[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]





        RECENT DEVELOPMENTS IN PRIVACY PROTECTIONS FOR CONSUMERS

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON TELECOMMUNICATIONS,
                     TRADE, AND CONSUMER PROTECTION

                                 of the

                         COMMITTEE ON COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                            OCTOBER 11, 2000

                               __________

                           Serial No. 106-160

                               __________

            Printed for the use of the Committee on Commerce

                    ------------------------------  


                    U.S. GOVERNMENT PRINTING OFFICE
67-635CC                   WASHINGTON : 2000


                         COMMITTEE ON COMMERCE

                     TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas                    RALPH M. HALL, Texas
FRED UPTON, Michigan                 RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania     BART GORDON, Tennessee
CHRISTOPHER COX, California          PETER DEUTSCH, Florida
NATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma              ANNA G. ESHOO, California
RICHARD BURR, North Carolina         RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California         BART STUPAK, Michigan
ED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York
GREG GANSKE, Iowa                    TOM SAWYER, Ohio
CHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma              GENE GREEN, Texas
RICK LAZIO, New York                 KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio
JAMES E. ROGAN, California           DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico           BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona             LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING, 
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

                   James E. Derderian, Chief of Staff

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

   Subcommittee on Telecommunications, Trade, and Consumer Protection

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL G. OXLEY, Ohio,              EDWARD J. MARKEY, Massachusetts
  Vice Chairman                      RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               BART GORDON, Tennessee
PAUL E. GILLMOR, Ohio                BOBBY L. RUSH, Illinois
CHRISTOPHER COX, California          ANNA G. ESHOO, California
NATHAN DEAL, Georgia                 ELIOT L. ENGEL, New York
STEVE LARGENT, Oklahoma              ALBERT R. WYNN, Maryland
BARBARA CUBIN, Wyoming               BILL LUTHER, Minnesota
JAMES E. ROGAN, California           RON KLINK, Pennsylvania
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           GENE GREEN, Texas
CHARLES W. ``CHIP'' PICKERING,       KAREN McCARTHY, Missouri
Mississippi                          JOHN D. DINGELL, Michigan,
VITO FOSSELLA, New York                (Ex Officio)
ROY BLUNT, Missouri
ROBERT L. EHRLICH, Jr., Maryland
TOM BLILEY, Virginia,
  (Ex Officio)

                                  (ii)


                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Aftab, Parry, Special Counsel, Darby and Darby, P.C..........    76
    Baker, Roger W., Chief Information Officer, U.S. Department 
      of Commerce................................................    33
    Cady, Glee Harrah, Vice President for Global Public Policy, 
      Privada....................................................    72
    Chiang, Larry, Chief Executive Officer, MoneyForMail.com.....    69
    Goodlatte, Hon. Bob, a Representative in Congress from the 
      State of Virginia..........................................    12
    Griffiths, Mike, Chief Technology Officer, Match Logic Inc...    89
    Katzen, Sally, Deputy Director for Management, Office of 
      Management and Budget......................................    28
    Koontz, Linda D., Director, Information Management Issues, 
      U.S. General Accounting Office.............................    24
    Pitofsky, Hon. Robert, Chairman, Federal Trade Commission....    56
    Shaw, Hon. E. Clay, Jr., a Representative in Congress from 
      the State of Florida.......................................    53
    Shen, Andrew, Policy Analyst, Electronic Privacy Information 
      Center.....................................................    93
Material submitted for the record by:
    Armey, Hon. Dick, Majority Leader, U.S. House of 
      Representatives, prepared statement of.....................   106

                                 (iii)


 
        RECENT DEVELOPMENTS IN PRIVACY PROTECTIONS FOR CONSUMERS

                              ----------                              


                      WEDNESDAY, OCTOBER 11, 2000

              House of Representatives,    
                         Committee on Commerce,    
                    Subcommittee on Telecommunications,    
                            Trade, and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:15 a.m., in 
room 2123, Rayburn House Office Building, Hon. W.J. ``Billy'' 
Tauzin (chairman) presiding.
    Members present: Representatives Tauzin, Gillmor, Cox, 
Shimkus, Ehrlich, Markey, Boucher, Wynn, Luther, Sawyer, Green, 
and McCarthy.
    Staff present: Paul Scolese, majority professional staff; 
Anthony Habib, legislative clerk; and Andy Levin, minority 
counsel.
    Mr. Tauzin. The subcommittee will please come to order.
    Today the subcommittee will hold the hearing on the 
important developments in the efforts to the protect privacy of 
American consumers. Few issues in this industry generate such 
strong emotions as how to deal with the enormous amounts of 
personal information that are collected, distributed, stored 
every day via the Internet.
    Later this morning, we will hear from two of our 
colleagues, Representative Clay Shaw and Representative Bob 
Goodlatte. Representative Shaw will explain to this 
subcommittee his legislation H.R. 4857, the Privacy and 
Identity Protection Act of 2000, which has been reported out of 
the Ways and Means Subcommittee on Social Security and is 
currently awaiting action in this subcommittee.
    In addition the subcommittee will hear from Representative 
Goodlatte about the Lansdowne Privacy Summit which the National 
Chamber Foundation hosted for House Republicans in May of this 
year and what has come from that. I understand that the 
foundation also scheduled a similar session with the House 
Democrats, and unfortunately it got canceled, I believe.
    Representative Goodlatte cohosted, along with my 
colleagues, Chairman Bliley, Representative Ehrlich and myself, 
this privacy summit; and I personally want to thank him for his 
efforts in this endeavor. I also want to thank both of our 
colleagues for coming this morning, for sharing their views 
with us. The subcommittee has been a keen observer for many 
years of this debate, holding hearings on this issue both in 
1998, 1999 and again in 2000.
    Over the last year, we have seen consumer concerns over 
privacy heightened and, as a result, specific Federal 
responses. Congress has adopted two Federal laws to deal with 
specific areas of concern, the Gramm-Leach-Bliley law in which 
financial privacy laws are written, and the Children's Online 
Privacy Protection Act. In addition, Americans have witnessed 
the development of a new private-sector technology and, in 
fact, many technologies to help consumers, as well as voluntary 
standards by industry to self-police, and educate consumers.
    In certain areas, the Federal Government and commercial 
entities have come together to achieve cooperative standards to 
govern their online conduct. Privacy was not created with the 
advent of the Internet. In fact, we have been passing privacy 
laws, I believe, for the past 30 years, but the Internet adds a 
level of dissemination beyond what Americans had ever thought 
possible in many circumstances beyond which they feel 
comfortable.
    While the Internet is still relatively new, the issue of 
privacy, of course, is not. Prior to the adoption of the GLB 
and the COPPA laws, Congress had enacted privacy protections in 
a dozen other circumstances, indeed over that past 30 years, 
with the Fair Credit Reporting Act in 1970 starting that 
process. Sharing personal information did not begin when the 
Internet was established. Many people remember party-line 
telephones and can recall door-to-door salesmen plying their 
wares, using neighborhood directories. Businesses for decades 
have bought and sold their business assets, including their 
valuable information data bases about their customers. Nothing 
new in that.
    As I have said many times before, personal information has 
value to both consumers and an information economy. We live in 
an Internet Information Age and obviously information is the 
lifeblood of that system. A consumer's purchasing patterns, 
online behavior, is indeed valuable information to marketers. 
But at the same time, I believe consumers should have the 
ability to control that information or at least to be 
potentially compensated for giving away personal information if 
it indeed is a valuable asset.
    One of my witnesses who will testify later this morning has 
a business model that operates on consumers being compensated 
for sharing their personal information.
    The issue as we move forward in the coming years are these: 
Has industry done enough to protect consumer privacy, or should 
government step in to establish minimum standards to protect 
against the bad player? And if there are standards that work 
for private industry, should they also be applied to 
government's collection of personal information? After all, I 
can choose whether to give information to a private company, 
but in many government agencies I don't have a choice. I am 
obliged to provide them with personal information. Does the 
government have a higher standard in play here to protect the 
privacy of my information?
    Well, hopefully this morning will shed some light on these 
matters. While the tremendous amount of attention over the past 
year has been paid to the privacy of consumers in dealing with 
private industry, very little has been paid to the Federal 
Government's collection of personal information. Last time I 
checked, very few consumers indeed were providing information 
to the IRS, strictly voluntarily. Consumers indeed can vote 
with their feet in the private sector and go to another 
business if they don't want to share private information with 
them; but can you refuse to do business with the IRS or the EPA 
or the Medicare program for that matter? And if you do, can you 
refuse to provide them with information they require of you in 
order to do business with them?
    Earlier this year, Representative Dick Armey and I asked 
the GAO to conduct a survey of the privacy policies of Federal 
web sites and then compare it to the fair information practices 
recommended by the FTC for commercial web sites. In short, we 
wanted to see if Federal web sites would fare any better than 
the commercial web sites if they were held to the exact same 
standards that the FTC has held the commercial web sites in 
their reviews. Was the Federal Government ready to practice 
what it has preached?
    Well, from the results of the survey which we will discuss 
today, it appears that the Federal Government does not practice 
what it preaches. Our report is not the only GAO report that 
has produced failing grades for government web sites and data 
bases. The Horn report on data base security and the Lieberman 
report on OMB privacy requirements have also both shown that 
the government is not doing an adequate job of protecting 
America's personal information.
    On just two issues in recent weeks, the government has 
flunked. On the placement of cookies on government web sites 
the results are troubling. Despite OMB memoranda in 1999 and in 
June of 2000 prohibiting the placement of cookies on Federal 
web sites, the practice continues today at the IRS and possibly 
at other government web sites. In fact, we learned in the GAO 
report, I think, that 14 percent of the web sites surveyed 
potentially permit cookies on their Federal web sites. And just 
last Friday, the AP reported that the White House web site 
itself violates COPPA by collecting personal information from 
children.
    While government web sites can hide behind different 
standards, in these two instances they certainly do not live up 
to the spirit of the laws that apply in the commercial world.
    Chairman Pitofsky of the Federal Trade Commission has 
graciously agreed to testify today about the many FTC reports 
and activities in the past year dealing with privacy. We will 
also hear from private-sector witnesses who will discuss online 
profiling, the Children's Online Privacy Protection Act, and 
the use of technology in protecting privacy, and we will hear 
from one entrepreneur with an interesting take on privacy. In 
short, we will be looking at both the government sector and the 
private sector today, and we will examine just how well we 
stack up.
    In short, while there is no obvious time this year for this 
committee to engage in legislation in the remaining days of 
this session, this hearing will be preparatory to activities 
next year in which we will continue our efforts to guarantee 
that both the Federal Government and the private sector respect 
the privacy of American citizens.
    I want to close by inviting you--I understand the web site 
is down this morning, but to visit the EPA web site. Our staff 
visited the EPA web site, I believe yesterday, and discovered 
that there is on the EPA web site a section called Explorers 
Club which invites children to give information about 
themselves to the EPA. Nowhere on this web site is there a 
disclosure that children should first get permission of their 
parents before sharing their private information with a 
government agency. There is something wrong when Federal 
agencies can't obey the law that we impose on private citizens.
    The Chair yields back his time and the Chair recognizes the 
gentleman from Virginia, Mr. Boucher, for an opening statement.
    [The prepared statement of Hon. W.J. ``Billy'' Tauzin 
follows:]
      Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, 
   Subcommittee on Telecommunications, Trade and Consumer Protection
    Today this subcommittee will hold a hearing on important 
developments in the efforts to protect the privacy of American 
consumers. Few issues in this industry generate such strong emotions as 
how to deal with the enormous amounts of personal information that are 
collected, distributed and stored everyday via the Internet.
    This morning we will hear from two of our colleagues Rep. Claw Shaw 
and Rep. Bob Goodlatte. Rep. Shaw will explain to the Subcommittee his 
legislation, H.R. 4857 the Privacy and Identity Protection Act of 2000 
which has been reported out of the Ways & Means Subcommittee on Social 
Security and is currently awaiting action in this Subcommittee.
    In addition, the Subcommittee will hear from Rep. Goodlatte about 
the Lansdowne Privacy Summit which the National Chamber Foundation 
hosted for House Republicans in May of this year and what has come from 
that. Rep. Goodlatte co-hosted along with my colleagues Chairman 
Bliley, Rep. Ehrlich and myself, the Privacy Summit and I personally 
want to thank him for his efforts in this endeavor.
    I want to thank both of our colleagues for coming this morning and 
sharing their views with us.
    This Subcommittee has been a keen observer of the debate for many 
years--holding hearings on this issue in 1998 and 1999. Over the last 
year we have seen consumer concerns over privacy heightened and as a 
result specific federal responses. This past year we have adopted two 
federal laws to deal with specific areas of concern--the Gramm-Leach-
Bliley law and the Children's On-Line Privacy Protection Act. In 
addition, consumers have witnessed the development of new private 
sector technologies to help consumers as well as voluntary standards by 
industry to self-police and educate consumers. In certain areas, the 
federal government and commercial entities have come together to 
achieve cooperative standards to govern their on-line conduct.
    Privacy was not created with the advent of the Internet, but it 
does add a level of dissemination beyond what Americans had ever 
thought possible and in many circumstances are comfortable with.
    While the Internet is still relatively new, the issue of privacy is 
not. Prior to the adoption of the GLB and COPPA laws, Congress had 
enacted privacy protections in a dozen other circumstances over the 
past thirty years starting with the Fair Credit Reporting Act in 1970. 
The sharing of personal information did not begin when the Internet was 
established--how many people remember party line telephones and can 
recall door to door salesmen plying their wares using neighborhood 
directories. Businesses for decades have bought and sold their business 
assets including the valuable information databases about their 
customers.
    As I have said many times before, personal information has value to 
both consumers and to our economy. We live in an Internet and 
information economy and information is the lifeblood that makes our 
Internet engine run. A consumer's purchasing patterns and online 
behavior is valuable information to marketers, and I believe that 
consumers should have the night to control that information or be 
compensated for giving such personal information to business. One of 
our witnesses who will testify later this morning has a business model 
that operates on consumers being compensated for their private 
information.
    The issue as we move forward in this debate in coming years is 
this: Has industry done enough to protect consumer privacy or should 
government step in an establish minimum standards? There are no simple 
answers. Hopefully this hearing will help shed some light on these 
matters.
    While a tremendous amount of attention over the past year has been 
paid to the privacy of consumers in their dealings with private 
industry, very little has been paid to the federal government's 
collection of personal information.
    Last time I checked, very few consumers have the option of not 
providing a government agency with their personal information. In the 
private sector, consumers can vote with their feet and go to someone 
else if they do not like the privacy policy of a business. Americans 
must deal with the IRS, EPA and the Medicare program and cannot refuse 
to provide personal information.
    Earlier this year, Rep. Dick Armey and I asked the GAO to conduct a 
survey of the privacy policies of Federal websites and compare it to 
the fair information practices recommended by the FTC for commercial 
websites.
    We wanted to see how Federal websites would fare if they were held 
to the same standards as commercial websites.
    Was the Federal government practicing what it preached?
    From the results of the survey, which we will discuss today, it 
appears that the Federal government does not. But our report is not the 
only GAO report that has produced failing grades for government 
websites and databases. The HORN report on database security and the 
LIEBERMAN report on OMB privacy requirements have shown that government 
is not doing an adequate job in protecting American's personal 
information.
     On just two issues in recent weeks the government has flunked. On 
the placement of cookies on government websites the results are 
troubling. Despite OMB Memoranda in 1999 and June 2000 prohibiting the 
placement of cookies, that practice continues today at the IRS and 
possibly at other government websites. And just last Friday the AP 
reported that the White House website itself violates COPPA by 
collecting personal information from children.
    While government websites can hide behind different standards, in 
these two instances they certainly do not live up to the spirit of the 
laws that apply in the commercial world.
    Chairman Pitofsky of the Federal Trade Commission has graciously 
agreed to testify today about the many FTC reports and activities this 
past year dealing with privacy.
    We will also hear from private sector witnesses who will discuss 
online profiling, the Childrens' Online Privacy Protection Act, the use 
of technology in protecting privacy and we will hear from one 
entrepreneur with an interesting take on privacy.
    In closing I want to thank all of the witnesses for their 
attendance today.

    Mr. Boucher. Thank you, Mr. Chairman. I want to begin by 
complimenting you on your handling of the delicate and complex 
matter of establishing a Federal privacy policy respecting the 
practices of web sites that collect information from the 
Internet-using public. The chairman has properly taken a 
cautious and deliberative approach toward the development of 
legislation in this sensitive area. In my view, the time for 
legislation has now arrived.
    With the hearing today, I urge the subcommittee to begin 
the process of developing a federally assured baseline set of 
guarantees for personal privacy with respect to the information 
collected by web sites through the use of cookies placed on the 
hard drives of web site visitors. The requirements which 
Congress should enact are straightforward and would be in the 
nature of minimum guarantees that would be applicable to all 
web sites. I suggest that our legislation contain the following 
five elements: First, each web site should provide a clear 
notice of what information is collected from the Internet-using 
public and how that information is used. If the information is 
used internally within the web site, that fact should be 
stated. If there are circumstances under which the information 
is transferred to third parties, that fact should also be 
stated and those circumstances listed.
    Second, after reviewing the policy, the web site visitors 
should be able to limit the information about them which is 
collected, and in practical terms that may mean that he would 
depart the web site with no information being collected, a 
practice that we commonly would refer to as an opt-out.
    Third, the Federal Trade Commission should be directed by 
statute to create a mechanism to assure compliance with these 
basic privacy guarantees.
    Fourth, the legislation should declare that the policy is 
the national policy and preempt any State requirements that are 
more onerous or inconsistent or in conflict with the national 
guarantees as assured in the statute.
    And, fifth, the Federal Trade Commission should be 
instructed to review web site practices on an ongoing basis and 
recommend any additional legislative steps that may be 
appropriate.
    I would suggest that a number of benefits would flow from 
the passage of this set of minimum statutory guarantees. First, 
it would assure that all web sites, whether privately operated 
or operated by a government agency, respect privacy. The larger 
commercial sites are presently members of self-regulatory 
organizations and generally respect the privacy policies 
announced by the SROs. Smaller web sites in large numbers do 
not belong to SROs, and government agencies have observed a 
privacy policy in a truly voluntary way, which has been 
somewhat inconsistent, as the chairman has suggested. In our 
view, all sites should be covered by a minimum Federal 
guarantee.
    Second, the legislation would establish only a minimum set 
of guarantees and web sites could then offer higher levels of 
privacy protection and market that enhanced privacy as a 
competitive difference, and so offering greater levels of 
privacy would then become a competitive asset in the 
marketplace.
    Third, this basic privacy guarantee would encourage the 
growth and development of the Internet by creating the 
confidence in Internet users that their privacy is being 
protected.
    And, forth, we can assure that the law is efficient and 
workable by prevent a patchwork of inconsistent or conflicting 
State requirements from arising.
    The Federal Trade Commission has called on the Congress to 
act and it is time for the Congress to accept that invitation. 
And I believe that we can do so with a large consensus of 
support from the private sector. Over the course of the last 
several months, I have watched that consensus grow, and it is 
in support of the kinds of steps that I am recommending that we 
take this morning.
    I want to welcome to the subcommittee today my friend and 
Virginia colleague, Bob Goodlatte, with whom I have the 
privilege of cochairing the House Internet Caucus. Eighteen 
months ago, Mr. Goodlatte and I put forward legislation which 
closely resembles the recommendations that I have made this 
morning. Our Internet Caucus has also been active over the 
course of the last year. We have conducted a technology 
demonstration to demonstrate various technical means of 
protecting personal privacy for Internet users. We have also 
conducted two widely attended workshops on the question of 
protecting Internet user privacy. And now we are planning to 
take our activities to the next level.
    During the coming days we intend to establish a working 
group of interested Members of the House and Senate, primarily 
composed, I suppose, of Members of the Internet Caucus, but 
anyone is certainly welcome to participate. And our goal in 
establishing this working group will be to help in developing a 
broad consensus in support of the elements that should comprise 
our privacy legislation during the course of the next Congress. 
It is our hope that the consensus-building process will include 
consultation with the industry and with the Federal Trade 
Commission, and we hope to achieve the consensus that we are 
seeking within a matter of just several months so that by 
January, recommendations can be in hand that enjoy the support 
of a broad consensus within the stakeholder community and among 
Members of Congress.
    I look forward to working with the interested members of 
this subcommittee and with my friend, Mr. Goodlatte, and the 
members of the Internet Caucus as we consider the best means of 
enhancing privacy protections for the Internet-using public.
    Mr. Chairman, I want to commend you for this timely 
hearing. I frankly wish it was a little bit better attended 
because it truly is an important subject. And I want to commend 
you also for the careful and thoughtful way in which you have 
addressed it, and I look forward to working with you as we seek 
to assure that the Internet-using public, truly has its privacy 
protected. Thank you.
    Mr. Tauzin. I thank the gentleman and, believe me, I feel 
very similar about the gentleman's involvement. I pledge to him 
that, as I did privately, we are going to work very closely 
over the next several months in preparing for some very serious 
work on this issue next session. I thank the gentleman.
    The Chair recognizes the gentleman from Illinois, Mr. 
Shimkus, for an opening statement.
    Mr. Shimkus. Thank you, Mr. Chairman. I will be brief. I do 
believe, as many of us do, the big issue of the new millennium 
will be privacy, and it is a great issue because it really 
brings the political spectrum of the far left and the far right 
together as teammates really trying to address the concerns of 
the good government types that want to create new efficiencies 
for government to provide services with the possibility of 
accepting and storing personal data.
    So this is a great time to have this hearing. I am 
concerned about the policies and statements that we enact as 
the Federal law, but I am more concerned that we follow those 
policies and statements which it seems--because those of us who 
are not that technology expert, you know, unfortunately we are 
a very trustful Nation, we trust everybody. And so if an agency 
says this information is not going to be used and they ask for 
information, well, we think oh, good for them. But the 
information is still being gathered and stored.
    I hope that this debate stirs up the whole issues that I 
think our Founding Fathers would be very proud of: the debate 
of personal privacy, actually privacy rights which would be 
similar to property rights, in that there are some--they are 
part of the fabric of our national culture--that I think we 
have lost through the technology age and information age that 
we need to get back to some privacy rights issues.
    Again, I think the Founding Fathers would be pleased about 
this debate, and we have a lot of work to do. I appreciate this 
hearing and I look forward to being engaged with my friends 
from Virginia and members of this committee as we move forward 
in the next Congress. I yield back my time.
    Mr. Tauzin. The Chair recognizes the gentleman from Ohio, 
Mr. Sawyer.
    Mr. Sawyer. Thank you, Mr. Chairman. I can't help but think 
our Founding Fathers would be proud but flabbergasted by this 
debate. I want to join with my colleagues in thanking the 
chairman for this hearing today. As he suggested, many 
businesses and many other kinds of entities have long collected 
information about Americans for a variety of purposes, but 
today the users of individual reference services and lockup 
services operate computerized data bases on personalized 
information that have expanded the concept beyond what most 
Americans have ever really seriously thought about, but they 
will be thinking about them a great deal more in the future.
    Most of us are familiar with the story Thomas Friedman 
likes to tell. The New York columnist checked into a hotel with 
his wife and children and, as children are wont, they wanted to 
go to the hotel pool right away. So they jumped into their 
swimsuits, went downstairs and got in the pool. When it came 
time to get out of the pool and go back to their rooms, they 
discovered that he had left the hotel key in the room. And so, 
dripping wet, with little more than a bathing suit and a towel, 
he went up to the front desk and asked the check-in clerk if he 
could get an extra room key. And the clerk said, ``I am sorry; 
if you don't have any identification with you, we can't do 
that.''
    Then he said, ``I will call my manager.'' And the manager 
came out and said, ``Mr. Friedman, I really could not do that 
in good conscience. Plus you wouldn't want me to give your key 
to someone who simply came up in a bathing suit and said that 
he was you.''
    In the meantime he is standing there, he is working with 
the computer. The manager said, ``But wait, can tell you what 
room you are in.'' He said, ``When are your kids birthdays?'' 
He said, ``Here's your key.'' Friedman said, ``Why did you do 
that?'' The manager said, ``Because you stayed here 9 months 
ago and we have all of this information and a whole lot more 
about you.'' And he said, ``Thank you very much.''
    Friedman was gratified, but he was dumbfounded by the level 
of information and the depth of knowledge they had about him as 
a product of simply having checked into the hotel on a previous 
occasion.
    That is chilling information, and it is a remarkable 
example of why the hearing that we are having today is 
important. I appreciate the comments about the relationship 
between information gathered by Federal agencies and those 
gathered by businesses over the course of the last couple of 
days, Mr. Chairman.
    Ironically, I have rejoined a discussion that I have been 
involved in for the last dozen years about data sharing across 
government agencies. Those are efforts over the last 210 years 
to gain access to private individual information gathered as a 
product of the Census that has never been violated in the 210-
year history of this Nation.
    If we are looking for principal examples of the fundamental 
ideas behind which we might seek to guard information, we could 
do no better than to turn to the kind of repeated efforts that 
have been made to penetrate the Census, and the efforts that 
the census has made to guard against that. Even as we learned 
last spring, in times of war when efforts were made to 
individually identify Japanese Americans living in the United 
States, United States citizens, and that effort was directly 
resisted as a product of the work of the census.
    Personal information is our single most valued possession 
and the work that we are doing here today could not be more 
important. I thank you for that and yield back the balance of 
my time.
    Mr. Tauzin. By the way, that hotel has new personal data on 
Mr. Friedman: the fact that he loses his key.
    The gentleman from Maryland, Mr. Ehrlich.
    Mr. Ehrlich. Real briefly, real brief. Everyone said really 
what I can say. This is a timely issue. It is an emerging 
issue. It has always been a second-tier issue, now rapidly 
becoming a first-tier issue in American politics. If there is 
any doubt for anybody in this room that this issue is very 
important to them, let me assure you that there should be no 
doubts, because the chairman and I regularly have conversations 
about this. We have already had one conference, to be followed 
by many more conferences and hearings, and hopefully a good 
piece of legislation. And I yield back.
    Mr. Tauzin. I thank my friend and also thank him for 
cohosting the conference with Chairman Bliley and Mr. Goodlatte 
and I. And, as you know, we will hear about that conference a 
little later, but again I want to thank the gentleman for his 
personal involvement because it is going to take a lot of 
members' involvement for us to unravel all these issues by next 
year.
    The Chair welcomes and recognizes Mr. Luther for an opening 
statement.
    Mr. Luther. Thank you, Mr. Chairman. Thank you for holding 
this important final subcommittee hearing.
    I want to thank you and Mr. Markey and Mr. Boucher for your 
leadership on this subcommittee and on this issue, and I am 
pleased to hear you say that this hearing will only be the 
beginning on this issue and that hopefully in the next Congress 
we can deal very substantively with this particular issue for 
the benefit of America's consumers.
    Last November I was pleased to join Representative Markey 
in introducing H.R. 3321, the Electronic Privacy Bill of 
Rights, which would require web site operators to comply with 
the so-called Fair Information Practice Principles.
    I would also be remiss if I didn't mention this morning the 
great work of my colleague and friend, Congressman Bruce Vento 
of Minnesota, who passed away yesterday morning. Bruce 
introduced two online privacy bills, and I want to recognize 
him for his hard work on behalf of the American consumer on 
this issue and on so many other issues through his lifetime.
    Mr. Tauzin. Would the gentleman yield? I wonder, Mr. 
Luther, if we might ask all our friends for a moment of silence 
in memory of Mr. Vento. He was indeed a dear friend of many of 
us, and his passing is very hard on many of us. We ask you all 
now to join us in a moment of silence.
    [Moment of silence.]
    Mr. Tauzin. Thank you. Mr. Luther.
    Mr. Luther. Thank you, Mr. Chairman.
    In light of both the FTC and GAO studies that report that 
an unacceptably low percentage of web sites comply with the 
fair information practices, I look forward to hearing our 
panelists' opinions. Hopefully their testimony will provide 
insight as to what we as a committee and as a Congress can do 
to protect the American consumer from this wholesale collection 
and distribution of personal information.
    Thank you, Mr. Chairman and I yield back.
    Mr. Tauzin. Thank you, Mr. Luther.
    [Additional statements submitted for the record follow:]
    Prepared Statement of Hon. Paul E. Gillmor, a Representative in 

                    Congress from the State of Ohio

    Mr. Chairman, I want to thank you for calling this important 
hearing today on the matter of protecting consumer privacy. Public 
opinion is strongly behind the need to safeguard personal information. 
I believe this issue is important and I am pleased that our committee 
is spending some time to look into this issue.
    During our committee's most recent foray into the issue of privacy, 
during the Gramm-Leach-Bliley financial services law, we learned just 
how complex an issue this is. I was pleased to be one of the active 
members of this panel on the privacy issue and think our work in this 
arena has just begun.
    Privacy laws, in themselves, are not new things. However, with 
emerging Internet technologies, I believe it is crucial that Internet 
users and consumers can feel safe that the information that they are 
transmitting is being protected from others. I like to draw the 
parallel on this subject from Federal wire-tapping laws that our nation 
passed to protect telephone customers from unwanted parties. In the 
same way, we must ensure the integrity of the lines carrying Internet 
conversations.
    I come from the perspective that a person's information is his or 
her own. And, that when a person decides to give up some of their 
individual data, it is for a specific and intended purpose. I do not 
believe it is up to the merchant to decide how and when a person's 
information should be used, especially if it falls outside of the 
initial transaction that precipitated the need for the person's data.
    I look forward to the testimony of our witnesses. I am especially 
interested in listening to the Government Accounting Office's 
assessment of the present situation, as well as the thoughts of the 
Federal Trade Commission. As most members of the panel know, while the 
FTC lacks the authority to regulate operators of commercial websites, 
it has been busy looking into this matter and issuing reports a 
direction it believes is the most appropriate from containing 
unwarranted releases of personal information. I believe this will be a 
good starting point for our most recent discussions.
    Again, Mr. Chairman, I want to thank you for calling this hearing 
and your diligent work on this matter. I pledge my support and help to 
you in working on future legislation to ensure the privacy rights of 
all Americans.
                                 ______
                                 
 Prepared Statement of Hon. Tom Bliley, Chairman, Committee on Commerce

    Good morning and thank you Mr. Tauzin for holding this hearing 
today.
    Two and one half years ago, when this subcommittee held its first 
hearing on Internet privacy, many of us in Washington were just 
starting to learn what the issue of online privacy was all about.
    Consumers were just learning how companies collected information 
from them and how the companies used it.
    Businesses were just starting to become aware how important an 
issue privacy was to their consumers and finally government was 
starting to understand the public policy issues surrounding online 
privacy and electronic commerce.
    Looking back all those months, I think we have made great progress. 
Consumers are more aware of how to protect their privacy as they go 
online--whether through the use of new privacy protecting software or 
by knowing what to look for in a privacy policy.
    Businesses also understand how important it is for their customers 
to feel safe, secure and private while online.
    Industry groups like the Online Privacy Alliance have been working 
on tough industry guidelines and they have made excellent progress 
toward effective self-regulation.
    But this said, there is still more for industry to do such as: 
ensuring that consumers do have the choice to ``opt-out'' of providing 
personal information and working with outside auditors to ensure 
privacy policies are being adhered to and the consumers have recourse 
if they believe their privacy has been violated.
    I have said throughout this debate that I believe self-regulation 
is a better approach than government regulation. Government regulation 
by its nature is slower to respond than the marketplace and much less 
flexible and could place a serious competitive burden on the dynamic 
Internet economy.
    Before I close, I would like to leave some advice for the future 
Congresses that discuss and debate this issue.
    My policy toward the Internet economy has been simple--``First do 
no harm.'' It is a policy I hope that will continue in Congress and in 
this Committee.
    Privacy is a complex issue and Congress should not act hastily but 
rather carefully and deliberately on this issue. Over-regulation of the 
engine of growth of our economy would be foolhardy and imposing rigid 
regulations that don't take into account new privacy protection 
technology would be short sighted.
    On that note, it is important to keep in mind that slightly 
altering the current privacy restrictions can have a dramatic impact on 
the business plans of Internet companies. Today, much of the 
information on web sites is free, driven by advertising. Putting 
burdensome privacy restrictions could fundamentally change this 
structure and move us towards a pay-site world. We must be cautious. We 
must know the effects of any changes that are proposed--not just on 
privacy but also on Internet functionality and operations.
    Thank you Mr. Tauzin and I yield back the balance of my time.
                                 ______
                                 
  Prepared Statement of Hon. Gene Green, a Representative in Congress 
                        from the State of Texas

    Mr. Chairman: I want to thank you for holding this important 
hearing on consumer privacy issues.
    Mr. Chairman, as American consumers venture onto the Internet to 
browse for information or to purchase one of the millions of products 
available online, they do so with a belief that their time on the 
Internet will be anonymous.
    Unfortunately, that is not necessarily the case.
    Sophisticated computer programs have been developed that allow 
companies to track consumers as they surf the Internet.
    What I find most disturbing about this practice is that the level 
of detail that can be acquired about a consumer's personal habits and 
preferences is staggering.
    Fortunately, most of this data is still anonymous and is being 
collected without the detailed personal information that would allow 
direct marketers to bombard you at home with advertisements for 
products you viewed while on the Internet.
    However, the technology already exists to tie your name, address, 
social security number, and other personal information traits to you 
while you are online and that is where the true privacy battle must be 
joined.
    The Internet is a tool of convenience, but to use that tool 
consumers should not be forced to relinquish their right to privacy.
    I will introduce legislation today that allows e-businesses to 
collect and compile customer information acquired through normal 
business transactions so long as it is for internal use only.
    This legislation will explicitly prohibit the anonymous tracking 
and merging of personal data with site the individual has visited 
online.
    While I do not believe we can make shopping online as anonymous as 
buying something at the mall with cash, that should be our goal.
    I believe the fastest way to hurt the growth of the Internet is to 
have American consumers lose faith in their ability to control their 
personal information.
    The FTC has taken a step in the right direction in outlining what 
commercial Internet sites should consider having as a boilerplate 
privacy policy.
    The four FTC principals of notice, consent, access, and security 
each are important components to ensuring online privacy.
    It is my hope that in the next Congress we will begin to outline 
the basic protections that all consumers can expect when they transact 
business or just surf the Internet.
    I commend the many e-businesses that have understood the need to 
develop and update their privacy policies. These e-businesses are 
responding to the concerns of their customers and are in turn 
safeguarding their future business.
    Mr. Chairman, I look forward to hearing from the witnesses and I 
yield back the balance of my time.
                                 ______
                                 
Prepared Statement of Hon. Karen McCarthy, a Representative in Congress 
                       from the State of Missouri

    Thank you Chairman Tauzin and Ranking Member Markey for holding 
this important hearing on recent developments in privacy protections 
for consumers. It is vital that we address issues of consumer 
protection and privacy in the information age to ensure that we are 
providing the public with the security it needs and desires to deal 
comfortably in the Internet marketplace.
    Research done over the last several years indicates that consumers 
are frustrated by the increase by website operators in gathering and 
disseminating personal information, often without an individual's 
knowledge. Technologies such as cookies and click streaming enable 
website operators to collect personal information about visitors to 
websites, then sell information regarding an individual's Internet 
research. My constituents do not want their personal data collected by 
either commercial or government websites.
    I hope the panelists address what level of privacy individuals and 
organizations can reasonably expect in our digital world. Consumers 
want to be able to surf the Internet without having their viewing and 
purchasing habits tracked. Marketers seek to better tailor their 
advertisements as well as provide consumers with more personally 
tailored products and services. We need to determine how to assure 
privacy in a medium where incredible amounts of data reside.
    I am looking forward to the testimony of witnesses today. I would 
like to hear from all of them on what they believe the best way is to 
strike a balance between the privacy desires of consumers and the 
marketing desires of commercial website operators. Do all of the 
witnesses believe that government must step in to establish minimum 
protections as the Federal Trade Commission has suggested? Can industry 
self-regulate itself? What do we do about bad actors in the system? 
Should government websites be held to the same standard as commercial 
websites?
    It is my hope that both industry and government can reach a 
consensus on what the best policies are to provide consumers with the 
privacy protections they desire while giving online businesses the 
ability to better tailor their marketing.
    I am also interested to hear from the witnesses on the 
implementation process for the Children's Online Privacy Protection 
Act. Does the Federal Trade Commission need to revise some its rules 
pertaining to the Children's Online Privacy Protection Act? Are the 
concerns of children's website operators regarding their ability to 
comply with the Act legitimate? Should Congress amend the law to 
subject federal websites to the provisions of the Act?
    Thank you Mr. Chairman. I yield back the balance of my time.

    Mr. Tauzin. The Chair is now pleased to welcome our first 
witness, indeed our good friend from the Judiciary Committee 
who I think spends more time here than he does with his own 
committee, the honorable gentleman from Virginia, Mr. Bob 
Goodlatte. Bob, I spoke last night at midnight with your 
Chairman, Mr. Hyde, and he was kind enough to get on the phone 
with his staff last night and work out the final details of the 
Firestone recall bill that we passed last night, and I again 
wanted to thank all of you members of the Judiciary Committee 
for the excellent cooperation your committee provided our 
committee in resolving the technical areas of common concern in 
the bill and for waiving referral to the Judiciary Committee.
    Again, if you will extend my thanks on behalf of the 
Commerce Committee to other members of the Judiciary Committee, 
I would deeply appreciate it. As you know, the bill passed last 
night and is now on the way to the Senate. Again, we are very 
grateful for the work of our good friend Mr. Goodlatte on the 
Judiciary Committee. You are recognized sir.

