b"<html>\n<title> - ELECTRONIC COMMERCE: THE CURRENT STATUS OF PRIVACY PROTECTIONS FOR ONLINE CONSUMERS</title>\n<body><pre>[House Hearing, 106 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n  ELECTRONIC COMMERCE: THE CURRENT STATUS OF PRIVACY PROTECTIONS FOR \n                            ONLINE CONSUMERS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                  SUBCOMMITTEE ON TELECOMMUNICATIONS,\n                     TRADE, AND CONSUMER PROTECTION\n\n                                 of the\n\n                         COMMITTEE ON COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 13, 1999\n\n                               __________\n\n                           Serial No. 106-39\n\n                               __________\n\n            Printed for the use of the Committee on Commerce\n\n                    ------------------------------  \n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n58-511 CC                   WASHINGTON : 1999\n\n\n                         COMMITTEE ON COMMERCE\n\n                     TOM BLILEY, Virginia, Chairman\n\nW.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan\nMICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California\nMICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts\nJOE BARTON, Texas                    RALPH M. HALL, Texas\nFRED UPTON, Michigan                 RICK BOUCHER, Virginia\nCLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York\nPAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey\n  Vice Chairman                      SHERROD BROWN, Ohio\nJAMES C. 
GREENWOOD, Pennsylvania     BART GORDON, Tennessee\nCHRISTOPHER COX, California          PETER DEUTSCH, Florida\nNATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois\nSTEVE LARGENT, Oklahoma              ANNA G. ESHOO, California\nRICHARD BURR, North Carolina         RON KLINK, Pennsylvania\nBRIAN P. BILBRAY, California         BART STUPAK, Michigan\nED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York\nGREG GANSKE, Iowa                    THOMAS C. SAWYER, Ohio\nCHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland\nTOM A. COBURN, Oklahoma              GENE GREEN, Texas\nRICK LAZIO, New York                 KAREN McCARTHY, Missouri\nBARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio\nJAMES E. ROGAN, California           DIANA DeGETTE, Colorado\nJOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin\nHEATHER WILSON, New Mexico           BILL LUTHER, Minnesota\nJOHN B. SHADEGG, Arizona             LOIS CAPPS, California\nCHARLES W. ``CHIP'' PICKERING, \nMississippi\nVITO FOSSELLA, New York\nROY BLUNT, Missouri\nED BRYANT, Tennessee\nROBERT L. EHRLICH, Jr., Maryland\n\n                   James E. Derderian, Chief of Staff\n\n                   James D. Barnette, General Counsel\n\n      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel\n\n                                 ______\n\n   Subcommittee on Telecommunications, Trade, and Consumer Protection\n\n               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman\n\nMICHAEL G. OXLEY, Ohio,              EDWARD J. MARKEY, Massachusetts\n  Vice Chairman                      RICK BOUCHER, Virginia\nCLIFF STEARNS, Florida               BART GORDON, Tennessee\nPAUL E. GILLMOR, Ohio                BOBBY L. RUSH, Illinois\nCHRISTOPHER COX, California          ANNA G. ESHOO, California\nNATHAN DEAL, Georgia                 ELIOT L. ENGEL, New York\nSTEVE LARGENT, Oklahoma              ALBERT R. 
WYNN, Maryland\nBARBARA CUBIN, Wyoming               BILL LUTHER, Minnesota\nJAMES E. ROGAN, California           RON KLINK, Pennsylvania\nJOHN SHIMKUS, Illinois               THOMAS C. SAWYER, Ohio\nHEATHER WILSON, New Mexico           GENE GREEN, Texas\nCHARLES W. ``CHIP'' PICKERING,       KAREN McCARTHY, Missouri\nMississippi                          JOHN D. DINGELL, Michigan,\nVITO FOSSELLA, New York                (Ex Officio)\nROY BLUNT, Missouri\nROBERT L. EHRLICH, Jr., Maryland\nTOM BLILEY, Virginia,\n  (Ex Officio)\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                               __________\n                                                                   Page\n\nTestimony of:\n    Anthony, Hon. Sheila F., Commissioner, Federal Trade \n      Commission.................................................    39\n    Cerasale, Jerry, Senior Vice President, Government Affairs, \n      Direct Marketing Association, Inc..........................    99\n    Lewin, Robert, Executive Director, TrustE....................    75\n    Lucas, Steve, Chief Information Officer and Senior Vice \n      President, Industry Government Relations, PrivaSeek........    94\n    Mulligan, Deirdre, Staff Counsel, Center for Democracy and \n      Technology.................................................    79\n    Pitofsky, Hon. Robert, Chairman, Federal Trade Commission....     9\n    Singleton, Solveig, Director of Telecommunications and \n      Technology Studies, Cato Institute.........................    89\n    Swindle, Hon. Orson, Commissioner, Federal Trade Commission..    37\n    Thompson, Hon. Mozelle W., Commissioner, Federal Trade \n      Commission.................................................    45\nMaterial submitted for the record by:\n    Gray, Peter, Chairman, The Internet Consumers Organization, \n      prepared statement of......................................   
125\n\n                                 (iii)\n\n  \n\n\n  ELECTRONIC COMMERCE: THE CURRENT STATUS OF PRIVACY PROTECTIONS FOR \n                            ONLINE CONSUMERS\n\n                              ----------                              \n\n\n                         TUESDAY, JULY 13, 1999\n\n              House of Representatives,    \n                         Committee on Commerce,    \n                    Subcommittee on Telecommunications,    \n                            Trade, and Consumer Protection,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10 a.m., in \nroom 2322, Rayburn House Office Building, Hon. W.J. ``Billy'' \nTauzin (chairman) presiding.\n    Members present: Representatives Tauzin, Stearns, Gillmor, \nCox, Deal, Largent, Cubin, Rogan, Shimkus, Pickering, Bliley \n(ex officio), Markey, Boucher, Gordon, Eshoo, Luther, Sawyer, \nand Green.\n    Staff present: Paul Scolese, professional staff member, \nElizabeth Brennan, legislative clerk, Andy Levin, minority \ncounsel, and Bruce Gwinn, minority counsel.\n    Mr. Tauzin. The subcommittee will please come to order. \nToday the subcommittee will hear testimony on the current \nstatus of privacy protection for online consumers. When this \nsubcommittee held a hearing last year on Internet privacy, the \neffort by industry to create a self-regulatory scheme was still \nin its infancy.\n    We heard what the industry planned to do in the coming \nmonths and also criticism that industry was not doing enough \nand that government regulation on privacy might be needed. Let \nme say categorically that it will not necessarily be how the \nInternet is taxed. It will not necessarily be how much money \nflows in electronic commerce. It will certainly be how secure \nelectronic commerce is for consumers and for businesses who \nwish to deal with them over the Internet. 
It will most \ncertainly be how much privacy is respected and protected on the \nInternet that will determine the future of electronic commerce \nas a vibrant and important part of our Nation's economy. It is \nour hope that we use this hearing today to gauge just how much \nprogress we have made in protecting online privacy since last \nyear's hearing. Today's dialog should allow us an opportunity \nto see where efforts have been successful and where efforts \nhave fallen short. I am hopeful that we can have a healthy \ndebate on whether or not we need government regulation or is \nthe threat of government regulation enough to further progress \nin the industry.\n    I am pleased that we are having the FTC testify before this \nsubcommittee again. The work that the FTC has done on this \nissue has been excellent. We look forward to hearing the \nrecommendations they will make today in public. I know from \nreading an advanced copy of the testimony that the FTC is not \nrecommending legislation at this time to protect online \nprivacy. We will also be hearing from a number of private \nsector witnesses who will speak about industry's efforts to \nprotect the privacy of their customers. We will also hear from \nindustry observers who will speak on the issue of self-\nregulation versus government legislation or regulation.\n    Last Congress, I introduced H.R. 2368, the Data Protection \nAct, which would establish voluntary industry guidelines to \nlimit the collection and use of personal information obtained \nby the Internet. I believed that a private sector approach was \nbest, and I still believe that. As a witness to the ever \nchanging technological advances, enacting government \nregulations at that time would more than likely have been too \ninflexible for the rapidly changing electronic commerce \nindustry.\n    Is that true today? Today's hearing will perhaps give us \nthat answer. 
The Georgetown Internet privacy policy study which \nwas just released in May gives us a good indication of how far \nindustry has come in self-regulation. I think that the numbers \nare very encouraging, although there is still more that the \nindustry can, should, must do.\n    One area that has not been much discussed is how consumers \ncan gain more control over their own personal information and \nthen release that information only when they believe they will \nreceive some benefit in exchange for that information. It is \nobviously true that some of the software industries are \nproducing software products that would, in fact, enable \nconsumers just that power over their own information. As I \nstated before, personal information does have value.\n    In fact, as the Internet has grown, e-commerce has grown. \nThere is more value in data bases now than there are in the \ncompany assets themselves. Recently, a company announced that \nthey would give free computers with Internet access to the \nfirst 10,000 individuals that applied. In the first few days, \nover a half million people applied for one of those computers. \nThe only catch was that the applicant had to fill out a very \ndetailed application revealing personal information such as \nwhat type of automobile they drove, which magazines they \nsubscribed to; in effect which purchases they liked to make. I \nthink this shows that when consumers get something of value in \nreturn, some people are willing to part with detailed personal \ninformation.\n    Before I close, I want to thank all of our witnesses this \nmorning for agreeing to testify on this most important issue. \nMy friend, Mr. Markey, has just arrived. He and I have \ndedicated ourselves to ensure, along with the chairman of the \nfull committee who is also with us today, that our committee \nwill address thoroughly the issue of online privacy, the \nprivacy of individuals' information, the security of e-commerce \nfor our future. 
This will be an important step in that effort. \nWe look forward to hearing the testimony today. The Chair \nyields back the balance of his time, and I welcome and \nrecognize as the ranking minority member, Mr. Markey, from \nMassachusetts.\n    Mr. Markey. Thank you, Mr. Chairman, very much. I would \nlike to commend you for calling this hearing today on the \nsubject of online privacy.\n    This hearing coincides with the release of a privacy report \nfrom the Federal Trade Commission which reflects the results of \nan online survey conducted earlier this year by Professor Mary \nCulnan at the Georgetown Business School. In its previous \nreport to Congress, the FTC articulated a number of core \nprinciples for implementing fair information practices in the \nonline environment in order to establish key protections for \nconsumers. The Georgetown survey searched for these key privacy \ncriteria which are comprised of the following items.\n    Notice, ensuring that consumers receive clear conspicuous \nnotice of the personal information practices of the Web site.\n    Choice, giving consumers an effective means of granting or \ndenying consent to the privacy practices of the Web site.\n    Access, ensuring that consumers could gain access to the \ninformation collected by a Web site for correction and \ninformation on whether personal data has been reused, \ndisclosed, or sold and to whom.\n    And security, ensuring that information collected by a site \nhas reasonable safeguards to protect security and integrity of \nthe personal data.\n    And five, contact information, ensuring that consumers have \na convenient method by which to contact the Web site manager \nwith questions, suggestions, and complaints.\n    The survey conducted at Georgetown found that less than 10 \npercent of sites collecting personal information had privacy \npolicies embodying these fair information criteria. Just 10 \npercent. This survey is quantitative. 
It doesn't even measure \nthe quality of the notice disclosure or so-called opt-out or \nopt-in features.\n    Any privacy policy that doesn't incorporate these key \nelements for consumers is a failure. The survey has found that \nonly a very small minority of sites have implemented these key \nprivacy elements. The industry as a whole continues to get a \nfailing grade.\n    The question remaining is how much credit people are \nwilling to give companies for merely taking the course while \nthey fail the subject matter. There is no question that \nconsumer concern over privacy has clearly heightened awareness \nof the issue in the online business community.\n    The fact that many web sites are at least posting their \nprivacy policies is an improvement. Even in a failing group, \nthere are still some star pupils. I want to commend those \ncompanies and individuals associated with online privacy \ninitiatives, seal programs such as TRUSTe and BBBOnLine as well \nas the growing number of companies taking steps to better \ninform consumers and offer comprehensive privacy protections on \ntheir own initiative.\n    I think it is increasingly clear that we need a basic level \nof privacy protections for all Americans online. I believe that \nthere is a role for a privacy marketplace and a role for \nindustry self-regulatory initiatives. No American, however, \nshould be left without any privacy protection in the online \nenvironment.\n    In my view, we should pursue a legal framework which \nshould:\n    1) incorporate elements of industry self-regulation, 2) \nallow technological tools to enhance privacy, and 3) guarantee \nbasic government-backed protections.\n    Less than 2 weeks ago, the House passed H.R. 10, the \nFinancial Services Act. 
This legislation includes privacy \nprovisions which purport to provide consumers with the core \nprinciples, but with some huge loopholes that must be addressed \nin conference.\n    For instance, we need to address the failure to provide \nconsumers with notice and the right to say no when a consumer's \ninformation is disclosed to affiliates within a bank holding \ncompany rather than an unaffiliated third party. This \nartificial distinction between affiliates and third party \ntransfers of consumer information makes no sense. It is like \noutlawing robbery while legalizing embezzlement. I look forward \nto working with my colleagues on this committee in pursuing \nprivacy protections for consumers in H.R. 10 and for \ncyberspace. I commend Chairman Tauzin for calling this hearing, \nand I look forward to the testimony from our witnesses.\n    Mr. Tauzin. As usual, I thank my friend and the Chair now \nyields to the gentleman from Richmond, Virginia, the chairman \nof the full Committee on Commerce, Mr. Tom Bliley.\n    Chairman Bliley. Thank you, Mr. Chairman, for holding this \nhearing. Protection of personal privacy is one of our most \ntalked about issues facing electronic commerce. All Americans \nhave legitimate concerns about how that personal information \nthey provide to web sites is used by the operator of that Web \nsite. As I have stated many times in the past, I believe that \nensuring safety, security, and privacy of online consumers is \nkey to consumer use and acceptance of the Internet. Without \nthese concerns being met, I believe that consumers may lose \nconfidence in electronic commerce.\n    This committee has been active on the issue of online \nprivacy since the 105th Congress. Online privacy is an issue \nthat I hear about many times from my constituents and also from \nthe many people I speak to in the industry. 
At the privacy \nhearing that this subcommittee held last year, industry \nwitnesses laid out their plans to protect privacy of consumers. \nAt the time, I supported this effort rather than a Federal \nregulatory approach. Electronic commerce changes so quickly \nthat I am concerned that a government-mandated privacy policy \nwould stifle innovation. We would be imposing a static policy \non a dynamic and constantly changing industry.\n    Since that hearing last year, I have been monitoring the \nprogress industry has made in self-regulation. I think the \nprogress to date has been very good. The recently completed \nGeorgetown privacy study showed impressive results in the \nposting of privacy policy by commercial web sites.\n    Despite these good results, now is not the time for \nindustry to ease up. There is still much more work to be done. \nBricks and mortar businesses that are moving online need to \ntailor their existing privacy policy to the online world. I \nknow that Commissioner Swindle is particularly interested in \nthe needs of small businesses as they move online. Also the \ntrue test of a privacy policy is the remedy to consumers if \ntheir privacy is violated. Their privacy policy is worth little \nif their company can ignore consumers who seek redress.\n    Another area that deserves attention and which I will be \nfollowing closely, is the transfer of personally identifiable \ninformation to third parties. Consumers should be told when \nthird parties may have access to their information and should \nhave the right to refuse the transfer to others of such \ninformation. I know there are some legitimate business uses for \nthe transfer of this information. For example, consumers may \nenjoy knowing about the benefits of getting a discount on a \nrental car when they purchase an airplane ticket online. 
But \nthere are many consumers who would prefer not to have personal \ninformation about their online reservations or purchases shared \nwith other parties. They should have the right to opt out of \nthe information sharing.\n    Before I close, I would like to make an announcement. Very \nshortly, the Commerce Committee will be posting a privacy \npolicy on the committee Web site. We will be the first \ncommittee in Congress to post a privacy policy so that visitors \nto the committee Web site will know how the committee uses \ninformation they provide during a visit to the committee Web \nsite.\n    I want to thank all of our witnesses today for testifying \non this issue before this subcommittee, and I would also like \nto thank Chairman Pitofsky for all of the work that the FTC has \ndone on this issue. The FTC has been closely following this \nissue and will be publicly releasing their recommendation on \ndealing with online privacy. I understand that the FTC will not \nbe recommending legislation to regulate privacy at this time. I \nwelcome this recommendation, and I look forward to reviewing \nthe full set of recommendations.\n    Thank you, Mr. Chairman, and I yield back what little time \nI may have left.\n    Mr. Tauzin. The Chair thanks Chairman Bliley. The Chair \nwishes to congratulate him on the announcement he has made \ntoday. I know we will all feel a lot more comfortable dealing \nwith the committee online. The Chair is now pleased to \nrecognize the gentlelady from California, Ms. Eshoo, for an \nopening statement.\n    Ms. Eshoo. Thank you, Mr. Chairman, for holding this very \nimportant hearing and I look forward to the testimony and want \nto welcome the members--the chairman and the members of the FTC \nand most especially Robert Lewin, the executive director of \nTRUSTe who is also a constituent of mine. 
The issue of privacy \nis something that every American cares intensely about.\n    In fact, I think they associate it with being an American. \nIt is a right that they want protected. It is a right that they \nfeel passionately about whether it is the protection of their \nfinancial records, medical records, or certainly going online \nand conducting business with e-commerce. So I think it is very \nimportant today that this hearing takes place. We will be \nmeasuring, by means of this hearing, the progress that has been \nmade since last year, and I look forward to hearing the \nwitnesses. And I yield back the balance of my time.\n    Mr. Tauzin. The Chair thanks the gentlelady, and the \ngentleman from Illinois, Mr. Shimkus, is recognized.\n    Ms. Eshoo. Mr. Chairman, you need some water. Perhaps we \nshould pour some water for the chairman.\n    Mr. Shimkus. Mr. Chairman, I have no opening statements.\n    Mr. Tauzin. Then the Chair recognizes the gentleman from \nCalifornia, Mr. Rogan.\n    Mr. Rogan. Mr. Chairman, thanks. I waive opening statement.\n    Mr. Tauzin. Then the Chair recognizes Mr. Luther.\n    Mr. Luther. Thank you, Mr. Chairman. I certainly want to \nthank you and Mr. Markey for your efforts in putting this \nhearing together today. This is an important issue that is \nreally grabbing the attention of the public. I think we saw \nthis in hearings that we held on the bank financial \nmodernization legislation. And, of course, my home State is \nMinnesota.\n    Minnesota is where we had recent litigation by the attorney \ngeneral against a banking institution. And so I was able to \njudge, to some extent, the public response and reaction to \nthat. And so I think the comments that have been made here by \nMr. Markey and Ms. Eshoo are very appropriate in that this is \nan issue taken very seriously by the American public.\n    I think we are just beginning to see the attention that is \ngoing to be paid to this particular issue. 
So despite the fact \nthat we didn't win all of the issues that we were pursuing, \nparticularly with the Markey amendment on the financial \nmodernization legislation, I am very pleased to see that we are \nback talking about this issue again.\n    And so again, I commend you and Mr. Markey and the others \nwho are here today for taking on the issue that I think the \npublic wants us to deal with here in Congress: that is, their \nprivacy, who owns their information, how that ought to be dealt \nwith by other people. So thank you again, Mr. Chairman, and I \nyield back.\n    Mr. Tauzin. I thank the gentleman. I suggest that if \nanybody misbehaves in Minnesota that we just put Governor ``The \nBody'' Ventura on them.\n    Mr. Luther. That is right. You will have to take us \nseriously now.\n    Mr. Tauzin. The Chair recognizes the gentleman from \nTennessee, Mr. Gordon, for an opening statement.\n    Mr. Gordon. Mr. Chairman, I would just briefly thank you \nfor having this important meeting and I want to concur with Ms. \nEshoo that this is a very important personal issue for people \nacross the country and also concur with Chairman Bliley, in \nthat if we are going to have full access and use of electronic \ncommerce, then there is going to have to be confidence on the \nnet. This is a good hearing. We need to find where we stand and \nhow we can make this balance and I welcome the panelists.\n    Mr. Tauzin. I thank the gentleman from Tennessee. The Chair \nand I ask unanimous consent that all members might have the \nability to introduce written statements into the record and all \nof the written statements of our witnesses be part of the \nrecord. Without objection it is so ordered.\n    [Additional statements submitted for the record follow:]\nPrepared Statement of Hon. Barbara Cubin, a Representative in Congress \n                       from the State of Wyoming\n    Thank you, Mr. 
Chairman, for holding this important hearing on \nelectronic commerce.\n    I think it is interesting to note that according to a 1998 World \nWide Web user survey, the most important issue facing the Internet was \nprivacy.\n    However, I think it is even more interesting to note that \ngovernment regulation of the Internet was also one of the most \nimportant issues on the minds of Internet users.\n    The hearing today will help us to more fully understand what \nprivacy rights are being threatened and what, if any, government \nregulations are needed to help protect Internet consumers from having \ntheir right to privacy violated.\n    My preference is that industry work out a way in which to solve the \nprivacy issue.\n    The difficulty comes in policing many of the bad actors out there \nthat essentially make their living garnering and disbursing a \nconsumer's personal information.\n    There is a push under way for Congress to address this problem in \nlieu of an industry solution. We should all know at this point that a \ngovernment solution will never be as good as industry self-governance.\n    The issue of privacy and the public's knowledge of privacy is \ncomplex and unclear.\n    I look forward to hearing from the witnesses and hope to learn more \nabout this issue.\n    I'm also interested in what industry proposals are currently in \nplace and what solutions are currently being looked at to solve this \nproblem.\n    Thank you, Mr. Chairman. I yield back.\n                                 ______\n                                 \n   Prepared Statement of Hon. Thomas C. Sawyer, a Representative in \n                    Congress from the State of Ohio\n    Thank you Mr. Chairman for holding this oversight hearing this \nmorning. 
I also want to thank the Commissioners from the Federal Trade \nCommission (FTC) for coming to update us on the status of commercial \nwebsites as they relate to online privacy policies.\n    The flexibility of the relatively unregulated environment has \ngreatly contributed to the growth of the Internet. It is becoming clear \nto me that a primary reason for the Internet's success has been because \nof the entrepreneurial spirit of the companies that have helped to make \nit so extraordinary. Throughout this decade, the Internet has grown \nfrom being used by a select few to being used by millions in the United \nStates and internationally for various purposes. The Internet is having a \nprofound effect on the traditional ways human discourse and enterprise \nare conducted, and on the way users receive and distribute information.\n    Not long ago, the Department of Commerce estimated that by the end \nof this year electronic commerce in the United States alone could top \n$9 billion. That is a significant increase over last year's figures.\n    Still, the widespread use of the Internet is relatively new; it is \nless than a decade old. No one really knows what its full potential is. \nHowever, one thing is true: if consumers are not confident with using \nthe Internet for fear of privacy invasions, electronic commerce may not \nsoon realize the full measure of its potential.\n    Consumers deserve assurances that their personal information when \nusing the Internet is safe, secure and available only to those they \nauthorize to have such information. On a similar note, consumers should \nhave the ability to review and modify information that is collected \nabout them. 
These are just basic principles that make good, sound \nbusiness practices.\n    Last year, when the Federal Trade Commission and the Online Privacy \nAlliance came to testify before us, both recommended that Congress not \nenact legislation requiring commercial websites to develop an online \nprivacy policy. However, they promoted self-regulation within the \nindustry as the immediate answer to address privacy concerns. They \nreasoned that companies are different, and a uniform national system of \nstandards may not be adequate.\n    I am encouraged by the fact that the recent Georgetown and Online \nPrivacy Alliance studies show that more commercial websites have \ndecided to develop and implement online privacy policies. The reports \nshow a dramatic increase from the Federal Trade Commission's previous \nsurvey. I hope that this trend continues. I also want to commend \ncompanies like TRUSTe and BBBOnLine that certify that their membership \ncompanies meet certain online privacy standards.\n    While it may still be too early to enact more comprehensive online \nprivacy legislation, there remains much room for improvement. And so \nMr. Chairman, I am glad you have called this very important oversight \nhearing. I hope today's hearing will serve as a reminder that we take \nprivacy very seriously in Internet use, and users have every right to \nkeep their personal information private and confidential. Using the \nInternet does not forgo those basic rights. Finally, Mr. Chairman, as I \nmentioned before, the Internet is rapidly changing and if e-commerce is \ngoing to flourish, then commercial websites need to seriously adopt on-\nline privacy guidelines.\n    Thank you.\n                                 ______\n                                 \nPrepared Statement of Hon. Karen McCarthy, a Representative in Congress \n                       from the State of Missouri\n    Thank you, Mr. 
Chairman, for holding this hearing today on the very \nimportant subject of online consumer privacy. As we progress deeper \ninto the Information Age, it is vital that we address issues of \nconsumer protection and privacy early and often in order to ensure that \nwe are providing our constituents with the security they need and \ndesire to comfortably deal in the Internet marketplace.\n    Research conducted over the past several years shows that consumers \nare frustrated by the increasing ability of Internet companies to \ngather personal information about consumers, often without the \nconsumers' knowledge or consent. In addition, many people, myself \nincluded, are concerned about the growing use of the Internet for \nfinancial and medical information, and the potential for that highly \nsensitive and personal information to be shared with third parties.\n    I look forward to hearing the testimony of our witnesses today, \nparticularly those from the Federal Trade Commission (FTC), because I \nam eager to work with my colleagues to resolve this issue of personal \nprivacy on the Internet. I hope that we will address consumer concerns \nabout receiving notice when information is being collected or when it \nwill be shared, having choices regarding how that information is used, \nand being assured that their data is indeed secure, yet accessible by \nthe appropriate authorized parties.\n    I am confident that we will be able to achieve a balance between \nconsumer privacy and an open Internet marketplace that offers a wealth \nof opportunity to both entrepreneurs and consumers. Thank you. I yield \nback the balance of my time.\n                                 ______\n                                 \n    Prepared Statement of Hon. John D. Dingell, a Representative in \n                  Congress from the State of Michigan\n    Mr. Chairman, I want to thank you for holding this hearing on the \nprivacy problems consumers face when using the Internet. 
At the outset, \nlet me welcome Chairman Pitofsky, Commissioner Anthony, Commissioner \nThompson, and Commissioner Swindle to the Committee. I admire the \nimportant work you do in so many areas, and I look forward to hearing \nyour views on what to do about the very serious privacy problems \nconsumers face.\n    The Federal Trade Commission is the federal government's consumer \nprotection agency, and consumer privacy, both on and off the Internet, \nis a matter of growing public concern. Consumers are justifiably \nalarmed that the uncontrolled dissemination of personal data is \naffecting their job opportunities, as well as their ability to qualify \nfor credit cards, mortgages, car loans, insurance, and more.\n    How are we going to make sure that on-line merchants do not violate \nthe consumer's wishes by selling information about drugs or other \nproducts he or she purchases to employers, banks, and other retailers? \nWhat will prevent a bank from ignoring a consumer's instructions and \nselling his or her personal and account information to a telemarketer, \nto a securities firm, or to an insurance company?\n    Consumer privacy problems demand the Commission's special and \nimmediate attention, and I certainly expect the Commission to give this \nproblem the attention it so rightly deserves.\n    Today, the consumer is fighting a losing battle to control the \ndissemination and use of personal medical and financial data. Industry \nhas thus far failed to develop, implement, and enforce safeguards to \ncontrol how personal information may be used by others. 
Even when \nprivate firms adopt policies that allow consumers to ``opt-out'' or \nrestrict the transfer of their personal data, the consumer's wishes are \ntoo often ignored by banks and others who make huge profits from the \nsale of personal and account data.\n    Last month, the Minnesota State Attorney General brought suit \nagainst several banks in that State for transferring customer personal \nand account data to third parties, despite instructions from some of \ntheir customers not to do this. These banks had a privacy policy. That \nprivacy policy allowed their customers to ``opt-out'' from the transfer \nof personal data to third parties. Yet when customers exercised this \nright to ``opt-out'', their right was ignored. Lest anyone wrongly \nconclude that the problem in Minnesota is unique, the Comptroller of \nthe Currency made a public statement in which he said these same abuses \nare occurring far too frequently throughout the banking industry and \nthat they must be stopped.\n    In the on-line world, these privacy problems are magnified. The \nspecial nature of the Internet demands greater sensitivity by \ngovernment to the privacy rights of individuals, and the Federal Trade \nCommission can and should play a key role in protecting consumers' \ninterests.\n    Again, I look forward to hearing the testimony of the \nCommissioners, and I want to thank them for their participation in this \nhearing.\n\n    Mr. Tauzin. We will now welcome and call forward our first \npanel which will consist of the chairman and members of the \nFederal Trade Commission, beginning with the chairman, the \nHonorable Robert Pitofsky, the Honorable Orson Swindle, the \nHonorable Sheila Anthony, and the Honorable Mozelle Thompson; \nall commissioners of the Federal Trade Commission. Ladies and \nGentlemen, if you would come forward. 
While you are coming \nforward, let me remind you that at our last hearing last year, \nI asked each of you to give me your letter grade on the \nprogress of the industry of protecting Americans' privacy \nonline.\n    Each of you at the termination of that hearing gave me your \nletter grade estimate. Let me remind you what they were. Mr. \nSwindle, you gave the industry a rising D. Ms. Anthony, you \ngave the industry a D plus. Mr. Pitofsky, like a good \nprofessor, you gave them an incomplete. Mr. Thompson, you \nwouldn't give a letter grade, but you said there was \nconsiderable room for improvement is the quote we have for you \nlast year. So a rising D, a D plus, an incomplete, and \nconsiderable room for improvement. When you complete your \ntestimony today I would ask you--if you can be thinking about \nit now--give me your latest grade on the industry so that we \ncan track the progress as we would any university.\n    We begin now by welcoming the Chairman of the Federal Trade \nCommission, our friend, Mr. Robert Pitofsky, and we welcome \nyour testimony, Mr. Pitofsky.\n\n   STATEMENTS OF HON. ROBERT PITOFSKY, CHAIRMAN; HON. ORSON \n SWINDLE, COMMISSIONER; HON. SHEILA F. ANTHONY, COMMISSIONER; \n   AND HON. MOZELLE W. THOMPSON, COMMISSIONER, FEDERAL TRADE \n                           COMMISSION\n\n    Mr. Pitofsky. Thank you, Mr. Chairman, Mr. Markey, and \nmembers of the committee. I am delighted to be here again to \ndiscuss what we all agree is a tremendously important question \nand to deliver the Commission's report on online privacy.\n    Incidentally, many things have changed about online \nprivacy. Statistics change over 2, 3, 4 years. But one thing \nhasn't changed. 
If you ask people who don't do business on the \nInternet, who don't make purchases, what is your reason for not \ndoing so, you will still hear that about 85 percent of the \npeople who avoid buying on the Internet offer as their reason \nthat they don't think that it is a secure transaction. And \nprivacy, of course, is a major element of that.\n    Let me see if I can start by finding some common ground \nhere. We at the Commission and I think members of the committee \nall agree that consumers are entitled to have their privacy \nprotected when they do business on the Internet. And we all \nagree that if we can do it, the best way to get there is \nthrough industry self-regulation because this is such a \ndynamic, changing, vigorous, and new sector of the economy. We \nbegin to see different opinions, however, when you move on to \nsome other questions. And as the opening statements indicated, \nvery reasonable people can differ about how to get there.\n    First, there are differences about how much has been \naccomplished over the last year or so in terms of self-\nregulation and privacy. And second, and perhaps even more \nimportant, how far will self-regulation ever go in protecting \nconsumers? Can we ever get to an accepted level of protection \nfor consumers on the Internet through self-regulation and \nwithout some legislation?\n    You may recall that when we were here a year ago, we \ndelivered a report to this committee indicating disappointment \nat the levels of privacy protection that existed then. A key \nfact was that while 90 percent of the firms selling products on \nthe Internet collected personally identifiable private \ninformation, only 14 percent even announced that they had a \nprivacy policy of any sort. And only about 2 percent had the \nbroad range of privacy policies that we call fair information \npractices. 
I should say that on the busiest web sites, not all, \nbut on the busiest, privacy policies were published in about 44 \npercent of the instances.\n    It is now a year later and a good deal has happened. One \ninteresting development is considerable agreement on \nessentially what are fair information practices. They are \npretty much what Mr. Markey outlined. Notice, consent, because \nif you don't have notice and consent, privacy protection \ndoesn't work at all. If people don't know what their rights are \nand what is going to happen to the information that they give, \nthen you have no privacy at all. Reasonable access such that \nconsumers can find out what sellers are doing with the \ninformation, how they are selling it and whether there are \nerrors in the information. Finally, some security arrangements.\n    Second, there has been a sharp improvement in the level of \nnotice that people are getting on the Internet. I said it was \n14 percent a year ago. The newest Georgetown University study, \nwhich is not exactly comparable to the last study but is pretty \nclose, indicates that we have gone from 14 percent to 66 \npercent of web sites that post privacy policies. Of web sites \nthat have the full range of fair information practices, we have \ngone from 2 percent up to 10 percent.\n    I think that is pretty good in 1 year. We have seen in \nother sectors of the economy that self-regulation doesn't \nhappen overnight. It takes a while. Certainly we have seen \nstrong important steps in the right direction and real \nprogress. We have also seen in the last year the development of \nseal programs by a number of different organizations. They have \nestablished standards for privacy protection and then give out \na seal of approval only to those companies that abide by their \ncommitment to those standards.\n    Now, this is just the beginning. There are a million web \nsites. 
Altogether there are probably about a thousand firms \nthat have committed to a seal program. But TRUSTe, Better \nBusiness Bureau OnLine and others do appear to be moving in the \ndirection of seals of approval and in the direction of \nmonitoring whether people abide by their commitment, and to \nenforcing their seal programs. Because of this progress, the \nmajority of the Commission recommends no legislation at this \ntime.\n    That is not to say that all that needs to be done has been \ndone. There is a long way to go before we can say that we are \nat a level at which consumers can be confident that their \nprivacy has been protected. For example, even though 66 percent \npost privacy policies, that still means that 34 percent have no \nprivacy policies whatsoever. And even though 66 percent post \nthe privacy policy, as we have heard, only about 10 percent \ntouch all of the bases that we think are necessary to protect \nprivacy.\n    Therefore, although we don't believe legislation is \nappropriate at this time, we do believe there has been \nconsiderable progress. The FTC certainly is not abandoning the \nfield. We intend to conduct workshops over the next year \nfocussing, for example, on issues like personnel profiling, \ntask forces in which we will work with industry and consumer \ngroups to try to understand particular issues like technology \ndevelopments, and whether there are technological fixes in this \narea.\n    We are going to work with the Department of Commerce on \nconsumer education which in the long run may be one of the more \nimportant ways to get to what I have described as the goal \nline, and we will commit now to monitor this important new \nmarketplace and come back here with a report the next time \naround, about a year from now. We want to let some time go by \nto see if there is continued progress.\n    The next report is going to be different. These reports so \nfar essentially involve counting noses. 
How many sellers have a \nprivacy policy; how many sellers don't. We want to get at the \nquestion of whether those privacy policies are worth the screen \nthat they appear on. We want to ask qualitative questions. We \nwant to ask about access. We want to ask about security.\n    And we want to ask--if we are going the self-regulation \nroute--we want to ask about monitoring and enforcement. It is \nnot enough to put a privacy policy up there. We have to be \nconfident that people are paying attention to it and are really \ndoing what they say.\n    In conclusion, let me say that I think developments over \nthe year indicate that the idea of giving self-regulation a \nchance was the right approach. The business community deserves \na lot of credit for working hard to produce the changes that \nthey have produced. On the other hand, this progress must \ncontinue. It is not time to declare victory on this issue. I \nwould say this: If the progress does not continue at something \nlike the pace that we have seen in the past year, then I think \nit is time to reconsider a legislative solution. Thank you.\n    [The prepared statement of Hon. Robert Pitofsky follows:]\n  Prepared Statement of Hon. Robert Pitofsky, Chairman, Federal Trade \n                               Commission\n    Mr. Chairman and members of the Subcommittee, I am Robert Pitofsky, \nChairman of the Federal Trade Commission (``FTC'' or ``Commission''). I \nappreciate this opportunity to present the Commission's views on the \nprogress of self-regulation in the area of online privacy.<SUP>1</SUP>\nI. Introduction and Background\n    The FTC's mission is to promote the efficient functioning of the \nmarketplace by protecting consumers from unfair or deceptive acts or \npractices and to increase consumer choice by promoting vigorous \ncompetition. As you know, the Commission's responsibilities are far-\nreaching. 
The Commission's primary legislative mandate is to enforce \nthe Federal Trade Commission Act (``FTCA''), which prohibits unfair \nmethods of competition and unfair or deceptive acts or practices in or \naffecting commerce.<SUP>2</SUP> With the exception of certain \nindustries, the FTCA provides the Commission with broad law enforcement \nauthority over entities engaged in or whose business affects commerce \n<SUP>3</SUP> and with the authority to gather information about such \nentities.<SUP>4</SUP> Commerce on the Internet falls within the scope \nof this statutory mandate.<SUP>5</SUP>\n    In June 1998 the Commission issued Privacy Online: A Report to \nCongress (``1998 Report''), an examination of the information practices \nof commercial sites on the World Wide Web and of industry's efforts to \nimplement self-regulatory programs to protect consumers' online \nprivacy.<SUP>6</SUP> Based in part on its extensive survey of over 1400 \ncommercial Web sites, the Commission concluded that effective self-\nregulation had not yet taken hold.<SUP>7</SUP> The Commission \nrecommended that Congress adopt legislation setting forth standards for \nthe online collection of personal information from children; and \nindeed, just four months after the 1998 Report was issued, Congress \nenacted the Children's Online Privacy Protection Act of \n1998.<SUP>8</SUP> As required by the Act, on April 20, 1999, the \nCommission issued a proposed Children's Online Privacy Protection Rule, \nwhich implements the Act's fair information practices standards for \ncommercial Web sites directed to children under 13, or who knowingly \ncollect personal information from children under 13.<SUP>9</SUP> \nCommission staff is reviewing comments on the proposed rule and will \nissue a final rule this fall.\n    When the 1998 report was released, there were indications that \nindustry leaders were committed to work toward self-regulatory \nsolutions. 
As a result, in Congressional testimony last July the \nCommission deferred judgment on the need for legislation to protect the \nonline privacy of consumers generally, and instead urged industry to \nfocus on the development of broad-based and effective self-regulatory \nprograms.<SUP>10</SUP> In the ensuing year, there have been important \ndevelopments both in the growth of the Internet as a commercial \nmarketplace and in consumers' and industry's responses to the privacy \nissues posed by the online collection of personal information. The \nCommission has just issued a new report on these developments, Self-\nRegulation and Online Privacy: A Report to Congress (June 1999) (``1999 \nReport'').<SUP>11</SUP> The 1999 Report assesses the progress made in \nself-regulation to protect consumers' online privacy since last June \nand sets out an agenda of Commission actions in the coming year to \nencourage industry's full implementation of online privacy protections. \nI am pleased to present the 1999 Report's findings to the Committee.\nII. The Current State of Online Privacy Regulation\n    The Commission believes that self-regulation is the least intrusive \nand most efficient means to ensure fair information practices online, \ngiven the rapidly evolving nature of the Internet and computer \ntechnology. During the past year the Commission has been monitoring \nself-regulatory initiatives, and the Commission's 1999 Report finds \nthat there has been notable progress. Two new industry-funded surveys \nof commercial Web sites suggest that online businesses are providing \nsignificantly more notice of their information practices than they were \nlast year. 
Sixty-six percent of the sites in the Georgetown Internet \nPrivacy Policy Survey (``GIPPS'') <SUP>12</SUP> post at least one \ndisclosure about their information practices.<SUP>13</SUP> Forty-four \npercent of these sites post privacy policy notices.<SUP>14</SUP> \nAlthough differences in sampling methodology prevent direct comparisons \nbetween the GIPPS findings and the Commission's 1998 results, \n<SUP>15</SUP> the GIPPS Report does demonstrate the real progress \nindustry has made in giving consumers notice of at least some \ninformation practices. Similarly, 93% of the sites in the recent study \ncommissioned by the Online Privacy Alliance (``OPA Study'') provide at \nleast one disclosure about their information practices.<SUP>16</SUP> \nThis, too, represents continued progress since last year, when 71% of \nthe sites in the Commission's 1998 ``Most Popular'' sample posted an \ninformation practice disclosure.<SUP>17</SUP>\n    The new survey results show, however, that, despite the laudable \nefforts of industry leaders, significant challenges remain. The vast \nmajority of the sites in both the GIPPS and OPA surveys collect \npersonal information from consumers online.<SUP>18</SUP> By contrast, \nonly 10% of the sites in the GIPPS sample, <SUP>19</SUP> and only 22% \nof the sites in the OPA study, <SUP>20</SUP> are implementing all four \nsubstantive fair information practice principles of Notice/Awareness, \nChoice/Consent, Access/Participation, and Security/\nIntegrity.<SUP>21</SUP> In light of these results, the Commission \nbelieves that further improvement is required to effectively protect \nconsumers' online privacy.\n    In the Commission's view, the emergence of online privacy seal \nprograms is a particularly promising development in self-regulation. \nHere, too, industry faces a considerable challenge. 
