-the-value-of-privacy.
1. Users (especially those who are highly privacy sensitive)
might gladly accept the trade-off and pay something more for
those sites and services instead of having data collected or
---------------------------------------------------------------------------
ads served; or,
2. Users might revolt against the resulting paywalls,
subscriptions, micropayment schemes, tiered services, etc, and
demand government intervention in the name of ``fairness.'' We
might even hear talk of ``gouging'' and calls for price
regulation, even though developers would have no choice but to
raise prices to cover costs in the absence of advertising
support.
Some mix of the two could be the end result, but the latter
scenario seems far more likely. ``If we move too far one way, the
people supplying the free content will get together and say we aren't
going to supply the content for free,'' says Dilip DaSilva, chief
executive of Exponential Interactive, owner of the Tribal Fusion online
advertising network. ``It's not like the publishers will offer free
content to people who visit their site but don't want ads tracking
them.'' \16\
---------------------------------------------------------------------------
\16\ Quoted in Tanzina Vega and Verne Kopytoff, ``In Online Privacy
Plan.''
---------------------------------------------------------------------------
Of course, there is nothing wrong with online sites and service
providers charging for what they offer consumers, but, as Kronegold
suggests, if regulation moves the marketplace in that direction
unnaturally, many consumers will likely have a problem with it since
they have grown accustomed to an abundance of ``free'' online services.
It is impossible to determine what prices online providers might seek
to charge for their services, but anything more than the $0.00 they
currently charge will likely come as a shock to many consumers. As
discussed in the following section, it will also have profound
repercussions on the broader availability of much content and many of
the services consumers take for granted. In this sense, Do Not Track
becomes a ``privacy tax'' on consumers, requiring them to pay for
things they previous received inexpensively, or for free.\17\
---------------------------------------------------------------------------
\17\ ``We might better think of a privacy tax--we pay the regular
price unless we want to keep information about our food, alcohol, and
pharmaceutical purchases from the market; to keep our habits to
ourselves, we pay extra.'' Hal Abelson, Ken Ledeen, and Harry Lewis,
Blown to Bits: Your Life, Liberty, and Happiness After the Digital
Explosion (Upper Saddle River, NJ: Addison-Wesley, 2008), 11.
---------------------------------------------------------------------------
There are other costs associated with the process of creating
paywalls and setting prices that will be borne by online content
providers and consumers, as Commissioner William Kovacic noted in his
statement on the Commission's privacy report:
Setting prices is costly; if willingness to pay to avoid
tracking varies substantially, the informational requirements
to set access prices will be large. For a number of content
providers, a price-for-content model is likely to provide less
revenue than monetization via advertising; that most websites
choose an ad-driven model rather than a direct fee model
suggests that the former is a more efficient means than the
latter to monetize content in most circumstances. At the
margin--which may be large--forcing firms away from their
revealed-preferred method of monetization may reduce revenue
and hence degrade quality. In discussing whether website
content might be degraded by consumers choosing not to be
tracked, how, if at all, should such risks impact the
Commission's analysis? \18\
---------------------------------------------------------------------------
\18\ Concurring Statement of Commissioner Kovacic, in Federal Trade
Commission, Protecting Consumer Privacy, D-4.
How much content will go behind paywalls? Dan Castro of the
---------------------------------------------------------------------------
Information Technology & Innovation Foundation fears much will:
If a Do Not Track list ever became widely implemented companies
could respond by simply blocking access to those sites for
users who opt out, just as some sites today block users who use
ad-blocking software or do not register on a site. Users who
currently opt out of targeted advertising but continue to use
the content or service which the advertising pays for are
essentially free riders. They are the minority of users who are
benefiting from the willingness of the majority to divulge some
personal information in exchange for free or reduced-price
content. It is this exchange that enables the U.S. Internet
ecosystem to be so robust and largely free of charge to the
average user. Privacy advocates rarely acknowledge the harm to
advertising revenues that would result from a large number of
consumers signing up for Do Not Track.\19\
---------------------------------------------------------------------------
\19\ Daniel Castro, ``Policymakers Should Opt Out of `Do Not
Track','' Information Technology & Innovation Foundation, November
2010, 3, www.itif.org/files/2010-do-not-track.pdf.
Another alternative short of paywalls would be interstitial pop-ups
warning consumers they must first disable Do Not Track before they are
allowed to use portions of the site, or perhaps any of it.\20\ In other
words, sites may seek to formalize the previously unwritten quid pro
quo of information as currency. Some Do Not Track regulatory advocates
try to assuage such concerns by pointing to the existence of widespread
online website registration or site ``login'' procedures today, which
do not generally require user to disable settings (such as cookie-
blocking or ad-blocking) or pay anything before using site content/
services. For example, Arvind Narayanan of Stanford University argues:
---------------------------------------------------------------------------
\20\ Ironically, depending on how such permission systems are
structured, this may actually end up forcing consumers to reveal more
information about themselves to many sites as a condition of access
content or services on those sites.