 STATEMENT OF HON. BOB GOODLATTE, A REPRESENTATIVE IN CONGRESS 
                   FROM THE STATE OF VIRGINIA

    Mr. Goodlatte. Thank you, Mr. Chairman. I want to thank you 
and other members of the Commerce Committee for similar 
cooperation and coordination of legislation that these 
committees share on many occasions, and you've been very 
helpful to us. We very much appreciate that, and I will pass 
your remarks to Chairman Hyde on to my colleagues on the 
Judiciary Committee.
    I also want to thank you for allow me to testify today. I 
do want to know how many appearances are required before I can 
get a guest member status, but I do very much appreciate the 
opportunity to testify on this very important issue, which I 
must also thank you for your leadership on this. You were very 
instrumental in organizing the retreat which you have 
referenced which Congressman Ehrlich, Chairman Bliley and 
myself were privileged to cohost with you. I felt that it was a 
very, very productive retreat for Republican Members, and while 
this hearing is bipartisan in nature and we intend to work with 
our Democratic friends on this issue as well, that retreat 
which heard from experts in industry, academia and various 
think tanks on this increasingly important issue, yielded I 
think some very substantive results. I can say with confidence 
that it was a success and I think members learned a great deal 
about the issues. We discussed what the main privacy concerns 
of our constituents are, including unsolicited direct mail 
marketing, the collection of personal information on the 
Internet, the disclosure of personal financial information by 
financial institutions and identity theft and other criminal 
uses of personal information for fraudulent purposes.
    We also learned about the complexities of how information 
is used by commercial entities and that any privacy legislation 
needs to permit the beneficial uses of the information as well 
as address consumer concerns. And finally, we learned that we 
need to use a combination of tools to address privacy: 1) 
targeted legislation that specifically identifies the harm we 
are trying to regulate; 2) education to ensure consumers know 
what their rights are and how to commercialize those rights; 3) 
technological tools on the Internet to allow consumers to 
control their information better; and 4) policies that 
encourage and reward businesses for self-regulation and protect 
consumer privacy at the same time that they extend enormous new 
benefits to consumers by making valuable information available 
to them. We also have to be careful not to increase identity 
theft and fraud by making information unavailable to businesses 
and law enforcement to detect and stop crime.
    I also want to recognize and thank my colleague from 
Virginia, Congressman Boucher, for his dedicated hard work on 
this issue. We are, as you well know, the cochairs of the 
Congressional Internet Caucus, and with the hard work of 
Congressman Boucher the Caucus has sponsored a number of 
privacy-related activities and events in recent years, 
including several public policy forums, a technology 
demonstration of the latest privacy technologies, and a 
briefing book for Members that outlines various positions on 
the issues of online privacy.
    As my colleague mentioned, the Caucus will continue to be 
active on this issue after we adjourn this year. Earlier this 
year I had the opportunity to lead a congressional delegation 
along with Congressman Boucher that was attended by several 
members of the Commerce Committee, including Congressman 
Gordon, Congressman Stearns, and Congressman Pickering, in 
which we had the opportunity to testify before the European 
Parliament on the issue of privacy as relates to electronic 
commerce.
    As a part of that testimony, we promoted the efforts to 
coordinate privacy policy with the European Union, something 
that, as you know, is vitally important and something that 
hasn't been mentioned thus far today but is also important 
looking toward our States as well. We have a great concern that 
if we have 50 different State privacy policies enacted by our 
State legislatures, many of which are very active on this issue 
today, as well as differing privacy policies around the world, 
we will have an unworkable situation on the Internet. And so 
the effort to promote the safe harbor that allows U.S. 
companies to do business in Europe by meeting certain 
standards, while not requiring the United States to pass 
legislation that may be contrary to our interest and the intent 
of the majority of the Members of Congress, is vitally 
important.
    It is also important to recognize the contribution that 
industry has made because substantial progress has been made in 
the area of self-regulation. At this time, the vast majority of 
Internet sites of major businesses have good, solid privacy 
policies that are enforced by those companies, and that 
progress which would indicate that, for example, of the top 100 
web sites in the country, they have improved from 71 percent 
having a privacy policy to now better than 95 percent is 
progress, but obviously more work needs to be done in this 
area.
    Mr. Chairman, you have noted the substantial progress we 
have already made in a number of targeted areas dealing with 
children's privacy, financial privacy, and medical privacy. I 
think that is the type of approach that we should continue to 
pursue, not a shotgun approach, but a targeted approach to 
where the problems exist. We believe that through private 
initiative and this targeted Federal action, we have been 
making and will continue to make substantial progress toward 
achieving balance, toward ensuring adequate consumer 
protection, encouraging the development of electronic commerce.
    As we look ahead, obviously bipartisan support is vital. 
And I am pleased to hear so many Members on each side of the 
aisle commit to that, because that is exactly what is called 
for. There have been several legislative proposals introduced 
and considered in the Congress this year, and it is unlikely 
they will see any of them enacted into a general online privacy 
law this year. That is a good thing, that is not a bad thing. 
And I know there have been those who have been pushing for us 
to take action before we adjourn this year, but quite frankly 
the Congress must approach the issue of comprehensive online 
privacy information in a careful and deliberate manner, and 
that is exactly what we are doing with your leadership here 
today.
    Last, I want to say a little bit more about what 
Congressman Boucher mentioned, and that is the desire of the 
Internet Caucus to work with you and other Members of the 
Congress as we brainstorm, if you will, for ideas on this work 
in this direction. And I do think Congressman Boucher has 
outlined the shape of a very good potential piece of 
legislation, very similar to what came out of the privacy 
retreat which we host, and we are moving toward that kind of 
consensus; but during the time between now and when the 
Congress reconvenes in January, there is much work to be done, 
and the Internet Caucus intends to be a part of that by 
coordinating a working group of Caucus members and others to 
develop a statement of principles on Internet privacy.
    This working group will consist of any member of the Caucus 
or others who are interested in the issue of online privacy, 
will work informally from now until the new Congress convenes 
in January to outline those areas the Caucus deems important to 
address in any legislative initiative. And Members who have 
been leaders on privacy issues from both sides of he aisle and 
both sides of the Hill, from Congressman Asa Hutchinson to 
Senator Ron Wyden we hope will be actively involved in the 
working group. And we are also hopeful that by working in a 
bipartisan manner, we can contribute to the process which will 
begin in your committee, and to ensure that all Members of the 
House, including new Members who are still looking for 
information, are prepared to act on any legislation that is 
considered in the early part of this year. I thank you again 
for the opportunity to testify today and look forward to 
continuing to work with you.
    Mr. Tauzin. Thank you, Mr. Goodlatte.
    Let me first of all--you mentioned Asa Hutchinson. I wanted 
to state publicly our concern about Asa's bill to create a 
commission, which many members of this committee voted against, 
was not, of course, that we don't do an awful lot of work done 
on this issue and, as you pointed out, perhaps even some 
legislation next year, but it was our concern that this work 
ought to be done by Members of Congress rather than some 
commission. And Asa and I have had many discussions about that. 
Our opposition was simply that it was a job we had to do and we 
needed to get about doing it.
    Second, I think you will recommend to our good friends on 
this side of the aisle the experiences of the Lansdowne 
conference. I know the Chamber Foundation has agreed to conduct 
a similar treatment for Members of the Democratic Conference or 
Caucus.
    Let us talk about the Lansdowne conference quickly, Bob. 
First of all, it rained all weekend, so everybody had to listen 
to each other, which was pretty good after all the meetings, 
all the panels, which included, as you pointed out, members of 
industry, academia, think tanks, consumer representatives. 
After everybody had a chance to listen to one another, wasn't 
there a major shift in the conference opinion by the time we 
left the early morning sessions on the first day until the last 
session, and didn't that shift represent a sort of major 
redefining of our mission bearing on privacy?
    Mr. Goodlatte. I think there was definitely a coming 
together of ideas. And speaking about Asa again, one of the 
reasons why I also did not vote for his legislation was, in 
addition to the fact that Congress needs to address this, I 
think the speed with which we need to address it is upon us; 
and therefore, some might take the establishment of a 
commission that would last for some lengthy period of time as a 
putting off of addressing this, and I don't think we should do 
that. And I think that one of the things that came out of that 
conference was that we need to act in a comprehensive manner 
and we need to do it in such a way that sets a minimum 
baseline. There is an opportunity for legislation here that 
promotes self-regulation.
    Mr. Tauzin. Let us talk about some of the issues the 
conference highlighted. One of them was harmonizing various 
privacy laws. The conference--I noted the fact that in some of 
the State legislatures of our land, there were as many as 200 
bills filed. I know most of them didn't pass, but there is a 
lot of activity going on in State legislatures to establish 
privacy rights that may be very different from one another and 
may create some very different laws, all set on top of an 
Internet interstate-international commerce question, and would 
you address that quickly for us?
    Mr. Goodlatte. Well, I think we have an international 
problem here. We have to start by having our own house in order 
in the United States.
    And the chairman is absolutely right. One of the things 
that I mentioned earlier that came out of the conference was 
the need to have Federal legislation. To avoid having 50 
different States have 50 different privacy policies that are 
inevitably going to conflict with each other in a company 
attempting to do business in interstate commerce on the 
Internet is going to have to have a consistent policy. I mean, 
you can't have a web site which has two conflicting 
requirements on it, much less perhaps 50 different States with 
a multitude of different components of regulation that could 
collectively make it a totally unworkable proposition, 
particularly for a small business that wants to do something to 
supplement their bricks-and-mortar business with some Internet 
business and suddenly find that they have an enormously 
impossible task of complying with regulations. So we need to 
come up with something simple and understandable and 
comprehensive that everyone can comply with and avoid this 
problem.
    Mr. Tauzin. We also ran into the question of various 
Federal agencies adopting privacy policies that may or may not 
be in conflict with one another or in conflict with those State 
laws and businesses that have to comply with more than one 
agency privacy policy that may be different from one another. 
And the question was, do we need to focus on harmonizing the 
Federal standards as it applies to private businesses doing 
business with the Federal Government?
    Mr. Goodlatte. Well, I think that is absolutely correct. 
And we have to make sure the Federal Government itself, as you 
noted earlier, is setting the example of protecting the privacy 
of consumers and not abusing already existing laws much less.
    Mr. Tauzin. Finally, we are going to hear from the GAO 
about the various tests by which web sites are judged or rated, 
and we will hear from the FTC about how well privacy is being 
protected in the private commercial sites of America and we 
will learn that there are always going to be some bad actors, 
some bad players. Can we trust on privacy to be totally 
protected by private sort of self-policing organizations, or 
will we need some minimum standard by which--or something that 
applies to those sites that refuse to be members of self-
policing organizations?
    Mr. Goodlatte. We are always going to have, of the millions 
of commercial web sites, some that are going to, either through 
neglect or through deliberate desire to misuse consumers' 
privacy, abuse this process in very unacceptable ways that are 
going to harm consumer confidence in the entire Internet. And 
therefore it seems to me that legislation should include a 
baseline standard to go after those outliers who are not going 
to meet that standard.
    When we do that we have to be very, very careful that we 
don't get into the idea that we should dictate the minutia of 
how businesses protect privacy of consumers when we have, in 
fact, a long history, as you cited, of useful information being 
made available to consumers through businesses.
    Mr. Tauzin. Finally, Bob, I want to ask one thing of you, 
the Internet Caucus. If you don't mind, I would very much 
appreciate if before we get to this matter next year, if you 
would perhaps cohost with us a technology demonstration for all 
Members of the Congress to see the new technology in privacy. 
At the Lansdowne conference we saw some new software, some new 
hardware, some new IP systems by which consumers can and will 
be able to protect themselves from sites that might be 
negligent or intentionally damaging to their privacy, and I 
think a demonstration of all those new technologies would 
probably help us understand what needs to be done in law and 
what can be taken care of in technology and self-policing.
    So I would ask of you that consideration of perhaps some 
sort of technology demonstration for our committee, perhaps in 
union with the Internet Caucus perhaps next year.
    Mr. Goodlatte. We would be delighted to work with you to do 
just that. We have hosted some similar demonstrations and, you 
know, it is a hard time reaching so many Members of Congress 
who have such busy schedules, so continuing to do that and 
perhaps in conjunction with the committee here, tap a committee 
room or something.
    Mr. Tauzin. They could come or we threaten to release their 
private information.
    Mr. Boucher is recognized.
    Mr. Boucher. Well thank you, Mr. Chairman. And let me echo 
the comments of Mr. Goodlatte about our willingness through the 
Internet Caucus to integrate our activities more closely with 
those of this subcommittee, both in terms of conducting 
demonstrations and perhaps also in terms of having panel 
discussions that are apart from the formal hearing process and 
through other ways collaborating in the development of good 
policy.
    I want to commend Mr. Goodlatte on his superb statement 
here this morning, I will note in passing that I am not a 
particular fan of partisan retreats, so you will not be 
surprised if the Democrats do not accept the invitation to have 
a purely partisan retreat. I tend to think that the best policy 
is made in a bipartisan fashion, but I am very pleased that 
tremendous pub members gained education from the retreat that 
they had.
    Mr. Tauzin. Would the gentleman yield?
    Mr. Boucher. I will be pleased to yield.
    Mr. Tauzin. Did I notice sarcasm there?
    Mr. Boucher. Oh, no, Mr. Chairman there was no sarcasm; the 
statement speaks for itself.
    Mr. Goodlatte, I enjoy very much the visit that we paid to 
the European Parliament in February of this year and I am glad 
that you mentioned that. I thought it was an informative 
exchange on both sides. We did have, as Mr. Goodlatte 
indicated, the opportunity to testify before the European 
Parliament on the concerns that we have on this side of the 
ocean about privacy protection.
    At that time we strongly encouraged the formation of a safe 
harbor agreement which subsequently was negotiated. I am not 
sure we can claim much credit for, but we certainly endorsed 
the concept, and I was pleased to hear Mr. Goodlatte mention 
this morning that that safe harbor arrangement between the 
United States and the European Union is in the nature of a 
foundation. It is a minimum set of guarantees; it is in the 
nature of a floor. And it is anticipated that the privacy 
understandings between the U.S. and the European Union evolve 
over time.
    And I would ask Mr. Goodlatte if he agrees that adopting a 
set of guarantees as national policy here in the United States 
that would assure the privacy protection of those who are using 
the Internet and visiting web sites, whether commercial or 
governmental, would be in keeping with the spirit of the safe 
harbor agreement between the U.S. and the European Union and 
would serve to strengthen that agreement to the mutual benefit 
of U.S. citizens and European citizens alike.
    Mr. Goodlatte. Well, I say that the legislation that you 
and I introduced earlier and which is a shorter form of 
legislation that I know that the chairman and others have been 
formulating in their thinking process would provide such a 
baseline standard of guarantees. But we have to be careful that 
we don't try to, I think, micromanage that as the Europeans 
have done. I think that the purpose of that safe harbor is to 
allow us to take our course of action and to continue to 
promote privacy in a way very different than the way that the 
European Union has taken that approach of basically an opt-in 
policy, in fact, and opt in each time somebody wants to use 
information. And I would say that that would be the wrong 
direction to head.
    If I might give an analogy to other areas: If I go into a 
men's clothing store that I frequent every year in Roanoke 
Virginia--the gentleman is probably familiar with it--and they 
were to remember that I wear a size 40 suit and I like a 
particular brand of suit and so on--I am giving away a lot of 
privacy information--and he happens to remember that either in 
his head or by writing it down on a little card and keeping it 
in the back room, so when I come in again, he tells me about a 
special sale they have on this particular type of suit and 
pulls out the size 40 or goes directly to size 40 to see what 
they have in that stock, I am not in the least bit offended by 
that.
    And I am also not offended if I go online to Amazon.com or 
BarnesandNoble.com and the first screen pops up and says, 
``Welcome, Mr. Goodlatte. We know that you are interested in 
biographies and we have a new biography that we think that you 
might be interested in.'' That to me is a value to consumers, 
in fact, in some areas like purchasing airline tickets, you are 
also notified of a potential reduced rate on a particular hotel 
room notary public in the city that you are going to. I think 
most consumers would appreciate having that information and 
they should have the opportunity to opt-out if they don't like 
that. But I don't think we should get into the business of 
cutting people off from that, and I think that is the effect of 
the policy in Europe that we need to steer away from.
    Mr. Boucher. Well Mr. Goodlatte, thank you very much. In 
the interest of time, I am going to stop with this. But I do 
want to thank you once again for being here this morning. We 
always enjoy having you before this subcommittee and hope that 
you will return.
    Thank you, Mr. Chairman.
    Mr. Tauzin. The Chair asks unanimous consent, by the way, 
that all members' written statements be made a part of the 
record, including those of our witnesses. Is there any 
objection? Without objection so ordered.
    The gentleman from Maryland first, Mr. Ehrlich.
    Mr. Ehrlich. I yield my time, Mr. Chairman.
    Mr. Tauzin. The gentleman from California, Mr. Cox.
    Mr. Cox. Thank you. I just want to welcome my colleague, 
Mr. Goodlatte, and likewise thank you for your informed 
statement on this and all of the hard work and study that you 
are putting into this subject. I would like to ask you because 
of your role also as a member of the Judiciary Committee, 
whether or not you think that it would be possible to improve 
choices for consumers and protections for consumers by using 
property rights in personal information as the means by which 
we regulate as individuals the information sharing that goes on 
both over the Internet and in other forms of commerce.
    I want to stress, too, that I hope we can think about this 
in nontechnologically bound terms, because while the Internet 
is certainly today's medium, the Internet wasn't around a few 
years ago and it may not be around in recognizable form some 
years from now. Catalog sellers have collected financial 
information long before there was an Amazon.com. Direct 
marketers have bought lists of names and mailing addresses long 
before there was e-mail. Americans have used the white pages to 
look up people's names and phone numbers long before search 
engines like People Finder were around. So in that sense, what 
the Internet has done is simply to improve vastly the 
efficiency and reduce the expense of this kind of data 
collection and dissemination, and that development has brought 
into sharp attention the longstanding tension between the 
desire for privacy on the one hand and the benefits of 
dissemination of information on the other.
    So my question is whether or not as a consumer I shouldn't 
have the opportunity to take advantage, as you have said, of 
the opportunities to benefit, in many cases, from sharing my 
personal information. But if I am a consumer who just disagrees 
with you and, you know, what suit size I wear is nobody's 
business but my own, and that may be good for Goodlatte, may be 
good for Cox, but it is not good for me, the consumer, you 
know, should I have that choice? And can we do this, therefore, 
on market basis, on an individual basis, and give people 
property rights in the form of laws that we might pass here 
that would permit them in essence to license this information, 
sometimes for free or nominal cost, sometimes just for the 
benefits of whatever it is that they would be getting over the 
Internet, as a means of implementing this because--but I will 
just leave it to you to think about it and answer it--because I 
so fundamentally agree with what you said about the need for 
some predictability and uniformity. In the sense that we don't 
want to have all of these different privacy regimes in place 
and so some uniformity with a national rule might be useful, 
isn't it true that if you had a one-size-fits-all policy, that 
the downside of that is that it might not satisfy consumers, 
that the consumers come in a lot of different shapes and sizes, 
that is what markets are all about; what you really want are 
neutral rules of universal application that permit the maximum 
amount of flexibility so we can all have our own privacy 
policies. And the Cox privacy policy might be different from 
the Goodlatte privacy policy, which might be different from the 
privacy policy of every member of the panel, but what is the 
same is the law that gives us the right to choose and to 
enforce our choice in a legally binding way so that everybody 
leaves a market-based transaction happy because they chose the 
result, and so that we avoid the problems with government 
mandates which are almost impossible for everyone to leave 
happy because it is forced on everyone whether they like it or 
not.
    Mr. Goodlatte. Well, I think you make a very interesting 
observation. In fact, I think everyone does have their own 
privacy policy. If I don't like the fact that the fellow 
remembers my suit size and so on, I will go to another store 
the next time around. And similarly with other types of 
information. If I don't want to be listed in the phone book, I 
will asked to be deleted. And if there is an abuse of that 
information, I think we do need to set the policy to give the 
consumer that right so that, for example, when you go into a 
store or go to visit a web site, and that web site has 
information about me that they might want to use to give me 
more information, that is different than if that web site takes 
that information and sells it to somebody else. I need to have 
the opportunity to know that and make a decision about whether 
or not I want to deal with somebody who is going to turn around 
and share that information with somebody I may not want to have 
it shared with.
    Now, there are lots of new technologies that are enabling 
people to establish that personal privacy policy and fine-tune 
it to their own preferences. P3P for example is a new 
technology that is growing in its use on the Internet that 
allows you to set your computer so that when you visit a web 
site it will tell you whether or not that web site has met 
certain privacy policies based upon your own criteria that you 
devise at the outset and will warn you that this site does not 
meet all of those criteria and therefore you can leave the site 
if you don't want to participate in the standard that they 
have, or you can let them know you don't agree with their 
standard and negotiate with them to change that policy as they 
deal with you.
    But I think that should be a part of the opportunity not 
only of each consumer but each business to negotiate as a part 
of their doing business with you. But when they take that to 
the next step of taking that information beyond their own usage 
of it because, after all, the transaction that took place in 
the past between you and them is information that both you and 
they share in ownership, but if they even attempt to turn 
around and sell that to somebody else or give it to somebody 
else for whatever reason, I think you need to have the 
opportunity to avoid that if you don't want to.
    Mr. Cox. Can I ask you to comment just briefly on the other 
part of that question, which is whether it is possible to use 
property rights as the basis for enforcing this regime of 
privacy protection and information sharing and apply it across 
all technologies, pen and ink, typewriter, telephone, U.S. 
mail, the Internet, whatever it is going to be; we write a law 
that says you have these protections, you have these rights, 
businesses also have rights and ways to conduct themselves, 
they are all clear in advance and aren't dependent upon the 
Internet?
    Mr. Goodlatte. Well, framing it as a property right, I 
think we have laws that do that to a certain extent today, but 
in limited areas like intellectual property and so on. Whether 
you can take that beyond that is a good thinking tool, I guess, 
as we move forward to address this. But it would be, I think, a 
major change in policy to try to write every use of every piece 
of information about anybody that cannot be known; there are 
lots of things we pick up by looking around this room.
    Mr. Cox. To the contrary, what I would have in mind is 
simply by clarifying that people can do whatever they want, you 
would have the maximum freedom to exchange information, but 
also individuals would have the maximum opportunity if they 
chose not to participate in that regime to pick something else.
    Mr. Goodlatte. I think that is the direction we are headed 
in an opt-out policy here.
    Mr. Cox. Can you extend that to life on the planet as 
opposed to just the Internet?
    Mr. Goodlatte. Well, we I think should certainly consider 
that as we move forward, if it is necessary and appropriate, to 
make sure that we are not singling out the Internet.
    Mr. Cox. I think if we could do that, that would be ideal, 
because I worry about law, however well intended, will end up 
discriminating against the Internet. We need to recognize that 
some of this transcends the technology and a lot of these 
things have been going on for an awfully long time.
    Mr. Goodlatte. We also have some laws in those other areas 
that in a new technology we need to make sure that those same 
protections exist there. I think our objective is the same, but 
also important is how we achieve it----
    Mr. Cox. Thank you, Mr. Chairman.
    Mr. Tauzin. The Chair recognizes Mr. Sawyer for a round of 
questions.
    Mr. Sawyer. Thank you, Mr. Chairman. I am grateful for the 
work that both of the gentlemen from Virginia have done, not 
only within this Congress but internationally. I think the work 
that you have done internationally may be even more important 
than the work that has taken place here, as important as it may 
have been.
    I was interested in your tailor analogy. My tailor has gone 
one step beyond yours. He has been able to project trend lines. 
I came in when I was in the legislature at 38 and then when I 
was mayor it was 40, and now as a Member of Congress it is 42. 
I am stunned by his ability to anticipate such things.
    Mr. Tauzin. He has an inflated view of your potential.
    Mr. Sawyer. I was out of the room for a moment.
    Am I correct in hearing the tail end of your comment to the 
gentleman from California, you believe that there ought to be a 
distinction between information gathered for the internal use 
of a vendor of a service and that which is subsequently offered 
for sale for profit to others?
    Mr. Goodlatte. I think that there needs to be a standard 
set that allows people to know if that information is going to 
be used for other purposes to give them the opportunity to opt 
out. That is one of the things that Congressman Boucher 
outlined in potential legislation that I think would promote 
the Internet, at the same time make sure that consumers are 
aware of some of the risk and misuse of their information.
    Mr. Sawyer. Might that be an important point of distinction 
between opt-out and opt-in?
    Mr. Goodlatte. It is the opportunity to find out whether 
the information is going to be used for those purposes and 
choose not to do business with that company or have the company 
agree that in dealing with you they will not use the 
information for that purpose.
    Mr. Sawyer. Let me touch on the subject that you and Mr. 
Boucher talked about in terms of the work which has been done 
with the European Union. Clearly that is only one arena where 
this kind of problem will arise in a global market. To what 
degree do you believe this has served as a template for broader 
negotiations, and how would you propose to go about doing it?
    Mr. Goodlatte. We have such widely divergent approaches to 
consumer privacy on the Internet that it only works in the 
intermediate term, if you will.
    Mr. Sawyer. You are rather answering my second question.
    Mr. Goodlatte. Let me say----
    Mr. Sawyer. There are huge cultural differences between the 
United States and Europe in terms of their government-business 
relationship.
    Mr. Goodlatte. There are, and the Internet is probably the 
greatest challenge to the sovereignty of states and nations to 
insist on a particular format or standard. I think we need to 
continue to work with parts of the world that have taken the 
lead in addressing this issue, like the European Union, with 
whom we may have substantial disagreement, and attempt to forge 
a workable solution to that, and also show more leadership in 
the United States as we continue to evolve this policy so that 
then as other countries in the world begin to address this, we 
can have some influence over that process. Again, we will have 
the same problem with 150 nations around the world as we do 
with 50 States in the United States attempting to have 
different privacy policies.
    Mr. Sawyer. Or 18 members of the European Union. I yield 
back the balance of my time.
    Mr. Tauzin. I thank the gentleman. The gentleman, Mr. 
Luther, is recognized.
    Mr. Luther. Mr. Chairman, thank you. I will pass.
    Mr. Tauzin. Ms. McCarthy.
    Ms. McCarthy. I thank both gentlemen from Virginia for 
their efforts to raise and resolve this very important issue; 
and, Mr. Chairman, I would like to reserve my questions for the 
panelists who are coming.
    Mr. Tauzin. Thank you. Mr. Green from Texas.
    Mr. Green. Thank you, Mr. Chairman. I have one question 
that I would like to ask our colleague. I know that you 
mentioned beneficial uses earlier and data collection and I 
want to echo your comments. I think we in Congress must be 
careful not to restrict legitimate business practices.
    One of the concerns that I have on data collection, do you 
believe that Congress should prevent third parties from trying 
to collect an individual's anonymous web site visits with that 
individual's personal information? Now we are hearing new 
technology like this being developed every day. One time it was 
cookies, you didn't accept that, but now there is other 
technology that the individual user may not know. Again, it is 
hard to write laws to stop this type of practice when 
technology can change from day to day and week to week. I would 
appreciate a comment on third parties tracking someone who may 
not have a business relationship with that entity.
    Mr. Goodlatte. I think that is a very great concern and we 
have in our Constitution protections against governments doing 
that in our Fourth Amendment, and we certainly should have 
protections against other individuals who are not engaged in a 
transaction with you using some technological device to track 
your activities and gather information about you without your 
knowledge or approval. I think that is a serious problem.
    I think quite frankly that some existing laws and 
regulations enforced by the FTC give some protection in that 
area, but we need to continue to look at that. We also need to 
have the kind of spotlight on that activity that has, I think, 
been effective thus far in pointing out some entities that have 
stepped over the line on the Internet, and there has been an 
outcry, and if they are a reputable business they have backed 
away from some of these things. That is good and important.
    So in addition to disclosure to individuals, we also have 
to have prohibitions in any law that we write that say if you 
are gathering information about somebody without their 
knowledge and not disclosing that to them, that there is a 
consequence to doing that.
    Mr. Tauzin. I thank the gentleman. The Chair again wishes 
to thank our friend for his patience and again we pledge to 
work with him in the next Congress where we can continue this 
dialog and eventually a resolution on some of these issues.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    Mr. Tauzin. We welcome our second panel. I want to preface 
the second panel with an explanation that the second panel will 
discuss with us findings of several reports, the Horn report, 
the Lieberman report and the recent GAO report done at the 
request of Mr. Armey and myself insofar as it covers the 
Federal web sites and the status of the Federal web sites.
    In prefacing this panel, I want to read the results of that 
GAO report in brief. As of July 2000, all of the 65 web sites 
in our survey conducted by GAO, collected personal identifying 
information from their visitors. 85 percent of the sites posted 
a privacy notice. That means 15 percent did not. The majority 
of these Federal sites, 69 percent, also met the FTC's criteria 
for notice, which implies that 31 percent did not. However, a 
much smaller number of sites implemented the three remaining 
principles of the FTC: Choice, 45 percent; access, 17 percent; 
and security, 23 percent. Few of the Federal sites, 3 percent, 
implemented elements of all four of the FTC's fair information 
principles. Three percent implemented elements of all four of 
the FTC's fair information principles. Finally, a small number 
of sites, 22 percent, disclosed that they may allow third party 
cookies. Fourteen percent actually allowed their placement. 
That is 14 percent of the sites surveyed by GAO indicated that 
they allowed placement of cookies on the Federal web sites.
    In fact, we learned in the news today that the White House 
itself discovered that it permitted the collection of 
information through a cookie system and has ordered it to be 
dismantled. Where is that notice? I want to refer to it so that 
everybody can see that this is a real problem. This is a story 
on the web today, White House on cookies, dah. Cookie dough, I 
guess. After being chastised by watchdog groups, the White 
House has issued an order to all Federal departments and 
agencies, no more cookies. The White House was embarrassed last 
week by the revelation that it used cookies, bits of consumer 
code, that track and record users' movement across web sites, 
on some of its web sites, violating its own privacy policies, 
and possibly violating Federal privacy laws. Check it out on 
the web entitled White House on cookies, dough, Wired News 
report.
    I am pleased to welcome Linda Koontz, Director, Information 
Management Issues, U.S. General Accounting Office, Ms. Sally 
Katzen, Deputy Director for Management, OMB; and Mr. Roger 
Baker, Chief Information Officer, Department of Commerce, who 
chairs a privacy subcommittee of the Chief Information Officers 
Council.
    We welcome our first witness, Linda Koontz. Remember, your 
written statements are a part of our record. Please summarize 
your comments and then open yourself up to a dialog with us on 
some of the issues that we have discussed today.
    Let me thank the GAO on behalf of Mr. Armey and myself and 
this subcommittee for conducting the survey. That information 
combined with the Lieberman and Horn reports is again the basis 
of this panel's discussion. We will begin with Linda Koontz.

STATEMENTS OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT 
 ISSUES, U.S. GENERAL ACCOUNTING OFFICE; SALLY KATZEN, DEPUTY 
 DIRECTOR FOR MANAGEMENT, OFFICE OF MANAGEMENT AND BUDGET; AND 
 ROGER W. BAKER, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF 
                            COMMERCE

    Ms. Koontz. Mr. Chairman, thank you for inviting us to 
discuss online privacy, a subject which has emerged as one of 
the key and most contentious issues surrounding evolution of 
the Internet. My testimony today will discuss the findings in 
our recent report on Internet privacy, which is based on the 
survey of Federal web sites that we conducted at your request 
in July 2000.
    Specifically, you asked us to determine how Federal web 
sites would fare when measured against the FTC's fair 
information principles for commercial web sites. These 
principles are: Notice. Data collectors must disclose their 
information practices before collecting personal information 
from consumers.
    Choice. Consumers must be given options with respect to 
whether and how personal information collected from them may be 
used for purposes beyond those which the information was 
provided.
    Access. Consumers should be able to view and contest the 
accuracy and completeness of data collected about them.
    And security. Data collectors must take reasonable steps to 
ensure that information collected from consumers is both 
accurate and protected from unauthorized use.
    Using the methodology that the FTC developed to evaluate 
commercial web site privacy disclosures, we analyzed a sample 
of 65 Federal web sites to determine whether they collected 
personal information such as name, address, e-mail; and if so, 
whether the sites included disclosures to indicate that they 
met the fair information principles. We did not try to 
determine whether the web sites actually followed their stated 
policies.
    I should note that Federal agencies are not required to 
follow FTC's fair information principles, but instead are 
subject to the requirements of law such as the Privacy Act and 
guidance issued by the Office of Management and Budget. In 
addition, FTC staff expressed concern about our use of the 
methodology stating that there are fundamental differences 
between Federal and commercial web sites which in their view 
make the methodology inappropriate for use in evaluating 
Federal web site privacy policies.
    You have already summarized very accurately what our 
findings were in this report, so I will conclude my statement 
here and I will be happy to answer any questions that you have 
at the end of the panel.
    [The prepared statement of Linda D. Koontz follows:]

Prepared Statement of Linda D. Koontz, Director, Information Management 
                              Issues, GAO

    Mr. Chairman and Members of the Subcommittee: Thank you for 
inviting us to discuss the privacy policies of selected federal web 
sites and their conformity with the Federal Trade Commission's four 
fair information principles--Notice, Choice, Access, and Security. 
After providing brief background information including an overview of 
the laws and guidance governing on-line privacy of federal web sites, 
my testimony today will discuss the findings in our recent report on 
Internet privacy which is based on the review we conducted at your 
request in July and August 2000.1
---------------------------------------------------------------------------
    \1\ Internet Privacy: Comparison of Federal Agency Practices With 
FTC's Fair Information Principles (GAO/AIMD-00-296R).
---------------------------------------------------------------------------
    As you know, on-line privacy has emerged as one of the key--and 
most contentious--issues surrounding the continued evolution of the 
Internet. The World Wide Web requires the collection of certain data 
from individuals who visit web sites--such as Internet address--in 
order for the site to operate properly. However, collection of even 
this most basic data can be controversial because of the public's 
apprehension about what information is collected and how it could be 
used.
    You asked us to determine how federal web sites would fare when 
measured against FTC's fair information principles for commercial web 
sites. In applying FTC's methodology, we analyzed a sample of 65 
federal web sites to determine whether they collected personal 
identifying information, and if so, whether the sites included 
disclosures to indicate that they met the fair information principles 
of Notice, Choice, Access, and Security. We also determined the extent 
to which these sites allowed the placement of third-party cookies 
2 and disclosed to individuals that they may allow the 
placement of these cookies. We did not, however, verify whether the web 
sites follow their stated privacy policies.
---------------------------------------------------------------------------
    \2\ A cookie is a small text file placed on a consumer's computer 
hard drive by a web server. The cookie transmits information back to 
the server that placed it, and, in general, can be read only by that 
server. A third-party cookie is placed on a consumer's computer hard 
drive by a web server other than the one being visited by the 
consumer--often without the consumer's knowledge.
---------------------------------------------------------------------------
    I should note that FTC staff expressed concern about this use of 
their methodology, stating that there are fundamental differences 
between federal and commercial web sites which, in their view, make 
FTC's methodology inappropriate for use in evaluating federal web site 
privacy policies. For example, an agency's failure to provide for 
Access or Choice on its privacy policy may reflect the needs of law 
enforcement or the dictates of the Privacy Act or other federal 
statutes that do not apply to sites collecting information for 
commercial purposes.
    As of July 2000, all of the 65 web sites in our survey collected 
personal identifying information 3 from their visitors; 85 
percent of the sites also posted a privacy notice. A majority of these 
federal sites (69 percent) met FTC's criteria for Notice. However, we 
found that a much smaller number of sites implemented the three 
remaining principles--Choice (45 percent), Access (17 percent), and 
Security (23 percent). Few of the federal sites--3 percent--implemented 
elements of all four of FTC's fair information principles. Finally, a 
small number of sites (22 percent) disclosed that they may allow third-
party cookies; 14 percent actually allowed their placement.
---------------------------------------------------------------------------
    \3\ Information used to identify or locate an individual, e.g., 
name, address, e-mail address, credit card number, Social Security 
number, etc.
---------------------------------------------------------------------------

                               BACKGROUND

    Concerned about the capacity of the on-line industry to collect, 
store, and analyze vast amounts of data about consumers visiting 
commercial web sites, the FTC reported in May 2000 on its most recent 
privacy survey of commercial web sites. The survey's objective was to 
assess the on-line industry's progress in implementing four fair 
information principles which FTC believes are widely accepted.

 Notice. Data collectors must disclose their information 
        practices before collecting personal information from 
        consumers.
 Choice. Consumers must be given options with respect to 
        whether and how personal information collected from them may be 
        used for purposes beyond those for which the information was 
        provided.
 Access. Consumers should be able to view and contest the 
        accuracy and completeness of data collected about them.
 Security. Data collectors must take reasonable steps to ensure 
        that information collected from consumers is accurate and 
        secure from unauthorized use.
    In addition, the survey looked at the use of third-party cookies by 
commercial web sites. Although FTC noted improvement over previous 
surveys, it nonetheless concluded that the on-line industry's self-
regulatory initiatives were falling short. As a result, a majority of 
the FTC commissioners, based on a 3 to 2 vote, recommended legislation 
to require commercial web sites not already covered by the Children's 
Online Privacy Protection Act (COPPA) 4 to implement the 
four fair information principles.
---------------------------------------------------------------------------
    \4\ 15 U.S.C. 6501 et seq. The provisions of COPPA govern the 
collection of information from children under the age of 13 at web 
sites, or portions of web sites, directed to children or which have 
actual knowledge that a user from which they seek personal information 
is a child under 13 years old. These provisions took effect April 21, 
2000.
---------------------------------------------------------------------------
    While the FTC's fair information principles address Internet 
privacy issues in the commercial sector, federal web sites are governed 
by specific laws designed to protect individuals' privacy when agencies 
collect personal information. The Privacy Act of 1974 is the primary 
law regulating the federal collection and maintenance of personal 
information maintained in a federal agency's systems of 
records.5 The act provides, for example, that (1) agencies 
cannot disclose such records without the consent of the individual 
except as authorized by law, (2) under certain conditions, individuals 
can gain access to their own records and request corrections, and (3) 
agencies must protect records against disclosure and loss. While these 
requirements are generally consistent with FTC's fair information 
principles, the act's specific provisions limit the application of 
these principles to the federal government. Specifically, the Privacy 
Act applies these principles only to information maintained in a system 
of records and contains exceptions that allow, under various 
circumstances, the disclosure and use of information without the 
consent of the individual. On June 2, 1999, OMB provided additional 
guidance on Internet privacy issues in Memorandum M-99-18, directing 
agencies to post on principal federal web sites privacy policies that 
disclose what information is collected, why it is collected, and how it 
will be used. In a separate report issued earlier, 6 we 
evaluated selected federal web sites' privacy policies against certain 
aspects of applicable laws and guidance, and included a comparison of 
the Fair Information Principles and the Privacy Act. We also have 
ongoing work--which we intend to report on later this year--addressing 
in greater depth the use of cookies on federal web sites.
---------------------------------------------------------------------------
    \5\ A system of records means a group of any records under the 
control of any agency from which information is retrieved by the name 
of the individual or by some identifying number, symbol, or other 
identifying particular assigned to the individual.
    \6\ Internet Privacy: Agencies' Efforts to Implement OMB's Privacy 
Policy (GAO/GGD-00-191, September 5, 2000.
---------------------------------------------------------------------------

                         SCOPE AND METHODOLOGY

    As you requested, we used FTC's methodology to provide a snapshot 
of the privacy practices of two groups of web sites operated by 
executive branch agencies compared to the fair information principles. 
We reviewed a total of 65 sites during July 2000. One group consisted 
of web sites operated by 32 high-impact agencies, which handle the 
majority of the government's contact with the public.7 A 
second group consisted of web sites randomly selected from the General 
Services Administration's (GSA) government domain registration 
database.8 This group consisted mostly of web sites operated 
by small agencies, commissions, or programs. Finally, at your request, 
we assessed the FTC web site itself. (For the purpose of our analysis, 
the FTC site was added to the sites operated by the 32 high-impact 
agencies.)
---------------------------------------------------------------------------
    \7\ According to the National Partnership for Reinventing 
Government, these agencies handle 90 percent of the federal 
government's contact with the public.
    \8\ Our random sample was not large enough to project to the 
universe of federal web sites.
---------------------------------------------------------------------------
    In conducting our survey we generally followed the FTC methodology, 
including the selection of similar groups of web sites and the use of 
its data-collection forms and analytical techniques. We requested--and 
received--training from FTC similar to that provided to staff who 
collected and analyzed its survey information. Our staff underwent 2 
half-days of training by FTC staff on its methodology and content 
analysis procedures for commercial web sites.
    We visited the web sites in our samples from July 12 through July 
21, 2000. We reviewed the web pages within the site--for up to a time 
limit of 15 minutes--to determine whether the site (1) collected any 
personal or personal identifying information, (2) posted a privacy 
statement, information practice statement, or disclosure notice, (3) 
provided individual access to and choice regarding use of the 
information, and (4) provided security over the information. We also 
looked for the placement and disclosure of third-party cookies.

FEDERAL WEB SITES SURVEYED COLLECT PERSONAL DATA BUT VARY IN DEGREE OF 
                      CONFORMITY TO FTC PRINCIPLES

    We found that all of the 65 web sites surveyed collected personal 
identifying information from their visitors. Most sites--85 percent--
posted a privacy notice. However, they varied in the extent to which 
they provided Notice to consumers, allowed consumers Choice and Access 
regarding their information, disclosed that they provided Security for 
the information provided, and allowed and disclosed the placement of 
third-party cookies.
    Using the same scoring methodology that FTC used for commercial 
sites, our survey showed that only 6 percent of the federal high-impact 
agencies and 3 percent of the randomly sampled sites federal web sites 
implemented, at least in part, each of the four fair information 
principles. The following explains how we scored the sites to determine 
conformance with each principle and describes how the federal web sites 
in our survey fared in conforming with each of the principles.
Notice
    The Notice principle is a prerequisite to implementing the other 
principles. We concluded that a site provided Notice if it met all of 
the following criteria: (1) posted a privacy policy, (2) stated 
anything about what specific personal information it collects, (3) 
stated anything about how the site may use personal information 
internally, and (4) stated anything about whether it discloses personal 
information to third parties. Our survey showed that 69 percent of all 
sites visited met FTC's criteria for Notice.
Choice
    Under the Choice principle, web sites collecting personal 
identifying information must afford consumers an opportunity to consent 
to secondary uses of their personal information, such as the placement 
of consumers' names on a list for marketing additional products or the 
transfer of personal information to entities other than the data 
collector. Consistent with such consumer concerns, FTC's survey 
included questions about whether sites provided choice with respect to 
their internal use of personal information to send communications back 
to consumers (other than those related to processing an order) and 
whether they provided choice with respect to their disclosure of 
personal identifying information to other entities, defined as third-
party choice.
    We concluded that a site provided Choice if both internal choice 
with respect to at least one type of communication with the consumer 
and third-party choice with respect to at least one type of information 
were given to individuals. Our survey showed that 45 percent of all 
sites met FTC's criteria for Choice.

Access

    Access refers to an individual's ability both to access data about 
himself or herself--to view the data in the web site's files--and to 
contest that data's accuracy and completeness. Access is essential to 
improving the accuracy of data collected, which benefits both data 
collectors who rely on such data and consumers who might otherwise be 
harmed by adverse decisions based on incorrect data. FTC's survey asked 
three questions about Access: whether the site stated that it allows 
consumers to (1) review at least some personal information about them, 
(2) have inaccuracies in at least some personal information about 
themselves corrected, and (3) have at least some personal information 
deleted.
    We concluded that a site provided Access if it provided any one of 
these disclosures. Our survey showed that 17 percent of all sites met 
the FTC criteria for Access.

Security

    Security refers to the protection of personal information against 
unauthorized access, use, or disclosure, and against loss or 
destruction. Security involves both management and technical measures 
to provide such protections. FTC's survey asked whether sites disclose 
that they (1) take any steps to provide security, and if so, whether 
they (2) take any steps to provide security for information during 
transmission, or (3) take any steps to provide security for information 
after receipt.
    We concluded that a site provided Security if it made any 
disclosure regarding security.
    Our survey showed that 23 percent of all sites met FTC's criteria 
for Security.