TRUSTe, launched \nnearly two years ago, currently has more than 500 licensees \nrepresenting a variety of industries.<SUP>22</SUP> BBBOnLine, a \nsubsidiary of the Council of Better Business Bureaus, which launched \nits privacy seal program for online businesses last March, currently \nhas 42 licensees and more than 300 applications for \nlicenses.<SUP>23</SUP> Several other online privacy seal programs are \njust getting underway.<SUP>24</SUP> Together, the online privacy seal \nprograms currently encompass only a handful of all Web sites. It is too \nearly to judge how effective these programs will ultimately be in \nserving as enforcement mechanisms to protect consumers' online privacy.\nIII. Conclusion\n    The self-regulatory initiatives discussed above, and described in \ngreater detail in the 1999 Report, reflect industry leaders' \nsubstantial effort and commitment to fair information practices. They \nshould be commended for these efforts. Enforcement mechanisms that go \nbeyond self-assessment are also gradually being implemented by the seal \nprograms. Only a small minority of commercial Web sites, however, have \njoined these programs to date. Similarly, although the results of the \nGIPPS and OPA studies show that many online companies now understand \nthe business case for protecting consumer privacy, they also show that \nthe implementation of fair information practices is not widespread \namong commercial Web sites.\n    Based on these facts, the Commission believes that legislation to \naddress online privacy is not appropriate at this time. We also believe \nthat industry faces some substantial challenges. Specifically, the \npresent challenge is to educate those companies which still do not \nunderstand the importance of consumer privacy and to create incentives \nfor further progress toward effective, widespread implementation.\n    First, industry groups must continue to encourage widespread \nadoption of fair information practices. 
Second, industry should focus \nits attention on the substance of web site information practices, \nensuring that companies adhere to the core privacy principles discussed \nearlier. It may also be appropriate, at some point in the future, for \nthe FTC to examine the online privacy seal programs and report to \nCongress on whether these programs provide effective privacy \nprotections for consumers.\n    Finally, industry must work together with government and consumer \ngroups to educate consumers about privacy protection on the Internet. \nThe ultimate goal of such efforts, together with effective self-\nregulation, will be heightened consumer acceptance and confidence. \nIndustry should also redouble its efforts to develop effective \ntechnology to provide consumers with tools they can use to safeguard \ntheir own privacy online.\n    The Commission has developed an agenda to address online privacy \nissues throughout the coming year as a way of encouraging and, \nultimately, assessing further progress in self-regulation to protect \nconsumer online privacy:\n\n* The Commission will hold a public workshop on ``online \n        profiling,'' the practice of aggregating information about \n        consumers' preferences and interests gathered primarily by \n        tracking their movements online. The workshop, jointly \n        sponsored by the U.S. 
Department of Commerce, will examine \n        online advertising firms' use of tracking technologies to \n        create targeted, user profile-based advertising campaigns.\n* The Commission will hold a public workshop on the privacy \n        implications of electronic identifiers that enhance Web sites' \n        ability to track consumers' online behavior.\n* In keeping with its history of fostering dialogue on online \n        privacy issues among all stakeholders, the Commission will \n        convene task forces of industry representatives and privacy and \n        consumer advocates to develop strategies for furthering the \n        implementation of fair information practices in the online \n        environment.\n    * One task force will focus upon understanding the costs and \n            benefits of implementing fair information practices online, \n            with particular emphasis on defining the parameters of the \n            principles of consumer access to data and adequate \n            security.\n    * A second task force will address how incentives can be \n            created to encourage the development of privacy-enhancing \n            technologies, such as the World Wide Web Consortium's \n            Platform for Privacy Preferences (P3P).\n* The Commission, in partnership with the U.S. Department of \n        Commerce, will promote private sector business education \n        initiatives designed to encourage new online entrepreneurs \n        engaged in commerce on the Web to adopt fair information \n        practices.\n* Finally, the Commission believes it is important to continue \n        to monitor the progress of self-regulation, to determine \n        whether the self-regulatory programs discussed in the 1999 \n        Report fulfill their promise. 
To that end, the Commission will \n        conduct an online survey to reassess progress in Web sites' \n        implementation of fair information practices, and will report \n        its findings to Congress.\n    The Commission is committed to the goal of full implementation of \neffective protections for online privacy in a manner that promotes a \nflourishing online marketplace, and looks forward to working with the \nSubcommittee as it considers the Commission's 1999 Report.\n\n                                ENDNOTES\n\n    <SUP>1</SUP> The Commission vote to issue this testimony was 3-1, \nwith Commissioner Anthony concurring in part and dissenting in part. \nCommissioner Anthony's statement is attached to the testimony. \nCommissioner Swindle's concurring statement is also attached. My oral \ntestimony and responses to questions you may have reflect my own views \nand are not necessarily the views of the Commission or any \nCommissioner.\n    <SUP>2</SUP> 15 U.S.C. Sec. 45 (a).\n    <SUP>3</SUP> The Commission does not have criminal law enforcement \nauthority. Further, certain entities, such as banks, savings and loan \nassociations, and common carriers, as well as the business of insurance \nare wholly or partially exempt from Commission jurisdiction. See \nSection 5 (a) (2) of the FTC Act, 15 U.S.C. Sec. 45 (a) (2), and the \nMcCarran-Ferguson Act, 15 U.S.C. Sec. 1012 (b).\n    <SUP>4</SUP> 15 U.S.C. Sec. 46 (a). However, the Commission's \nauthority to conduct studies and prepare reports relating to the \nbusiness of insurance is limited. According to 15 U.S.C. Sec. 46 (a): \n``The Commission may exercise such authority only upon receiving a \nrequest which is agreed to by a majority of the members of the \nCommittee on Commerce, Science, and Transportation of the Senate or the \nCommittee on Energy and Commerce of the House of Representatives. 
The \nauthority to conduct any such study shall expire at the end of the \nCongress during which the request for such study was made.''\n    The Commission also has responsibility under approximately forty \nadditional statutes governing specific industries and practices. These \ninclude, for example, the Truth in Lending Act, 15 U.S.C. \nSec. Sec. 1601 et seq., which mandates disclosures of credit terms, and \nthe Fair Credit Billing Act, 15 U.S.C. Sec. Sec. 1666 et. seq., which \nprovides for the correction of billing errors on credit accounts. The \nCommission also enforces over 30 rules governing specific industries \nand practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which \nrequires used car dealers to disclose warranty terms via a window \nsticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the \nprovision of information to prospective franchisees; and the \nTelemarketing Sales Rule, 16 C.F.R. Part 310, which defines and \nprohibits deceptive telemarketing practices and other abusive \ntelemarketing practices.\n    <SUP>5</SUP> The Commission held its first public workshop on \nonline privacy in April 1995. In a series of hearings held in October \nand November 1995, the Commission examined the implications of \nglobalization and technological innovation for competition issues and \nconsumer protection issues, including privacy concerns. At a public \nworkshop held in June 1996, the Commission examined Web site practices \nin the collection, use, and transfer of consumers' personal \ninformation; self-regulatory efforts and technological developments to \nenhance consumer privacy; consumer and business education efforts; the \nrole of government in protecting online information privacy; and \nspecial issues raised by the online collection and use of information \nfrom and about children. 
The Commission held a second workshop in June \n1997 to explore issues raised by individual reference services, as well \nas issues relating to unsolicited commercial e-mail, online privacy \ngenerally, and children's online privacy.\n    These efforts have served as a foundation for dialogue among \nmembers of the information industry and online business community, \ngovernment representatives, privacy and consumer advocates, and experts \nin interactive technology. Further, the Commission and its staff have \nissued reports describing various privacy concerns in the electronic \nmarketplace. See, e.g., Individual Reference Services: A Federal Trade \nCommission Report to Congress (December 1997); FTC Staff Report: Public \nWorkshop on Consumer Privacy on the Global Information Infrastructure \n(December 1996); FTC Staff Report: Anticipating the 21st Century: \nConsumer Protection Policy in the New High-Tech, Global Marketplace \n(May 1996).\n    The Commission has also brought enforcement actions under Section 5 \nof the Federal Trade Commission Act to address deceptive online \ninformation practices. In 1998 the Commission announced its first \nInternet privacy case, in which GeoCities, operator of one of the most \npopular sites on the World Wide Web, agreed to settle Commission \ncharges that it had misrepresented the purposes for which it was \ncollecting personal identifying information from children and adults \nthrough its online membership application form and registration forms \nfor children's activities on the GeoCities site. The settlement, which \nwas made final in February 1999, prohibits GeoCities from \nmisrepresenting the purposes for which it collects personal identifying \ninformation from or about consumers, including children. 
It also \nrequires GeoCities to post a prominent privacy notice on its site, to \nestablish a system to obtain parental consent before collecting \npersonal information from children, and to offer individuals from whom \nit had previously collected personal information an opportunity to have \nthat information deleted. GeoCities, Docket No. C-3849 (Feb. 12, 1999) \n(Final Decision and Order available at http://www.ftc.gov/os/1999/9902/\n9823015d&o.htm).\n    In its second Internet privacy case, the Commission recently \nannounced for public comment a settlement with Liberty Financial \nCompanies, Inc., operator of the Young Investor Web site. The \nCommission alleged, among other things, that the site falsely \nrepresented that personal information collected from children, \nincluding information about family finances, would be maintained \nanonymously. In fact, this information was maintained in identifiable \nform. The consent agreement would require Liberty Financial to post a \nprivacy policy on its children's sites and obtain verifiable consent \nbefore collecting personal identifying information from children. \nLiberty Financial, Case No. 9823522 (proposed consent agreement \navailable at http://www.ftc.gov/os/1999/9905/lbtyord.htm).\n    Since the fall of 1994, the Federal Trade Commission has brought 91 \nlaw enforcement actions against over 200 companies and individuals to \nhalt fraud and deception on the Internet. The FTC has not only attacked \ntraditional schemes that have moved online, like pyramid and credit \nrepair schemes, but in addition, the FTC has brought suit against modem \nhijacking, fraudulent e-mail marketing, and other hi-tech schemes that \ntake unique advantage of the Internet. The Commission pioneered the \n``Surf Day'' concept and has searched the Net in tandem with law \nenforcement colleagues around the world, targeting specific problems \nand warning consumers and new entrepreneurs about what the law \nrequires. 
The Commission has also posted ``teaser pages'' online, i.e., \nfake scam sites that give consumers education just when they are about \nto fall victim to an Internet ruse.\n    <SUP>6</SUP> The Report is available on the Commission's Web site \nat http://www.ftc.gov/reports/privacy3/index.htm.\n    <SUP>7</SUP> 1998 Report at 41.\n    <SUP>8</SUP> Title XIII, Omnibus Consolidated and Emergency \nSupplemental Appropriations Act, 1999, Pub. L. No. 105-277, 112 Stat. \n2681, ---------- (Oct. 21, 1998), reprinted at 144 Cong. Rec. H11240-42 \n(Oct. 19, 1998). The Act requires, inter alia, that operators of Web \nsites directed to children under 13 or who knowingly collect personal \ninformation from children under 13 on the Internet: (1) provide parents \nnotice of their information practices; (2) obtain prior, verifiable \nparental consent for the collection, use, and/or disclosure of personal \ninformation from children (with certain limited exceptions); (3) upon \nrequest, provide a parent with the ability to review the personal \ninformation collected from his/her child; (4) provide a parent with the \nopportunity to prevent the further use of personal information that has \nalready been collected, or the future collection of personal \ninformation from that child; (5) limit collection of personal \ninformation for a child's online participation in a game, prize offer, \nor other activity to information that is reasonably necessary for the \nactivity; and (6) establish and maintain reasonable procedures to \nprotect the confidentiality, security, and integrity of the personal \ninformation collected.\n    <SUP>9</SUP> 64 Fed. Reg. 22750 (1999) (to be codified at 16 C.F.R. \npt. 312).\n    <SUP>10</SUP> Commission testimony on Consumer Privacy on the World \nWide Web before the House Subcommittee on Telecommunications, Trade and \nConsumer Protection, Committee on Commerce (July 21, 1998) (available \nat http://www.ftc.gov/os/1998/9807/privac98.htm). 
The Commission also \npresented a legislative model that Congress could consider in the event \nthat then-nascent self-regulatory efforts did not result in widespread \nimplementation of self-regulatory protections. Id. at 5-7.\n    <SUP>11</SUP> A copy of the Report is attached as an appendix. The \nReport is available on the Commission's Web site at www.ftc.gov/\nreports/privacy99/index.html.\n    <SUP>12</SUP> The report is available at http://www.msb.edu/\nfaculty/culnanm/gippshome.html [hereinafter ``GIPPS Report'']. The \nfollowing analysis is based upon the Commission's review of the GIPPS \nReport itself; Commission staff did not have access to the underlying \nGIPPS data.\n    <SUP>13</SUP> GIPPS Report, App. A at 5.\n    <SUP>14</SUP> Id.\n    <SUP>15</SUP> The GIPPS Report discusses findings on the \ninformation practices of 361 Web Sites drawn from a list of the 7,500 \nbusiest servers on the World Wide Web. The list, a ranking of servers \nby number of unique visitors for the month of January 1999, was \ncompiled by Media Metrix, a site traffic measurement company. As larger \nsites are more likely to have multiple servers, the largest sites on \nthe Web had a greater chance of being selected for inclusion in the \nsample drawn for the GIPPS survey. See GIPPS Report, App. A at 2; App. \nB at 9 n.iii. The Commission's 1998 Comprehensive Sample was drawn at \nrandom from all U.S., ``.com'' sites in the Dun & Bradstreet Electronic \nCommerce Registry, with the exception of insurance industry sites. 1998 \nReport, App. A at 2. Unlike the Media Metrix list used in the GIPPS \nsample, the Dun & Bradstreet Registry does not rank sites on the basis \nof user traffic.\n    <SUP>16</SUP> Online Privacy Alliance, Privacy and the Top 100 \nSites: A Report to the Federal Trade Commission at 3, 8 (1999) \n(available at http://www.msb.edu/faculty/culnanm/gippshome.html). 
The \nfollowing analysis is based upon the Commission's review of the OPA \nStudy report itself; Commission staff did not have access to the \nunderlying OPA Study data.\n    <SUP>17</SUP> 1998 Report at 28.\n    <SUP>18</SUP> Ninety-three percent of the sites in the GIPPS \nsurvey, GIPPS Report, App. A at 3, and 99% of the sites in the OPA \nStudy, OPA Study at 3, 5, collect personal information from consumers.\n    <SUP>19</SUP> The GIPPS results show that thirty-six sites in the \nsample (or 10%) posted at least one survey element, or disclosure, for \neach of the four substantive fair information practices. GIPPS Report \nat 10 and App. A at 12 (Table 8C). Thirty-two of these sites (or 8.9%) \nalso posted contact information. Id. Georgetown University Professor \nMary Culnan, author of the GIPPS Report, reports the number of sites \nposting disclosures for the four substantive fair information practice \nprinciples and for contact information in two additional ways: as a \npercentage of sites in the sample that collect at least one type of \npersonal information (9.5%); and as a percentage of sites in the sample \nthat both collect at least one type of personal information and post a \ndisclosure (13.6%). GIPPS Report, App. A at 12 (Table 8C).\n    <SUP>20</SUP> Twenty-two sites in the OPA Study (or 22%) posted at \nleast one survey element, or disclosure, for each of the four \nsubstantive fair information practices. OPA Study at 9-10 and App. A at \n10 (Table 6C). Nineteen of these sites (or 19%) also posted contact \ninformation. Id. Professor Culnan also reports the number of sites \nposting disclosures for the four substantive fair information practice \nprinciples in two additional ways: as a percentage of sites in the \nsample that collect at least one type of personal information (22.2%); \nand as a percentage of sites in the sample that both collect at least \none type of personal information and post a disclosure (23.7%). OPA \nStudy, App. 
A at 10 (Table 6C).\n    <SUP>21</SUP> The Commission's 1998 Report discussed the fair \ninformation practice principles developed by government agencies in the \nUnited States, Canada, and Europe since 1973, when the United States \nDepartment of Health, Education, and Welfare released its seminal \nreport on privacy protections in the age of data collection, Records, \nComputers, and the Rights of Citizens. 1998 Report at 7-11. In addition \nto the HEW Report, the major reports setting forth the core fair \ninformation practice principles are: The U.S. Privacy Protection Study \nCommission, Personal Privacy in an Information Society (1977); \nOrganization for Economic Cooperation and Development, OECD Guidelines \non the Protection of Privacy and Transborder Flows of Personal Data \n(1980); U.S. Information Infrastructure Task Force, Information Policy \nCommittee, Privacy Working Group, Privacy and the National Information \nInfrastructure: Principles for Providing and Using Personal Information \n(1995); U.S. Dept. of Commerce, Privacy and the NII: Safeguarding \nTelecommunications-Related Personal Information (1995); The European \nUnion Directive on the Protection of Personal Data (1995); and the \nCanadian Standards Association, Model Code for the Protection of \nPersonal Information: A National Standard of Canada (1996). The 1998 \nReport identified the core principles of privacy protection common to \nthese government reports, guidelines, and model codes: (1) Notice/\nAwareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/\nSecurity; and (5) Enforcement/Redress. 1998 Report at 7-11.\n    The Notice/Awareness principle is the most fundamental: consumers \nmust be given notice of a company's information practices before \npersonal information is collected from them. The scope and content of \nthe notice will vary with a company's substantive information \npractices, but the notice itself is essential. 
The other core \nprinciples have meaning only if a consumer has notice of an entity's \ninformation practices and his or her rights with respect thereto. Id. \nat 7.\n    The Choice/Consent principle requires that consumers be given \noptions with respect to whether and how personal information collected \nfrom them may be used. Although choice in this context has been \ntraditionally thought of as either ``opt-in'' (prior consent for use of \ninformation) or ``opt-out'' (limitation upon further use of \ninformation), id. at 9, interactive media hold the promise of making \nthis paradigm obsolete through developments in technology. Id. The \nAccess/Participation principle requires that consumers be given \nreasonable access to information collected about them and the ability \nto contest that data's accuracy and completeness. Id.\n    The Integrity/Security principle requires that companies take \nreasonable steps to assure that information collected from consumers is \naccurate and secure from unauthorized use. Id. at 10. Finally, the \neffectiveness of the foregoing privacy protections is dependent upon \nimplementation of the Enforcement/Redress principle, which requires \ngovernmental and/or self-regulatory mechanisms to impose sanctions for \nnoncompliance with fair information practices. Id. at 10-11. The 1998 \nReport assessed existing self-regulatory efforts in light of these fair \ninformation practice principles.\n    <SUP>22</SUP> Information about TRUSTe is taken from materials \nposted on TRUSTe's Web site, http://www.truste.org, and from public \nstatements by TRUSTe staff. Several hundred additional companies have \njoined the TRUSTe program but are not yet fully licensed. 
See ``TRUSTe \nTestifies Before House Judiciary Committee,'' May 27, 1999 (press \nrelease available at http://www.truste.org/about/about--\ncommittee.html).\n    <SUP>23</SUP> Information about BBBOnline is taken from materials \nposted on the BBBOnline Web site, located at http://www.bbbonline.com, \nand from other public documents and statements by BBBOnLine staff.\n    <SUP>24</SUP> CPA WebTrust, the online privacy seal program created \nby the American Institute of Certified Public Accountants (AICPA) and \nthe Canadian Institute of Chartered Accountants, currently has 19 \nlicensees (program description available at http://\nwww.cpawebtrust.org). The Electronic Software Rating Board's ESRB \nPrivacy Online program was launched on June 1, 1999 (description \navailable at http://www.esrb.org).\n[GRAPHIC] [TIFF OMITTED] T8511.001 through T8511.021\n\n    Mr. Tauzin. Thank you, Mr. Chairman.\n    The Chair is now pleased to welcome for his opening \nstatement Commissioner Orson Swindle.\n\n                   STATEMENT OF ORSON SWINDLE\n\n    Mr. Swindle. Thank you, Mr. Chairman. I appreciate the \nopportunity to speak before the committee and Mr. Markey and \nthe rest of the committee members. 
I voted to submit ``Self-\nRegulation and Privacy Online: A Report'' to Congress because \nit ultimately reaches what I believe to be the correct and \nobvious conclusion, that no legislative action at this time is \nrequired.\n    I do not believe, however, that the report accurately \nreflects reality. Strangely, the unfavorable 1998 FTC study \nresults are prominently described in the first seven pages of \nthe report while the current and more favorable 1999 Georgetown \nsurvey results are only briefly mentioned in the middle of the \nreport. In my mind, the report is a good example of damning \nwith faint praise.\n    Second, the report overemphasizes the failure of industry \nto sufficiently implement all elements of comprehensive fair \ninformation practices, and I happen to agree with those \npractices, which the Commission first articulated only a year \nago.\n    Third, the report only sparingly mentions the leadership on \nprivacy issues that IBM, Microsoft, Disney, AOL, The Direct \nMarketing Association, privacy seal organizations and many \nothers in the private sector have demonstrated over the past \nyear. The no legislative action recommendation appears at the \nvery end of the report, almost as if the recommendation was \nsome trivial afterthought.\n    The report should have emphasized prominently and in the \nbeginning that cooperative and creative efforts by a public-\nprivate partnership have achieved substantial progress and will \nachieve more progress far more quickly than more laws and more \nregulation. I think significant progress has been made on the \nprivacy issue. However, we must strive for more. We all \nrecognize that.\n    More laws and regulations are not the answers. Industry, \nprivacy and consumer advocates, and the Commission will make \nfurther progress by continuing to work hard and work together. 
\nI would caution industry that there are many in Congress and \nthe government eager and willing to regulate the industry on \nprivacy matters. Industry, both large and small, must continue \nto lead the way if it wishes to have the freedom to adopt \nprivacy policies and practices in response to market incentives \nrather than government regulation.\n    Last month, the University of Texas Business School \nintroduced a study of the current status of electronic \ncommerce. It was one of the very first attempts to measure this \nthing that we talk about as the Internet economy. According to \nthe study sponsored by Cisco Systems, the Internet economy \ngenerated an estimated $301 billion in revenue in 1998 and was \nresponsible for the creation of over 1.2 million jobs. The \nInternet economy is already bigger than the energy industry, \nthe telecommunications industry, and almost as big as the \nautomobile industry. Retail Internet commerce is tripling \nannually. Obviously, consumers are not inching timidly into \nthis new form of choice in purchasing.\n    As John Chambers, the CEO of Cisco Systems commented, ``We \nneed to be very careful not to rush in and really stifle the \nopportunity this gives our country in terms of job growth and \neconomic growth by applying old world regulations to this new \nworld.'' I could not agree with him more.\n    In our deliberations as law makers and regulators, let us \nremember first, do no harm.\n    Thank you, Mr. Chairman. I look forward to answering \nquestions.\n    [The prepared statement of Hon. Orson Swindle follows:]\n Prepared Statement of Hon. Orson Swindle, Commissioner, Federal Trade \n                               Commission\n    Mr. 
Chairman, Members of the Committee, thank you for the \nopportunity to testify today.\n    I voted to submit ``Self-Regulation and Privacy Online: A Report'' \n(the ``Report'') to Congress because it ultimately reaches the correct \nand obvious conclusion: no legislative action is necessary at this \ntime.\n    I do not believe, however, that the Report accurately reflects \nreality. Strangely, the unfavorable 1998 FTC Study results are \nprominently described in the first seven pages of the Report, while the \ncurrent and favorable 1999 Georgetown Survey results are only briefly \nmentioned in the middle of the Report. The Report is a good example of \ndamning with faint praise.\n    Second, the Report overemphasizes the failure of industry to \nsufficiently implement all elements of comprehensive ``fair information \npractices,'' which the Commission first articulated in detail only last \nyear.\n    Third, the Report only sparingly mentions the leadership on privacy \nissues that IBM, Microsoft, Disney, AOL, The Direct Marketing \nAssociation, privacy seal organizations, and many others in the \nprivate sector have demonstrated over the past year.\n    The ``no legislative action?'' recommendation appears at the very \nend of the Report, almost as if the recommendation were some trivial \nafterthought. The Report should have emphasized prominently that \ncooperative and creative efforts by a public-private partnership have \nachieved substantial progress and will achieve more progress far more \nquickly than will more laws and regulations.\n    I think significant progress has been made on the privacy issue. \nHowever, we must strive for more. More laws and regulation are not the \nanswers. Industry, privacy and consumer advocates, and the Commission \nwill make further progress by continuing to work hard and work \ntogether. I would caution industry that there are many in Congress and \ngovernment eager and willing to regulate. 
Industry, both large and \nsmall, must continue to lead the way if it wishes to have the freedom \nto adopt privacy policies and practices in response to market \nincentives rather than government regulation.\n    Last month, the University of Texas Business School introduced a \nstudy of the current status of electronic commerce--one of the very \nfirst attempts to measure the Internet economy. According to the study, \nsponsored by Cisco Systems, the Internet economy generated an estimated \n$301 billion in revenue in 1998 and was responsible for over 1.2 \nmillion jobs.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ These estimates are based on worldwide sales of Internet-\nrelated products and services by U.S.-based companies.\n---------------------------------------------------------------------------\n    The Internet economy is already bigger than the energy industry \n($230 billion) or the telecommunications industry ($270 billion) and is \nalmost as big as the automobile industry ($350 billion). Retail \nInternet commerce is tripling annually. Obviously, consumers are not \ninching timidly into this new form of choice and purchasing.\n    As John Chambers, CEO of Cisco Systems Inc., commented, ``We need \nto be very careful not to rush in and really stifle the opportunity \nthis gives our country in terms of job growth and economic growth by \napplying old-world regulations to this new world.'' I could not agree \nmore.\n    In our deliberations as lawmakers and regulators, let us remember \nfirst: ``Do no harm.''\n\n    Mr. Tauzin. Thank you, Commissioner Swindle.\n    Now, the Chair is pleased to welcome Commissioner Anthony \nfor her opening statement. Would you please pass the mike to \nher, Mr. Swindle? Thank you. Ms. Anthony.\n\n               STATEMENT OF HON. SHEILA F. ANTHONY\n\n    Ms. Anthony. Mr. 
Chairman, members of the subcommittee, \nthank you for holding this hearing today on an issue of great \nimportance to the American people. As the commission's report \nstates, only 10 percent of the well-traveled sites on the \nInternet in a recent survey had privacy disclosures that cover \nall four substantive information practices of notice, consent, \naccess, and security.\n    Even among the top 100 most frequently visited Internet \nsites, only some 20 percent have privacy disclosures addressing \nthese four principles. This chart illustrates the substantial \ngap that exists between the online collection of personal \ninformation in which 93 to 99 percent of the surveyed companies \nengaged, and the opportunity of customers, consumers, to \ntransact their online business under notice, consent, access, \nand security. Some industry leaders have taken significant \nefforts to protect online privacy. To name a few, they are \nDisney Online, IBM, Microsoft, AT&T, Eastman Kodak, Dell \nComputer, Fox Broadcasting, the Boston Globe, the San Francisco \nChronicle, the Wall Street Journal, CyberBills, Educational \nCommunications, Inc., and worldtravelcenter.com.\n    Mr. Tauzin. And the Commerce Committee.\n    Ms. Anthony. And the Commerce Committee and the FTC. In \naddition, the seal programs show promise. But some companies \nhave made a business out of collecting, buying and selling \nindividually identifiable information. 
I was shocked to \ndiscover shortly after I joined the Commission that at least \none of the several information brokers operating in the \nmarketplace had my name, my husband's name, our Social Security \nnumbers, our address, the value of our home, the years in which \nour Social Security numbers were issued, our mothers' maiden \nnames, the address where we lived before coming to Washington \nin 1978, our two daughters' names, their husbands' names, their \nSocial Security numbers, their addresses at every place they \nhad lived, and even our 3-year-old grandchild's name and Social \nSecurity number. I might add there were several mistakes in \nthis report.\n    We in the government, especially those of us who have gone \nthrough a confirmation process or you who have stood through \nelection are accustomed to having your lives laid bare. But \nmost Americans are not and do not want to. The studies of which \nI am aware consistently show a high level of concern about \nonline privacy. For example, a study just released by Harvard, \nMIT, AT&T Labs and the University of California, Irvine, in \nApril found that 87 percent of Internet users were concerned \nabout personal privacy threats. One year ago, these online \nprivacy concerns were held by 81 percent of Internet users. So \nover the years, public concern has increased not decreased as \nshown plainly by this chart.\n    I respectfully disagree with my colleagues in that I \nbelieve the time is ripe for Congress to enact Federal \nlegislation to protect online consumer privacy, at least to the \nextent of providing minimum Federal standards. As a whole, \nindustry progress has been far too slow since the Commission \nfirst began encouraging the adoption of voluntary fair \ninformation practices in 1996.\n    Notice, while an essential first step, is not enough if the \nprivacy policies themselves are toothless. 
I do believe that \nCongress is the appropriate place for the debate about this \nissue, and I notice that there are several bipartisan online \nprivacy bills pending in both the House and the Senate, at \nleast one, by members of this committee. These bills can serve \nas starting points to craft balanced privacy legislation.\n    I am concerned without widespread implementation of fair \ninformation practices on commercial web sites and absent \neffective privacy protections, several results are inevitable. \nFirst, the dissatisfaction of the American people will grow in \npitch and intensity as it has in the past.\n    Second, a patchwork of State laws to protect online privacy \nwill emerge. Several States, for example California, \nConnecticut, Delaware, Washington, and Maine have moved in that \ndirection. Consider the confusing environment that could result \nfor consumers, online marketers, and the courts under such a \npatchwork.\n    Third, consumer confidence will be undermined which will \nhinder the advancement of electronic commerce and trade. \nSometimes the personal information such as health and financial \ninformation will require heightened security and protection. \nWithout the widespread adoption of fair information practices, \nhowever, not even an across-the-board minimum standard of \nprotection exists.\n    Let me conclude by saying that I am troubled by the results \nof the Georgetown surveys that show much less progress than I \nhad hoped. I am pleased to say the Commission will continue its \ninvolvement in the privacy area, and our report sets out a \nnumber of initiatives for the coming year.\n    Thank you for the opportunity to share my views.\n    [The prepared statement of Hon. Sheila F. Anthony follows:]\n  Prepared Statement of Hon. Sheila F. Anthony, Commissioner, Federal \n                            Trade Commission\n    Mr. 
Chairman and members of the Subcommittee on Telecommunications, \nTrade, and Consumer Protection, I am delighted to be here this morning, \nand I appreciate your holding this hearing today to address a topic of \nextreme importance to the American people. I will speak briefly about \nonline privacy protection.\n    As the Commission's 1999 report to Congress states, only 10% of \nwell-traveled Internet sites in a recent survey have privacy \ndisclosures that speak to all four substantive fair information \npractice principles of notice, consent, access, and \nsecurity.<SUP>1</SUP> Even among the top 100 most frequently visited \nInternet sites, only some 20% have privacy disclosures addressing these \nfour principles.<SUP>2</SUP>\n---------------------------------------------------------------------------\n    \\1\\ Federal Trade Commission, Self-Regulation and Privacy Online: A \nReport to Congress, 7 n.10. (July 1999) [hereinafter Report].\n    \\2\\ Report at 7 n.42; see FIPs Compliance Gap, chart infra.\n---------------------------------------------------------------------------\n    Last year I was asked to grade the online privacy performance of \nthe industry as a whole. I generously gave industry a D+.<SUP>3</SUP> I \nexpected industry's performance to substantially improve.\n---------------------------------------------------------------------------\n    \\3\\ Statement of the Honorable Sheila F. Anthony before the House \nof Representatives, Committee on Commerce, Subcommittee on \nTelecommunications, Trade, and Consumer Protection (July 21, 1998).\n---------------------------------------------------------------------------\n    Some industry leaders have undertaken significant efforts to \nprotect online privacy, including Disney Online, IBM, Microsoft, AT&T, \nEastman Kodak, Dell Computer, Fox, the Boston Globe, the San Francisco \nChronicle, the Wall Street Journal, CyberBills, Educational \nCommunications, Inc., and Worldtravelcenter.com. 
In addition, the seal \nprograms show promise. But some companies have made a business out of \ncollecting, buying, and selling individually identifiable information \nonline.\n    I was shocked to discover, shortly after I joined the Commission, \nthat at least one of the several ``information brokers'' operating in \nthe marketplace had my name and my husband's name, our address, the \nvalue of our house, our social security numbers, the year they were \nissued, our mothers' maiden names, the address where we lived before \ncoming to Washington in 1978, our two daughters' names, their husbands' \nnames, their social security numbers, every address where they had \nlived, and even our 3-year-old grandchild's name and social security \nnumber. I might add that there were several mistakes in that report on \nme.\n    We in the government, and especially those of us who have \nexperienced a confirmation process or you who have stood for election, \nknow what it is to have our private lives laid bare. But most Americans \ndo not, nor do they want to.\n    I am disappointed that sufficient progress by industry as a whole \nhas not been made toward the protection of online privacy under a self-\nregulatory approach. Such a lack of progress is surprising, given the \nCommission's clear articulation of fair information practice principles \nin our 1998 Online Privacy Report. Even prior to my arrival at the \nCommission, the Agency had encouraged industry to adopt voluntary fair \ninformation practices.<SUP>4</SUP> Indeed, Secretary of Commerce Brown \nplainly expressed the fair information principles of notice and consent \nas long ago as 1995.<SUP>5</SUP> The self-regulatory environment has \nnot advanced the ball as far as I would have expected. 
Thus, consumer \nprivacy remains an issue about which 87% of online Americans, including \nme, are extremely concerned.\n---------------------------------------------------------------------------\n    \\4\\ Federal Trade Commission Letter to Senator John McCain 6 n.2 \n(July 31, 1997).\n    \\5\\ Ronald H. Brown, U.S. Department of Commerce, Privacy and the \nNII: Safeguarding Telecommunications-Related Personal Information pt. \nIII.A-B(Oct. 1995), available at National Telecommunications and \nInformation Administration, Privacy and the NII: Safeguarding \nTelecommunications-Related Personal Information (visited June 23, 1999) \n<http://www.ntia.doc.gov/ntiahome/ privwhitepaper.html> at 13-16.\n---------------------------------------------------------------------------\n    Privacy is ``one of our most cherished freedoms.'' <SUP>6</SUP> Too \noften, however, the debate about privacy and the protection of personal \ninformation that is surreptitiously gathered takes on an ethereal \nquality and looks for proof of direct harm. Direct harm is not \nnecessary to justify fair information practices, but is evident, for \nexample, in cases of cyberstalking and identity theft.\n---------------------------------------------------------------------------\n    \\6\\ Statement of President Clinton, Morgan State University (May \n18, 1997), available at The White House, Commencement Address by the \nPresident at Morgan State University (May 18, 1997) http://\nwww.pub.whitehouse. gov/ uri-res/I2R?urn:pdi://oma.eop.gov.us/1997/5/\n19/1.text.1.\n---------------------------------------------------------------------------\n    The American public deeply values its privacy, quite apart from \nnotions of direct harm. The studies of which I am aware consistently \nshow a high level of concern about online privacy. 
For example, a study \njust released by Harvard, MIT, AT&T Labs, and the University of \nCalifornia-Irvine in April found, as I mentioned earlier, that 87% of \nInternet users were concerned about personal privacy \nthreats.<SUP>7</SUP> One year ago these online privacy concerns were \nheld by 81% of Internet users.<SUP>8</SUP> So, over the years public \nconcern has increased, not decreased.<SUP>9</SUP>\n---------------------------------------------------------------------------\n    \\7\\ Lorrie Faith Cranor et al., Beyond Concern: Understanding Net \nUsers' Attitudes About Online Privacy, Research Technical Report, TR \n99.4.3 (Apr. 14, 1999), available at AT&T Labs, Beyond Concern: \nUnderstanding Net Users' Attitudes About Online Privacy 3, 5-6 (visited \nJune 22, 1999) <http://www.research.att. com/library/trs/TRs/99/99.4/\n99.4.3/report.htm [hereinafter AT&T Labs].\n    \\8\\ See id., available at AT&T Labs, supra note 7, at 4.\n    \\9\\ See Growing Public Concern, chart infra; Cranor, supra note 7, \navailable at AT&T Labs, supra note 7, at 5-6 (1999 figure); Louis \nHarris & Associates, Privacy & American Business, summarized in Privacy \nExchange, Consumers & Credit Reporting 1994 (visited July 6, 1999) \n<http:www.privacyexchange.org/iss/surveys/con--cre. html> at 1 n.1 \n(1993 figure); Louis Harris & Associates, The Road After 1984, \nsummarized in Equifax, Equifax Executive Summary 1990 (visited July 6, \n1999) <http:www.privacyexchange.org/iss/surveys/eqfx.execsum.1990. 
\nhtml> at 1 (1983 figure); Louis Harris & Associates, Dimensions of \nPrivacy, summarized in Equifax, Equifax Executive Summary 1990, supra, \nat 1 (1978 figure).\n---------------------------------------------------------------------------\n    In reporting on the status of self-regulation and online privacy \nprotection, the Commission has fulfilled its promises to collect \ninformation regarding online privacy and provide a response to the \nCongress.<SUP>10</SUP> I respectfully disagree with my colleagues in \nthat I believe that the time is ripe for Congress to enact federal \nlegislation to protect online consumer privacy, at least to the extent \nof providing minimum federal standards. As a whole, industry progress \nhas been far too slow since the Commission first began encouraging the \nadoption of voluntary fair information practices in 1996.<SUP>11</SUP> \nNotice, while an essential step, is not enough if the privacy practices \nthemselves are toothless. I do believe that Congress is the appropriate \nplace for the debate on the online protection of consumer privacy, and \nI note that several bipartisan online privacy bills are pending in both \nthe House and the Senate, including at least one by members of this \nCommittee. These bills can serve as starting points to craft balanced \nprivacy legislation.\n---------------------------------------------------------------------------\n    \\10\\ See Letter to Senator McCain, supra note 4; Federal Trade \nCommission, Privacy Online: A Report to Congress (June 1998).\n    \\11\\ See Federal Trade Commission, Public Workshop on Consumer \nPrivacy on the Global Information Infrastructure, Staff Rept. (Dec. \n1996).\n---------------------------------------------------------------------------\n    I am concerned that, without widespread implementation of fair \ninformation practices on commercial Web sites and absent effective \nprivacy protections, several results are inevitable. 
First, the \ndissatisfaction of the American people will grow, as it has in the \npast, in both pitch and intensity.\n    Second, I am concerned that a patchwork of state laws to protect \nonline privacy will emerge. Several states, for example, California, \nConnecticut, Delaware, Washington, and Maine, have moved in that \ndirection.<SUP>12</SUP> Consider the confusing environment that could \nresult for consumers, online marketers, and the courts under such a \nlegal patchwork.<SUP>13</SUP>\n---------------------------------------------------------------------------\n    \\12\\ See, e.g., Conn. H. B. 6895, File No. 608, as amended by House \nAmendment Schedule A (reissued and approved by Legislative Commissioner \non May 7, 1999) (passing law to prohibit state from requiring social \nsecurity numbers of voter registrars); Cal. S.B. 417, Supermarket Club \nCard Disclosure Act of 1999 (heard June 15, 1999 by Assembly Committee \non Consumer Protection, Governmental Efficiency & Economic \nDevelopment); Del. H.B. 100 (House concurred in Senate amendments with \nadditional amendments and forwarded bill to Senate for concurrence on \nJune 17, 1999) (making videography or photography where reasonable \nexpectation of privacy exists a felony); Wash. H.B. 2220 (to House \nCommittee on Criminal Justice and Corrections on Feb. 22, 1999), \namending ch. 9.73 RCW (making visual surveillance where reasonable \nexpectation of privacy exists a misdemeanor); see also Thomas Shapley, \nA Move to Ban Videos that Invade Privacy, Seattle Post-Intelligencer, \nMar. 2, 1999, available at Seattle Post-Intelligencer, Seattle PI-Plus \n(visited June 24, 1999) <http://www.seattle-pi.com/local/peep02. \nshtml>; Maine S.P. 93--L.D. 232--P.L. 17 (interim enactment on Mar. 19, \n1999), amending Sec. 1 20-A MRSA Sec. 6001, as amended by P.L. 1989, c. \n911 Sec. 
1.\n    \\13\\ The point about courts goes to establishing a uniform legal \nstandard of a ``legitimate expectation of privacy.'' See, e.g., Smith \nv. Maryland, 442 U.S. 735, 735 (1979).\n---------------------------------------------------------------------------\n    Third, I am concerned that the absence of online privacy \nprotections will continue to undermine consumer confidence and hinder \nthe advancement of electronic commerce and trade, specifically of trade \nwith the European Union and its 320 million consumers. Some types of \npersonal information, such as health and financial information, will \nrequire heightened privacy protections. Without the widescale adoption \nof fair information practices, however, not even an across-the-board \nminimum standard of protection exists.\n    Let me conclude by saying that I am troubled by the results of the \nGeorgetown surveys that show much less progress than I had hoped. I am \npleased to say that the Commission will continue its involvement in the \nprivacy arena, and our report sets out a number of initiatives for the \ncoming year.\n    Thank you for the opportunity to share my views.\n\n    Mr. Tauzin. Thank you, Commissioner Anthony.\n    Following is the Honorable Mozelle Thompson of the Federal \nTrade Commission. Commissioner Thompson.\n\n              STATEMENT OF HON. MOZELLE W. THOMPSON\n\n    Mr. Thompson. Good morning, Mr. Chairman. I also thank the \ncommittee for allowing us to appear this morning.\n    Today we discuss the FTC's latest report on online privacy. \nAlmost exactly a year ago, we appeared before this committee to \ndiscuss the state of that issue. At that time, we noted that \nconsumers' confidence that their personal information would not \nbe misused was a key element for gaining consumer acceptance \nfor the electronic marketplace. 
Yet we were disappointed about \nindustry progress.\n    I specifically voiced my concerns about coverage, the \nbreadth of total web sites actually posting privacy policies, \nand the development and implementation of enforcement \nmechanisms. Those concerns remain. Now 1 year later, I find the \nrecord of progress mixed.\n    If we are going to be a leader in a global system of \nelectronic commerce and e-commerce is going to continue to lead \nour new economy, we must reach collective understanding on \nprinciples that will provide consumers with the confidence that \nthey need to accept e-commerce as a way of life. I would point \nout that the Commission is already on record in our testimony \nlast July as to the exact elements we consider necessary to \nensure fair information practices.\n    During the past year, industry leaders have expended \nsubstantial effort to build self-regulatory programs. They \nshould be commended for their efforts and encouraged to \nbuild upon them. However, as the Georgetown and OPA studies \nclearly show, while many leading online companies understand \nthe business case for protecting consumer privacy, the \nimplementation of their information practices is not widespread \namong commercial web sites.\n    In fact, a mere 10 percent of the companies in the \nGeorgetown survey have done so. Although the OPA does not audit \nits members for compliance with privacy guidelines, the results \nof its own studies show that only 22 percent of the top 100 web \nsites, most of which are OPA members, have implemented all four \nelements of fair information practices. 