I do not believe that disabling DNT as a requirement for
service will become anywhere near as prevalent as logging in as
a requirement for service. I bring up login only to make the
comforting observation there seems to be a healthy equilibrium
between sites that require login always, some of the time, or
never.\21\
---------------------------------------------------------------------------
\21\ Arvind Narayanan, `` `Do Not Track' Explained,'' 33 Bits of
Entropy, September 30, 2010, http://33bits.org/2010/09/20/do-not-track-
explained.
Ultimately, however, this observation provides little comfort since
it ignores the fact that Do Not Track could be preemptively breaking
business models on an unprecedented scale, thus forcing vast numbers of
online publishers to make uncomfortable trade-offs going forward if
they wish to provide the current level of service or expanded options.
Narayanan may end up being correct and a highly tiered, permission-
based Internet may not be erected. But, as the next section notes, that
is a risky bet and one that could have profound consequences for the
future online content and the richness of its culture.
2. Potential Indirect Costs/Impact on Content & Culture
Direct monetary cost to consumers is not the only issue here. The
indirect impact of regulation on content and culture must also be
considered.
While targeted online advertising only accounted for $1.1 billion
in 2010, it has been growing at healthy 20 percent clip, estimates
eMarketer.\22\ ``Factor in the use of data to determine marketing
efficiencies and that figure could be as high as $7 billion to $8
billion of the $25 billion online ad spend,'' says Katy Bachman of
AdWeek.\23\ Larry Ponemon, Chairman of the Ponemon Institute, which
studies privacy and security issues, told the New York Times that
``Privacy fears are definitely having an economic impact'' on the
market, especially the uncertain legal and regulatory environment and
the threat of regulation.\24\ A May 2010 Ponemon Institute survey of
senior marketing executives with 90 diverse organizations that were
actively engaged in online marketing found that:
---------------------------------------------------------------------------
\22\ David Hallerman, ``Audience Ad Targeting: Data and Privacy
Issues,'' eMarketer, February 2010, http://www.emarketer.com/Reports/
All/Emarketer_2000636.aspx.
\23\ Katy Bachman, ``(Ad) Apocalypse Soon,'' AdWeek, December 19,
2010, http://www.ad
week.com/aw/content_display/esearch/
e3i9f75082f2f627711694ca34d9b326105.
\24\ Quoted in Steve Lohr, ``Privacy Concerns Limit Online Ads,
Study Says,'' New York Times, April 30, 2010, http://
bits.blogs.nytimes.com/2010/04/30/privacy-concerns-limit-online-ads-
study-says.
63 percent of those we surveyed said behavioral advertising
generated their greatest return on investment. Yet 98 percent
told us that, because of consumers' privacy fears, their
companies are curtailing investments in online behavioral
targeting. These companies are willing to sacrifice the revenue
they believe they can generate through an online campaign
rather than risk the potential hit to brand reputation for
being as aggressive as they would like to be. Overall that
curtailment has kept more than $600 million out of the
behavioral targeting industry.\25\
---------------------------------------------------------------------------
\25\ Larry Ponemon, ``Fear and Loathing in Online Advertising,''
Ponemon Institute blog, May 3, 2010, http://www.ponemon.org/blog/post/
fear-and-loathing-in-online-advertising.
This matters because it represents foregone investment in new forms
of content, culture, and services. Media economists and industry
experts have long realized that advertising is the great sustainer of
media.\26\ Advertising benefits society by subsidizing the creation of
news, information, and entertainment. ``Advertisers are critical to the
success of commercial media because they provide the primary revenue
stream that keeps most of them viable,'' argues Robert G. Picard,
author of The Economics and Financing of Media Companies.\27\ Mary
Alice Shaver of the University of Central Florida puts this support in
context: ``Advertising revenues pay for virtually all broadcast media,
70 percent to 80 percent of support for newspapers and an equally high
percentage for magazines.'' \28\
---------------------------------------------------------------------------
\26\ For a summary, see Adam Thierer, ``Unappreciated Benefits of
Advertising and Commercial Speech,'' Mercatus on Point 86 (Arlington,
VA: Mercatus Center at George Mason University), January 2011, http://
mercatus.org/publication/unappreciated-benefits-advertising-and-
commercial-speech.
\27\ Robert G. Picard, The Economics and Financing of Media
Companies (Bronx, NY: Fordham University Press, 2002), 122.
\28\ Mary Alice Shaver, ``The Economics of the Advertising
Industry,'' in Alison Alexander, et. al., Media Economics: Theory and
Practice (Mahwah, NJ: Lawrence Erlbaum Associates, Third Edition,
2004), 250.
---------------------------------------------------------------------------
Importantly, advertising is proving increasingly to be the only
business model with any real staying power for many media and
information-producing sectors. Pay-per-view mechanisms, micropayments,
and even subscription-based business models are all languishing.\29\
Consequently, the overall health of modern media marketplace and the
digital economy--and the aggregate amount of information and speech
that can be produced or supported by those sectors--is fundamentally
tied up with the question of whether policymakers allow the advertising
marketplace to evolve in an efficient, dynamic fashion.\30\ In this
sense, it is not hyperbole to say that an attack on advertising is
tantamount to an attack on media itself.\31\
---------------------------------------------------------------------------
\29\ To some extent, these are all just variations of a fee-for-
service business model. ``Micropayments,'' for example, would require a
small payment for each media unit accessed or downloaded, such as $1
per news article or song.