Third-Party Cookies

    FTC defines a third-party cookie as a cookie placed on a consumer's 
computer by any domain other than the site being surveyed. Typically, 
in the commercial environment, the third party is an on-line marketing 
organization or an on-line service that tracks and tabulates web-site 
traffic. However, some federal web sites also allow placement of third-
party cookies. Our survey showed that 22 percent of all sites disclosed 
that they may allow third-party cookies and 14 percent allowed their 
placement.
    Mr. Chairman, this concludes my statement. I would be happy to 
respond to any questions that you or other members of the Subcommittee 
may have at this time.

Contact and Acknowledgements

    For information about this testimony, please contact Linda D. 
Koontz at (202) 512-6240 or by e-mail at [email protected]. 
Individuals making key contributors to this testimony include Ronald B. 
Bageant, Scott A. Binder, Mirko J. Dolak, Michael P. Fruitman, 
Pamlutricia Greenleaf, William N. Isrin, Michael W. Jarvis, Kenneth A. 
Johnson, Glenn R. Nichols, David F. Plocher, Jamie M. Pressman, and 
Warren Smith.

    Mr. Tauzin. Thank you. We will now hear from Ms. Katzen, 
Deputy Director of the Office of Management and Budget.

                    STATEMENT OF SALLY KATZEN

    Ms. Katzen. Thank you, Mr. Chairman. I congratulate you on 
having this hearing on this very important issue and I 
appreciate your inviting me to testify on privacy on government 
web sites.
    As the members of this panel know, protecting the privacy 
of American citizens is a very high priority for this 
administration. We have worked hard to ensure that fundamental 
privacy protections are properly safeguarded as our government, 
indeed society at large, moves into the Digital Age. Nowhere is 
this task more important than in the Federal Government's 
obligation to continue to protect the privacy and 
confidentiality of the personal information that it maintains 
and to protect the privacy of individuals in their interactions 
with the government over the Internet.
    Today the Federal Government is increasingly becoming an 
electronic government full of new opportunities to provide 
information easily and quickly to the public. But as everyone 
has noted today, we must be vigilant to ensure that personal 
privacy protections remain constant or improved in the process 
of this transformation. I am proud to be able to testify here 
today about the success of this administration in meeting this 
challenge and in taking major steps to boost the level of 
privacy afforded to American citizens when they access the 
government electronically. Without doubt we have more to learn 
as the government in this time of rapid change in technology 
and information flows; all organizations do, no matter their 
size. But I am confident that we are achieving significant 
progress and clearly heading in the right direction.
    Now to understand the GAO reports on privacy practices, it 
is important to put them in proper context and history, and I 
would begin with the Privacy Act of 1974, as you did, Mr. 
Chairman, in your opening comments. For over a quarter of a 
century, it has afforded Americans strong legal protections for 
personal information stored in government systems of records, 
no matter whether they exist in papers or in electronic form. 
This is not voluntary. This is mandatory. It is the law of the 
land. These protections include notice, prohibitions on the 
unauthorized release of personal information, ability to access 
your records and change errors that may appear, and security 
safeguards as well.
    I would just note that Representative Horn's grades on 
security, which you have mentioned a couple of times now, was 
the subject of another hearing that I participated in, and 
there is grave concern about the methodology that he used and 
the grades that he gave. That is not an uncontested system that 
he established. We believe that the security of the government 
web sites is indeed very strong and will remain so.
    Now, while the Privacy Act provides the bedrock privacy 
protections for Americans in their relationship with 
government, the changes in technologies have produced a 
different world than existed in 1974. And as has been noted, to 
keep current with meaningful privacy protections, the Office of 
Management and Budget has augmented the Privacy Act provisions 
with policy guidance. The agencies' response to that guidance 
has been outstanding.
    For example, in April 1999 a study revealed that just over 
a third of the Federal agencies had privacy policies posted on 
their main web pages. In June, 2 months later, OMB Director 
Jack Lew issued a memo to all agency heads directing them to 
post clearly written privacy policies on their web sites by 
September 1, 1999. Director Lew, echoing the sentiments of Mr. 
Boucher, said we cannot realize the full potential of the web 
until people are confident we protect their privacy when they 
visit our sites.
    The message was received by the Federal agencies, and the 
GAO confirmed this result, in what you have referred to as the 
Lieberman study. This was a study conducted in April 2000 and 
released on September 5, 2000. I call it the first GAO study.
    Now the chairman suggested that GAO found the privacy 
policies to be wanting. In fact, this study found that 69 of 70 
principal agency web sites had a privacy policy posted on their 
sites and all 70 did within days of release of that report. 
Equally impressive, the GAO identified 2,692 major points of 
entry to six Federal Government agencies. These are sites where 
the largest number of people interact with the Federal 
Government. And of the sites they reviewed, GAO found only 9 
lacked privacy policies. This record is impressive, and I 
believe is an accurate picture of Federal privacy policies 
online.
    In view of this, it is, I think, fair to ask why GAO 
reached the conclusions that it did about Federal agencies' 
compliance with the fair information practices written by the 
Federal Trade Commission for commercial web sites, which is the 
second GAO report. The answer, I believe, has more to do with 
the questions that were asked than the practices reported.
    Specifically, the administration pointed out to GAO staff 
in the course of that study that the study was misdirected and 
the answers to the study's questions would likely be 
misleading. GAO has also reported that the FTC independently 
expressed concern that its methodology was ``inappropriate for 
use in evaluating Federal web site privacy policies.''
    Why is this, you might ask. Let me explain. A central 
premise of the study that was done was that the FTC formulation 
of fair information practices for commercial sites could 
appropriately be used to measure the privacy protections of 
government web sites. We think it cannot because the FTC 
practices were designed for the private sector, where the 
Privacy Act and OMB guidance do not apply. This is a very 
important distinction between commercial companies and Federal 
agencies.
    The fact that there is no law establishing privacy 
protection for individuals in the commercial arena led the FTC 
to stress the need for a statement about policies, because 
absent a statement, the companies cannot be held accountable. 
That is, you must have a representation of what you will do and 
not do to be enforceable by the FTC. Government web sites by 
contrast do not have to make any representations to be held 
accountable. The Privacy Act establishes in the most public way 
possible the standards to which citizens can hold Federal 
agencies accountable and exactly how they can hold those 
agencies accountable.
    Thus, the test of whether a Federal web site provides 
privacy protection is not whether it includes a statement that 
makes it comparable with commercial practices, but rather 
whether good privacy protections are in fact in place. And the 
first GAO report, the Lieberman report, showed that the major 
Federal web sites inform citizens of how their data are used at 
their web sites, and I would refer you specifically to page 25 
of that report, which takes each of the fair information 
practices and documents that they are covered either by OMB 
policy or by the Privacy Act. It is against that which the 
first study measured the Federal web sites and it is against 
that standard that they did as well as they have done.
    Now, we recognize that in this Information Age it is 
critical that the Federal Government continue to use technology 
to keep the public informed and provide services to the public 
and stay on the cutting edge of technology. The launch on 
September 22 of firstgov.gov was a major step to enable us to 
continue providing information and resources to the American 
people. In this and many other ways, the need for privacy 
protection online and the need for public confidence in the 
Federal Government's online privacy standards is expected to 
only increase in the years ahead. It would be most unfortunate 
if any misleading conclusions as to the state of privacy on 
Federal web sites interfered with our common goal of achieving 
electronic government without full participation of the public. 
I thank you for holding this hearing and giving me an 
opportunity to testify.
    [The prepared statement of Sally Katzen follows:]

  Prepared Statement of Sally Katzen, Deputy Director for Management, 
                    Office of Management and Budget

    Mr. Chairman and members of the Committee, I thank you for inviting 
me here today to discuss the important topic of privacy on government 
web-sites. As you know, protecting the privacy of American citizens is 
a very high priority for this Administration. We have worked hard to 
ensure that fundamental privacy protections are properly safeguarded as 
our government, and society at large, moves into the Digital Age. 
Nowhere is this task more important than in the federal government's 
obligation to continue to protect the privacy and confidentiality of 
the personal information that it maintains, and, now, to protect the 
privacy of individuals in their interactions with the government over 
the Internet.
    Today the federal government is increasingly becoming an electronic 
government, full of new opportunities to provide services and 
information to the public quickly, easily, and when the public wants 
them. But as you, Mr. Chairman, and so many others here have noted, we 
must be vigilant to ensure that personal privacy protections remain 
constant or are improved in the process of this transformation. I am 
proud to be able to testify today about the success of this 
Administration in meeting this challenge--in taking major steps to 
boost the level of privacy afforded to American citizens when they 
access the government electronically. Without doubt, we have more to 
learn as a government. In this time of revolutionary changes in 
technology and information flows, all organizations do, no matter their 
size. But I am confident that we have achieved significant progress, 
and are clearly heading in the right direction in this critical area.
    To understand the recent General Accounting Office reports on the 
privacy practices of federal agencies on-line, it is helpful to put 
them in their proper context and history. First, there is the Privacy 
Act of 1974, which for over a quarter of a century has afforded 
Americans strong legal protections for personal information stored in 
government systems of records--no matter if they exist in paper or 
electronic form. These protections include notice, prohibitions on the 
unauthorized release of your personal information, the ability to 
access your own records, the ability to change errors in your records, 
and security safeguards, among other protections.
    While this Act provides the bedrock privacy protections for 
Americans in their relations with the government, changes in 
technology--most notably the dramatic increase in Internet-access to 
the government--have produced a different world than existed in 1974. 
To keep current with meaningful privacy protections, the Office of 
Management and Budget has augmented the Privacy Act provisions with 
policy guidance, and the agencies' response, I believe, has been 
outstanding.
    For example, in April 1999, a study revealed that just over one-
third of federal agencies had privacy policies clearly posted on their 
main web pages. In June 1999, OMB Director Jacob J. Lew issued a 
memorandum to all agency heads directing them to post clearly labeled 
and clearly written privacy policies on their web-sites by September 1, 
1999. Director Lew told agencies then, ``We cannot realize the full 
potential of the web until people are confident we protect their 
privacy when they visit our sites.''
    The message was received by federal agencies. The General 
Accounting Office confirmed this result in a review conducted in April 
of 2000 and released on September 5, 2000 (``the first GAO report''). 
This GAO study found that 69 of 70 principal agency web-sites had a 
privacy policy posted on their sites--and all 70 did within days of the 
report's release. Even more impressive, the GAO identified 2,692 major 
Web-site points of entry to six federal government agencies. These are 
sites where the largest number of citizens interact with the Federal 
government. Of the sites they reviewed, GAO found that only nine lacked 
privacy policies.
    This record of progress is impressive, and, I believe, it is an 
accurate picture of the state of Federal privacy policies on-line. It 
is a story of working rapidly, across the expansive federal government 
and across thousands of web-pages, to ensure that citizens' privacy is 
protected when they choose to visit the federal government over the 
Internet.
    As part of our continuing efforts in the area, OMB Director Lew 
issued another memorandum this June to further enhance privacy 
protections on federal web-sites. Director Lew directed that cookies 
will not be used on Federal web-sites, except under very limited 
conditions. He also made clear, as a matter of Federal policy, that 
agencies are to comply with the standards of the Children's Online 
Privacy Protection Act, even though Congress did not include the 
Federal Government within the scope of that law. In addition, he 
directed each agency to describe its privacy practices and the steps 
taken to comply with Administration privacy policies in its budget 
submissions this fall to OMB. In this way, good privacy protection gets 
built into the budget process, emphasizing to everyone in the 
Government the importance of assuring citizen privacy.
    These efforts to boost privacy safeguards have extended to areas 
beyond the federal government's practices on-line, as the 
Administration has supported strengthening citizens' legal privacy 
protections in such areas as medical information, financial records, 
genetic information, and Social Security numbers. These are categories 
of sensitive data that require protection in both the public and 
private sectors.
    In light of this record of significant achievement, you may well 
ask why GAO reached the conclusions that it did about the Federal 
agencies' compliance with the fair information practices written by the 
Federal Trade Commission for commercial web-sites (the second GAO 
report). The answer, I believe, has more to do with the questions that 
were asked than the practices reported. Specifically, the 
Administration pointed out to GAO staff in the course of that study 
that the study was misdirected and that the answers to the study's 
questions would be misleading. GAO also has reported that the FTC 
independently expressed concern that its methodology was 
``inappropriate for use in evaluating federal web site privacy 
policies.''
    The central premise of this particular study was apparently that 
the FTC formulation of fair information practices for commercial web-
sites could appropriately be used to measure the privacy protections of 
government web-sites. We think it cannot. As noted, the FTC practices 
were designed for the private sector, where the Privacy Act and OMB 
policy do not apply. This is an important difference between commercial 
companies and federal agencies, even though both the government and 
businesses often use web-sites for the same core purposes: to provide 
information to consumers and to provide services to the public. The 
fact that there is no law establishing privacy protections for 
individuals in the commercial arena led the FTC to stress the need for 
those web-sites to make clear statements as to their privacy 
protections. The FTC does the same--that is, require clear statements--
about commercial web-site policies with respect to access and security 
practices. It is through these statements that these companies can be 
held accountable.
    Government web-sites, by contrast, do not have to make any 
representations to be held accountable. The Privacy Act establishes--in 
the most public way possible--the standards to which citizens can hold 
federal agencies accountable and exactly how they can hold agencies 
accountable. Thus, the test of whether a federal web-site provides 
privacy protection is not whether it includes statements that make it 
compatible with commercial practices, but rather whether good privacy 
protections are in place. The first GAO report confirmed that they are: 
When government web-sites were measured against government privacy 
standards, the results were impressive.
    In this Information Age, it is critical that the federal government 
continues to use technology to keep the public informed and to provide 
services for the public. The launch of the Federal government's 
FirstGov web-site on September 22 was a major step to enable easy 
access to government resources on-line. In this and many other ways, 
the need for privacy protection on-line--and the need for public 
confidence in the Federal government's on-line privacy standards--is 
expected to only increase in the years ahead. It would be most 
unfortunate if any misleading conclusions as to the state of privacy on 
federal web-sites interfered with our common goal of achieving an 
electronic government with full public participation.
    As I said before, the federal government can, and should, continue 
to improve in its protection of the privacy of those individuals who 
access government web-sites. The first GAO report pointed out that we 
could do a better job of posting privacy policies at specific Federal 
web pages where a substantial amount of personal information is 
collected. That report also made recommendations about how OMB might 
provide clearer guidance to agencies, and we are working with the 
Federal CIO Council to respond to those recommendations. Beyond that, I 
think that we will learn much from the privacy materials included with 
the agency FY 2002 budget submissions to OMB. At the same time, I would 
again emphasize that the Administration's record on privacy protection 
in this area is strong, with a resolute commitment to safeguard 
personal privacy.
    I thank you, Mr. Chairman, for holding this hearing today and for 
inviting me to testify. I look forward to continuing to work with you 
and the other members of this committee in making the federal 
government a model of good privacy practices.

    Mr. Tauzin. Mr. Roger Baker, Chief Information Officer of 
the U.S. Department of Commerce.

                   STATEMENT OF ROGER W. BAKER

    Mr. Baker. Thank you, Mr. Chairman. Thank you for inviting 
me to testify before the committee today. I am testifying as 
the Chairman of the Chief Information Officers Council 
Subcommittee on Privacy. However, as a practicing Chief 
Information Officer for an agency, my testimony also includes 
some anecdotal information from the Department of Commerce.
    I would like to make three points: First, privacy is an 
important issue for Chief Information Officers throughout the 
government and the Federal CIO Council. Second, our fundamental 
guidance on privacy inside the Federal Government comes from 
the Privacy Act, other applicable Federal laws and OMB policy, 
and that in the past 2 years we have made substantial progress 
in both the quality and quantity of the privacy policies posted 
on Federal web sites and significantly raised the awareness of 
privacy issues within the Federal information technology 
community.
    First, privacy is an important issue for the Federal CIO 
Council. By creating a Subcommittee on Privacy, the Federal CIO 
Council signaled to all Federal information technology workers 
that protecting the personal privacy of the public is one of 
the key issues facing us today.
    The American public provides government agencies with the 
most sensitive of personal information. It is our duty as 
Federal employees to protect this information to the best of 
our ability. This means that our information systems must be 
secure from intrusion and the systems must work in accordance 
with applicable Federal laws. The CIO Council keeps this issue 
at the forefront of IT discussions by making it a key part of 
our annual strategic plan, by including privacy in the 
conferences we support and the speeches we make, and providing 
agencies with best practices or examples of how to improve the 
privacy and security aspects of their information systems.
    There are many examples of these best practices for privacy 
and security on the CIO Council web site at www.cio.gov.
    I would like to submit with my testimony the privacy impact 
assessment best practices developed by the IRS and recommended 
by the Security, Privacy and Critical Infrastructure Committee 
for use by all Federal agencies. The CIO continues to work with 
OMB and others to identify further best practices and other 
useful guidance to be provided to agencies to help them in 
their efforts to protect personal privacy on the Internet and 
other information systems.
    Second, our fundamental guidance on privacy inside the 
Federal Government comes from the Privacy Act and other 
applicable Federal laws. Federal information systems, including 
Internet web site servers, are subject to the provisions of the 
Privacy Act. OMB has issued policy directives regarding privacy 
protections on Federal web sites that focus on a number of 
issues. First, that all major entry points and all points where 
personal information is collected should have easily accessible 
privacy policies posted; second, that those privacy policies be 
clearly written and reflect actual agency policy with regard to 
the collected information; third, those policies are in 
accordance with the Privacy Act and other laws and guidance 
that may be applicable to specific agencies; and, fourth, that 
there is a presumption against the use of technologies that 
allow the tracking of activities over time and across different 
web sites; for example, persistent cookies as differentiated 
from session cookies, unless a high level of approval is 
obtained.
    The CIO Council has worked closely with OMB to support the 
development and implementation of these directives. As a result 
of an example of this work, I would like to submit the privacy 
policy posted on the main page of the Census Bureau's Internet 
web site, www.census.gov. While admittedly somewhat long, this 
privacy policy clearly conveys the types of information that 
may be collected, how used and the specific legal protections 
provided that information. I used the Census privacy policy as 
an example because it involves both the Privacy Act and Title 
13 protections.
    Mr. Chairman, I believe the following points were made in 
the GAO report, but they are so important I will quickly make 
them again.
    Federal records are covered by specific laws that give 
individuals specific rights and the remedies if their private 
information is disclosed. These laws apply whether or not a 
privacy policy is posted on a Federal web site. There are no 
equivalent laws covering nongovernmental systems. The FTC rules 
regarding privacy policies for private sector web sites are 
meant to establish a legal basis under which a private sector 
web site operator can be held responsible for the protection of 
private information collected on a web site. Once posted, the 
privacy policy falls under the jurisdiction of the FTC, which 
uses existing laws to hold companies to the promises they make 
to the consumers.
    In short, if a private sector web site does not post a 
privacy policy, there is no ready legal recourse available to 
an individual whose privacy has been violated. In contrast, the 
Privacy Act and other laws apply even if a Federal web site 
does not post a privacy notice. We can and should do a better 
job of communicating the protections that the Privacy Act and 
other Federal laws provide users on Federal web sites, but we 
should continue to use existing Federal laws or guidance in 
these areas instead of the FTC policies clearly intended to 
achieve a different purpose.
    In the past 2 years we have made substantial progress in 
both the quantity and quality of privacy policies posted on 
Federal web sites. In 1999, the secretary of commerce called on 
private sector web site operators to improve their privacy 
practices, placing special emphasis on the need for: One, 
posting privacy policies; and,second, that policies include the 
fair information practices of notice, choice, access and 
security. We quickly recognized that we also needed to make 
major improvements in our own web site privacy policies, both 
at the Department of Commerce and throughout the Federal 
Government. Working with OMB, we raised the profile of the 
privacy issues with both agency and technical management and 
made substantial strides in both the quality and quantity of 
privacy practices posted on Federal web sites. And I won't go 
through the GAO reports again, since you have that information.
    Clearly we made a major improvement, and I believe this is 
evidenced by the examples from the Census Bureau. The overall 
qualities of these privacy policies have seen substantial 
improvement as well.
    In closing, I would like to reiterate my main points. 
Privacy is a very important issue for agency CIOs and the 
Federal CIO Council. Our fundamental guidance on privacy inside 
the Federal Government comes from the Privacy Act and other 
applicable laws and OMB guidance, and in the past 2 years I 
believe we have made substantial progress in quality and 
quantity of privacy policies posed on Federal web sites.
    Thank you for your time and I look forward to any questions 
you may have.
    [The prepared statement of Roger W. Baker follows:]

Prepared Statement of Roger W. Baker, Chief Information Officer, United 
                     States Department of Commerce

    Mr. Chairman and members of the Committee: Thank you for inviting 
me to testify before the committee today. I am testifying in my role as 
the Chairman of the Federal Chief Information Officer's Council 
subcommittee on Privacy. However, as a practicing CIO, I will also 
include some anecdotal information from my agency, the Department of 
Commerce.
    In my testimony today, I would like to make three points.

 Privacy is an important issue for agency CIOs and the Federal 
        CIO Council.
 Our fundamental guidance on privacy inside the federal 
        government comes from the Privacy Act, other applicable federal 
        laws, and OMB policy.
 In the past two years, we have made substantial progress in 
        both the quantity and quality of privacy policies posted on 
        federal web sites, and significantly raised the awareness of 
        privacy issues within the federal IT community.
Privacy is an important issue for CIOs and the Federal CIO Council.
    By creating a subcommittee on privacy, the Federal CIO Council 
signaled to all federal information technology workers that protecting 
the personal privacy of the public is one of the key issues facing us 
today. The American public provides government agencies with the most 
sensitive of personal information. It is our duty, as federal 
employees, to protect this information to the best of our ability. This 
means that our information systems must be secure from intrusion, and 
that these systems must work in accordance with applicable federal 
laws.
    The CIO Council keeps this issue at the forefront of IT discussions 
by making it a key part of our strategic plan, by including privacy in 
the conferences we support and speeches we make, and by providing 
agencies with ``best practices'' to provide them with examples of how 
to improve the privacy and security aspects of their information 
systems.
    There are many examples of these ``best practices'' for privacy and 
security on the CIO council web site at www.cio.gov. I would like to 
submit with my testimony the Privacy Impact Assessment best practice 
developed by the Internal Revenue Service and recommended by the 
Security, Privacy, and Critical Infrastructure Committee for use by all 
federal agencies. The Privacy Impact Assessment best practice provides 
agencies with a template for evaluating and certifying that an 
information system has been implemented in accordance with applicable 
agency policies and federal laws on privacy.
    The CIO Council will continue to work with OMB and others to 
identify further best practices and other useful guidance that can be 
provided to agencies to help them in their efforts to protect personal 
privacy on the Internet and other information systems.

Our fundamental guidance on privacy inside the federal government comes 
        from the Privacy Act and other applicable federal laws.

    Federal information systems, including Internet web servers, are 
subject to the provisions of the Privacy Act. In addition, OMB has 
issued policy directives regarding privacy protections on federal web 
sites that focus on a number of issues. First, that all major entry 
points and all points where substantial personal information is 
collected should have easily accessible privacy policies posted. 
Second, that those privacy policies be clearly written and reflect 
actual agency policies with regard to the collected information. Third, 
that those policies are in accordance with the Privacy Act and other 
laws and guidance that may be applicable to specific agencies. And 
fourth, there is a presumption against the use of technologies that 
allow the tracking of the activities of users over time and across 
different web sites (for example, persistent cookies) unless high-level 
approval is obtained. The CIO Council has worked closely with OMB to 
support the development and implementation of these directives.
    As an example of the results of this work, I would like to submit 
into the record the privacy policy posted on the main page of the 
Census Bureau's Internet web site, www.census.gov. While somewhat long, 
this privacy policy clearly conveys the types of information that may 
be collected, how that information will be used, and the specific legal 
protections provided that information. I use the Census privacy policy 
as an example because it involves both the Privacy Act and Title 13 
protections.
    Mr. Chairman, I believe the following points were made in the GAO 
report, but they are so important that I will quickly make them again. 
Federal systems of records are covered by specific laws that give 
individuals specific rights and remedies if their private information 
is disclosed. These laws apply whether or not a privacy policy is 
posted on a federal web site. There are no equivalent laws covering 
non-governmental systems. The FTC rules regarding privacy policies for 
private sector web sites are meant to establish a legal basis under 
which a private sector web site operator can be held responsible for 
the protection of private information collected on a web site. Once 
posted, the privacy policy falls under the jurisdiction of the FTC, 
which uses existing laws to hold companies to the promises they make to 
consumers.
    In short, if a private sector web site does not post a privacy 
notice, there is no ready legal recourse available to an individual 
whose privacy has been violated. In contrast, the Privacy Act and other 
laws apply even if a federal web site does not post a privacy notice.
    We can and should do a better job of communicating the protections 
that the Privacy Act and other federal laws provide users on federal 
web sites. But I believe we should continue to use existing federal law 
as our guidance in this area, instead of FTC policies clearly intended 
to achieve a different purpose.

In the past two years, we have made substantial progress in both the 
        quantity and quality of Privacy Policies posted on federal web 
        sites.

    In 1999 the Secretary of Commerce called on private sector web site 
operators to improve their privacy practices, placing special emphasis 
on the need for (1) posting privacy policies and (2) policies include 
the fair information practices of notice, choice, access, and security. 
We quickly recognized that we, also, needed to make major improvements 
in our own web site privacy policies, both at Commerce and throughout 
the federal government. Working with OMB, we raised the profile of the 
privacy issue with both agency and technical management, and made 
substantial strides in both the quantity and quality of privacy 
policies posted on federal web sites. A recent GAO report concluded 
that 69 out of 70 agency main pages had privacy policies clearly 
posted. Further, GAO identified 2692 major points of entry to six 
federal agencies. Of the sites they reviewed, GAO found that only 9 
lacked privacy policies. This, clearly, is a major improvement. And, as 
is evidenced by the example from the Census Bureau, the overall quality 
of these privacy policies has seen substantial improvement as well.
Closing
    Mr. Chairman, in closing I would like to reiterate my main points.

 Privacy is an important issue for agency CIOs and the Federal 
        CIO Council.
 Our fundamental guidance on privacy inside the federal 
        government comes from the Privacy Act, other applicable federal 
        laws, and OMB guidance.
 In the past two years, we have made substantial progress in 
        both the quantity and quality of Privacy Policies posted on 
        federal web sites.
    Thank you for your time. I look forward to any questions you may 
have.

    Mr. Tauzin. Thank you, Mr. Baker. The Chair recognizes 
himself for 5 minutes. There is another story on the web on 
Yahoo News that is quite relevant, Ms. Katzen. It is entitled 
``FTC to Apply Law to Web Sites,'' and it leads, ``Contrary to 
Federal directive, major government web sites, including the 
one operated by the White House, are not adhering to a law that 
requires companies to obtain parental consent before soliciting 
personal information from children. The web site invites 
children to submit personal information along with e-mail 
messages to the President and First Family, and there is no 
warning that children first get parental consent before sharing 
this information.''
    Is the White House violating the Federal law?
    Ms. Katzen. No, it is not. COPPA, the Children's Online 
Privacy Protection Act, does not apply to the Federal 
Government.
    Mr. Tauzin. Isn't that wonderful?
    Ms. Katzen. Excuse me, if I may explain the practices, 
because this is a statement that has been made time and again 
in the press.
    By law we are not covered by COPPA. However, we have taken 
every step that we can, consistent with our being a unique 
place, to meet the spirit of COPPA. COPPA was to protect 
children from marketers who would seek to exploit them----
    Mr. Tauzin. I want to ask you: Does not the June memorandum 
state that all Federal web sites and contractors when operating 
on behalf of agencies shall comply with the standards set forth 
in the Children's Online Privacy Protection Act?
    Ms. Katzen. Yes, but one of the conditions of COPPA is if 
you are going to get personal information for a one-time 
contact, you must destroy the record. The Presidential Records 
Act does not allow us to destroy records.
    Mr. Tauzin. Does not COPPA require the advice to children 
to get parental consent?
    Ms. Katzen. Yes. And on five different----
    Mr. Tauzin. And is the White House complying with COPPA 
today?
    Ms. Katzen. It is not required to comply with----
    Mr. Tauzin. Does the memorandum require it to?
    Ms. Katzen. The memorandum says do what we can, and we are 
working on systems to enable us not to destroy records. The 
Presidential Records Act, the security that attends the White 
House, and other considerations make the White House very 
different from what COPPA was designed to do.
    Mr. Tauzin. I am going to run out of time. I want to go to 
some other witnesses.
    Mr. Cox. Mr. Chairman, if you would yield on this point. 
Having served in the White House Counsel's Office, I am well 
aware of the Presidential Records Act, which has not been 
followed by this administration in any case. But why do you 
need to collect the information from the kids in the first 
place? Then you would not have a record to destroy.
    Ms. Katzen. Children do not have to provide any information 
to send a letter to the White House. If you want a response, 
you need to provide an e-mail address or a regular address. 
That is the information which COPPA says we would have to 
destroy if we obtained it from the child in the first instance. 
It is for that reason that on the White House Home Pages, which 
are here, it says on at least five occasions, make sure that it 
is okay with your parents. We cannot respond to your message 
without your address, but you can write us and tell us what you 
think without any information from you coming in.
    Mr. Tauzin. Reclaiming my time, does EPA require that? Does 
EPA advise----
    Ms. Katzen. Yes, and the site you were talking about has 
been taken down.
    Mr. Tauzin. Taken down today?
    Ms. Katzen. No, it was taken down on Friday.
    Mr. Tauzin. Right before this hearing.
    Ms. Katzen. It was taken down as soon as it was brought to 
our attention that there was a violation. When we learned----
    Mr. Tauzin. I have to control my time. Let me ask the other 
witnesses, you keep referring to the fact that Federal agencies 
don't need to post their privacy policies and say what they are 
collecting and how they are collecting it and who they are 
sharing it with because Federal agencies are covered by the 
Privacy Act. We have information on the Privacy Act. The 
Privacy Act provides 12 different exceptions, 12 exceptions 
provided by law for information collected by the Federal 
Government to be shared with other people. They include, for 
example, for routine uses defined in the act, to other offices 
and employees of the agency, to a recipient who has provided 
the agency with an adequate advance written assurance that the 
record will be used solely for statistical research. It allows 
the sharing of private information to persons pursuant to 
showing of compelling circumstances of health, to Members of 
Congress, to the Controller General, by an order of court, to a 
consumer reporting agency, 12 different exceptions by which 
consumer information can be shared with other people, and 
Federal agencies only say that we are complying with the 
Privacy Act.
    How do consumers know without getting a lawyer and getting 
a lawyer to explain what is in fact happening to his private 
information under this Privacy Act?
    Mr. Baker. I certainly wouldn't want to imply that I don't 
believe agencies should have privacy policies. I have worked 
hard to get agencies to have privacy policies.
    Mr. Tauzin. Shouldn't Federal agencies post their privacy 
policies just like people in the commercial sector so consumers 
know without getting a lawyer what is going to be shared with 
whom?
    Mr. Baker. Federal agencies should post a privacy policy 
which should reflect the Federal law which applies to them, and 
I certainly as Chief Information Officer would not advise 
anyone working for me to not comply.
    Mr. Tauzin. You are saying that it is our fault we wrote a 
law that lets these agencies share information so consumers be 
damned? Or should the Federal Government--let me pose a 
question to you as clearly as I can.
    If the FTC and, for that matter, Members of Congress are 
harping on the private sector to do more about informing 
consumers what information is being collected about them, how 
it is being shared and to whom it is being sent, should not 
Federal agencies live by the same standard, particularly where 
information is being shared with Federal agencies in a 
nonvoluntary situation?
    Ms. Katzen. They are, and they should be.
    Mr. Tauzin. I am asking Mr. Baker.
    Mr. Baker. I'm sorry?
    Mr. Tauzin. Let me ask it again as carefully as I can. If 
the FTC is setting up standards by which it is going to judge 
private sector web sites on the basis of whether or not they 
adequately inform consumers what information is being gathered 
and how it is being used and to whom it is being shared so that 
consumers can be warned, should not the Federal agencies by 
which consumers and constituents interact with information that 
is not necessarily voluntarily presented to the government, in 
many cases mandatorily provided to the government, shouldn't 
the Federal agencies be under a higher standard to do that, to 
inform consumers precisely about what information is being 
gathered, what it is being used for and to whom it is going to 
be shared with instead of hiding behind a law that has 12 
exceptions that the consumer doesn't even know about?
    Mr. Baker. I think Federal agencies should be as clear as 
they can. Again the Census Bureau example, I believe it is 
pretty clear about what the protections are. The Privacy Act is 
there and that is what we have used as our guidance.
    Mr. Tauzin. Ms. Koontz, did the IRS in fact have a cookie 
on its web site?
    Ms. Koontz. Using the FTC methodology, we identified a 
third party cookie in use at the IRS. In fairness to everyone 
here, the cookie that we identified was one that is placed on 
the visitors' hard drive when they are in the process of 
leaving the IRS site. The reason we picked this up----
    Mr. Tauzin. Wait. I want to understand that. We have a 
Federal policy discouraging--the memorandum discourages cookies 
on Federal web sites. But there are exceptions and cookies are 
allowed if the head of the agency allows a cookie on the 
Federal web site. Are you telling me in your investigation, in 
your survey, you did discover that the IRS had a cookie on its 
web site that visitors could click onto and have information 
shared with third parties?
    Ms. Koontz. When you were clicking onto a link that led you 
to another web site, the receiving web site was placing a 
cookie on your hard drive as you were exiting.
    Mr. Tauzin. Was that authorized by the head of the agency?
    Ms. Koontz. I didn't ask them.
    Mr. Tauzin. How many web sites had cookies?
    Ms. Koontz. There were eight web sites that had cookies.
    Mr. Tauzin. Out of the 65 that you surveyed, there were 
eight Federal web sites that had cookies by which third parties 
could gather information about citizens who visited those web 
sites?
    Ms. Koontz. Yes. I want to be clear. This is third party 
cookies identified using FTC's methodology.
    Mr. Tauzin. I understand. The gentleman from Virginia, Mr. 
Boucher.
    Mr. Boucher. Thank you. Let me ask our witnesses this 
morning if there is any reason why we shouldn't simply extend 
the protections of COPPA, which essentially require before any 
information is collected from children, that the permission of 
parents be obtained, to the Federal Government? Why should we 
not do that?
    Ms. Katzen. I don't have any problem with that. As the 
chairman noted, we have a memorandum from OMB instructing the 
agencies that they should comply, and if the law were expanded 
to cover Federal sites, it would be fine.
    It may mean that when children write to the White House and 
ask for a picture of the President, they want a glossy picture, 
we could not respond unless they wrote their request on paper 
and provided a postal address for return mail. But aside from 
the inhibition on incoming requests for pictures or papers from 
the White House, there is no reason why the law should not be 
expanded. We believe strongly in COPPA and have supported it. 
Whenever we find that someone is not complying, we take down 
that site.
    Mr. Boucher. Do either of the other witnesses have anything 
to add to that?
    Ms. Katzen, you were attempting to provide an answer about 
current White House web site practices with respect to the 
Children's Online Privacy Protection Act. I think you did not 
get a full opportunity to answer that question, and I would 
like to afford that to you if you would like to do that.
    Ms. Katzen. Thank you very much, Mr. Boucher. We had 
originally had a White House kids page, which got a lot of 
requests from children and we knew that it would be covered 
within the spirit, if not the letter, of COPPA.
    At the time we had asked for the child's name, the address, 
the e-mail address, the school, what grade they were in, a lot 
of different questions. Because of COPPA, we stripped that down 
to the bare essentials, the minimization principle, which is so 
prevalent in privacy discussions, and we only asked for that 
information if they wanted us to respond to them, not if they 
were simply communicating one way to us.
    Also, we placed throughout the site in a number of places 
warnings that children should be talking to their parents, that 
they should be involving their parents in this. Finally, we 
have been negotiating with NARA, the National Archives, to see 
whether we could get an exception from the Presidential Records 
Act, as we have for bulk mail, for example, or if we could put 
these children's addresses, just to send them a picture of the 
President or Socks or Buddy, if we could put those addresses in 
a separate file or folder and/or destroy them so we don't 
retain that kind of information. Our objection is to protect 
children's privacy and to engage parents. We think COPPA is 
good law.
    Mr. Boucher. And you would not object to having it extended 
to Federal Government sites generally?
    Ms. Katzen. Correct.
    Mr. Boucher. Good. Let me hear your response to suggestions 
that I made earlier, that the time has now come for Congress to 
accept the invitation of the FTC and legislate a set of minimum 
guarantees for the privacy protection of visitors to web sites, 
including the requirement that web sites post a notice of what 
information they collect and how it is used, and then provide 
an opt-out opportunity.
    Is there any reason why we should not extend that set of 
guarantees not only to the practices of commercial web sites 
but also government web sites?
    Ms. Katzen. For the most part the actual substance of what 
you want to provide exists now in the law. In terms of 
legislation, this administration has taken the position that 
the most sensitive information should be protected first and 
foremost, so we have worked on financial records, we have 
worked on medical records. These are areas where we think that 
it is essential to provide adequate protection because they are 
so sensitive. If we could have those types of procedures in 
place for the very sensitive information, we would very much 
want to work toward the next step, which is to extend the scope 
of protecting privacy.
    There are difficult questions, as Mr. Goodlatte and you 
have discussed--the balancing between giving out information 
and restricting the use of that information. But we have 
repeatedly called for more stringent protections, for 
financial, for medical, for genetic information and for Social 
Security numbers. There is a vast area that are specific 
problems have occurred.
    Mr. Boucher. I gather the answer to the question is you are 
not sure and perhaps we need to consider further whether to 
extend that minimum set of guarantees not only to commercial 
web sites, but to government web sites as well?
    Ms. Katzen. I think it is an important step, but I think 
the other steps are more important and should take priority in 
any legislative proposal.
    Mr. Boucher. May I have unanimous consent to proceed for 1 
additional minute?
    Mr. Tauzin. Without objection, so ordered.
    Mr. Boucher. Ms. Katzen, do you believe there are any 
statutory provisions that need to be adopted beyond what we 
have heard this morning? Do you have any recommendations for 
additional statutory provisions which would aid privacy of 
Internet users?
    Ms. Katzen. Yes, sir. The administration has a proposal to 
plug the loophole in Gramm-Leach-Bliley on financial records, 
which would enable consumers to know when information is being 
shared with affiliates of the organization. That bill in before 
the Congress. Mr. Markey has been active on that issue as well, 
I believe.
    Medical health is another area. We have for 2 years 
requested Congress to move forward on medical health records. 
This is an area which is terribly important to people, whether 
it be sensitive matters like mental health records or HIV 
testing, or commonplace like mammograms. There is a story on 
NPR this morning about a woman who was fired after information 
about breast cancer became available.
    The administration also has a Social Security bill to 
protect the sale and profiteering from selling Social Security 
numbers.
    Genetic discrimination has been in committee for a long 
time. Ms. Slaughter's bill has been one that we have been 
supporting and hoping Congress would pass. These are things 
that touch the lives of American people in a real way, not----
    Mr. Boucher. Thank you.
    Mr. Tauzin. The gentleman's time has expired.
    Mr. Boucher. Thank you.
    Mr. Tauzin. The Chair recognizes the gentleman from 
Illinois.
    Mr. Shimkus. Mr. Chairman, I yield my time to the gentleman 
from California. My brother-in-law was testifying before 
another committee, on the Government Reform Committee on 
anthrax. I got a chance to introduce him, and because of that I 
wasn't here to hear all of the testimony. In lieu of my being 
able to fully listen, I am going to yield my time to the 
gentleman from California.
    Mr. Tauzin. Mr. Cox from California.
    Mr. Cox. Thank you, and I will proceed out of order in that 
case. We begin with the GAO report telling us that most of our 
Federal agencies are not complying with the rules that we apply 
throughout the private sector when it comes to privacy. In 
fact, only 3 percent of agencies are implementing all or at 
least part of all of the FTC's requirements; and in particular 
the most disturbing, to me at least, finding is that so many 
agencies are placing cookies on the computers of people who log 
on.
    I don't understand why the Office of Management and Budget 
in its latest guidance continues to permit the use of cookies 
by Federal agencies, continues to authorize the placement of 
cookies on citizens' computers, and I wonder if from OMB's 
perspective there is a good reason that we should have such 
vague rules about cookies. OMB doesn't differentiate between 
temporary and permanent cookies in its guidance. It is very, 
very brief, just a few paragraphs. Director Lew says that 
agency heads can approve putting cookies onsites. We have 
agencies then who are quoted in this article from Wired News 
saying that they are quite sure that their agency heads will 
approve this and continue to use the cookies.
    The National Endowment for the Humanities says that they 
will continue to use cookies. The agency head was on vacation, 
that is what they told the reporter, but they were sure that 
the agency head would approve the gathering of information from 
citizens who log onto that site.
    The Federal Energy Regulatory Commission actually says we 
generally do not use cookies; but according to Wired, anyone 
who stops by the FERC home page will receive a cookie and it 
will not expire until December of 2010.
    The Department of Transportation has placed cookies on 
citizens' computers logging onto it that will last 34 years, 
and these are persistent cookies. They track your web activity 
after you leave the site.
    So from the standpoint of OMB, why shouldn't we just say no 
cookies? Why are you putting cookies on people's computers? If 
you are investigating, I understand it. If somebody is not 
under investigation, why do we put a cookie on their computer, 
and why would that cookie track their activity when they left 
the site?
    Ms. Katzen. I think you raise a very important question to 
which my bottom line answer is that we shouldn't, and that is 
why the OMB policy was written. I think it is important to note 
that GAO did its study in July of 2000. We had issued the Lew 
memorandum, no cookies on this--presumption of no cookies in 
late June. So it has taken some time----
    Mr. Cox. But the Lew memorandum doesn't say no cookies.
    Ms. Katzen. It says there should be a presumption against 
cookies. Incidentally, there is a clarification on the session 
cookies point. There is a letter to Roger Baker from John 
Spotilla, who is the Administrator of the Office of Information 
and Regulatory Affairs, that says when you are logging on for a 
single session and you want to make a purchase order at the 
Mint, for example, and you have put in your name and address, 
and because you can't remember which things you wanted to buy, 
you want to open up another window and come back to the order 
form, having the session cookie there means that you can 
complete that one transaction. That cookie disappears when you 
have finished the transaction and log off, and that is the 
clarification of September 5 to Roger Baker.
    There are other reasons, whether they be national 
security----
    Mr. Tauzin. Can we have a copy of that clarification for 
the record, Mr. Baker?
    Ms. Katzen. I have one here.
    [The following was received for the record:]