These findings suggest \nthat even these industry leaders are only slowly rising to the \nchallenge they have set.\n    As our report suggests, the important challenges to be \naddressed include reaching those businesses that have not taken \nsteps to protect consumer privacy, especially small- and \nmedium-sized businesses that will provide the real base for \nreal growth in e-commerce and encouraging widespread adoption \nof all of the information practices including educating \nconsumers about the value of self-regulatory efforts. The \nworkshops and other activities that the Commission has planned \nfor the coming months are designed to help us pinpoint specific \nproblem areas for action. Congressional review of privacy \nissues is also helpful in this regard, and I feel strongly that \nthere is a value to continued hearings and debate about \nlegislative proposals.\n    And so, despite my concerns about the pace of industry \nprogress, I believe it may be more appropriate to defer \ndecision on legislative action until our newly developed agenda \nsheds more light on these issues. I continue to be hopeful that \nindustry can solve this problem. The recent initiatives by IBM, \nMicrosoft, Disney, and others on Internet advertising are steps \nin the right direction. But I would ask the industry redouble \nits efforts to develop effective technological tools that \nconsumers can use to safeguard their own privacy online because \neven well-crafted legislation will not achieve 100 percent \ncompliance. Ideally, easy to use technology will empower \nconsumers by allowing them to predetermine the circumstances \nunder which they will share personal information. I am pleased \nto note that one of our proposed workshops for the coming \nmonths deals specifically with this issue.\n    In sum, achieving a robust level of privacy protection will \nrequire cooperation between industry, government, and \nconsumers. 
While we have chosen to let industry lead in solving \nthis public policy problem, public confidence in electronic \ncommerce will erode if they fail to live up to the challenge. \nUltimately, government officials like us are directly \naccountable to the public, and we must also continue to play a \nrole in shaping solutions. In any case, the FTC will continue \nto pursue its enforcement role against those who deceive \nconsumers by misusing personal data.\n    So has progress been made since the last report to \nCongress? Absolutely. Have we solved the problem of online \nprivacy? No. But I believe that self-regulation will succeed \nonly if industry acts on the specific shortcomings that these \nrecent studies document. Moreover, Congress, the \nadministration, and others must remain vigilant and should not \nforeclose the possibility of legislative and regulatory action \nif we cannot make swift and significant additional progress. \nThank you.\n    [The prepared statement of Mozelle W. Thompson follows:]\n Prepared Statement of Hon. Mozelle W. Thompson, Commissioner, Federal \n                            Trade Commission\n    I am pleased to appear before the Commerce Committee with my fellow \nCommissioners to discuss the FTC's latest report on online privacy. As \nyou are aware, the Commission has spent much time and energy working on \nthis issue, and each of us thought it important to share our individual \nviews and insights.\n    Almost exactly one year ago, we appeared before this Committee to \ndiscuss the state of on-line privacy. At that time, we noted that \nconsumers' confidence that their personal information would not be \nmisused was a key element for gaining consumer acceptance for the \nelectronic marketplace; yet, we were ``disappointed'' about industry \nprogress. 
I specifically voiced my concerns about coverage (i.e., the \nbreadth of total web sites actually posting privacy policies) and the \ndevelopment and implementation of enforcement mechanisms. Now, one year \nlater (and three years after the FTC first started working with \nindustry on Internet issues), I find the record of progress is mixed.\n    If we are going to be the leader in a global system of electronic \ncommerce, and e-commerce is going to continue to lead our ``New \nEconomy'', we must reach a collective understanding on principles that \nwill provide consumers with the confidence they need to accept e-\ncommerce as a way of life. And I would point out that the Commission is \nalready on record in our testimony of last July as to the exact \nelements that we consider necessary to ensure fair information \npractices.\n    During the past year, industry leaders have expended substantial \neffort to build self regulatory programs. They should be commended for \nthese efforts and encouraged to build upon them. However, as the \nGeorgetown and OPA studies clearly show, while many leading online \ncompanies understand the business case for protecting consumer privacy, \nthe implementation of fair information practices is not widespread \namong commercial web sites. In fact, a mere ten percent of companies in \nthe survey have done so. Although the OPA does not audit its members \nfor compliance with its privacy guidelines, the results of its own \nstudy show that only 22 percent of the top 100 web sites (most of which \nare OPA members) have implemented all four elements of fair information \npractices. 
These findings suggest that even these industry leaders are \nonly slowly rising to the challenge they have set.\n    As our report suggests, the most important challenges to be \naddressed include:\n\n1) Reaching those businesses which have not taken steps to protect \n        consumer privacy, especially small and medium-sized businesses \n        which will provide the base for real growth in e-commerce; and\n2) Encouraging widespread adoption of all of the fair information \n        practices, including educating consumers about the value of \n        these self-regulatory efforts.\n    The workshops and other activities the Commission has planned for \nthe coming months are designed to help us pinpoint specific problem \nareas for action. Congressional review of privacy issues is also \nhelpful in this regard and I feel strongly that there is a value to \ncontinued hearings and debate about legislative proposals. And so, \ndespite my concerns about the pace of industry progress on privacy, I \nbelieve that it may be more appropriate to defer a decision on \nlegislative action until our newly developed agenda sheds more light on \nthese issues.\n    I continue to be hopeful that industry can solve this problem. \nRecent initiatives by IBM, Microsoft and Disney on Internet advertising \nare steps in the right direction. I would also ask industry to redouble \nits efforts to develop effective technology tools that consumers can \nuse to safeguard their own privacy on line, because even well-crafted \nlegislation will not achieve 100 percent compliance with fair \ninformation practices. Ideally, easy-to-use technology will empower \nconsumers by allowing them to predetermine the circumstances under \nwhich they will share personal information. 
I am pleased to note that \none of our proposed workshops for the coming months deals specifically \nwith these issues.\n    In sum, achieving a robust level of privacy protection will require \ncooperation between industry, government and consumers. While we have \nchosen to let industry lead in solving this public policy problem, \npublic confidence in electronic commerce will erode if they fail to \nlive up to the challenge. Ultimately, government officials like us are \ndirectly accountable to the public and we must also continue to play a \nrole in shaping solutions to the privacy problem. In any case, the FTC \nwill continue to pursue its enforcement role against those who deceive \nconsumers by misusing their personal information.\n    Has progress been made since our last report to Congress? \nAbsolutely. Have we solved the problem of online privacy? Of course \nnot. But, I believe that self-regulation will succeed only if industry \nacts on the specific shortcomings that these recent studies document. \nMoreover, Congress and the Administration must remain vigilant and \nshould not foreclose the possibility of legislative and regulatory \naction if we cannot make swift and significant additional progress.\n\n    Mr. Tauzin. Thank you, Commissioner Thompson.\n    Let me ask you all quickly now what I had asked you to do \nat the beginning. Starting with you, Mr. Chairman, you gave the \nindustry a considerable room for improve grade last year. What \ndo you give them this year?\n    I am sorry, you gave them an incomplete.\n    Mr. Pitofsky. I have to break it down in two ways. If the \nquestion is how much progress they have made over the last \nyear, I would give them a pretty good grade. I would give them \na B plus, maybe even better than that. If the question is are \nwe there yet, do we have a privacy policy that is acceptable to \nall of us, I would still say they are down around a C, and \nthere is a long way to go.\n    Mr. Tauzin. 
Let's go to you, Mr. Swindle. You gave them a \nrising D last year.\n    Mr. Swindle. Yes, sir. And I agree with the chairman on his \nassessment and would point out that we will get there. I think \nthe cooperation between industry and consumer privacy groups \nand the FTC in our role as regulators and enforcers, will get \nus there.\n    Mr. Tauzin. You gave them an overall C with a B plus for \nimprovement. Ms. Anthony, you gave them a D plus last time, \nbarely passing.\n    Ms. Anthony. This year I would give the leaders of the \nclass, the industries whose names I mentioned this morning and \nothers who have adopted all four information practices an A. \nThey deserve it. They have stepped up to the plate. Industry as \na whole still gets a D plus in my view.\n    Mr. Tauzin. Mr. Thompson, you said considerable room for \nimprovement. I have seen that in my report a few times. What \ndoes that mean? Are you prepared to raise that grade?\n    Mr. Thompson. I would give them a C minus. While I still \nthink there are some industry leaders, unfortunately from a \nconsumer's perspective, the industry is going to be judged by \nits totality and not necessarily by its individuals.\n    Mr. Tauzin. The reason I did this, of course, is because it \nkind of--perhaps as we go through these hearings it kind of \ngauges for us where you see the progress of the industry and \nwhere it is currently positioned.\n    Let me first thank Chairman Pitofsky and all of you, the \ncommissioners of the FTC, for the work that you are doing. I \nthink the oversight, consumer education forums, I think are \ncritical elements of industry progress. Much of the progress \nthat I think that you have cited today can be attributed to the \nfact that you are doing such good work, and I want to commend \nyou for it and encourage you.\n    Let me ask you in that regard. 
In that, 66 percent of the \nsites now have at least some notice policy, that notice may say \nthat we collect no information or it may say we collect it and \nhere is our policy. In regard to that--and Mr. Chairman, you \nsort of agreed with Mr. Markey that the four elements of a good \nnotice policy would be notice, consent, access, and security.\n    Has anyone--the seal organizations or OPA--has anyone ever \nconsidered doing what the old Siskel and Roberts thing used to \ndo with movies? Some kind of rating system, but not a \nGovernment imposed one; a private rating system so that \nconsumers have an easy way of gauging whether or not this is a \ngood privacy policy or a bad one? For example, a four star \nsystem for those that have all four elements or three stars \nthat have all three out of the four?\n    If we are going to have self-regulation, if consumers are \ngoing to look at these notices and make judgments about whether \nthere is a site they want to trust, this is a business they \nwant to deal with, this is a service provider who is literally \nhelping them deal with companies or firms to which they can \ntrust for their information, should there be a simple way for \nthem to gauge how well or how good that industry is, in fact, \nperforming on a privacy policy? Is that a good idea, or is that \nsomething you would encourage in the private industry? Mr. \nPitofsky.\n    Mr. Pitofsky. On your first question, I don't really know \nwhat every one of these seal groups--there must be almost a \nhalf dozen of them now. I think as to most of them, the ones \nthat I know the best, I would grade them on a pass-fail basis. \nEither you get the seal or you don't get the seal. The seal is \nan indication that people are abiding by the information \npractices.\n    Is it a good idea? I'm not sure.\n    I certainly think that the pass/fail with monitoring and \nenforcement is critical. 
If you want to go further than that, \ntwo stars, three stars, four stars, it wouldn't hurt. The more \ninformation in the marketplace, the better off consumers are. I \nguess I would think it is a good approach. I would be concerned \nabout administration, who is going to make these decisions \nbetween two stars and three stars. It may be that it is easier \nand better and adequate to go pass/fail.\n    Mr. Tauzin. In regards to--Siskel and Ebert. I don't know \nwhy I said Roberts.\n    The concern that some have expressed about the bad players, \nand assuming everybody continues to make progress, but there \nare still some bad players out there who just refuse to put up \na notice policy, refuse to put up any privacy. Some will say, \nwell, then, let the consumer beware. If there is no notice \npolicy, don't deal with those people.\n    Others would say that there ought to be some fallback, some \nsafety net to make sure that those individuals who will not \nagree to be part of the online privacy organization or the \nalliance part of one of the seal programs, there ought to be \nsome sort of fallback requirement for someone who refuses to \nsubmit to self-regulation within the industry.\n    What are your thoughts on that?\n    Mr. Pitofsky. Let me start, and then I will ask my \ncolleagues to pitch in. That is a problem with self-regulation \nin every sector of the economy. No matter how good self-\nregulation is, there are a few sellers who will just ignore it. \nYou don't get 100 percent law enforcement either when you pass \na law, although it can be argued that you can get closer to \nuniversal coverage with a law than with self-regulation.\n    I do believe that once the seals are adopted and effective \nthat buyers will then have the information and they can protect \ntheir own interests. There was a study that came out just last \nweek that says that most people, if they have notice and an \nopportunity to opt out, are content. 
That is really what they \nwant. We are talking about 85, 86, 87 percent. So most people \nwill be satisfied with that. This is an Alan Westin study that \nwas published last week.\n    So I think giving people information, letting them protect \ntheir own interests, is a pretty good way to go.\n    Mr. Tauzin. Anybody else want to comment on that? Ms. \nAnthony.\n    Ms. Anthony. My comment is that self-regulation doesn't \nneed to end if Federal legislation establishing a basic \nstandard exists. We have self-regulation in a lot of industries \nwhere there is a baseline minimum standard set by the Congress.\n    The seal programs do furnish an impetus to industry, and \nsome comfort for consumers. But at present, it may be difficult \nfor consumers to distinguish among the various seal programs. \nSo that would be my comment. Self-regulation doesn't need to \nend, and the seal programs are a good way to continue.\n    Mr. Tauzin. Anyone else? Mr. Thompson?\n    Mr. Thompson. Sure. I think your question was an important \none, in that is there a core group that you might not be able \nto get to, and how big is it? I think that that is one of the \nthings that we may try to assess because it is important to \nlook at scale here as well. If you take all of the companies \nwho are in seal programs now, who are applying, have the \napplication pending, if you take the companies in the online \nprivacy alliance, and add that all together, you maybe have \n1,000 companies. Now, there are a million Web sites out there. \nIf you assume that only 1 percent actually sell to people, that \nis 10,000.\n    So what we are talking about is how to get the market \nmoving so that there is a condition under which consumers feel \ncomfortable that their privacy is going to be protected. It is \ngoing to take a larger effort on the part of government, \nindustry and consumers alike. So there probably isn't any one \nelement.\n    Mr. Tauzin. Mr. Swindle.\n    Mr. Swindle. Yes, sir. 
I believe the question had to do \nwith the existence of bad players, people who will perhaps \nrefuse to participate in a voluntary program of seals. I call \nit the bad player assumption, that is, those who do not \nparticipate are bad players. I think that is a highly \nquestionable assumption that everybody who doesn't have a \nprivacy statement is doing something wrong. Commercial Web \nsites are increasing at some indescribable rate right now. So \nthe reality is, we are never, ever going to have everybody \nunder any kind of program, seals or laws or otherwise. That is \njust a reality.\n    With regard to the 10,000 commercial sites versus 1,000 \nseal programs, I think a better way to look at it is to focus \non the sites that people visit the most to do commerce. We can \nnarrow this thing down through survey techniques to discover \nwhere 90 percent of the people are going. If those sites have \nprivacy policies, I think we are accomplishing or getting \ntoward accomplishing our goal. I think the point that I would \nlike to make is first, let's don't assume that anybody who \ndoesn't have a privacy policy is bad. This country is not \nfounded on that principle. Second, if we keep encouraging and \nworking toward it, we will get there.\n    One more point, Mr. Chairman. The problem that I see, when \nyou establish a law that says you will all have it, then you \nhave to enforce it. I am trying to imagine how the FTC or any \nother agency can enforce this. Then, if you do not obey the \nlaw, and it could be that you didn't know you had to and many \npeople like that, then we must punish. That represents a heck \nof a dilemma for us in government, I think.\n    Mr. Tauzin. 
We will leave that issue, and I will ask my \nlast question, but just to let you know that what is hanging \nout there is a question as to whether or not there is anything \neither the government can do through the FTC or through the \nlegislative process that encourages people to want to be part \nof a self-policing operation, rather than to submit some system \nof either government regulatory authority or what have you. \nThat is sort of hanging out there. I don't think we get to the \nanswer until we know exactly what that universe of bad--so-\ncalled, maybe, bad players is.\n    Last question. The Washington Post, June 27, 1999. Uncle \nSam has all your numbers.\n    Chairman Bliley today, before most of the members got here, \nannounced that our Commerce Committee is posting a privacy \npolicy. The FTC has posted its own privacy policy. I want to \ncommend Chairman Bliley again and commend the FTC for your \nexamples of government agencies, saying what we are going to do \nwith information we obtain in our work in regard to \nconstituents.\n    But, here is the headline and the story in the Washington \nPost, June 27, 1999: As part of a new and aggressive effort to \ntrack down parents for child support, the Federal Government \nhas created a vast, computerized data monitoring system that \nincludes all individuals with new jobs and names and addresses, \nSocial Security numbers and wages of nearly every working adult \nin the United States. Government agencies have long gathered \npersonal information for specific reasons, such as collecting \ntaxes, but never before has a Federal official had the legal \nauthority or technical ability to locate so many Americans \nfound to be delinquent parents or such potential to keep tabs \non Americans accused of nothing.\n    The system was established under the little known part of \nthe law forming welfare reform a few years ago. Starting next \nmonth, the system will reach further. 
Large banks and other \nfinancial institutions will be obliged to search for data about \ndelinquent parents by name on behalf of the government \nproviding authorities with details about bank accounts, money \nmarkets, mutual funds, other holdings of the parents, et \ncetera.\n    The story goes on to detail about other government data \ncollection systems at the IRS and at other Federal agencies \ndealing with citizens.\n    Mr. Pitofsky, is anybody doing any analysis of how well \nGovernment itself is providing privacy notices and privacy \nprotections in regards to how it gathers information on \ncitizens in this country?\n    Mr. Pitofsky. We have not been investigating collection of \ndata by the government. But I do--now I would like to join my \ncolleague, Sheila Anthony here. I had the same reaction when I \nfirst came to the Commission this time around.\n    It is astonishing how much information is collected in \nvarious ways, and this isn't just an online issue now. We are \ntalking online, off-line, collection of information in a \nvariety of ways. I know Congress is concerned about this. I \nknow that members have been addressing it, and I really do \nthink that this is something that we have to pay attention to.\n    When people realize how much information is available about \nthem for a price, they are shocked at the sort of resume of \ninformation that Commissioner Anthony noted. And we do have to \nkeep an eye on this issue.\n    Often information is collected with what purports to be \ngood reasons, but you never know how it is actually used.\n    Mr. Tauzin. But no one is doing any kind of analysis of \ngovernment collection of data and governments and agencies of \ngovernment's ability or willingness to post any kind of policy \non the use of that data and the collection of that data?\n    Mr. Pitofsky. I don't know about no one. We have not--that \nis a little outside our jurisdiction.\n    Mr. Tauzin. Mr. Swindle.\n    Mr. Swindle. Mr. 
Chairman, I applaud you bringing up this \nsubject, because when I saw the article back on June 27 or \nwhenever it was, my first reaction was that I was appalled that \nthis kind of an operation could come into existence in today's \nenvironment where we have so many--I mean there are daily \nstories about consumer and privacy advocates, and I think in a great sense \nrightfully, clamoring for something to get better in this \nmatter of protecting people's privacy.\n    I have subsequently been astounded that there has been no \nclamoring on this particular point. In fact, if I recall \ncorrectly, there has only been about a 1-day story on that. It \njust sort of disappeared. If people are concerned about mom and \npop operations selling chile sauce over the Internet not having \na privacy statement, where is the concern about the Federal \nGovernment collecting data on every single person in this \ncountry?\n    Mr. Tauzin. Obviously, it is being collected in many cases \nfor a good purpose. The question is, what can it be used for \nand what are the rules? Mr. Thompson.\n    Mr. Thompson. Just two short points. One is, I don't want \nus to forget that there is still the Privacy Act. It covers the \nFederal Government and contains limits on how we use and share \ninformation about individuals in this country. That is one.\n    Second of all, I am aware that the folks at the Office of \nManagement and Budget are working with agencies right now to \nwork on their Web sites, to post privacy policies. So I know \nthat is an initiative that they are undertaking right now.\n    Mr. Tauzin. Thank you, Mr. Commissioner.\n    The Chair now recognizes the gentleman from Massachusetts, \nMr. Markey.\n    Mr. Markey. Thank you, Mr. Chairman, very much.\n    First of all, with regard to some of the grades that were \ngiven out here today to the online industry, I think we really \nare in the era of great inflation, Mr. Chairman. 
Giving a B \nplus to this industry and its effort is, from my perspective, \nabsolutely inappropriate. This industry deserves a big, fat F. \nIt is not, as an industry, providing real privacy to consumers \nin our country online. Ninety percent of the industry is \nauditing the course, the Georgetown study makes that clear.\n    Now, if we are going to deal with this realistically, we \nare going to say, I guess that is what I am hearing from some \nof the people out here, that we believe that we really don't \nneed Federal agencies, and if we don't need the Securities and \nExchange Commission, because most people are honest. We don't \nneed the Federal Trade Commission. We can repeal most of the \nstatutes we have empowered them to look at in terms of fraud, \nbecause most people are honest.\n    If we believe that this industry is ever going to reach 100 \npercent compliance, and I guess that is what we are going to \nhear today, that you believe that self-regulation will lead to \n100 percent compliance, then we don't need any laws in most \nareas where the Federal Trade Commission is now empowered, or \nwith the Securities and Exchange Commission, or with the \nFederal Communications Commission. Because as Mr. Swindle is \nsaying, that is not what this country is all about. We don't \nbelieve that people do things wrong. I don't know why anyone \nwould even want to serve on a Commission like this, Mr. \nSwindle, if that is what we believe.\n    Mr. Swindle. Can I respond, sir?\n    Mr. Markey. When I finish, yes.\n    Mr. Swindle. Yes.\n    Mr. Markey. Mr. Pitofsky, do you believe that core privacy \ncriteria of notice, choice, access, and security are a good \nidea, a noble gesture by online sites, or a necessary consumer \nprotection for privacy online?\n    Mr. Pitofsky. Necessary protection.\n    Mr. Markey. Are they essential?\n    Mr. Pitofsky. Yes, I believe they are. The only question is \nhow to get there.\n    Mr. Markey. 
Is disclosure alone enough protection?\n    Mr. Pitofsky. Well, I think it is the most important of the \nvarious protections, but I don't think it is enough.\n    Mr. Markey. Is it enough?\n    Mr. Pitofsky. I don't think so.\n    Mr. Markey. Okay. Now, in your testimony, Mr. Chairman, on \npage 5 of your testimony, you say, only a small minority, only \na small minority of commercial Web sites, however, have joined \nthese programs, these voluntary programs, to date. They also \nshow that as a study, that the implementation of fair \nimplementation practices is not widespread amongst commercial \nWeb sites.\n    Then your very next sentence says, based on these facts, \nthe Commission believes that legislation to address online \nprivacy is not appropriate at this time.\n    How long will we have to wait, Mr. Chairman, for this \nadministration to take a stand on this issue? How long will it \ntake, deep into, now, the online commerce era for us to realize \nthat most of the participants in this industry won't have a \nprivacy protection policy which is meaningful unless the \nFederal Government puts one on the books to provide that for \nall Americans?\n    Mr. Pitofsky. May I answer a couple of your earlier points \nand then come to how long? As an academic, I have to respond to \nthe question of grade inflation. Remember, all I said was, on \nenergy, effort, commitment, they get a B plus. As far as where \nwe are now, I give them a C, so there is a long way to go.\n    Do I think that we don't need any law because everybody is \nhonest? Of course not. We bring hundreds of cases every year in \nthe antitrust and consumer protection fields. Self-regulation \nonly works when the industry comes to the conclusion that it is \nin their interests to abide by certain principles. That is not \ntrue in many areas of law, and therefore, the government has to \ncrack down. 
It remains to be seen whether industry will come to \nthe view in this area, as they should, that consumers want, \ncare about, and need privacy, and that it is in industry's \ninterests to make sure it is introduced.\n    How long should we take? You know, the most, I have often \nsaid, the most effective self-regulation program in this \ncountry is the advertising industry's National Advertising \nReview Board. If we had come along 2 years after people started \nthinking about that, and said, forget it, we are going to \nhandle this by law and law alone, you wouldn't have that kind \nof self-regulation. You have to give some time for these \nprograms to develop.\n    I would say--I would say this. We had a good year, good \nprogress; internet industry leadership is committed to self-\nregulation. If we have the same sort of year next year, then I \nwould say that we are going to make vast progress. As a matter \nof fact, at the pace that notice is being made available, you \nwill practically see universal notice within a year.\n    Mr. Markey. Do you believe we are going to reach 100 \npercent compliance next year?\n    Mr. Pitofsky. No.\n    Mr. Markey. The year after?\n    Mr. Pitofsky. No, sir.\n    Mr. Markey. One hundred percent compliance.\n    Mr. Pitofsky. Mr. Markey, I don't think we ever will.\n    Mr. Markey. Okay. Then do we need a law?\n    Mr. Pitofsky. No, I don't think so.\n    Mr. Markey. You don't think we will need a law if there is \nnot going to be 100 percent compliance with protection of \nprivacy in the country?\n    Mr. Pitofsky. As I said earlier, you pass a law and you \nstill won't get 100 percent compliance.\n    Mr. Markey. So your standard is because you cannot get 100 \npercent compliance with any law, then there should be no laws. \nIs that your position?\n    Mr. Pitofsky. No, not at all.\n    Mr. Markey. That is what you just said.\n    Mr. Pitofsky. No.\n    Mr. Markey. 
That applies to every law, sir, not just \nprivacy.\n    Mr. Pitofsky. Mr. Markey, if I appeared to say that I \nmisspoke. Let me be clear.\n    Mr. Markey. You said that the protections were essential. \nYou said that there would never be 100 percent compliance, and \nyet you say that we shouldn't pass laws just because there \nisn't going to be 100 percent compliance with essential \nprotections which Americans need.\n    Mr. Pitofsky. It is ``just because'' that I have to \nexplain. We are at the dawn of the most impressive new \nmarketing sector of the economy that this country has ever \nseen. It is dynamic. It is fast changing. It is remarkable--the \nextent to which people are becoming committed to doing commerce \non the Internet. In a circumstance like that, you want to stay \nflexible about the nature of regulation that you impose.\n    Mr. Markey. Mr. Chairman, technology is changing rapidly. \nSo what? Are people not entitled to privacy? Are people not \nentitled to protection against fraud, just because technology \nis moving rapidly? Are we to say for the next whole generation \nof e-commerce that we can never pass any laws to protect \npeople's privacy or protect them against fraud or protect their \nchildren online because the technology moves rapidly? I think \nthat it is our responsibility, Mr. Chairman, to move forward in \na way that ensures the protections are put on the books against \npeople who will exploit people just because they are online and \nthey are on no protections.\n    I think this argument that you are making runs completely \ncontrary to the whole history of the Federal Trade Commission \nand its commitment to try to stay apace of the changes which \nare happening with the economy, rather than saying that we \ncan't catch up because it is moving too rapidly. I don't think \nthat is a standard which we can use. 
Fraud, privacy, and \nprotection of the consumer are standards which are eternal \nregardless of the industrial era, the information era that we \nhappen to be in. I don't think that those are standards which \nwe should say can't be, can't be maintained.\n    In fact, we have it upside down. The people who put privacy \nprotections online, we can sue them for deceptive practices, \nbut if the industry participants don't put any privacy \nprotections on the books, then we don't have any right to go \nagainst them because they haven't deceived anyone, because they \nhave no protections whatsoever.\n    And what you are saying is that the system is broken, but \nwe are going to ask the people who have allowed it to remain \nbroken throughout all of the 1990's to continue to try to \nimprove it even though they have a 90 percent failure rate. I \ndon't believe that the American people, looking at those \nstatistics that were produced earlier in this hearing, indicate \nthat the American people are getting more confident; in fact, I \nbelieve they are getting less confident in this online \nindustry's ability to provide security, be able to provide \nprivacy, to be able to provide access, to be able to provide \nnotice that their information is being compromised.\n    Mr. Tauzin. The gentleman's time has expired.\n    The gentleman had offered to Mr. Swindle a chance to \nrespond to his comments. I think the chairman probably ought to \ndo that.\n    Mr. Swindle. I applaud the Chairman's position on this. I \nthink he did state the case correctly. I don't believe any one \nof us here, and we have obviously different views on how we \nshould approach this, have made statements as Mr. Markey \nalluded to. 
Each of us has been out meeting with industry and \nattempting to get--encourage industry, and I think we have been \nsuccessful on that from our different perspectives, and I think \nthe Commission is doing good work in that regard.\n    I don't recall anyone saying that there is no need for Federal \nagencies, not even the slightest insinuation of such. I \ncertainly didn't. The idea of self-regulation reaching 100 \npercent or a law reaching 100 percent, I think I said in my \nearlier statement, there is no way. We will not get there. \nToday we just got behind again, because there are 100,000 more \nWeb sites out there. We will never catch up with that. That is \nreality.\n    As far as needing a law to get 100 percent, we have the \nFair Credit Reporting Act. We prosecute cases on a monthly \nbasis under that because we have not stopped it, and we will \nnever stop it. I just--I am a little mind-boggled at the idea \nthat we would think that we can pass a law and solve all of \nthese problems.\n    We at the Commission and the staff at the Commission do \nremarkable work in trying to implement and enforce our laws, \nbut we will never get to everyone, all of them. So I can't buy \nthat point.\n    Mr. Markey. Mr. Swindle, we have laws against murder on the \nbooks. We will never catch all of them, but we are not taking \nthe murder statutes off the books.\n    What statutes are you prosecuting people right now under \nthat you are claiming credit for? Obviously you need laws to--\n--\n    Mr. Tauzin. The gentleman's time has expired. He has made \nhis point. We have to move on.\n    The gentleman from Georgia, Mr. Deal.\n    Mr. Deal. I will pass at this time.\n    Mr. Tauzin. Mr. Cox is recognized, from California.\n    Mr. Cox. Thank you. I would like to welcome our panel and \nthank you especially for the report that you have provided to \nus. 
I would note that Chairman Pitofsky and I spent some time \ntogether a quarter of a century ago when you were my antitrust \nteacher at Harvard Law School. That was when you were 29 and I \nwas 15, and I continue to be educated, and I appreciate it very \nmuch.\n    We are going to hear from the Direct Marketing Association \na little later, and in the testimony that the Direct Marketing \nAssociation has provided to us, they have said that as a \ncondition of membership of the DMA, they are going to require \nthat all companies, including those who market to consumers on \nthe Internet, provide notice to consumers if they transfer data \nto others, and if they provide consumers the ability to opt out \nof such transfers.\n    It seems to me that that provides the essential ingredient \nfor an enforcement system based on the licensure of personal, \nprivate information as if it were a property right. That is to \nsay that in the same way that all of us accept a license when \nwe rip open a package of software or sign a license agreement \nwhen we buy computer products of significance, that we would be \nable to license the provision, the publication of our personal \ninformation by others if we chose to do so, and we would have a \ncause of action for conversion of our private property if we \nchose not to do so. That would require only this in order to \nmake it work, and that is a legal system that protected private \nproperty in that way.\n    Is that a reasonable approach? I would ask any of the panel \nto address that.\n    Mr. Pitofsky. It is consistent with the way people feel \nabout this issue. They don't mind their personal information \nbeing used. They don't mind getting catalogs or receiving \nmaterials as a result of target marketing. What they mind is \nthat happening without their consent. 
And if we can get there \none way or another, by law or by self-regulation, so that \npeople have that option, have that choice, I think the approach \nthat you describe is one that we would be comfortable with.\n    Mr. Cox. Does any other commissioner wish to comment on \nthat?\n    Mr. Thompson. Sure. I think that notice and opt-out are \nimportant elements, but they are not the only elements. I think \nthat giving consumers, depending on what industry it is, access \nto correct information is also appropriate. I think security is \nimportant. I also think enforcement is important. I am not \nsaying necessarily enforcement by the government, but providing \nmeaningful remedies for consumers who feel that the \nrepresentations that were made by a Web site about how \ninformation was going to be used were not lived up to. That is \nthe kind of confidence people need. I think that it begins with \nthe industries themselves.\n    I think DMA should be saluted for taking a fairly tough \nline with their members. But what is important is that it is \nnot just them, it is everyone, that that has to be an important \ntenet how buyers and sellers deal with each other online. That \nhas to be a part of the climate.\n    So there is a question of how you deal with those who \nchoose not to participate at all. That is a very important \nquestion. But I salute those parts of the industry who really \nunderstand that it is in their best interests, as well as \nconsumers, all of our best interests, to see this part of the \neconomy grow, that they provide that kind of balance.\n    Mr. Cox. And therefore, the shortcoming in the DMA approach \nis that not everyone is a member of DMA, for starters.\n    Mr. Thompson. I think that is one.\n    Mr. Cox. So what we would want is a regime that applies \nacross the board to good actors as well as bad actors.\n    Second, you point out that we need enforcement. I think Mr. 
\nSwindle's point earlier when you have an increment of 100,000 \nnew Web sites over what period of time?\n    Mr. Swindle. Very short. I am not sure. But it is growing.\n    Mr. Cox. We have, as we all know, these exponential rates \nof growth in Internet usage and the addition of Web sites. The \nnotion that a government agency is going to be able to police \nit fails facially, but what might work is, if consumers have \nthe tools that they need to enforce it, which is why I am \ntalking about this private property notion, if you have an \nenforceable property right and you can go to court and you have \na cause of action, and let us pick out of the air $1,000 \nmaximum statutory damages for an unintentional violation and \n$10,000 for an intentional violation or some reasonable limit \nso that we don't have the next $6 billion jury award in this \narea, you might have a much broader base of enforcement and so-\ncalled voluntary enforcement might get a lot closer to 100 \npercent.\n    Mr. Pitofsky. I think at the end there you put your finger \non the problem. A private right of action is something that \npeople ought to consider. It is a real possibility. On the \nother hand, they also have to consider whether or not you want \nsome Web site that makes some mistake about opt-in or opt-out \nbeing hit with a class action that will just blow them right \nout of that sector of the economy.\n    So it is a fair question to raise; it is not one that we \nhave addressed.\n    Mr. Cox. I assure you that is not my plan. I am working in \nthe other direction.\n    Mr. Pitofsky. There are some reasons for thinking about a \nprivate right of action, but you would want to be careful about \nit.\n    Mr. Cox. I thank the chairman.\n    Mr. Tauzin. The gentleman's time has expired.\n    The gentlewoman from California, Ms. Eshoo is recognized.\n    Ms. Eshoo. Thank you, Mr. Chairman. And thanks, once again, \nto our distinguished witnesses here today. 
Chairman Pitofsky, \nduring your opening statement, you mentioned that the \nCommission is going to hold a workshop soon on online \nprofiling, which is the practice of collecting information \nabout consumers as their movements are tracked online. It \ndoesn't settle all that well with me. I have a sense of a \nlittle online stalking. But it is the way--I mean in hearing \nit, it is the way I--my sensibilities react that way.\n    But at any rate, would you discuss how this practice works? \nIn particular, do consumers generally have knowledge that their \nmovements are being tracked, and what kind of information is \nable to be--is actually collected in this way?\n    Mr. Pitofsky. Well, one of the reasons for the workshop is \nto try to find answers to the questions you raise.\n    Ms. Eshoo. But there must have been some indications to \nyou; therefore, the workshop?\n    Mr. Pitofsky. Yes. Profiling is not limited to just \nonline information. It is a combination of online and offline \ninformation, which produces the kind of body of information \nabout people often available for sale that is very--that is \nvery troubling.\n    On the question of whether people know this is going on, I \ndon't think they do. I think it is being collected without \nnotice. This new medium has an incredible technological ability \nto marshal, analyze, and present data about individuals.\n    How much of that is going on, how it is being handled, \nwhether the information is being marketed and sold, and \nparticularly whether it is being sold in personally \nidentifiable ways, as opposed to aggregate averages, which I \ndon't think anybody is terribly troubled about, that is what \nthe workshop will be about.\n    Ms. Eshoo. I think that this committee in particular would \nvery much like to have a report back from the Commission after \nyou have completed the workshop and what you have pulled out of \nit. 
I think that we could make, hopefully, some positive use of \nwhatever information flows from that. Because the idea that it \nis personally identifiable and tracked is a form, at least I \nthink could be thought of as a form of online stalking, \nstalking.\n    Do you know of any agency that sells any private \ninformation that comes through it?\n    Mr. Pitofsky. I do not. Anyone?\n    Mr. Swindle. Well, I don't know about Federal agencies, but \nwe know for a fact that State agencies, which are part of the \nproblem too, I guess, they sell information off of driver's \nlicense registration and car registration. That is commonly \ndone in many States from what I understand, and I don't think \nany consumers or citizens gave them the right to do that, but \nthey do it.\n    This phenomenon, collection of information, is mind-boggling. \nWe are going to be dealing with this for years to come. My \nconcerns are that we deal with it in a manner that is as \npractical as possible without throwing impediments to \ndeveloping this, as the chairman described earlier, perhaps one \nof the most phenomenal changes in the way we do commerce that \nwe have seen in our country's history. If we get overly \nemotional about this and start running around trying to stop \nit, we will very likely overstep our bounds and do more harm \nthan good.\n    Ms. Eshoo. Does the Commission have any ideas about how we \ncan educate people on how private information might be used? \nHave you grappled with that?\n    Mr. Thompson. I think that----\n    Ms. Eshoo. Relative to commerce? You know, obviously within \nthe areas of your jurisdiction.\n    Mr. Thompson. 
I think the Bureau of Consumer Protection has \nbeen very active in consumer education, but also has been \nworking with groups like the Direct Marketing Association and \nother industry-based initiatives to talk to consumers about how \ntheir information is being used and collected and what choices \nthey have for how that information is shared. I know that on \nour Web site, FTC.gov, there is a privacy page that tells \nconsumers how to get their names off mailing lists and other \nthings.\n    Ms. Eshoo. What you are suggesting is that the Commission \nputs out information on how this can be done technologically?\n    Mr. Thompson. We have brochures and other information \navailable to educate consumers. But what I think is going to be \nimportant here though is what broader initiatives industry, \ntogether with government and consumer groups create to deal \nwith specific problems and specific concerns to let the public \nknow a little bit more.\n    Ms. Eshoo. I have the sense that we are trying to get socks \non an octopus, and I think if we don't--I mean if we really \ndon't come out with something that has clarity for the American \npeople, that maybe the description I just gave will continue. I \ndon't know what these ratings really mean. I mean if we see the \nGood Housekeeping Seal of Approval, that means something to us. \nI guess I can't really describe it, but there is confidence in \nthat. And while we have some markers, I don't have a sense that \npeople know what that is, and I don't think that we can be \nnecessarily self-congratulatory that they are out there if, in \nfact, the representation doesn't give people the kind of \nconfidence that they need.\n    I think the hearing is demonstrating that we have a ways to \ngo so far. I appreciate the work that you are doing. I don't \nthink I have made my mind up about which is the best way to go, \nbut we will keep at it. Thank you.\n    Mr. Tauzin. 
I thank the gentlewoman.\n    The Chair now recognizes the gentleman from Mississippi, \nMr. Pickering, for a round of questions.\n    Mr. Pickering. Thank you, Mr. Chairman. I appreciate you \nholding this hearing on a very important issue.\n    Mr. Pitofsky, let me ask quickly, under section 5 of the \nFederal Trade Commission Act concerning unfair and deceptive \npractices, do you feel like you have the current authority to, \nif progress is not made, to take additional action, not only \nunder fraudulent cases, but to say require certain business \npractices of notice and opt-out, do you have that authority, or \ndo you interpret your authority that broadly?\n    Mr. Pitofsky. We certainly have the authority, when people \nare misled into providing information under false pretenses, \nand we have brought cases, we have brought important cases in \nthat area.\n    The problem arises where the information gatherers say \nnothing. They collect the information and they use it in \nunexpected ways. We have not brought that case. We have put out \nan advisory opinion saying that where that kind of information \nis collected from young people, we believe we clearly have the \nauthority in that area. Where it is collected more generally \nfrom adults, we have not brought that case, and I am not so \nsure that we could win it. But certainly, if they put out a \nprivacy policy, as firms are doing, many firms are doing, and \nthen they don't abide by their own privacy policy, that is \nactionable.\n    Mr. Pickering. This seems to be the crux of the problem. It \nseems like there could be an incentive to have no privacy \npolicy, to put themselves at no liability or at risk of \nviolating, intentionally or unintentionally, their privacy \npolicy. And the question is what incentives can we give, short \nof legislation, that would require all companies to adopt \ncertain practices and certain privacy policies.\n    Mr. Pitofsky. I think you are exactly right. 
I think an \nincentive is there in the marketplace, and that grows from the \nfact that 85 percent of the people who are not doing business \non the Internet say it is because they don't think it is a \nsecure medium, and the business community has to come around to \nthe view, as I believe many of them have done, many of the best \nplayers, that it is in their interest to protect the privacy of \npeople who do business on the Internet.\n    The other--frankly, the other incentive is, if that \nprogress does not occur as it has been occurring in the past \nyear, then the FTC and this committee and the Congress will \ntake action. We are challenging these folks. We are saying to \nthem, if you don't want legislation, you better move along on \nself-regulation. They have made some progress, I hope it will \ncontinue.\n    Mr. Pickering. Any other comments from the panel as far as \nincentives that we can ensure the progress of self-regulation \nfrom the Internet community and the business community on a \ngoing-forward basis?\n    Mr. Swindle. I would just like to add, I think one of the \nmain things we can do at the Federal Trade Commission is \ncontinue to expand the educational efforts that we have already \nundertaken. Our staff does an excellent job in putting out very \ninformative pieces of information. We have conferences, we \nmentioned, I think it is mentioned in our report of conferences \nto come. I think that process of consumer education will \ncoincide with industry's awareness that this is important. It \nis in their own self interests to do it right.\n    The incentive is profit, and profit comes from satisfied \ncustomers, and that takes you to the next level. The \nmarketplace will demand that we find some level of acceptable \nprivate practice on the part of industry; otherwise, consumers \nwon't go there. Any consumer with one click can leave a Web \nsite if they aren't satisfied with it. 