\30\ Much of the valuable information content available on the
Internet, and so many of the useful services we use every day, is
free,'' explains Larry Downes, ``not because of some utopian dream of
inventors or even because of the remarkably low transactions costs of
the digital economy. The content is free because the costs of the
services--blogs, stock quotes, even home movies posted on YouTube--are
underwritten by advertisers. If we don't read and respond to ads, we'll
have to pay for these services some other way,'' he notes. Downes, The
Laws of Disruption, 83-4.
\31\ See Adam Thierer, Berin Szoka, and W. Kenneth Ferree, Comments
of the Progress & Freedom Foundation in the Matter of the Federal
Communications Commission's Examination of the Future of Media and
Information Needs of Communities In a Digital Age, The Progress &
Freedom Foundation, May 5, 2010, 28-38, http://www.pff.org/issues-pubs/
testimony/2010/2010-05-05-
Comments_in_FCC_Future_of_Media_proceeding.pdf.
---------------------------------------------------------------------------
A March 2010 study on ``The Value of Behavioral Targeting,''
conducted by Howard Beales on behalf of the Network Advertising
Initiative, demonstrates how this could be the case.\32\ Beales, the
former Director of the Bureau of Consumer Protection at the FTC, found
that advertising rates are significantly higher for behaviorally
targeted ads, with the average return on behaviorally targeted
advertising being just over twice that of other advertising. The reason
that greater return on investment is important, Beales notes, is
because:
---------------------------------------------------------------------------
\32\ Howard Beales, ``The Value of Behavioral Targeting,'' Network
Advertising Initiative, March 2010, www.networkadvertising.org/pdfs/
Beales_NAI_Study.pdf.
Advertising using behavioral targeting is more successful than
standard run of network advertising, creating greater utility
for consumers from more relevant advertisements and clear
appeal for advertisers from increased ad conversion. Finally, a
majority of network advertising revenue is spent acquiring
inventory from publishers, making behavioral targeting an
important source of revenue for online content and services
providers as well as third party ad networks.\33\
---------------------------------------------------------------------------
\33\ Ibid., 1.
This illustrates how more effective advertising can cross-subsidize
and sustain online content and culture. More and better advertising
means more and better content and services will be made available to
consumers. Beales concluded his study by noting: ``Increasingly,
advertising is the financing mechanism that makes online content and
services possible as well. As content traditionally provided offline
(such as newspapers) continues to move to the Internet, the link
between online advertising and content is likely to become increasingly
vital to the provision of information and services that we have long
taken for granted.'' \34\
---------------------------------------------------------------------------
\34\ Ibid., 18.
---------------------------------------------------------------------------
With these insights in mind, it is peculiar that the Commission
ignores the connection between this proceeding and another FTC
proceeding which poses the question, ``How Will Journalism Survive the
Internet Age?'' \35\ That is a fair question for the FTC to ask, and
one that the Federal Communications Commission has also been pondering
in a series of workshops on ``The Future of Media.'' \36\ What the
Commission proposes in this proceeding certainly will not help matters
any and it begs the question: If not advertising, then what will
sustain online media, digital age culture, and social networking
services going forward? \37\
---------------------------------------------------------------------------
\35\ Federal Trade Commission, ``How Will Journalism Survive the
Internet Age?'' Workshop Series, 2010, http://www.ftc.gov/opp/
workshops/news/index.shtml. All filing made to the Commission in the
proceeding are located here: http://www.ftc.gov/os/comments/newsmedia
workshop/index.shtm.
\36\ Federal Communications Commission, ``Future of Media,'' http:/
/reboot.fcc.gov/future
ofmedia.
\37\ Castro goes even further, arguing that ``If the goal of the
initiative is to restrict targeted advertising, it would be better for
Congress to just ban Internet advertising outright and develop a
`Corporation for Public Internet' to fund Internet content and
applications.'' Castro, ``Policymakers Should Opt Out of `Do Not
Track','' 4.
---------------------------------------------------------------------------
John Battelle is blunter in his assessment of how damaging this
move could be to online culture:
don't come crying to me when you realize that in opting out of
our marketing-driven world, you've also opted out of, well, a
pretty important part of our ongoing cultural conversation, one
that, to my mind, is getting more authentic and transparent
thanks to digital platforms. And, to my mind, you've also opted
out of being a thinking person capable of filtering this stuff
on your own, using that big ol' bean which God, or whoever you
believe in, gave you in the first place. Life is a
conversation, and part of it is commercial. We need to buy
stuff, folks. And we need to sell stuff too.\38\
---------------------------------------------------------------------------
\38\ John Battelle, ``Thurs. Signal: Go On, Opt Out. Just Don't
Come Cryin' To Me . . .'' Federated Media Publishing, December 1, 2010,
http://www.federatedmedia.net/blog/2010/12/thurs-signal-go-on-opt-out-
just-don't-come-cryinto-me.