                  Executive Office of the President
                            Office of Management and Budget
                                                  September 5, 2000
Roger Baker
Chief Information Officer
U.S. Department of Commerce
Room 5033
14th & Constitution Avenue, NW
Washington, DC 20230
    Dear Roger: Thank you for your letter of July 28, 2000, regarding 
OMB Memorandum 00-13 on ``Privacy Policies and Data Collection on 
Federal Web Sites.'' We appreciate the CIO Council's strong support for 
protecting the personal information of citizens who visit federal web 
sites. We also stand ready to assist agencies as needed in implementing 
this guidance.
    The President and the Vice President are strongly committed to the 
protection of privacy rights. They believe that the federal government 
should serve as a model of good privacy practices. Agencies need to be 
particularly careful before launching any effort to gather information 
on the activities of citizens who visit federal web sites. As we work 
to promote customer service, we must keep privacy concerns in mind.
    In this spirit, OMB issued Memorandum 00-13, which aims 
specifically at the tracking of ``the activities of users over time and 
across different web sites.'' As you correctly point out, a principal 
example of such is the use of persistent cookies. In accord with the 
Memorandum, federal web sites should not use persistent cookies unless 
four conditions are met:

 The site gives clear and conspicuous notice;
 There is a compelling need to gather the data on the site;
 Appropriate and publicly disclosed privacy safeguards exist 
        for handling any information derived from the cookies; and
 The agency head gives personal approval for the use.
    We are concerned about persistent cookies even if they do not 
themselves contain personally identifiable information. Such cookies 
can often be linked to a person after the fact, even where that was not 
the original intent of the web site operator. For instance, a person 
using the computer later may give his or her name or e-mail address to 
the agency. It may then be technically easy for the agency to learn the 
complete history of the browsing previously done by users of that 
computer, raising privacy concerns even when the agency did not 
originally know the names of the users.
    We recognize that agency web sites can also seek information from 
visitors in ways that do not raise privacy concerns. Specifically, they 
may retain the information only during the session or for the purpose 
of completing a particular online transaction, without any capacity to 
track users over time and across different web sites. When used only 
for a single session or transaction, such information can assist web 
users in their electronic interactions with government, without 
threatening their privacy. One example of such an approach that 
supports electronic government would be the use of a shopping cart to 
purchase a number of items online from the U.S. Mint. Another example 
would be the current technology that assists users in filling out 
applications that require accessing multiple web pages on the 
Department of Education's Direct Consolidation Loan site. We do not 
regard such activities as falling within the scope of Memorandum 00-13.
    In your letter, you also inquired whether we should extend the 
policy guidance in Memorandum 00-13 to agency intranet sites as well as 
agency external internet web sites. The guidance, of course, focuses on 
internet traffic between the government and citizens. You raise an 
important issue, however, and we look forward to working with the CIO 
Council to review our policies regarding agency intranets.
    Thank you again for sharing your insights and those of our CIO 
Council colleagues. Your creativity and support are indispensable to 
our electronic government efforts.
            Sincerely,
                                                    John T. Spotila

    Mr. Cox. What is the national security reason that we want 
to track the usage of the web by American citizens?
    Ms. Katzen. I cannot tell you that there is one.
    Mr. Cox. You just did.
    Ms. Katzen. I was interrupted when I was saying that if the 
agency head is presented with a compelling case for why this is 
crucial to the agency's mission or otherwise endangers some 
facet of their operation, then the agency head is to consider 
that information and make a decision. They are then to report 
that to OMB, where we will have a chance to review that. We 
will be getting information about this kind of situation and we 
will be monitoring it. I don't know offhand the kinds of 
situations that will be presented. We are talking about changes 
in technology that are happening very rapidly and practices 
that are changing very rapidly. And for us to try to set policy 
that says no way, no how, never, never, never, I think is to 
fly in the face of what we have seen.
    Mr. Cox. We are so far away from that with the Lew 
memorandum. The Lew memorandum, far from saying never, ever, 
ever, puts it at the discretion of every agency head.
    Ms. Katzen. It is not unbridled discretion because you have 
to have privacy policies in place. You have to have other kinds 
of----
    Mr. Cox. As I just quoted from the Wired News article, the 
agency heads or the people who work at these agencies have 
concluded, for whatever reason, for statistical purposes, 
collecting information about the use of their site, they can 
continue to put cookies onto people's computers, 
notwithstanding the Lew memorandum. That article was written 
after the Lew memorandum went out. Obviously people are not 
taking this as an instruction no longer to put cookies onto 
people's sites.
    Last, with respect to COPPA, this business about the 
Presidential Records Act and now being able to respond to 
someone is relevant only if you are trying to end run the law 
because, as you know, the law, the basic provision of the law 
that the whole rest of the country is complying with is that 
you get parental consent. Verifiable parental consent is the 
touchstone of the law. If the White House were willing to live 
by the same rules as everyone else in America was living by, 
they would get parental consent and respond to kids in that 
way. The only reason that it becomes relevant that you destroy 
the information is if you were trying to do an end run around 
that requirement. There is an exception where consent is not 
required in narrow circumstances and you are trying to exploit 
that provision by importing the Presidential Records Act as the 
reason that you can't get it done. Why can't you just comply 
with the law?
    Ms. Katzen. The exception that you note is the one-time 
contact and that is the situation that I am talking about. If 
you write in and say I want a picture of the President, it is 
only a one time contact. We are not trying to build a track 
record or a long-term relationship with the child. That is not 
an end run around the statute. It is recognizing, as Congress 
did, that if you are not going to build a long-term 
relationship, you don't need verifiable consent. Verifiable 
consent on a one-time contract only doesn't make a whole lot of 
sense. To have a child say I want a picture of Socks, and we 
respond: have your parent fill out a form and fax it in and 
when we get that, we will send the picture is a little bizarre. 
That is why that exception has that built in.
    Mr. Tauzin. The Chair recognizes the gentlewoman from 
Missouri, Ms. McCarthy.
    Ms. McCarthy. I have no questions at this time.
    Mr. Tauzin. The Chair recognizes the gentleman from Texas, 
Mr. Green.
    Mr. Green. Thank you, Mr. Chairman. Ms. Katzen, the 
chairman outlined loopholes in the Privacy Act of 1974 and do 
you believe that the Privacy Act of 1974 is outdated and may 
allow the distribution of personal information cited by the 
Federal Government?
    Ms. Katzen. I think the Privacy Act has served us well for 
the last quarter century. I am always open to relooking at it 
to see whether in an age where we act faster with faxes and 
Internet, instead of more leisurely types of communication, 
some different language has to be included.
    But if GAO asks us, or Congress in its oversight function 
asks us, for information, we are going to provide it, and I 
think citizens know that is the case. Those are the kinds of 
exceptions that are in there.
    Routine use--to establish a routine use that the chairman 
mentioned, the agency has to publish a description of what it 
is they want to do--for example, they are going to take your 
information and share it with this bureau or that bureau for 
this purpose or that purpose. It is written in the Federal 
Register. Comments can be filed. It is a very public process.
    So my instinct is that for the last quarter century we have 
been well served, but I would not be opposed to looking again 
at the language to see if it could be tightened. We believe in 
privacy.
    Mr. Green. Are Americans providing information to Federal 
agencies vulnerable to having that information used in some 
inappropriate way, whether the IRS, whether it be HUD or 
somewhere else? Do you know of any examples where information 
that someone provided was used inappropriately?
    Ms. Katzen. I will not sit here and tell you that there is 
no misuse of information.
    I can tell you that we have taken all reasonable steps to 
minimize that and to ensure that when we hear about something, 
there is a remedy.
    I thought the first GAO study that identified where privacy 
policies could be more clearly stated, or better placed, was a 
good thing because the agencies saw that and they want to 
protect privacy, and they therefore have begun to take remedial 
steps from these kinds of reports. We have worked very closely 
with GAO to ensure that we know what is happening. I can't tell 
you there has never been an instance, and I won't do that.
    Mr. Green. I don't expect that. We have remedies, but 
generally the American people ought to feel comfortable in 
contacting or providing information that it is not going to be 
shared.
    Ms. Katzen. Absolutely.
    Mr. Green. And there are punishments for inappropriate use 
of that information.
    Ms. Katzen. Absolutely. Under the Privacy Act, if you feel 
that something has been done, you can bring suit.
    Mr. Green. I want to make sure that there is an appropriate 
response that the U.S. Government can do to someone that is 
ilegally using this information.
    Ms. Katzen. There are civil and criminal statutes involved.
    Mr. Green. Let me ask you about the Federal web placement 
of third party cookies, and the report that we have shows that 
22 percent of all sites disclose that they may allow third 
party cookies, 14 percent allowed their placement. What would 
be the reason why we would allow placement of a third party 
cookie on our web site?
    Ms. Katzen. I don't know. I did not understand the GAO 
statement that agencies ``may allow,'' and I did not understand 
that they ``do allow'' other than as people are leaving the 
site, the site to which they are going places the cookie. I 
think the witness from GAO was trying to explain it.
    I should add that cookies are used for site management. 
They are very, very popular in the private sector. Everybody 
uses them in the private sector.
    Mr. Green. Fourteen percent of a third party, I don't know 
if that is nongovernment. Mr. Baker, Ms. Koontz, do you know 
why we would have a third party involved in placing cookies on 
Federal web sites?
    Ms. Koontz. In the survey that we did, we identified eight 
web sites where we picked up the concept of a third party 
cookie. In the vast majority of those, those were cases where a 
visitor might be clicking on a link to go someplace else, and 
the new site was placing the cookie before you left.
    That is not something that is typically thought of as a 
third party cookie, but it was a concern because there was no 
clear warning that you were leaving, that you were subject to a 
new privacy policy or that a cookie was being placed. In one 
case, there was a Federal agency that did allow the placement 
of a cookie by a third party who collects information. This was 
done, I believe, as a way of the third party collecting usage 
information about that particular Federal site.
    Mr. Green. It seems like we would want to have some kind of 
restrictions on third party cookies, whether it is inadvertent, 
and maybe that is something that should be looked at.
    Thank you.
    Mr. Tauzin. I would like for the committee's edification, 
Ms. Katzen, if you would submit to the committee clarification 
of what conditions could an agency head permit the use of 
either session or persistent cookies under OMB policy.
    Ms. Katzen. Yes, sir.
    [The following was received for the record:]

    As discussed during the hearing, OMB Director Lew announced 
in June that, as a matter of federal policy, cookies that can 
track the ``activities of users over time and across different 
web sites'' will not be used on agency sites, except in very 
limited cases. When we issued this policy, we did not know and 
could not have known what mission-related uses of cookies might 
exist or be desired in the future. For this reason, we 
specified a process whereby only the agency head could give 
approval for the use of persistent cookies after balancing the 
importance of the use of cookies to the agency with the 
important privacy interests at stake. In addition, the agency 
head may give approval only where there is clear and 
conspicuous notice, a compelling need to gather the data, and 
appropriate and publicly disclosed privacy safeguards for the 
data gathered.
    I am advised that there have been authorizations for the 
use of persistent cookies in a number of circumstances that on 
review I find appropriate and beneficial to the public. One 
example is the Department of Interior's Alaska Fire Service. 
Its site is targeted to fire managers around the state 
(although the site is public and can be accessed by anyone). It 
allows the managers to view time-critical weather data from 
more than one hundred weather stations around the state. Fire 
managers use cookies to create the right group of weather 
stations for each geographic area, and optimize their ability 
to determine local potential fire hazards. Other uses of 
persistent cookies include allowing users to return to a set of 
previously supplied transactional information. For instance, 
individuals can check their reservations with the National Park 
Service and purchasers can more conveniently purchase from a 
General Services Administration wireless store (generally after 
consent to the use of the cookie). We cannot anticipate at this 
time what other types of uses of cookies may prove worthwhile, 
and so leave the question open on a case-by-case basis.

    Mr. Tauzin. The Chair recognizes the gentleman from 
Maryland, Mr. Wynn, for a round of questions. I'm sorry, Mr. 
Sawyer is first. Mr. Sawyer from Ohio.
    Mr. Sawyer. Thank you, Mr. Chairman. The irony of this is 
beyond belief. I have been going back and forth between 
Congress and Census with regard to a question which goes 
directly to this sort of thing. I am not going to go into that 
here, but I would hope that we could look at the mirror image 
of the concern that all of us up here share, and from what I am 
hearing you all share, about the assurance of privacy.
    Could you talk to us for a moment, each of the three of you 
in turn, about how we make it possible for agencies of 
government to share information that they need in order to 
illuminate and inform sound policymaking here in a way that all 
of us would support without compromising the privacy of the 
information with which they have been entrusted?
    Ms. Katzen. Mr. Sawyer, that is a subject that is near and 
dear to my heart. That is something that I have worked on for 
the last 5 or 6 years. GAO sometimes refers to this issue in 
some of its studies. We have identified this as one of our 
priority management objectives this year, and have been working 
on it to do a number of things. One is to enable agencies to 
share information--to test eligibility, to ensure that the 
right person is getting the right benefit, the right amount of 
the right benefit, and you do that by sometimes needing access 
to tax information, sometimes needing access to information 
that may be in somebody else's files.
    That is one form of sharing. There is the act on computer 
matching. There are procedures that are involved, and there are 
very stiff restrictions. Section 6103 of the Tax Code, for 
example, precludes this kind of sharing without a very detailed 
process.
    We have been working to see whether new technology will 
help us protect the privacy of the information, because one of 
our objectives in sharing data would be to ensure that, no 
matter in whose hands it was, it was being protected and it was 
being kept confidential.
    Another area that we have been working on, which I think 
has something to do with what you have been doing in the time 
that you have not been here this morning, has to do with 
statistical information. Right now, we ask American businesses 
to supply all sorts of information over and over and over 
again. If we could have the statistical agencies share more of 
that information--BLS, BEA, Census--you would be able to reduce 
the burden on respondents and therefore increase the likelihood 
of complete and honest and accurate responses. That is an issue 
which doesn't have personal information usually. It doesn't 
have even identifiable information. But it has sufficient 
protection and confidentiality that we need to work out the 
process whereby sharing can happen.
    Those are just two instances where, if we can establish 
that we do protect the information, we could save the American 
citizens and the American government a lot of time and effort.
    Mr. Sawyer. Mr. Baker, from the point of view of the 
committee that you have been working with, could you comment on 
that?
    Mr. Baker. It is interesting that the drive toward 
electronic government, there are a lot of great ideas coming up 
with Federal employees and their contractors for how to utilize 
information. And on the other side, you have the Privacy Act, 
Title 13 and other things that do I think to this point an 
appropriate job of governing that enthusiasm and keeping us 
from putting data bases together in ways that we know how to do 
but, frankly, the laws I think appropriately keep us from 
doing.
    One of the things that I can't help but emphasize, and I am 
sure you are well aware of this given the other thing that you 
are working on, is the attention that Federal employees pay to 
the privacy issue. When you go out to census and you are sworn 
in as a Title 13 swearing-in person, they take that very 
seriously. They are the defenders of the public's privacy as 
Federal employees, and I don't think that we recognize that or 
emphasize that enough in the government is that those people 
view that as their life job, A, to do a good statistical job 
but, B, to that protect that information.
    So I think that the intersection of those two forces, 
electronic government and what we can do, the Privacy Act, 
Title 13 and others, on what they keep us from doing so far has 
kept a balance in there. We have been able to move ahead but 
not too quickly and not without doing a tremendous amount of 
violating the people's privacy. I don't know how we change 
that, to be frank. It is interesting to work in it right now, 
and again it is a balancing act there.
    Mr. Sawyer. Ms. Koontz, in preparing your analysis of all 
of this, it is fair to say that you looked at it largely from 
the perspective of protecting privacy rather than the 
concomitant need to share information where appropriate.
    Ms. Koontz. I don't think we took actually either 
perspective. Our charge was, very simply, to use the same 
criteria that FTC uses, use their identical methodology and to 
evaluate Federal sites using that criteria and methodology. I 
don't think there was a particular view associated with that 
except to the extent that FTC may have a view on how they look 
at sites.
    Mr. Sawyer. In that sense, without having the two different 
angles from which to view a complex problem, would it be fair 
to say that--without using words like--I don't want to use--I 
won't even use the word, but that it yields a less than fully 
developed portrayal of the complexity of the problem that we 
are trying to deal with here?
    Ms. Koontz. I guess I look at this issue a little bit 
differently. It is true that you can't hold Federal sites 
accountable for not following the FTC methodology and the FTC 
fair information principles. They are subject to other rules, 
other laws, other regulations. But then, on the other hand, I 
think it is useful to look at what Federal agencies are doing 
in light of various standards as a way of, I think, continuing 
a debate on whether we are happy with the status quo. Are we 
happy with requirements that we have or do we need to take a 
re-look at them?
    Mr. Tauzin. Gentleman yield a second?
    Mr. Sawyer. Please do.
    Mr. Tauzin. Just to point out, I don't think private sites 
are required to follow the FTC. There is no law following that.
    Ms. Koontz. That is correct.
    Mr. Sawyer. Thank you, Mr. Chairman.
    Mr. Tauzin. Chair recognizes the Mr. Wynn from Maryland.
    Mr. Wynn. Thank you, Mr. Chairman.
    I guess I take a somewhat conservative view starting with 
domain cookies, and I really would like to get a clear 
understanding of the rationale for domain cookies with respect 
to getting personal information and how that enables you to 
manage--how the identification of the user enables you to, 
quote, manage the site better.
    Ms. Katzen. Let me start, and then Mr. Baker might be able 
to add--will definitely be able to add something.
    When we launched firstgov on September 22, everybody wanted 
to know how many hits did we get? And the question is, is that 
the same person coming back 12 times or is it 12 different 
people? If you have a cookie, you can tell whether it is the 
same person or not. Now that is how you use it for site 
management.
    Mr. Wynn. If I could jump in, is that the best rationale?
    Mr. Baker. Sir, if I could, I think the best rationale is 
the one the private sector utilizes, which is personalization 
of a web experience is a real benefit to the consumer, if that 
is all the information is used for is that personalization. So, 
for example----
    Mr. Wynn. But there is an assumption there that I am not 
ready to accept and that is that personalization is in the 
interest of the consumer. Says who?
    Ms. Katzen. Some consumers choose it. Mr. Goodlatte sat 
here and said he has no objection and indeed he sort of likes 
the idea that when he goes to Amazon.com they say, you like 
biographies. That is how they use it in the private sector.
    Mr. Wynn. I want to go back to this. There is no opt-out so 
your assumption that it is good for the consumer to be 
personalized doesn't give the consumer the ability to say, no, 
I don't want to be personalized.
    Mr. Baker. I would agree with you. There needs to be opt-
out.
    Mr. Wynn. That is one item that I think is important for 
discussion. You agree there needs to be opt-out on domain 
cookie, is that your position?
    Mr. Baker. My personal position, it would be yes, 
recognizing that that will have an impact on, if you will, the 
value of the companies in the Internet who base a lot of what 
they do on being able to personalize, that personalized 
experience.
    Mr. Wynn. That is fine. I am satisfied. I think we have got 
at least one policy option on the table, and that is let 
consumers out of this, and that is fine.
    Now is there any other rationale for domain cookies that we 
need to be aware of? Okay, with respect to third-party cookies, 
shouldn't there be some probable cause standard or some 
restriction conditioning, however you would phrase it, to 
justify any imposition of third-party cookies. I think members 
of the panel seem to be saying the same thing in a lot of ways. 
I will be candid and say I have a very hard time of accepting 
the notion of third-party cookies unless someone presents a 
probable cause case for national security.
    Ms. Katzen. Federal web sites are not to have third party 
cookies.
    Mr. Wynn. What is the penalty?
    Ms. Katzen. The penalty would be to immediately take the 
site down and hold the agency head responsible, as you would 
with any other kinds of violations of Federal policy. The 
assumption is that Federal employees will obey the policy as 
Mr. Baker indicated.
    Mr. Wynn. There are no statutory penalties against a 
Federal employee that imposes a third-party cookie.
    Ms. Katzen. Not that I am aware of. But I am also not aware 
of any instances where they are, in fact, imposing them, as Ms. 
Koontz was indicating they----
    Mr. Wynn. I thought you said there were about eight out of 
65, is that correct?
    Ms. Katzen. That is where, as people are leaving the site--
--
    Mr. Wynn. Please clarify that.
    Ms. Koontz. We identified these using the methodology that 
FTC used. We picked up eight instances that we called third-
party cookies.
    Mr. Wynn. We can stop there. So there are instances--any 
requirement in law that those eight instances be justified or 
can we conclude that they are, per se, in violation of existing 
law?
    Ms. Koontz. I don't know the answer to that question. I 
think that is----
    Ms. Katzen. It is not law, but policy. If they were placed 
by the agency, as opposed to the exiting link, which is what 
you had said earlier--many of these were placed as people click 
to go to someplace else. It is the someplace else that puts the 
cookie on the person's machine. It is not the agency. But if 
the agency is doing it, they shouldn't be doing it unless they 
have gone through the materials that we have provided to them 
in terms of the finding that they need to make, privacy 
protections that need to be in place, and the other processes 
in reporting to OMB on this kind of situation.
    Mr. Wynn. So they can make a showing to OMB, and it is okay 
to impose a third-party cookie?
    Ms. Katzen. It may or may not be okay, depends on what they 
show.
    Mr. Wynn. What do they have to show to justify a third-
party cookie?
    Ms. Katzen. That having the cookie is critical to obtaining 
their mission, and I think that is a pretty high showing.
    Mr. Wynn. Well, it depends on whether it is national 
security or whether it is Department of Interior.
    Mr. Tauzin. Would the gentleman yield? If the gentleman 
will yield, I will quote from the memorandum for the gentleman.
    It says that under this new Federal policy dated June 22nd 
cookies should not be used in Federal web sites or by 
contractors when opening web sites on behalf of agencies 
unless, in addition to clear and conspicuous notice--first of 
all, you have to at least give people the notice you are doing 
it--the following conditions are met: the compelling need to 
gather the data on the site--whatever that means--and 
appropriately and publicly disclosed privacy safeguards for the 
handling of the data on the site, appropriately and publicly 
disclosed privacy safeguards for handling information derived 
from the cookies, and personal approval by the head of the 
agency.
    Mr. Wynn. I thank the chairman. If I could have 30 
seconds----
    Mr. Tauzin. Gentleman is recognized for an additional 30 
seconds.
    Mr. Wynn. My concern is where is the oversight of the 
agency decision that they have a need to collect this 
information? I am perfectly willing to accept a national 
security, a law enforcement rationale, maybe the Interior does 
have a rationale, but where is the oversight that would enable 
those of us in Congress to know that these agencies are acting 
in fact within the scope of their authority?
    Ms. Katzen. Well, this information would ultimately be 
gathered together by OMB and OMB has very aggressive oversight 
committees that are constantly asking for, legitimately, this 
kind of information. I would also note this is a subject that 
has gotten a lot of play in the press because this is not 
something you can do in secret. The reason we are here is 
because there is a whole cadre of people there who are 
constantly testing us, the private sector, NGO's, they are 
constantly trying to discover these activities.
    Mr. Wynn. In other words, agencies that report to you, it 
has a rationale--is there mandated reporting of that 
information to Congress?
    Ms. Katzen. No, sir.
    Mr. Wynn. Thank you, Mr. Chairman.
    Mr. Tauzin. I thank the gentleman.
    For the record--you can submit this for the record. It was 
raised by a number of members. When was the last criminal 
prosecution of a Privacy Act violation? If you can submit that 
for the record. We can't recall one. We can recall a lot of 
stories about personal data being released to the press--
Kathleen Willey, Linda Tripp, all kinds of stories. Was there 
any prosecutions of violations of their rights?
    Ms. Katzen. We will be happy to do that.
    [The following was received for the record:]

    According to the Department of Justice, the last criminal 
prosecution under the Privacy Act was U.S. v. Trabert (D. Colo. 
1997)

    Mr. Tauzin. Gentleman from California, Mr. Cox.
    Mr. Cox. Thank you, Mr. Chairman.
    I just want to underscore my complete agreement with the 
concerns expressed by Representative Wynn; and I hope that also 
for the record, Mr. Chairman, if you would permit, perhaps we 
could see a list of those circumstances in which the collection 
of cookies, not temporary cookies, not session cookies, would 
be compelling for any agency under this memorandum.
    Mr. Tauzin. If the gentleman would yield a second, I want 
to make sure the request is specific.
    GAO identified eight sites of the surveyed sites, and GAO 
only surveyed at random a certain number of sites and the top 
30-some high-volume sites. What the gentleman is asking for the 
record is submission of all of the existing authorized cookies 
on all Federal sites, if you can identify those along with the 
compelling reasons for those cookies to be on those sites.
    And I yield back to the gentleman.
    Mr. Cox. I think in Representative Wynn's question he had 
embedded the sense we all share that if a person is 
legitimately under investigation that obviously tracking them 
through their web usage is as legitimate as tapping their phone 
or anything else. But, you know, if the national security 
concern is that somebody might be hacking into our computers or 
what have you, then we are all for doing whatever we can to try 
to track that down. But putting that in a clear category of its 
own, literally intentionally investigating people, what are the 
reasons that OMB thinks the government ought to be placing 
cookies on people's computers for that are not just session 
cookies? And if you could answer that for the record, because I 
know that----
    Ms. Katzen. I would be happy to, although I should state 
that we don't have a preexisting list of conditions. We don't 
think persistent cookies should be on Federal websites, but 
since we do not know everything and we don't know all the 
different circumstances that could be presented, we established 
this process. But I will supply the information that you 
requested for record.
    [The following was received for the record:]

    Please refer to the response to Representative Tauzin's 
earlier question.

    Mr. Cox. All right, and I would just then conclude by 
saying I hope to get rid of the cookies. I think a policy----
    Ms. Katzen. So do I.
    Mr. Cox. If the concern is, gee, the government is so big, 
we can't get an answer to this question fast enough or we can't 
get it done quickly enough, which is what the administration 
expressed to wired news when they put the question, the best 
way to get it done quickly is to have a clear policy.
    Also, as you mentioned in your opening comments, if the 
objective is to instill confidence in the public that they are 
not in any way to be worried when they are going on to a 
government site, the easiest way to do that is to have a rule 
that the public can understand, which is no permanent cookies. 
And you know the notion that we have got cookies on computers. 
Some of the people on this committee, some of the staff have 
tracked this where the expiration days are 2034 where our 
government has been putting these cookies on lately. That is a 
very bad thing.
    I just logged on the White House web site and checked out 
the privacy disclosure there with respect to the kid's site and 
the regular site, and it states that the White House is 
collecting IP addresses. Now, on IP addresses unique to a 
specific computer, I need to know why that is important, but 
that I would think you could answer now.
    Ms. Katzen. If you would--I would rather provide it for the 
record rather than now--and I will provide that for the record, 
sir.
    Mr. Cox. I thank the chairman.
    [The following was received for the record:]

    Unlike an e-mail address, which can serve as a personal 
identifier, IP addresses are not personally identifiable tags. 
They are assigned to each computer using the Internet or other 
similar networks an are an integral component of network 
communications. IP address are session based--every time a user 
uses the Internet, he or she receives a different IP address.
    The White House web site is not unique in ``collecting'' IP 
address. Collecting IP addresses is an industry standard and 
all commercial software automatically collects IP addresses and 
compiles them into network activity logs. System administrators 
use these activity logs primarily for two purposes: first, to 
asses network and system performance and, second, as a standard 
security procedure to detect unauthorized intruders (i.e. 
hacking).

    Mr. Tauzin. Let me make an announcement.
    We have a vote on the floor, Mr. Markey has arrived and 
wants to do a round of questions, and we want to recognize--
before I do that, let me announce that both Mr. Shaw and Mr. 
Pitofsky have arrived, and we want to accommodate them as 
quickly as we can when we get back. So we will not have time I 
think, Mr. Shaw. So if you don't mind we will make this vote 
and come right back. We will take you up immediately, Clay, if 
that is all right with you. If you can just tell us briefly 
what your scheduling problem is.

    STATEMENT OF HON. E. CLAY SHAW, JR., A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Shaw. Well, the problem--I can dispose of this right 
new and leave this statement. This is a question of privacy 
issue having to do with Social Security. We are not--I know Mr. 
Markey is interested in that as well as the chairman, and this 
is something we should put high on our agenda next year when we 
return.
    Mr. Tauzin. I thank the gentleman. The statement will be 
part of the record. Thank you, Mr. Shaw.
    [The prepared statement of Hon. E. Clay Shaw, Jr. follows:]
 Prepared Statement of Hon. E. Clay Shaw, a Representative in Congress 
                       from the State of Florida
    Mr. Chairman and members of the Subcommittee, I commend you for 
holding this very important hearing, and I appreciate the opportunity 
to testify before you today.
    As Chairman of the Ways and Means Subcommittee on Social Security, 
my particular interest lies in the area of protecting the privacy of 
Social Security numbers (SSNs). This summer, my Subcommittee held three 
hearings on SSN use and misuse. We learned about the tragedy of 
identity theft from retired Colonel and Mrs. Stevens of Maryland who 
have seen their SSNs used to open 33 fraudulent accounts and to rack up 
$113,000 of bad debt. We also heard from Mr. Bob Horowitz, a single 
father and small business owner from my district, who saw his number 
used to open five fraudulent credit accounts. Months and years later, 
they are still spending time, money, and energy to clear their names 
and in the Steven's case, bring their perpetrators to justice.
    SSN misuse is a growing problem that needs to be addressed. In 
fiscal year 1999 alone, Social Security's Office of Inspector General 
received 62,000 allegations of SSN fraud, and the average number of 
monthly allegations has been increasing. This growth in SSN crimes has 
raised serious concerns over privacy and has emphasized the need to 
better protect SSNs in the law.
    When SSNs were created 65 years ago, their only purpose was to 
track a worker's earnings so that Social Security benefits could be 
calculated. But today, use of the SSN is rampant.
    We have literally developed a culture of dependence on the SSN. 
Businesses and governments use the SSN as the primary way of 
identifying individuals. It is integral to their business operations, 
program administration, record-keeping systems, and data-sharing 
systems. All of us know how difficult it is to conduct even the most 
frivolous transaction without having to cough up our Social Security 
numbers first. And once we provide this information for one purpose, it 
is often sold without our knowledge or used for other purposes without 
our consent.
    Although SSNs are used for many legitimate purposes, their 
prevalent use has made them very valuable. For example, counterfeiting 
Social Security cards for illegal aliens and using false SSN 
information to obtain federal benefits illegally have become quite 
profitable.
    Moreover, as we learned from Colonel Stevens and Mr. Horowitz, SSNs 
are so valuable, that someone who steals your SSN can literally steal 
your identity. Identity theft is now considered the fastest growing 
financial crime in the country, affecting more than 750,000 people 
every year and creating more than $745 million of monetary losses 
annually.
    Despite the pervasive use of SSNs and the potential for fraud, SSNs 
receive very little protection under the law. Clearly, there is a need 
for a comprehensive law that will better protect this very personal 
information and protect the American public from being victimized.
    Earlier this year, I introduced H.R. 4857, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2000 along with 
several members of the Ways and Means Committee. This bill was drafted 
on a bipartisan basis, and it passed unanimously out of the 
Subcommittee and the Full Ways and Means Committee.
    H.R. 4857 takes a comprehensive approach to SSN privacy by 
targeting the treatment of Social Security numbers in both the public 
and private sectors. A summary of the bill is provided below.

Restrictions on the Sale and Public Display of SSNs by Government 
        Agencies

 Prohibits Federal, State and local governments from:

     selling SSNs (limited exceptions are made to facilitate 
            law enforcement and national security, to ensure the 
            accuracy of credit and insurance underwriting information, 
            and to allow for the effective administration of programs 
            authorized under the Social Security Act),
     displaying SSNs on Internet sites and public documents 
            (limited exceptions are made to facilitate law enforcement 
            and national security and to ensure the accuracy of credit 
            information),
     displaying SSNs on checks, employee identification cards, 
            military tags, and identification documents issued by State 
            Departments of Motor Vehicles, such as drivers' licenses 
            and motor vehicle registrations, and
     employing prisoners in jobs that provide them with access 
            to SSNs.
 Strengthens verification requirements for birth records when 
        someone applies for a SSN card.
 Requires the U.S. General Accounting Office to conduct a 
        comprehensive study regarding how use of the SSN can be 
        minimized at all levels and branches of government.
Restrictions on Sale, Purchase, and Use of SSNs in the Private Sector
 Authorizes the Federal Trade Commission to issue regulations 
        restricting the sale and purchase of SSNs in the private 
        sector.
 Discourages businesses from denying services to individuals 
        who refuse to provide their SSNs by subjecting them to 
        penalties under Federal law.
 Includes the SSN in the definition of ``credit report'' under 
        the Fair Credit Reporting Act so that the SSN receives the same 
        privacy protections as other consumer credit information.
    The first two provisions are within the jurisdiction of the 
Commerce Committee, and the third provision is within the jurisdiction 
of the Banking Committee.
Enforcement, Fines, and Penalties
 Creates new criminal and civil penalties for violations of the 
        law relating to sale, purchase, or misuse of the SSN.
 Allows Federal courts to order defendants to make restitution 
        to the Social Security Trust Funds or the General Fund of the 
        Treasury for violations of the law.
 Enhances law enforcement authority for the Social Security 
        Administration Office of Inspector General.
    In addition to these provisions, H.R. 4857 strengthens protections 
for Social Security and Supplemental Security Income beneficiaries 
whose monthly benefits are managed by representative payees. The bill 
also includes several technical amendments that were submitted by the 
Social Security Administration.
    The Ways and Means Committee did not consider any of the private-
sector provisions because they are not within the Committee's 
jurisdiction. However, we have received many comments about these 
provisions, which were forwarded to the appropriate Committee. In 
general, the comments we received emphasized the role of the SSN as a 
unique identifier which enhances the efficiency of commercial 
transactions, ensures the accuracy of consumer records, facilitates 
fraud prevention efforts, and helps enforce the law. I urge the 
Commerce and Banking Committees to consider the provisions that have 
been referred to them as soon as possible.
    H.R. 4857 is a responsible and sensible bill. It balances concerns 
over privacy with concerns over efficiency. At the same time, it will 
effectively protect Social Security numbers and protect citizens from 
identity theft and other SSN crimes. Businesses and governments will 
need to re-think the way they do businesses so that customers are put 
first. Only through this type of re-tooling can we change the culture 
of dependence on Social Security numbers. Americans' right to privacy 
must be protected. I urge your Subcommittee to work with us so that 
together we can put the security back into Social Security numbers.

    Mr. Tauzin. The Chair now recognizes the gentleman from 
Massachusetts.
    Mr. Markey. Thank you, Mr. Chairman.
    Congressman Shaw and I have been working on this issue of 
privacy inside this Social Security context, and it just shows 
this is not a liberal or conservative or Democrat or Republican 
issue at all. It is an issue where the liberal left meets the 
libertarian right, isolates the pragmatic middle, okay, who 
just don't like to tell industry or their government employees 
that they can't do this. So there is kind of a pragmatist 
middle here that we just have to isolate and ultimately 
eliminate. That is the bottom line on this. That is the 
pragmatists, they are the problem here, because everybody else 
agrees on the issue.
    The issue isn't really Big Brother. The issue is Big 
Browser. They give it to anybody, public sector or private 
sector. They can't control themselves. They just have to get 
this information. It is almost like a compulsion. It is an 
obsession. Because it is there, the technology controls the 
ethos. Because you can do it, you do it. Technology makes it 
possible. So it is the browser itself, it is this capacity to 
data mine, you know, to know all this information.
    So, yeah, in a private sector, government context, you all 
call it security. You know, we need better security. From an 
individual's perspective, they say we need better privacy. It 
is all the same issue, though. Security, privacy, it all just 
means is the information secret or not.
    Well, the industry says, we want stronger encryption 
technology so we can move this information from the consumer to 
us, but after we get it, we don't have any rules, we can do 
whatever we want with it. The government says, we want 
security, but that is just so we can keep our information 
private. But if we can gather information about private 
citizens that help us do our business, it is good. But from a 
consumer's perspective, it is all their privacies, their 
individual family's identity. So that is why self-regulation 
doesn't work. You can't allow the government to self-regulate; 
you can't allow the private sector to self-regulate.
    You have got to have a certain minimal set of protections 
that every individual is entitled to, whether it be a big 
government agency or a big corporation or a small government 
player in your hometown or a small company in your hometown. 
Regardless of who it is, you have got to have this minimal set 
of rights that every American is entitled to, and so----
    We have a roll call on the floor.
    I thank all of our witnesses for helping us. I apologize 
for arriving late, but I thank you, Mr. Chairman.
    Mr. Tauzin. I thank the gentleman, and the Chair thanks the 
witnesses for their attendance and their participation. What we 
will do is declare a 15-minute recess, give everybody a break.
    Chairman Pitofsky, we will be back. As soon as we come 
back, we will take you up first, as soon as we get back.
    The committee stands in recess.
    [Brief recess.]
    Mr. Tauzin. The subcommittee will please come back to 
order.
    We are pleased to welcome the Honorable Robert Pitofsky, 
the Chairman of the Federal Trade Commission, who is elated 
today because the Senate just passed his reauthorization bill. 
He would love to see the House take it up before we leave.
    Mr. Pitofsky, we have often had this conversation in 
private and public. We are at it again. Today we welcome you. 
Your statement, of course, is part of the record; and we 
welcome you to summarize your report to us today on privacy, 
both in the private and public sector.