And I share with the \nchairman the concern, and I think we all share it, that in \nthese practices where the consumer has no idea that information \nis being collected, and therefore, has no option of choice \nbecause they don't know the problem exists.\n    But, I think that is where we are back to the education \ncycle. The more we inform the public, the more we all become \ninformed as to how this medium is going to work. It is new, we \nare learning every day. Industry is learning, consumers are \nlearning, and certainly we in the Federal Trade Commission are \nlearning, and I think it is that ongoing process that will make \nthis an economic engine that we will all sit back and marvel at \nand we will be quite surprised with it. As I said, consumers \nare not inching slowly to this form of commerce, it is tripling \nevery year, and I think that is an indication that they like \nit.\n    Now, if they hear things that scare them, I hope not \nunnecessarily so, they will back away from certain sites and \nmake reasonable choices.\n    Mr. Thompson. I agree with what has been said. Time is \nreally important here, that if 1 year in Internet time equals 3 \nyears of other time, then we should be concerned about how \nquickly industry progresses.\n    But what I will also say is it has to be a fabric, it has \nto be not just government saying we are going to do X if you do \nsomething bad, it is also industry acting in enlightened self-\ninterest. I think that we all have a stake in seeing that that \noccurs.\n    Now, one of the things--the reason that at least I don't \nthink legislation is appropriate at this time is to measure \nwhat is not being done, what industry resistance there is, is \nit the tail, or is it the hub? That has to be an important \nfactor to know, because that will tell you what is the \nappropriate way to address the problem.\n    The industry leaders do recognize the importance of \nbringing the rest, finally, the rest of the market along. 
That \nis not only based on consumer education, telling consumers what \nthey should be asking for, but also telling business what are \nthe necessary elements for doing business in this area. I think \nthat what they would find is that if they do a cost-benefit \nanalysis, the amount that they have to gain, even small- and \nmedium-sized businesses of doing a privacy policy is great. But \nthat information has to get out to them.\n    Mr. Pickering. Thank you, Mr. Chairman.\n    Mr. Tauzin. The gentleman's time has expired.\n    The gentlewoman from California commented about socks on an \noctopus. That stirred my data banks, and I couldn't remember \nwhere I had heard that phrase. It was Earl K. Long who used it, \nI think. There is a wonderful book entitled Socks on a Rooster \nabout his life. He once said when they tried to put a tuxedo on \nhim at his first inaugural in Louisiana that putting a tuxedo \non Earl K. Long is like putting socks on a rooster, and he \nrefused to wear it. It is a good analogy.\n    The gentleman from Minnesota, Mr. Luther, is recognized.\n    Mr. Luther. Thank you, Mr. Chairman. This really is to any \nmember of the panel. It just seems that if we applied common \nsense, it would tell us that we will, over time, achieve a \ndegree of voluntary compliance; that would be common sense, and \nin the interest of businesses to do this.\n    But it seems like common sense would also tell us--and I \nwould like your thoughts on this--that if companies are \nprofiting from using, selling, and disseminating this \ninformation, they would be very unlikely to be the ones who \nwould voluntarily comply. So in other words, as voluntary \ncompliance goes up, it seems to me that we still would not be \ndealing with the real problem, which is those companies that \nhave a self-interest in not complying, or not either posting or \nadhering to the policy. Isn't that the crux of the problem \nhere? 
How could we ever expect voluntary compliance from \ncompanies when it is against their self-interests to \nvoluntarily comply? That simply is not going to occur, right? \nThere is nothing to motivate them. So I guess that is where I \nam getting a little lost with some of the comments about \nvoluntary compliance. Even if it increases greatly, we are not \ngoing to be dealing with the ones we want to deal with.\n    Mr. Pitofsky. Let me start. Mr. Luther, it is a fair \nquestion, and it is something that we ought to explore. I am \nnot sure it doesn't work the opposite way. The big companies \nwho gather the kind of information that is valuable enough to \nsell, they are the ones who are complying, the Disneys of the \nworld, the AOLs of the world, the Microsofts and so forth, they \nare the ones who gather vast amounts of information that is \nvaluable to sell and they are the ones who are going along with \nself-regulation.\n    The company that will probably never go along is some \nindividual who has a Web site and is selling chile beans, they \nare not collecting the information, they couldn't sell the \ninformation if they did collect it, it is not going anywhere at \nall. I say that as a hypothesis. I don't know that that is \ntrue.\n    I do know that many--most of the big companies that collect \nthe kind of information that others want have seen it in their \ninterests to go along with self-regulation.\n    Mr. Luther. Well, just to follow up, if I may, aren't there \na lot of examples between those two extremes. That would be my \nresponse to that answer. 
And in fact, aren't some of the \nexamples in-between exactly what we are trying to deal with \nhere--the people that are truly profiteering today; there is \nnot one reason for them to comply with some voluntary \ncompliance system.\n    And I would add an additional point, and that is how fair \nis it to the legitimate businesses--that are out there \ncompeting on a fair basis--how fair is it to them to be \nundercut, for example, by a business who is making their \nprofits by using that information for some other purpose? I \nmean, legitimate businesses want fair rules that everyone lives \nby; don't they? I would ask that question to anyone on the \npanel.\n    Mr. Swindle. I am having a little difficulty imagining the \nbusiness that is undercutting another business, because that \nbusiness is gathering information to sell to somebody. They \nmight be undercutting another business that does that, but if \nthey are in the business of gathering and selling this \ninformation, you know, wrongfully or without consent, who are \nthey competing against?\n    My concern is that if we choose to legislate, legislation \napplies to the universe. The number of people who are in this \nbusiness that we don't like, the invasion of privacy, and \nselling this information, by comparison to those who are \nlegitimate in every sense of the word, but may not know the \nnecessity to meet this law, we will burden the universe in \norder to capture a few. I just don't think that is the way to \ndo it.\n    Now, the question then comes back, to the Congressman's \noriginal question. How do we get at those few, and they are \nrelatively few, in my mind, how do we get those without \nburdening the rest of the universe. That is the problem, and I \nthink that is something we have to consider and look toward \nresolving. But, passing a law would apply to everybody. 
Then \nwe, all of a sudden, have to enforce that law against people \nwho, by no evil intent whatsoever are not complying, which, I \nwould suggest, the vast majority of Americans fit that \ncategory. There are bad guys out there, we all recognize that. \nBut now, we have to enforce this law against all who violated \nit, and now we have to penalize them. This doesn't make sense.\n    Mr. Thompson. I appreciate your question, because I think \nit is exactly that kind of a question that we need to find out \na little bit more about. There are large companies who \npresumably should know that this is in their enlightened self-\ninterests that the efforts are clearly not reaching. We need to \nfind out a little bit more about why in order to--if \nlegislation is appropriate, determine what kind of legislation.\n    But I would also be hesitant to talk about legislation if \nit is an all-or-nothing proposition as well. Because in the \nsense that I think when we came last July, we talked about any \nlegislative vehicle at all should at least provide some safe \nharbors for companies who are doing the right thing; for \nindependent industries that are doing the right thing, because \nwe think that those industries should be rewarded and not be \nsubjected to a ``free riders,'' others who are not doing the \nright thing benefits from the industry efforts. So we have to \nget at that. We don't know. I think we need a little bit more \ntime to figure that out.\n    Mr. Luther. Thank you, Mr. Chairman.\n    Mr. Tauzin. The gentleman's time has expired.\n    The gentleman from California, Mr. Rogan, does he have any \nquestions?\n    Mr. Rogan. Mr. Chairman, if I may, just briefly.\n    Mr. Tauzin. The gentleman is recognized.\n    Mr. Rogan. Thank you. I will throw this out to the members \nof the panel. 
I did have a chance to review the summary \nmaterials on the Georgetown Internet Policy Privacy Survey, and \nI am just wondering, do any of the members of the panel have an \nopinion as to the validity of that survey?\n    It claimed that two-thirds of Web sites surveyed had \nestablished a privacy policy, but when I looked at the universe \nof sites that were examined, there were only 361. That seemed \nlike an awfully small sampling for what must be tens of \nthousands, if not hundreds of thousands of Web sites that are \nout there right now. Has anybody had a chance to review that in \ndepth, and does anybody have any opinion as to whether that is \nan appropriate figure?\n    Mr. Pitofsky. We did spot check the survey. We didn't just \naccept it without reservation, and so far as we could tell, it \nwas a reliable survey conducted in a very professional way.\n    The sample is the sample. I mean it seems to me, when you \nget up to 361 or something like that, you get a fair picture of \nwhat the industry is doing. It may not be perfect, it could be \noff by 3 points either way. But the important thing is that the \nindustry moved from 14 percent notice to 60-something percent \nnotice in 1 year. And we are comfortable that that is a \nreliable count.\n    Ms. Anthony. I was just going to comment that you have to \nrecall that these are the most well-traveled sites, not every \nsite. The sampling was the most well-traveled sites on the \nInternet.\n    Mr. Rogan. Thank you, Ms. 
Anthony.\n    I have to assume when we look at the explosion on the \nInternet over the last 8 or 9 years, I think I saw a figure \nsometime ago that in 1990 almost nobody was on the Internet and \nby 1999 we have millions and millions of people, and that \nfigure is being added to every day.\n    I have to assume that as each day goes by, and as more and \nmore people are going online, there has to be a lot of consumer \npressure also on businesses to adopt privacy regulations and \nalso to have their privacy rights enforced. Are you finding, as \nyou oversee these issues, that there is an awful lot of that \ndynamic in play?\n    Mr. Pitofsky. Great consumer concern, and in my view, the \nreason why you have so many of the leaders of the industry \nmoving to privacy policies is because they see that it is in \ntheir interests to do so.\n    Mr. Rogan. Yes, Mr. Commissioner.\n    Mr. Thompson. I think just to take a look at who is really \nleading the charge here, we are looking at companies who have \ndecided that it is in their best interests, because first of \nall, it allows them to distinguish themselves in the market \nversus other Web sites who might be selling something, or \ntechnologically based sites that believe that this is an \nimportant part for the technology industry to play a part in.\n    The real question is whether those industry leaders can \nessentially have an influence on all of those who sell, to make \nsure that they know that it is in their best interests to \nconcision the market generally, so that consumers feel that \nconfidence no matter where they go. That is the real challenge \nfor them. So while we have great respect for the industry \nleaders here, the real question is, is there an industry to be \nled?\n    Mr. Rogan. Thank you, Mr. Chairman, thank you, Mr. \nThompson.\n    Mr. Tauzin. The Chair now recognizes the gentleman from \nTennessee, Mr. Gordon.\n    Mr. Gordon. Thank you, Mr. Chairman.\n    Ms. 
Anthony, I think it is always healthy to have informed \nand thoughtful dissent on the commission, and so I will--on any \nissue, and I will give you a chance in a few minutes if I have \nsome time left if you want to expound on any more on what your \nthoughts are on what type of regulation might be successful.\n    But first let me ask you, Mr. Chairman, in your testimony \nyou said that you thought considerable progress has been made \nwith industry, a long way to go, and there should be no \nlegislation at this time. You said a year from now there should \nbe another report and that you want to get to the goal line.\n    Let me ask you, what is the goal line? You know, when you \ncome here a year from now, what do you think should be the \nvarious benchmarks, and what progress should be made with those \nbenchmarks so that you at that time would either say we need \nlegislation, here it is, or still making progress, and we \ndon't.\n    Mr. Pitofsky. Well, in one sense, if the industry makes as \nmuch progress in the present year as they did last year, we are \ngoing to be pretty close to universal coverage in terms of \nnotice, about putting a policy out there, and that would be \nremarkable. I would like to get beyond simple notice. I want to \nask other questions about access, about security, about \nmonitoring, and about enforcement.\n    I don't think you are ever going to get 100 percent self-\nregulation enforcement, any more than you do with the \nadvertising community or the funeral directors, two of the best \nself-regulation programs that I am aware of. But if you got up \nthere in the 90 percent range, 90-plus percent, and if \nconsumers were aware of what their rights are, and consumers \nwho don't want to deal with the Internet Web site that doesn't \npost a privacy policy can do so in an informed way, I think we \nare pretty close to where we ought to be.\n    Mr. Gordon. 
I certainly agree that you are not going to get \n100 percent compliance even with the most stringent of laws and \npolice forces out all the time.\n    So you are saying then that there should be 90 percent \ncompliance a year from now?\n    Mr. Pitofsky. I hesitate to draw an arbitrary line, but \ncertainly if you were there, you would have to say that great \nprogress has been made, and we are probably at the point where \nconsumers can protect their own interests.\n    Mr. Gordon. If you are at 90 percent?\n    Mr. Pitofsky. Yes.\n    Mr. Gordon. So what happens if we are at 70 percent next \nyear?\n    Mr. Pitofsky. We will file another report.\n    Mr. Gordon. That would be a failing grade, though?\n    Mr. Pitofsky. That would be very disappointing, since they \nare at 66 percent now. If they get to 70, you would think that \nnot much has been accomplished. But now I want to go back to \nthe point I made in my testimony. Simply counting the notices \non Web sites is not enough. We want to give this committee more \ninformation than that; we want to get behind that number.\n    Now, for example, there are probably some Web sites that \nhave notices that are so small and incomprehensible and \nimpossible to read that the notice is not worth a thing. I want \nto get to that issue.\n    Mr. Gordon. I have one more question. What I would like to \ndo quickly is ask you if you could send to the committee or \nsend to me what the vehicle will be for whatever studies when \nyou come back in a year, and what are those areas that should \nbe studied, and what are those benchmarks. I am not looking for \na specific number, but what should be the range of compliance \nthere?\n    Mr. Pitofsky. I think we should do that, Mr. Gordon, and we \nwill.\n    Mr. Gordon. All right. Mr. Thompson, I have a--I guess it \nis a cliche that all of these answers, or most of these answers \nare wrong. 
You mentioned earlier in your testimony about \ntechnology where you are going to have a workshop where the \nconsumer can protect himself. I mean how close are we and tell \nus about this technology. Everything is sort of moot if that is \nthe case.\n    Mr. Thompson. I think that that is one of the things we \nwant to find out. That is one of the reasons why we want to \nhave a workshop, because we understand that there are some \ncompanies who are working on various technological ideas that \nwill allow Web site users to capture their own information and \ndecide under what circumstances they give it up to someone \nelse. And I think that is going to be an important innovation. \nI want to see how far they are along. I want to see if that is \nsomething that is going to be effective.\n    I hope that you will let the committee know about that, and \nMr. Chairman, I think that----\n    Mr. Tauzin. Will the gentleman yield? We have a second \npanel----\n    Mr. Thompson. You may hear about that today.\n    Mr. Tauzin. I think we will learn about it during the \nsecond panel. Stick around.\n    I thank the gentleman.\n    Mr. Gordon. In closing, Ms. Anthony, where do you think we \nshould be a year from now--where will those benchmarks be, to \navoid legislation.\n    Ms. Anthony. Last year, when we brought our report to this \ncommittee we set out a legislative framework we thought would \nbe useful in crafting a balanced, protective piece of \nlegislation. Some of the bills pending in the House and the \nSenate have many of those suggestions in them now. I don't \npropose to write legislation for the Congress, and sometimes it \nis difficult for you to do it yourselves, but I do think that \nthe four fair information principles of notice, consent, access \nand security remain, still, the focus and the thrust.\n    Mr. Gordon. Thank you. Thank you, Mr. Chairman.\n    Mr. Tauzin. I thank the gentleman.\n    The gentleman from Florida, Mr. 
Stearns, is recognized for \na round of questions.\n    Mr. Stearns. Thank you, Mr. Chairman. I thank you for \nholding this hearing, and I welcome the witnesses.\n    I am trying to understand, and this might be appropriate \nfor the second panel, how much business--this is for Mr. \nPitofsky, the chairman, how much business is corporate-to-\ncorporate or business-to-business versus consumer to business?\n    Mr. Pitofsky. Most commerce on the Internet is now \nbusiness-to-business. The consumer segment is growing vastly, \nand I understand in the present year, 1 percent of all consumer \npurchases were on the Internet, and it is growing at an \nincredible pace.\n    Mr. Stearns. So if the majority of the Internet business is \nbusiness-to-business, do these companies set up privacy within \ntheir businesses?\n    Mr. Pitofsky. I don't know the answer to that. I rather \ndoubt that they do, but I don't know, and I could find out and \nsubmit something to you.\n    Mr. Stearns. I think that is important, because these \ncompanies set up their own privacy policies. We have already in \nplace what businesses are doing. We don't have to recreate the \nwheel here. And if the market is doing it itself, the private \npolicy setup through business to business, it is most likely \nthat probably, when we move on a bigger generation of revenues \nusing the consumer to businesses, that same type of trade \npolicy or private policy will also come together.\n    Mr. Pitofsky. We are moving in that direction, but I am not \nsure we are going to get there. I think we have to keep our eye \non this issue and make sure that progress continues.\n    Mr. Stearns. If we offer consumers a choice for privacy on \nthe Internet, do you think they would take that voluntarily? 
\nThe companies, when they say you are coming to my Web site, if \nyou click here you can have privacy, this kind of privacy, this \ntype of encryption, do you think that is a voluntary way to \ncircumvent the need for you folks or anyone else on my side of \nthe aisle promulgating legislation, Federal legislation?\n    Mr. Pitofsky. If there is a clear and conspicuous \ndisclosure so that people don't have to search around for it \nfrom screen to screen, yes. I believe they would decide one way \nor the other that they don't care that their information, their \nprivate information, is used; or that they do and would opt \nout.\n    Mr. Stearns. Any others that would like to comment on the \nquestion?\n    Mr. Tauzin. If the gentleman would yield, I think it is \nimportant that we keep our eye on how broad the problems are, \nhowever.\n    I don't want to embarrass anybody over this, but there was \na story in the Boston Globe about a public television station \nsharing its list of subscribers with one of the national \npolitical parties. A young boy, Sam Black, is shown in the \narticle as receiving a mailing from that national party because \nhis name was given to them in exchange for other names by a \npublic broadcast station. The station owner is quoted as \nsaying, ``It is standard industry practice for nonprofits like \nWGBH Boston to swap or rent lists of other groups in an effort \nto expand membership.''\n    This is a problem even bigger than the Internet right now. \nWe are going to have to keep an eye on it and see whether or \nnot there are elements of it that at some point need \naddressing. I thank the gentleman for yielding.\n    Mr. Stearns. Thank you, Mr. Chairman.\n    Just reclaiming my time, when I go to the restaurants and I \ngive them my credit card, I don't know the waiter or waitress \nwho takes my credit card. They go behind the back and they run \nit through the machine and come back. 
I was trying to say, in \nthe private world there doesn't seem to be any outcry of this \nprivacy from the government to institute on the restaurant \nlevel or on the Sears Roebuck level or even when I purchase \nsomething from Lands End.\n    So I was trying to say, if I don't see it there, do I see \nthe need for this Federal legislation on the Internet? Because \nobviously this person who is working at the restaurant could \nmake a copy of my credit card and make a facsimile or something \nof it and use it, yet I don't see that happening.\n    I guess in your opinion, the analogy between the private \nsector and the Internet, is it quite a bit different in your \nopinion, or is it something similar?\n    Mr. Pitofsky. In my view, it is different and deserves more \nattention. Collection of information on the internet is more \nthreatening to individual privacy. First of all, on the \nInternet you could accumulate information in a way that is not \npossible in a restaurant or a mall. You can marshal it, analyze \nit, or sell it to people in a way that is valuable to them, but \nis an intrusion to you.\n    Second, when you go into the restaurant and you think about \nordering the salmon, but then you order the steak, the only \nreference that they have is what you actually bought. On the \nInternet, the technology allows people to accumulate \ninformation on what you thought about doing, your browsing \nactivities. That includes books, that includes music, that \nincludes all sorts of things that people are sensitive about.\n    So I do think that the Internet is different. I do think \nthat privacy is important. The only question that I have is \nwhat is the best way to get there since it is a particularly \nsensitive area.\n    Mr. Stearns. Mr. Chairman, I think my concluding comment \nwould be what I think a recent report talked about, that most \npeople in the Internet, the consumers, are not buying, they are \njust browsing. 
But you point out that simply browsing offers an \navenue to sell what they are browsing to other people. In fact, \nif you go on Hot Mail or Yahoo Mail, you can check off the \nthings that you are interested in and you will get information \nsent to you every day. It just comes rolling in. So that whole \nprocess is revealing your market tastes. So the consumers have \nthe right to decide, but they certainly don't want that \ninformation sold.\n    But I think this hearing is very important for all of us to \nunderstand. This is a first step. So I appreciate this time to \nquestion you.\n    Thank you, Mr. Chairman.\n    Mr. Tauzin. I thank the gentleman.\n    The Chair now recognizes the gentleman from Virginia, Mr. \nBoucher.\n    Mr. Boucher. Thank you very much, Mr. Chairman. I want to \ncommend you for organizing this discussion today on what is a \nvery timely and important subject and also for inviting this \ndistinguished panel of witnesses, the members of the Federal \nTrade Commission, whom I would like to welcome. I want to \ncompliment each of you for the excellent groundwork that you have \ndone in the area of online privacy protection.\n    Having complimented you for that, however, I will have to \nexpress a measure of surprise at the conclusion that you have \ngenerally reached that no new Federal legislation is necessary \nat this time. In opposing the passage of legislation, Chairman \nPitofsky, you have cited the progress that has been made by the \nindustry in protecting online privacy due in significant part \nto the participation by the industry and third-party seal \nprograms, the five or so programs in existence today. Yet it is \nmy information that only some 1,000 or perhaps less of the Web \nsites currently are participating in third-party seal programs; \nand we also--that, by the way, is among Web sites that may \nnumber more than a million. 
I don't know how many there are--I \ndoubt if you do either--but I am told there are at least a \nmillion, or perhaps 1.5 million or 2 million.\n    Then we also have the study from Georgetown that shows a \nbroader survey of Web sites that was taken, that only 10 \npercent of the Web sites surveyed have a practice that complies \nwith the four fair information practices that I think we all \nagree are important. So you have determined that or it has been \ndetermined that there are only about a thousand Web sites that \nare a part of third-party seal programs, and only 10 percent of \nall Web sites surveyed are complying with these four fair \npractices.\n    Now, given that fact, I am frankly appalled by the \nrecommendation that we not act now. I believe that there are \nthings that we can do that would even enjoy industry support. \nFor example, I have introduced a bill, along with my Virginia \ncolleague, Bob Goodlatte, with whom I have the privilege of \nchairing the House Internet Caucus, that would establish a \ndisclosure and opt-out policy, so that everyone who visits a \nWeb site would have the opportunity of knowing what information \nthat Web site collects from the visitor. That visitor would \nalso have the opportunity to know how the Web site uses that \ninformation. If the Web site disseminates that information to \nany third parties, the circumstances and the identity of the \ndistributees would also be noted. And then the Web site visitor \nwould have an opportunity to opt out, to not participate in a \nfurther visitation of that Web site and to do so with the \nprivilege of not having any personal information about him \ncollected.\n    Our bill also, by the way, gives the FTC full authority to \nenforce those provisions under section 5 of the Federal Trade \nAct. I can tell you that in constructing this provision, we had \nextensive discussions with the industry and I think broadly the \nindustry would support an approach such as this. 
And so why \nwould it not be wise at this time to act before the situation \ngets beyond our control before the other 90 percent of Web \nsites that don't comply with these fair information practices \ncollect so much information that there is nothing that we can \ndo about it? Why don't we act now?\n    I know that I am asking you to support of repeat your \npositions, but perhaps with this new orientation, you will \nprovide a different answer. I hope so.\n    Mr. Pitofsky.\n    Mr. Pitofsky. Mr. Boucher, I know of your bill and I \nbelieve in many ways it is a constructive compromise between \npeople who would very heavily regulate the industry and those, \nlike us, who want to give self-regulation more of a chance.\n    Just two quick points: One, if the bill is limited to \ndisclosure and opt-out, the chances are that we will have \naccomplished that in a year or so anyway. When we say that only \n10 percent have all of the information, fair information \npractices, most of those people don't have the access and the \nsecurity provisions that would not be covered by your bill.\n    Second, the seal profession. It is true that the seal \nprograms have hardly scratched the surface. But the Better \nBusiness Bureau seal program only started about 6 months ago. \nIt is a little tough to criticize them because they have only \ngotten a relatively few people to be members.\n    Then third, my concern is that if we settle for disclosure \nand opt out as your bill provides, and not ask for more, that \nis all that we are ever going to get. I think consumers are \nentitled to more than that, and by keeping the pressure on with \nrespect to self-regulation, we may be able to get--we should be \nable to get more than disclosure and opt-out.\n    Mr. Boucher. I agree that we can get more than disclosure \nand opt-out. 
I would not propose that enacting our statutory \noffering be an alternative for a continued industry self-\nregulation.\n    I think there will be substantial pressure from Internet \nusers for a better set of privacy protections that go beyond \nmere disclosure and opt-out, but enacting disclosure and opt-\nout at this point in time would at least make sure that every \nInternet user immediately would have the opportunity to know \nwhat information about him is collected and how that \ninformation is used. If he disagrees with that, he would have \nthe opportunity to opt out without having anything collected.\n    It seems to me that that is a fundamental assurance that we \nought to provide the American public. I agree, we ought to do \nmore, but we ought to do at least that much. I think that we \ncan do that much statutorily with industry support during the \ncourse of this conference.\n    Let me ask you one other question. I know that you are \nfamiliar with the discussions that are taking place between the \nEuropean Union and our U.S. Department of Commerce. The \nEuropean Union has a very extensive directive that confers upon \nEuropean citizens extensive privacy rights in the online \nenvironment, going essentially to the four industry practices \nthat you would recommend here for self-regulation. But as a \nmatter of law, that would be provided in Europe. The directive \ntakes another step and says that data flows can be interrupted \nwith respect to Europeans accessing Web sites in any nation \nthat does not have a comparable level of privacy protection. 
We \nare very concerned that unless there is an agreement in the \nEuropean Union that whatever we do offers that comparable level \nof privacy protection, that there would be an interruption of \ndata flows when Europeans visit American Web sites.\n    Now, the discussions on creating the safe harbor and giving \nEuropeans an opportunity of saying that we have an equivalent \nlevel of protection, aren't going very well. This has been \nunder way for more than a year. They have been recessed. There \nis no conclusion in sight. I am wondering if we enacted at \nleast a disclosure and opt-out policy if we might not be able \nthen to give the Europeans a basis to say that a comparable \nlevel of protection exists here.\n    Do you have any thoughts about that and would that change \nyour view of whether we ought to act now legislatively?\n    Mr. Pitofsky. I am going to ask Commissioner Thompson, who \nhas been our delegate to some of these meetings, to address \nthat.\n    I agree with you that it is a matter of great concern. \nNegotiations have been conducted by the Department of Commerce \nin this matter. Whether they are going to--whether we are going \nto have a serious problem or not remains to be seen. From what \nI understand, the issues that are outstanding--and I am not \nclose to the negotiations--would not be fully settled by a \ndisclosure and opt-out provision. There are other complicated \nissues as well.\n    Let me turn to my colleague, Commissioner Thompson.\n    Mr. Thompson. I think the Chairman is right. There are a \nvariety of issues that have to be resolved on the European \nside. But you are also right in noting that the concerns that \nthe Europeans have about how we treat data in the United States \nis very important to us. It is not just notice and opt-out, but \nalso the other elements. 
I think that they support the four \nelements that we have discussed and want to know what \nmeaningful remedies their consumers will have in the United \nStates.\n    Now, notwithstanding that, a legislative vehicle isn't \nalways the most effective way to get at those protections if \nthere is an effective framework for self-regulation. Now, there \nare certain parts of the industry that are leading in that \ncharge and certain companies who we have talked about earlier \nwho will satisfy that pretty clearly. The real question is, how \ncan that be transferred into the broad base of companies that \nwe and the Europeans want to see here in the United States have \nthose protections. That has been the challenge and that is \ngoing to be the challenge that Ambassador Aaron is going to \nhave to convince the Europeans of.\n    Mr. Boucher. Well, thank you very much. I appreciate that \ncomment, Commissioner Thompson, and I want to thank each of \nthese witnesses again for the work that you have done in this \nimportant field and we all look forward to continuing our \ndiscussions with you.\n    Thank you, Mr. Chairman.\n    Mr. Tauzin. I thank the gentleman. Before we dismiss this \nvery esteemed panel, I would like to give any member who wants \nto make a final question or comment a chance to do so. We will \nfirst start with the ranking member, Mr. Markey, for a final \nthought or comment or question.\n    Mr. Markey. The point that I was--thank you, Mr. Chairman, \nvery much.\n    In the securities marketplace, the so-called ``crown jewel \nof capitalism,'' the engine of the capital formation process, \nwe have self-regulatory organizations. 
They are called the New \nYork Stock Exchange, the National Association of Securities \nDealers, and the regional exchanges like the Boston Stock \nExchange.\n    In the futures market, we also have SROs, self-regulatory \norganizations, the Chicago Mercantile Exchange, the Chicago \nBoard of Trade, and the New York Mercantile Exchange.\n    The securities self-regulatory organizations are subject to \nsupervision and oversight by the Securities and Exchange \nCommission. And the futures self-regulatory organizations are \nsubject to the jurisdiction of the commodities futures trading \ncommission. The SEC and the CFTC must approve all of the SRO's \nrules before they can take effect. They can direct them to \nadopt, modify or eliminate their rules, and they can inspect \nand examine their regulatory and enforcement programs to \nascertain their adequacy and protect the public interest, \nassure the protection of investors and the maintenance of fair \nand orderly markets. And they do all of this without \ncompromising the dynamism and the innovation in our Nation's \nfinancial markets which are technology driven, fast-paced, \nglobal and constantly changing.\n    So if we are talking about self-regulatory organizations \nlike the securities and futures self-regulatory organizations, \nthat is one thing. But if we are talking about SROs without \nFederal oversight and enforcement over them, then there is no \naccountability and no assurance that consumers will be \nprotected. That is not self-regulation; that is self-delusion. 
\nWe cannot operate in a world in which an industry which is so \npotentially invasive of every family's life can go completely \non the honor system when there are so many powerful financial \ninterests that could drive some of them in the opposite \ndirection.\n    I might add I think at the end of the day that this whole \nnotion that ``dot com'' means that you have huge debts, no real \nprofits but maybe 5 or 10 years from now you might be able to \nshow some profit was undermined if you saw it last week by an \nInternet site called C/Net. They were taking $800 million of \ntheir own money and were going to invest it in an advertising \ncampaign. Their stock valuation dropped by about 15 percent \nbecause no one had ever seen a mode like this where an Internet \ncompany had actually made money, was investing it in a \ntraditional business sense, and as a result, people were \nbeginning to lose confidence. Maybe it is that people don't \nwant to go online, that is, middle-class America, largely \nbecause they are not sure that their privacy is going to be \nprotected, that their security is going to be protected. Maybe, \nat the end of the day, in the same way that the Federal Trade \nCommission Act was originally put on the books says, the \nIndustrial Age had been moving so fast that it was necessary to \nbegin to catch up with it, that maybe the confidence that was \nnecessary to be instilled in this marketplace that these \ncompanies can actually turn a profit would be related to their \nsense as ordinary middle-class families, that they should trust \nit, that they should believe in it. Right now, we see again \nfrom these polls that that is not the case.\n    So my request to you would be that you look at these issues \nagain, you set a deadline in the near term for the industry and \nfor yourselves. But understand that the information you have \ngiven us today heightens the likelihood that we need to \nlegislate, not undermine it. 
I think it should leave you with \nthe same result in terms of how you view your responsibilities \nat the Federal Trade Commission.\n    Thank you, Mr. Chairman.\n    Mr. Tauzin. The gentleman's time has expired.\n    Mr. Pitofsky, do you want to respond quickly?\n    Mr. Pitofsky. Very briefly.\n    I could not agree more that the mix between law and self-\nregulation addresses complicated issues. We want to be sure as \nwe proceed that we get it right. I know that that is what you \nare asking us to do, to investigate carefully.\n    On the other hand, this is not an area where internet \nsellers are completely unregulated, where there is no \noversight. We recommended legislation with respect to privacy \nof kids and we bring cases under section 5 challenging \ninvasions of privacy all of the time. So it is not totally \nunregulated. The question of where self-regulation is \nappropriate and where law is appropriate is exactly what we \nwould like to try to address and we will continue to address \nand provide our thoughts to the committee.\n    Mr. Tauzin. Does any other member wish to make--the \ngentlelady from California.\n    Ms. Eshoo. Thank you, Mr. Chairman.\n    You just mentioned, Mr. Chairman, you touched on the issue \nof children. You testified last year that legislative action \nwas appropriate for protecting the privacy of children, and we \npassed the Children's Online Privacy Protection Act. Your \nagency has written rules to implement it, though I understand \nthey have yet to take effect.\n    Do you have any information on whether companies have \nimproved their online protections for children in anticipation \nof these rules kicking in, and do you consider your actions in \nthis area to be a success? Would you grade companies higher, \ngive them a higher grade in the area of children's privacy than \nin the area of adult protections?\n    Mr. Pitofsky. My reaction is an impression rather than a \ncareful study. 
I do believe that there has been some \nimprovement and some recognition on the part of companies, \npartly because of some of the suits that the FTC has brought. \nThose suits that asked for the toughest remedies did involve \ninvasion of privacy, using kids to disclose family finances. So \nwe have cracked down there. There has been a lot of publicity. \nMy impression is, things have improved, but I really don't have \na statistical analysis available.\n    Ms. Eshoo. I think that what you could provide our \ncommittee with could be instructive in this area because it \nseems to me what has been interwoven in this hearing is, there \nis a nexus between setting the standard and then compliance \nwith it. On the one hand, it is voluntary, and on the other, it \nhas been legislatively directed. Perhaps we could be able to \nlearn from the two. I don't know when you could bring something \nlike that forward, but I would certainly be interested in it.\n    Mr. Tauzin. I thank the gentlelady.\n    Mr. Pitofsky. The best regulation combines the two: \nlegislation in appropriate areas and self-regulation in \nappropriate areas.\n    Ms. Eshoo. Could I just follow up very quickly? Is it your \nsense overall, though, that the reason that you are saying that \nyou don't believe it is appropriate for legislative action now \nis that it is too early or you just don't believe that there \nshould be any legislative action in the adult privacy \nprotection area?\n    Mr. Pitofsky. It is not the latter. It is too early and the \nsector is too fast-moving. You want to measure the target \naccurately before you try for legislation. I think at least at \nthis point things are moving in the right direction and it is \npremature.\n    Ms. Eshoo. Thank you.\n    Mr. Tauzin. Anyone else?\n    Mr. Boucher.\n    Mr. Boucher. Mr. Pitofsky, I want to revisit with you \nbriefly the question of how long we do have to wait. 
In \nanswering that question, let me just point out with regard to \nTRUSTe we have now waited 2 years. And TRUSTe now certifies a \ntotal of 500 sites, 500 out of more than a million. With regard \nto the CPA WebTrust, we have now waited for 2 years and the \nWebTrust certifies 19 sites out of more than a million. And in \nInternet time, 2 years is not a short period of time. We all \nhave waited substantially with regard to these two programs.\n    And then the Better Business Bureau, which admittedly is \nsomewhat newer, 3 months old, only has 42 sites out of a \nmillion. Where are we going to be this time next year? When are \nwe going to know that we have achieved success, and how long \ncan we afford to wait?\n    Mr. Pitofsky. I will just repeat what I said before. If \nthere is as much progress this year as last year, then I think \nthat we are on the right track and we are going to get to a \nplace where all of us agree that we ought to be. If the \nprogress falls off, if we find they put on a good show this \nyear to head off legislation and nothing more happens, I will \nbe up here, speaking for myself and I hope my colleagues would \njoin me, in recommending that there be legislation, because the \nproblem is not being solved.\n    Mr. Boucher. Well, Mr. Pitofsky, I thank you. I would only \npoint out that I think there is some legislation that we can \npass this year that the industry would not head off--in fact, \nwould support--that would provide a certain set of guarantees \nthat the public does not have today. Thank you.\n    Mr. Tauzin. The Chair thanks the gentleman.\n    Let me wrap up by making a couple of comments. First of \nall, we have learned a good deal at this hearing. We thank you \nvery much for your contributions. 
While this hearing was \nentitled The Current Status of Privacy Protections for Online \nConsumers, I think my friend from Massachusetts and others on \nthe committee will agree with me that privacy concerns are \nbroader than even the online privacy concerns.\n    I made the point about the public broadcast station \ninappropriately trading or renting, selling something, its \nlist, inappropriately to political parties. But in that regard \nit is clear from the testimony today that this thing is still \nvery much in flux.\n    I read somewhere that only 15 percent of the Web sites are \neven identified on most search engines. There are a lot of Web \nsites out there. Many of them obviously are not even available \nto a lot of us through the search engines. I might mention to \nmembers that if you have a Web site and you haven't posted your \nown notice, today might be a good time to do it. I have \ninstructed my staff to put together a notice and hopefully one \nthat will be identified as an appropriate one with approach \nsafeguards for people that visit our site.\n    In that regard, the other thing that we learned, as Mr. \nStearns pointed out, is that most of the business today, most \nof the e-commerce is still business to business, but that a \nhuge and growing sector is going to be direct consumer \ninteraction with businesses in e-commerce. While that is only 1 \npercent of our commerce today, that is obviously going to grow \nvery rapidly. So getting this right as we watch the industry \nmake its attempts at self-regulation is going to be important.\n    Finally, let me point out to all of my friends on this side \nof the panel and the other side, that while it might be very \ninappropriate for us to try to put socks on this octopus, that \nit may be very appropriate at some point to make it very \nuncomfortable to go barefooted on the Internet. 
And at some \npoint we may indeed wish to proceed with legislation to say to \nthose who would not agree to proper self-enforcement, self-\nregulatory mechanisms that there is some fall-back, some safety \nnet, to protect online consumers in that world.\n    I think that is sort of what we have been talking about \ntoday, at what point do we do that and at what time do we do \nthat. In large measure, we are going to continue to rely upon \nthe good work, Mr. Pitofsky, that you and your agency are doing \nin gathering information and reporting to us. I would encourage \nyou to continue that good work and continue to report to us on \nthe progress that is being made or the lack thereof. I finally \nwould like to send a strong signal to the industry again that \nthis hearing was designed not simply to catch up on progress, \nbut also as a strong message to continue that progress in the \nhopes that whenever we do get to the stage where we have to \ndecide whether to make it uncomfortable to go barefooted that \nthat is a minimal government approach rather than a larger one. \nThat is our hope and I think that is the purpose and intent of \nthis hearing.\n    I would again encourage the industry to continue its \nefforts to try to find the mechanisms that work so that we have \nless concern here at this level and certainly at your level, \nMr. Pitofsky. Thank you very much for your testimony today. \nAgain, as always, we deeply appreciate your service to the \ncountry. Thank you very much.\n    Mr. Pitofsky. Thank you, Mr. Chairman.\n    Mr. Tauzin. We would now call up our second panel of \nwitnesses. And they will include Mr. Robert Lewin, Executive \nDirector of TRUSTe just mentioned a minute ago, of California. \nMs. Deirdre Mulligan, Staff Counsel for the Center for \nDemocracy and Technology; Ms. Solveig Singleton, Director of \nTelecommunications and Technology Studies for the CATO \nInstitute; and Mr. 
Steve Lucas, Chief Information Officer and \nSenior Vice President, PrivaSeek, one of those efforts at \nsoftware protections for consumers; and Mr. Jerry Cerasale, \nSenior Vice President, Government Affairs, Direct Marketing \nAssociation, Inc.\n    Ladies and gentlemen, if you would take your seats. What we \nmight want to do--why don't you move to the center and we will \nget the staff to move the nameplates. If you move to the \ncenter, I think we probably would have a more productive \nsession with you. I would ask staff to appropriately move the \nnameplates, and we can get started as soon as our committee \nsettles down and we can ask our guests to take their seats.\n    Thank you very much. By unanimous consent, as you heard \nearlier, your written statements will be made a part of the \nrecord, so I would appreciate it if you did not read them to \nus. We have them in front of us. I would very much appreciate \nit if you would toss them aside right now and just kind of \ndialog with us. Give us the high points of your written \ntestimony and any other comments that you want to make within a \ngeneral 5-minute rule, which is the time allotted for witnesses \nand for members here at this hearing.\n    We will begin with Mr. Robert Lewin, Executive Director of \nTRUSTe. Mr. Lewin.\n\nSTATEMENTS OF ROBERT LEWIN, EXECUTIVE DIRECTOR, TRUSTe; DEIRDRE \n MULLIGAN, STAFF COUNSEL, CENTER FOR DEMOCRACY AND TECHNOLOGY; \n     SOLVEIG SINGLETON, DIRECTOR OF TELECOMMUNICATIONS AND \n    TECHNOLOGY STUDIES, CATO INSTITUTE; STEVEN LUCAS, CHIEF \n    INFORMATION OFFICER AND SENIOR VICE PRESIDENT, INDUSTRY \n  GOVERNMENT RELATIONS, PrivaSEEK; AND JERRY CERASALE, SENIOR \n     VICE PRESIDENT, GOVERNMENT AFFAIRS, DIRECT MARKETING \n                       ASSOCIATION, INC.\n\n    Mr. Lewin. Thank you, Mr. Chairman. My name is Bob Lewin, \nand I am the Executive Director of TRUSTe. 