This is a simplified explanation of the value exchange that drives
the Internet, but Battelle is correct that if heavy-handed regulation
replaces common sense or the current online quid pro quo of
information-forservices, then something must give. While the idea of a
cost-free opt-out model for the all online data collection/advertising
may sound seductive to some, it is vital to take into account the
opportunity costs of such regulation. The real world is full of trade-
offs and there is no such thing as a free lunch.
3. Competition & Market Structure
The Commission does not need to be reminded that it was created in
large part to safeguard competition. This proceeding, however,
threatens to tip the balance in favor of existing technologies or
market players over future ones.\39\ AdWeek's Katy Bachman argues that:
---------------------------------------------------------------------------
\39\ ``Regulation that disfavors one technology or business model
would also deter entry, thwart innovation, and limit competition and
choice in the sale of online advertising.'' Joan Gillman, Testimony
before the House Energy & Commerce Committee, Hearing on Do Not Track
Legislation: Is Now the Right Time? December 2, 2010, 5, http://
energycommerce.house.gov/hearings/Testimony.aspx?TID=4184.
Heavy-handed privacy legislation could actually curb
competition by crippling ad networks that serve ads to niche
Websites dependent on advertising to fund content. Websites
would have to resort to pay models in a medium where free
content is the norm. No doubt the big brands would still draw
contextual advertising, but that would come at the expense of
new, emerging brands, thus squelching competition in a space
that has thrived on it.\40\
---------------------------------------------------------------------------
\40\ Katy Bachman, ``(Ad) Apocalypse Soon,'' AdWeek, December 19,
2010, http://www.ad
week.com/aw/content_display/esearch/
e3i9f75082f2f627711694ca34d9b326105.
Similarly, Tanzina Vega and Verne Kopytoff of The New York Times
---------------------------------------------------------------------------
have noted that:
The Federal Trade Commission's proposed privacy mechanism could
cause a major shift in the online advertising industry, as
companies that have relied on consumers' browsing history try
to make up for what could be billions in lost revenue.
If the vast majority of online users chose not to have their
Internet activity tracked, the proposed ``do not track'' system
could have a severe effect on the industry, some experts say.
It would cause major harm to the companies like online
advertising networks, small and midsize publishers and
technology companies like Yahoo that earn a large percentage of
their revenue from advertising that is tailored to users based
on the sites they have visited.
Under a situation where many users opt out of being tracked,
other companies, like Google, may take a much smaller hit
because the vast majority of its revenue comes through search
ads that would not be affected by a do-not-track mechanism.
Microsoft, which also sells display advertising through its ad
network, could also survive a hit to user data collection since
it earns revenue from sources other than advertising, including
software and gaming, experts say.\41\
---------------------------------------------------------------------------
\41\ Tanzina Vega and Verne Kopytoff, ``In Online Privacy Plan, the
Opt-Out Question Looms,'' New York Times, December 5, 2010, http://
www.nytimes.com/2010/12/06/business/media/06privacy.html.
``In a setting where first-party advertising is allowable but
third-party marketing is not, substantial advantages may be created for
large incumbent firms,'' argue Avi Goldfarb and Catherine Tucker.\42\
``For example, if a large website or online service were able to use
its data to market and target advertising, it will be able to continue
to improve and hone its advertising, while new entrants will find it
difficult to challenge the incumbent's predominance by compiling other
data or collecting their own data,'' they conclude.\43\
---------------------------------------------------------------------------
\42\ Avi Goldfarb and Catherine Tucker, ``Comments on `Information
Privacy and Innovation in the Internet Economy,''' Comments to the U.S.
Department of Commerce, January 24, 2011, 4, http://www.ntia.doc.gov/
comments/101214614-0614-01/attachments/NTIA_comments_2011
_01_24.pdf.
\43\ Ibid.
---------------------------------------------------------------------------
And Kunz fears that ``the `Long Tail' of niche content is going to
get crushed'' since ``thousands of small websites may disappear as
dollars flow to consolidated publishing centers.'' ``Do Not Track will
send billions of dollars to the big online publishers, hurting the
little sites you might find most interesting. The second point is
painful. It could really harm you, too, dear consumer, if you read
things online other than The New York Times, Bloomberg, or
iVillage.com.'' \44\ This should hardly be surprising since economists
have long recognized that ``advertising typically benefits new entrants
and small firms more than it does large, established firms,'' \45\ and
that is likely to be the case for targeted online advertising since it
would be the easiest way for niche sites to find interested consumers
and advertisers.
---------------------------------------------------------------------------
\44\ Kunz, ``The $8 Billion Do Not Track Prize.''
\45\ Thomas M. Lenard and Paul H. Rubin, Privacy and the Commercial
Use of Personal Information (Washington, D.C.: The Progress & Freedom
Foundation, 2002), xxii.