   STATEMENT OF HON. ROBERT PITOFSKY, CHAIRMAN, FEDERAL TRADE 
                           COMMISSION

    Mr. Pitofsky. Thank you very much, Mr. Chairman, members of 
the committee. As always, I appreciate this opportunity to 
discuss with you and the members these important issues 
relating to privacy.
    As this committee knows very well, the Commission has 
acquired considerable expertise and experience in addressing 
privacy issues on-line and off-line in recent years. Our 
activities in this area are based on our statutory authority to 
challenge marketing practices that are deceptive or unfair. Let 
me start with some basics.
    Protection of privacy is important to consumers. All 
surveys demonstrate consumer concern, and on-line commerce will 
not reach its full potential until and unless these privacy 
issues are adequately addressed.
    Incidentally, I saw just yesterday a Harris survey that 
reported that among Internet users, they were more concerned 
with their privacy on the Internet than they were with health 
care, crime and taxes. A really remarkable set of findings.
    Second, basic protections include notice of what 
information is collected and how it will be used, consent to 
use by consumers of their personal information, reasonable 
access to a data base to correct errors, and reasonable 
security arrangements as to how information is used.
    Even if all these fair information practices are adopted, 
that is not enough. There must be effective monitoring and 
enforcement to ensure that privacy guarantees are really 
respected, and it is interesting that many in the business 
community have pretty much adopted the four fair information 
practices that I described.
    The policy dispute in this area has turned on whether fair 
information practices can be best achieved through self-
regulation or legislation. My own view is that neither approach 
should be exclusive. Self-regulation is essential, but it will 
be most effective if it is backed by a rule of law.
    Also, Mr. Chairman, addressing an issue that I know you 
have raised with me, any policy choice must be flexible in the 
sense that it takes into account the possibilities that new 
technology may ease or modify the need for legislation.
    The FTC has conducted or reported on three surveys. Our 
first, in 1998, found of all sites surveyed only 14 percent 
published a privacy notice. The second, in 1999, showed 64 
percent. According to our 2000 survey, the figure had reached 
88 percent. That is the good news.
    But these numbers must be placed in context. Only 20 
percent of the sites reviewed in the 2000 survey satisfied all 
four fair information practices. Of the 88 percent that did 
include a privacy disclosure, many offered a kind of notice 
that was inadequate, misleading or obscure. Most important to 
me, only 41 percent provided notice and consent, in my view the 
two essential fair information practices.
    I should add that if you didn't look at these numbers from 
the point of view of all sites but only the hundred most 
visited, the numbers would be much better. For example, notice 
and consent are provided on 60 percent of the most-visited 
sites.
    Beyond statistics, there is a policy question of what to do 
about firms that provide inadequate notice or no notice at all. 
Those advocating an exclusively self-regulatory approach argue 
that firms should be denied a seal of approval and consumers 
observing the absence of the seal will choose to do business 
with other on-line sites. There are quite a few flaws with that 
approach.
    First, even in our 2000 survey, our most recent survey, 
only 8 percent of web sites posted a seal of approval; 92 
percent did not. More important, I do not see that denial of a 
seal of approval will really influence the outliers, the 
relatively few unprincipled firms, that are collecting and 
selling private data and will ignore industry standards 
designed to change their ways.
    The fact of the matter is that the best self-regulatory 
programs among advertisers, funeral directors and others are 
effective because they are backed by a rule of law.
    Beyond this fundamental question of legislation versus 
self-regulation, the Commission has been active in other areas.
    We commended the self-regulatory practices by the Network 
Advertising Initiative, an organization comprised of leading 
Internet advertisers, to develop a framework for self-
regulation in the profiling area, although we said there, too, 
that legislation to back them up would be appropriate.
    We issued rules interpreting Congress' statute entitled the 
Children's On-line Privacy Protection Act designed to protect 
young people from exploitation.
    We issued rules under Gramm-Leach-Bliley designed to 
protect consumers' privacy when dealing with financial 
institutions.
    Finally, the Commission has brought three cases in the past 
year challenging deceptive or unfair conduct in connection with 
web sites, and with additional support from Congress on our 
budget we will be more active in the future.
    To conclude, my hope is that in the next Congress, 
government, consumer advocates and the business community can 
join forces in finding their way to a moderate, balanced, 
forward-looking and sensible form of privacy protection.
    I would be glad to answer your questions; and, if I may, I 
would like to invite our Bureau Director, Jodie Bernstein, to 
join me for some of detailed questions that we may run into. 
Director Bernstein.
    [The prepared statement of Hon. Robert Pitofsky follows:]
    Prepared Statement of Robert Pitofsky, Chairman, Federal Trade 
                               Commission
    Mr. Chairman and members of the Subcommittee, I am Robert Pitofsky, 
Chairman of the Federal Trade Commission (``FTC'' or ``Commission''). I 
appreciate this opportunity to present an overview of the Commission's 
work over the past year in protecting consumers' privacy.1
---------------------------------------------------------------------------
    \1\ My oral testimony and responses to questions you may have 
reflect my own views and are not necessarily the views of the 
Commission or any other Commissioner.
---------------------------------------------------------------------------

                     I. INTRODUCTION AND BACKGROUND

    As you know, the Federal Trade Commission is the federal 
government's primary consumer protection agency and our 
responsibilities are far-reaching. The Commission's legislative mandate 
is to enforce the Federal Trade Commission Act (``FTCA''), which 
prohibits unfair methods of competition and unfair or deceptive acts or 
practices in or affecting commerce.2 With the exception of 
certain industries, the FTCA provides the Commission with broad law 
enforcement authority over entities engaged in or whose business 
affects commerce.3 Pursuant to these responsibilities, the 
Commission has acquired considerable experience in addressing privacy 
issues in both the online and offline worlds, 4 and has long 
had particular interest in, and gained extensive experience dealing 
with, privacy and consumer protection issues.5
---------------------------------------------------------------------------
    \2\ 15 U.S.C. Sec. 45(a).
    \3\ The Commission does not have criminal law enforcement 
authority. Further, certain entities, such as banks, savings and loan 
associations, and common carriers, as well as the business of 
insurance, are wholly or partially exempt from Commission jurisdiction. 
See Section 5(a)(2) of the FTC Act, 15 U.S.C. Sec. 45(a)(2), and the 
McCarran-Ferguson Act, 15 U.S.C. Sec. 1012(b).
    \4\ The FTC Act and most other statutes enforced by the Commission 
apply equally in the offline and online worlds. See, e.g., FTC v. 
ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 6, 2000) (discussed 
infra); In re Trans Union, Docket No. 9255 (Feb. 10, 2000), appeal 
docketed, No. 00-1141 (D.C. Cir. Apr. 4, 2000) (holding that 
defendants' sale of individual credit information to target marketers 
violated the Fair Credit Reporting Act).
    \5\ In particular, the Commission has law enforcement 
responsibilities under the Fair Credit Reporting Act, which, among 
other things, limits disclosure of ``consumer reports'' by consumer 
reporting agencies, 15 U.S.C. Sec. Sec. 1681 et seq., and under the 
Gramm-Leach-Bliley Act, which restricts the disclosure of consumers' 
personal financial information by certain financial institutions, 15 
U.S.C. Sec. Sec. 6801-6809 (Subtitle A).
---------------------------------------------------------------------------
    The Commission's interest and involvement in online privacy dates 
back to 1995. From that time forward, the Commission has held a series 
of public workshops on online privacy and related matters designed to 
educate itself and the public on the many issues involved. In addition, 
the Commission has been active on a number of privacy fronts. We have 
examined web site practices in the collection, use, and transfer of 
consumers' personal information; encouraged and evaluated self-
regulatory efforts and technological developments to enhance consumer 
privacy; developed consumer and business education materials; and have 
studied the role of government in protecting online information 
privacy, including in particular, the online collection and use of 
information from and about children.6 The Commission also 
has issued a series of reports to Congress regarding privacy online, 
including the topics of online profiling and the global aspects of 
Internet privacy.
---------------------------------------------------------------------------
    \6\ See, e.g., Online Profiling: A Report to Congress, Part 2 
Recommendations (July 2000); Online Profiling: A Report to Congress 
(June 2000); Privacy Online: Fair Information Practices in the 
Electronic Marketplace (May 2000) (``2000 Report''); Self-Regulation 
and Privacy Online: A Report to Congress (July 1999); Privacy Online: A 
Report to Congress (June 1998); Individual Reference Services: A 
Federal Trade Commission Report to Congress (Dec. 1997); FTC Staff 
Report: Public Workshop on Consumer Privacy on the Global Information 
Infrastructure (Dec. 1996); FTC Staff Report: Anticipating the 21st 
Century: Consumer Protection Policy in the New High-Tech, Global 
Marketplace (May 1996).
---------------------------------------------------------------------------

              II. COMMISSION INITIATIVES IN THE LAST YEAR

    The past year has been a very busy one for the FTC in the area of 
consumer privacy.
    Our efforts have included the following:

 surveying Web sites to examine their information practices and 
        privacy statements;
 convening the Advisory Committee on Online Access and Security 
        to study and provide recommendations pertaining to (a) 
        consumers' access to their personal information; and (b) 
        appropriate measures to protect the security of that 
        information;
 issuing a report to Congress on online privacy;
 issuing a series of reports to Congress on third-party online 
        profiling;
 issuing Rules implementing the Children's Online Privacy 
        Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA);
 providing comments to other government agencies examining 
        privacy issues; and
 bringing law enforcement actions against Web sites that 
        violate the FTC Act.
    What follows is a brief summary of our work in each of these areas.
2000 Online Privacy Survey and Report to Congress
    In its most recent report to Congress on online privacy, a majority 
of the Commission recommended legislation requiring consumer-oriented 
commercial Web sites that collect personal identifying information from 
or about consumers online to comply with the four fair information 
practices: Notice, Choice, Access, and Security.7 The Report 
analyzed the results of the Commission's survey of commercial Web 
sites' information practices, conducted in February and March 2000, and 
discussed the work of the Advisory Committee on Online Access and 
Security, which the Commission convened in December 1999.
---------------------------------------------------------------------------
    \7\ The Commission vote to issue the Report was 3-2, with 
Commissioner Swindle dissenting and Commissioner Leary concurring in 
part and dissenting in part.
---------------------------------------------------------------------------
    The Advisory Committee on Online Access and Security, a group 
comprised of 40 e-commerce experts, industry representatives, security 
specialists, and consumer and privacy advocates, provided advice and 
recommendations to the Commission regarding the implementation of the 
fair information practice principles of Access and Security online. In 
a series of public meetings, the Advisory Committee discussed options, 
and the costs and benefits of each option, for implementation of these 
principles. The Advisory Committee submitted a final report to the 
Commission in May 2000 which highlighted the complexities of 
implementing Access and Security and, in light of the differing views 
of Committee members, developed several different options for providing 
Access and Security.8
---------------------------------------------------------------------------
    \8\ Available at http://www.ftc.gov/acoas/papers/finalreport.htm.
---------------------------------------------------------------------------
    The Commission's survey included two groups of sites drawn from a 
list of the busiest U.S. commercial sites on the World Wide Web: a 
census of 91 of the 100 busiest sites (the ``Most Popular Group''), and 
a random sample of 335 sites that had at least 39,000 unique visitors 
per month (the ``Random Sample'').9 The survey results 
showed that 88% of sites in the Random Sample and 100% of the sites in 
the Most Popular Group posted at least one privacy disclosure, and that 
20% of Web sites in the Random Sample that collected personal 
identifying information, and 42% in the Most Popular Group, 
implemented, at least in part, all four fair information practice 
principles. The Commission also examined the data to determine whether 
Web sites were implementing Notice and Choice only. The data showed 
that 41% of sites in the Random Sample and 60% of sites in the Most 
Popular Group met the basic Notice and Choice standards.
---------------------------------------------------------------------------
    \9\ 2000 Report at Appendix A.
---------------------------------------------------------------------------
    Based on these results, as well as on the lack of a widely-adopted 
self-regulatory enforcement mechanism, a majority of the Commission 
recommended that Congress enact legislation to protect consumer privacy 
online. The proposed legislation would require Web sites to implement: 
(1) notice (providing clear and conspicuous notice of their information 
practices); (2) choice (offering consumers choices as to how their 
personal identifying information is used beyond the use for which the 
information was provided, including choice for both internal and 
external secondary uses of the information); (3) access (offering 
consumers reasonable access to the information a Web site has collected 
about them, including a reasonable opportunity to review information 
and to correct inaccuracies or delete information); and (4) security 
(taking reasonable steps to protect the security of the information 
collected from consumers).10
---------------------------------------------------------------------------
    \10\ 2000 Report at 36-38. The proposed legislation would govern 
U.S. commercial Web sites to the extent not already covered by the 
Children's Online Privacy Protection Act, 15 U.S.C.Sec. 6501 et seq.
---------------------------------------------------------------------------
Online Profiling Workshop and Reports to Congress
    In November 1999, the Commission, together with the Department of 
Commerce, held a public workshop on ``online profiling'' 11 
by third-party network advertisers, firms that place advertisements on 
Web sites. The workshop was designed to educate the public about this 
practice, as well as its privacy implications, and to examine current 
efforts by network advertisers to implement fair information practices. 
At the workshop, industry leaders announced the formation of the 
Network Advertising Initiative (NAI), an organization comprised of the 
leading Internet network advertisers, to develop a framework for self-
regulation of the online profiling industry. Following the workshop, 
the NAI companies submitted drafts of self-regulatory principles for 
consideration by FTC and Department of Commerce staff. After lengthy 
discussions, a set of principles emerged that a majority of the 
Commission found to be a reasonable implementation of the fair 
information practice principles. The Commission discussed the NAI 
Principles in Part 2 of its Report to Congress in July, 
2000.12
---------------------------------------------------------------------------
    \11\ Online profiling is the practice of aggregating information 
about consumers' interests, gathered primarily by tracking their 
movements online, and using the resulting consumer profiles to deliver 
targeted advertisements on Web sites. The transcript of the workshop, 
as well as public comments filed in connection with the workshop, are 
available at .
    \12\ See Online Profiling: A Report to Congress, Part 2 (July 
2000). The Commission vote to issue Part 2 of the Report was 4-1, with 
Commissioner Swindle dissenting and Commissioner Leary concurring in 
part and dissenting in part. Both Commissioner Swindle and Commissioner 
Leary commended NAI's self-regulatory program. A copy of the NAI 
principles is attached as an appendix to that report. The report is 
available at  and 
the NAI principles are available at . Among other things, the NAI Principles provide 
that consumers will receive notice of network advertisers' profiling 
activities on the Web site they are visiting (the so-called ``host'' or 
``publisher'' Web site) as well as notice of their ability to choose 
not to participate in profiling. Where personally identifiable 
information is collected for profiling, a heightened level of notice, 
``robust'' notice, will be required at the time and place such 
information is collected and before the personal data is entered. In 
addition, material changes in the information practices of a network 
advertising company cannot be applied to information collected prior to 
the changes, and previously collected non-personally identifiable data 
(``clickstream'') cannot be linked to personally identifiable 
information without the affirmative (opt-in) consent of the consumer.
---------------------------------------------------------------------------
    Despite the NAI companies' commendable self-regulatory initiative, 
however, a majority of the Commission found that backstop legislation 
was still required to fully ensure that consumers' privacy is protected 
online. The majority reasoned that while NAI's current membership 
constitutes over 90% of the network advertising industry in terms of 
revenue and ads served, only legislation can compel the remaining 10% 
of the industry to comply with fair information practice principles. 
The majority believed that self-regulation also cannot address 
recalcitrant and bad actors, new entrants to the market, and drop-outs 
from the self-regulatory program. In addition, the majority found that 
there are unavoidable gaps in the network advertising companies' 
ability to require host Web sites to post notices about profiling, 
including Web sites that do not directly contract with the network 
advertisers, and stated that only legislation can guarantee that notice 
and choice are always provided in the place and at the time consumers 
need them. Accordingly, a majority of the Commission recommended 
legislation that would set forth a basic level of privacy protection 
for all visitors to consumer-oriented commercial Web sites with respect 
to online profiling.
The Children's Online Privacy Protection Act
    In its 1998 Report to Congress on online privacy, the Commission 
documented the widespread collection on the Internet of personal 
information from young children, and recommended that Congress enact 
legislation to protect this vulnerable group. In October 1998, Congress 
passed the Children's Online Privacy Protection Act of 1998 
(``COPPA'').13 As required by the Act, on October 20, 1999, 
the Commission issued the Children's Online Privacy Protection Rule, 
which implements the Act's fair information practice standards for 
commercial Web sites directed to children under 13, or commercial sites 
that knowingly collect personal information from children under 
13.14 Violators of COPPA are subject to FTC law enforcement 
action, including civil penalties of $11,000 per violation.
---------------------------------------------------------------------------
    \13\ 15 U.S.C. Sec. Sec. 6501 et seq. The Act requires that 
operators of Web sites directed to children under 13 or who knowingly 
collect personal information from children under 13 on the Internet: 
(1) provide parents notice of their information practices; (2) obtain 
prior, verifiable parental consent for the collection, use, and/or 
disclosure of personal information from children (with certain limited 
exceptions); (3) upon request, provide a parent with the ability to 
review the personal information collected from his/her child; (4) 
provide a parent with the opportunity to prevent the further use of 
personal information that has already been collected, or the future 
collection of personal information from that child; (5) limit 
collection of personal information for a child's online participation 
in a game, prize offer, or other activity to information that is 
reasonably necessary for the activity; and (6) establish and maintain 
reasonable procedures to protect the confidentiality, security, and 
integrity of the personal information collected.
    \14\ The rule became effective on April 21, 2000, 16 C.F.R. Part 
312, and is available at .
---------------------------------------------------------------------------
    There have been several press reports indicating that some Web 
sites directed to children have experienced difficulty in complying 
with COPPA, particularly in the context of children's chat rooms 
(online discussion groups). Staff believes that, to some extent, these 
concerns may have been caused by misunderstanding of the Rule's 
requirements or unfamiliarity with the exceptions built into the Rule. 
FTC staff is working hard to educate Web site operators on these 
issues; staff hosted a well-attended ``compliance clinic'' for 
operators in August, and has scheduled a second clinic on the West 
Coast in November.15
---------------------------------------------------------------------------
    \15\ The FTC's August compliance clinic was held at FTC 
headquarters and included presentations on privacy policies and 
parental notices, how to obtain verifiable parental consent, and safe 
harbor programs under the Rule. FTC staff focused in particular on how 
Web sites can take advantage of the Rule's exceptions for collection of 
an e-mail address to provide interactive content to children. The 
program also demonstrated ways in which sites can identify their 
younger visitors by asking age in a manner that minimizes their 
incentive to provide false information to gain entry to the site.
---------------------------------------------------------------------------
    Some Web sites also have decided to discontinue children's chat 
rooms rather than to meet COPPA's requirements of either obtaining 
parental consent or monitoring chat rooms to prevent the disclosure of 
children's personal information. The operation of unmonitored 
children's chat rooms, which provide the opportunity for children to 
disclose personal information to third parties, has raised serious 
concerns about children's safety online. Those concerns contributed to 
the Commission's decision to recommend that Congress enact legislation 
to protect children's privacy online.
    In addition to the compliance clinic, the FTC has undertaken a 
number of initiatives designed to enhance compliance with the Rule. 
First, we have been active in monitoring compliance. FTC staff recently 
``surfed'' a number of children's sites, and sent an email to those 
sites that seemed to have substantial compliance problems, alerting 
them to COPPA's requirements. Second, the Commission has begun a 
program of law enforcement against Rule violators. To date, we have 
filed suit against one Web site for COPPA violations, and we have a 
number of other investigations ongoing.16
---------------------------------------------------------------------------
    \16\ On July 21, 2000, the Commission filed an amended complaint 
with the U.S. District Court in Massachusetts alleging that 
Toysmart.com, an online toy retailer, collected personal information 
from children in violation of COPPA, and had offered to sell its 
customer list to the highest bidder notwithstanding statements made in 
its privacy policy that it would never share customer information with 
a third party. As evidence of the COPPA violation, the Commission 
alleged that the site collected names, e-mail addresses, and ages of 
children under 13 through its Dinosaur Trivia Contest without notifying 
parents or obtaining parental consent. FTC v. Toysmart.com, 00-CV-
11341-RGS (D. Mass. filed July 21, 2000).
---------------------------------------------------------------------------
    Further, the FTC has undertaken a number of important and 
widespread educational initiatives to encourage compliance with COPPA's 
provisions. The Commission launched a special Web page at www.ftc.gov/
kidzprivacy to help children, parents, and site operators understand 
COPPA and how it will affect them. Resources available on the Web site 
include guides for businesses and parents and ``safe surfing'' tips for 
kids. Staff has handled several hundred telephone and e-mail compliance 
inquiries since the Rule was issued in October of 1999, and has 
prepared a publication, entitled COPPA FAQs, to answer more than 50 of 
the most frequently asked questions about COPPA and the new Rule. FTC 
staff also is working with staff of the Department of Education to 
develop educational materials for schools about COPPA and online safety 
and has partnered with the private sector to help with outreach 
efforts.
The Gramm-Leach-Bliley Act
    On November 12, 1999, President Clinton signed the Gramm-Leach-
Bliley Act (``GLBA'') into law.17 Subtitle A of Title V of 
the GLBA (``Disclosure of Nonpublic Personal Information'') requires a 
financial institution to disclose to all of its customers the 
institution's privacy policies and practices with respect to 
information it shares with both affiliates and nonaffiliated third 
parties and limits the instances in which a financial institution may 
disclose nonpublic personal information about a consumer to 
nonaffiliated third parties. Specifically, it prohibits a financial 
institution from disclosing nonpublic personal information about 
consumers to nonaffiliated third parties unless the institution 
satisfies various disclosure and opt-out requirements and the consumer 
has not elected to opt out of the disclosure.
---------------------------------------------------------------------------
    \17\ Public Law 106-102, codified in part at 15 U.S.C. 6801 et seq.
---------------------------------------------------------------------------
    The GLBA's financial privacy provisions require the Commission, 
along with the federal banking agencies 18 and other federal 
regulatory authorities, 19 to prescribe such regulations as 
may be necessary to carry out the purposes of the financial privacy 
provisions of the GLBA. On May 24, 2000, the Commission published its 
GLBA Final Rule.20 The Rule takes effect on November 13, 
2000. In recognition of the range of financial institutions covered by 
the Rule and the extent of system-wide changes necessary for 
compliance, as well as concerns about consumer confusion, the 
Commission extended the deadline for full compliance by financial 
institutions and other persons under the Commission's jurisdiction from 
November 13, 2000, to July 1, 2001.21
---------------------------------------------------------------------------
    \18\ Office of the Comptroller of the Currency (OCC), Board of 
Governors of the Federal Reserve System (FRB), Federal Deposit 
Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and 
Secretary of the Treasury.
    \19\ National Credit Union Administration (NCUA) and Securities and 
Exchange Commission (SEC).
    \20\ 56 Fed. Reg. 33646. The Rule is codified at 16 CFR Part 313. 
The Federal banking agencies jointly published final regulations 
implementing the GLBA privacy provisions on June 1, 2000 (65 Fed. Reg. 
35162). The NCUA and SEC published similar rules on May 18, 2000 (65 
Fed. Reg. 31722) and June 29, 2000 (65 Fed. Reg. 40334), respectively.
    \21\ Section 505(a)(7) of the GLBA provides that the Commission has 
jurisdiction over financial institutions not subject to regulation by 
either other federal agencies listed in footnotes 17 and 18 above or 
state insurance authorities. It also assigns the Commission authority 
to enforce the GLBA against ``other persons'' who receive protected 
consumer financial information covered by the GLBA. The broad scope of 
the Commission's jurisdiction is discussed in detail at the outset of 
the Federal Register notice (65 Fed. Reg 33646, 33647), which analyzes 
16 CFR 313.1, the ``Purpose and Scope'' section of the Commission's 
rule.
---------------------------------------------------------------------------
    The GLBA also obligates the Commission to promulgate a rule 
requiring financial institutions to safeguard their customer records 
and information. On September 7, 2000, the Commission issued a notice 
and request for comment pertaining to development of its Safeguards 
Rule in the Federal Register, 22 to garner public input 
concerning the safeguarding of consumer information by the wide range 
of financial institutions subject to the Commission's jurisdiction. 
After comments are received, the Commission will publish a Notice of 
Proposed Rulemaking, review comments received in response to that 
Notice, and issue a Final Rule.
---------------------------------------------------------------------------
    \22\ 65 Fed. Reg. 54186. The comment period is now scheduled to 
close on October 24, 2000.
---------------------------------------------------------------------------
Comments
    The Commission has also shared its expertise in consumer privacy 
with other government agencies dealing with privacy issues through the 
submission of public comments. Recently, Commission staff submitted 
comments in response to the request for public comment by the 
Department of Justice, the Department of Treasury, and the Office of 
Management and Budget regarding their study of how a consumer's filing 
for bankruptcy relief affects the privacy of individual consumer 
information that becomes part of a bankruptcy case.23 The 
staff comment focused on the privacy and identity theft 24 
concerns raised by the collection and use of personal financial and 
other information in personal bankruptcy cases. The staff comment 
suggested that the agencies may wish to (a) consider the extent to 
which highly sensitive information must be included in public record 
data; (b) prohibit the commercial use by trustees of debtors' nonpublic 
data for purposes other than those for which the information was 
collected; and (c) evaluate the interplay between consumers' privacy 
interests and the Bankruptcy Code.25
---------------------------------------------------------------------------
    \23\ See Federal Register Notice Requesting Public Comment on 
Financial Privacy and Bankruptcy, 65 Fed. Reg. 46735 (July 31, 2000).
    \24\ Identity theft is another privacy-related area in which the 
Commission has expertise. The Commission has implemented the Identity 
Theft and Assumption Deterrence Act of 1998, which directed the FTC to 
establish the federal government's centralized repository for identity 
theft complaints and victim assistance. For a description of the FTC's 
identity theft activities, see Statement of the Federal Trade 
Commission on Identity Theft, United States House of Representatives, 
Committee on Banking and Financial Services (Sept. 13, 2000) .
    \25\ The staff comment is available at .
---------------------------------------------------------------------------
    Earlier this year, at the request of the Department of Health and 
Human Services (``HHS''), the Commission submitted comments on HHS' 
proposed Standards for Privacy of Individually Identifiable Health 
Information 26 (required by the Health Insurance Portability 
and Accountability Act of 1996).27 The Commission strongly 
supported HHS' proposed ``individual authorization'' or ``opt-in'' 
approach to health providers' ancillary use of personally identifiable 
health information for purposes other than those for which the 
information was collected. The Commission also offered HHS suggestions 
it may wish to consider to improve disclosure requirements in two 
proposed forms that would be required by the regulations.28
---------------------------------------------------------------------------
    \26\ 64 Fed. Reg. 59918 (November 3, 1999).
    \27\ Pub. L. No. 104-191, 110 Stat. 1936 (August 21, 1996).
    \28\ The Commission's comments are available at .
---------------------------------------------------------------------------
Enforcement
    The Commission has also brought three cases in the past year 
challenging deceptive or unfair conduct in connection with Web sites' 
posted privacy policies. In FTC v. ReverseAuction.com, Inc., No. 00-
0032 (D.D.C. Jan. 6, 2000), the Commission settled charges that an 
online auction site allegedly obtained consumers' personal identifying 
information from a competitor site and then sent deceptive, unsolicited 
e-mail messages to those consumers seeking their business. In FTC v. 
Sandra Rennert, et al., No. CV-S-00-0861-JBR (D. Nev. July 6, 2000), a 
group of individuals and Web sites involved in providing prescription 
drugs online collected consumers' personal medical information through 
an online consultation form in addition to billing and shipping 
information. The Commission's complaint alleged that defendants 
misrepresented the security and encryption used to protect consumers' 
information and claimed that the defendants used the information in a 
manner contrary to their stated purpose.
    In another recent matter, as noted earlier in note 15 supra, the 
Commission challenged a Web site's attempts to sell personal customer 
information gathered pursuant to a privacy policy that promised that 
such information would never be disclosed to a third party. FTC v. 
Toysmart.com, 00-CV-11341-RGS (D. Mass. filed July 10, 
2000).29
---------------------------------------------------------------------------
    \29\ These cases follow in the footsteps of two the Commission 
brought in 1999. In Liberty Financial Companies, Inc., FTC Dkt. No. C-
3891 (Aug. 12, 1999) the Commission challenged the allegedly false 
representations by the operator of a ``Young Investors'' Web site that 
information collected from children in an online survey would remain 
anonymous. In GeoCities, FTC Dkt. No. C-3849 (Feb. 12, 1999), the FTC 
settled charges that the Web site misrepresented the purpose for which 
it was collecting personal identifying information from children and 
adults.
---------------------------------------------------------------------------
    In addition to these public enforcement actions, the Commission is 
currently conducting numerous nonpublic investigations of Web sites to 
determine if their privacy policies are deceptive or unfair.
                            iii. conclusion
    The Commission is committed to the goal of ensuring privacy for 
consumers and will continue working to address the variety of privacy 
issues raised by our increasingly information-driven society. I would 
be pleased to answer any questions you may have.

    Mr. Tauzin. Thank you, Mr. Chairman, and welcome.
    Mr. Tauzin. Obviously, the first question you know I am 
going to ask you is you gave the industry a grade in 1998 with 
only 14 percent posting privacy policy, and the grade you gave 
them was incomplete. In 1999, after 64 percent had complied 
with posting privacy policy, you gave the industry a B-plus for 
effort and a C overall. In 2000, 88 percent in your survey and 
now posting some privacy policy--good, bad or adequate but a 
privacy policy--what grade are you giving the industry today on 
effort and what do you give them overall?
    Mr. Pitofsky. I want to give the private sector some credit 
here because I truly believe that they recognize that invasion 
of privacy is a problem and they have worked hard to solve it. 
So on effort I would give them A-minus. I would say they are 
doing better.
    Mr. Tauzin. You are moving it up.
    Mr. Pitofsky. I am moving it up.
    On overall performance, I would move that up from C to C-
plus, but C-plus is not good enough to protect consumers or the 
Internet. But they have certainly committed financially and in 
terms of energy to try to improve the situation, and they 
deserve credit for that.
    Mr. Tauzin. When it comes to grading, let me first thank 
the FTC for training the GAO officials who conducted the 
Federal web site survey that Mr. Armey and I requested.
    As you know we asked that it be done using your criteria 
because we felt that we wanted some sort of comparison whether 
it was a good one or not that it was on an equal basis between 
Federal sites and commercial sites do you know what grade the 
FTC got?
    Mr. Pitofsky. The FTC was found wanting in that report.
    Mr. Tauzin. So you were not part of the 3 percent that 
passed all of your own criteria?
    Mr. Pitofsky. We were not.
    Mr. Tauzin. Where were you found wanting?
    Mr. Pitofsky. Let me explain that because I think this is 
important.
    Mr. Tauzin. Yes, it is.
    Mr. Pitofsky. The FTC satisfies anybody's standards in 
terms of notice, access, and security. The problem was with 
choice. Let me explain why that happens.
    Mr. Tauzin. Why did the FTC not make the grade on choice? 
Your own standard?
    Mr. Pitofsky. Let me give you an illustration.
    Mr. Tauzin. Okay.
    Mr. Pitofsky. Congress has generously supported something 
we run called Consumer Sentinel, in which we gather complaints 
from consumers, we analyze them, we marshall them and then we 
share that information with other law enforcement agencies. 
That was the whole point of Congress giving us the money--that 
we would share it with law enforcers, FBI, State AGs and so 
forth. I think it has been quite successful.
    Now we tell people in our notice statement, if you give us 
the information we are going to share it with the FBI and the 
State AGs. We do not give them the option of saying we want to 
give you the information but do not share it.
    Mr. Tauzin. So you do not give them an opt out?
    Mr. Pitofsky. We do not give them an opt out. And of course 
we shouldn't. It would undermine the whole point of the 
program.
    Mr. Tauzin. You shouldn't give your web site users an opt 
out. Suppose I want to give the information about a complaint 
that I make but I do not want you sharing that. I do not want 
to have repercussions from someone else because I complained to 
you. Shouldn't I have the right to do that, Mr. Chairman, 
without your sharing it with people without my consent?
    Mr. Pitofsky. Remember, it is all in the notice.
    Mr. Tauzin. But you are telling me that I can't complain to 
you without you sharing that complaint with other people. 
Shouldn't constituents have a right? I give them that right in 
my office they can use my web site and complain to me about a 
Federal agency or they can complain to me about a third party 
business in my district, and I give them an assurance on my web 
site that I will not share that information with anyone else.
    But shouldn't we at least give them the choice that you 
wouldn't share it with someone else if that is what they 
wanted?
    Mr. Pitofsky. I take your point, but I do think that since 
the whole point of gathering the information is to share it, 
that to allow them, to give them that choice, does not make any 
sense.
    Mr. Tauzin. But isn't part of your business as an FTC 
agency to in fact collect complaints from consumers and is that 
not also a good thing to do without necessarily sharing that 
worthy people pursuant to this act?
    Mr. Pitofsky. Let me make a more general point. Our fair 
information practices are designed to control the marketing 
sector of the economy. We are not selling anything to these 
folks. The FTC is not selling them books or records.
    Mr. Tauzin. I understand.
    Mr. Pitofsky. So it seems to me when you talk about choice 
in that context it is really a little different.
    Mr. Tauzin. I understand that Mr. Chairman, but I think you 
are making my point which is that in your own analysis, your 
own review of other commercial web sites, we hear the same 
complaint. That your own, if you will, methodology for 
examining and grading these web sites does not often make room 
for those kind of distinctions as to what it is being used for 
and whether the site for example may have a security but it 
does not say it has security. And therefore it gets graded down 
under your criteria. One of the problems that Mr. Armey and I 
wanted this GAO study done was exactly that. Was to I guess 
amplify the fact that the methodology itself is not necessarily 
perfect, that it has flaws and that therefore the reports that 
are issued by the agency are not necessarily as reliable as 
they perhaps should be.
    I think you would say that the FTC, as an agency that is 
examining other sites, would want to be as good about privacy 
as any agency of the Federal Government, and yet under your own 
methodology you fell short.
    I think that makes our case about how this methodology 
perhaps needs to get further fine-tuned so that it does not 
reflect bad onsites that are really trying, that deserve the A 
minus for effort and perhaps even better than a C plus for 
performance.
    Mr. Pitofsky. Let me take your comments to heart and think 
about them. We did say in our response to GAO that to transpose 
our four fair information practices exactly intact away from 
the commercial area to the government area might lead to 
misleading conclusions. But I hear what you are saying and I 
would like to think about it.
    Mr. Tauzin. Yes, what we are also saying is to use that 
methodology on commercial sites without making room for those 
kind of distinctions that you make for your own site may be 
misleading and that is my point, but I thank you for at least 
considering it because obviously what you say publicly about 
the performance of the private sector has some real weight in 
the Congress and with the American public. And obviously it is 
important that whatever assessment you make be as clear and as 
precise as you can make it.
    I want to first of all, finally, rather, thank you for 
continuing this effort. You and I have had this private 
discussion. I think that the FTC constantly monitoring and 
reporting on the progress of the industry and making cases 
where fraud and deceptive practices are appearing on the 
Internet is very good. How come only three cases if it is 
really that bad out there, why have you brought only three 
cases?
    Mr. Pitofsky. First of all, it is three cases in just this 
past year in which we continued this kind of program.
    What we try to do is bring cases against the most egregious 
misconduct--we do not want to hit people for technical 
violations.
    Mr. Tauzin. You go after the really bad players. But again 
does that say something about the overall effort in the private 
sector that you found three egregious case not 10, 12, 20, 100 
last year?
    Mr. Pitofsky. Well, I don't know, Jodie?
    Ms. Bernstein. If I could add something to that Mr. 
Chairman, among the techniques that we have tried to use, 
because this is a whole new area we conduct something we call 
``surf days'' where we look at the sites all at one time, and 
in many of those instances instead of bringing cases against 
all of them we will send out a notice saying this is a new kind 
of inquiry on our part, do you know that you may be violating 
these----
    Mr. Tauzin. You are giving them fair warning sort of like a 
traffic policeman who gives me a warning and says you are going 
through a school zone, you better slow down.
    Ms. Bernstein. Exactly right. And then we go back maybe 
after 30 days and we have found a lot of them have dropped out 
or have corrected.
    Mr. Tauzin. So you do not have to take action.
    Ms. Bernstein. I think it is one way, it is a fair way and 
helps us get to the ones where we think we can make a 
difference.
    Mr. Tauzin. The gentleman from Ohio.
    Mr. Sawyer. Thank you, Mr. Chairman. Let me thank our 
witnesses for being here. You heard my question earlier about 
the way in which we assure the ability of agencies to share 
information with one another while preserving their mutual 
guarantees of privacy in the information that they gather. Do 
you have any inside guidance that you could offer us this 
morning or would you prefer to answer that later?
    Mr. Pitofsky. Well, I think it is the right question. When 
you are talking about the government and not a commercial 
marketer, you want to ensure that the collection of information 
can serve government purposes, including the sharing of 
information where that is appropriate.
    Mr. Sawyer. Where it is appropriate.
    Mr. Pitofsky. Yes, where it is appropriate.
    Mr. Sawyer. While guaranteeing the confidentiality of 
information that is being shared.
    Mr. Pitofsky. Yes, and on the other hand you do not want to 
unnecessarily invade people's privacy. It has got to be 
designed to serve your mission purpose and that is what we have 
tried to do.
    Mr. Sawyer. Do you have policies and principles which guide 
you in making that judgment in terms of where it is 
appropriate? Largely a subjective decision but one that you try 
to squeeze as much subjectivity out of.
    Mr. Pitofsky. Within my own agency we certainly do.
    Mr. Sawyer. Can you describe those for us?
    Mr. Pitofsky. I will be glad to submit that to the 
committee. We probably have the most--one of the most clear and 
conspicuous non-obscure notice provisions that you are ever 
going to see.
    Mr. Sawyer. It is not just notice. It is the protocols for 
sharing.
    Mr. Pitofsky. But nobody could misapprehend what we are 
going to do with this information. We also provide reasonable 
access and reasonable security. It is only on this question of 
choice which the chairman has raised with me. The tradeoff is 
whether we can share this information the whole program is 
designed to collect and share, or should we give people an 
opportunity to say, look, I want to complain to you, but I 
don't want this information going to the FBI and some States? 
We have cut in the direction of giving them notice as to what 
we are going to do with it but sharing the information for law 
enforcement purposes.
    Mr. Sawyer. Thank you, Mr. Chairman.
    Mr. Tauzin. I thank the gentleman. Again, Mr. Chairman, let 
me thank you and let me for the record indicate again that you 
actually, your office actually trained the GAO in the survey 
that they collected; is that correct?
    Mr. Pitofsky. I believe that is right.
    Mr. Tauzin. And they did use your methodology in examining 
your agency and other agencies.
    Mr. Pitofsky. They did.
    Mr. Tauzin. And they did find that under your methodology, 
only 3 percent of the Federal sites surveyed met all of the 
criteria that your office uses to judge private sites; is that 
correct?
    Mr. Pitofsky. I understand that is correct.
    Mr. Tauzin. As compared to 20 percent of the private sector 
that met all five of those criteria; is that correct?
    Mr. Pitofsky. Yes.
    Mr. Tauzin. Is it fair to conclude that the private sector 
is doing better than the government sites?
    Mr. Pitofsky. No, I don't think that is fair.
    Mr. Tauzin. Tell me why.
    Mr. Pitofsky. I don't know why other government agencies 
have failed to satisfy fair information practices.
    Mr. Tauzin. We have got a list and it is pretty 
interesting.
    Mr. Pitofsky. I suspect it is often this issue of sharing 
the information with other agencies and not giving people the 
opportunity to say count me out. They say: I want to complain, 
I want to submit information but I don't want to share----
    Mr. Tauzin. But you know a lot of them failed because they 
just did not post a privacy policy. A lot of them failed 
because they did not give notice to consumers that they were 
gathering information. Some of them failed because they said 
they were not gathering person information and they were. Some 
of them failed because they had cookies. By the way what is a 
cookie? Not everybody knows what a cookie is. We are talking 
about a new cookie monster here in effect.
    Mr. Pitofsky. People have learned what it is about. It is a 
device that is placed on the hard drive of the computer of the 
person who is surfing which allows the collector of information 
to trace where you have been and what you are doing. I 
described it as like a technology that would allow your TV set 
to keep track of what programs you watch, what ads----
    Mr. Tauzin. Worse than that it is like having a camera 
follow you around for the rest of your travels all day long, 
all week long, perhaps for 35 years. Pretty bad stuff.
    Mr. Pitofsky. I think that is a fair analogy of what we are 
talking about here.
    Mr. Tauzin. And some of these--14 percent failed because 
they did have cookie on their site and in some cases without 
advising consumers.
    Mr. Pitofsky. I heard Sally Katzen say that she does not 
intend to defend cookies on government web sites and I am not 
going to step in to do it.
    Mr. Tauzin. The only point I want to make is that when you 
compare--we have a comparison sheet of the Federal sites, and 
the private sites, on every standard that you use to judge 
private sites, Federal sites fared worse on every standard. On 
the question of frequency of disclosure, 100 percent of 
commercial sites compared to 85 percent of the government 
sites. On all four principles, 42 percent of the Federal sites 
and only 6 percent of the high impact sites, 20 percent at 
random and only 3 percent of the at random Federal sites. In 
fact, there was only one category at all that was comparable 
between the Federal and the public sites--I mean the Federal 
and the private sites.
    We have a copy of this I want to make sure that you get it. 
But it basically says that when your criteria was applied to 
the public sites where we have to share information in many 
cases, that privacy was less protected than in the commercial 
sites of America. That is not a good finding. Mr. Armey and I 
have asked a simple thing of our government: Maybe we need to 
clean up our own house as we go by grading and commenting on 
someone else's house.
    But again, I thank you for both cooperating with our effort 
to examine the Federal sites and second, for continuing your 
monitoring of the private sites and invite you and your staff 
to stay in close touch with us because I think we have all come 
to the conclusion that next year we are going to have to move 
legislatively in some of these areas.
    Mr. Pitofsky. I am glad to hear that and I do want to 
continue working with you and this committee.
    Mr. Tauzin. Thank you, Mr. Chairman, and we will stand in 
recess for another 10 or 15 minutes.
    [Brief recess.]
    Mr. Tauzin. We are going to get started and anybody who 
misses this is just going to miss a lot of good time. The 
committee will please come back to order.
    Let me welcome our final panel. Mr. Larry Chiang, Chief 
Executive Officer of MoneyForMail.com; Ms. Glee Harrah Cady, 
Vice President for Global Public Policy, Privada, in Sunnyvale, 
California; Ms. Parry Aftab, Special Counsel for Darby and 
Darby in New York; and Mr. Mike Griffiths, Chief Technology 
Officer of Match Logic Inc., and Mr. Andrew Shen, Policy 
Analyst for Electronic Privacy Information Center.
    I apologize for the long day, but I suspect we are going to 
have a lot of long days thinking this business through. Part of 
what we are doing is building a record, so all of your written 
statements are part of that record. And trust me on this, 
members and staff actually read those statements and get into 
them because we are desperate for understanding here. And what 
you will provide for us on this panel is a little more depth of 
understanding about what is happening in the marketplace of 
privacy and the technology and the private sector.
    So let me please welcome you, and we will begin with Larry 
Chiang, MoneyForMail.com. Welcome.