I would like to \nstart off again by thanking the chairman and the members of the \ncommittee for the opportunity to talk with you today.\n    As you know, TRUSTe is an Internet privacy seal program, \noperating independent from government and industry. Our goal \nfrom the beginning was to develop a program that was \nunderstandable by consumers, but did have teeth to ensure \ncompliance. I will talk more about this.\n    We feel that in the TRUSTe's seal that we have done this. \nWhen we developed the TRUSTe program in 1996, consumer privacy \nconcern was barely a blip on the industry radar. But at that \ntime several studies had pointed to the general distrust that \nthe medium, primarily stemming from the fact that participation \nwould compromise personal privacy, has raised the issue to the \nlevel that it is now. However, it is a complex problem as has \nalready been pointed out.\n    How do you regulate business practices in a global medium \nthat is constantly changing where you have rapid growth? What \nwe tried to do with the TRUSTe privacy seal program is develop \na solution that brings together government pressure with the \ndiscipline of self-regulation. That solution is what we call \nself-governance. Self-governance is a three-dimensional \nsolution that applies and leverages various degrees of pressure \nfrom consumers, from government, and from the industry to \nimplement the appropriate practices. Under that framework of \nself-governance, industry doesn't act alone; rather, it acts in \nconcert with existing laws and mores.\n    With the TRUSTe program, if you draw the analogy with the \nGood Housekeeping Seal of Approval, which I understand is \ncelebrating its 100th anniversary this year, just to keep it in \nperspective, perhaps that characterization is perhaps a little \nmisleading. TRUSTe, we believe, is a more robust tool. There \nare few reasons to illustrate this. 
First, by displaying the \nseal, we go beyond just illustrating the commitment to the Web \npublisher to disclose privacy practices. But we provide \nconsumers with an immediate and easy access to those policies \nwith a click of the mouse.\n    Second, we have continually raised the minimum requirements \nfor the program. When we started the program, all we had to do \nwas ask a licensee to post a privacy policy. Today we require \nall new and renewing licensees to be in compliance with the \nFTC's fair information practices, all of the points that were \ntalked about earlier.\n    Third, we work closely with respective licensees. We talk \nabout Internet time, but the implementation of these times \nstill involves people and the changes that are required within \nthe organization. That time sometimes does not operate at the \nInternet speed that we all seem to have become accustomed to \nwhen we talk about technology. By providing consumers with more \nthan a seal, by consistently raising the bar, and by being \nproactive in our advice to the Web sites, we have--we feel that \nwe have become a leading facilitator of trusting relationships \nonline.\n    We talked about the Georgetown Internet privacy survey. \nSuffice it to say that progress has been made. However, you \nlook at that information depending on what side of the argument \nyou are on, there has been some progress. Is it enough? Do we \nneed to do more? Absolutely. Nobody disputes that. But progress \nhas definitely been there.\n    Speaking for TRUSTe, in July 1997 we had 15 licensees. \nToday we are well past 100--800, sorry--well past 800. The \nacceleration in the number of licensees each month is \ntremendous. We will be by the end of this year well past 1,500 \nif the trends continue as they have been.\n    Now, while again we say there is significant progress, \nthere is still a lot to do. 
First of all, since we have a solid \nfoundation, now we want to spend more time and we will be \nfocusing more time on consumer education. Last fall we did the \nPrivacy Partnership, which was a grass-roots advertising \nprogram focused on educating online consumers on their privacy \nrights. It was led by an unprecedented bringing together of the \nlarge portal sites. That privacy partnership was the biggest \nonline advertising campaign ever. It had approximately 200 \nmillion banner ads that attracted 1 million people within a 3-\nweek period of time.\n    Second, widespread consumer education and ubiquity is a \npriority, but our focus must be on guaranteeing the safety of \nthe most vulnerable Web user, children. Last fall we launched \nthe TRUSTe Children Privacy Seal Program in anticipation of the \nFTC's and Congress' move in this area. We have now--that has a \nhigher level of privacy than is required for sites that are \ndirected toward children. We enforce those through our program.\n    Last, our goal was to create a globally recognized privacy \nseal program. Now, with the rise of the European privacy \ndirective and the implications of U.S. Business, it is critical \nto make our seal global, not just local, local being North \nAmerica. To that end, we have recently expanded our program and \nappointed a European director, and we also have sites in Europe \nwith the TRUSTe seal. By focusing our attention on consumer \neducation, child protection and international expansion, we are \nmaking progress in not only getting ubiquity of the TRUSTe \nseal, but we are succeeding in creating a safer online \nenvironment.\n    I would like to conclude by thanking the chairman and \nmembers of the committee for giving us the opportunity to \nupdate you on where we are, but more importantly, where we are \ngoing. We are happy with the results from the FTC because it \ndoes demonstrate that progress has been made. 
But we also \nrecognize that we have a lot more to do and we are committed to \nmaking it happen. Thank you.\n    [The prepared statement of Robert Lewin follows:]\n     Prepared Statement of Robert Lewin, Executive Director, TRUSTe\n    Thank you, Mr. Chairman. My name is Bob Lewin. I am the executive \ndirector of TRUSTe. I want to start off by thanking you, Mr. Chairman, \nand the members of the Committee for the invitation to speak today.\n    As many of you know, TRUSTe is an Internet privacy seal program \noperating independent from industry and government. For more than two \nyears, we have been working to address consumer privacy concerns by \nproviding Web businesses with the TRUSTe Privacy Seal, a symbol which \neffectively communicates a site's privacy practices and provides \nconsumers with a powerful oversight mechanism. Our goal from the \nbeginning was to establish a program easy enough for a consumer to \nunderstand, but with ``teeth'' to ensure compliance. With the TRUSTe \nseal, that is exactly what we accomplished.\n    I would like to spend a little time today talking to you about the \nTRUSTe program and where it is headed. I would also like to talk to you \nabout how our program fits into the overall self-governance model and \nhow that framework is proving to be the most effective way of ensuring \nthe healthy growth of this new medium.\n    When we began development of the TRUSTe program in 1996, consumer \nprivacy concern was barely a blip on the Industry's radar. But at the \ntime several studies pointed to a general distrust in the medium, \nemanating largely from the fear that participation would compromise \npersonal privacy. We understood, though, that this was only the tip of \nthe iceberg and that the lack of trust would have staggering \nimplications to the success of Internet commerce. 
Simply put, just as \ntrust is critical to the healthy growth of communities, the absence of \ntrust can cripple economic growth.\n    However, we were confounded by a complex problem: how do you \nregulate business practices on a global medium that is constantly \nchanging and fast growing? It was clear to us that the answer was not \nin what many called self-regulation, defined by most as industry being \ngiven free-rein to act on its own accord. Similarly, we believed that \ngovernment oversight in the form of laws and statutes wouldn't work \nwithin the global and evolving framework of the Internet.\n    What we created with the TRUSTe privacy seal program was a solution \nthat melds the weight of government pressure with the discipline of \nself-regulation. That solution is called self-governance. Self-\ngovernance is three-dimensional system that leverages a variety of \npressure points (from consumers to government to industry) to implement \nappropriate practice. Under the framework of self-governance, industry \ndoesn't act alone; rather, it acts in concert with existing laws and \nmores. [Some would say that this is the Internet's version of Checks \nand Balances].\n    Perhaps the brightest sign that the self-governance framework is \nworking is the success of privacy seal programs, such as TRUSTe. I'd \nlike to take a few minutes to describe our program, give you an \noverview of how the program is doing, and tell you where TRUSTe is \nheaded.\n    In many ways, the TRUSTe program is the online privacy version of \nthe Good Housekeeping Seal of Approval. Although even that \ncharacterization is a little misleading. TRUSTe is, in fact, a far more \nrobust tool. There are a few reasons that best illustrate this.\n    First, displaying the TRUSTe seal goes beyond illustrating the \ncommitment of the Web publisher to disclose privacy practices. 
TRUSTe \nprovides consumers with immediate and easy access to the actual privacy \npolicies by just the click of a mouse.\n    Second, the TRUSTe seal itself has raised its minimum standards of \nprivacy practices disclosure. When we started the program we required \nonly that TRUSTe licensee sites post privacy policies. Today, we \nrequire all of our new and renewing licensees to be in accordance with \nthe Federal Trade Commission's standards for fair information \npractices.\n    Third, TRUSTe works closely with prospective licensees on the front \nend to ensure that their privacy practices are in-line with consumer \ndemand. We invest a lot of our own resources to provide counsel to Web \nsites on how they can better develop trusted relationships online.\n    By providing consumers with more than just a seal, by consistently \nraising the bar of entry, and by pro-active counsel to prospective \nlicensees, the TRUSTe privacy seal program has become a leading \nfacilitator of trusted relationships online.\n    By every metric available, the self-governance model is working. \nAccording to the Georgetown Internet Privacy Policy survey, nearly two-\nthirds of all commercial Web sites are posting some kind of privacy \ndisclosure. When you take that into context with previous benchmarks, \nthe figure is staggering. While direct comparisons with the results of \nlast year's FTC study cannot be made, the fact that 67 percent of sites \nnow post privacy disclosures suggests significant progress has been \nmade. And while we recognize that not all of these disclosures are as \ncomprehensive as they could be, the TRUSTe program gives businesses the \ntools and the help they need to develop their privacy policies so that \nthey are in line with fair information practices.\n    Progress can most clearly be seen in the success of the TRUSTe \nprogram.\n    To give you an idea of TRUSTe's growth, in July 1997 we had a total \nof 15 licensees. 
Today, that number has risen to more than 800. In \nfact, more than 90 percent of Web users are on TRUSTe approved sites \neach month. Looking to the future, our internal projections show that \nwe will have more than 1500 licensees by the end of the year.\n    Privacy seal programs illustrate a self-governance model that \nallows an industry to impose rules on itself while, at the same time, \nexposing itself to outside scrutiny. If a TRUSTe licensee is found to \nhave violated its agreement with us, not only can we sue them for \ncontract violation, but the Federal Trade Commission can take action as \nwell. Beyond that, sites found in violation of the licensing agreement \nare likely to suffer reputation stains that can jeopardize their market \nposition.\n    But while a significant amount of progress has been made, there are \nstill (to quote the poet) miles to go before we sleep.\n    First, now that we have built a solid foundation, our efforts \nmoving forward will be focused on consumer education. In fact, we are \nalready off to a good start. Last Fall TRUSTe formed the Privacy \nPartnership, a grassroots advertising campaign aimed at educating \nonline consumers about their privacy rights. Led by an unprecedented \nunion of all of the Internet portal sites, the Privacy Partnership has \nbecome the biggest online advertising campaign, ever.\n    Second, while widespread consumer education and ubiquity is a \npriority, our focus must be on guaranteeing the safety of the most \nvulnerable Web users: children. Last fall we launched the TRUSTe \nchildren's privacy seal, a special symbol that holds higher privacy \nstandards for Web sites that target kids. In the next year, we will be \nplacing emphasis on promoting this new seal to child-oriented sites.\n    Lastly, our goal from the outset was to create a globally \nrecognized privacy seal that was suitable for the global Internet \nmedium. 
With the rise of the European Privacy Directive and its \nimplications to U.S. business, it is critical to make the TRUSTe seal \napplicable globally, not just locally. To that end, TRUSTe recently \nexpanded its program by appointing an interim European director. We \nwill continue to build that program out, as well as look to other \nregions for growth.\n    By focusing our efforts on consumer education, children's privacy \nand international expansion, we are making progress in not only gaining \nubiquity for the TRUSTe privacy seal, but we are succeeding in creating \na safer online environment for everyone.\n    I want to conclude by thanking you, Mr. Chairman, for inviting me \nhere today. Online self-governance has become a distinct characteristic \nof the Internet. Privacy seal programs and the quick mobilization by \nthe online community to address consumer privacy concerns indicate that \nthe self-governance model is working. But we need to realize that self-\ngovernance, like the medium itself, is in its nascent stages.\n    The vision of self-governance is a result of the democratic quality \nof the Internet, where the law is defined largely by the engagement and \nparticipation of each community member. That requires the participation \nof all members of the Web community, from the media to businesses to \nadvocacy groups, in educating consumers about their privacy rights \nonline and what road signs to look for on the Web. It also requires the \nengagement of public policy decision-makers in scrutinizing the \nactivity of the online world. 
But, at the same time, it is critical now \nmore than ever to not pass unnecessary regulations that will stand in \nthe way of the healthy growth of this medium.\n    Based on the initial success of the TRUSTe program, the rise in \npopularity of e.commerce and the validating benchmarks of specific Web \nstudies, we are well on our way to creating a safer and consumer \nempowering environment on the Web.\n    I would now be happy to answer any of your questions. Thank you.\n\n    Mr. Tauzin. Thank you very much, Mr. Lewin.\n    Now, Ms. Deirdre Mulligan, Staff Counsel for the Center for \nDemocracy and Technology.\n\n                  STATEMENT OF DEIRDRE MULLIGAN\n\n    Ms. Mulligan. Thank you again for the opportunity to be \nhere there. There is a little bit of a Groundhog Day feeling, \nhaving been here last year at this time, and I hope that my \ncomments are substantially different, although I think that we \nare looking in many ways at a similar dilemma as in ``Are we \nthere yet?'' and how best do we get there.\n    I would just like to emphasize three points before \ndiverging from my written remarks. One, the Internet is \nincredibly unique and offers us unique opportunities. \nLiterally, as you pointed out, as Mr. Cox pointed out, it \noffers some unique challenges to protecting privacy. Nowhere \ncan individuals be traced and monitored like this anywhere in \nthe off-line world. And I think that is probably the most \nimportant thing that the FTC has continued to bring to this \ndiscussion.\n    In their efforts, which I think have focused really on \nfairness when we talk about privacy, what do companies do with \ninformation, how much control do individuals have over \ninformation and now they are starting, having read through some \nof their reports, to diverge into some of the more tricky \nissues in the online arena. 
Unique identifiers, the issues \nposed by something like the Pentium III PSN; are we all going \nto have a digital dog tag as we wander around the Internet--\nonline profiling, how much information is out there, what is \nbeing used, how it is being used. Is law enforcement, for \nexample, gaining access to this data?\n    A report that the FTC delivered to you last year, 2 years \nago now, in the individual reference services group identified \nthat, in fact, private sector data is in fact very often used \nby law enforcement agencies. So talking about the flow of data \nback and forth between the public and private sectors is an \nimportant place that we need to look at.\n    The second is that privacy is a very complex value, and \nwhat the FTC has focused on over the past 4 years now has been \nthe fairness component. There are other issues as the committee \nhas pointed out earlier today. Individual expectations of \nprivacy don't exist just vis-a-vis the private sector. They \nalso are very alive and well, as we know, from things like the \nrejection of the know-your-customer rules, reactions to unique \nhealth identifiers vis-a-vis the government. In fact, we have \nbeen looking at what the government is doing about privacy \nprotections and privacy protections on the World Wide Web. Two \nmonths ago, we actually did a survey of government privacy \npolicies, what are they saying at Web sites, and found that \nabout a third of them were not posting policies. There has \nsince been some direction from OMB to actually step up.\n    I think the appointment by the White House of someone to \nlook at privacy issues is another very positive step. 
We see \nprivacy emerging as a much more important piece of both the \nadministration and of the FTC's agenda as a consumer protection \nissue.\n    However, I want to step back and say, imagine if tomorrow \nwhen you woke up and you got out of bed and you walked down the \nstreet that you found out that cash had disappeared. When you \nwent to buy your cup of coffee and your newspaper, when you \nwent to buy your half-smoked or grilled cheese or whatever it \nmight be at lunch, and perhaps the antacid and the Rogaine, \neverything that you purchased you were buying with your credit \ncard. And that you also found out that every business that you \nwent into, that 90 percent of them, perhaps more, before you \neven made a purchase, they were actually asking you for \ninformation before you actually made a purchase.\n    And in addition, a large majority of them when you walked \ninto the store asked you, as a condition of shopping, to place \nthis teeny-tiny newfangled camera called a ``cookie'' on your \nshoulder, because they want to get a sense of what you are \ndoing. For good purposes, they want to improve how they are \nstocking their shelves, et cetera, but basically they want to \nmonitor what it is that you are doing. Perhaps they don't know \nwho you are, but they certainly care a lot about your \npreferences. Do you want the salmon or the filet mignon? 
How \nlong did it take you to make up your mind?\n    In addition, you found out that later on in those \npractices, that information that was being stored in the \nprivate sector did become fodder for a Kenneth Starr, who is \ninterested in what books you purchased; or the Drug Enforcement \nAgency, recently interested in what people are buying at the \ngrocery store, how many little plastic bags are you purchasing, \nthat this private information that is being collected within \nthe private sector is bleeding back into our government \nactions.\n    I think that many of us would feel like the American public \nhas said they do. The figures of 87 percent of the people being \nconcerned in the online environment is exactly because this is \nthe kind of environment that I think people feel like they \nface.\n    Now, I think the Internet is a wonderful place. I think \ntechnology has an enormous opportunity to help consumers \nprotect their privacy, strong encryption, which this committee \nhas been very powerful in working toward, their basic \npractices--TRUSTe, the Better Business Bureau OnLine, all of \nthem are moving in the right direction. There is certainly a \ncandle that is burning and some of the bugs are flocking to the \ncandle and some of them run away.\n    I think the question is always, how do we get to the bad \nactors? Unfortunately, I think that I feel as though we are in \na similar position as we were last year. There has been much \nmore progress. There are many more companies that are beginning \nto say things about privacy, and the leaders have taken some \nvery bold steps, saying that we are not going to spend \nadvertising dollars at Web sites that don't put in privacy \npolicies; that is a very clear market incentive and it's the \nkind of thing that we need from leaders. 
However, when I look \nat a figure of 10 percent, and I look at 66 percent and I say, \nhow do we get that 10 percent to be 100 percent, I have to say \nthat I think we need the government also to play a role.\n    I think that working together through a combination of \ntechnology, self-regulation, and legislation that we can \nprovide the comprehensive privacy protections that we need. But \nI think there is a lot of discussion that needs to happen, as \nthe rulemaking going on in the Children's Online Protection Act \nright now highlights. Very difficult issues: When is data \nidentifiable; access to information, how do we do it; when is \ninformation identifiable; when do people need to get access to \nit.\n    So this is not--I am very pleased that the FTC is going to \ncontinue to work on these hard issues. I certainly would \nwelcome your future efforts to look at these hard issues, but I \ncertainly think that the government has a role to play in this \narea.\n    [The prepared statement of Deirdre Mulligan follows:]\n   Prepared Statement of Deirdre Mulligan, Staff Counsel, Center for \n                        Democracy and Technology\n                              i. overview\n    The Center for Democracy and Technology (CDT) is pleased to have \nthis opportunity to testify about privacy in the online environment. \nCDT is a non-profit, public interest organization dedicated to \ndeveloping and implementing public policies to protect and advance \ncivil liberties and democratic values on the Internet. One of our core \ngoals is to enhance privacy protections for individuals in the \ndevelopment and use of new communications technologies. 
We thank the \nchairman and Representatives Markey and Boucher for holding this \nhearing and for their commitment to seeking policies that support both \ncivil liberties and a vibrant Internet.\n    CDT wishes to emphasize three points this morning:\n\n<bullet> The Internet presents new challenges and opportunities for the \n        protection of privacy. Our policies must be grounded in an \n        understanding of the medium's unique attributes and its unique \n        potential to promote democratic values.\n<bullet> Privacy is a complex value. In the context of this discussion, \n        we believe Congress should focus on ensuring that individuals' \n        long-held expectations of autonomy, fairness, and \n        confidentiality are respected as daily activities move online. \n        These expectations exist vis-a-vis both the public and the \n        private sectors.\n        By autonomy, we mean the individual's ability to browse, seek \n            out information, and engage in a range of activities \n            without being monitored and identified.\n        Fairness requires policies that provide individuals with \n            control over information that they provide to the \n            government and the private sector. The concept of fairness \n            is embodied in the Code of Fair Information Practices \n            <SUP>1</SUP>--long-accepted principles specifying that \n            individuals should be able to ``determine for themselves \n            when, how, and to what extent information about them is \n            shared.'' <SUP>2</SUP> The Code also requires that those \n            who collect and use personal information do so in a manner \n            that respects individuals' privacy interests. 
Self-\n            regulatory efforts designed for the online environment are \n            gradually moving closer to the standards for privacy \n            protection set out in the Code of Fair Information \n            Practices. However, legislation, as well as robust self-\n            regulation, is both inevitable and necessary to ensure \n            privacy protection is the rule rather than the exception on \n            the Internet.\n---------------------------------------------------------------------------\n    \\1\\ The Code of Fair Information Practices as stated in the \nSecretary's Advisory Comm. on Automated Personal Data Systems, Records, \nComputers, and the Rights of Citizens, U.S. Dept. of Health, Education \nand Welfare, July 1973:\n    There must be no personal data record-keeping systems whose very \nexistence is secret.\n    There must be a way for an individual to find out what information \nabout him is in a record and how it is used.\n    There must be a way for an individual to prevent information about \nhim that was obtained for one purpose from being used or made available \nfor other purposes without his consent.\n    There must be a way for the individual to correct or amend a record \nof identifiable information about him.\n    Any organization creating, maintaining, using, or disseminating \nrecords of identifiable personal data must assure the reliability of \nthe data for their intended use and must take precautions to prevent \nmisuse of the data. Id. at xx\n    The Code of Fair Information Practices as stated in the OECD \nguidelines on the Protection of Privacy and Transborder Flows of \nPersonal Data http://www.oecd.org/dsti/sti/ii/secur/prod/PRIV--EN.HTM\n    1. Collection Limitation Principle: There should be limits to the \ncollection of personal data and any such data should be obtained by \nlawful and fair means and, where appropriate, with the knowledge or \nconsent of the data subject.\n    2. 
Data quality: Personal data should be relevant to the purposes \nfor which they are to be used, and, to the extent necessary for those \npurposes, should be accurate, complete and kept up-to-date.\n    3. Purpose specification: The purposes for which personal data are \ncollected should be specified not later than at the time of data \ncollection and the subsequent use limited to the fulfillment of those \npurposes or such others as are not incompatible with those purposes and \nas are specified on each occasion of change of purpose.\n    4. Use limitation: Personal data should not be disclosed, made \navailable or otherwise used for purposes other than those specified in \naccordance with the ``purpose specification'' except: (a) with the \nconsent of the data subject; or (b) by the authority of law.\n    5. Security safeguards: Personal data should be protected by \nreasonable security safeguards against such risks as loss or \nunauthorized access, destruction, use, modification or disclosure of \ndata.\n    6. Openness: There should be a general policy of openness about \ndevelopments, practices and policies with respect to personal data. \nMeans should be readily available of establishing the existence and \nnature of personal data, and the main purposes of their use, as well as \nthe identity and usual residence of the data controller.\n    7. 
Individual participation: An individual should have the right: \n(a) to obtain from a data controller, or otherwise, confirmation of \nwhether or not the data controller has data relating to him; (b) to \nhave communicated to him, data relating to him: within a reasonable \ntime; at a charge, if any, that is not excessive; in a reasonable \nmanner; and, in a form that is readily intelligible to him; (c) to be \ngiven reasons if a request made under subparagraphs (a) and (b) is \ndenied, and to be able to challenge such denial; and, (d) to challenge \ndata relating to him and, if the challenge is successful to have the \ndata erased, rectified completed or amended.\n    8. Accountability: A data controller should be accountable for \ncomplying with measures which give effect to the principles stated \nabove.\n    \\2\\ Alan Westin. Privacy and Freedom (New York: Atheneum, 1967), 7.\n---------------------------------------------------------------------------\n        In terms of confidentiality, we need a strong Fourth Amendment \n            in cyberspace. But confidentiality protections--both \n            technical and legal--are growing increasingly porous as \n            technology changes and more information resides outside of \n            the home on networks. It is time to update and strengthen \n            the Electronic Communications Privacy Act. Further, our \n            laws protecting privacy will have limited impact in the \n            global environment. For that reason, to ensure that \n            citizens and businesses have the ability to protect their \n            sensitive information and communications, the government \n            must change its policy course on encryption.\n<bullet> Preserving these core elements of privacy on the Internet \n        requires a thoughtful, multi-faceted approach combining self-\n        regulatory, technological, and legislative components.\n                 ii. 
what makes the internet different?\n    CDT focuses much of its work on the Internet because we believe \nthat it, more than any other medium, has characteristics--\narchitectural, economic, and social--that are uniquely supportive of \ndemocratic values. Because of its decentralized, open, and interactive \nnature, the Internet is the first electronic medium to allow every user \nto ``publish'' and engage in commerce. Users can reach and create \ncommunities of interest despite geographic, social, and political \nbarriers. As the World Wide Web grows to fully support voice, data, and \nvideo, it will become in many respects a virtual ``face-to-face'' \nsocial and political milieu.\n    But while the First Amendment potential of the Internet is clear, \nand recognized by the Supreme Court, the impact of the Internet on \nindividual privacy is less certain. Will the online environment erode \nindividual privacy--building in national identifiers, tracking devices, \nand limits on autonomy? Or will it breathe new life into privacy--\nproviding protections for individuals' long held expectations of \nprivacy?\n    The Internet poses both challenges and opportunities to protecting \nprivacy. The Internet accelerates the trend toward increased \ninformation collection that is already evident in our offline world. \nThe trail of transactional data left behind as individuals use the \nInternet is a rich source of information about their habits of \nassociation, speech, and commerce. When aggregated, these digital \nfingerprints reveal a great deal about an individual's life. The global \nflow of personal communications and information coupled with the \nInternet's distributed architecture presents challenges for the \nprotection of privacy. However, Anonymizers, anonymous remailers, and \nother privacy-enhancing tools allow individuals to create zones of \nprivacy--limiting who knows what about them and protecting their \nsensitive communications from prying eyes. 
Computer code and products \nare becoming increasingly critical to the protection of privacy in this \ndistributed environment. With privacy-enhancing tools users will be \nempowered to control their personal information in new ways.\n    As we move swiftly toward a world of electronic democracy, \nelectronic commerce and indeed electronic living, it is critical to \nconstruct a framework of privacy protection that fits with the unique \nopportunities and risks posed by the Internet. But as Congress has \ndiscovered in its attempts to regulate speech, this medium deserves its \nown analysis. Laws developed to protect interests in other media should \nnot be blindly imported. To create rules that map onto the Internet, we \nmust fully understand the characteristics of the Internet and their \nimplications for privacy protection. We must also have a shared \nunderstanding of what we mean by privacy. Finally we must assess how to \nbest use the various tools we have for implementing policy--law, \ncomputer code, industry practices, and public education--to achieve the \nprotections we seek.\n    iii. the erosion of privacy and the path towards its restoration\n    There are several core ``privacy expectations'' that individuals \nhave long held vis-a-vis both the government and the private sector, \nthe protection of which should carry over to interactions on the \nInternet. Surveys of Internet users, and would-be Internet users, \nreveal a high level of concern with threats to privacy online. 
Surveys \nsuggest that concern over privacy is keeping individuals off the \nInternet <SUP>3</SUP>, retarding the growth of e-commerce <SUP>4</SUP>, \nand leading individuals to engage in privacy-protective behaviors such \nas providing false information.<SUP>5</SUP> A recent survey of Internet \nusers found that 87% are concerned about threats to their personal \nprivacy.<SUP>6</SUP>\n---------------------------------------------------------------------------\n    \\3\\ A 1998 Business Week Survey found that privacy was the number \none reason individuals are choosing to stay off the Internet, coming in \nwell ahead of cost, concerns with complicated technology, and concerns \nwith unsolicited commercial email. Business Week, March 16, 1998.\n    \\4\\ A TRUSTe and Boston Consulting Group survey conducted in 1997 \nfound that privacy concerns were leading users to limit their \nengagement in electronic commerce.\n    \\5\\ Id. and see footnote 6.\n    \\6\\ Beyond Concern: Understanding Net Users Attitudes About Online \nPrivacy, AT&T, 1999.\n---------------------------------------------------------------------------\n    The remainder of our testimony will discuss the three critical \nprivacy expectations of autonomy, fairness, and confidentiality, \nexplore the changes in technology and policies that threaten them, and \nfinally outline a plan for their restoration.\nA. The Expectation of Autonomy\n    1. Why is it at risk? Imagine walking through a mall where every \nstore, unbeknownst to you, placed a sign on your back. The signs tell \nevery other store you visit exactly where you have been, what you \nlooked at, and what you purchased. Something very close to this is \npossible on the Internet.\n    When individuals surf the World Wide Web, they have a general \nexpectation of anonymity, more so than in the physical world where an \nindividual may be observed by others. 
As documented in several surveys, \nindividuals value their anonymity and will take steps, such as \nproviding false information and refusing to register, to protect \nit.<SUP>7</SUP> Online, individuals often believe that if they have not \naffirmatively disclosed information about themselves, then no one knows \nwho they are or what they are doing. But, contrary to this belief, the \nInternet generates an elaborate trail of data detailing every stop a \nperson makes. The individual's employer may capture this data trail if \nshe logs on at work, and it is captured by the Web sites the individual \nvisits. This transactional or click stream data can provide a \n``profile'' of an individual's online life.\n---------------------------------------------------------------------------\n    \\7\\ The 8th annual poll of the Graphics, Visualization, and \nUsability Center at the Georgia Institute of Technology found that in \norder to protect their privacy, significant numbers of people falsify \ninformation online. Particularly, users report regularly falsifying \nregistration information. The most common reason for not registering is \nthe lack of a statement about how the information will be used. In \naddition, the GVU study showed that users would rather not access a \nsite than reveal information. (1998)\n    The survey Beyond Concern: Understanding Net Users Attitudes About \nOnline Privacy found that individuals were reluctant to provide \nidentifying information such as credit card numbers but were more \nwilling to provide information that did not identify them. AT&T (1999)\n---------------------------------------------------------------------------\n    Two recent examples highlight the manner in which individuals' \nexpectation of autonomy is increasingly challenged in the online \nenvironment. 
(1) The introduction of the Pentium III processor equipped \nwith a unique identifier (Processor Serial Number) threatens to greatly \nexpand the ability of Web sites to surreptitiously track and monitor \nonline behavior. The PSN could become something akin to the Social \nSecurity Number of the online world--a number tied inextricably to the \nindividual and used to validate one's identity throughout a range of \ninteractions with the government and the private sector. (2) The Child \nOnline Protection Act (COPA), passed in October, requires Web sites to \nprohibit minors' access to material considered ``harmful to minors.'' \nToday, when an individual walks into a convenience store to purchase an \nadult magazine, they may be asked to show some identification to prove \ntheir age. Under the COPA, an individual will be asked not only to show \ntheir identification, but also to leave a record of it and their \npurchase with the online store. Such systems will create records of \nindividuals' First Amendment activities, thereby conditioning adult \naccess to constitutionally protected speech on a disclosure of \nidentity. This poses a Faustian choice to individuals seeking access to \ninformation--protect privacy and lose access or exercise First \nAmendment freedoms and forego privacy.\n2. The Path to Individual Autonomy Online\n    While the global, distributed environment of the Internet raises \nchallenges to our traditional methods of implementing policy, the \nspecifications, standards, and technical protocols that support the \noperation of the Internet offer a new way to implement policy \ndecisions. In the area of autonomy, focusing on standards and \napplications is crucial. Building systems that respect individuals' \nvaried needs for identification, pseudonymity, and anonymity--building \na digital wallet with cash, credit cards, a metro fare card, and a \ndriver's license--will help build an online environment that promotes \nautonomy. 
By building privacy into the architecture of the Internet, we \nhave the opportunity to advance public policies in a manner that scales \nwith the global and decentralized character of the network. As Larry \nLessig repeatedly reminds us, ``(computer) code is law.''\n    Accordingly, we must promote specifications, standards and products \nthat protect privacy. A privacy-enhancing architecture must \nincorporate, in its design and function, individuals' expectations of \nprivacy. For example, a privacy-friendly architecture would provide \nindividuals the ability to ``walk'' through the digital world, browse, \nand even purchase without disclosing information about their identity, \nthereby preserving their autonomy. Of course, it would also provide \nindividuals the opportunity to create relationships that are \nidentifiable--or at least authenticated--for engaging in activities \nsuch as banking. This would be coupled with policies that allow \nindividuals to control when, how, and to whom personal data collected \nduring interactions is used or disclosed.\n    While there is much work to be done in designing a privacy-\nenhancing architecture, some substantial steps toward privacy \nprotection have occurred. Positive steps to leverage the power of \ntechnology to protect privacy can be witnessed in tools like the \nAnonymizer, Crowds, and Onion Routing, which shield individuals' \nidentity during online interactions, and encryption tools such as \nPretty Good Privacy that allow individuals to protect their private \ncommunications during transit. 
Coupled with rules such as those found \nin the Government Paperwork Elimination Act of 1998, which established \nprivacy protections governing personal information collected when the \npublic uses electronic signature systems,<SUP>8</SUP> technology may \nevolve in ways that support individuals' interest in autonomy.\n---------------------------------------------------------------------------\n    \\8\\ Many such systems gather sensitive information in the course of \nproviding and guaranteeing an electronic signature.\n---------------------------------------------------------------------------\n    The law prohibits companies that collect such information from \nusing or disclosing it without the permission of the person involved. \nAuthored by Senators Leahy and Abraham, this marks the first attempt to \ncraft a legislative approach to dealing with the potential erosion of \nprivacy created by electronic signature use.\nB. The Expectation of Fairness and Control Over Personal Information\n    1. Who controls the data? When individuals provide information to a \ndoctor, a merchant, or a bank, they expect that those professionals/\ncompanies will collect only information necessary to perform the \nservice and use it only for that purpose. The doctor will use it to \ntend to their health, the merchant will use it to process the bill and \nship the product, and the bank will use it to manage their account--end \nof story. Unfortunately, current practices, both offline and online, \nfoil this expectation of privacy. 
Much of the concern with privacy in \nelectronic commerce stems from a lack of privacy rules in various \nsectors of the economy, such as financial and health, that handle a \ntreasure trove of sensitive information on individuals.\n    Whether it is medical information, or a record of a book purchased \nat the bookstore, or information left behind during a Web site visit, \ninformation is routinely collected without the individual's knowledge \nand used for a variety of other purposes without the individual's \nknowledge--let alone consent.\n    Focusing on the online environment, we now have information from \ntwo studies assessing the state of privacy notices on the World Wide \nWeb. Last June, the Federal Trade Commission's ``Privacy Online: A \nReport to Congress'' found that despite increased pressure, businesses \noperating online continued to collect personal information without \nproviding even a minimum of consumer protection. The report looked only \nat whether Web sites provided users with notice about how their data \nwas to be used; there was no discussion of whether the stated privacy \npolicies provided adequate protection. The survey found that, while 92% \nof the sites surveyed were collecting personally identifiable \ninformation, only 14% had some kind of disclosure of what they were \ndoing with personal data.\n    The newly released Georgetown Internet Privacy Policy Survey \nprovides new data. The Survey was designed to provide an update on the \nstate of privacy policies on the World Wide Web. The study shows that \ndefinite progress has been made in making many more Web sites privacy-\nsensitive, but substantive privacy protections are still far from \nubiquitous on the World Wide Web. While more Web sites are mentioning \nprivacy, only 9.5% provide the types of notices required by the Online \nPrivacy Alliance, the Better Business Bureau and TRUSTe. 
Indeed, fair \ninformation practices on the Web appear to remain the exception, not \nthe rule.\n    The Georgetown Survey shows that, spurred by surveys documenting \nconsumer concern and anxiety, and the work of individual companies \n<SUP>9</SUP> and industry self-regulatory entities such as TRUSTe, the \nOnline Privacy Alliance, and the Better Business Bureau, an increased \nnumber of Web sites are providing consumers with some information about \nwhat personal information is collected (44%), and how that information \nwill be used (52%). Companies posting fuller information about their \ndata handling <SUP>10</SUP> are more likely to make them accessible to \nconsumers. Many have a link to such statements from the home page \n(79.7%).<SUP>11</SUP>\n---------------------------------------------------------------------------\n    \\9\\ For example, IBM recently stated that it would limit its \nadvertising to Web sites that post privacy notices.\n    \\10\\ The report calls these ``privacy policies'' as compared to \n``information practice statements.'' ``Privacy policies'' are a more \ncomprehensive description of a site's practices that are located in a \nsingle place and accessible through an icon or hyperlink. A site may \nhave a ``privacy policy'' by this definition but still not have a \nprivacy policy that meets the elements set out by the FTC or various \nindustry self-regulatory initiatives for an adequate privacy policy.\n    \\11\\ In response to the question, ``Is a Privacy Policy Notice easy \nto find?'' surfers in the 1998 survey answered yes for approximately \n1.2% of Web sites. FTC Report, Appendix C Q19.\n---------------------------------------------------------------------------\n    However, on important issues such as access to personal information \nand the ability to correct inaccurate information, the Georgetown \nSurvey shows that only 22% and 18% respectively of these highly \ntrafficked Web sites provide consumers with notice. 
On the important \nissue of providing individuals with the capacity to control the use and \ndisclosure of personal information, the survey finds that 39.5% of \nthese busy Web sites say that consumers can make some decision about \nwhether they are re-contacted for marketing purposes--most likely an \n``opt-out''--and fewer still, 25%, say they provide consumers with some \ncontrol over the disclosure of data to third parties.<SUP>12</SUP>\n---------------------------------------------------------------------------\n    \\12\\ This number is generated using the data from Q32 (number of \nsites that say they give consumers choice about having collected \ninformation disclosed to outside third parties)--64--and dividing it by \n256 (the total survey sample (364) minus the number of sites that \naffirmatively state they do not disclose data to third-parties (Q29A) \n(69) and the number of sites that affirmatively state that data is only \ndisclosed in the aggregate (Q30) (39)).\n---------------------------------------------------------------------------\n    Overall, the Georgetown survey reveals that, at over 90% of the \nmost frequently trafficked Web sites,<SUP>13</SUP> consumers are not \nbeing adequately informed about how their personal information is \nhandled.<SUP>14</SUP> At the same time the survey found that over 90% \nof these same busy consumer-oriented Web sites are collecting personal \ninformation.<SUP>15</SUP> In fact, the survey revealed an increase in \nthe number of Web sites collecting sensitive information such as credit \ncard numbers (up 20%), names (up 13.3%), and even Social Security \nNumbers (up 1.7%).\n---------------------------------------------------------------------------\n    \\13\\ Only 9.5% of the most frequently visited Web sites and 14.7% \nof those that collect information had privacy policies containing \ncritical information called for by the FTC, the Administration, and \nrequired by the Online Privacy Alliance, TRUSTe and 
the BBB Online, \nabout notice; choice; access; security; and contact information.\n    \\14\\ Last year's survey found approximately 2% of Web sites that \ncollected data, and less than 1% of all Web sites, had adequate \nnotices.\n    \\15\\ 92.9% are collecting some type of personal information.\n---------------------------------------------------------------------------\n    Thus, while many companies appear to be making an effort to address \nsome privacy concerns, the results from the consumer perspective appear \nto be a quilt of complex and inconsistent statements. The number of \nsites that provide consumers with the types of notices required by the \nOnline Privacy Alliance, the Better Business Bureau and TRUSTe, and \ncalled for by the Federal Trade Commission and the Administration, is \nstill relatively small (9.5%).\n    The posting of privacy notices is not just a private sector issue. \nIn a recent CDT study of federal agency Web sites, we found that just \nover one-third of federal agencies had a ``privacy notice'' link from \nthe agency's home page. Eight other sites had privacy policies that \ncould be found after following a link or two and on 22 of the sites \nsurveyed we could not find a privacy policy at all.\n    The lack of widespread adherence to Fair Information Practices is \nundermining consumer confidence. 
A recent survey by the National \nConsumers League found that the majority of online users are not \ncomfortable providing credit card (73%), financial (73%), or personal \ninformation (70%) to businesses online.<SUP>16</SUP> Due to privacy \nconcerns 42% of those who use the Internet are using it solely to \ngather information, while a smaller 24% actually venture to purchase \ngoods online.<SUP>17</SUP> A second study found that 58% of consumers \ndo not consider financial transactions online to be safe, and 77% do \nnot believe it is safe to provide a credit card number through a \ncomputer.<SUP>18</SUP> Privacy has been rightly identified by the \nFederal Trade Commission, Congress, the business community, and \nadvocacy organizations as a critical consumer protection issue in e-\ncommerce.\n---------------------------------------------------------------------------\n    \\16\\ Consumers and the 21st Century, National Consumers League \n(1999).\n    \\17\\ Id.\n    \\18\\ National Technology Readiness Survey, conducted by Rockridge \nAssociates (1999).\n---------------------------------------------------------------------------\n    2. Establish Rules That Give Individuals Control Over Personal \nInformation During Commercial Interactions. We must adopt enforceable \nstandards, both self-regulatory and legislative, to ensure that \ninformation provided for one purpose is not used or redisclosed for \nother purposes without the individual's consent. All such efforts \nshould focus on the Code of Fair Information Practices developed by the \nDepartment of Health, Education and Welfare in 1973. The challenge of \nimplementing privacy practices on the Internet is ensuring that they \nbuild upon the medium's real-time and interactive nature to foster \nprivacy and that they do not unintentionally impede other beneficial \naspects of the medium. 
Implementing privacy protections on the global \nand decentralized Internet is a complex task that will require new \nthinking and innovative approaches.\n    The Georgetown Survey supports our belief that a combination of \nmeans--self-regulation, technology, and legislation--is required to \nprovide privacy protections on the Internet. The study, as discussed \nabove, shows that some progress has been made in making many more Web \nsites privacy sensitive, but substantive privacy protections are still \nfar from ubiquitous on the World Wide Web. Because many Web sites need \nbaseline policy guidance and because self-enforcement mechanisms, while \nemerging, may not always provide a viable remedy, we believe that \nlegislation is both inevitable and necessary to ensure consumers' \nprivacy on the Internet.\n    To achieve real privacy on the Internet, we will need more than \nbetter numbers, redoubled efforts by industry, or a legislative mantra. \nWe will need a good-faith concerted effort by industry, consumer and \nprivacy advocates, and policymakers to develop real and substantive \nanswers to a number of difficult policy issues involving the scope of \nidentifiable information, the workings of consent and access \nmechanisms, and the structure of effective remedies that protect \nprivacy without adversely affecting the openness and vitality of the \nInternet.\n    As the Federal Trade Commission's rulemaking under the Children's \nOnline Privacy Protection Act and industry's various efforts at self-\nregulation show, these issues are not easy. 