---------------------------------------------------------------------------
Thus, the risk exists that a Do Not Track mandate could steer
markets in unnatural, inefficient directions by erecting new barriers
to entry or directly picking technological winners and losers.\46\ If
so, the Commission will have failed in its mission to safeguard
competition and improve consumer welfare.
---------------------------------------------------------------------------
\46\ As the National Cable and Telecommunications Association
(NCTA) noted in comments to the Department of Commerce: ``In a nascent
and highly dynamic market characterized by rapid technological change
such as online advertising, any regulation that favors or disfavors one
technology or business model over another could seriously thwart
innovation and the development of new business models that could
benefit consumers, content providers, and advertisers, by prematurely
locking market participants into one sanctioned approach. Moreover,
limiting online advertising to specified designated permissible
techniques would deter new entry, and limit competition.'' National
Cable and Telecommunications Association, Reply Comments to the U.S.
Department of Commerce, January 28, 2011, 10-11. http://
www.ntia.doc.gov/comments/10121
4614-0614-01/comment.cfm?e=17AF54FD-5201-474A-8EB8-E8B6071AEDEC.
---------------------------------------------------------------------------
4. International Competitiveness
Some advocates of intervention on this front do not hide their
desire to move the United States in a direction the European Union has
followed with ``data directives'' and more stringent forms of privacy
regulation. But America's refusal thus far to walk down that more
regulatory path offers scholars the chance to evaluate Europe's more-
restrictive approach and study whether America's lead in the global
digital marketplace might be tied to its more ``hands-off'' approach to
online regulation. A recent study by Goldfarb and Tucker found that
``after the [European Union's] Privacy Directive was passed [in 2002],
advertising effectiveness decreased on average by around 65 percent in
Europe relative to the rest of the world.'' \47\ They argue that
because regulation decreases ad effectiveness, ``this may change the
number and types of businesses sustained by the advertising-supporting
Internet.'' Regulation of advertising and data collection for privacy
purposes, it seems, can affect the global competitiveness of online
firms.
---------------------------------------------------------------------------
\47\ Avi Goldfarb and Catherine Tucker, ``Privacy Regulation and
Online Advertising,'' 57 Management Science 1, (January 2011), 57-71,
http://papers.ssrn.com/sol3/papers.cfm?abstract_
id=1600259.
---------------------------------------------------------------------------
This is what makes talk of ``harmonization'' among privacy regimes
so dangerous. It threatens to undermine America's competitive advantage
in the global digital arena. It is hard to find many European
counterparts that rival Google, Amazon, Apple, Facebook, eBay,
Microsoft, or other market leaders. Why is it that the information
technology sector has thrived in America and that U.S. companies are
leaders in many of their respective sectors across the globe? Might it
be precisely because the U.S. did not follow others down the path of
``data directives'' and heavy handed, top-down regulation of the
Internet more generally? ``If applied to American companies, these
European laws would restrict the breakneck innovation of the commercial
web,'' argues the NetChoice Coalition.\48\ And Yahoo! correctly
summarizes:
---------------------------------------------------------------------------
\48\ Steve DelBianco and Braden Cox, NetChoice Reply Comments on
Department of Commerce Green Paper, January 28, 2011, 7, http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=1EA98542-
23A4-4822-BECD-143CD23BB5E9.
It is no coincidence that the U.S. is the birthplace of most of
the widely used global websites and online services. Our legal
frameworks encourage innovation through reasonable liability
regimes, controls on harmful uses of information, promotion of
a diversity of online voices, security requirements based on
the sensitivity of the data, and a light regulatory hand that
favors and recognizes complementary roles for industry self-
regulation.\49\
---------------------------------------------------------------------------
\49\ Anne Toth, Comment of Yahoo! on Commercial Data Privacy and
Innovation in the Internet Economy, January 28, 2011, 2, http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=F6A50C0B-
00CC-44A6-B475-FE218170CA02.
The Department of Commerce's recent privacy green paper says
America should look to ``prevent conflicting policy regimes from
serving as a trade barrier.'' \50\ But should the U.S. impose
burdensome new regulations on American companies to achieve that goal?
Would we really be better off if all U.S. firms and policy more closely
resembled the E.U. in this regard?
---------------------------------------------------------------------------
\50\ Department of Commerce, Commercial Data Privacy and
Innovation, 20.
---------------------------------------------------------------------------
Some privacy advocates posit the need for greater
``interoperability'' or harmonization of privacy policies
internationally to facilitate smoother online commercial interactions
or data flows. Yet, the Commerce Department's recent privacy green
paper notes that ``a considerable amount of global commerce takes place
on the Internet [and] global online transactions currently total an
estimated $10 trillion annually'' and is growing. Still, it continues
on to claim that ``the lack of cross-border interoperability in privacy
principles and regulations creates barriers to cross-border data flow
and significant compliance costs for companies,'' \51\ and repeats the
argument for harmonization.
---------------------------------------------------------------------------
\51\ Ibid.