     STATEMENTS OF LARRY CHIANG, CHIEF EXECUTIVE OFFICER, 
 MONEYFORMAIL.COM; GLEE HARRAH CADY, VICE PRESIDENT FOR GLOBAL 
PUBLIC POLICY, PRIVADA; PARRY AFTAB, SPECIAL COUNSEL, DARBY AND 
 DARBY, P.C.; MIKE GRIFFITHS, CHIEF TECHNOLOGY OFFICER, MATCH 
LOGIC INC.; AND ANDREW SHEN, POLICY ANALYST, ELECTRONIC PRIVACY 
                       INFORMATION CENTER

    Mr. Chiang. Thank you, Mr. Chairman. Thank you, members of 
the subcommittee. I come to you as a person who is on his 
second business. I am an entrepreneur. My background is in 
engineering, so I am fortunate to head up a very popular 
company called MoneyForMail. This is my second company. My 
first company was one that sold credit cards to college 
students. And my efforts in starting new businesses is to 
empower consumers to control and empower them both on two 
fronts, both on credit understanding and an understanding on 
privacy.
    And what MoneyForMail does basically in a little nutshell 
is it empowers consumers to opt in their information so that 
they control their own information so that the people that 
previously compiled and sold information to companies such as 
Trans Union, Equifax, Experian profited by selling this data.
    Mr. Tauzin. Give me an example of how that works.
    Mr. Chiang. For example, let's say you are a car leasing 
company and you want to sell cars to people in their middle 
20's that have a good job with good credit. So you can send a 
prequalified lease to those people using credit data. Now, a 
consumer today and up until the past 20 or so years has not 
been able to control their own data. So if a car leasing 
company wants to buy that information and extract that 
information from the three credit bureaus, they are able to do 
so without knowledge and consent of a consumer.
    Where you are now bringing forth a number of these privacy 
issues also then starts to question previous legislation on the 
Fair Credit Reporting Act with who exactly owns and controls 
pieces of credit data.
    So what MoneyForMail tries to do and does successfully is 
it compiles credit data along with demographic data so the 
demographic data is information that gets collected on 
different surfers and their preferences, their gender, what 
State they live in, maybe even some detailed information as to 
what sports they like to watch or participate in.
    What we do with that demographic data is we add in credit 
data so that advertisers now have more pieces of the 
information to then collect this information and then send out 
advertising messages that are geared toward it.
    To backtrack a little bit, the reason all of this is such a 
large issue is simply because advertisers know that when they 
spend money, 50 percent of that money is simply wasted. Now the 
question is what 50 percent did I waste? With the Internet you 
are allowed to target specifically demographics of your 
advertising, let's say men's suits from a previous example, 
target men's suits, advertising solely to men that are prepared 
to buy a suit, whereas previously you are just shotgunning that 
advertising message to everyone. So the Internet as a medium 
allows that.
    That is why this issue is going to balloon further because 
how many billions of dollars are spent on advertising and how 
many of those billions of dollars could potentially not be 
wasted should there be a better methodology in sending out 
these types of messages.
    It not only permeates the Internet, where, yes, it is 
personalized content, but in the future you will talk about 
cable TV advertising. Right now everybody in certain markets 
gets the exact same advertisement. What if you opted in your 
demographic data and were able to control your own demographic 
data and then the cable TV companies can send you specific ads 
based on your needs, your usages, your preferences?
    So the situation that I come to you today with is, No. 1, 
the parallel nature of how credit data previously was compiled 
without regulation, and how the Fair Credit Reporting Act 
obviously is legislating and regulating the three bureaus in 
compiling this data to also then translate that where the FTC 
regulates that data. I see a parallel where the FTC also 
similarly will further regulate privacy issues in a simple, 
easy to use, easy to understand principle. Whereas right now if 
you visit a lot of these web sites you are faced with pages, 
literally pages where you have to scroll down, and how many 
users actually read and understand the privacy statement?
    What I think in the future is you are going to be allowed 
to go to something similar to a Schumer box where some of these 
ideas that I bring forth are not really necessarily my own 
ideas but based on historical regulatory ideas. How the Schumer 
box then translates to privacy is maybe in five major points, 
similar, an annual fee, interest rates, terms, and junk fees, a 
privacy policy box or someone's name box then can therefore 
disclose the five major points or six major points for how it 
is that you as an Internet web surfer can then be assured of 
some type of standardized policy.
    [The prepared statement of Larry Chiang follows:]
     Prepared Statement of Larry Chiang, CEO, MoneyForMail.com Inc.

                            I. INTRODUCTION

    Mr. Chairman and Members of the Subcommittee:
    Good morning. I am Larry Chiang, CEO of MoneyForMail.com in Palo 
Alto California. I welcome this opportunity to comment on the current 
state of Internet privacy and the impact of compiling consumer data for 
consumers and businesses.
    I am here to testify on what I believe are reasonable standards for 
promoting consumer safety for those who use the Internet, and to report 
to you the efforts my company has taken to help consumers ``take back'' 
their personal information.
    The comments and views expressed in this Statement are offered in 
my capacity as CEO of MoneyForMail.com, and my experience in dealing 
with privacy and credit issues since 1989. I will discuss:

 Economic benefit of matching surfing data with ``real world 
        data''
 How these combined data files may be abused
 Potential discrimination using today's technology
 How privacy issues tie into Fair Credit Reporting Act
 Future trends of consumer demographic collection
 Pending privacy scandals
    I believe strongly that you, the members of Congress, will play a 
critical role in shaping legislation that will enhance privacy by 
expanding and strengthening the consumer's right to control his or her 
own own personal information. I appreciate the opportunity to share my 
views on that topic.

  II. ECONOMIC BENEFIT IN MATCHING SURF DATA WITH ``REAL WORLD DATA''

    Advertisers are willing to pay for advertising that better targets 
an audience. The medium of the Internet naturally lends itself to 
specifically targeted ad messages for users groups as small as one 
person.
    Internet advertising agencies can earn a premium by matching online 
demographic data and ``surf pattern'' data with ``real world'' data. 
Surf data is the tracking of user movements from web site to web site. 
Real world data is purchasing history, club memberships, newspaper and 
magazine subscriptions and credit-related data.
    By ``spooling up'' banner ads to a person visiting particular web 
sites, the real world data serves as a qualifier of purchasing power 
and offline interests.

           III. HOW THESE COMBINED DATA FILES COULD BE ABUSED

    Two particular industries have definite potentials for abuse: 
credit and insurance.
    Say a web surfer visits a Las Vegas Hotel site and his combined 
profile dictates that he visits Vegas three times a year. An insurance 
company underwriter may find that behavior tends to increase the 
likelihood of filing a fire insurance claim. Therefore, the insurance 
applicant may be rejected for fire insurance because of the Las Vegas 
visits. Now take this example and apply it to breast cancer sites, 
Bible study sites, scuba diving sites--and the potential to abuse 
privacy is very likely.
    While this may sound far-fetched, is it unreasonable to assume it 
could not happen? I don't believe so. After all, who would have guessed 
ten years ago that your credit record--a report of how you've managed 
your bills--would be a better predictor of how many insurance claims 
you would file than your driving record? Yet today a number of 
insurance companies rely on credit records when evaluating insurance 
applications.
    Combined data files put more information into everyone's hands. 
While it may seem innocuous for a web site that sells BBQ grills to 
sell surf information to Midwestern beef houses, the consumer needs to 
control and know what data files are being used and distributed.

         IV. POTENTIAL DISCRIMINATION USING TODAY'S TECHNOLOGY

    Since web sites can be made dynamic to each and every particular 
web user, certain collected data files could be used to discriminate 
against consumers.
    For example: access to low-cost mortgage rates could be kept from 
those individuals that have an online surf pattern of perpetually 
visiting job listing boards. The mere act of visiting a job listing 
board could signify job instability. Or, an insurance company could 
determine that people that purchase adventure gear (ski equipment, sky 
diving supplies or mountain climbing ropes) are not a good risk. These 
are the types of discrimination that are made possible using technology 
available today.

         V. HOW PRIVACY TIES INTO THE FAIR CREDIT REPORTING ACT

    Nearly thirty years ago, Congress enacted the Fair Credit Reporting 
Act to protect consumers' credit reports. Your predecessors realized 
that this information played an important role in consumers' lives, and 
that people should have the right to review their reports and challenge 
their accuracy. In addition, Congress acknowledged that this sensitive 
information should be available for limited purposes.
    Today we are beginning to see interesting overlaps between 
companies that collect credit data and companies that collect other 
data about consumers. Experian, one of the major credit reporting 
agencies, owns 19.9% of MyPoints.com and 6.4% of AdForce. Both are 
companies that derive the majority of their income from Internet 
advertising.
    Is it such a stretch, then, to ask Congress to consider regulating 
Internet data collection just as it did credit data? Or is it 
unreasonable to ask the FTC to oversee these practices as it does the 
credit reporting agencies?

          VI. FUTURE TRENDS OF CONSUMER DEMOGRAPHIC COLLECTION

    The holy grail of advertising has always been getting the right 
message to the right person. The complaint of advertisers has been, ``I 
know I am wasting 50% of my advertising dollars, I just don't know 
which 50%.'' Collecting Internet demographic data and marrying it with 
real world data will only increase as advertisers try to narrow their 
targets.

                      VII. PENDING PRIVACY SCANDAL

    Right now the pieces are in place for a number of privacy scandals.
    In Silicon Valley, you have (1) young CEOs--some in their 20's--(2) 
heading up cash-strapped companies, (3) oblivious to privacy concerns, 
and (4) controlling private information worth a great deal of money. 
These ingredients up the likelihood of a privacy scandal which will 
negatively impact e-commerce.

                            VIII. CONCLUSION

    It is my opinion that Congress should act now to establish 
guidelines for the collection and use of personal data on the Internet. 
At a minimum, consumers should be told what information will be 
collected when they visit web sites, what it will be used for, and 
steps they can take to ensure their privacy. The Federal Trade 
Commission should be given regulatory authority to ensure privacy, and 
to protect consumers' rights.
    Mr. Chairman and members of the Committee, I hope this overview has 
been helpful for you. If you have any questions, I will try to answer 
them.

    Mr. Tauzin. Thank you very much, Mr. Chiang. Now we welcome 
Mrs. Glee Harrah Cady, the Vice President for Global Public 
Policy of Privada.

                  STATEMENT OF GLEE HARRAH CADY

    Ms. Cady. Thank you, Mr. Chairman. It is a pleasure for me 
to be here today to talk to you, not only about what my own 
company does in privacy enhancing technologies but what our 
industry is doing as a whole.
    Privada itself is based in Sunnyvale, California, and we 
build privacy infrastructure systems for financial service 
companies, for network service providers and for other people 
who, in turn, would like to offer privacy services to their 
customers. You may have seen a recent series of advertisements 
on the television by a large credit card company that is going 
to be partnering with us in future products, and we expect to 
have further announcements like that.
    Generally, technology is quicker than legislation. I know 
this point has been made to you a number of times. And we can 
today provide help to your constituents and the people who are 
genuinely concerned about a genuine problem with technologies 
that will assist them to protect their privacy while the debate 
goes on here in the Congress.
    Since early this year, I think there has been something 
like 700 different announcements made about privacy enhancing 
technologies, and of course we are all terrific. Mr. Boucher 
and Mr. Goodlatte mentioned today the Internet Caucus and 
earlier this year, in fact just 3 weeks ago, we were privileged 
to be part of a privacy technology fair. And I know that this 
little booklet has been added into the record so that people 
can see who demonstrated there at that time.
    Finally, we have this lovely poster that we have also 
provided you that was developed by the privacy leadership 
initiative. There are more of these in the back of the room for 
those in the room who would like to have that. It is a 
description of some people and their technologies that are in 
the market today.
    Today, not next Congress, not tomorrow, not next week. So 
these technologies range from companies who provide complete 
anonymity all the time to people who are occasionally called 
infomediaries who will broker information on your behalf. 
Choosing among them might be complex at this point, but they 
are all there. I have tried to provide links to lists of these 
technologies in my written testimony, and I would urge you to 
encourage your constituents to look at these pieces of 
information, and if anybody has any questions about specific 
technologies or what any of the companies can do to help them, 
I would be happy to answer them.
    Thank you.
    [The prepared statement of Glee Harrah Cady follows:]

            Prepared Statement of Glee Harrah Cady, Privada

    Mr. Chairman and members of the committee, thank you for the 
opportunity to discuss the progress that technology companies have been 
making in the development of privacy enhancing technologies to protect 
consumers.
    My name is Glee Harrah Cady and I work for Privada, Inc,\1\ a 
Sunnyvale, CA based company that builds comprehensive privacy 
solutions. We deliver those solutions through Network Service 
Providers, financial institutions and other digital enterprises. By 
building a virtual ``curtain'' between the user and the Internet, 
Privada gives users control over the dissemination of information about 
themselves. Our services make it possible for businesses to offer 
privacy-based services to their customers.
---------------------------------------------------------------------------
    \1\ The Privada website may be found at http://www.privada.com
---------------------------------------------------------------------------
    Our current partners (which include American Express, Cisco, and 
Portal) will integrate Privada's privacy protection into products that 
meet their customers' need for digital privacy. Our joint commitment to 
providing sound and robust digital privacy will ensure that individuals 
maintain choice and control over their personal information.
    Privada works with other technology and consumer product and 
service companies in trade associations and coalitions to inform and 
educate policy makers, press, and individuals about digital privacy. We 
are members of the Commercial Internet eXchange Association, the 
Internet Alliance, the Information Technology Association of America, 
the Online Privacy Alliance,\2\ the Software and Information Industry 
Association, the United States Council for International Business, and 
TechNet. We support the efforts of the Privacy Leadership Initiative. 
And we were pleased to be selected to participate in the recent Privacy 
Technology Fair sponsored by the Internet Caucus.
---------------------------------------------------------------------------
    \2\ The Online Privacy Alliance is on the web at http://
www.privacyalliance.org
---------------------------------------------------------------------------
    Today's privacy debate has been fueled by two very opposing views--
one side advocates exploitation of personal information for any and all 
purposes, and the other wishes to prohibit the use of personal 
information for any and all purposes. As the debate acknowledges, we 
fear intrusion into our private lives by both government and business. 
We all want the benefits of personal services but fear the possibly 
unpleasant surprise of someone we don't know knowing too much about us. 
This is why digital privacy is so important to us. With Internet access 
we have grand opportunities to gain knowledge, improve communication, 
and have products and services delivered to us wherever we are, 
whenever we want them. But we know we are being watched and we don't 
like it
    Each day, too, individuals become more aware that they need to 
think about the business behind the website. Who are these people and 
what are they doing? We hope that the Platform for Privacy Preferences 
(P3P) will be a language used by all to make finding and understanding 
a privacy policy easier, so that the ``who'' and ``what'' questions are 
answered. Rick Jackson, Privada's CEO, frequently says that as 
consumers we also should look to see how a company is making its money. 
A company's revenue source most often tells us what is important to the 
company and its investors. With that information, we can determine how 
the company values us as consumers and customers--whether we are 
customers or information assets.
    The polls illustrate that increased sales and larger numbers of 
repeat customers are a likely consequence of strong privacy policies 
and more individual control over personal information. A sponsored 
survey by research firm IDC (released on Monday of this week) found 
that consumers are concerned about the sharing or selling of personal 
information collected during online purchases. Almost 60% of the 
respondents were concerned that Web sites will share or sell 
information about them. The press release announcing the survey also 
reported that 91% of the respondents value privacy management tools and 
services that assure protection of personal information when making 
online purchases. This survey echoes the words of SIIA's 2000 Report on 
Trends Shaping the Digital Economy.\3\ The chapter on ``Customer 
Empowerment'' shows that the customer, who has always ``been right'', 
now has new ways to interact with the vendor and those ways are 
increasingly automated and increasingly personalized. SIIA recommends 
that retailers planning to use technology to advance remember to 
combine airtight privacy policies with business models that defer to 
customer empowerment. Those businesses that do not place customer 
service above all else will fail. The report also notes that, on the 
Internet, it is very, very easy for an unhappy consumer to find another 
store selling the same or similar products almost instantaneously--and 
tell all their friends when they do.
---------------------------------------------------------------------------
    \3\ The Software and Information Industry Association Report on 
Trends Shaping the Digital Economy is at http://www.trendsreport.net/
customer/1.html
---------------------------------------------------------------------------
    Companies like Privada are happy to hear that individuals want to 
control the distribution of their personal information and that people 
want to receive the marketing advantages that accrue from smarter 
business marketing. American consumers want great deals without junk 
mail and personalized service without telemarketing calls. Privada 
provides a privacy infrastructure where building such services is 
possible: you can get what you need without unknowingly releasing 
personal information. Privada systems support reasonable uses of 
personal information by providing online identities that are separate 
from your real world identity. Your online identity, not your real one, 
will be the recipient of any personalized services you choose. And you 
don't need to give up any information that you don't wish to release. 
Privada-based services support the points of both sides of the privacy 
debate by allowing the enjoyment of the benefits of the information 
economy--keeping it moving and expanding to benefit even more people--
with no compromise of personal data.
    Privacy is an intensely individual matter. The choices I make about 
my personal information will not necessarily match yours. For example, 
I don't mind if you know that I am a proud parent--if you give me a 
chance I will certainly boast about my wonderful children. But in fear 
of predators, some people don't want others to know they have children. 
I don't mind if you know what kind of car I drive--certain of my 
friends say that I sound like a car commercial. Others don't want you 
that information available unless you are the car manufacturer and 
there is a product recall. I don't want you to have access to my 
financial information unless I give you that permission so you can help 
me with a financial transaction. I don't want intimate details of my 
medical records in the public domain. Unless I know you well, I am 
unlikely to share a list of the email addresses of my fellow Privada 
employees. Email addresses of public employees, however, are frequently 
readily obtainable.
    Because we don't yet have concensus about privacy among 
individuals, businesses, and government, and because the technology is 
changing almost daily, governmental solutions necessarily lag behind. 
Laws take an even longer time than computer programs to define, 
construct, test, and implement. Here is where technologies play a 
significant role. While committees like this one strive to determine 
the best way to provide legal protection, technology can provide tools 
for individuals to use to protect themselves. With each of us in 
control of our individual information, the rewards of the digital 
economy can reach more people. This is a win for individuals; for 
business, with more consumer confidence; and for government, with one 
less area to track. Privacy enhancing technologies can benefit 
everyone.
    Today there are many and varied technologies designed to provide 
differing types of digital privacy protections to individuals. The 
available products and services range from complete digital anonymity 
services to products that broker your information on your behalf. The 
recent Internet Caucus Privacy Technology Fair \4\ in the Capitol 
invited 19 different companies to show their technologies. The Privacy 
Leadership Initiative has listed 27 technological tools on a poster 
entitled ``Privacy Technology in the Digital Age, Version 1.0''. The 
Information Technology Industry Council's Digital Frontier \5\ site 
mentions 29 different privacy enhancing technologies (not including 
ours, so I guess I am going to have to call them up and tell them about 
us). ``Know the Rules, Use the Tools,'' \6\ is a 31-page handbook 
developed by Majority Staff of the Senate Judiciary Committee at the 
request of Senator Orrin Hatch and first released at the Internet 
Caucus event.
---------------------------------------------------------------------------
    \4\ The listing of companies demonstrating technologies at the 
Internet Caucus Privacy Technology Fair is at http://www.netcaucus.org/
events/privacyfair.shtm
    \5\ The Information Technology Industry Council Digital Frontier 
paper on Personal Privacy Solutions may be found at http://
www.itic.org/digital--frontier/consumer/intro.html
    \6\ The Senate Judiciary Committee booklet may be found at http://
judiciary.senate.gov/privacy.htm
---------------------------------------------------------------------------
    Some products help other businesses construct understandable, and 
machine-readable, privacy policies. Some services allow individuals to 
purchase items over the Internet as anonymously as if they were using 
cash. Some are tools to install on an individuals own computer (client-
based tools); others are tools that individuals access through the 
Internet (server-based tools); and still others are combination tools 
that use a client program to initiate the protected transmissions. Some 
technologies provide for web-browsing without leaving tracks that are 
individually-identifiable. Some provide anonymous communication. Some 
manage your many account passwords and release only the information the 
individual has specified. Since the Internet Caucus Technology Fair 
just three weeks ago, several new privacy technology companies have 
launched and respected technology companies have released new privacy 
products. We at Privada can see that the privacy business is becoming 
more competitive each day.
    On the Internet there are so many different ways to gain access, to 
present items for sale, and/or to search for information: supported by 
advertising, bid for in auctions, pay-per-use, subscriptions. Many 
companies are searching for the right business model to provide 
services just as individuals are searching for the right mixture of 
tools, effort, time, and money to use those services. Here in 
Washington, legislative and administrative policy makers are seeking 
the right mixture of consumer protection and business encouragement, 
one that doesn't encourage irresponsible businesses nor penalize those 
who are striving to find new ways to deliver their products. Sometimes 
the discussion has centered on legislating a particular method of 
consumer choice (opt-out versus opt-in). Sometimes the discussion has 
focused on a particular delivery vehicle (the World Wide Web). Someone 
usually points out that not all Internet sites are in the United States 
(nor do we want them to be) so that laws would not reach all potential 
sites. And clear and conspicuous notice isn't as easy as it sounds. 
Privacy enhancing technologies can be used for protection while the 
discussions continue. This means that protection need not wait until we 
all agree on what constitutes legal protection.
    What you on the committee can do today is to help us spread the 
word. When your constituents voice their fears in your town hall 
discussions, tell them how to find help. If they are already on the 
net, you can point them to one of the links I've included here. If they 
are not on the net, I'd be happy to help them find a service that meets 
their needs. Have them call me. Let's not leave anyone out.
    Thank you.

    Mr. Tauzin. Many of these are free; right?
    Ms. Cady. Yes, sir, many of them are free.
    Mr. Tauzin. Now we will hear from Ms. Parry Aftab, Special 
Counsel for Darby and Darby, New York.

                    STATEMENT OF PARRY AFTAB

    Ms. Aftab. Thank you, Mr. Chairman, and thank you for 
inviting me to testify here today. I am a privacy lawyer. I 
specialize in the children's industry, and I am often called 
the kid's Internet lawyer. But about half of my time is also 
spent running nonprofits. I run Cyber Angels, the largest 
Internet safety and health group in the world, and Wired Kids. 
I am also the author of the parents' guide to protecting your 
children in cyberspace. And my testimony will be a blend of 
both my expertise as a privacy lawyer and my advocacy for 
children.
    Mr. Tauzin. This is the book that you are talking about?
    Ms. Aftab. It is, Mr. Chairman. Thank you very much.
    There are roughly 25 million children online in the United 
States. These are children under the age of 18, and there are 
web sites that are very valuable to children that can help them 
with education, give them games. They can be very entertaining. 
Children can have web sites where terminally and seriously ill 
children can communicate with each other and talk to children 
around the world.
    We are here to talk about problems, but I would like all of 
us to remember that the Internet is a wonderful place, 
especially for children, and the greatest risk our children 
face in connection with the Internet is being denied access.
    And no one cares more about children than the children's 
Internet industry, except perhaps the FTC, who I would like to 
compliment during my testimony here today for being always 
available, always listening and always trying to help the 
Internet industry as a whole. They are willing to speak at all 
of the conferences. They are willing to do many things, and in 
fact today I bear an invitation from the government of 
Singapore for the FTC to come and teach them about regulating 
privacy in the area of children.
    But there are serious problems that the children's Internet 
industry is facing. This morning on Good Morning, America they 
talked about ``dot gone,'' and problems with the Internet 
industry generally. The children's Internet industry is facing 
even greater problems because they have no generally accepted 
viable business model. Advertising is not working because 
children are not directly engaging in e-commerce. There are 
lots of problems in this area and one of the things we need is 
more flexibility on the part of the FTC to have greater 
discretion and exception under COPPA.
    Today there has been a lot of discussions about parental 
consent. One of the biggest problems that we face is that 
parents, although they want their children to do these things, 
are not taking the time to actually give the consent to the web 
sites. And the choice is then locking children out of these 
interactive tools. It is not merely a matter of children 
sharing personally identifiable information; it is a matter of 
whether they can send e-postcards or whether or not they can 
get a picture from Elmo. And it is important that we get 
parents involved in finding compelling reasons for them to be 
using the Internet.
    We need several things that Congress, especially this 
subcommittee and your expertise, can help us with. No. 1, we 
need research on how children are actually using the Internet. 
We need research on what parents really want and what it will 
take to get them to be active in the kid space. We also need 
educational programs teaching children how to surf the Internet 
safely, how to use the best filter that exists, which is the 
one between their ears, Mr. Chairman, and teaching them how to 
use critical judgment when they are communicating with 
strangers online.
    We also need to give flexibility and discretion to the FTC 
in carving out exceptions or special rules under COPPA for 
companies that put children's safety and privacy first forward 
innovation rather than putting extra strain on the industry. 
What we need to do is work together to make sure that the 
expertise that each of us brings to the table is used to help 
children, to help the Internet industry and to help everyone 
preserve their privacy and keep children safe at the same time.
    We are also creating the children's Internet industry trade 
association. It is called KITA, the Kids Internet Trade 
Association, to help members of the kids Internet industry to 
come up with solutions and work together and work together with 
regulators and legislators on coming up with solutions that 
work. The greatest problem we have in the area of privacy is 
unexpected consequences when legislation has not been as 
thoroughly thought out as the chairman has been looking at 
here.
    So I welcome the ability to help in any way that I can at 
any time, and thank you very much.
    [The prepared statement of Parry Aftab follows:]

Prepared Statement of Parry Aftab, Special Counsel, Darby & Darby, P.C.

              SNAPSHOT OF THE CHILDREN'S INTERNET INDUSTRY

    There is no more exciting or rewarding industry than the children's 
Internet industry. Where else can you have fun, help children and 
change the world at the same time? When you deal with children, safety, 
quality content and privacy are good business. Parents are partners in 
this. But, as exciting and potentially rewarding as it is, the 
children's Internet industry is facing many challenges, these days, and 
they need help from both within the industry and from regulators, in 
order to face those challenges and make sure that what's best for 
children is always foremost.
    Who are the players? The children's Internet industry is largely 
dominated by U.S. sites. They typically fall into three categories, (i) 
large, well-recognized leaders in children's entertainment and media, 
such as Disney (disney.com), Viacom (Nickelodeon, nick.com, and 
nickjr.com, and MTV, mtv.com), Fox, PBS (pbs.org/kids), Sesame Workshop 
(the new name for Children's Television Workshop--Sesame Street, 
sesamestreet.org), Sports Illustrated (sikids.com), Nintendo 
(nintendo.com), and Cartoon Network (cartoonnetwork.com), (ii) new 
players to children's media, which came from the Internet, as opposed 
to traditional entertainment media, such as Surfmonkey 
(surfmonkey.com), MaMaMedia (mamamedia.com), Freezone (freezone.com)), 
Bonus (bonus.com), Alfy (alfy.com and cleverisland.com), Zeeks 
(zeeks.com), Lycoszone (Lycos's kids site, lycoszone.com), Yahooligans 
(Yahoo's kids site, yahooligans.com) and, until recently, Headbone 
(headbone.com), and (iii) sites that are linked to educational 
services, media and products, such as Chancery Software 
(k12planet.com), Discovery Channel (discoverykids.com), Scholastic 
(scholastic.com), Weekly Reader (weeklyreader.com), National Geographic 
(nationalgeographic.com/kids), Princeton Review (homeroom.com), Big 
Chalk (bigchalk.com and homeworkcentral.com) and ePALS (epals.com, a 
penpal service for schools using e-mail rather than traditional postal 
mail).
    How do they operate? Generally the children's Internet industry 
operates on a B to C business model. That means they are businesses 
delivering services to consumers. Essentially they offer kids content, 
games and interactivity to children. Most sites are free. Some sites 
require that children register to be able to access certain content and 
services. That registration may require personally identifiable 
information and therefore parental consent under the new children's 
online privacy law, The Children's Online Privacy Protection Act 
(``COPPA,'' described later in this testimony and the appendix), but 
many only require that a child inputs a user name (using anything they 
want) and password. Some sites operate on a subscription model, 
charging parents, sponsors and in some cases even parents' employers 
(see Kids Online America, kola.net), for subscriptions to special 
services and content for children.
    But B to C models have fallen into disfavor with the venture 
capitalists, recently. Therefore, some children's Internet industry 
members have recently changed their model (or gone back to their 
original models) to a B to B model, offering their services to other 
businesses, even within the children's Internet industry itself. Most 
notable among these is, perhaps, Surfmonkey (surfmonkey.com) which 
started out as a technology company, specializing in browser technology 
and content management. When the market (and venture capitalists) cried 
out for portals, it repositioned itself as a children's portal, 
providing content, branded media and interactive features to children. 
It's now designing a special browser that provides content management 
to preapproved content, allowing parents to select content filters, and 
manage their children's access to chatrooms, instant messaging, e-mail 
and other interactive tools and even their time online. This is being 
offered to other children's sites to allow them to have interactive 
communities, without having to jump through the regulatory hoops.

      THE CHILDREN'S INTERNET INDUSTRY IS FACING DIFFICULT TIMES.

    Last month, there was an industry-wide conference for members of 
the children's Internet industry. A representative of one well-known 
children's site commented to a panel (that included me) on COPPA 
compliance in the kids Internet industry. This woman stated that if you 
are involved in the kids space, your primary obligation is safety and 
privacy. She said that all children's sites need to be obsessed with 
safety and privacy of their site visitors. A representative of another 
well-known children's site stood up, and said although they cared 
deeply about online safety and privacy for children, they were 
``obsessed'' with the bottom line.
    I have never heard a comment repeated within the industry as often 
as this response. That's because it spoke to the hearts of all members 
of the children's Internet industry. While most of the industry is 
focused on online safety and privacy and doing what's right for 
children, many have forgotten to stay focused on staying in business. 
There are several solutions for this, and no one area to blame. One 
essential solution is to educate sites on business models and help them 
work with others to stay successful. In response to this, we are 
forming the first children's Internet industry trade association, to 
operate in alliance with an existing umbrella non-profit dedicated to 
children's equitable access, education online resources and safety and 
privacy issues, WiredKids.org. This organization is creating KITA, the 
Kids Internet Trade Association, to help sites address these issues, 
learn what they need to know to keep their businesses operating and 
help them network with others within the industry and government on 
these issues. It will include filtering companies, ISPs, technology 
companies, educational services, content providers, media providers and 
others involved either directly or indirectly with this industry. But 
although a help to the sites, this will not address all of the issues 
faced by the industry.
    Problems faced by the Children's Internet Industry: While children 
are online more and more (roughly 25 million in the U.S. alone under 
the age of 18), few children's sites have been able to find a single 
business and revenue model that works in the kids space. (Children's 
sites for the purposes hereof are directed at children and preteens.) 
While children may be loyal site visitors, parents aren't supporting 
the industry in sufficient numbers. The key to success of the 
children's Internet industry is to get parents to understand the value 
of their children's online activities, and support them.
    Most sites in the kids space are using a combination of several 
revenue models that are helping them stay afloat until parents find a 
compelling reason to support the children's Internet industry. (This 
will come over the next few years with the delivery of educational 
services, games, videos, online music delivery and new media and 
programmable toys that can only be programmed online.) When we can find 
the model that parents find compelling, the kids space will be very 
successful. But during this interim period, between the earlier 
excitement over the children's Internet industry and finding the right 
revenue model and what parents find compelling, the industry is facing 
hard and lean times.
    This makes the industry particularly vulnerable to other factors 
and outside influences. Prime among outside factors are: tech and 
Internet stocks are down, the IPO market for the Internet industry has 
slowed, and the venture capitalist money in the Internet space has been 
drying up or directed at currently profitable e-ventures, generally, 
Many sites that were planning on rounds of financing after February, 
2000, found themselves without funding because of the market downturn 
last Spring. Several proposed mergers and combinations that involved 
some of the kids space leaders fell through, causing these sites to 
waste months and even years in discussions. Time that would have been 
better spent, in hindsight, developing revenue models and maintaining 
their dominance in the space.
    In addition, being involved in kids content development and 
delivery is very costly and particularly time intensive for sites other 
than Disney, Fox, Nickelodeon and the like, whose business is the 
development of content online and offline for children. Couple this 
with the high cost of maintaining a safe site for children (with 
moderators in chatrooms and oversight of what the children are doing 
and posting at the site), confusion over the years as to what the 
market needed (largely driven by the venture capitalists) and the 
speedbumps caused by regulations make it very difficult and costly to 
operate a children's site and it's no wonder many are struggling to 
stay afloat. Some wonderful sites have already lost and are losing that 
battle.
    While many are now blaming the FTC and COPPA, however, this isn't 
fair and isn't a true reflection of the situation. It is a complicated 
combination of factors that is making the life of a children's Internet 
site precarious. Since many of these factors came to bear after the 
March downturn in the market, and COPPA came into effect in April, 
COPPA is an easy target for blame. But there is no one culprit here. 
And if there is, it isn't COPPA. COPPA plays a role in the problem, but 
more as a result of parental lassitude and in the lack of flexibility 
and discretion given to the FTC to administer COPPA and provide 
carveouts for other safe models.
    There are seven issues that are creating special challenges for the 
industry: (i) no clear revenue model has been generally identified as 
working for the kids Internet industry, (ii) parents say they care 
about children's online safety and privacy, but aren't taking the time 
and effort to do anything about it and are unwilling to pay for most 
online content, (iii) the venture capitalists, angel funding and public 
security markets have become more cautious since the Spring 2000 
downturn of the Internet markets, (iv) content development is very 
costly and time-consuming, (v) children are not candidates at this time 
for viable e-commerce and direct purchasing online, (vi) parents are 
often unwilling to use credit cards and other adult verifiers online, 
without a compelling reason to do so, and (vii) regulations pose 
difficulties when preteen-interactivity is involved, which decreases 
traffic, which further decreases the likelihood of obtaining financing. 
Each of these points, either individually or in combination with one or 
more of the other points, is examined below.
    No generally identified business and revenue model exists yet for 
the children's Internet industry: Currently the children's Internet 
industry is struggling to discover a viable generally-applicable 
business model for supporting children's content and features online. 
At this time, most are using a combination of revenue models to support 
the high cost of maintaining entertaining and fresh content for 
children and preteens. Some good sites, which children enjoyed and 
parents approved of, have been unable to survive during this difficult 
time for the children's Internet industry. Even the ones that have 
survived the downturn on e-commerce and Internet investments, the 
falloff of the IPO markets, the high costs of safety and privacy 
safeguards and legal compliance, and the lack of parental enthusiasm 
and support, are struggling to find a viable and consistent business 
and revenue model.
    Advertising: Advertising, while a portion of most site's business 
models, isn't able to support the costs of maintaining children's 
online content. Advertisers are currently seeking a new interactive 
model for Internet-based advertising that may be more effective with 
children, but the advertising typically used (click-thru banners) isn't 
producing the results advertisers are seeking. This will, hopefully 
change. Children, while capable of influencing offline and online 
purchases, are not yet participating in e-commerce. This both affects 
the advertising rates and the ways in which advertisers are willing to 
work with children's sites.
    E-Commerce: Children, for the most part, don't purchase products 
online. They research products and services, but are not purchasing 
them online. Teens are starting to become an e-commerce force online, 
but this has not extended to children and preteens. Children and 
preteens influence offline spending of their parents in large amounts, 
however. While a few kids e-commerce sites exist (relying largely on 
the gift registry and gift certificate concept, such as iCanBuy.com, 
RocketCash.com and doughNET.com), this isn't generally a standalone 
viable business model at this time for the children's Internet 
industry, either. E-commerce for children isn't compelling enough yet 
for parents to support in large enough numbers. This will change over 
the next few years when services and products that children want most 
are only available online (such as programmable toys, computer games 
and, to serve the desires of parents, educational services; for an 
example, see Homeroom.com, offered by Princeton Review).
    Sponsorship: Sponsorship is a business model used by many 
children's websites during the last few years. Some use it to handle 
the costs of a particular feature or section of their own site. Others 
use it to design sites for other companies. Some large brick and 
mortar, offline corporations have paid for the development of special 
sites directed at children. Fleet Kids (designed by Headbone, one of 
the saddest casualties of the children's Internet industry) is a 
notable example of how the offline industry can join forces with the 
children's Internet industry to develop educational and entertaining 
resources for children. But, the revenues raised through sponsorships 
are generally insufficient to defray the costs of running an entire 
children's site. Some notable specialists in the area of kids website 
designs for other companies are Media Jelly, which designed the Magic 
School Bus site for Scholastic and Goosebumps, among other award 
winning sites (www.mediajelly.com), and Zeeks (formerly a popular child 
portal and now using their expertise to create sites for others).
    Marketing and Collecting Data: One model many general audience 
sites use is collecting marketing and demographic information about 
site users. They may have site registrants provide personal 
information, such as income, occupation, educational levels, addresses, 
telephone numbers and e-mail addresses and pair this with their surfing 
practices, marketing preferences and buying practices. Many members of 
the children's Internet industry had been collecting personally 
identifiable information from children at their site. When parents 
learned about this, they reacted strongly. This is one of the abuses 
COPPA was designed to prevent.
    But marketing and demographic aggregate information not tied to a 
specific child could be a partial business model for popular sites. 
While children's sites could easy collect and aggregate non-personally 
identifiable information and still be in compliance with the law, most 
either don't know how to do this, or haven't discovered the value of 
sharing their expertise about children's preferences with marketers, in 
aggregate demographic mode. For example, Nike wouldn't need to know 
that Billy Smith from 100 Main Street in Englewood, N.J. who attends 
fourth grade at the Englewood Grammar School likes blue sneakers more 
than black ones. They need to know that fourth grade boys in the NY 
metropolitan area prefer blue sneakers to black ones. This lets them 
market to all fourth grade boys, rather than directing ads to Billy via 
his e-mail or by directing special ads to him when he surfs online. 
This isn't as valuable to advertisers that may be seeking direct 
marketing opportunities, but it may help increase revenues. And here, 
COPPA levels the playing field between those sites willing to collect 
and mine personally identifiable data from children, and those that 
refuse to use their young site visitors in that way. With advertisers 
limited in what can be collected and shared without verifiable parental 
consent, the sites find it easier to direct them to aggregate 
demographic information options.
    Subscription-Based Models: The subscription model hasn't been 
successful to date. Parents are unwilling, generally, to pay for 
children's online content. Some new sites will be offering special 
features and content, which may hopefully change this. Alfy, one of the 
leading kids content Internet sites is launching its new subscription-
based model, cleverisland.com. Disney is focusing again on its Disney 
Club Blast! (disneyblast.com) subscription site (the site has been in 
existence for several years and is now entirely made-over). This has 
the additional parental attraction (and therefore, potential for 
success) of being Disney content. Juniornet (juniornet.com) has been a 
subscription-based service since its launch in 1997, and was the first 
of the new types of closed access services, which provide selected 
Internet content within a ``walled garden'' rather than from the 
Internet itself.
    The experts see the subscription model as one of the most hopeful 
for the children's Internet industry, at least until software, games 
and educational services are regularly delivered online (about two to 
three years down the road) and parents are forced through market 
pressure to pay attention to their children's online activities.
    Parental Involvement: Parents care about privacy and online safety, 
but they aren't interacting with the sites or supporting the sites that 
protect their children's safety and privacy. It may be that they are 
intimidated, or just plain too busy. But the children's online laws 
depend on obtaining parental consent, and if parents aren't bothering 
to provide consent, sites are running into problems.
    Bonus's experience is a case in point. It found that out of the 
parents who were asked for their consent for Bonus to use children's 
information internally, 51% never replied, 31% provided consent and 5% 
said ``no.'' (13% are still pending from this sample group.) This was a 
six to one ratio of parents allowing their children to use those 
services, over those who wouldn't allow them to share the information. 
But the 51% of parents not bothering to respond is frightening.
    Bonus is losing more than half of the children who want to 
participate. And Bonus doesn't have chat, e-mail, e-commerce, on 
instant messaging. Bonus is a site that has games for children, and 
sends newsletters to their site visitors. This is a typical situation 
faced by many children's sites.
    The solution is two-fold. One we need to teach parents how 
important they are to their children's safe and private online 
experience. They often feel that since their children understand the 
technology, they don't have to get involved. But they need to recognize 
that, although their children's technological skills may exceed their 
own, their children haven't yet developed the requisite judgment for 
handling communications with strangers online safely, at a younger age. 
Kids have better tech skills, but parents have better judgment.
    We need them to understand the real risks children face online. 
Parents need to see the Internet as the telephone, rather than the 
television. While they may be concerned about too much sex and violence 
on television, parents are rarely compelled to take action in 
connection with what their children see on TV. Yet, all parents feel 
compelled to make sure our children do not talk to strangers. None of 
us would allow our child to talk on the phone with an adult stranger 
for two hours. Yet, their children often do just that, online in 
chatrooms and using instant messaging. Once we can get parents to see 
their children's safety and privacy in terms they understand, such as 
the telephone calls with stranger, they can use common sense to help 
their children learn how to surf safely. (Detailed information on all 
aspects of online safety for children can be found in my new book, The 
Parent's Guide to Protecting Your Children in Cyberspace, McGraw-Hill, 
2000 (retail price $12.95), copies of which will be provided to the 
Subcommittee.)
    Two, we need to make it easy for parents. If they need to provide 
consent to ten sites their children visit, separately, they just won't 
do it. We have worked on this issue as well, by developing a central 
site registry where parents can make a donation to Wired Kids via 
credit card, and register at one time for as many member sites as they 
want. A second service for parents is being developed with Wired Kids, 
where parents give noted online safety experts the right to approve 
sites for their children, based on certain criteria set by the parents, 
such as moderated chatrooms.
    But these are a drop in the bucket, and more intensive parental 
consent mechanisms need to be developed. Offline consent, obtained at 
certain store locations from parents may be one possible solution. 
Parents who are shopping at a store may be able to use an offline 
consent gathered there to give the level of consent for their 
children's online interactivity. Schools are another place to collect 
consents.
    Schools are being used by large sites for parental collection 
systems already. Big Chalk works with more than 26 million children in 
more than 42,000 schools. Chancery Software (k12planet.com) works with 
20 million children in US schools. Under existing regulations and 
guidelines, sites are permitted to rely on the school's representation 
that the parents have consented to the student providing the personally 
identifiable information or using interactive features at the site. If 
schools make this representation, the site has millions of registered 
children and has complied with COPPA without having to deal directly 
with the parent. This is creating a risk management issue for schools, 
however, which may or may not have actually obtained the parents' 
verifiable consent.
    Sources of Funding and Financing: Venture capitalists have pulled 
back from the children's Internet industry. A couple years ago, venture 
capitalists first became interested in the children's Internet 
industry. Until then, their main focus had been in e-commerce, but as 
more and more children got online (with a growth from 6 million in 1996 
to more than 25 million today in the United States alone), the 
children's portion of the industry became more attractive. But the 
venture capitalists were looking for potential IPOs, and the IPO market 
has been dry for most of the Internet industry. Without IPO potential, 
and with no presently viable generally-recognized business model, 
venture capital dried up, and the chance for many children's sites to 
survive largely dried up with it.
    Many sites had periodic financing schedules. Those that managed to 
raise their financing prior to the market correction this past spring 
are sitting pretty in the kids space. Others have international 
investment and business and revenue models. This too gives them more 
flexibility. But many found their expectations of being able to raise 
the financing they needed, as they always had raised them, unrealistic. 
Depending on how long they had waited in the financing cycle, many 
found themselves unable to keep their doors open. Most cut staff, 
changed operations and looked to other avenues for revenue. Licensing 
content and strategic alliances were seen as potential new revenue 
models, and have helped several sites survive and have brought others a 
higher profile outside of the traditional kids space. Brick and mortar 
children's industry players became more important and educational 
resources, which had additional value to bring to the mix, became more 
prominent.