But armed with the findings \nof the Georgetown Internet Privacy Policy Survey, we believe interested \nparties are in a position to move forward on a three-pronged approach--\nexpanded self-regulation, work to develop and deploy privacy-enhancing \ntechnologies such as P3P, and legislation--all require a serious \ndialogue on policy and practice options for resolving difficult issues \nin this promising medium.\n    In its testimony last July, the Federal Trade Commission stated \nthat, ``. . . unless industry can demonstrate that it has developed and \nimplemented broad-based and effective self-regulatory programs by the \nend of this year, additional governmental authority in this area would \nbe appropriate and necessary.'' <SUP>19</SUP> Despite the considerable \neffort of Congress, the Federal Trade Commission, the Administration \nand industry to encourage and facilitate an effective self-regulatory \nsystem to protect consumer privacy, based on the survey results we do \nnot believe that one has yet emerged. Like Commissioner Anthony, we \nbelieve that industry leadership and self-regulatory programs are a \ncritical component of a privacy framework for the Internet but that \nlegislation is also necessary to establish a baseline and ensure \nconsumers are protected from bad actors.\n---------------------------------------------------------------------------\n    \\19\\ Last year's survey found approximately 2% of Web sites that \ncollected data, and less than 1% of all Web sites, had adequate \nnotices. Privacy Online: A Report to Congress, Federal Trade \nCommission, June 1998.\n---------------------------------------------------------------------------\n    Last year, the Federal Trade Commission offered a legislative \noutline that embodied a framework, similar to the one we suggest, \nbuilding upon the strengths of both the self-regulatory and regulatory \nprocesses. This year several bills have been introduced on a wide range \nof privacy issues. 
Senators Burns and Wyden,<SUP>20</SUP> and Leahy \n<SUP>21</SUP> have introduced proposals as have Representatives \nGoodlatte and Boucher,<SUP>22</SUP> and Vento.<SUP>23</SUP> We \nanticipate additional proposals from Senators Kohl, Torricelli, Dewine, \nand Hatch, and Representative Markey. Historically, for privacy \nlegislation to be successful, it must garner the support of at least a \nsection of the industry. To do so, it generally must build upon the \nwork of some industry members--typically binding bad actors to the \nrules being followed by industry leaders--or be critically tied to the \nviability of a business service or product as with the Video Privacy \nProtection Act and the Electronic Communications Privacy Act.\n---------------------------------------------------------------------------\n    \\20\\ The Online Privacy Protection Act of 1999 (S. 809), introduced \non April 15, 1999, by Senators Burns (R-MT) and Wyden (D-OR).\n    \\21\\ Electronic Rights for the Twenty-First Century Act of 1999 (E-\nRIGHTS) (S. 854), introduced on April 21, 1999 by Senator Leahy (D-VT).\n    \\22\\ Internet Growth and Development Act of 1999 (H.R. 1685), \nintroduced on May 5, 1999 by Representatives Boucher (D-VA) and \nGoodlatte (R-VA).\n    \\23\\ Consumer Internet Privacy Protection Act of 1999 (H.R. 313), \nintroduced on January 6, 1999, by Representative Vento (DFL-MN).\n---------------------------------------------------------------------------\n    Several companies have staked out leadership positions on the issue \nof online privacy and several self-regulatory programs have formed to \ndrive industry best practices online. Numerous surveys have documented \nthat consumers are concerned about their privacy in e-commerce. In \naddition, work is underway to develop the tools necessary to implement \nfair information practices on the World Wide Web. The World Wide Web \nConsortium's Platform for Privacy Preferences (``P3P'') is a promising \ndevelopment. 
The P3P specification will allow individuals to query Web \nsites for their policies on handling personal information and to allow \nWeb sites to easily respond. While P3P does not drive the specific \npractices, it is a standard designed to promote openness about \ninformation practices, to encourage Web sites to post privacy policies \nand to provide individuals with a simple, automated method to make \ninformed decisions. Through settings on their Web browsers, or through \nother software programs, users will be able to exercise greater control \nover the use of their personal information. Regardless of how policies \nare established, an Internet-centric method of communicating about \nprivacy is part of the solution.\n    As Congress moves forward this year, we look forward to working \nwith you and all interested parties to ensure that fair information \npractices are incorporated into business practices on the World Wide \nWeb. Both legislation and self-regulation are only as good as the \nsubstantive policies they embody. As we said at the start, crafting \nmeaningful privacy protections that map onto the Internet requires us \nto resolve several critical issues. While consensus exists around at \nleast four general principles (a subset of the Code of Fair Information \nPractices)--notice of data practices; individual control over the \nsecondary use of data; access to personal information; and, security \nfor data--the specifics of their implementation and the remedies for \ntheir violation must be explored. We must wrestle with difficult \nquestions: When is information identifiable? How is it accessed? How do \nwe create meaningful and proportionate remedies that address the \ndisclosure of sensitive medical information as well as the disclosure \nof inaccurate marketing data? For the policy process to successfully \nmove forward these hard issues must be more fully resolved. 
We look \nforward to working with the Committee to explore these issues and develop \na framework for privacy protection in the online environment. The \nleadership of Internet-savvy members of this Committee and others will \nbe critical as we seek to provide workable and effective privacy \nprotections for the Internet.\nC. The Expectation of Confidentiality\n    1. Who has access to records in cyberspace? When individuals send \nemail they expect that only the intended recipient will read it. In \npassing the Electronic Communications Privacy Act in 1986, Congress \nreaffirmed this expectation. Unfortunately, it is once again in danger.\n    While United States law provides email the same legal protection as \na first class letter, the technology leaves unencrypted email as \nvulnerable as a postcard. Compared to a letter, an email message is \nhandled by many independent entities and travels in a relatively \nunpredictable and unregulated environment. To further complicate \nmatters, the email message may be routed, depending upon traffic \npatterns, overseas and back, even if it is a purely domestic \ncommunication. While the message may effortlessly flow from nation to \nnation, the privacy protections are likely to stop at the border.\n    Email is just one example. Today our diaries, medical records, and \nconfidential documents are more likely to be out in the network than \nstored in our homes. As our wallets become ``e-wallets'' housed \nsomewhere out on the Internet rather than in our back-pockets, the \nconfidentiality of our personal information is at risk. The advent of \nonline datebooks, and products such as Novell's ``Digital Me'', and \nsites such as Wellmed.com <SUP>24</SUP> which invite individuals to \ntake advantage of the convenience of the Internet to manage their \nlives, financial information, and even medical records raise \nincreasingly complex privacy questions. 
While the real ``me'' has \nFourth and Fifth Amendment protections from the government, the \n``Digital Me'' is increasingly naked in cyberspace.\n---------------------------------------------------------------------------\n    \\24\\ WellMed.com is a proprietary Online Health Management System \nwhich works by collecting personal health information from individuals, \nanalyzing that information to develop unique health profiles which are \nused for a variety of purposes. One service is HealthNow!--``an online \npersonal health record enabling secure, confidential, and private \nstorage, management, and maintenance of health information by \nindividuals and their families. HealthNow affords easy access of \nmedical records from one central location anytime and anywhere the need \narises.''\n---------------------------------------------------------------------------\n    2. Protecting the Privacy of Communications and Information. \nIncreasingly, our most important records are not ``papers'' in our \n``houses'' but ``bytes'' stored electronically at distant ``virtual'' \nlocations for indefinite periods of time and held by third parties. The \nInternet, and digital technology generally, accelerate the collection \nof information about individuals' actions and communications. Our \ncommunications, rather than disappearing, are captured and stored on \nservers controlled by third parties. Daily interactions such as our \nchoice of articles at a news Web site, our search and purchase of an \nairline ticket, and our use of an online date book, such as Yahoo's \ncalendar, leave detailed information in the hands of third-parties. 
\nWith the rise of networking and the reduction of physical boundaries \nfor privacy, we must ensure that privacy protections apply regardless \nof where information is stored.\n    Under our existing law, there are now essentially four legal \nregimes for access to electronic data: 1) the traditional Fourth \nAmendment standard for records stored on an individual's hard drive or \nfloppy disks; 2) the Title III-Electronic Communications Privacy Act \nstandard for records in transmission; 3) the standard for business \nrecords held by third parties, available on a mere subpoena to the \nthird party with no notice to the individual subject of the record; and \n4) a statutory standard allowing subpoena access and delayed notice for \nrecords stored on a remote server, such as the diary of a student \nstored on a university server, or personal correspondence stored on a \ncorporate server.\n    As the third and fourth categories of records expand because the \nwealth of transactional data collected in the private sector grows and \npeople find it more convenient to store records remotely, the legal \nambiguity and lack of strong protection grows more significant and \nposes grave threats to privacy in the digital environment.\n    Congress took the first small step towards recognizing the changing \nnature of transactional data with amendments to the Electronic \nCommunications Privacy Act enacted as part of the Communications \nAssistance for Law Enforcement Act of 1994 (``CALEA''). But the ongoing \nand accelerating increase in transactional data and the detail it \nreveals about individuals' lives suggests that these changes are \ninsufficient to protect privacy.\n    Moreover, the Electronic Communications Privacy Act must be updated \nto provide a consistent level of protection to communications and \ninformation regardless of where they are stored and how long they have \nbeen kept. 
Senator Leahy's recently introduced legislation is an effort \nto restore 4th Amendment protections to our personal papers. \nTechnologies that invite us to live online will quickly create a pool \nof personal data with the capacity to reveal an individual's travels, \nthoughts, purchases, associations, and communications. We must raise \nthe legal protections afforded to this growing body of detailed data \nregardless of where it resides on the network.\n                             iv. conclusion\n    No doubt, privacy on the Internet is in a fragile state. It is \nclear that our policy framework did not envision the Internet as we \nknow it today, nor did it foresee the pervasive role information \ntechnology would play in our daily lives. Our legal framework for \nprotecting individual privacy in electronic communications, while built \nupon constitutional principles buttressed by statutory protections, \nreflects the technical and social ``givens'' of specific moments in \nhistory. Crafting privacy protections in the electronic realm has \nalways been a complex endeavor. Reestablishing protections for \nindividuals' privacy in this new environment requires us to focus on \nboth the technical aspects of the Internet and on the practices and \npolicies of those who operate in the online environment.\n    However, there is new hope for its restoration. Providing a web of \nprivacy protection to data and communications as they flow along \nnetworks requires a unique combination of tools--legal, policy, \ntechnical, and self-regulatory. We believe that legislation is an \nessential element of the online privacy framework. Whether it is \nsetting limits on government access to personal information, ensuring \nthat a new technology protects privacy, or developing legislation--none \nwill happen without discussion, debate, and deliberation. Providing \nprotections for individual privacy is essential for a flourishing and \nvibrant online community and marketplace. 
We thank the Committee for \nthe opportunity to share our views and look forward to working with the \nmembers and staff and other interested parties to foster privacy \nprotections for the Digital Age.\n\n    Mr. Tauzin. Thank you, Ms. Mulligan.\n    Next will be Ms. Solveig Singleton, Director of \nTelecommunications and Technology Studies for CATO.\n    Ms. Singleton.\n\n                 STATEMENT OF SOLVEIG SINGLETON\n\n    Ms. Singleton. Thank you, Mr. Chairman. My name is Solveig \nSingleton. I am a lawyer at the CATO Institute.\n    What I would like to do today is raise some key questions \nabout the interest in Federal standards for privacy. And \nessentially, as some of you may know, my answers to those \nquestions are very controversial, but I hope that we can all \nagree that the questions themselves are important and that the \nsheer number of these questions should give Federal regulators \npause before they move toward Federal privacy standards.\n    The first point that I would like to make is that \nessentially there has never been a serious philosophical debate \nabout whether privacy in this sense that we are talking about \ntoday is a right or whether it is a complex mix of preferences \nand questions of business ethics. That is to say, it is pretty \nclear that Americans have a right of privacy against the \ngovernment; that is guaranteed by the fourth amendment to the \nUnited States Constitution. But the default rule in the private \nsector has generally been that people and businesses feel free \nto communicate information about real people and real events to \nother businesses. 
There are exceptions to that rule, but I \nthink that even in the case of a new technology like the \nInternet, it is very important to have this philosophical \ndebate about the free flow of information versus controls on \nthat information before we move ahead.\n    Another point is that I think one of the unarticulated \nassumptions behind the interest in Federal standards for \nprivacy has been that targeted marketing, which consumers tend \nto be very suspicious of is, in fact, an activity that they \nshould be suspicious of and there is harm that they need to be \nprotected from, so if it is a casualty of Federal privacy \nstandards, we don't need to worry very much.\n    But I think there is actually a lot of empirical research \nthat has been done on the role that advertising plays in \nenhancing competition, in giving consumers more choices and \nessentially in getting them information that they wouldn't get \notherwise. While that information may seem to be biased, it is \nbetter to get biased information from 12 different companies \nthan to get no information at all or just a trickle of \ninformation.\n    Let me think. What is another one?\n    I would also like to underscore that based on survey data, \nthe approach to the privacy problem has started at the FTC with \nthe strong view that something needs to be done about this in \norder for consumers to have trust in electronic commerce and, \nin addition, that there is reason to believe that businesses \nwill not respond to this consumer demand on their own.\n    But I think that there has been very little discussion sort \nof at an economics level of exactly why it is that there would \nbe consumer demand that somehow businesses would not respond \nto. If you look at the high-tech marketplace, you see an awful \nlot of businesses offering and catering to very many strange \nand diverse consumer tastes. 
It is possible that they are going \nto be stubborn about privacy if consumers really demand it, but \nit seems unlikely.\n    So I guess looking at the electronic privacy marketplace, \nif you see not everyone is coming on board with a privacy \nstandard right away, maybe that is just they are being perverse \nand stubborn in some way; but maybe also it is because, in \nfact, that in their real-world experience, the consumer demand \nfor privacy, while it might be something that they strongly \nexpress in surveys, simply does not materialize in their real-\nworld experience. So it is important to question the \nassumptions that we are making as we go forward with this \ndebate, just in case those assumptions were not in fact very \naccurate.\n    In following up with this point, I will make the quick \npoint that if we were talking about a question like cable rate \nderegulation, the committee wouldn't sort of even begin to \nconsider going forward if what the FTC had to offer them was a \nsurvey of consumers saying that consumers wanted lower cable \nrates, which I am sure they do. But clearly the question is a \nlot more complicated than that. So I think that surveys can \nonly be a very small part of this picture. There are a lot of \nholes in our understanding of what is going on with electronic \ncommerce. I have laid out some alternative studies in my \nwritten testimony, including evidence about the cost savings to \nconsumers, the impact on competition and so on.\n    I can see that I should wrap up pretty quickly. I will just \nsay finally that another important question relates to bad \nactors. I think it is very important that when you look at the \nenormous experimentation that is going on out there in the \nbusiness world, you don't automatically put somebody in the \ncategory of a bad actor simply because he has not posted a \nprivacy policy.\n    I will now conclude. 
Thank you.\n    [The prepared statement of Solveig Singleton follows:]\n   Prepared Statement of Solveig Singleton, Director of Information \n                      Studies, The Cato Institute\n    Mr. Chairman, my name is Solveig Singleton and I am a lawyer at the \nCato Institute. In keeping with the truth in testimony rules, I note \nthat the Cato Institute does not receive any money at all from the \nfederal government, nor has it in the past.\n    Today I will raise some key questions about the push for more \nfederal standards on privacy, and propose some answers. In a sense, the \nmost valuable thing I have to offer will be the questions--it's hard to \ndo the answers justice in a short period of time. But I hope we can all \nagree that the questions I raise are serious ones. The persistence and \nnature of these questions in itself should give Congress pause before \nit regulates.\n    Essentially, I'll make these points:\n\n<bullet> Strange assumptions about business ethics and markets underlie \n        the push for federal standards.\n<bullet> Huge holes remain in our understanding of the economics of e-\n        commerce and of the economic benefits of the free flow of \n        information.\n<bullet> The standards by which self-regulation has been judged have \n        often been quite unreasonable.\n                    privacy premises about morality\n    One key assumption behind the privacy movement is that we know that \ncustomers ought to have notice and consent about how information about \nthem arising from a transaction should be used, as a matter of right.\n    But does this really make sense? Ordinarily, we are free to make \nall kinds of observations about other people without their consent \n(this is how journalists make their living). If two people interact in \na transaction, why should one party have a right to exclude the other \nfrom using the information arising from it? 
If I buy a lawnmower from \nSears, there's two entities involved in the transaction--me, and Sears. \nWhy should I have a sole claim on the information relating to that \nevent? In a country that takes the free flow of information seriously, \nwhy should I have the right to veto Sears' decision if its managers \nchoose to tell another business about that transaction--communicating \ninformation about real people and real events?\n    In the context of e-commerce, especially with sensitive \ninformation, some businesses will give notice or experiment with more \nsophisticated privacy options to retain customer loyalty--just as it \nhas been vital for doctors to respect their patients' confidentiality. \nBut this is a complex matter of business ethics--the one-size-fits-all \napproach won't work. Privacy is a preference that will vary from person \nto person, place to place, and over time. In some contexts it will \nmatter to consumers and business. In others, it will not.\n    In this country, with its long tradition of respect for business \nand for the free flow of information, the assumption that the secondary \nuse of information collected from web sites ought to be sending us into \na frenzy of moral outrage is very peculiar. To illustrate this point, a \nstory ran in the New York Times about Vice President Al Gore's ``Write \nto the Vice President'' web site. Somebody noticed that this site \ncollected the names, addresses, grades, schools, and ages of children \nwithout requiring parental consent. Since then, it's been changed. My \npoint is about Al Gore's web master. I'm sure when his web master was \ndesigning that web page it did not even occur to him that asking for \nthis information without getting consent was anything other than a \nnormal, natural thing to do. This illustrates just how new this is, how \nodd the tone of moral outrage that marks the movement towards federal \nstandards on privacy. 
It is removed from centuries of normal human \nexperience.\n    The debate about privacy is not just a debate of right versus \neconomics. It is a debate about the free flow of information versus \ncontrols on that information. Furthermore, the default rules for how \nhuman beings exchange information about one another favor the freedom \nof information--with privacy being by special arrangement. Generally, \nhuman beings are free to make observations about other human beings, \nand record and report these--so long as they do not violate a \nconfidentiality agreement, hack into someone's web site, or break into \ntheir house. Usually our \nprivacy rights have been bounded by property right and contract \nobligations, with a handful of narrow privacy torts available at common \nlaw.\n                     privacy premises about markets\n    A key unarticulated assumption behind the push for federal privacy \nstandards is that marketing exploits consumers and is not \nuseful to them--so we don't need to worry much if our regulation \nstrangles targeted marketing. This is the old-fashioned view. But \nempirical research has established that marketing plays a crucial role \nin getting information into the hands of consumers. Some of the \ninformation conveyed through advertising is biased (that's the point, \nand everyone knows it), but biased information from a variety of \nsources is far better than none. Advertising plays a key role in \nheightening competition, lowering prices, and improving choice and \nquality; more targeting simply means it can play that role at a lower \ncost. 
Consumers do not need to be protected from these things.\n    There's another peculiar assumption here, and that is the idea that \nsomehow broad privacy protections (as opposed to just good security \npractices) are vital to the growth of electronic commerce, but somehow \ne-commerce companies are so silly that they won't move forward and give \nconsumers what they want on their own. Now if you start with that \nassumption and look at the world--yes, you see a lot of movement \ntowards privacy seal programs--but not everyone is there yet. And a lot \nof people then think, oh, there must be some kind of market failure. \nBut what if the initial assumption isn't true? What if the data we have \non what consumers want, which we get from prompting them in a survey, \nis not that reliable?\n    These are the questions we should be asking, especially when we \nlook out at the world and see electronic commerce taking off. \nEspecially when there seems to be no reason in principle, looking at \nthe economics of the matter, for entrepreneurs to perversely ignore any \naspect of consumer demand. Given the benefits that consumers have \ngotten from high-tech businesses in the last decade, the vast \ndiversification of markets in response to a million variations on \ncustomer tastes, the view that business would not respond to privacy \npreferences is an extraordinarily bizarre view. If they are not \nresponding across the board, maybe it's because demand isn't strong \nacross the board.\n            privacy: reviewing empirical evidence on privacy\n    We ought to look more closely at the type of evidence being \ncollected and considered in the privacy debate. Frankly, the empirical \nwork done so far has been dazzlingly shallow.\n    A good bit of that information comes from self-reported data on \nsurveys, from asking consumers ``do you care about privacy?'' Now, who \nwould say ``no'' in answer to this question? 
Is the respondent \ndistinguishing privacy from security issues? From spam? Even if they \nare, talk is cheap. Real preferences are revealed by consumers' \nactions, when they must consider the time and cost of actually \nobtaining what the survey offers them for free. Self-reporting is \nsimply not that reliable--try wandering around among some of the \ntourists assembled in the mall for the Fourth of July and ask them if \ntheir kids are smarter or dumber than average. As Chet Thompson of \nProdigy once noted, ``Market surveys told Prodigy that people wanted to \ndo their grocery shopping by computer. They didn't.''\n    Here are some other studies that ought to be performed in order to \nbetter judge the impact on consumers of federal privacy standards:\n\n<bullet> A study of whether businesses that have not posted privacy \n        policies have experienced similar rates of growth to those who \n        have.\n<bullet> A study of the impact on small business and startups of top-\n        down privacy regulation.\n<bullet> A study of how businesses, especially startups, use \n        information to enter new markets & to develop new products.\n<bullet> A study of the cost saving obtained by doing targeted rather \n        than direct marketing.\n<bullet> A study, not of the number of sites that post privacy policies \n        in absolute terms--but of the number of sites that post such \n        policies as compared to the number that posted such policies a \n        year ago, a year and a half ago, 2 years ago. What is the rate \n        of increase?\n    What all these studies have in common is that they all reflect \nactual behaviors and costs, not hypothetical preferences. 
(One caveat; \nin emphasizing these holes in our understanding I do not mean to imply \nthat an empirical finding, for example, that consumers really do want \nprivacy, would justify regulation--the conflict in principle between \nprivacy and the free flow of information is still inescapable, as is \nthe need for evidence of market failure).\n    Imagine if Congress were to address the question of cable rate \nderegulation simply by directing the FCC to ask consumers if they would \nprefer lower cable prices. Clearly, that would be disastrous. Yet we \nsee some policymakers cheerfully considering privacy regulation for \nelectronic commerce largely on the basis of survey data, as if \nregulating the Internet is a casual thing, like tossing off a Christmas \nmailing.\n                        judging self-regulation\n    I will leave it to other presenters to present figures about how \nthe use of privacy seal programs has grown, and to describe those \nprograms. I am going to talk about how to assess these programs. It's \nimportant to start with realistic expectations.\nWhat should the goals of self-regulation be?\n    The goals of a system of self-regulation should evolve over time \nin the marketplace. One characteristic of demands made on e-commerce \nmerchants respecting privacy ``self-regulation'' has been that the \ngoals of the regulation are assumed to be known. Regulators have \ninsisted that a system of self-regulation must ensure that customers \nhave notice of how their data is being used, that they have a choice \nabout whether it is to be collected or not, and so on.\n    In the real world, however, no one really knows what state of \naffairs ``ought'' to obtain with respect to privacy. 
The question of \nwhen human beings will need to reveal information to gain trust, will \nbe willing to offer trust without information, and will need to respect \nconfidentiality to gain trust is a bafflingly complex question.\n    The goals of systems of self-regulation will evolve and change over \ntime, and will vary widely across the e-commerce marketplace. \nEntrepreneurs will make informed guesses about privacy policies to \nallay their customers' fears (if any) of doing business online. Some \nentrepreneurs will get it wrong, and lose ground; others will get it \nright, succeed, and be imitated by late-comers. But entrepreneurs must \nbe permitted to take their cues from the results of engaging in the \nmarketplace, not from top-down commands.\nHow long should self-regulation take?\n    What is a market? A market is a device for processing information. \nThe economist Bastiat once commented that it is a miracle that Paris \ngot fed every morning. For that to happen, Parisians' diverse tastes in \nbreakfast foods must somehow become known to myriad bakers, cafes, \nbutchers, and grocers. Parisian consumers must obtain the knowledge \nthat bread is available at the bakery, not at the tailors. The local \nneeds of bakers and grocers must somehow become known to farmers and \nmiddlemen scattered around the countryside. Through the price system \nand other mechanisms, markets harness local knowledge and subjective \ntastes, setting in motion a process that results in the populace of \nParis' being fed--all without any central planning or direction. This \nis extraordinary. Indeed, as we learn from our experience with \ncommunist economies (as economists Ludwig Von Mises and F.A. 
Hayek \npredicted decades ago), central planning cannot begin to coordinate the \ndistribution of resources as effectively as the chaotic, decentralized \nmarket.\n    Understanding that a market is a bottom-up learning process helps \nus to expect that establishing systems of self-regulation will take longer \nthan a year, two years, or three years. The embryonic privacy seals \nprograms we see now will ultimately be supplemented by gated ``safe'' \ncommunities online (such as AOL and E-bay), and intelligent ``bots'' \nand infomediaries to guide consumers through, and other technological \nand business innovations. The process will never really end.\nWhat if not everyone participates?\n    FTC Commissioner Orson Swindle pointed out recently that the \ngoalposts for privacy regulation are moving. A year ago, the concern \nwas we would not have thriving e-commerce if we don't solve the privacy \nproblem. Well, electronic commerce took off, and there's a lot of \nprogress with the privacy problem. So the wording has changed. Now, we \ncan hear that e-commerce will never rise to its full potential, \nbecause the market hasn't moved fast enough. Maybe the idea is that if \nthe trained seal balances the ball on his nose the first time, we'll \njust keep adding balls and sooner or later they'll fall off and then \nwe'll call that a market failure.\n    Given the vast numbers of start-ups, wild experiments, and small \nbusinesses that will be the next generation of pioneers in e-commerce, \nit would be unlikely that all of them will automatically concede the \nimportance of having a privacy seal on their sites, unless and until \nthey see significant indication of customer demand for it. Perhaps some \nsites that participate will have some sinister purpose in mind, but \nmost of them will simply be ordinary businesses who simply don't share \nthe vision of a privacy imperative. 
A lot of them will be \nnoncommercial, amateur sites, or sites that are borderline commercial \nor noncommercial.\n    It would be a grave mistake to assume that because a business \ndoesn't have a seal or post a notice, it ought to become a target of \nregulation. Lacking a privacy policy simply isn't even close to being \nevidence that that site poses a danger to consumers, in any real sense. \nTreating these sites as legitimate enforcement targets would be wrong, \nand deeply insulting to hundreds of honest entrepreneurs. And it \ncreates some serious practical problems, too. Enforcement efforts will \nbe far, far more effective if they can be targeted against actual \nperpetrators of identity theft, fraud, and so on. Requiring enforcers \nto disperse their focus to hundreds of sites simply because those sites \ndon't have a seal would be an incredible waste of time.\n    What about bad actors? Sites that actually do perpetrate fraud or \nscams of some sort? There are many laws already against fraud and \ndeceptive practices.\n    Self-regulation that arises as a natural outgrowth of consumer \ndemand is truly voluntary and decentralized. Kosher food labels are a \ngood example, offering consumers a choice of many different standards--\nor none at all. But for many quality and customer service issues, no \nthird party standards or oversight at all are necessary for ``self-\nregulation.'' That is, true market-based self-regulation blurs into no \nregulation at all, with each company ``regulating'' itself according to \ninternal standards of customer or client service and no third party \noversight. Bad service is checked by competition.\n    Ultimately, we might see nearly as many different privacy policies \nas there are e-commerce companies. A system of privacy ``self-\nregulation'' imposed uniformly on the market might well tend to \ncollapse over time (rather as the Comics Code has) in any sector where \nthere is little consumer demand for confidentiality. 
In some cases, no \nthird-party rating systems would be able to capture the extraordinary \nvariety of patterns of customer preferences that emerge.\n                conclusion: what is minimal regulation?\n    Given the flurry of concern about privacy, even legislators and \nbusinesses worried about the impact on electronic commerce are almost \nready to concede the need for ``minimal regulation''--just requiring \nsites to post their policies, that's all. But from my standpoint that's \ntoo radical a step, both unnecessary and not well informed. What kind \nof enforcement mechanism would we create? Do we really want to penalize \nthe honest owner of a 50 year-old hardware store in Peoria because he \nput up his web site without a privacy notice? Why should enforcement \nresources be devoted to this? For once, the Cato Institute's position \nisn't the radical one. Things are working fine as they are; leave the \nInternet alone.\n\n    Mr. Tauzin. Thank you, Ms. Singleton.\n    Next will be Mr. Steve Lucas, Chief Information Officer for \nPrivaSeek.\n    Steve.\n\n                    STATEMENT OF STEVEN LUCAS\n\n    Mr. Lucas. Thank you, Chairman Tauzin and members of the \nsubcommittee. I would like to thank you for inviting me here \ntoday to share my views on the issue of online privacy. Again, \nmy name is Dr. Steven Lucas. I am the Senior Vice President of \nPrivaSeek. We are a Colorado-based Internet company that was \nfounded in late 1998. As you know, the issues of consumer \nprivacy both online and off-line have received a tremendous \namount of attention. We commend Congress, and the subcommittee \nin particular, for directing attention to this issue.\n    In the 1890's, Supreme Court Justice Louis Brandeis defined \nprivacy as the right to be left alone. A century later and a \nnew millennium upon us has brought us fully into a new digital \neconomy that is driven by information as one of the principal \nmeans of the creation of wealth. 
What now seriously addresses \nthe concept of privacy is the right to control personal \ninformation as an inherent property right of the person. This \nargument and the resulting actions to recognize this right are \ncritical to individual prosperity in a democratic society.\n    About a year ago, I think that no one would deny that the \nstate of online privacy practices was, at best, marginal. I \nthink that few would deny that since that time industry has \nmade substantial progress in terms of its efforts to improve \nthe state of consumer privacy protection. Privacy organizations \nlike TRUSTe have successfully recruited online companies. They \nhave participated in seal programs. They have launched Web-\nbased consumer education programs aimed at providing consumer \neducation about privacy rights and also the data collection \npractices of the sites that they visit. So trade associations, \nas mentioned, have also announced codes of fair information \npractices.\n    Recent survey results also bear out the fact that a growing \nproportion of the online industry are posting privacy \npractices. We were proud to be a sponsor of the Georgetown \nPrivacy Policy Survey. This survey did demonstrate, although \nthe results were not what we would hope, that there has been \nsome improvement in this area. I think the proliferation of Web \nsite privacy statements over the past year signifies that \nonline companies are realizing the need for, as well as the \ninitial benefits derived from ensuring that consumer privacy \ninformation is protected in the online environment.\n    While this is all great progress, I think what we really \nneed to do is ask ourselves the question of where do we go from \nhere. I think it is critical that further action be taken by \nindustry to ensure that privacy policies are comprehensive, \nthat they meet all of the fair information requirements. 
The \nfocus of my testimony today is going to be on a nonregulatory \nsolution to promoting privacy protection for online consumers.\n    Currently, many companies, including PrivaSeek, are \ndeveloping new technologies that are capable of ensuring \nprivacy protection for online information. Like PrivaSeek, \nthese companies believe that technological solutions provide \nthe most effective, efficient, and safest means of protecting \nintensive online data without unnecessarily hindering the \ngrowth of the electronic marketplace or the ability of \nconsumers to control and gain value from their privacy \npractices.\n    PrivaSeek is the first ``consumer infomediary'' dedicated \nto establishing a new global consumer-centric marketplace that \nis based on principles that consumers establish the rules for \nthe collection and use of their information. As PrivaSeek's \nfirst major initiative in March of this year, we announced our \n``Persona'' technology. After several months of testing, I am \npleased to announce that yesterday we released the first \ncommercial version of our Persona product called Persona Valet.\n    Persona acts as a negotiator of information between the \nconsumer and the marketplace. It is based on the fundamental \nnotion that individuals own their personal information and \nshould be in control of it online. This includes the ability to \ntrack the use of their information and to control under what \ncircumstances information is shared with sites that request it.\n    When consumers visit PrivaSeek's site, no information is \ncollected from them. 
If they choose to be a PrivaSeek member, \nthey can then create an online Persona which includes \ninformation like their name, their address and a preferred way \nthat PrivaSeek can contact them.\n    They can then decide to provide additional information such \nas e-mail address, phone numbers, interests and hobbies, \nelectronic commerce information such as credit card information \nand shipping addresses.\n    Then consumers are asked to define their personal use \npreferences for all of the information that they provide us. By \nsetting their own preferences, they control the information \nthat is provided and under what circumstances the information \ncan be shared with PrivaSeek-approved partners. Consumer \ninformation is never disclosed to anyone without prior consent. \nAdditionally, consumers can change their personalized set of \nprivacy preferences at any time by accessing their account and \nchanging the conditions that govern how PrivaSeek will manage \ntheir data. At the end of the day, though, it is the consumer \nwho chooses how personal information is utilized.\n    We also provide consumers with a tool that allows them to \nautomatically complete forms that may be necessary to complete \ne-commerce transactions or to complete forms that may be \nrequired for services and registration on the Web.\n    Since we were also created to assist consumers in keeping \ntheir personal information secure, security is naturally one of \nthe company's primary concerns. We rely on state-of-the-art \ntechnology at all points of information collection, \ntransmission, and storage to ensure that the security and the \nintegrity of the consumer's data is never compromised. 
\nAdditionally, the information is stored in what we call the \n``Persona WebVault'' which is maintained in a facility with a \nlong history of being able to manage sensitive information with \naudited data and physical security practices available.\n    Privacy partners go through a very rigorous approval \nprocess that includes a comprehensive privacy policy \nassessment. If an organization is approved, it has to sign a \ncontract with PrivaSeek requiring the organization to abide by \nthe information controls established by the consumer in their \nPersona. Under this contract, the company agrees to follow the \nconsumer's specific instructions with regard to the \ninformation. For example, if the consumer doesn't want the \ninformation to be used for internal marketing purposes, that \ninformation is never transferred nor can the site use it.\n    In the event that the organization violates that contract \nin any way, we will immediately remove them as a PrivaSeek \ncertified partner and we will immediately take legal action \nagainst the company.\n    The Persona technology enables the consumer to \nautomatically safeguard their personal information and their \nidentity on the Web. It also allows them to gain value from it. \nIt allows consumers to access their data and privacy \npreferences from any device that is connected to the Web.\n    In light of the emergence of viable and innovative \ntechnological solutions, as well as the increasing adherence of \nWeb sites to self-regulatory programs, we believe that a \nlegislative mandate governing privacy protection would be \npremature at this time. 
Considerable time and effort and \nresources have been devoted to the development of new \ntechnologies designed to safeguard consumer data in terms of \nprivacy and products, as well as tools like the certificates \nand certification technology.\n    Just as Congress and the FTC have provided a grace period \nfor online companies to demonstrate their commitment to widely \naccepted information practices, so too should these \ntechnologies be provided with an opportunity for the \ndeployment, recognition and trust of both consumers and the \nonline marketplace, the technologies that go a long way to \nbuilding an environment conducive to the recognition of the \nright to privacy.\n    We believe that the work by PrivaSeek and organizations \nlike the World Wide Web Consortium and their P3P effort are \nalso important. However, it is also our view that a new system \nof laws and governance may be needed to help the transition by \nbuilding a legal framework that recognizes these rights.\n    We consider ourselves a new intermediary, but at the same \ntime we also have to consider that the government may have to \nassume the role as the ultimate consumer intermediary through \nits use of regulatory authority and by working with industry to \ncreate an environment that is based on the critical vision of \nour future society.\n    Again, we thank you for the opportunity to appear today and \nwe look forward to working with you and members of the \ncommittee in the future.\n    [The prepared statement of Steven Lucas follows:]\nPrepared Statement of Dr. Steven Lucas, Senior Vice President, Industry \n   Government Relations & Chief Information Officer, PrivaSeek, Inc.\n    Chairman Tauzin and Members of the Subcommittee, I would like to \nthank you for inviting me here today to share my views on the issue of \nonline privacy. My name is Steve Lucas, and I am the Chief Information \nOfficer and Senior Vice President of Industry Government Relations at \nPrivaSeek. 
Headquartered just outside of Denver, Colorado, PrivaSeek is \nan Internet start-up founded in late 1998.\n    As you know, the issue of consumer privacy--both online and \noffline--has received a tremendous amount of attention over the past \nyear. PrivaSeek commends Congress, and this Subcommittee in particular, \nfor directing its attention to this increasingly important issue.\n    One year ago, the state of online privacy practices was by most \naccounts marginal. The Federal Trade Commission's (``FTC'') 1998 \n``March Sweeps'' of 1,400 Web sites revealed that only 14% of sites had \nprivacy policies posted on the site that contained information \nconcerning what information was collected and how it was used. \nProponents of government regulation of online privacy practices saw the \nresults as clear evidence of the need for comprehensive legislation, \nwhile critics argued that the survey results were inaccurate and/or \ninconclusive at best. Regardless of the particular pundit's \nperspective, the net effect was an overwhelming impression that \nindustry was doing a less than acceptable job of protecting online \nconsumer data.\n    I think that few would deny that, since that time, industry has \nmade significant strides in terms of its efforts to improve the state \nof consumer privacy protection online. Privacy organizations such as \nTRUSTe have not only successfully recruited online companies to \nparticipate in their rigorous and resource-intensive online ``seal'' \nprograms, but also have launched Web-based consumer education programs \naimed at heightening Internet users' awareness of their own privacy \nrights, as well as appropriate data collection practices of Web sites \nthat they visit. 
Also, several trade associations have instituted codes \nof conduct governing fair information practices, and, at the same time, \nmany individual Web sites are voluntarily posting privacy statements.\n    Recent survey results also bear out the fact that a growing portion \nof the online industry recognizes the importance of embracing \nresponsible privacy practices. PrivaSeek was proud to be one of the \nsponsors of the Georgetown University Internet Privacy Policy Survey \nthat was conducted at the request of the FTC. This survey was released \nin June of this year and revealed a dramatic rise in the number of Web \nsites posting comprehensive privacy statements. Specifically, of the \nsample drawn from the 7,500 most popular sites, more than 65% had \nposted privacy policies. \nAdditionally, of the 100 most popular sites surveyed, 94% \ncontained privacy disclosures. The proliferation of Web site privacy \nstatements over the past year signifies that online companies are \nrealizing both the need for, as well as the mutual benefits derived \nfrom, ensuring that consumer privacy information is protected in the \nonline environment.\n    While all of this is in fact great progress, the question before us \ntoday is where do we go from here? It is critical that further action \nbe taken by industry to ensure that privacy policies are comprehensive, \nmeeting all of the tenets of fair information practices. There are six \nkey elements to this action. First, sites should provide notice of \ntheir information practices, including what information they collect \nfrom consumers and how they use it. Second, they should also offer \nconsumers choices as to how the information is used, and seek consent \nfor the intended uses. Third, sites should not disclose personally \nidentifiable information about consumers to third parties without \nconsumers' consent. 
Fourth, sites should offer consumers access to the \ninformation collected about them and an opportunity to correct \ninaccuracies. Fifth and sixth, sites should contain information about \ntheir security measures and consumer recourse options. All of this \ninformation should be easy to find and easy for the consumer to \nunderstand.\n    As was demonstrated last summer in the GeoCities case,<SUP>1</SUP> \nas well as more recently in the Liberty Financial matter,<SUP>2</SUP> \nthe FTC currently has the tools necessary to take action against \ncompanies that may violate consumers' online privacy. Thus, widely \nadopted self-regulatory programs, operating in conjunction with the \nFTC's existing Section 5 enforcement authority, provide effective \nmechanisms to ensure the protection of personal data online. And, they \nultimately deliver benefits for both businesses and consumers in the \nevolving digital economy.\n---------------------------------------------------------------------------\n    \\1\\ In the Matter of Geocities, FTC. File No. 9823015.\n    \\2\\ In the Matter of Liberty Financial Companies, FTC File No. \n9823522.\n---------------------------------------------------------------------------\n    The focus of my testimony today is on another non-regulatory option \nfor promoting privacy protection for online consumers. Currently, many \ncompanies, including PrivaSeek, are developing new technologies that \nare capable of ensuring privacy protection for online information. 
Like \nPrivaSeek, these companies believe that technological solutions provide \nthe most effective, efficient, and safest means of protecting sensitive \nonline data without unnecessarily hindering either the growth of the \nelectronic marketplace or the ability of consumers to control and gain \nvalue from their privacy preferences.\n    PrivaSeek is the first ``consumer infomediary'' dedicated to \nestablishing a new global consumer-centric marketplace based on \nprinciples where consumers establish the rules for the collection and \nuse of their information. As PrivaSeek's first major initiative, in \nMarch of this year, we announced our ``Persona'' technology. After \nseveral months of testing, we are pleased to announce that yesterday, \nwe released the first commercial version of the Persona product, called \nPersona Valet.\n    Persona acts as a negotiator of information between the individual \nconsumer and the marketer's Web site. Persona is premised on the \nfundamental notion that individual consumers own their personal \ninformation and should be in control of it online. This includes the \nability to track the use of their information and to control under what \ncircumstances information is shared with sites that request it.\n     When consumers visit the PrivaSeek Web site, no information is \ncollected from them. If they choose to become a PrivaSeek member, they \nthen create an online ``Persona'' which includes information such as \ntheir name, address, and the preferred method for PrivaSeek to contact \nthem. This limited information is used to create the user's Persona \nAccount.\n    The consumer may decide to provide additional information such as \nemail address, phone numbers, interests and hobbies, and electronic \ncommerce information such as credit card numbers and shipping \naddresses.\n    Consumers are also asked to establish their personalized set of \nusages for their information. 