---------------------------------------------------------------------------
There are three problems with that theory. First, it assumes that
the benefits of regulatory harmonization--which, to be perfectly clear,
would arrive in the form of increased regulation on U.S. operators--
would outweigh the cost of complying with those new rules.
Second, there is no reason that harmonization could not work in the
opposite direction. If the Commerce Department, the FTC and other U.S.
lawmakers want to promote U.S. trade, exports, commerce, and global
competitiveness, the proper way to ``leveling the playing field'' in
this context should be the same as it is in relation to speech policy
or trade law: the rest of the world should follow America's lead; the
U.S. should absolutely not regulate up to achieve parity with theirs.
Which raises a final problem with the argument for harmonization of
privacy regimes through increased regulation on U.S. businesses: it
sets a horrible precedent. At least thus far this has not been the
approach the U.S. Government has taken in most other Internet policy
contexts, and with good reason. Consider this in the context of speech
controls. When policymakers in Europe and other regions or countries
stifle free speech and expression online, America's response has not
been to mimic them but, rather, to lead by example. That is, when
confronted with conflicting regulatory regimes abroad, our response has
usually been to proudly boast to the world that we have the more
sensible approach to Internet regulation, which is to say, it should be
tightly limited so as not to stifle speech or commerce. Some critics
might label this ``American exceptionalism,'' but it is really just
common sense if we hope to promote the international competitiveness of
U.S. online businesses and remain a global leader in this arena.
5. ``Silver-Bullet'' Solutions Rarely Adapt or Scale Well
Finally, there is the more general normative problem of the
Commission seeking a simple solution to a complex ``problem'' such as
online privacy protection. Do Not Track fits into a long line of
proposed silver-bullet solutions that would mandate a ``universal''
solution to a complicated economic or social issue.
When it comes to such information control efforts, there aren't
many good examples of simple fixes or silver-bullet solutions that have
worked, at least not very long. Consider the illusive search for a
solution to online pornography. The PICS/ICRA experience is instructive
in this regard. PICS and ICRA refer to the W3C's Platform for Internet
Content Selection \52\ and Internet Content Rating Association.\53\ For
a time, there was hope that voluntary metadata tagging and content
labeling could be used to screen objectionable content on the Internet.
But the sheer volume of material to be dealt with made that task almost
impossible. The effort has been abandoned now.\54\ Of course, it is
true that effort did not have a government mandate behind it to
encourage more widespread adoption, but even if it would have, it is
hard to believe that all pornography or other objectionable content
would have been labeled and screened properly.
---------------------------------------------------------------------------
\52\ http://www.w3.org/PICS.
\53\ http://www.fosi.org/icra.
\54\ http://www.icra.org.
---------------------------------------------------------------------------
In a similar way, The CAN-SPAM Act aimed to curtail the flow of
unsolicited e-mail across digital systems and, yet, failed to do so.
Private filtering efforts have helped stem the flow to some extent, but
have not eliminated the problem altogether. Royal Pingdom estimates
that in 2010 89.1 percent of all e-mails were spam.\55\ ``Spam pages,''
are also a growing concern. In January 2011, Blekko, a new search
engine provider, created a ``Spam Clock'' to track new spam pages and
found 1 million new spam pages were being created every hour.\56\
---------------------------------------------------------------------------
\55\ Royal Pingdom, ``Internet 2010 in Numbers,'' January 12, 2011,
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers.
\56\ http://www.spamclock.com. Also see, Danny Sullivan, ``Blekko
Launches Spam Clock To Keep Pressure On Google,'' Search Engine Land,
January 7, 2011, http://searchengine
land.com/blekko-launches-spam-clock-tokeep-pressure-on-google-60634.
---------------------------------------------------------------------------
Similar problems await information control efforts in the privacy
realm, even if a mandated Do Not Track mechanism required the re-
engineering of web browser architecture and/or standards. ``It's a
single response to an overly-simplifies set of choices we encounter on
the web,'' notes the NetChoice Coalition, which represents e-commerce
companies.\57\ Also, Do Not Track ``does not address mobile or app
data, nor any data created outside a traditional web browser,'' notes
Michael Fertik, CEO of Reputation.com.\58\ ``At the same time, the
growth in technology and understanding can render current solutions
inadequate. A privacy rule to limit behavioral advertising today might
not work in the future when more data is available and there are more
powerful algorithms to process it,'' he says. ``There is no reliable
way of ensuring this technology is being used, however,'' says Sidney
Hill of Tech News World. ``Ensuring compliance with antitracking rules
will become even more difficult as more users turn to mobile devices as
their primary means of connecting to the Web.'' \59\
---------------------------------------------------------------------------
\57\ Steve DelBianco and Braden Cox, NetChoice Reply Comments on
Department of Commerce Green Paper, January 28, 2011, 14, http://
www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=1EA98542-
23A4-4822-BECD-143CD23BB5E9.
\58\ Michael Fertik, Comments of Reputation.com, Inc. to the U.S.