                KIDS ONLINE PRIVACY, THE FTC AND COPPA:

    While there is a substantial focus on COPPA today, and the costs of 
compliance and to the industry, it is also important that we remember 
why COPPA was passed in the first place, and the serious risks to 
children is was intended to address.
    COPPA was intended to address two separate concerns, (i) over-
marketing to children and collection of personally identifiable 
information from children that is shared with advertisers and 
marketers, and (ii) children sharing information with online predators 
who could use it to find them offline. Both are valid concerns and need 
to be addressed.
    Children's Online Marketing Practices: The FTC has conducted 
several surveys of websites, both sites directed at children and 
general audience sites. In each survey they learned that sites were 
collecting personal information from children, not informing the site 
visitors about their information collection practices and what they did 
with the information collected, and in many cases sharing this 
information with marketers and advertisers. While the bulk of the 
credible online community took this issue very seriously and drafted 
clear privacy policies and instituted ethical collection practices when 
children were involved, far too many sites ignored the FTC's warnings 
and plea for self-regulation from the children's Internet industry 
itself.
    Interestingly enough, the practice of collecting and sharing 
personally identifiable information about children has been almost 
entirely eradicated. No credible children's site is currently 
collecting personal information from children for outside marketing, 
and none are knowingly sharing information collected with third 
parties. So COPPA works in this respect. It has changed an industry 
practice--one that parents wanted changed.
    A sunset provision has been adopted and is in effect until April, 
2002, that allows sites to collect personally identifiable information 
from children (this includes e-mail addresses, as well as what we would 
normally consider personally identifiable information) for internal use 
only with less than full-fledged ``verifiable parental consent'' (which 
is currently, typically, via telephone, credit card or debit card 
verifiers, regular postal mail or fax). During the sunset period, 
parents can provide their consent via e-mail, provided that the e-mail 
requesting this consent is delivered in such a way as to make it more 
likely that the parent and not the child will receive the e-mail and 
provide consent, and providing that the email consent is confirmed in 
some way. This is an ``opt in'' model that only permits the child's 
information to remain on file and be used if the parents affirmatively 
consent to it, by replying to the notice. As discussed in more detail 
later, we describe the actual statistics obtained from a leading 
children's site, Bonus. Bonus reports that more than 51% of the parents 
don't bother to respond to this e-mail. Of those who do respond, there 
is a six to one ratio of those providing consent, as opposed to 
refusing it.
    Protecting Children from Online Predators: The second concern 
intended to be addressed by COPPA was children being lured and stalked 
by online predators who gather information about them from chatrooms, 
instant messaging, e-mails, websites and the like.
    This is a very real risk, and one that should be addressed. Last 
year the FBI's Innocent Images Unit (charged with investigating crimes 
against children online) opened 1500 new cases of suspects who were 
attempting to lure a child into an offline meeting for the purposes of 
sex. Based upon my experience, about the same number of cases were 
opened by state and local law enforcement agencies last year for the 
same crime. Out of 25 million underage Internet users from the U.S., 
3,000 cases may not seem like very much (especially when often it is a 
law enforcement agent posing as a child who is being lured, not a real 
child victim), but one if too much and all of these cases are currently 
avoidable. Also, most child molesters have a history of abusing 
children, so each case represents harm done to more than one child. Our 
children go willingly to offline meetings with these people. They may 
think they are meeting a cute fourteen year old boy, but find that they 
are meeting a 47-year old child molester instead. Teen People has an 
article I worked on with them, on this very issue, in its new November 
issue, now out on the stands.
    Law enforcement is not aware of anyone who is using the information 
children provide online to seek them out offline, by hiding behind a 
bush or grabbing them on their way home from school. But it's only a 
matter of time before this happens, since universal access to the 
Internet means that even violent sexual offenders who are online can 
use it for their own horrible purposes.
COPPA in Practice
    Parents have told me that having to provide verifiable consent is a 
burden, although they are grateful that someone is notifying them of 
their children's online activities. They are also complaining that 
their children cannot use the interactive tools immediately upon 
obtaining their consent, given the current process which is largely 
offline. They object to using their credit card information, and credit 
card companies are unhappy that their verification systems are being 
used for this purpose. The charge to a site for credit card 
verification, for these purposes, is $.10 to $.20 per verification 
(generally per child). Sites are also being pressured not to use the 
merchant account systems for this purpose.
    Obviously, the issues that COPPA was designed to address are still 
of great importance. But many of the problems cited in connection with 
COPPA could be handled easily if the FTC had more discretion in 
approving exceptions to full verifiable parental consent for safe 
applications and site practices. The law, as finally adopted, gave the 
FTC little or no discretion in this regard. It is the lack of 
flexibility, rather than the law itself, which presents the greatest 
problem.
    While COPPA has received much criticism from members of the 
children's Internet industry, whether or not it is warranted, the FTC 
deserves only praise. The FTC has been outstanding in trying to inform 
the industry of what COPPA provides and how to comply with COPPA. They 
have been available for private meetings with site operators, have held 
a clinic on COPPA and how to comply, and have been active speaking at 
industry conferences on the law and how it affects the children's 
industry and general audience sites.
    Cost of COPPA-compliance: We have polled most of the mid-sized 
children's websites for the cost of COPPA-compliance, in hard dollars, 
not as to any lost revenue or loss in traffic. This can run from more 
than $115,000 per year to $290,000 per year, depending on whether the 
site is fully interactive, with chatrooms, etc. and what level of 
consent they collect. Here's what they told us:

 $10,000-15,000 for legal, including audits and construction of 
        privacy practices and policy
 Cost of toll-free telephone and dedicated fax service
 $35,000 in engineering costs to make the site complaint
 $2,500-$10,000 monthly for professional chat moderators (price 
        differs depending on training, hours of operation and 
        organization)
 $35-60,000 per year for one person to oversee offline consent, 
        respond to parents questions, review phone consents, and review 
        permission forms.
 $35-60,000 per year for person to oversee compliance, database 
        security, respond to verification and access requests.
    One specific example of a site and how it is dealing with COPPA is 
ePALS.
    ePALS Classroom Exchange' is the world's largest online classroom 
community and the leading provider of collaborative classroom 
technology. ePALS pioneered the collaborative classroom concept in 1996 
and now connects more than 2.5 million students and teachers in 182 
countries worldwide.
    ePALS Community members use a set of free, collaborative tools to 
meet and correspond online, combine professional expertise, join 
interactive projects, and develop international friendships. This tool 
set includes extensive profile creation and search functions, monitored 
email with profanity filters, moderated discussion boards, private 
chat, and soon, photo sharing technology. ePALS works to balance 
participation in the global community and learning through 
collaboration against the safety concerns of our educational community.
    Educators turn to ePALS for a safe, creative way to integrate 
technology into the curriculum and to introduce students to the skills 
they'll need to participate in the global community. The ePALS 
commitment to safety is an ongoing success story.
    ePALS has developed a simple COPPA consent package for American 
teachers who are already registered with ePALS. Teachers download this 
package directly from www.epals.com, print it and distribute consent 
forms to their students to take home to their parents. Only when all 
the consent forms have been received is the teacher free to carry on 
with ePALS activities. For all new teacher registrations, ePALS 
requires teachers to collect consent forms before they can set up 
monitored email accounts for their students.
    All individuals registering with ePALS must now submit their birth 
date and citizenship. If the individual is under 13 and from the United 
States, the registration process requests the parent's email address to 
complete the sign-up. Without the email address, the registration 
cannot be completed. If the child does provide his/her parent's email 
address, ePALS sends the parent a copy of the ePALS privacy policy 
(http://www.epals.com/privacy/index--en.html) and a consent form, which 
must be signed and returned via fax or post. Parents may also use a 
special toll-free number to provide their consent. ePALS will not 
activate a child's account without verifiable parental consent.
    Beyond securing parental consent, the ePALS site offers three 
additional layers of security:

1) All profiles submitted to ePALS must be read and approved by a 
        trained Site Support Coordinator before they are added to the 
        site. Suspicious profiles are refused immediately.
2) The profile creator, the teacher or parent, is the first point of 
        contact for anyone interested in a class/group profile. The 
        teacher or parent can decide to refuse any communication.
    The teacher or parent has comprehensive access to ongoing 
communications for his/her group of children. He/She can read every 
incoming and outgoing piece of email before it is received or sent, or 
simply choose to read specified pieces--ones with attachments, 
profanity, etc. The choice is up to the teacher or parent.
    An example of what had to be undertaken to make ePALS COPPA-
compliant:

 Massive revision of registration system to capture age, 
        nationality, and parent/guardian information, send data to 
        parent/guardian, and restrict access to appropriate users
 Revisions of Privacy Policy
 Creation of COPPA consent forms
 Installation of dedicated phone and fax system
 Hiring and training of Site Support staff to administer COPPA 
        consent process
 Ongoing legal counsel
 Teachers cannot use ePALS in their classrooms until parental 
        consent is received
    Potential Solutions in Connection with COPPA: As discussed in more 
detail at the end of this section, solutions will come from three 
areas.
    First is from Congress itself:

 We need studies conducted about how children use the Internet, 
        and what help parents want and need.
 We also need funding for Internet safety education in schools 
        and community groups.
 We need governmental support of leading Internet safety 
        advocates t help them do their job in educating parents and 
        children, and providing helplines for those who run into 
        trouble online.
 We need more funding for law enforcement, to fight crimes 
        against children online.
 We need more training of state and local law enforcement 
        agencies to help fight crimes against children online.
 We need more discretion given to the FTC, and practical and 
        reasonable carevouts from COPPA, or reduced consent levels, for 
        sites that can demonstrate that they care about children's 
        privacy and online safety.
 The FTC needs more funding to hire and retain quality staff 
        experienced in this field. (The FTC staff is stretched too 
        thin, and its staff members are too often recruited and hired 
        by Internet industry members who need experienced advisors.)
    Second is from the FTC itself, many of which are already 
implemented:

 We need more education of the industry in how COPPA works, and 
        how sites can comply. (The FTC held an unprecedented clinic on 
        compliance in August, and has been outstandingly proactive in 
        this area.)
 We need a close interaction between the industry and the FTC 
        in the area of online safety and privacy, and new technologies. 
        (Here, too, the FTC deserves praise for its accessibility to 
        the industry and its willingness to keep open dialogue with 
        members of the children's Internet industry, large and small.)
 We need more FTC staff in the area of privacy and Internet 
        consumer protection issues.
 Once more discretion is given to the FTC, we need it to 
        address other methods of protecting children's safety and 
        privacy under COPPA, which may allow sites to avoid the offline 
        consent mechanisms.
 We need help in educating parents and children about online 
        safety and privacy.
    Third is from the industry:

 We need to work together to form solutions, such a central 
        registries, and joint consent mechanisms, and consent 
        mechanisms where parents set the standards and allow a trusted 
        third party to select the sites which satisfy the guidelines 
        approved by the parents.
 We need to educate the children's Internet industry on 
        business and revenue models and provide them with skills they 
        need to run their businesses profitably. (The new trade 
        association will help address that.)
 We need to educate parents about online safety and privacy, 
        and educate children on safe surfing practices and how to 
        exercise critical thinking online.
 We need to develop new technologies that make Internet safety 
        and privacy as seamless as offline safety and privacy.
 We need to share our concerns and recognize that, as an 
        industry, we survive or fall together.
 We need to share our expertise with Congress and the FTC. No 
        one knows kids better than members of the children's Internet 
        industry. The more we share our knowledge and expertise, the 
        better Congress can legislate in this area, and the better the 
        FTC can administer those regulations and advise Congress.
    An analysis of COPPA, how it works and why it was adopted is 
included in the appendix. I divide the issues addressed into two areas: 
data collection and interactivity.
    Sites should have to jump through many hoops before they are 
permitted to collect and share personally identifiable information from 
children. They don't need to collect personally identifiable 
information, other than e-mail addresses. And sites should have a very 
good reason before being allowed to collect more. Parents agree 
wholeheartedly.
    But it would be very helpful for Congress to enable a study on what 
information is being collected, how it is being used and what parents 
really want. Most of what exists is more anecdotal than scientific. 
Parents send me about 600 e-mails a day, in my role as author of the 
leading book for parents on children's Internet safety and privacy, The 
Parent's Guide to Protecting Your Children in Cyberspace (McGraw-Hill, 
2000), and in my position as Executive Director of Cyberangels (the 
world's largest Internet safety, help and education group), and 
President of WiredKids.org (which includes UNESCO's online safety 
project for the U.S.). They care about finding reliable and safe sites 
for their children to enjoy online. They care about spam (unsolicited 
junk e-mail, often linking to adult content sites), more than any other 
single issue. They care very much about their own and their children's 
privacy. I am not sure that they care about providing offline consent, 
or online credit card or similar identifiers for their children to be 
able to chat or use interactive community tools at sites that have 
adopted safety guidelines and procedures.
    With respect to interactivity, requiring the highest level of 
consent from parents before children can use chat, e-mail, instant 
messaging, and the like was designed to address the danger posed by 
pedophiles and other bad actors. But there are two things that can 
address it even more effectively.
    One is educating our children on smart surfing practices. We, at 
WiredKids.org, working with Cyberangels, are designing a curriculum for 
teachers to use in the classroom to teach safe chatting and online 
communication skills. Congress can be very effective in helping promote 
online safety education, especially for children. Our Teenangels 
program educates teens to teach other teens and children about safe 
surfing. This can be expanded nationally, with support from schools and 
community groups. Our new online safety video for children and teens 
will teach practical safe surfing tips. But we need more programs like 
this and funding for these programs, in order to be effective.
    Two is getting sites to use safe surfing practices, such as 
moderated chat, and parental approved e-mail and instant messaging 
correspondent lists. Closed list of permitted correspondents, like the 
Buddy list used by AOL and the Cyberfriends list used by Surfmonkey are 
good examples of how parents can pre-clear certain real life friends 
for communication, while locking out strangers. These kinds of 
interactivity, when designed with children's safety in mind, should be 
permitted without having to get parental consent. Not, in my opinion, 
that parent's won't give the consent if they took the time to focus and 
respond, but because parents aren't bothering to respond. This is an 
issue that providing the FTC with more discretion can resolve.
    Perhaps, by providing the FTC with more discretion in this area, 
the sunset provision for ``email plus'' consent may be extended, and 
certain types of activities at safe sites can be permitted with a 
reduced level of consent or notification. Sites could submit their 
practices to either the FTC or a safe harbor entity for approval. This 
would allow sites the flexibility they need and provide incentives for 
adopting safe surfing and ethical privacy practices.
    For example, the FTC should have been permitted to allow sites 
which have designed a safe chatting setting, such as clear site rules, 
trained chatroom moderators and use of technology to filter out certain 
prohibited terms, to avoid the onerous task of getting prior parental 
consent. Sites should have been permitted the option of presenting a 
package safety and privacy solution and approach to the FTC for 
approval, and for exceptions to the prior verifiable parental consent 
rule.
    The way it currently operates, a site can get parental consent to 
any interactivity, no matter whether it is designed with the child's 
safety in mind. This actually provides a disincentive for safety and 
privacy practices at the site. And given the cost of moderating 
children's chatrooms, it is a choice many sites are making.
    If the FTC had more discretion, it could approve these systems and 
permit the sites that use them to avoid the full-fledged verifiable 
consent mechanisms. It would encourage more innovation in this area, 
and keep our children safer at the same time. Sites which were approved 
could boost traffic by providing chat and interactive features children 
enjoy, which would in turn improve their financial position. This would 
provide further incentive for developing safe programs for children.
    Offline consent mechanisms, digital signature development, school-
related programs, and central registries are essential to helping the 
children's Internet industry navigate the current challenges it faces. 
But giving the FTC more discretion to provide exceptions to the 
verifiable consent requirement is one of the most important changes 
that could occur, and one of the most important things that this 
Subcommittee can recommend.
    Our children are worth it, and so is the Internet. Too often blamed 
for everything from the Black Plague to the sinking of the Titanic, the 
Internet is a wonderful tool for learning, communication and 
entertainment. It levels the playing field between the haves and the 
have-nots. All children look alike online. No one is classified by 
their race, ethnic origin, religion, accent or physical ability. Online 
they are all just children. And like it or not, the Internet is here to 
stay.
    We're all in this together. Let's work together to make the 
Internet fun, safe, private and educational for children. And let's 
work together to make sure that the children's Internet industry, which 
has so much to offer our children, flourishes!
    For the children.
    I remain willing to help, and provide input and expertise in any 
way this Subcommittee can use my help and expertise.
    I wish to thank the Subcommittee, its chairman and all its members 
for inviting me to present this testimony on such an important subject.

                Appendix--COPPA Development and Analysis

    The Children's Online Privacy Protection Act (``COPPA''), and the 
regulations thereunder which took effect on April 21, 2000, require all 
commercial sites to take special measures when they collect personal 
information from children or allow children to use interactive 
features, such as e-mail, instant messaging and chat (if they could 
share personal information with others using those tools). Many sites 
are confused about what the law provides, since it uses the word 
``collection'' and they see that as something affirmative they are 
doing. But ``collection'' includes letting children use e-mail accounts 
or post messages publicly through a chat room or discussion board, as 
well as fill out forms. And it has nothing to do with adult content 
children may see online.
    While the regulations are aimed principally at the children's 
Internet industry, they are fully effective against general interest 
sites with actual knowledge that a child is using their services. Few 
lawyers, even among experienced cyberspace practitioners, understand 
the children's Internet industry and the regulations and safety 
concerns that apply to it. But failing to understand what information 
can be collected from children, how it can be used, and what must be 
accurately disclosed to parents has cost many companies dearly.
    There are two issues dealt with by COPPA and the existing consumer 
protection authority of the FTC. One is privacy, the other is safety. 
Both are regulated by the FTC, although states are permitted to enforce 
consistent local laws. In brief, privacy relates to the collection, 
maintenance, or use of personally identifiable information from 
children 12 years old and under. Safety is impacted, legally, when a 
child under the age of 13 is able to share personally identifiable 
information with others online.
    The safety concern is that someone such as a pedophile may be able 
to contact the child either online or offline because the child has 
shared such contact information, whether intentionally or not. Last 
October, the FTC promulgated its final regulations implementing the 
Children's Online Privacy Protection Act of 1998 (COPPA). Yet few were 
aware that the FTC already had the ability to enforce the privacy and 
safety concerns noted above, and has expressly set forth the parameters 
of that authority since mid-1997.
    The salient document is the ``Kids-Com Letter.'' Online since 
February 1995, KidsCom was one of the first children-only sites on the 
Internet. It did not use ``cookies''--which glean data about site 
visitors--to gather information, but collected data through 
registration forms, contests, and pen pal programs. It was directed at 
children from ages four to 15 and came under criticism for its 
collection practices. (As a result of the FTC investigation, KidsCom 
revamped its site and is very popular among parents and children.)
    In May 1996, the Center for Media Education, a consumer watchdog 
group, filed a petition with the FTC requesting that the agency 
investigate KidsCom and bring an enforcement action against it. CME 
asserted that KidsCom's data collection practices violated Section5 of 
the FTC Act's ``anti-deception'' laws in two ways. First, KidsCom 
collected information from children without accurately disclosing the 
purpose, and second, KidsCom failed to disclose that it was paid to 
endorse certain products. In July 1997, the FTC issued its findings in 
a letter. The FTC determined that KidsCom's disclosure was ``likely'' 
inadequate and misleading, but declined to take any punitive action 
against KidsCom since the company had already changed its data 
collection practices and cooperated in the FTC investigation. The FTC 
discovered that KidsCom was sharing information collected from children 
with third parties, though this information was provided only in an 
aggregate form (e.g., 10-year-old boys from New York preferred baseball 
over football).
    In issuing this ruling, the FTC for the first time publicly 
announced its guidelines for data collection from children on the 
Internet. Relying on '5 of the FTC Act, which prohibits unfair and 
deceptive practices in or affecting commerce, the FTC stated: ``It is a 
deceptive practice to represent that a Web site is collecting 
personally identifiable information from a child for a particular 
purpose (e.g., to earn points to redeem a premium), when the 
information will also be used for another purpose which parents would 
find material, in the absence of a clear and prominent disclosure to 
that effect.''
    Second, the FTC stated, when collecting personally identifiable 
information, ``adequate notice'' of such practices must be given to a 
parent because of a child's limited ability to understand the 
disclosure. ``Adequate notice'' requires disclosure of: (1) who is 
collecting the personally identifiable information; (2) what 
information is being used and for what purpose it is being used; (3) 
whether it will be disclosed to third parties, and if so, to whom and 
in what form; and (4) how parents can prevent the ``retention, use or 
disclosure'' of that information.
    Third, the FTC articulated its ``unfairness'' test for Internet 
child safety, noting that the disclosure of children's personal 
information to third parties is of particular concern, and that parents 
must be given adequate notice of such use and the opportunity to deny 
their consent to it. The FTC has had broad regulatory powers when 
dealing with safety issues, under its unfairness authority in section 
5. Under that section, a practice is unfair if it causes or is likely 
to cause substantial injury to consumers that is not reasonably 
avoidable and not outweighed by countervailing benefits to consumers or 
competition.
    In its fourth and final principle, the FTC criticized KidsCom's 
endorsement practices as misleading and deceptive. KidsCom had ``New 
Product'' areas, where products were reviewed and endorsed. What it had 
not disclosed was the fact that, in exchange for an endorsement, 
product manufacturers had to contribute at least $ 1,000 worth of 
product, which was used for premiums and prize redemptions. The passing 
off of an advertisement as an independent review or endorsement is a 
deceptive practice under '5 of the FTC Act. KidsCom failed to clearly 
and conspicuously disclose that the product information was solicited 
from manufacturers and printed in exchange for in-kind payment.
    Following the issuance of the KidsCom Letter, the FTC broadened its 
principles to include offline consent for children 12 and younger 
anytime their personal information may be shared online in chat rooms 
or similar third-party communications, and before any site collects and 
stores their personal information, even an e-mail address.
    The adoption of COPPA was in direct response to the lack of 
industry compliance with the law as articulated by the FTC in the 
KidsCom Letter.
    In June 1998, the FTC presented its Privacy Online Report to 
Congress, documenting the online collection of personal information 
from children. The FTC rearticulated its prior concerns that collection 
of personal information from a child under the age of 13 without 
informed parental consent would be a deceptive trade practice. The FTC 
reported to Congress that even in chat rooms, children innocently and 
without request may reveal where they live or go to school or their 
real e-mail addresses. The FTC informed Congress that parents need to 
understand the risks and consent to any such collection and disclosure 
of personal information. Congress apparently agreed, and wasted no time 
in acting on the FTC's report. Within months, COPPA was law.
    COPPA requires that commercial Web sites obtain verifiable parental 
consent before collecting personal information from a child under the 
age of 13. Failure to obtain such consent is an unfair and deceptive 
trade practice and can result in fines of up to $11,000 per occurrence.
    COPPA applies to commercial Web sites, online services ``targeted 
at children,'' and any online service operators with actual knowledge 
that they collect personal information from a child. (Actual knowledge 
can be as simple as a child's sharing her grade or age in a monitored 
general audience chat room on a site, or can be supplied by an e-mail 
or phone call from concerned parents who object to the collection 
practices on behalf of their child.) Personal information includes such 
items as full name, home address, e-mail address, telephone number, 
Social Security number, or any other information that the FTC 
determines ``permits the physical or online contacting of a specific 
individual.''
    The regulations require covered operators to:

1. Provide notice on the Web site of what information is collected from 
        children, how information is used, and the Web site operator's 
        disclosure practices for such information (notice this applies 
        to all information, not just ``personal information'');
2. Obtain verifiable parental consent (which requires more than a mere 
        e-mail consent from the parent) to collect, use, or disclose 
        children's personal information before it is collected from the 
        child, with certain exceptions and special rules for 
        newsletters and internally used information;
3. Upon request, provide parents with a description of the types of 
        information collected from their child, or the actual 
        information obtained from their child, and the opportunity to 
        refuse to permit the further use, maintenance, or future 
        collection of the child's personal information. Thus, in 
        addition to having to obtain initial consent from the parents, 
        if a parent withdraws consent at any time, the operator must 
        remove that child's personal information from the system;
4. Cease conditioning the child's participation in games, contests, or 
        any other activity upon the disclosure of more information than 
        is reasonably necessary to participate, including permitting 
        parents to allow the site to collect personal information but 
        refusing to let the site share the information with third 
        parties;
5. Maintain reasonable procedures ``to protect the confidentiality, 
        security, and integrity of personal information collected from 
        children.''
    The law also details three different levels of consent, as well as 
the various types of notices required under the statute, which cover 
everything from the content of those rules to the look and placement of 
the link to the privacy policy displayed at the site, as well as the 
technical requirements for obtaining ``verifiable'' parental consent.
    All websites need to look hard and thoroughly at their collection 
practices. Even if COPPA doesn't apply to the site, they may still run 
afoul of the FTC Act if their privacy policy does not accurately and 
completely disclose what personal information they collect from their 
users and what they do with that information. If they collect personal 
information that includes a person's age or grade or similar 
information, they may then have actual knowledge that they are 
collecting personal information from a ``child'' and need to comply 
with the full panoply of COPPA regulations. Even if they don't overtly 
request that information, if they have monitored chat rooms or 
discussion boards at which a user may disclose information from which 
the site should know they are under 13, that may provide the requisite 
knowledge under COPPA.
    If the site collects any personally identifiable information from 
its users or provides any means of public disclosure of such 
information (such as through an e-mail service, chat room, discussion 
boards or instant messenger service), and the site is alerted that a 
particular user is a statutory ``child,'' then the site must also 
comply with COPPA.
    Banner advertisers and network advertising companies are covered by 
COPPA and its regulation if they advertise at children's sites and 
collect personal information from children who click through from such 
sites. They are also covered if they have ownership or control over 
such information collected directly at the children's sites. 
Advertisers at general audience sites may also be covered by COPPA if 
they collect personal information from people who click through, and 
that information discloses that the visitor is a child.
    We have learned that many companies are collecting data from their 
Web site visitors without knowing why they are collecting it or if they 
are using it properly. Unless companies are under investigation or have 
heard of another company under investigation, their legal departments 
rarely communicate with Webmasters. With this new law on the books, all 
commercial Web sites must be vigilant in ensuring that the rights of 
parents to notice and consent are honored. If such companies ignore 
parents' concerns regarding privacy and advertising, they will have to 
face more than the FTC they will be facing the even tougher scrutiny of 
a disgruntled parent.

    Mr. Tauzin. Thank you.
    Mr. Mike Griffiths, the Chief Technology Officer of Match 
Logic Inc. Welcome.

                  STATEMENT OF MIKE GRIFFITHS

    Mr. Griffiths. Mr. Chairman and members of the committee, I 
want to thank you for inviting me to testify. My name is Mike 
Griffiths. I am the Chief Technology Officer and one of the 
founders of Match Logic, an Internet marketing and advertising 
services company that provides strategic marketing solutions to 
Fortune 500 companies. We were founded in 1996 and currently 
operate as a subsidiary of a leading broadband Internet service 
provider, Excite at Home.
    I am here representing the Network Advertiser Initiative, 
an industry group comprised of the leading Internet advertising 
companies. The NAI was formed at the behest of the Federal 
Trade Commission and the Department of Commerce to address 
consumer privacy concerns by developing self-regulatory 
guidelines on the practice of online preference marketing or 
profiling. The NAI companies represent more than 90 percent of 
the Internet advertising industry in terms of revenue and 
numbers of ads served.
    Mr. Chairman, as you know, the NAI announced its self-
regulatory principles in July of this year after months of 
intensive consultations with the Federal Trade Commission and 
with the Clinton administration. The Internet advertising 
industry needed to adopt rules of the road for its information 
practices in order to satisfy legitimate user concerns about 
privacy.
    For the industry to write these rules in a manner that 
would garner public confidence, the NAI needed the guiding hand 
of public officials. The talks between the NAI and the Federal 
Government were tough but fair in that the industry had to make 
a number of important concessions. Ultimately, we were pleased 
that the NAI could develop industry self-regulatory guidelines 
that are meaningful and real and which the FTC, Clinton 
administration and Members of Congress on both sides of the 
aisle unanimously applauded.
    The NAI principles dealt with the practice of online 
preference marketing. We define this as data collected over 
time and across web sites which is used to determine or predict 
consumer characteristics or preferences for use in ads delivery 
on the web.
    In other words, we try to figure out which is the best ad 
to play to the consumer at a given point in time. We believe 
that OPM, if done responsibly, benefits both consumers and 
businesses. Consumers benefit because they receive banner ads 
targeted to their interests. If you are interested in golf, for 
example, you will see more advertisements for the latest golf 
equipment. If you buy a lot of women's clothing, you will see 
more women's clothing ads. Advertisers benefit because targeted 
advertising is more effective and they get a better return on 
their investments. Finally, web sites benefit because the more 
effective the advertising, the more they can charge.
    This brings us back to the consumer. Without targeted 
advertising, advertisers will pay less, web sites will earn 
less and consumers will suffer. Currently a vast majority of 
web sites are free. If Internet advertising does not work, 
these web sites will not be able to survive or they will have 
to move to a subscription model that charges users for 
services.
    Our companies allowed tens of thousands of small and medium 
sized web sites to compete with bigger players for advertising 
dollars. We give them the economy of scale that they would 
otherwise lack. So in summary, our job is to make the Internet 
a more efficient and competitive advertising medium that will 
further stimulate the growth and viability of the Internet as a 
source for free content.
    We at Match Logic and at the NAI understand that consumers 
are very concerned about Internet privacy. We share these 
concerns. If consumers are not comfortable that their privacy 
is protected, then the Internet will suffer. That is why the 
NAI companies came together with the Federal Government to 
develop landmark principles on data collection and the level of 
notice and choice that we must give to consumers. These 
principles lay the ground rules and safeguards for the 
collection and use of nonpersonally identifiable or unanimous 
information, the collection and use of personally identifiable 
information, and the merger of PII with non-PII.
    In summary, here are the guidelines: First of all, NAI 
companies have agreed that we will not use personally 
identifiable sensitive health information, sensitive financial 
information, or information of a sexual nature for the purposes 
of profiling. We do not believe that these categories of data 
should be used, and we will not use them. For non-PII, we 
require notice and choice. NAI members must disclose their OPM 
practices through their web sites and through the NAI gateway 
web site. In addition, where possible they must contractually 
require their web site partners to disclose the collection of 
non-PII for OPM. NAI members will provide mechanisms for 
consumers to opt out from the use of PII for OPM.
    For personally identifiable information, or PII, we require 
that NAI members follow the online privacy alliance guidelines 
for online privacy policies. These policies require the 
adoption and implementation of a privacy policy and that notice 
and choice be afforded.
    Importantly, for the merger of non-PII with PII, we have 
two scenarios. The first case is where PII is linked with 
previously collected non-PII. In this case, members will not 
without prior affirmative consent or opt in, merge PII with 
previously collected non-PII.
    The second case is where PII will be merged with non-PII 
for OPM purposes on a going forward basis. In this case NAI 
members will provide consumers with robust notice and choice. 
The NAI principles include several examples of what would be 
considered robust notice for each of these scenarios.
    The NAI members have also agreed to establish a third party 
enforcement program that will include random audits by the 
third party enforcer, the ability to file and handle consumer 
complaints and the ability to redress lack of compliance though 
sanctions such as revocation of the seal or through a 
designated public or government forum such as the Federal Trade 
Commission.
    Finally, the NAI members strongly believe that industry, 
government, consumer, and advertiser pressures to set and 
maintain high standards for privacy will render participation 
in the NAI all but mandatory for network advertisers. Moreover, 
because of the contractual reach of these NAI companies across 
literally thousands of web sites, the NAI principles will have 
a tremendously broad impact on web privacy.
    In conclusion, and to summarize, the NAI self-regulatory 
principles are designed primarily to accomplish two things: 
first, to make sure that advertisers and web sites post notice 
that are strong and clear where OPM occurs, and second, to make 
it easy for users to opt out. Under these principles NAI 
companies agree to afford consumers with important notice 
disclosures and appropriate methods of choice for 
participation, while at the same time one of the main engines 
behind this Nation's booming new economy, the Internet, can 
continue its remarkable growth and improve as a provider of 
free and reduced price content.
    Mr. Chairman, on behalf of the NAI, I want to pledge that 
we will continue to work with the FTC, the Commerce Department 
and you and your members and staff to ensure that these self-
regulatory principles live up to their promise. Thank you.
    [The prepared statement of Mike Griffiths follows:]

    Prepared Statement of Mike Griffiths, Chief Technology Officer, 
                               MatchLogic

    Mr. Chairman and Members of the Committee, I want to thank you for 
inviting me to testify. My name is Mike Griffiths, and I am the Chief 
Technology Officer and one of the founders of MatchLogic. MatchLogic is 
an Internet marketing and advertising services company that provides 
strategic marketing solutions to Fortune 500 companies. We were founded 
in 1996 and currently operate as a subsidiary of the leading broadband 
Internet service provider Excite@Home.
    Before I begin I would like to thank Chairman Tauzin for holding 
this hearing and taking an active role on the important issue of 
Internet privacy. We have consulted with Chairman Tauzin and his staff 
during the development of the self-regulatory principles that I am here 
to discuss and his leadership helped us put forward guidelines that 
both protect user privacy in an unprecedented manner while, at the same 
time, allowing internet advertising to thrive. So, again, thank you Mr. 
Chairman and Congressman Markey for your hard work and for holding this 
hearing.
    I'm here today representing the Network Advertising Initiative, an 
industry group comprised of the leading Internet advertising companies. 
The NAI was formed at the behest of the Federal Trade Commission and 
the Department of Commerce to address consumer privacy concerns by 
developing self-regulatory guidelines on the practice of online 
preference marketing, or ``profiling''. The NAI companies represent 
more than 90 percent of the Internet advertising industry in terms of 
revenue and numbers of ads served
    Mr. Chairman, as you know, the NAI announced its self-regulatory 
principles in July of this year after months of intensive consultations 
with the Federal Trade Commission and the Clinton Administration. The 
Internet advertising industry needed to adopt ``rules of the road'' for 
its information practices in order to satisfy legitimate user concerns 
about privacy. For the industry to write these rules in a manner that 
would garner public confidence, the NAI needed the guiding hand of 
public officials. The talks between the NAI and the federal government 
were tough but fair, in that the industry had to make a number of 
important concessions. Ultimately, we were pleased that NAI could 
develop industry self-regulatory guidelines that are meaningful and 
real and which the FTC, Clinton Administration and members of Congress 
on both sides of the aisle unanimously applauded
    The NAI principles deal with the practice of Online Preference 
Marketing. We define this as ``data collected over time and across web-
sites, which is used to determine or predict consumer characteristics 
or preferences for use in ad delivery on the Web.'' In other words, we 
try to figure out which is the best ad to play to a consumer at a given 
point in time.
    We believe that OPM, if done responsibly, benefits both consumers 
and businesses. Consumers benefit, because they receive banner ads 
targeted to their interests. If you are interested in golf, for 
example, you will see more advertisements for the latest golf 
equipment; if you buy a lot of women's clothing, you will see more 
women's clothing ads. Advertisers benefit because targeted advertising 
is more effective and they get a better return on investment. Finally, 
web sites benefit because the more effective the advertising, the more 
they can charge.
    This brings us back to the consumer. Without targeted advertising, 
advertisers will pay less, web sites will earn less and consumers will 
suffer. Currently, a vast majority of web sites are free. If Internet 
advertising does not work, these web sites will not be able to survive, 
or they will have to move to a subscription model that charges users 
for their services. Our companies allow tens-of-thousands of small and 
medium size web-sites to compete with the biggest players for 
advertising dollars. We give them the economy of scale that they 
otherwise would lack. So, in summary, our job is to make the Internet a 
more efficient and competitive advertising medium that will further 
stimulate the growth and viability of the Internet as a source for free 
content.
    We at Matchlogic and at the NAI understand that consumers are very 
concerned about Internet privacy. We share these concerns. If consumers 
are not comfortable that their privacy is protected then the Internet 
will suffer. That is why the NAI companies came together with the 
Federal government to develop landmark principles on data collection 
and the level of notice and choice that must we must give to 
consumers.. These principles lay out the ground rules and safeguards 
for the collection and use of Non-Personally Identifiable (or 
anonymous) information, the collection and use of Personally 
identifiable information, and the merger of PII with Non-PII.
    In summary, here are the guidelines:
    First, all of the NAI companies have agreed that we will not use 
personally identifiable sensitive health information, sensitive 
financial information, or information of a sexual nature for the 
purpose of profiling. We do not believe that these categories of data 
should be used, and we will not use them.
    For Non-PII, we require notice and choice. NAI members must 
disclose their OPM practices through their web-sites and through the 
NAI gateway web-site, and in addition, where possible, they must 
contractually require their web-sites partners to disclose the 
collection of Non-PII for OPM. NAI members will provide mechanisms for 
consumers to opt-out from the use of Non-PII for OPM.
    For PII, we require that NAI members follow the Online Privacy 
Alliance (OPA) guidelines for Online Privacy Policies. These policies 
require the adoption and implementation of a privacy policy, and that 
notice and choice be afforded.
    For the merger of non-PII with PII, we have two scenarios. The 
first case is where PII is linked with previously collected Non-PII. In 
this case NAI members will not, without prior affirmative consent 
(``opt-in'') merge PII with previously collected Non-PII. The second 
case is where PII will be merged with Non-PII for OPM purposes on a 
going forward basis. In this case NAI members will provide consumers 
with robust notice and choice.
    The NAI principles include several examples of what would be 
considered robust notice for each of these scenarios.
    The NAI members have also agreed to establish a third-party 
enforcement program that will include: random audits by the third party 
enforcer, the ability to file and handle consumer complaints, and the 
ability to redress lack of compliance through sanctions such as 
revocation of the seal, or through a designated public or government 
forum such as the Federal Trade Commission.
    Finally, the NAI members strongly believe that industry, 
government, consumer, and advertiser pressures to set and maintain high 
standards for privacy will render participation in the NAI all-but-
mandatory for all network advertisers. Moreover, because of the 
contractual reach of these NAI companies across literally thousands of 
Web sites, the NAI Principles will have a tremendously broad impact on 
Web privacy.
    In conclusion and to summarize, the NAI self-regulatory principles 
are designed primarily to accomplish two things: first, to make sure 
that advertisers and web-sites post notices that are strong and clear 
where OPM occurs, and second, to make it easy for users to opt-out. 
Under these principles, NAI companies agree to afford consumers with 
important notice disclosures and appropriate methods of choice for 
participation, while at the same time one of the main engines behind 
this nation's booming new economy, the Internet, can continue its 
remarkable growth and improve as a provider of free and reduced-price 
content.
    Mr. Chairman, on behalf of the NAI, I want to pledge that we will 
continue to work with the FTC, the Commerce Department and you and 
members of your staff to ensure that these self-regulatory principles 
live up to their promise.
    Thank you, and I look forward to any questions you may have.