By setting their own preferences, they \ncontrol what information is provided and under what circumstances the \ninformation may be shared with PrivaSeek-approved partners. A \nconsumer's information is never disclosed to anyone without prior \nconsent. Additionally, consumers can change their personalized set of \nprivacy preferences at any time by accessing their account and making \nchanges to the conditions that govern how PrivaSeek will manage their \ndata. At the end of the day, it is the consumer who chooses how \npersonal information is utilized.\n    Persona Valet provides consumers with a useful tool for \naccomplishing routine tasks like shopping online and managing personal \ninformation on the Internet. When consumers surf or shop the Web, Valet \nautomatically saves them time and effort by automatically completing \nforms that may be required to register for a service or make a \npurchase.\n    Since PrivaSeek was created to assist consumers in keeping their \npersonal information private, security is naturally one of the \ncompany's primary concerns. PrivaSeek relies on state-of-the-art \ntechnology at all points of information collection, transmission, and \nstorage to ensure that the security and integrity of consumers' \ninformation is not compromised. By virtue of a digitally encrypted \nsecret password and network firewalls that prevent unauthorized access \nto a consumer's individual profile, the consumer has exclusive access \nto information in their Persona. Additionally, the information is \nstored in the ``Persona WebVault,'' which is maintained at a facility \nwith a long history of safeguarding sensitive information with audited \ndata and physical security practices.\n    PrivaSeek partners, including online merchants and content vendors, \ngo through a rigorous approval process that includes a comprehensive \nprivacy assessment by a team of third party privacy experts. 
If an \norganization is approved, it must sign a contract with PrivaSeek \nrequiring the organization to abide by the information controls \nspecified in the consumer's Persona. Under this contract, the company \nagrees to follow the consumer's specific instructions with regard to \nthis information. If a consumer does not wish to have the information \nused for internal marketing purposes, the merchant may not use that \ninformation without violating the contract. If the organization in any \nway violates its contract with PrivaSeek, it will be dropped \nimmediately as a PrivaSeek-approved partner, and PrivaSeek will take \nlegal action against the company.\n    Thus, the Persona technology not only enables consumers to \nautomatically safeguard their personal information and identity on the \nWeb, but to actually gain value from it. It also saves consumers \nprecious time and effort by keeping track of passwords and purchases \nand by automatically entering a consumer's personal information in \nonline forms. The Persona technology provides a secure method of \nstoring data that can easily be audited by a third party. It also \nallows consumers to access their data and privacy preferences from any \ndevice that is connected to the Web.\n    In light of the emergence of viable and innovative technological \nsolutions, as well as the increasing adherence by Web sites to self-\nregulatory programs, PrivaSeek believes that a legislative mandate \ngoverning online privacy protection would be premature at this time. \nConsiderable time, effort, and resources have been devoted to the \ndevelopment of new technologies designed to safeguard consumer data, \nboth in terms of privacy enhancing products, as well as certification \ntools such as digital authentication technology. 
Just as Congress and \nthe FTC have provided a grace period for online companies to \ndemonstrate their commitment to widely accepted fair information \npractices, so, too, should these promising technologies be afforded an \nadequate opportunity for deployment, recognition, trust, and use both \nby consumers and the online marketplace.\n    Again, thank you for the opportunity to appear before you today. We \nlook forward to working with you in the future and serving as a \nresource to Members and staff of this Subcommittee, as well as to all \nmembers of the House of Representatives.\n\n    Mr. Tauzin. Thank you, Mr. Lucas.\n    Finally, Mr. Jerry Cerasale, Senior VP for Government \nAffairs, Direct Marketing Association here in Washington, DC.\n    Jerry.\n\n                   STATEMENT OF JERRY CERASALE\n\n    Mr. Cerasale. Thank you, Mr. Chairman. It is a pleasure to \nbe back here again.\n    Specifically, I would like to direct you and your staff to \npage 8 of my testimony and you can find the Web address of the \nDMA's privacy policy generator, you can answer a few questions, \nand you can get a privacy policy all printed out for you and \nput it on your Web site.\n    Mr. Tauzin. I may just call upon you.\n    Mr. Cerasale. As you know, the DMA represents over 4,500 \ncompanies in the United States and in 54 foreign countries. So \nthese companies have a vital interest in commerce over the \nInternet both in the United States and globally.\n    I would like to just quote one thing from my testimony. It \nis the DMA's privacy principles and guidance for marketing \nonline. ``All marketers operating online sites, whether or not \nthey collect personal information from individuals, should make \navailable their information practices to consumers in a \nprominent place. 
Marketers sharing personal information that is \ncollected online should furnish individuals with an opportunity \nto prohibit the disclosure of such information.''\n    I think that is where the DMA is right at the moment in \nmoving forward. We are pleased with the results of the \nGeorgetown study. We are not ecstatic, but it is a lot better \nthan it was a year ago. I can have a little bit bigger smile on \nmy face this year than last year.\n    We still have a long way to go, but in response to Mr. \nBoucher's statements about his idea of notice and opt-out, and \nhow pervasive it is and where it hits, the Georgetown study of \nthe top 100 sites showed that 94 percent had notice and 83 \npercent had notice and personal choice. Those 400 sites \nrepresent 94 percent of all the hits on the Internet. So if \nyou--if you multiply 94 percent times 83 percent you get 80 \npercent of their hits on the Internet were at sites that gave \nnotice of what they do with information and some personal \nchoice to the individual. That is not 100 percent, but it is a \nlong ways toward going there from the 14 percent that we had a \nyear ago.\n    We think at the DMA that the keys are notice and choice for \nthe individuals. Security, one of the major items in the \nprinciples that the FTC has stated, is an important factor for \nall businesses that are working online. As we see from these \nviruses that come floating through, it is important for \nbusinesses to have significant security in their systems to try \nto protect their own business systems. So that is an important \nfactor. It is true that any business site that is doing any \nsales on the Internet must collect personal information. You \neither have to--if you are selling information that you can \ndistribute online, you have to have an e-mail address. 
There \nhas to be some means for getting payment or you have to have \nsome physical address from which to send the product.\n    So it is important for all marketers to have a policy up \nand give some personal choice. That is what we are working \ntoward, which is why at the beginning of this month we started \na Privacy Promise in which all members of the DMA must give \nnotice of what they do and the opportunity to opt out no matter \nwhat medium that is used for marketing or else they will be \nlosing their membership in the DMA. Staff is now working to \nexamine that and preparing cases for a board meeting in October \nof this year as we move forward, and we will make that public.\n    I again appreciate the opportunity to be here. I will \nanswer any questions. Thank you very much.\n    [The prepared statement of Jerry Cerasale follows:]\nPrepared Statement of Jerry Cerasale on Behalf of the Direct Marketing \n                           Association, Inc.\n                            i. introduction\n    Good morning, Mr. Chairman, and thank you for the opportunity to \nappear before your subcommittee as it examines online privacy. I am \nJerry Cerasale, Senior Vice President of Government Affairs for The \nDirect Marketing Association, Inc. (``The DMA''). The DMA's vast \nmembership includes the leaders of the current economic explosion of \nthe Internet and electronic commerce. For this reason, The DMA has been \nworking diligently to encourage development of a global medium that \ncontinues to flourish and provides our customers with the best possible \nexperience in their Internet transactions.\n    Last year I testified before this subcommittee and urged that \nCongress continue to create space to allow time for self-regulation \nto develop. I am pleased to report that this self-regulatory framework has \ndeveloped significantly since that hearing. Mr. 
Chairman, based on our \nextensive experience in this area, The DMA is convinced that self-\nregulation and technological innovations are the most effective methods \nfor establishing privacy protection in the borderless world of the \nInternet, and must continue to be the cornerstone of any domestic or \nglobal approach for ensuring privacy online.\n    As demonstrated by the May Georgetown Internet Privacy Policy \nSurvey (``Georgetown study''), significant progress has been made since \nthe survey the Federal Trade Commission conducted on online privacy \nlast year. This progress is particularly encouraging given the \nmultitude of new self-regulatory programs that continue to be developed \nand implemented. Industry self-regulatory principles, consumer choice \ntechnologies, and an extensive educational campaign are creating a \nprivacy regime that is both flexible and effective--requirements for \nthe Information Age.\n    There are three main topics I wish to focus on in my testimony \ntoday that I believe will put into perspective the state of online \nprivacy today. First, I will discuss in more detail the results of the \nGeorgetown study. Second, I will briefly describe the principles that \nThe DMA believes are essential to protecting privacy online. Finally, I \nwill describe several of the ongoing efforts that the DMA is engaged in \nto empower consumers.\n ii. progress from industry self-regulatory efforts is significant and \n            contributes to the growth of electronic commerce\nA. The Growth of Electronic Commerce is Extraordinary\n    One of the reasons often cited for the importance of protecting \nprivacy on the Internet is that unless individuals are protected on the \nInternet, they will be hesitant to embrace electronic commerce. All \nevidence continues to indicate that consumers are comfortable engaging \nin transactions on the Internet, as electronic commerce continues to \ngrow at an unprecedented rate. 
The personalization and interactivity \nunique to the Internet provide an attractive forum for individuals to \nengage in commercial transactions.\n    For DMA members, the main use of information collected over the \nInternet is for marketing purposes. For example, a site may remember \nthat I purchased a particular product there previously and direct me to \nthe same section of its online store. This type of personalization is \none of the unique attributes of the Internet. Any ``harm'' associated \nwith the collection and use of information in such contexts is minimal, \nand outweighed by the beneficial uses of the information, such as \nimproving the visitor's experience at the site through personalization. \nThe DMA believes that the Congress should be particularly hesitant to \nenact laws that may disrupt the exponential growth of the Internet.\n    The Department of Commerce's The Emerging Digital Economy II \nreleased in June states that from 1998 to 1999 the number of web users \nworld-wide increased by 55 percent. In early 1998 it was estimated that \nInternet retailing might reach $7 billion by 2000. Actual estimates for \n1998 alone range from $7 billion to $15 billion, far exceeding all \nexpectations, with forecasts now projected to be $40 billion to $80 \nbillion by 2002. We anticipate that these numbers will continue to \ngrow.\nB. The Georgetown Internet Privacy Policy Survey indicates that vast \n        improvement in the privacy practices of Internet companies is \n        occurring.\n    The Georgetown study indicates that privacy self-regulation on the \nInternet is working. 
No longer are the discussions surrounding Internet \nprivacy focused on whether self-regulation provides an appropriate \nframework for protecting privacy online, rather the discussions are now \nfocusing on the details of the policies, such as the breadth and \ncontent of the notices.\n    The significant improvement shown in the Georgetown study is a \nresult of the hard work of The DMA, the Online Privacy Alliance (of \nwhich The DMA is a member), BBBOnLine, TRUSTe and others. The study \nshows that 94 percent of the top 100 web sites have posted a privacy \npolicy notice or an information practices statement. When considered in \nlight of the fact that 98 percent of all Internet users visit the more \npopular sites, it is clear that meaningful and effective privacy \npractices do already exist online for consumers. Moreover, there has \nbeen a significant increase in the number of policies posted in the \npast year. In fact, close to 66 percent of all sites now post privacy \npolicies, up from 14 percent in last year's Federal Trade Commission \nsurvey.\n    To be certain, this is just the beginning. Although the Georgetown \nstudy indicates significant progress in the number of privacy policies \non web sites, there is still room for improvement. The study showed \nthat most of the sites surveyed do not yet include all of the elements \nset out in the Online Privacy Alliance principles. This is \nunderstandable because some of the seal programs are just recently, \nafter much development, beginning to accept applicants to their \nprograms. We expect that as companies participate in and implement \nthese seal programs, the quality and content of the notices will \nimprove.\n  iii. the dma's privacy principles and guidance for marketing online\nA. 
Privacy Principles and Guidance for Marketing Online\n    While The DMA recognizes that there is still work to be done \nto educate companies as to the principles that should be included in \nprivacy policies, we are very encouraged by the result in the \nGeorgetown study indicating that 93.5 percent of the top 100 sites that \ncollect information and post a privacy disclosure provide notice, with \n83 percent of these sites providing privacy choices for consumers. The \nDMA believes that notice and choice are the most significant principles \nfor online privacy protection as together they empower consumers to \ndetermine the uses of their information.\n    The DMA has developed Privacy Principles and Guidance for Marketing \nOnline in order to explain and highlight the issues unique to online \nand Internet marketing. The primary feature of these guidelines is \nnotice and opt-out.\n        ``All marketers operating online sites, whether or not they \n        collect personal information from individuals, should make \n        available their information practices to consumers in a \n        prominent place. Marketers sharing personal information that is \n        collected online should furnish individuals with an opportunity \n        to prohibit the disclosure of such information.''\n    On July 1, The DMA's Privacy Promise went into effect. It requires \nall members, as a condition of membership, to provide their customers \nwith notice and the ability to opt out of the use of customer \ninformation for marketing purposes. The Privacy Promise includes the \nprovision of notice and opt-out on the Internet set out in the \nMarketing Online Principles to which I just referred.\n    I also would like to mention that last fall The DMA supported the \npassage of the Children's Online Privacy Protection Act. The DMA \nsupported this legislation because we believe that young children \npresent a special case. 
Unlike adults, children may not fully \nunderstand choices regarding privacy. Based in part on existing \nguidelines developed and followed by The DMA, this legislation contains \nstrong protections for children, prohibiting the collection or \ndistribution of personally identifiable information from children under \n13 without prior parental consent or direct parental notification. The \nDMA is currently working with the Federal Trade Commission as it \ndevelops regulations to implement this Act.\nB. Enforcement of Online Privacy Protections\n    The DMA has been at the forefront of enforcing effective, \nresponsible self-regulatory codes governing the uses and transfer of \ninformation by the direct marketing industry for many years, long \nbefore the growth of the Internet. As a result of its extensive \nmembership, The DMA has enjoyed great success obtaining broad \ncompliance with its various codes and guidelines. The cornerstone of \nthe industry's self-regulatory codes is The DMA's Guidelines for \nEthical Business Practice. These guidelines apply to marketing in all \nmedia including the Internet.\n    Through its Committee on Ethical Business Practice, a peer-review \nprogram, The DMA responds to cases of alleged Guideline violations \nbrought to its attention by an array of sources--business, consumers, \npublic officials, and the media. This peer-review process is effective. \nMost cases are resolved through cooperation with the Committee and its \nrecommendations. Members that do not resolve complaints cooperatively \nare also subject to review by The DMA Ethics Policy Committee with the \npotential for suspension, expulsion, or censure.\n    The DMA has initiated a process which reveals all cases and their \nresolution. Furthermore, where the subject company has not committed to \nfollow guidelines after review, its name is publicly disclosed. 
In \ninstances where violations of law are also found, the Committee refers \nmatters to the appropriate law enforcement agencies.\n    Moreover, privacy principles adopted by individual companies and \nheld out to the public also are subject to enforcement by the FTC and \nstate attorneys general. By publicly posting policies as required by \nthe Privacy Promise and consistent with criteria set out in the OPA \nguidelines, companies become subject to deceptive practices enforcement \nactions under existing federal and state consumer protection law if \nthey do not comply with their stated policies. Thus, this self-\nregulatory framework is far more than a system of voluntary compliance.\n     iv. the dma and others continue to develop and implement self-\n   regulatory regimes that empower consumers regarding online privacy\nA. The E-mail Preference Service\n    The DMA will soon launch an e-mail preference service that will \nallow individuals to remove their e-mail addresses from marketing lists \nin a manner similar to The DMA's long standing telephone and mail \npreference services. This ambitious undertaking is aimed at empowering \nconsumers to control unsolicited commercial e-mail, while creating room \nfor the many societal benefits of legitimate marketing in the \ninteractive economy. Once this e-mail preference service is up and \nrunning, participation in it also will be a requirement of DMA \nmembership.\nB. Public Education\n    The DMA has a vital interest in educating its members and the \ngeneral public about the responsibilities of people who collect and use \ndata, as well as educating consumers about the process. Through \neducation, individuals will better understand the potential benefits of \ninteractivity, as well as the choices they have to control information \nthat they submit. 
Therefore, The DMA has developed a Web page devoted \nto privacy and launched its Privacy Action Now initiative.\n    The DMA has made a special effort to empower children, parents, \neducators and librarians by establishing its http://www.cybersavvy.org \nWeb page for them and providing them with tools, information, and \nresources to ensure safe Web surfing. Additionally, we have produced a \n``hard copy'' version of the Web site, Get CyberSavvy. Get CyberSavvy \nhas the distinction of being awarded first place honors for excellence \nin consumer education by the National Association of Consumer Affairs \nAdministrators.\nC. Technology Solutions\n    In light of the unique characteristics of the Internet, technology \nwill play an important role in helping users determine and enforce the \nways that information about them is used and collected. The DMA and \nmarketers have been, and continue to be, instrumental in the \ndevelopment of this important technology by encouraging, supporting, \nindeed helping to develop and promote, such software. Under this \napproach, it will be the individual users, rather than industry or the \ngovernment, who will determine the uses of their personal information.\n    Over the past two years, The DMA has been involved in an initiative \nthat supports this concept, the Platform for Privacy Principles or P3P. \nThis initiative, undertaken by the World Wide Web Consortium, is \ndeveloping a ``negotiation'' approach for protecting privacy. A broad \ncoalition of information providers, advertising and marketing \nspecialists, software developers, credit services, telecommunications \ncompanies, and consumer and online advocates are working together on \nP3P to achieve a technological solution that will protect privacy \nwithout hindering the development of the Internet as a civic and \ncommercial channel. 
P3P allows a user to agree to or modify the privacy \npractices of a web site, and be fully informed of the site's practices \nbefore interacting with or disclosing information to a site. There also \nhave been several announcements by companies in the last few months of \nother commercial products that will empower consumers with respect to \nprivacy online. As technology continues to improve, so will consumer \nempowerment tools.\n    The DMA also has created and made available from its Web site a \ntechnical tool that allows companies to create and post effective \nprivacy policies. This Privacy Policy Generator \n(http://www.the-dma.org/policy.html) enables companies to develop customized privacy \npolicies for posting on their web sites based on the companies' \npolicies regarding the collection, use, and sharing of personal \ninformation. The utility of this tool, and the ease with which it is \nused, is demonstrated by the hundreds of companies that have used it \nand have sent policies to The DMA for review.\n                             v. conclusion\n    The DMA believes that self-regulation is the most effective means \nof protecting privacy on the Internet. The Georgetown study indicates \nthat significant progress has been made and the self-regulatory \nframework is working. The DMA realizes that this is only the beginning. \nWe continue to explore and develop innovative approaches to protecting \nprivacy on this extraordinary medium. The approach that we are taking \nis allowing electronic commerce to flourish, while at the same time \nenabling the development of a privacy regime that is flexible for the \ninformation age. We congratulate the Chairman for his continued \ninterest in the exploration of these issues, and look forward to \nworking with the Subcommittee.\n\n    Mr. Tauzin. Thank you very much. 
The Chair recognizes \nhimself for a round of questions.\n    First, let me point out that the issues that are raised in \nthe Information Age on the one hand have some parallel in the \nBrick and Mortar Age. You sort of made the case, Ms. Mulligan. \nToday when we go to grocery stores and banks, the camera is \nmonitoring us. Those cameras can watch us browsing through the \nstore. And I assume someone sitting back in the back room with \na monitor can keep records, if they want to, on what shelves we \nstop at and what activities we engage in in those stores. There \nare no notices on the bank doors or the store doors saying, you \nwill be monitored while you are inside. There is no notice on \nthe walls of these halls in the Rayburn Building that there are \ncameras all over the place. I assume somewhere in the Capitol \nPolice offices there are monitors where Capitol Police can \nmonitor your movements in this building and perhaps even \nmicrophones that can pick up conversations. I am not sure. It \nwould be interesting to find out.\n    When you fill out a mail order form you are sending all \nkinds of information into the mail order world. When you fill \nout--how many questionnaires have you filled out this year? I \nhave filled out a bunch already. I will fill out a lot more \nbefore the year is over.\n    How many reports do we file every year, Mr. Markey, \ndetailing personal information? One of the witnesses on the \nlast panel is married to a former Member of the Congress. I \nassume a lot of that information she is concerned about being \nin the public domain was obtained from public records because \nher husband had to file it as a Member of Congress.\n    In the real world, there is a lot of information going out, \na lot of monitoring and a lot of things happening without \nnotice to consumers, without the right to opt out. So the \nquestions that are posed online have a parallel in the real \nworld.\n    What is interesting is the difference here. 
The difference \nis the enormous power of the Internet to gather that \ninformation. I think Chairman Pitofsky put his finger on it \nwhen he said that the Internet has the power now to detail what \nwe are thinking about doing, not just what we are doing, in \nmuch larger ways and to create a profile of behavior, our \nthoughts, even now. Not just our preference, but what we might \nconsider preferring. Quite a different ball game for consumers \nto have to walk into. You put your finger on it again, Ms. \nMulligan. If you and I had to, every time we used cash, to fill \nout a questionnaire about our preferences, talk about what we \nlooked at buying or thought about buying before we paid cash, \nand somebody had a big information portfolio on our family and \nour purchasing history, we would be less likely to go shopping \nat a store that required all of that.\n    Do any of you know what percentage of transactions, \nfinancial transactions, in America are done with cash today?\n    Ms. Mulligan. There are some statistics. I think Alan \nGreenspan----\n    Mr. Tauzin. The number I had was 2 percent.\n    Ms. Mulligan. It is 2 percent of the value, but actually \nmany of the actual transactions--meaning large purchases, of \ncourse, tend to be made with credit cards. But the actual \nnumber of transactions, a quarter into the telephone, the 35 \ncents into the telephone, the quarter into the newspaper \nvending machine----\n    Mr. Tauzin. The number of transactions is a lot higher. But \nin value, I think it is about 2 percent when you consider all \nof the mortgages, the checks, the credit cards, all of the \nforms of secured transactions we engage in. Two percent is \ncash. That is a lot that is being done in a recorded way \nsomewhere, some kind of transaction. The point I am making is \nthere are parallels and yet there are big differences in the \nInformation Age.\n    The second point a number of you made--Ms. Singleton, you \npointed it out and, Mr. 
Cerasale, you made it, too--this is an \nInformation Age. The basis of the argument is the capacity of \nthe Information Age to function. Be careful how we balance the \nso-called private rights to information and the private \nproperty right and the capacity of an Information Age to \nfunction with our information. We all jealously guard our \nprivate information, so it is a delicate cut. How can we set it \nup in a commercial world where it works to the consumer's \nsatisfaction and yet still works? It is a good one.\n    Ms. Singleton, you raised the question. Do we look at \nactual experience and learn from it or just assume? And there \nare some good things here.\n    I wanted to ask you--before I do that, Mr. Lucas, you gave \nus a good example of a technology your company is developing \nthat I can use, as a consumer going online, to protect my \npersonal information. You are not the only one. There are other \ncompanies doing that, right?\n    Mr. Lucas. That is correct.\n    Mr. Tauzin. Doesn't Novell have a similar software product? \nAnd I assume other companies do, too, that I can't think of \nright now.\n    Mr. Lucas. There are other companies that have started----\n    Mr. Tauzin. Your point is, lots of companies are building \nsoftware products that I can eventually purchase and use in \nconnection with seals and partnerships to know that I am in \ncontrol of my information online; is that correct?\n    Mr. Lucas. There are several companies----\n    Mr. Tauzin. And your point is, they ought to be given a \nchance to see whether consumers like them or want them; or in a \nreal world, Ms. Singleton, I believe they are important enough \nto invest in and to use on the Internet, right?\n    Mr. Lucas. That is correct.\n    Mr. Tauzin. Mr. Lewin, you testified that your numbers are \ngrowing in TRUSTe in terms of companies signing up. You said \nabout 1,500. 
What percent of transactions, how much traffic is \ninvolved in the companies that you are engaged in?\n    Mr. Lewin. Right. By using a survey conducted by Media \nMetrics, which is a recognized industry to ``keep track of the \nnumber of hits,'' if you will, at each of the sites, it is \nestimated that during the course of a month that the sites that \ncarry the TRUSTe seal, about 90 percent of the users hit a \nTRUSTe-sealed site each month.\n    Mr. Tauzin. So it is significant. You have got your seal \nprogram going, you have got your marketing enforcement. Are you \ngoing to be part of our direct marketing group? You have got to \nobey these rules; if you don't, I will kick you out. I assume \nthat you kick people out or sue them in court on your contracts \nif they violate, right?\n    Mr. Lewin. We have those options. Fortunately, to date, \neverybody has recognized the value and we have not had to do \nthat.\n    Mr. Tauzin. The Better Business Bureau has its own seal. I \nsaw a whole list of other seals in the commission's report.\n    Here is my question. How do I know which one of these seals \nand which one of these operations I can trust? TRUSTe sounds \nlike I can trust it, but how do I know? The Better Business \nBureau has a reputation; I assume I can rely on that to some \ndegree. But how do I know which one of these is going to be not \nonly a good seal organization, but one that is monitoring the \noperations of its members to ensure that they are following the \npolicy they agreed to, and two, they are taking the trouble of \nbringing suits or investigating and kicking them out of the \norganization if they fail to follow the policy?\n    How will I know that as a consumer, Mr. Lewin?\n    Mr. Lewin. I will speak from our point of view.\n    The best way we have of demonstrating that is to do just as \nwe demonstrate it. 
We have a watchdog process whereby any \nconsumer that has a complaint against one of our licensed sites \nconveys that complaint to us. The first thing that we do is to \nensure that the site itself has had an opportunity to respond \nto that. If they have not, we investigate it.\n    If indeed we find that there is a violation of the privacy \npolicy, we contact that Web site and make sure it is remedied. \nIf they do not remedy that situation, which again has not \noccurred, we will throw them out of the program and if \nnecessary, based on the contract that we have with that site, \nwe will take legal action or turn them over to the State, local \nagencies, whatever is appropriate.\n    Mr. Tauzin. How do consumers know that you are going to do \nall of that?\n    Mr. Lewin. Again, that is a good question. With the Privacy \nPartnership program, we had some very great success in \nincreasing awareness. We need to continue doing that. That is \none of the key points that I mentioned in my prepared article, my \nstatement.\n    Mr. Tauzin. Mr. Cerasale, let me wrap it up with you.\n    How do I know that the Direct Marketing Association is \ngoing to properly monitor its members and make sure they are \nfollowing the new policy that you just put out on privacy? How \ndo I feel comfortable in dealing with one of your member firms \nthat you are watching them and you are going to kick them out \nif they misbehave or misuse my information?\n    Mr. Cerasale. Two things. One, of course, is to actually do \nsomething, get the information out, public.\n    The second thing is the DMA's privacy policy says you have \nto give them notice and you have to give them an opportunity to \nopt out. Those are two things that have to appear on the Web \nsite. 
As we said before, once you are on the Web site and you \nsay, here is what I do and here is what I promise to do and you \ndon't do it; we also have FTC jurisdiction through section 5 \nviolation coming so that it is not just a seal on a DMA member \nand I follow the Privacy Promise, but you also have to have a \nnotice and give choice to the consumer and then once you do \nthat, you have to follow it in that means.\n    Mr. Tauzin. Which is at least more than you got in the \nhallways of the Rayburn Building.\n    The gentleman from Massachusetts, Mr. Markey.\n    Mr. Markey. Thank you, Mr. Chairman.\n    Mr. Lewin, when a Web site has violated your privacy policy \nand you say you boot them out, you then say that--and then we \nnotify the State or other jurisdictions that could take action \nagainst them.\n    Mr. Lewin. If applicable, yes.\n    Mr. Markey. What if I was in a State that had no laws?\n    Mr. Lewin. Again, if the violation was to our license \nagreement that we had with the site, then we would pursue that. \nMy comment was----\n    Mr. Markey. What does the consumer get? You could sue them \nbecause they violated your trust, but what about the consumer? \nWhat right do they have to any restitution because their \nprivacy was violated under your program?\n    Mr. Lewin. That is a good point. During this entire \nwatchdog process, as we call it, we keep the consumer informed \nof what is going on, what the problem was, et cetera, et \ncetera, et cetera. If there is something that caused enough \nharm to the consumer that it required some type of legal \naction, justified by that individual, then obviously they can \naccomplish that.\n    Mr. Markey. What if the State had no laws on the books, Mr. \nLewin, and the consumer is out $100,000, they believed that \ntheir privacy has been compromised and their reputation is \nruined? Where do they go if the State has no laws? What can you \ndo for this individual?\n    Mr. Markey. 
What can you do for this individual?\n    Mr. Lewin. In your hypothetical situation, we just bring \nthe, No. 1, the remedy, so that it does not occur again. If it \nis against a----\n    Mr. Markey. But that is corporate. I am talking about the \nindividual. Where does a--where does an ordinary person go? Do \nthey go to you, Mr. Lewin, do you help them get their privacy \nprocess back?\n    Mr. Lewin. No.\n    Mr. Markey. Do they go to you to get money back, will you \nbring the suit?\n    Mr. Lewin. No.\n    Mr. Markey. You say go to the States, if applicable. Should \nthere be laws at the State level for people to go to gain \nremedies because their privacy, their families' secrets have \nbeen compromised in a way that harmed the family?\n    Mr. Lewin. From what I have observed in the press so on and \nso forth, there seem to be enough or sufficient and local and \nState laws dealing with the kinds of situations that may create \nwhat you are kind of postulating.\n    Mr. Markey. Do you think every State in the union has \nsufficient laws on the books so that the people can gain----\n    Mr. Lewin. I don't know that for a certain.\n    Mr. Markey. They do not, Mr. Lewin, let me tell you they \ndo--that is why we are here at the Federal level because they \ndo not. So notwithstanding with your good efforts, and they are \ngood efforts, I want to congratulate you and companies like yours for \nyour programs. But at the end of the day, you can't get them \nback their reputation, you can't get them back what the family \nlost. And the States can't get them back what they lost because \nthey don't have laws either.\n    And the question is, where do you go, which office do you \ngo to. Who do you--what rights do you rely upon, Mr. Lewin? And \nwhat we are hearing today is that we don't have any place to \ngo. Although your program is a very good step, and I think \npeople should avail themselves of it. 
But at the end of the \nday, there is a certain kind of--to me the way I view this \nwhole revolution is that it empowers individuals, it gives \nevery one of us the ability to be able to act, that is the \ngreatness of the system.\n    And here at the end of the day, while all of this power, \ntheoretically comes to me, I don't have any privacy rights. I \ndon't have any security rights. I don't have any place to go to \nenforce them. I am told that it is a one-way street, you know, \nthat there are no laws which are passed or which are going to \nbe passed. And that is what really--what troubles me, Mr. \nLewin, although you are the best that is in--that has been \ninserted to substitute for that, but even with that, as you \nsay, there would be no place for anyone to go to get the relief \ntheir family needs.\n    Thank you, Mr. Chairman.\n    Mr. Tauzin. Thank you very much. With the gentleman's \nindulgence, I was looking for this while I was doing my round, \nbut I wanted to point it out to you. The Discover magazine \nawards new technology winners each year, one of their awards \nwinners this year is called Video in a Chip. Look at these \ncameras out here, you can tell when they are watching you, they \nare pretty big devices.\n    You guys have got to lug them in and out of here. New \ndevelopments, today's video cameras generate pictures from \ncharge-coupled devices from CCDs which provide greater picture \nbut require a pile of support circuitry, they cannot sit on the \nsame chip. But guess what, the one-chip camera has been \ndeveloped, Lucent Technologies, using the same CMOS materials \nin the personal computer, Mark Leonities and his colleagues at \nLucent agree that every secret agent's dream contraption, a \nvideo camera the size of a cigarette lighter, a lot easier to \ncarry guys, but also a lot more intrusive in the lives of \nAmericans. It is not just online privacy. It is some big issues \nhere.\n    The gentleman from Illinois, Mr. 
Shimkus.\n    Mr. Shimkus. Thank you, Mr. Chairman. Mr. Lewin, I just \nwant to follow-up on some of my colleagues questions from the \nCommonwealth of Massachusetts. Do you have any--I mean these \nwere postulated as hypotheticals. Do you have any real world \nstories of--based upon people who are involved in your entity \nwith the business relationship with you that have had problems \nand have had to go through some of the hurdles that the \ngentleman mentioned.\n    Mr. Lewin. Not as they relate to the issues of privacy that \nwe are talking about here. We have been made aware because \npeople visiting a Web site that have had some difficulties and \nsee our trustmark have sent us some complaints outside of the \npurview of the area that we are talking about in privacy, but \nthat is the only----\n    Mr. Shimkus. That has only been external requests, you \ndon't have anybody that is dealing with your product who have \ncomplained about loss of information?\n    Mr. Lewin. No. If there had been a complaint, cases that \nwere valid, and approximately 80 percent of the cases that we \nget--come to watchdog process deal with some misunderstanding \nthat the particular consumer with the Web site, something \nwasn't clear, so on and so forth. In those cases that were \nvalid, of which there were--when you boil it down, there are \nonly about four cases, it was in two of those cases, there was \njust simply a bug in what the Web site thought was happening, \nbut indeed something else was happening, and once it was called \nto their attention, they fixed it, recognized their problem and \nproceeded.\n    In one case, it was known, but it was a misunderstanding \nand it was fixed. And in the last case, that was also a similar \nsituation.\n    Mr. Shimkus. Let me just throw out a question for the panel \nas a whole. As I hear this, and I heard the information on cash \ntransaction, is it impossible in this day and age to be \nanonymous?\n    Ms. Mulligan. 
I will take a first stab at that. I think \nmany of us enjoy a whole lot of ``anonymity,'' that we don't \nreally appreciate. When you walk down the street, you may pass \na lot of people and they may observe you, but very few of them \nare taking a picture, recording, following. And so the \nexperience of the individual is a whole lot of--I actually \nthink probably a more powerful term and something I think many \nAmericans really resonate is autonomy, a lot of us experience a \nlot of autonomy in freedom to do a lot of things without the \nfear that everything we are doing is recorded and monitored.\n    And if you think about the Privacy Act which governs what \ninformation the government can collect about us, one of the \nthings that puts limits on was their collection of their \ninformation about our First Amendment activities because there \nwas this notion that in order for us to, as a society, debate, \nexplore issues, have a robust participatory dialog about what \nappropriate policies were, we needed to have some protection \nfrom government surveillance, and so that there is a--you know, \nthere is a real recognition of the importance of autonomy, \nanonymity, and I think many of us experience it in lots of \ndifferent ways during the day, but there is a growing sense, \nand I think things like the piece that was pointed to in the \nWashington Post about the government has your number, the kind \nof growing lookup services industry that provides a wealth of \ndata about individuals, not for marketing purposes but many \nother purposes, there is a sense that many of the footprints \nthat we leave both in the online and offline world don't become \npermanent; they don't disappear.\n    Mr. Shimkus. Mr. Lucas, would you like to comment?\n    Mr. Lucas. I would like to comment about the technology \nthat is available for anonymity. I would just like to caution \nthe committee when people present the fact that they are \nanonymous to be careful. 
There is a difference between anonymity \nand what is called factual anonymity.\n    Anonymity for example when someone--when a technology \nclaims that they have an application on a PC that talks to a \nWeb site, but things like IP addresses are transferred, that is \nnot anonymous. I would also remind that there is a recent project at MIT \nwhere they took the personal identifiable information from the \nstudents and the faculty there and just kept people's date of \nbirth and zip code. Having that information alone and combining \nthat with offline data sources, they were able to identify--\nremember you were talking about medical information--they were \nable to successfully correlate back over 80 percent of the \npeople to a personal identifiable record.\n    When you talk about anonymity, I think consumers nowadays--\n40 percent of the data that is submitted to the Web is \nfalsified. And I think that the reason that consumers do that \nis they feel that this presents a layer of anonymity between \nthem and the site and it truly isn't anonymous. So from a \ntechnology perspective, there are technologies out there that \nprovide what you would consider to be factual anonymity, but \nnot all that claim they are anonymous do that.\n    Mr. Shimkus. Did you want to add?\n    Mr. Cerasale. Well, I never sought a Social Security number \nfor my children until I couldn't claim them as an exemption on \nmy taxes without doing it. So my children received Social \nSecurity numbers then. It is very difficult in this world today \nto survive without health insurance and you can't really be \nanonymous in health insurance. So I think that the thing of \nwhat you think of total anonymity is virtually impossible in \nthe United States today, but that doesn't mean that there are \nthings that what--parts of your life that you do think you can \nbe anonymous.\n    Mr. Shimkus. I agree. 
Because when I was hearing the debate \non cash transactions we just went through the hurdles earlier \nof this Congress on know your customer law that was being \nportrayed in the banking industry. And even if you want to \noperate under full cash transaction type basis, the desire to \nhave access to that information by the government on cash \ntransactions also hurts your ability to be somewhat anonymous. \nAnd that is--I think that is the reason why we are struggling \nwith this issue, this technology is just amazing.\n    And I think more than just information, it is the easy \naccess of the information that makes it much more of concern to \nboth spectrums, from those who are the most liberal to those \nwho are most conservative, there seems to be a tremendous \nconsensus of trying to protect our freedom of our own \ninformation.\n    With that, I yield back the balance of my time.\n    Mr. Tauzin. I thank the gentleman. I point out that there \nis great conflict though, the fact that only 2 percent of the \ntotal volume of financial activity is in cash also is important \nto know that inside that 2 percent is most of the illegal \nactivity. People don't go around using credit cards to do \nillegal sorts of things. And, you know, so you have got that \nconflict between government's ability to deal with the illegal \nactivities and your right to keep information private, trying \nto be anonymous sometimes. Pretty tough balancing act we are \ngoing to have to do here.\n    The gentlelady from California, Ms. Eshoo.\n    Ms. Eshoo. Thank you, Mr. Chairman. I guess the illegal \ncash activities are still not attracted by the mileage that is \noffered by using a credit card. I often think that is one of \nthe main attractions for using it for everything. My mother is \nstill appalled that I would use a credit card to buy groceries; \nshe just can't believe that.\n    Mr. Tauzin. Do you remember the story about Jerry Springer?\n    Ms. Eshoo. 
The cash transaction.\n    Mr. Tauzin. If the gentlelady remembers the story about \nJerry Springer. What he did, used a check, I think, in a \nhouse of illegal prostitution. This kind of thing is rare, but \nit happens.\n    Ms. Eshoo. I am glad it was you that brought up Jerry \nSpringer, I am talking about my mother, you are talking about \nJerry Springer. At any rate, this has really been an \ninstructive panel. And I once again want to welcome my \nconstituent, Mr. Lewin, and each one of you that has \ncontributed to this.\n    I have a thousand questions really swimming around in my \nmind on this. One of the things that comes to mind is that \nwithout good consumer education, I think that the seal on a Web \nsite is really going to get lost in the increasing barrage of \nbanner ads and logos and all the advertising. I mean you look \nat these sites and, you know, your eye is just drawn--or it is \na challenge to your eyes, because you are drawn to so many \nthings that are blinking and waving and trying to get your \nattention.\n    So I really don't know what kind of further efforts are \nbeing made and maybe Mr. Lewin can tell us something about \nthat.\n    And I am also curious, has anyone ever ripped off your \nseal; and if they have, how do you find out, and once you find \nout what do you do?\n    And what do people pay for these services? Is it the same \nnationally or is there competition between you and the Better \nBusiness Bureau. And how do you advertise; how do you get the \nword out?\n    Mr. Lewin. Okay.\n    Ms. Eshoo. Does the FTC get anything out of it?\n    Mr. Lewin. Wait a minute.\n    Ms. Eshoo. I told you I have a thousand questions.\n    Mr. Lewin. It was an overload to my mind there. Let me try \nto address my questions. If I miss one, please remind me. First \nof all, regarding how the site pays TRUSTe for the use of the \nseal, that is based solely on the company's revenue. 
In the--it \nstarts at $299 for the year, and then it goes up to $4,999.\n    Ms. Eshoo. And others do approximately the same?\n    Mr. Lewin. Yes, they are approximately the same, that is \ncorrect. I should point out that 85 percent of our sites are \n$10 million or less. So the word is getting out to the small \nsites, okay, it is not just a big site phenomena. People that \nare getting into the activity of establishing their servers and \nso forth want to do the right thing, and I want to emphasize \nthat, they want to do the right thing. And when people do \nsomething wrong. I am talking about the Web site now, on the \nWeb site, it is typically out of ignorance, they just don't \nknow, or they didn't have the information and so they come to \nus and seek advice.\n    To address your question about have people tried to rip our \nseal off, yes. We know of now 7 cases and 4 of the cases \nhappened prior to last month and 3 just recently happened.\n    Ms. Eshoo. How did you know?\n    Mr. Lewin. How we find out is through a couple of \nmechanisms. We are beta testing some technology that goes out \nand searches the Web looking for graphics. And it comes back \nwith the identification of the Web site, what is called the \nURL, we match that against our authorizing licensee list and if \nwe don't have a match, a-ha, our attorneys have an opportunity \nto write a letter, which indicates that----\n    Ms. Eshoo. You don't need an attorney to do that.\n    Mr. Lewin. It looks more impressive if you have all the \nnames on the top of the paper.\n    Ms. Eshoo. I know; I am just teasing.\n    Mr. Lewin. In all four cases, it stopped. They took the \nseal off. To be fair, in three of those cases because they sent \nus a signed agreement, they thought that they can put the seal \nup. 
That is not the case, that is the beginning of the process, \nbecause they have to talk to one of our account executives, as \nthey are called, that guides them through the actual creation \nof the privacy statement, and only after they bless it are they \nauthorized to put the seal on, if it says everything that \nshould be said.\n    And the one case was just somebody who they thought they \ncould get away with it. The other three cases, the letters have \nalready been written, and we anticipate that they will be \nresolved. But if somebody--if somebody ignored our letters or \ndidn't take action, we would pursue it to the fullest extent, \nbecause what we offer is credibility. If we lose credibility, \nwe lose everything. And so we pursue that vigorously.\n    And as to your other question.\n    Mr. Tauzin. She asked what the FTC have to do with your----\n    Mr. Lewin. Oh, thank you. We stay involved with what goes \non with the FTC, and I guess the model I would like to use is \nwith the Children's Privacy Seal that we put together, once \nwe--in our discussions with the FTC saw what was going on and \nwe attend their workshops and so on and so forth, we try to \nanticipate what is going to happen, so we alert our licensees \nthat are--that have Web sites that are focused on children 13 \nyears or under to start making these changes, to start looking \nat this, to give them the lead time necessary and to make them \nready when indeed that is enacted.\n    The other thing that we do is we respond to their requests \nfor information. In cases that have been drawn to their \nattention if there is any information that we have that they \nfeel might be appropriate, then we will work with the \nappropriate parties at the FTC.\n    Ms. Eshoo. 