Department of Commerce, January 28, 2011, 12, http://
www.reputation.com/blog/2011/01/31/reputation-com-comments-commerce-
department-privacy-greenpaper.
\59\ Sidney Hill, ``Internet Tracking May Not Be Worth the
Headaches,'' Tech News World, December 29, 2010, http://
www.technewsworld.com/story/Internet-Tracking-May-Not-Be-Worth-the-
Headaches-71543.html.
---------------------------------------------------------------------------
Importantly, Do Not Track would not slow the ``arms race'' in this
arena as some seem to hope or suggest.\60\ If anything, as noted in
more detail below, a Do Not Track mandate will speed up that arms race
and have many other unintended consequences.\61\ Complex definitional
questions also remain unanswered, such as how define and then limit
``tracking'' in various contexts, as well as how to enforce such a
regime. Lauren Weinstein summarizes some of the most obvious issues:
---------------------------------------------------------------------------
\60\ Some examples: ``The header-based Do Not Track system appeals
because it calls for an armistice in the arms race of online
tracking.'' Rainey Reitman, ``Mozilla Leads the Way on Do Not Track,''
Deeplinks, Electronic Frontier Foundation, January 24, 2011, https://
www.eff.org/deeplinks/2011/01/mozilla-leads-the-way-on-do-not-track.
Similarly, Chris Soghoian argues that ``opt out mechanisms . . .
[could] finally free us from this cycle of arms races, in which
advertising networks innovate around the latest browser privacy
control.'' Christopher Soghoian, ``What the U.S. Government Can Do To
Encourage Do Not Track,'' Slight Paranoia, January 27, 2011, http://
paranoia.dubfire.net/2011/01/what-us-government-can-do-to-
encourage.html. Finally, Arvind Narayanan of Stanford University argues
that Do Not Track, ``is a way to move past the arms race between
tracking technologies and defense mechanisms, focusing on the actions
of the trackers rather than their tools.'' Arvind Narayanan, ``'Do Not
Track' Explained,'' 33 Bits of Entropy, September 30, 2010, http://
33bits.org/2010/09/20/do-not-track-explained.
\61\ ``Too often, well-intentioned efforts to regulate technology
are far worse than the imagined evils they were intended to prevent.''
Abelson, Ledeen, and Lewis, Blown to Bits, 159.
Sending out a new ``Do Not Track'' header--even beyond basic
associated technical requirements at the client and server
ends--and even if there's agreement on how that header is
defined--tells you nothing about what actually happens to that
header after being sent by the client browser. How does the
user who sends such a header actually confirm that they're
``not being tracked'' as a result? And how do they know that
continued tracking isn't caused by a technical issue that
prevented the header from ever being received and processed by
---------------------------------------------------------------------------
the destination server?
Perhaps the header line was ``eaten'' by an intermediate proxy
server (it's quite common for proxies not to pass along all
headers). Or maybe the header reached a server that simply
hadn't been modified to recognize it yet. Or did the header
reach a server in some jurisdiction (say, outside of the U.S.)
that wouldn't even be ``required'' to know about that new
header? And so on.
You can't just send a Do Not Track header and expect meaningful
results. In practice, you end up having to build an entire
confirmation apparatus of some sort--and even then it's likely
to be a mess. Without confirmation, you can send out whatever
headers you wish, but when you don't get the results you
expect, what does that mean? Who knows? This all gets very
complicated, very quickly.\62\
---------------------------------------------------------------------------
\62\ Lauren Weinstein, ``Risks in Mozilla's Proposed Firefox ``Do
Not Track'' Header Thingy,'' Lauren Weinstein blog, January 24, 2010,
http://lauren.vortex.com/archive/000803.html.
Moreover, in light of the global nature of online commerce and
speech, Do Not Track will not scale as well as advocates hope.\63\
Castro says:
---------------------------------------------------------------------------
\63\ ``Many behavioral targeting companies are based outside the
US--making legislation ineffective,'' says Doug Wolfgram, CEO of
IntelliProtect, an online privacy management company. Quoted in Tony
Bradley, ``Why Browser `Do Not Track' Features Will Not Work,''
Computerworld, February 10, 2011, http://news.idg.no/cw/
art.cfm?id=ACE91A0E-1A64-6A71-CE2572C981C0204A.
Another problem with Do Not Track is that it does not scale
well on the global Internet. As described above, to be
effective, the proposal would require a Federal mandate calling
for substantive modifications to networking protocols, web
browsers, software applications and other Internet devices.
Besides raising costs for consumers, it is unclear how
effective such a mandate would be outside of the U.S. borders
or how well the proposal would be received by international
standard bodies.\64\
---------------------------------------------------------------------------
\64\ Castro, ``Policymakers Should Opt Out of `Do Not Track','' 3.
Again, as noted previously, the regulatory experience with spam,
objectionable content, and copyrighted content suggest serious
challenges lie ahead because of the borderless nature of online
activity /commerce.
6. Implications of This New Regime in Other Contexts
A final danger with the FTC's proposed Do Not Track information
control regime is that it could also establish a precedent for other
forms of Internet regulation. If, in the context of privacy policy,
``opt-in'' becomes the new default norm or mechanisms such as Do Not
Track become the preferred top-down mandate, similar regulatory norms
might be expected in other contexts. Why not mandatory ``opt-in'' for
other types of speech or content? For example, should the presence of
potentially objectionable content across digital networks be used as an
excuse for greater regulation of the Internet?
That is not the way things currently work, of course. At least in
the United States, we demand that personal and parental responsibility
be the first and primary line of defense against unwanted
communications or content. Why should it be any different when it comes
to ``privacy'' concerns? \65\
---------------------------------------------------------------------------
\65\ The Cato Institute's Jim Harper argues: ``Privacy is not a
gift from politicians or an entitlement that can be demanded from
government. Privacy is a product of personal responsibility. Like moral
living, privacy is the product of careful consideration and concerted
effort by individuals. To be sure, protecting privacy can be hard. It
involves knowledge, vigilance, and constant trade-offs.'' Harper,
``Understanding Privacy,'' 5.
---------------------------------------------------------------------------
Consider how things work in the context of speech and content
regulation, American jurisprudence has become a fairly settled matter:
people (or parents) are expected to take responsibility for unwanted
information flows in their lives (or the lives of their children).
Under current law, it is assumed that the many user empowerment tools
on the market (filters, monitoring software, other parental control
technologies) constitute a so-called ``less-restrictive means'' of
controlling content when compared to government regulation.
Many privacy advocates--such as ACLU, the Center for Democracy &
Technology, and the Electronic Frontier Foundation--vociferously
endorse this ``less-restrictive means'' test or ``educate and empower''
paradigm in the free speech context. Generally speaking, when it comes
to speech regulation, they rightly argue ``household standards'' (user-
level controls) should trump ``community standards'' (government
regulation). And in Court they repeatedly employ the ``less-restrictive
means'' test to counter government efforts to regulate information
flows.
When it comes to privacy, however, many of them abandon this
vision. For some reason, when the topic of debate shifts from concerns
about potentially objectionable content to the free movement of
personal information, personal responsibility and self-regulation
become the last option, not the first. What is most troubling about
this is that those advocates could be unwittingly undermining the power
of the ``less restrictive means'' test more generally, which is a
vitally important barrier to greatly enhanced government control of
cyberspace. That is, when privacy advocates ignore, downplay, or
denigrate user empowerment tools, they are essentially saying self-help
is the right answer in one context, but not the other.
That is a shame because, as discussed below, self-help tool work
well in both contexts. And the same arguments used against private
parental empowerment technologies are often trotted out in opposition
to privacy controls. Can privacy tools be confusing at times or
difficult to set up? Yes, they can, but no more so that parental
control tools. Are privacy tools as effective as parental control
tools? In some ways privacy tools are actually more effective because
in the case of parental controls, the person you are attempting to
``protect'' (namely, kids) often have a stronger incentive to evade/
defeat those tools. Moreover, privacy-enhancing controls can be very
effective--perhaps even too effective--at shutting down unwanted
information flows. Whether it is ad-blocking tools, cookie controls, or
encryption techniques, these tools can actually be far more effective
blocks on information flows than, say, Internet filters meant to block
porn or hate speech, which is also more subjective by nature.
Of course, no technological empowerment tool or solution is
perfect. But as the Supreme Court held in United States v. Playboy,
empowerment tools need not be perfect to be preferable to government
regulation. ``Government cannot ban speech if targeted blocking is a
feasible and effective means of furthering its compelling interests,''
the Court held.\66\ Moreover, ``It is no response that voluntary
blocking requires a consumer to take action, or may be inconvenient, or
may not go perfectly every time. A court should not assume a plausible,
less restrictive alternative would be ineffective; and a court should
not presume parents, given full information, will fail to act.'' \67\
---------------------------------------------------------------------------
\66\ United States v. Playboy Entertainment Group, 529 U.S. 803,
815 (2000).
\67\ Ibid., 824.
---------------------------------------------------------------------------
Again, the exact same principle should hold for privacy regulation
\68\ Why not expect those especially privacy-sensitive users who object
to targeted online advertising to do something about it? To the extent
effective self-help privacy tools exist, they provide a means of
solving policy problems that is not only ``less restrictive'' than
government regulation but generally more effective and customizable as
well. Why settle for one-size-fits-all solutions of incomplete
effectiveness when users can quite easily and effectively manage their
own privacy? Indeed, those who advocate personal responsibility and
industry self-regulatory approaches to free speech and child protection
issues should be advancing the same position with regards to privacy.
---------------------------------------------------------------------------
\68\ Chapman University Law Professor Tom Bell has argued the same
principle should hold in both contexts. Tom W. Bell, ``Internet Privacy
and Self-Regulation: Lessons from the Porn Wars,'' Briefing Paper 65
(Washington, D.C.: Cato Institute, August 9, 2001), http://
www.cato.org/pub_display.php?pub_id=1504.
---------------------------------------------------------------------------