I think in so many of the things that have been \nexpressed by the panelists, and including the previous panel is \nthat we have made some progress, we have made some progress and \nthe progress that has been made, the innards of it have some \nweight to them. But it seems to be that overall in this area of \nonline privacy protection, et cetera, et cetera, that right now \nit is really more the exception than it is the rule.\n    And it is startling to me, because everything else is in \ndirect contrast to that on the Internet. I mean it is the speed \nof lightning; it is incredible. If you just keep layering on \nthe statistics of the usage and its importance, I mean one can \njust go on and on.\n    And I am so struck with the fact that this remains a \npremature baby that doesn't--is not gaining weight the way it \nshould. I mean this is really in the incubator. So I don't know \nif it would be prudent for the Congress to say by such and such \na date, this is the progress that needs to be made.\n    I mean we are dealing with that in terms of medical \nprivacy; if we don't act by a certain date, then the Secretary \nof HHS will then write the regulation or the language for it. \nBut it seems to me that it is an area that either the private \nsector is going to make grow and grow rapidly or we need a \nFederal nudge here.\n    I don't know. Does anyone want to add anything to that?\n    Ms. Singleton. Let me add something quickly. I think \nactually the contrast between sort of what has been called for \nin privacy and what is actually developed. On the one hand, if \nyou continue to operate from the same assumptions that you \nstarted with, then it looks like okay the Federal Government \nhas to start doing something.\n    Ms. Eshoo. And what I really didn't understand in your \nopening testimony though what your assumptions were. I think \nyou were questioning the assumptions on which----\n    Ms. Singleton. Yes, exactly. 
I mean it is very difficult \nfor me to lay out my thinking about privacy in a concise \nmanner, but I do think that it is really important to go back \nwhen things are not working the way you expected them to work \nand say maybe this isn't quite as simple a question as we \nthought. Maybe there are costs to consumers as well as \nbenefits.\n    Ms. Eshoo. This is not just a philosophic debate and \ndiscussion about assumptions. We know that there are areas that \nare already protected, and we are trying to be delicate and \nprudent and maybe even bring some wisdom as to how we shift \nthat architecture that is already in place to this new medium.\n    Ms. Mulligan, did you want to add something?\n    Ms. Singleton. I am sorry I hadn't quite finished.\n    Ms. Eshoo. But you are on my time though.\n    Ms. Singleton. I am sorry.\n    Ms. Mulligan. I think it is an important question and, you \nknow, the analysis that the FTC provided is okay we have some \nprogress here access, much less progress; security, less \nprogress; the whole pie, do you want the whole thing? We are \ntalking still 10 percent, how do we get from here to there. 
I \nhave to tell you the TRUSTe program, the DMA line, the \nstandards in those programs are becoming much more like the \nfair information practices that are embodied in the Privacy Act \nor the OECD guidelines which are kind of the international \ndiscussion, and I think there is an enormous amount of buy-in \non what the principles are, and the real question is, how do \nyou get ubiquity.\n    And I believe that ubiquity is going to come through \nincreased focus by the FTC, increased self-regulatory efforts, \nbut also a focus on how to get the people who aren't paying the \nattention in the room, and I think that Congress has \ntraditionally played that role of how do you get the bad \nactors, how do you get the free riders, the people who are \nmaking a dollar off of information and really aren't interested \nin putting themselves under the FTC's, you know, spotlight by \nsaying anything, because if they don't say anything, chances \nare nobody is going to come after them.\n    Ms. Eshoo. Thank you very much. Thank you, Mr. Chairman.\n    Mr. Tauzin. Thank the gentlelady.\n    The gentleman from Ohio, Mr. Sawyer, is recognized.\n    Mr. Sawyer. Thank you, Mr. Chairman. I was just struck by \nthe notion of the Federal nudge. I was wondering whether that \nmay be filed in technical terms between a resolution and an \nunfunded mandate.\n    Mr. Tauzin. Does it get an H.R. or an HS? I am not sure.\n    Mr. Sawyer. I assume that many moons ago you passed the \npoint at which we were offered the opportunity to submit our \nstatements for the record.\n    Mr. Tauzin. Yes. That has been by unanimous consent.\n    Mr. Sawyer. I welcome the opportunity to undertake that.\n    Mr. 
Lewin, you have talked a lot about the kinds of things \nthat the people whose sites you provide certification to their \nobligations and responsibility, do you face a particular \nliability having certified a site and then having found it to \nbe not in compliance with the standards which you certify?\n    Mr. Lewin. The--well, in our agreements we indemnify in \nterms of, you know, our trustmark and what we do and so on and \nso forth. If I understand your question correctly, and please \ntell me if I don't, are we liable if the Web site does \nsomething dastardly to a consumer and we should have caught it; \nis that the question?\n    Mr. Sawyer. That is essentially it, yes.\n    Mr. Lewin. No.\n    Mr. Sawyer. I assume you prefer not to be?\n    Mr. Lewin. Right, right. And I think that the issues are \npretty clear. There could be changes that occur on a daily \nbasis. What have you. Although we do monitor sites on a \nquarterly basis. And we do what we call seeding, which we track \ninformation as if we were a consumer of that Web site. And, \ntherefore, if we get information from a--to one of our seeding \naddresses, we know where it came from and then we, you know, \nshould that have happened, yes or no. And it is a very \niterative process.\n    Mr. Sawyer. You have talked about looking for failures. Do \nyou monitor Web sites----\n    Mr. Lewin. Yes.\n    Mr. Sawyer. [continuing] that are actively in play? How do \nyou go about that?\n    Mr. Lewin. Yes. Currently that is done on--by our account \nexecutives and it is actually looking at the Web site in, No. 1 \nensuring that there are no changes or if there were changes, \nare they similar to their business operating practices and so \nforth. We are also exploring technology now, as Dr. 
Lucas has \nalready pointed out, that we are exploring to do some of that \nin a more automated fashion so we can do it on a more regular \nbasis, and that is something that I am confident between now \nand the end of the year that you will see substantial progress \nin.\n    We also, by the way, provide what we call wizards which \nare--privacy wizards which allow an organization to quickly set \nup a privacy seal if they take certain defaults so on and so \nforth. And if they want--the more tailoring they do, the longer \nit takes. But we try to automate as much as possible the \nknowledge that we have gained by doing these licensees over and \nover again in various industries.\n    Mr. Sawyer. You had mentioned that most of the failures to \ncomply were inadvertent; were they errors?\n    Mr. Lewin. Yes.\n    Mr. Sawyer. Have you encountered those that were willful?\n    Mr. Lewin. There was one case where the organization \nthought it was okay to do what they were doing. We disagreed, \nand as part of our escalation process, we called an outside \nauditor and in our program, PricewaterhouseCoopers and KPMG \nto conduct the survey to verify our findings, and that was done \nat the licensee's expense which is part of our agreement, which \nwas not a trivial expense. Once it was verified that indeed \nthat was a problem the licensee recognized that they were at \nfault, and they changed their practice.\n    Mr. Sawyer. Mr. Cerasale, will you soon be offering an \nopportunity for consumers to remove their names from E-mail \nlists?\n    Mr. Cerasale. Yes, we will, similar to our telephone and \nmail or physical mail preference.\n    Mr. Sawyer. I assume that that is far from being a more \nonerous task, considering it is actually probably made easier \nby the medium that you are dealing in----\n    Mr. Cerasale. Well----\n    Mr. Sawyer. [continuing] by comparison to paper?\n    Mr. Cerasale. 
Actually trying to get it done electronically \nvery quickly has proved to be some problem with making \neverything mesh computer to computer which is what has been \nslower. It will--it should be easier for a consumer to be able \nto mesh and get through to get on that E-mail preference list.\n    Mr. Sawyer. Do other organizations similar to yours \nundertake the same kind of thing?\n    Mr. Cerasale. I don't believe so. I think from our review, \nour history with the telephone preference service and the mail \npreference service, we look like we are the only ones working \non that E-mail preference service.\n    Mr. Sawyer. Do you see that as a comparative advantage to \nthe DMA or should, in terms of the gentlelady from California, \nothers be given a Federal nudge to follow your example?\n    Mr. Cerasale. Well, they can actually--you would not have \nto be a DMA member to get that--to get that list, to use the \nlist. We have a fee that we charge companies to use it to help \ncover our costs, but you don't have to be a DMA member to do \nit.\n    Mr. Sawyer. Thank you very much. Mr. Chairman, Ms. \nSingleton, did you want to finish up a thought that you were \nunable to complete on the gentlelady's California time?\n    Ms. Singleton. I think I would just like to reiterate that \nthere are still an enormous number of open questions in this \ndebate. A lot of information that has not been collected about \nthe way information is used in the economy and how that \nbenefits consumers in particular. And I think that particularly \nwhen things aren't going as expected, it is really important to \nquestion whether there is really a simple issue at all.\n    Mr. Sawyer. I think that is precisely the point that the \nchairman was making. Thank you, Mr. Chairman.\n    Mr. Tauzin. Thank the gentleman. The gentleman from \nCalifornia, Mr. Cox, is recognized.\n    Mr. Cox. Thank you. I have essentially two questions. 
One \nis the degree to which we can have agreement on the kinds of \ninformation that would be especially harmful to restrict the \ncollection of, and when we are talking about people's medical \ninformation, for example, we get to sort of the core what we \nthink we ought to have a privacy interest in protecting.\n    But there are other things about what we do that presumably \nthe marketplace as a whole and we as individual consumers have \nan interest in making sure there is commerce in so that stores \nhave what we want when we go visit them and so on.\n    So my first question really is what is it that we would be \nvery well advised not to put on a list of things along with \npersonal medical information that would we sort of presume we \nought to keep private?\n    And the second thing is the extent to which, and I \nparticularly want to address this question to Ms. Singleton, to \nwhich we ought to look to sort of 19th century legal traditions \nof private property rights to help us. To what extent can \nproperty rights take care of this debate as against more \noverarching government regulation which I think has sort of \ngoing after people one at a time on a case-by-case basis with \never more detailed regulations to try and fix problems \nspecifically rather than generally.\n    And I leave it to any member of the panel to address the \nfirst question. Is there some information that we really should \nnot think about restricting because it will subvert the \nmarketplace?\n    Ms. Mulligan. I would like to actually link the two of them \ntogether. Generally when we talk about privacy, it is not \nnecessarily about restricting specific pieces of information, \nit is about giving the individuals to make decisions when they \ndisclose information how it is used beyond the use of they \ndisclosed it for. So, of course, medical information, most \nindividuals are going to want that to flow freely between them \nand their doctor. 
And they are going to want it to kind of stay \nin that confined environment.\n    So the question is how do you ensure that? You can \ncertainly ensure it through a property right. But I think what \ngenerally has been put in place since the 1970's in a variety \nof sectors of the economy whether it is government information, \nvideo rental records, the Fair Credit Reporting Act, is the \nnotion of the way in which we protect a piece of property that \nI have willingly given to you for a specific purpose is to say \nthat you have some obligations now about how you handle that \ndata, and if you want to disclose it to the chairman, you get \nmy permission or you allow me to opt out depending on how \nsensitive the data is, you take on some obligations to protect \nit, to make sure it doesn't get corrupted.\n    Mr. Cox. So a license basically----\n    Ms. Mulligan. Yeah, the notion of a property right is \nreally, it is the core that underlies what we call the code of \nfair information practices, they are not intentioned at all, \nand it is just kind of a bundle of rights and how do we best \npreserve those. And I think you can certainly do it through a \ncase-by-case litigation giving individuals property interests.\n    I think there hasn't been a very thorough review of \ndifferent statutes on the books and different common law models \nto figure out which actually best drive practices in the \nmarketplace. We don't know that, and which actually provide the \nmost suitable remedies to consumers and which actually provide \nthe best enforcement mechanisms. So the FTC must be an \nexcellent place for ensuring general compliance; but as \nRepresentative Markey said, when an individual is harmed, am I \ngoing to get a specific redress from the FTC? 
Well, no, I might \nget that under a private right of action, but as far as \nensuring compliance, if it is my name that has been resold, \nthere may not be a whole lot of, you know, interests in my \ngoing to court.\n    There is a lot of barriers to nationally pursuing that \naction. So in thinking about how you structure a means----\n    Mr. Cox. Although if we gave people access to even small \nclaims court, anybody that was trafficking in that kind of \ninformation would be hit by a thousand bee stings, they would \nprobably want to correct the behavior.\n    Ms. Mulligan. Absolutely, I think there is a whole host of \nways you can go about looking at this. And I think one of the \nthings that people call for legislation, we are not calling--\nthere is a need to think about, which--I certainly listened to \nwhat Ms. Singleton is saying. There are questions you need to \nanswer.\n    Mr. Cox. Ms. Singleton, do you want to address that?\n    Ms. Singleton. Yes, I will take each question sort of point \nby point. I guess my first question is that there certainly is \ngoing to be areas where people are a lot more sensitive about \nthe information than others. In some of those areas might be, \nfor example, including religious preferences, sexual \npreferences and so on.\n    On the other hand, even in those areas, I think we have to \nact very carefully, because if you were to decide, for example, \nthat religious information was something that would be \nsensitive, does that necessarily mean that we need regulation? 
\nAnd I think there it would be not necessarily and, in \nparticular, it would be really important to look at if you got \na new kosher foods company starting up and you want to enter \nthat marketplace, and you are looking to identify your first \ncustomers; if that information is not available to you, you may \nnever get off the ground.\n    So even once we have identified a sensitive sector, that is \nnot necessarily going to sort of help decide whether or not \nthere should be a Federal standard. I think on the property \nrights context, there is two parts to my answer, one is to say \nthat if you look at the common law often, and back at the 19th \ncentury cases, often you will find a right to privacy tied in \nvery close to a violation of physical property rights.\n    And, for example, in the 19th century, invasion of privacy \nwas often sort of bundled into a nuisance suit if somebody had \nbuilt a building too close together.\n    Mr. Cox. Referring to the 19th century, what I really mean \nis 19th century property rights what we consider to be property \nin the 19th century, intellectual property wasn't a big deal \nback then, if you take those notions even physical property as \nthey were bequeathed to us in the 19th and 18th centuries, and \nyou use that as the model in the 21st century, my question is, \nis that promising?\n    Ms. Singleton. Okay, got it. I think there the closest \nanalogies we can look to would be what other property rights \nand information exist, and these would include copyright, \npatent, and, to some extent, defamation. And I think that those \nsuggest that there can be property rights of information, but \neven in those areas the Internet has raised some really \nimportant new issues. 
And traditionally also those property \nrights and information have been relatively narrow, I mean, \nthat is to say, particularly in patent law, for example, you \nknow, it is time limited, it is limited to certain relatively \ntechnical information that is not generally in the public \ndomain. So I think that sort of having a default rule that \nsuddenly a large category of information that relates to people \nis a property right that wasn't before is potentially going to \ncause some problems.\n    Mr. Cox. Well, Mr. Chairman, I thank you. I would just also \nmention that I got a chance to meet with the bankers from GOSS \nbank, which was a big Soviet bank, I probably talked to some of \nthem, probably 1990, before the collapse of the Soviet empire, \nand we were having a conversation through an interpreter, and I \nspeak some Russian, and I got involved with the interpreter and \nwe have quickly figured out they didn't have a word for \nmortgage, you know, the big bankers in the Soviet Union, and \nwhat I was trying to say was the No. 1 sort of startup capital \nfor small business in America was the mortgage, and they needed \nto have land title registry and all the things we never think \nabout in this country in order to get small business started up \nthere, and what was then the Soviet Union, what quickly became \nRussia.\n    I think we need to remember that without a basis in law \nthat free market actors cannot contract privately with one \nanother properly, so we need to pay some attention whether or \nnot we are importing these concepts from our forebears in the \n21st century. And I thank you for being generous with the time.\n    Mr. Tauzin. Interesting. My visit to St. Petersburg \nconfirmed that, a wonderful free market and little booths on \nthe streets where they are selling products, right behind them \nare all the buildings owned by the public which are empty. I \nwondered what had gone on there, that is the people's building. 
\nNobody can conduct commerce in there. It is really strange. No \nword for mortgage.\n    Mr. Cox. I am sure they have one now.\n    Mr. Tauzin. I am sure they have got one now.\n    Final comments. Mr. Markey.\n    Mr. Markey. Thank you, Mr. Chairman, very much. I am very \nintrigued by this whole notion of private right of action. And \nI think we need a lot of discussion about it, not just in this \ncontext, but also in the financial service industry context. I \nthink if an individual had the ability to go to court in order \nto vindicate their privacy rights with no class action \npossible, the limitation on damages which could be received, I \nthink that would go a long way toward helping to make sure that \nthere was a cleansing of the industry.\n    And I hope that in the financial services industry context \nperhaps we can talk about that, it was part of my underlying \namendment a couple of weeks ago that I finally pared down to \nits essential elements, but I think a private right of action \nis something that we might be able to agree with on a \nbipartisan basis.\n    Can I ask, Ms. Mulligan, in conclusion, if I could, are we \nasking the wrong question, when we focus so much of our \ndiscussion on mere disclosure requiring consumers to find, to \nclick on, and then read a privacy notice on each Web site when \nthey surf? It is a very cumbersome thing. In the era of the \nWorld Wide Web, you can just keep moving. And just define \nprivacy policy and read it could be a half a day.\n    It seems like an analog answer to a digital question, you \nknow, how do we--how do we deal with these issues in this new \nera? You know, are we thinking in terms that reflect the new \ntechnology on the speed with which people can move from site to \nsite; and as a result, we have to think outside of the old \ntraditional boxes?\n    Ms. Mulligan. I think both yes and no. 
I think we have to \nimport the old principles, and I think, as you said, no notice \nisn't enough and very clearly if you look at industry \nstandards, BBBOnLine, TRUSTe, the Federal Trade Commission's \nproposals, your proposals and the financial services----\n    Mr. Markey. How can P3P help?\n    Ms. Mulligan. Absolutely. I think there is a role for \ntechnology to automate the disclosure. You know, we don't have \na Schumer box for the information age, the hope is.\n    Mr. Markey. A what box?\n    Ms. Mulligan. We don't need a disclosure box for the \ninformation age, what we need is a technology that helps \nindividuals, a Markey box.\n    Mr. Markey. I am afraid to pursue it. This is live in the \nSenate as well.\n    Ms. Mulligan. I am sorry. What we need is a technology \npiece that is going to enable consumers to talk about privacy, \nwhether it is self-regulation or it is legislation, it is a \nwild Web, there is many Web sites. We have jurisdiction issues \nleft and right, and the technology is going to be a critical \npiece, whether it is providing individuals with anonymity or \nfactual anonymity or giving them the ability through something \nlike the Platform for Privacy Preferences being developed at \nthe World Wide Web Consortium to figure out what a privacy \nstatement says and whether or not it abides by what they think \nthey want their information to be handled.\n    Mr. Markey. Without a minimal standard, Ms. Mulligan, how \ncan we expect the marketplace to ever know what it is that is \nexpected of it? How do we reach that point absent any \nlegislation passing that can then be pointed to as the \nexpectation that each industry, each company would have to \nreach?\n    Ms. Mulligan. Well, I think, like you, I believe that there \nis the need for some baseline legislation, and so I am not \nsaying that we don't need that, I think we clearly do. 
But in \nthe absence of that, I think that consumers can be empowered \nthrough technology to do some self-policing about where they \ndisclose information, how they disclose information to avail \nthemselves of technology, and to look for businesses who have \nput themselves out in front to say that we are doing the right \nthing.\n    But I do think that self-regulatory efforts and technology \nthat are grounded upon a shared baseline of policy is going to \nbe the most successful in the end.\n    Mr. Markey. I want to thank you, Ms. Mulligan, and all of \nyou. This was an excellent panel. I want to thank you, Mr. \nChairman, I really enjoyed today's hearing, and I think you \nreally helped put a spotlight on a lot of the nuances of this \nissue which we are going to need to understand if we are going \nto move forward.\n    I, of course, hope that we do move forward. But this \nhearing is indispensable in our understanding, and I hope that \nwe can begin to work together toward crafting some bipartisan \nlegislation that can deal with these issues.\n    Thank you, Mr. Chairman.\n    Mr. Tauzin. Thank my friend. Any other further comments.\n    Mr. Sawyer. Thank you, Mr. Chairman. Let me just go back to \na point Ms. Mulligan made and it has nothing to do with the \nSchumer box. Ms. Mulligan in your testimony, you made a \ncompelling analogy to walking through a mall, and the notion \nthat either a mall or each of the shops within it could stick \nan identifier on your back as you walk through.\n    How does personal discipline with regard to giving out \ninformation apply to that capacity to profile based simply on \nplaces that you have perhaps not even walked into, but simply \nlooked in the window as you can in traversing global \ncommunication systems that exist today?\n    Ms. Mulligan. I think as Chairman Pitofsky said earlier, \nthere are really unique ways in which digital technology can \ncollect and analyze information. 
We don't have a lot of real \nworld analogies, while the camera, you know, in the Rayburn \nhalls may get glimpses of us as we walk by, it is not actually \nmonitoring everything that we do, it is not our own personal \ncamera.\n    And I think that, you know, consumer education is certainly \npart of it, because some of the information that is collected \nis collected through very useful purposes, when you go to a Web \nsite where you have been, can be very helpful.\n    Mr. Sawyer. Helping to whom?\n    Ms. Mulligan. It can be useful to you as a consumer at \ntimes.\n    Mr. Sawyer. It might be. But I can make great use out of \nadvertising, advertising that comes in and is available to \neveryone and comes from one direction and is one way. But when, \nin fact, I am providing the information that allows me to be \ntargeted in ways that I am unaware of, even ways that may not \nparticularly identify me but make me vulnerable to a \ndiminishment of my autonomy and anonymity, that does affect me \nin ways that I can't possibly effect or affect by virtue of \npersonal discipline.\n    Ms. Mulligan. Yeah, I think that is part of the reason that \nit is important that the FTC is going to continue to look at \nissues like profiling and identifiers. There are areas that may \nnot specifically hit on individual privacy as in information \nthat is identifiable, but that still give Representative Eshoo \nand you this uneasy feeling that someone is monitoring my \nactivities and making decisions about me, even though they \ndon't know it is me, and that is another component of privacy. \nAnd I think it is one that we have just begun to touch on.\n    Mr. Sawyer. And the cross-referencing of information may, \nin fact, make it possible to identify you or a very small \nfraction of a universe out of perhaps a worldwide population. 
\nIt is virtually the way that law enforcement has worked for the \nlast 200 years by cross-referencing information until specific \nindividual or small number of individuals can be identified in \nways that are inescapably demonstrable, that holds up in court, \nit will certainly hold up in commerce.\n    Thank you, Mr. Chairman.\n    Mr. Tauzin. Thank you. We were just musing that we got a \ncross-referencing you can almost figure out who voted for you \nand who didn't vote for you.\n    Let me ask finally, is there anything wrong legally, \nmorally with my posting a Web site that says upfront, come \nvisit with me here, share information with me, I will not \nprotect your privacy? Anything legally, morally wrong with me, \nif people want to come and visit with me and use my Web site \nshare my Web site with me?\n    Mr. Cerasale. As long as you don't hide it. You don't have \nto make sure you can display it, and know it is fair.\n    Mr. Tauzin. Ms. Singleton, you raised the issue, it is the \nright of privacy in the private sector as opposed to other \npersonals in our society as sacred as it was constitutionally \nagainst government? Is it such that I can surrender it by \nagreeing you to take any information you want about me as long \nas I am told up front that you are going to do that; is that \nokay? Mr. Lewin?\n    Mr. Lewin. Well, you have given notice, you have given them \nthe choice, you have stated it very explicitly, the issue may \nbecome how clear is it. I mean how clear in your language are \nyou making it to that individual, to that average consumer \ncoming to your site, this is indeed what you are going to do \nand that is where the key issue is.\n    Mr. Tauzin. In other words, is it a right we need to define \nand is it waiverable and under what circumstances? It is kind \nof what it boils down to; is that right?\n    Mr. Cox. 
I want you to yield on that, because it is \ntechnologically impossible now, and there is a race in software \nto see who is ahead of whom in terms of getting there first. \nBut is it possible right now for somebody to collect \ninformation on you before you even get around to reading their \nprivacy notice?\n    Mr. Tauzin. Yes.\n    Mr. Cox. What we want to make sure of is that we don't hang \na lot on this issue of opt-in or opt-out, that it is basically \nthe opting that matters, we don't want silence to be consent. \nWe want people to know what they are doing and there has got to \nbe some evidence that there is an agreement.\n    Mr. Tauzin. Mr. Lucas, would your technology do that?\n    Mr. Lucas. The technology--we believe that it is kind of \nironic on the Web page that we talk a lot about relationships \nthat we are trying to establish, relationships with consumers. \nI may be a little old fashioned, but I believe you have to ask \npermission from a person in order to have a relationship with \nthem. I think the laws that prohibit it any other way.\n    I think it is also ironic that we can spend millions and \nmillions of dollars as an industry to determine information \nabout a consumer, but when companies are asked to step up to \nproviding access to information that they have about a consumer \nthat becomes either too expensive or too complicated or there \nis some excuse. I think that one of the biggest issues that we \nneed to provide to the consumers is the issue of access and the \nissue of being able to control whether a site can do profiling \non them. You are absolutely right.\n    Mr. Tauzin. The right to correct bad information; we have \ngot to get to that sooner or later.\n    Mr. Lucas. Absolutely. 
If we are talking about the European \nUnion directive that was mentioned earlier, one of the basic \nproblems that we had in the negotiations is over the issue of \naccess, and it has never been over the real issue of access, \nand that is it is really a technology issue it is \nauthentication. I can't think of a worst privacy violation than \nsomeone coming to a site and saying they are an individual and \nnot being able to authenticate. But that really hasn't been the \nstrongest issue. It has been a reluctance, it has been a \nliability, it has been all different kinds of issues. So I \nthink, yes, we have to provide access, we have to provide \nconsumers to opt-out of profiling.\n    Mr. Tauzin. Last night, I got into a marvelous book, The \nRising Tide, which I have been meaning to read, I finally got \ninto it last night. It details a marvelous conflict between two \nenormously powerful people, one, the head of Bureau of \nEngineers and the other a great engineer himself, over whether \nto--how--or how, rather, to open up the mouth of the \nMississippi River for the whole country to commerce.\n    The fight was over whether to dredge one of the passes, the \nsouthwest pass, a little at a time with dredges that kept \nbreaking down, or the incredible idea, the other gentleman had \nI think his name was Eades, the other guy was Humphreys, I \nthink, his idea was to put jetties out to channel the flow of \nthe river out--off the continental shelf so that rush of the \nriver itself would open up and clean up the river itself to \ncommerce.\n    This was right after the great war of northern aggression \nagainst the south, the river was all blocked up at that time. \nThey built the jetties, immediately commerce, the port of New \nOrleans, it just skyrocketed second only to the port of New \nYork, eventually it eclipsed New York in tonnage.\n    The question is sort of parallel here. 
We don't know the \nanswer yet, is the rush of consumers to electronic commerce \nbeing inhibited because we haven't addressed all of these \nquestions? Do we need to address them in front of that rush, in \norder to open it up? Or, as in the case of those jetties, to \nget it all flowing, set some policy down that everybody knows \nand feels comfortable with, or is it as the Commission seems to \nbelieve, or some of the Commission at least, that indeed \nconsumers are rushing to electronic commerce options and making \ntheir own decisions about how much commerce they want to do on \nit?\n    In short, can we know how much electronic commerce would be \noccurring if we had adopted policies upfront on privacy and \nsecurity as opposed to letting the marketplace work themselves, \ncan we know and how do we know? Mr. Lucas.\n    Mr. Lucas. I don't think we can--I don't think there has \nbeen a number that has been assigned to it, but I can tell you \nif you refer to some of the surveys that have been by people \nlike Dr. Alan Westin, it is clear that over 80 percent of the \nconsumers who are asked what is the No. 1 reason they don't \nparticipate in electronic commerce is the lack of control \nover--and if you talk to consumers, my experience has been it \nis not the initial collection of information, because as was \nmentioned before, there are millions of consumers that went to a site and gave out the most detailed \ninformation for the chance of winning a PC valued under $500. \nWhat consumers have told us over and over again, it is the \nsecondary use of information.\n    If they go to an e-commerce site and buy a widget, they \ndon't want that information sold or transferred to anyone else \nwithout their permission.\n    Mr. Tauzin. Ms. 
Singleton raises the issue, and I will give \neverybody a chance to come back if you like to, but raises a \nquestion as to whether or not those statistics, those surveys \nare really replicated in the real world, and the virtual world \nin this case, in effect, consumers knowing now that they have--\ncan go to a seal organization, knowing that they can use the \ntechnology very simply, knowing that there are in place more \nand more notice of privacy rights, more and more protections \nfor them.\n    Are they in fact still not choosing to engage in electronic \ncommerce? What are they waiting for, if they now know all of \nthese things are coming into place so rapidly as the Commission \nseem to imply to us today, any one of you? Mr. Cerasale.\n    Mr. Cerasale. I think there are some parallels we can go \nback to look at. Today, outside of electronic commerce, looking \nat remote sales, that means you don't go in a face-to-face \npurchase, 40 percent of Americans do not--have never purchased \nremotely before the Internet. So you have a situation where \nonly 60 percent of Americans feel that they either want to or \nhave a credit card to be able to do it or a checking account to \nbe able to purchase remotely and not deal with cash.\n    So that is--we are not certain exactly why and we are \ntrying to look out, trying to find out why is it that 40 \npercent don't participate, so that you are never going to get \nall of the consumers even on the Net as you get online.\n    The second item is, that 15 years ago, even though they had \ntelephone payment of credit cards to L.L. Bean, 15 years ago, \n95 percent of all of their sales were through the mail, a check \ncoming into the mail, the people were not confident to give \nL.L. Bean their credit card number. 
Now, it is 97, 98 percent \ncredit cards, and that is not looking at what is happening with \ntheir significant growth in their online commerce.\n    So that it took time, even with a trusted name, for the \nAmericans to feel comfortable to give out a credit card number. \nSo I think that part of what is happening today in the slowness \nin the Internet is that people haven't used it, people are a \nlittle bit worried, they are going to wait to hear that their \nfriend used it, had no problem with it, and so forth.\n    I can tell you the first time that I ever used the \nInternet, to press the button to send the Boston Red Sox my \nDiscover card number, I sat there for 10 minutes before I hit \nthe enter button. I got the tickets, it was a great game they \nactually won, and----\n    Mr. Tauzin. Was it doubts about the security or the Red \nSox?\n    Mr. Cerasale. It was the doubt--it was before August, so it \nwas okay. So those things, I think those things are in place. I \ndo--that doesn't diminish what Professor Westin has found and \nso forth, but I think there is a reluctance in something new \nfor Americans to sit back and wait and listen to the grapevine \nand see what it is.\n    Mr. Tauzin. Let's wrap it up, Mr. Lewin.\n    Mr. Lewin. Just a quick note, and to emphasize the points \nalready made, one of the key issues facing a lot of \norganizations that are now Web enabling some of their \nactivities, their commerce activity, is the issue that we are \ngoing--there has been some progress made in the online world \nthat is taking this data and blending it with information that \nthey have collected through other mechanisms, registration \ncards and what have you, and what is the offline world. And now \ndealing with the issue of how do I take the rules that I \nestablished here and the decisions made by people and apply \nthem to all of the legacy information that they have lying \naround is really a key issue for a lot of these organizations. 
\nAnd how to reconcile those, and what to do with it is something \nthat is very much on their minds right now. And it is something \nthat has to be paid attention to.\n    Mr. Tauzin. Interesting. Anyone left with a question? Do we \nbuild the policy jetties now and open up the river, or do we \nlet the industry dredge it out one dredge at a time?\n    Ms. Mulligan. Just on statistics of the causal effect, how \ndo we know is it because people are anxious because of privacy, \nand the National Consumers League Survey, which is actually \nmentioned in my testimony, found that 42 percent of individuals \nwho are using the Internet were only using it to surf for \ninformation, were not making purchases, with a much smaller 24 \npercent actually making purchases and citing privacy concerns.\n    And I think, you know, you can't completely extrapolate \nthere, but that is 50 percent of the people who could \npotentially be engaged in online commerce are picking up the \nphone or perhaps sending in a check.\n    Mr. Tauzin. So there is some evidence out there of \nreluctance still.\n    Ms. Singleton.\n    Ms. Singleton. I think one thing, I noted this in my \nwritten testimony also, there is a couple holes in the \nempirical information here. One would be what the rate of \ngrowth are of companies who have posted a privacy policy as \ncompared to the rate of growth of similarly situated companies \nthat have not. Now, it is important to compare similarly \nsituated companies so you are not comparing AT&T to Joe's \nHardware Store in Peoria, but I think that is one area.\n    Another thing to do is to look at the rate of growth of in \ncommerce through--say, communities like America Online that has \ngot sort of the whole regulatory fabric in there as a private \ncommunity and to look at that and to compare it to rates of \ngrowth to e-commerce generally.\n    Mr. Tauzin. Thank you very much. Any final, final thoughts?\n    Mr. Markey. To Mr. 
Cerasale, Red Sox tickets, $24; Popcorn, \n$2; parking, $10; e-commerce, $1 trillion; privacy protections, \npriceless. That is where we are, Mr. Cerasale, trying to put a \nprice on it.\n    Mr. Tauzin. I thought you said Red Sox tickets----\n    Mr. Markey. Half an hour before the game, outside of \nFenway, they will all be priceless. There are some very wealthy \npeople paying a lot of money.\n    Mr. Tauzin. Did you see McGwire last night? Wasn't that \namazing?\n    Mr. Cox. We have one little baseball thread hanging here \nand that is the distinction between the privacy policies of the \nBoston Red Sox on the one hand and the notion, fanciful or \notherwise, of consumers that something might go on in \ncyberspace between their computer and the Boston Red Sox \nterminal.\n    The development of secure connections is very important. I \nthink that everybody is willing to trust the Boston Red Sox, \nnot everybody, but most----\n    Mr. Markey. Our fondest and deepest----\n    Mr. Cox. [continuing] right at the window if you are there \npicking up your ticket at will-call, but it is this sort of \ncyberspace issue that maybe as I send my credit card number to \nthe Red Sox over the telephone lines it is being routed \nsomewhere that I don't know about and pirates are going to take \nthat information.\n    Mr. Markey. More likely the Yankees.\n    Mr. Cox. It is impossible to avoid these metaphors. Before \nwe switch back from baseball to the Mississippi Delta, I think \nI had better yield back.\n    Mr. Tauzin. I thank you all. This has been very \nenlightening, and we appreciate your testimony and your \ncontributions. The hearing stands adjourned.\n    [Whereupon, at 2:14 p.m., the subcommittee was adjourned.]\n    [Additional material submitted for the record follows:]\n   Prepared Statement of Peter J. 
Gray, Chairman, Internet Consumers \n                              Organization\n    The Internet Consumers Organization (ICO) is pleased to submit this \nstatement on privacy for the hearing record. ICO provides policymakers \nand other interested parties with fair and balanced policy positions on \nissues of importance to both Internet consumers and providers of online \nproducts and services. Our objective is to help shape a progressive \nenvironment for the Internet, and to conduct research and education \nprograms to enhance consumer confidence in using the Internet for e-\ncommerce and other purposes. ICO is incorporated in the District of \nColumbia as a non-profit organization.\n    In the privacy arena, the rationale for public policy appears to be \nbased on a series of assumptions that rely heavily on public attitude \npolls, media exposure of abuses, potential threats to personal privacy, \nlaws and regulations of other countries, and misinterpretation of \nstatistical data and anecdotal information. To get a better reading on \nprivacy issues, and to help make informed decisions about privacy \nprotection, it is useful to examine the following key assumptions and \ncompare them to the reality of the consumer marketplace:\n    Assumption: Consumers are universally concerned about the privacy \nof their personal information.\n    Reality: Some people are more privacy-sensitive than others; some \ncare most about protecting sensitive information, like medical records; \nothers don't seem to care, and are willing to trade-off their privacy \nfor free or lower-cost products or services, or other benefits.\n    Assumption: Consumers who say they are concerned about their \nprivacy will refrain from using the Internet.\n    Reality: People often behave or act differently from what they say \nor believe. 
This is a form of cognitive dissonance that may explain the \ndiscrepancy between the Louis Harris polls, where 81% of Net consumers \nexpressed concerns about privacy, and the explosive growth in Internet \nusage. What's really happening? The Pew Research Center found that \nAmericans' daily Internet usage rose from 4% in 1995 to 25% in 1998. \nMedia Metrix reported a 15% increase in monthly Internet users, from \nabout 54 million in May 1997 to 62 million in May 1998. Forrester \nResearch found that over 3/4 of online households now surf the Web.\n    Assumption: Privacy concerns are keeping consumers who use the \nInternet away from using e-commerce to purchase goods and services.\n    Reality: The facts don't bear this out. The Department of Commerce \nreports that online sales grew from about $3 billion in 1997 to $9 \nbillion in 1998. Forrester Research estimates that 26% of online users \nmade regular purchases on the Web in 1998. Jupiter Communications found \nthat the number of people buying something on the Net grew from 10 \nmillion in 1997 to 17 million last year, and it projects U.S. online \nsales to be about $12 billion in 1999. The Institute for the Future \nforecasts e-commerce sales to consumers will exceed $1 trillion by \n2010. Polls show that women are more concerned about privacy than men, \nyet they buy more online than men do, according to a recent survey by \nCommerceNet and Nielsen.\n    Assumption: Most consumers are worried about unauthorized access to \ntheir e-mail messages.\n    Reality: Forrester Research shows that over 80% of online users \nregularly send e-mail messages, still the most frequent use of the \nInternet. 
Most of these users are not worried about the privacy of \ntheir e-mails, since they don't attempt to encrypt their messages or \nuse anonymous identities.\n    Assumption: Consumers consider Internet privacy as more important \nto them than convenience, security, reliability, cost, value, choices, \ncustomer service, speed of access and other benefits.\n    Reality: Some may value privacy more highly than other factors, but \nothers may not. Individuals have a hierarchy of needs and preferences, \nwhich may change over time. Someone shopping for the lowest cost \nairfare available may be willing to divulge a degree of personal \ninformation in order to get the ticket. Someone else who pays bills \nonline may value security and reliability of the service more highly \nthan privacy. Researchers surfing the Web may be primarily interested \nin speed of access to resource information. System intrusions, computer \nviruses and worms, unauthorized access to personal files and fraud, may \nlower consumer confidence and become more important deterrents to e-\ncommerce than privacy.\n    Assumption: Consumers will not do business with companies that \ndon't have privacy policies or privacy seals posted on their websites.\n    Reality: Most people want to deal with companies that they trust \nand have confidence in. Good privacy policies and practices are an \nimportant element of trust. But, good customer service, fair and prompt \ndispute resolution, excellent product quality and other factors are \nalso important elements of trust. 
BizRate.com found that the level and \nquality of customer service, on-time delivery, product representation, \nand shipping and handling were rated higher than privacy in determining \nconsumers' likelihood of repeat purchases from an online merchant.\n    Assumption: Consumers trust governments over businesses to protect \ntheir privacy.\n    Reality: There have been notable privacy lapses by both federal and \nstate government organizations, such as the IRS, Social Security \nAdministration, state motor vehicle bureaus, health care and other \nagencies that created public distrust and outrage. Federal, state and \nlocal governments should be required to disclose and enforce their \nprivacy policies to protect the confidentiality of citizens' \ninformation.\n    Assumption: Self-regulation by industry will prevent enactment of \nonline privacy legislation.\n    Reality: Industry self-regulation demonstrates the willingness and \nability of responsible companies to earn the public's trust. But, self-\nregulatory initiatives tend to postpone or dampen, rather than prevent \nthe enactment of privacy laws, because some companies fail to self-\nregulate. Still, new laws are not the panacea for assuring general \nonline privacy protection. Targeted legislation may be desirable in \nsome specific instances (e.g. to protect sensitive medical records from \nunauthorized access without the consumer's knowledge or consent).\n    Assumption: People have no control over their personal privacy in \ncyberspace, and they are powerless to protect themselves from privacy \nintrusions.\n    Reality: Informed consumers have the ability to control their \nonline privacy by using technological means to protect their personal \ninformation. They can seek out companies that have good privacy \npolicies, disable cookies and refuse to provide certain information \nabout themselves. 
A partnership between the private sector, government \nagencies, and non-profit consumer organizations should be formed to \neducate and inform consumers on how best to protect their privacy.\n    Assumption: People object to company practices that involve the \ncollection and use of personal information about them.\n    Reality: A recent Vanderbilt University study found that over 72% \nof Web users would provide personal information to companies that \ndisclose how the information would be used. If a company with a good \nprivacy policy discloses it to the public, and uses information it \ncollects to provide consumers with benefits, consumers are more likely \nto allow such information to be used to suggest products or services \nbased on their personal preferences. A good example of a responsible \nprivacy policy that engenders consumer trust is that of Amazon.com.\n    In conclusion, there is a need to critically examine the \nassumptions that drive and shape privacy policy in the U.S. Legislation \nand regulations are not the panacea for comprehensive online privacy \nprotection. Instead, a combination of legislation targeted to address \nspecific abuses, enforcement of existing laws and regulations, industry \nself-regulation with oversight, consumer education, application of \ntechnological solutions and consumer actions to protect themselves, \nwill \nhelp to protect online privacy.\n</pre></body></html>\n"