    Mr. Tauzin. Thank you.
    Finally, Mr. Andrew Shen, Policy Analyst for the Electronic 
Privacy Information Center here in Washington.

                    STATEMENT OF ANDREW SHEN

    Mr. Shen. Thank you, Mr. Chairman. Thanks for inviting me 
to speak on a very important issue to the American public and, 
obviously, also to members of this committee.
    I will try to keep my remarks very short since I am the 
very last speaker of what has been a very long morning. My name 
is Andrew Shen, and I am a Policy Analyst at the Electronic 
Privacy Information Center. EPIC is a public interest research 
center located here in Washington, DC. Today while I am here 
formally on behalf of EPIC, I am really speaking here to 
represent the views and interests of American consumers.
    EPIC believes that privacy has and will be one of the 
defining consumer protection issues for Internet, and what we 
have seen in these early years of electronic commerce is that 
the Internet has resulted in a vast amount of information 
collection that I think is unprecedented, and that information 
collection has resulted in corresponding concerns about 
personal privacy.
    Now, when I speak in public at events like these, I do my 
best to address the concerns of American consumers and those 
that really just want to ask a very simple question, and their 
question usually goes something like this: How do I protect my 
privacy? How do I keep my personal information within my 
control?
    To some extent, fellow members of my panel have tried to 
address that problem. Some have proposed self-regulatory 
guidelines, some have proposed technologies. Some have proposed 
a mix of both. But I think it is important to sort of analyze 
what a typical consumer experience of these approaches are.
    Some suggest to a lot of consumers that they should change 
the settings in their browsers or use privacy tools or 
subscribe to anonymizing services. But this will not be 
sufficient for the protection of most American consumers. Many 
information collection technologies use jargon and terms that a 
lot of people are not familiar with. Terms like cookies, online 
profiling, online preference markets, opt in, opt out. This 
tends to confuse a lot of people. And here as evidence I want 
to cite a recent study by Pew Internet American Life Project. 
They found that 43 percent of Internet users--only 43 percent, 
less than half--know what a cookie is.
    Even more astonishing than that are the results that of 
Internet users that have 3 or more years of experience online, 
that number only rises to 60 percent. That is for people who 
have been online for a very long time still do not know what a 
cookie is, let alone what a company like Match Logic can do 
when they combine cookie technology with banner ads and huge 
networks.
    Others may suggest that people can just read privacy 
policies and try to parse out what tend to be long, complex, 
and vague statements about what companies will do with their 
personal information. These privacy policies, as I already 
said, tend to be confusing. Larry spoke to this a minute ago. 
But I think a more important, more recent phenomenon is that 
these privacy policies are constantly changing. Many privacy 
policies will explicitly say: Our terms may change at any time. 
Please check back later. And that is just not good enough for 
the American consumers.
    More recently than that, many consumers are simply being 
told that if the company fails or goes bankrupt or mismanages 
the resources they have at their disposal, their customers' 
personal information can be sold just like the computer sitting 
on their desk in the office as if it was their information to 
sell.
    Now, do I have an answer for these people. I do not want to 
tell them they can't do anything. What I usually tell them to 
do is talk to lawmakers and legislators like yourself, tell 
them to say to you that they want their privacy protected, and 
tell them to tell you that you do have it within your power to 
protect their personal information. And Congress has done this 
before.
    You listed off many bills earlier this morning, listing all 
the various sectors that have information that protect the 
personal information of consumers. These include information 
contained in credit reports, student records, e-mail messages, 
telephone toll records, video rental records, cable subscriber 
records. And they have succeeded in protecting American 
consumer privacy. And you can do the same for the Internet. You 
can protect the personal information that is submitted online.
    But beyond that, because I realize that several members of 
your committee have introduced legislation. Congressman Luther 
spoke about it briefly this morning and so did Congressman 
Boucher. Sort of what is the law that we want to see? What is 
the ideal approach to the situation? And I would like to make a 
couple of points.
    Chairman Pitofsky said that he believes that notice and 
consent were the most important parts of fair information 
practices. But in addition we need to think about access, a 
principle that has not been discussed a lot today. It is an 
important one. Access ensures that consumers can see the 
information that has already been collected on them, make sure 
it is accurate and up-to-date. And moreover, which I think is a 
very important point, it builds an ongoing relationship. I am 
providing my information to you and when I want to see my 
information you show it back to me. That sort of trust and 
confidence is something that e-commerce will definitely need 
going forward in the future, and I hope that you will include 
that as the protections that you choose to provide to American 
consumers.
    [The prepared statement of Andrew Shen follows:]

 Prepared Statement of Andrew Shen, Policy Analyst, Electronic Privacy 
                           Information Center

    My name is Andrew Shen. I am a Policy Analyst at the Electronic 
Privacy Information Center (EPIC) 1. At EPIC, I work largely 
on consumer privacy issues. Earlier this year, I served as a member of 
the Federal Trade Commission (FTC) Advisory Committee on Online Access 
and Security 2. I have been a panelist at FTC and Department 
of Commerce workshops on online profiling and more recently, online 
privacy technologies.
---------------------------------------------------------------------------
    \1\ EPIC is a public interest research center in Washington, D.C. 
It was established in 1994 to focus public attention on emerging civil 
liberties issues and to protect privacy, the First Amendment, and 
constitutional values. More information about EPIC is available at the 
EPIC website, http://www.epic.org
    \2\ http://www.ftc.gov/acoas/
---------------------------------------------------------------------------
    EPIC works with consumer organizations on a wide range of privacy 
issues. We also work on the international level within coalitions such 
as the Trans Atlantic Consumer Dialogue (TACD) that brings together 
consumer advocates from the U.S. and Europe 3.
---------------------------------------------------------------------------
    \3\ http://www.tacd.org
---------------------------------------------------------------------------
    I want to thank the Committee for inviting me to testify today on 
an issue that is of growing importance to the American public.

                         SURFER BEWARE REPORTS

    Since 1997, EPIC conducted annual ``Surfer Beware'' surveys on the 
state of Internet privacy. EPIC's survey of Internet privacy policies 
``Surfer Beware: Personal Privacy and the Internet''--the first survey 
of online privacy ever conducted--found that only 17 of the 100 most 
frequently visited websites posted privacy policies and that none met 
basic standards for privacy protection 4. That report 
recommended that Internet websites make privacy policies easy to find, 
clearly state how and when information is collected, provide access to 
data already collected, make cookie transactions more transparent, and 
continue to support anonymity.
---------------------------------------------------------------------------
    \4\ http://www.epic.org/reports/surfer-beware.html
---------------------------------------------------------------------------
    ``Surfer Beware II: Notice Is Not Enough'' assessed the online 
privacy practices of members of the Direct Marketing Association (DMA) 
5. The DMA was and is a leading proponent of industry self-
regulation with regards to personal information. The report found that 
only 8 of the 40 new DMA members with websites had privacy policies and 
only 3 complied with the DMA's own guidelines published nine months 
earlier.
---------------------------------------------------------------------------
    \5\ http://www.epic.org/reports/surfer-beware2.html
---------------------------------------------------------------------------
    Our most recent report ``Surfer Beware III: Privacy Policies 
without Privacy Protection'' was conducted shortly before last year's 
holiday shopping season 6. Looking at the top 100 e-commerce 
sites, we found that not a single one had a privacy policy that 
complied with the benchmark of Fair Information Practices. For example, 
many websites posted privacy policies but did not provide access to 
personal data already collected.
---------------------------------------------------------------------------
    \6\ http://www.epic.org/reports/surfer-beware3.html
---------------------------------------------------------------------------
    We also found that many of the privacy policies were confusing and 
inconsistent. While over 80% of the websites that we surveyed did post 
a privacy policy, our survey proved that posting a privacy policy has 
no significant correlation with a high level of protection.
    In the years between our first and last reports, we have documented 
the lack of protections for consumer privacy in these crucial early 
years of e-commerce. It is no secret that consumer concerns about 
privacy on the Internet have not dissipated in this time. If anything, 
recent developments such as online profiling indicate that the current 
approach of self-regulation may be putting consumer privacy at 
increasing risk.

                            ONLINE PROFILING

    Online profiling caught the attention of consumers earlier this 
year when online advertiser, DoubleClick, proposed to created detailed 
profiles on Internet users. The company came under fire for linking 
personal information such as a name and address to online profiles, 
records of what Internet consumers were doing online. In doing so, it 
reneged on earlier statements made in its privacy policy that all 
information it collected would remain anonymous 7. In 
testimony before the Senate Commerce Committee in July of 1999, EPIC 
was one of the first organizations to publicly discuss the change in 
DoubleClick's business model 8.
---------------------------------------------------------------------------
    \7\ For more information, see http://www.epic.org/doubletrouble/
    \8\ http://www.epic.org/privacy/internet/EPIC--testimony--799.pdf
---------------------------------------------------------------------------
    In early February, EPIC filed a complaint with the Federal Trade 
Commission (FTC) that DoubleClick had unfairly and deceptively misled 
consumers about its information collection practices. At the end of 
July, the FTC approved a set of self-regulatory guidelines that permits 
wholesale tracking of Internet consumers and linking of those profiles 
to personal information without the knowledge or permission of the 
consumer. The guidelines were negotiated with the Network Advertising 
Initiative (NAI), a group of online profiling companies.
    In response, EPIC along with 13 other consumer privacy 
organizations signed a letter pointing out that ``the NAI Principles 
recently endorsed by the Federal Trade Commission fail to provide an 
adequate level of privacy protection'' 9. The letter said 
that
---------------------------------------------------------------------------
    \9\ http://www.epic.org/privacy/internet/NAI--group--letter.html
---------------------------------------------------------------------------
    The Principles will allow online profilers to combine previously 
declared anonymous data with personally identifiable data, like home 
addresses and telephone numbers. In the future, online profilers will 
be allowed to link information about online behavior with personally 
identifiable data on a burdensome opt-out basis. The persons profiled 
by these companies will have no guaranteed level of access to view what 
data has been collected on them. Personally identified profiles may 
also be distributed to any third party--for completely unrelated 
purposes--on an opt-out basis. All of these provisions, and others, 
will erode consumer control over the collection and use of highly 
detailed profiles 10.
---------------------------------------------------------------------------
    \10\ ibid.
---------------------------------------------------------------------------
    Furthermore, the letter faults the FTC for failing to involve the 
consumer advocacy community in negotiations with the Network 
Advertising Initiative. The negotiations were done behind closed doors 
and EPIC had to file a Freedom of Information Act request just to see 
the record of those proceedings.
    EPIC, along with Junkbusters, completed a full analysis of the 
Network Advertising Initiative guidelines entitled ``Network 
Advertising Initiative: Principles not Privacy'' detailing the vague 
and weak restrictions it offers 11. That review concluded 
that
---------------------------------------------------------------------------
    \11\ http://www.epic.org/privacy/internet/NAI--analysis.html
---------------------------------------------------------------------------
    The Principles perpetuate the secretive tracking of Internet users 
and run counter to the standards that consumers want. The Principles 
place the burden of privacy protection squarely on the consumer by 
relying on opt-out for both tracking of Internet users and linking of 
profiles to personally identifying information 12.
---------------------------------------------------------------------------
    \12\ ibid.
---------------------------------------------------------------------------
    Further, the report recommended that ``strong laws and effective 
enforcement will spur Internet advertisers to adopt methods and 
technologies that promote consumer privacy'' 13.
---------------------------------------------------------------------------
    \13\ ibid.
---------------------------------------------------------------------------
    Online profiling remains a serious concern for Internet users. I 
urge the Committee to ask the FTC why, despite their own 
recommendations for Internet legislation, it chose to approve self-
regulatory guidelines for online profiling companies--the most personal 
information intensive sector that has developed to date on the 
Internet.

                               BANKRUPTCY

    Apart from the activities of online profiling companies, the most 
recent development facing online consumers is the growing number of 
Internet companies that are auctioning off personal information when 
they go bankrupt. In June, online retailer Toysmart.com went bankrupt 
and advertised the sale of its assets in the Wall Street Journal. What 
caught the attention of many is that the company also attempted to sell 
its customer lists and other personal information in violation of 
representations made when it collected that data. The ongoing dot-com 
shakeout will likely produce more companies trying to recoup capital 
for their investors, but how will the privacy of this personal 
information be protected?
    The FTC was able to pursue Toysmart.com since the company said that 
the information collected was ``never shared with a third party''. The 
FTC's attempted settlement fell short of requiring the company not to 
sell the personal data of its customers. Since then, other companies 
have been failing, similarly putting the information of its customers 
at risk.
    Over Labor Day weekend, Amazon.com told its millions of customers 
that in the event that it failed--it would also declare their personal 
information as a business asset. That statement and other changes to 
the company's privacy policy prompted EPIC's decision to cut ties with 
the online bookseller. In a letter to EPIC's newsletter subscribers, we 
said that ``Because of this decision, and in the absence of legal or 
technical means to assure privacy for Amazon customers, we have decided 
that we can no longer continue our relationship with Amazon'' 
14.
---------------------------------------------------------------------------
    \14\ http://www.epic.org/privacy/internet/amazon/letter.html
---------------------------------------------------------------------------
    Failing to guarantee that personal information will not be sold in 
the future is an obvious requirement of privacy protection but one that 
companies have avoided taking on. As bankruptcies become more common, 
the failure to provide privacy standards for online consumers allows 
companies to protect privacy only when it suits them. When bankrupt, 
the privacy of a company's customers is no longer important to the 
company and is no longer respected. Furthermore, the growing number of 
bankruptcies points to an underlying problem with the current reliance 
on privacy policies. By making privacy policies the only standard to 
which Internet websites are held, it allows companies to change the 
terms on consumers--most recently allowing companies to unilaterally 
declare personal information theirs to sell.

                      GOVERNMENT PRIVACY POLICIES

    Another issue before the Committee today is the issue of government 
website privacy policies. While this will not be the focus of my own 
testimony, I do wish to make a few comments on this issue.
    The General Accounting Office survey commissioned by Rep. Armey and 
others found that 97 percent of government websites did not comply with 
the FTC Fair Information Practice principles of Notice, Consent, 
Access, and Security.
    We support efforts to strengthen the privacy safeguards for federal 
websites. History has proven that such restrictions are necessary to 
curtail possible governmental abuses of power. Events like Watergate 
spurred laws such as the Privacy Act of 1974 that provides citizens 
with an array of rights to protect their privacy.
    I should also point out that government agencies--unlike commercial 
entities--are not free to use personal information however they wish. 
Government agencies have to comply with guidelines set out in law while 
commercial websites have to comply with privacy policies that they 
themselves write.

                     PRIVACY ENHANCING TECHNOLOGIES

    Since the beginning of the online privacy debate, EPIC has urged 
the wide adoption of privacy-enhancing technologies to protect 
consumers. However, I would like to point out what makes a technology 
one that enhances rather than invades privacy. Privacy enhancing 
technologies make it easier to take advantage of rights as provided 
through Fair Information Practices and minimize or eliminate the 
collection of personal data.
    Without legal guarantees that data is collected for limited 
specific purposes, is collected only with consent, is accessible to the 
consumer, is securely stored and transmitted, privacy technologies can 
currently do little to help consumers utilize their rights. Only when 
existing law provides those rights will technologies develop to help 
consumers take advantage of them. The Platform for Privacy Preferences 
(P3P) demonstrates that failings of online privacy technologies in an 
environment without privacy law. A report released earlier this June, 
entitled ``Pretty Poor Privacy: An Assessment of P3P and Internet 
Privacy'', details some of the protocol's failings 15.
---------------------------------------------------------------------------
    \15\ http://www.epic.org/reports/prettypoorprivacy.html
---------------------------------------------------------------------------
    There is however, one area in which technology can address privacy 
in the absence of laws. That is in the promotion of anonymity and 
elimination of the need to collect personal data. Most of the 
activities conducted online such as reading news, shopping for 
products, searching for information, can be done without the collection 
of information from consumers. However, the current trend towards 
``personalization'' results in the increased storage and analysis of 
these basic online activities. Infomediaries that seek to provide 
information according to user preferences do not provide this 
anonymity. Rather than reinforcing that the dispersal of customer 
information should not be the norm, they seek to encourage more 
information collection by making it easier than ever for personal data 
to be disclosed.

                           CONCLUDING REMARKS

    Internet consumers are facing an increasingly hostile environment. 
Faced by online profiling companies that seek to know about their 
online surfing habits and websites that change their privacy policies 
at will, consumers are increasingly left to their own devices in 
protecting their privacy. Technologies available to consumers, for 
reasons I mention above, have a role to play but will only have 
significant impact once legal standards become effective.
    Congress has a critical role to play in safeguarding online 
privacy. It should build on the legal framework for privacy protection, 
consistent through many federal laws protecting personal information 
16.
---------------------------------------------------------------------------
    \16\ Fair Credit Reporting Act (1970) 15 U.S.C. Sec. 1681; Family 
Educational Rights and Privacy Act (1974) 20 U.S.C. Sec. 1232g; Cable 
Communications Policy Act (1984) 47 U.S.C. Sec. 551; Electronic 
Communications Privacy Act (1986) 18 U.S.C. Sec. 2510; Video Privacy 
Protection Act (1988) 18 U.S.C. Sec. 2710; See Telecommunications Act 
(1996) 47 U.S.C. Sec. 222; Children's Online Privacy Protection Act 
(1999) 15 U.S.C. Sec. 6501.
---------------------------------------------------------------------------
    There is significant public support for Internet privacy 
legislation 17. Consumers should not be left without legal 
rights in the online world.
---------------------------------------------------------------------------
    \17\ Business Week/Harris Poll: A Growing Threat, March 20, 2000, 
http://www.businessweek.com/2000/00--12/b3673010.htm

    Mr. Tauzin. Thank you. I think it is important to point out 
that why we are finding it hard to put our arms around all of 
the many aspects of the privacy issue is that there is a lot of 
tension here. Consumers have different expectations about 
privacy. On the one hand they want their privacy protected. 
They also would like the advantage of people advertising to 
them very specifically and very effectively, as was pointed 
out; the notion that I do not necessarily want to see a lot of 
ads that are about things that I am not interested in, but I 
very much would like to get books and pamphlets and ads and e-
mail and maybe Internet advertising on things that I am 
interested in.
    At our conference, for example, we heard from a banker who 
installed all sorts of privacy protections, separations between 
each division in his bank about the information that was stored 
there, the mortgage side from the savings and deposit side. And 
the first thing they experienced was that their customers 
started leaving them because they did not like the service 
anymore. They did not like the people telling them we can't 
help you because we do not have that information about you.
    Ms. Aftab has pointed out that the parental consent of 
COPPA is not necessarily functioning as well as people thought 
because parents do not take the trouble to go ahead and okay 
their kids onsites that kids probably should be visiting. It 
would be good for them to visit and have interaction with.
    In addition, we have got some experience with that. We had 
incredible debates, my friend Mr. Markey and I, over a thing 
called the V-chip, and the percentage of parents who are using 
it now are still pretty small, and I don't think it is expected 
to grow because it is just something parents, as I predicted by 
the way, would not have time to go around programming the 
television for the week.
    So we come to this issue understanding all of this tension, 
and the problems we also experience are how much should we 
legislate and how much should we count on consumers eventually 
controlling much of their own private data through technology 
and through information.
    But there are several things we have learned today that I 
think are important. One, we can have all the privacy notices 
required in the world and the bottom line is people are not 
necessarily going to read them, and they do get changed and 
they are confusing and more consumers will not be adequately 
served if that is the way we solve this problem.
    Two is that there are some things that do help a lot. You 
brought some to our attention, some software, some hardware 
technology and seals. We know seals works pretty good. We heard 
from Chairman Pitofsky today that only 8 percent of the 
companies' surveyed web sites are using seals. Why is that so 
low? That would seem to be a real easy thing for consumers to 
build confidence in web sites and in advertisers and in 
commercial enterprises if they saw and recognized a seal on a 
site without having to go read all of this policy and 
understand it and opt in or opt out or what have you. If what 
we are looking for is a user friendly world on the Internet in 
the area of privacy, would not seals, some simple way of 
understanding what I am visiting and what my rights are here 
without having to read all and understand all of those terms, 
wouldn't that seem to be a very positive and sort of 
appreciated thing on the web? And why is so small a percentage 
of web sites choosing to get an approved seal on their site? 
Anyone?
    Ms. Aftab. Mr. Chairman, if I may, Parry Aftab, what we are 
finding is that consumers do not recognize the viability of 
certain seals. There is no one Good Housekeeping Seal of 
Approval that is recognized generally by consumers. Once 
consumers can find various seals that mean something to them, 
then the seals will become a market issue.
    Mr. Tauzin. Let me give you an example. If instead of 
having the problem you cited where parents have to always 
consent to let their kids visit a site and share information, 
if there was a kiddie seal that parents knew and recognized to 
be representative of a site where, in fact, their kids are not 
going to be abused and information is not going to be 
mishandled, if they knew that, wouldn't parents appreciate that 
instead of having to constantly okay a child's visit to a site?
    Ms. Aftab. Absolutely, Mr. Chairman.
    Mr. Tauzin. Are we ever going to get there?
    Ms. Aftab. We have a seal that is going to be coming out 
under Wired Kids, which is safety and privacy, a quality site, 
which is a subjective test, but put together by librarians and 
teachers and child advocates, saying trust us, we can brand it 
for you. That will be coming out of the Wired Kids----
    Mr. Tauzin. And I suppose the same thing happened with 
software and hardware, that if at some point the private sector 
were to build consumer awareness of software and hardware 
technologies that are available, that parents and consumers 
generally would prefer that than reading extensive notices and 
constantly checking to see if the terminology has changed or 
the notice has changed, is that right? Any one of you?
    Mr. Griffiths. Being a technologist, I have some faith that 
technology will provide part of the answer. I think there is a 
reason why people do not read a lot of privacy policies either. 
Even if we encourage every web site on the planet to have 
privacy policies, the nature of the web is very fluid and 
dynamic. If you are searching, you do not stop and read the 
privacy policy.
    Mr. Tauzin. You can't. You do not have time. You may not 
know all the terms.
    Mr. Griffiths. Exactly. So I believe that technology such 
as P3P that allows for automated negotiation of preferences 
with respect to a site policy are part of the answer.
    Mr. Tauzin. But they are all part of the answer, but the 
concern I have is when do consumers really understand which of 
these solutions works for them and have the confidence in them? 
I do not see that happening yet. I do not see people generally 
saying, you know, there is a good seal out there. There is a 
good software, there is a good program that I can attach to and 
feel comfortable with without having to study and read and 
constantly update my permission, if you will, on a site.
    Mr. Griffiths. I think the answer today is that the 
Internet is still changing. It is ever changing and expanding 
and growing.
    Mr. Tauzin. Is it too little too late?
    Mr. Griffiths. Well, I think we see approaches from a 
regulatory perspective, from a self-regulatory perspective, 
from a technology and an awareness perspective, and I think it 
will take some time to work through. I really do.
    Mr. Tauzin. Ms. Cady?
    Ms. Cady. I wanted to first of all give a personal response 
rather than a corporate response to why I think there is a lack 
of understanding of seal programs on the part of people who are 
in business, not on the consumer end. On the consumer end, we 
have the branding problem, and we all know that consumer 
branding of anything takes time and money and effort and 
certainly the seal programs are working toward that.
    From the other perspective of businesses, it is hard to 
know which seal might be relevant. And then it is: Can I 
actually participate? Because there is a cost involved to the 
web site owner and if they are a very small organization they 
may deem that joining a seal program is not something they 
could do at some point--at this point.
    Mr. Tauzin. But if legislation provided safe harbor from 
government regulation if you were sealed properly, that would 
help, wouldn't it?
    Ms. Cady. That would solve the branding problems.
    Mr. Tauzin. That is one of the things we are looking at 
that might help a great deal.
    Ms. Cady. On the issue of expanding protections, what 
Privada is working toward, quite frankly, is to not have to 
have you worry about a seal if you are a consumer, or not 
having to worry about knowing where the technology is. But what 
we are trying to do is build in down another layer so that it 
will be with you all the time. And so our vision is that 
privacy is provided for you by your financial service provider 
and/or your Internet service provider, and/or other service 
providers that are available to you and which you use and you 
use it in conjunction with the tools that you are already 
using, your current browser, your current e-mail clients so 
that you have that protection if you want, and it is available 
to you easily.
    Now, we again have a sales and branding and growth problem. 
So that we can't say to you that today, Mr. Chairman, we can do 
this for everyone in this room and everyone listening to this 
hearing, but that is certainly where we are going. Thank you.
    Mr. Tauzin. Mr. Shen, you wanted to add something.
    Mr. Shen. Yeah. I just want to add on to your earlier 
comments, Mr. Chairman. I think obviously what we are trying to 
address here are really the needs of the consumers; and I think 
consumers, while they have an appreciation for the fluidity, 
the dynamic nature of the Internet, really don't want that 
fluidity and dynamic nature to touch their personal 
information. They want guarantees.
    Mr. Tauzin. Let me tell you something about that. We have a 
hard time gauging what consumers really want in this area, and 
I will tell you why. We find this out in a lot of our political 
surveys. When you ask consumers questions about this, they 
often tell you what they think they should want rather than 
what they really want. They often answer these questions with 
``I am supposed to want to protect my privacy,'' as opposed to 
``Yeah, I will take all these efforts to go operate all these 
consents and these opt-in and opt-outs.''
    What they really want is comfort, ease. They want to be 
able to use these systems with some credit confidence but also 
with ease, and user friendliness is a huge consumer desire we 
are finding in our meetings and town hall meetings and 
discussions and everything else about this.
    When you really pin people down they say, yes, I want my 
privacy protected and protected at all costs. But they also 
tell you, when you really get away from any kind of public 
surveys where they are answering what they think you want them 
to say, what they say is they really want this to be easy. I 
don't want all this trouble. I don't want to have to work too 
hard to use these systems. I don't want to have work too hard 
to access, for example, credit or to access the store that 
sells me what I want on the web and to get the information I 
want; and I am willing to take some risk to do that.
    But if you can make it, you know, reasonably secure for me, 
reasonably, you know, comfortable that I am not going to get 
burned on this, if you make it easy, I am pretty happy. That is 
what we are hearing. It is a real tension.
    So it is hard to understand what consumers really want in 
the way of legislation and/or, you know, even regulation in 
this area. I hear you, and I know what you are saying. Because 
whenever we do surveys, privacy, No. 1, everybody wants it 
protected at all costs.
    But then when you really get down to it they say, ``Yeah, I 
really want my kids to go and visit those good web sites'' and 
``Yeah, I really want the advertisers to know enough about me 
to target ads for my taste and my wants and my desires'' and 
``Yeah, I don't want to have to read big notices and I don't 
really want to have decide which seal is a good seal and which 
program is a good program.'' I mean, we get real conflicting 
signals about this stuff. As much as we think we understand it, 
we constantly realize we don't.
    The other thing I want to get into with you is the question 
of bankruptcies, mergers, acquisitions, change of leadership. 
Here we are collecting data. I may indeed agree that your 
company, your web site, can collect all my data because I trust 
you with it. I trust you are going to manage it well. But next 
week you die. Somebody else takes over the company. Next week 
the company merges with another company.
    You mentioned merging personally identifiable data with 
nonpersonally identifiable data problems, but you have got a 
range of issues here, not just bankruptcy but issues where we 
change the management of the company, the stockholders may 
change, I may merge, I may sell the company, all sorts of 
different ways in which different people come in to control how 
the information I trusted with a certain group of people or a 
company that I trusted only to find out that company is a new 
company tomorrow because it merged or it was acquired or 
because it went bankrupt and was selling all its assets, 
including my information.
    There are all sorts of different scenarios you can paint 
where information I thought was secure with this group of 
people in this company brand name that I trusted is all of a 
sudden now potentially under somebody else's control. How do we 
deal with that? Anybody.
    Ms. Aftab. Mr. Chairman, I will put my bankruptcy 
practitioner hat on because, before I started doing Internet 
law, I used to do Chapter 11 bankruptcies. There is a problem 
here in that there is a tension between the bankruptcy laws, 
which try to maximize the value of any asset of a company and 
the ability of a trustee or the debtor in possession, and the 
bankruptcy court to permit any contract to be modified. So that 
you can say it will never happen, but under the bankruptcy law 
and under policy you can move all those things around.
    Mr. Tauzin. But I mean we are talking about dot com 
companies now. Dot com companies, the physical assets very 
often are much less valuable than the information assets, the 
intangible assets. In fact, there is a huge debate over how to 
properly assess the value of a company and how do you measure 
intangible assets. As you know, FASB has got a big debate on 
its hands. We have engaged them on that very question.
    But the point is that in dot com companies the information 
base is the asset, and if we say as a matter of law that 
because you collected that on a confidential basis with your 
consumer base that you can't ever transfer your company with 
that asset, you are basically devaluing that company 
significantly in commerce, are you not?
    Ms. Aftab. You absolutely are, Mr. Chairman. I think that 
is part of the tension, and part of what can be done is people 
can actually reach out to members of that list through e-mail 
and say we are moving this or this list is up, not an answer, 
certainly not an answer, but something that at least will raise 
additional questions.
    Mr. Tauzin. It is something we may have to address, right? 
Because it gets down to whether or not--in this case, the 
rights of the consumer is a matter of contract or we make it a 
matter of law, and if we take it from whatever the contract 
provided, whatever agreement I had with the company, we start 
making law on it, it could dramatically affect the value of dot 
com companies, the way in which dot companies are financed and 
the way the stock performs and everything about them. It could 
dramatically affect the whole dot com economy.
    Mr. Chiang. Well, Mr. Chairman, with regulating this facet 
of, let us say, the sale of information of the company, can't 
we look toward where--previous legislation where when two banks 
merged and one person's ATM fee is $1.20, another person's ATM 
fee is $1.25, where you have maybe not just one e-mail 
notification but maybe a statement update or a card member 
services agreement update where you maybe don't just send one 
e-mail, maybe a series of three e-mails.
    Mr. Tauzin. But let us say I have a privacy policy at my 
bank that I will not sell or transfer your private financial 
information to anyone else, but now I go bankrupt and my bank 
is being sold and somebody else acquires it. Is the asset--my 
financial information--an asset of that company that can be 
transferred even though I have a contractual relationship with 
a bank that it not be shared with anyone else? Get my drift? 
These are weird questions.
    Mr. Chiang. Right. Previously, I think that is why if the 
FTC were given the regulatory authority--and I am not, you 
know, financially supported from them in that MoneyForMail is 
its own for-profit corporation. But in that instance where then 
the FTC can say in the specific example, the case study where I 
think a company called Toysmart went out of business----
    Mr. Tauzin. That is the one we are talking about. That case 
was built because, obviously, it went out of business. But the 
point I make is I can envision 12 different scenarios where the 
ownership, control of that information changes hands, not just 
through bankruptcy. We could have a major shake-up at the 
corporation, all the board of directors get fired and a new 
management team is brought in. Effectively, that is a new 
company now in control of my information.
    Did I want that team to have my private information? Maybe 
people I don't trust. Maybe, you know, if a foreign entity 
moves in and I may have some problem with that. I might have--
you know, we have got an entity seeking to buy a company in 
America that is government-owned right now. We are having a big 
discussion about that. Suppose that entity has private 
information? Now a foreign government is going to have 
information about me that maybe I didn't want a foreign 
government to know.
    You get my drift. There are many scenarios affecting the 
collection and the use of private information by companies in 
this changing marketplace that we need to think about, and we 
are going to need some help in figuring all that out.
    Mr. Chiang. I think previously with the property question 
issue that was I think two panels ago, where who owns the data, 
it is shared data between the corporation and also the 
personal----
    Mr. Tauzin. Let us get away from the Internet. How do they 
work in the brick and mortar?
    Mr. Chiang. I think what is going to happen is that the 
Internet is causing a catalyst where in America it is very 
inexpensive to send out a piece of direct mail. I mean, if 
anybody goes home today and looks at how many credit card 
inserts that you are going to have, it is probably between 10 
to 15. It is not price constrained. It is just logistics 
constrained--not even logistics constrained, but just----
    Well, getting back to the point where I think what is going 
to happen with the Internet, it is going to cause people to 
say, hey, well, don't I also then control other pieces of data 
that is compiled and collected on me, not just Internet data 
where I like to purchase these specific toys that are racing-
oriented toys? Then what about credit data pieces? Don't I also 
control my own credit data? I mean, where everyone's talking 
about notice and choice and access--I mean, today I don't have 
access to my own credit report, and I work in the credit 
industry, and I do not have access unless I pay $8. That is 
going to catalyze some of the questions that I think are going 
to happen in the industry which is, who does control it? Is it 
shared control of the information?
    Mr. Tauzin. We have never settled all that, have we, about 
who owns the information about me and doesn't it have a lot to 
do with how you obtained it? I mean, you can observe me in this 
room and gather a lot of information about me, and so you are 
obtaining it in a public sense. How it is obtained may have 
something to do with whether or not we protect it in the 
person, we allow it to be in the public domain or publicly used 
or publicly traded. I don't know. But some interesting thoughts 
that we are going to have to have and some interesting 
discussions.
    Mr. Shen, you look very thoughtful.
    Mr. Shen. You obviously bring up a lot of very interesting 
issues, basically why I like working on this issue as well. We 
are confronting new sort of conflicts, things that we have--
tensions between bankruptcy, the need to try to satisfy 
creditors and also the need to protect consumer privacy.
    I think, sort of adding on to what people have already 
said, there is no reason I think why most American companies 
cannot contact their customers if they are going to be bought 
or merged or acquired in some fashion. The Internet is 
interactive. It supposed to facilitate that sort of contact and 
communication.
    I think, with all due respect to your earlier point, what 
happens in the off-line world is something we do have to go 
back and address. I think in the off-line world there is 
obviously not a great deal of protection for personal 
information in a bankruptcy proceeding. Is there a reason to go 
back and see if we want to reopen that issue? I definitely 
think so.
    Mr. Tauzin. The reason I raised the issue--if we get away 
from the Internet, take ourselves back in time a bit. If I have 
a little country store in Thibodaux, Louisiana, where I was 
born and raised, and I have a customer base that I have been 
selling to and I decide to sell out, I sell that information--
we sold that information to the next guy that bought the store, 
and nobody complained. What is different about the Internet 
that makes us want to complain? What was it--Toys.Com, why was 
that such--whatever it was--why was that such a scary thing 
when that happened in the brick and mortar world with such 
frequency?
    Mr. Shen. Well, I think one possible answer--and that is 
not a complete answer--is that the information collection on 
the Internet is much deeper than it has ever been before. 
Perhaps if you had owned a small business in Louisiana with 
information about a person's name, maybe their mailing address 
in case you wanted to send a receipt to them. On the Internet 
you create profiles like this gentleman does right next to me. 
You create information, records about what they have been doing 
on-line across thousands and hundreds of web sites. I think 
that is at least one reason----
    Mr. Tauzin. Is part of it the fact that we all know that 
little store owner in town and we probably know the person who 
is buying the store but we don't know all these people on the 
web?
    Mr. Griffiths. Right. And it is important what the original 
premise was of the collection and that original relationship. I 
think if the party down the line meets and supports the 
original premises of collection, it will be used for this 
purpose and contact in this way, then it is seamless. If they 
dramatically change the premise under which they are 
contacting, then it is scary.
    Ms. Aftab. I think also in the Toysmart case there were 
children involved and I think there is this fear that parents 
have and knowledge that they have that their 8-year-olds know 
more than they do about what is going on with the computer and 
the Internet.
    Mr. Tauzin. And they do.
    Ms. Aftab. They absolutely do. If you have to have 
something fixed, you call the 8-year-old. But in this case, 
children were sharing information at the site, and the concern 
about the parents not even knowing what the kids may have 
shared and that now being sold to third parties is what had 
frightened people.
    Mr. Tauzin. When we were growing up, my parents used to be 
afraid of what we would tell our teachers about our parents.
    Ms. Aftab. That is it. And the most we had was the Birthday 
Club at Howard Johnsons.
    Mr. Tauzin. Now, we can tell people we totally don't know 
about anything. It is a totally different world.
    We could keep this going a long time, and we probably will 
before we come to some conclusions, but I will invite you to do 
several things.
    No. 1, the record stays open for 30 days. If something we 
have said here or something you have heard here has provoked 
some good thought and some good comment from you, please submit 
some more information to us.
    As I said, this is an extraordinary learning process. Mr. 
Shen, you are right. It is one reason I love this work, too, 
because it is extraordinarily fascinating; and I don't know 
where it all comes out yet. I do know that we have got enormous 
tensions here, and you have heard from a lot of members how we 
need to proceed very judiciously here and carefully here 
because, obviously, we can make some rules that don't work. We 
can do like that bank. We can impose some conditions on people 
that we think people want only to find out not only they don't 
want it but it didn't work very well for them.
    Finally, we obviously need some real-world thought and 
experience from those of you working with consumers to try and 
find solutions that work for them.
    The record will stay open. We may have some questions we 
may want to submit to one or two of you.
    I apologize for the lack of members here. That is the 
reason why I have always hated second and third panels because 
the members all leave and I am the only one left with you, but 
it has been a good experience for me. I have learned a lot, and 
we will try to make sure other members pick up your material 
and read it and learn from it as well. Thank you very much.
    If you have got something final you want to tell me, this 
is a good chance.
    Ms. Aftab. I would like on behalf of the entire panel to 
offer all of our continuing expertise to anyone who is willing 
to listen.
    Mr. Tauzin. Thanks so much.
    The hearing stands adjourned.
    [Whereupon, at 2:50 p.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]
      Prepared Statement of Hon. Dick Armey, House Majority Leader
    I would like to thank the Chairman, Ranking Member and the 
Committee for inviting me to testify today. Internet privacy is an 
important subject, and one that deserves our full attention.
    And since we're talking today about the government's online privacy 
standards, we need to be doubly vigilant.
    The government collects and stores vast amounts of personal 
information on you and me. The IRS knows how much you make, who you 
work for, and where you live. And the Department of Health and Human 
Services has access to many of your personal medical records.
    You are required to give this information to the government. You 
have no choice. But you don't have to use a commercial website if you 
feel it has a bad privacy policy. And which worries you more? The IRS 
accidentally disclosing your personal financial information, or a 
website knowing how many books you purchase each year?
    That's why the government must be held to absolutely the highest 
privacy standard. There is no excuse for anything less.
    And that's why I was quite surprised when the GAO discovered that 
the government failed to meet the Federal Trade Commission's own 
criteria for online privacy. They didn't just fail, they failed big 
time. A mere 3 percent of the agencies surveyed lived up to the 
proposed standards. And the FTC wasn't even on the list of agencies 
that passed. They failed to meet their own criteria.
    So when I hear administration or FTC officials talking about 
privacy, I can't help but think: Doctor, heal thyself.
    There is more evidence of a certain cavalier attitude toward 
personal privacy on the part of the administration. A privacy watchdog 
group known as Privacilla recently issued a report last week that shows 
the White House and other administration websites violate the Child 
Online Privacy Protection Act.
    Rep. Terry Everett and his subcommittee found that the Veterans' 
Administration computer system was so insecure that any 12-year-old 
hacker with limited skills could ``own'' the system and call up 
confidential medical records at will. And that's after the VA has spent 
over 5 billion dollars upgrading their computer systems.
    Without proper security, there can be no privacy. Recently, Rep. 
Steve Horn gave the government as a whole a ``D-'' for its computer 
security efforts. But, even worse, several agencies such as the 
Departments of Health and Human Services, Justice and Labor that 
collect a lot of personal information failed completely.
    Further, just three weeks ago the Department of Justice posted on 
its website a report about the review of its controversial 
``Carnivore'' Internet cybersnooping system. But there was a problem--
the agency didn't bother to adequately protect the personal information 
about the researchers involved in the study.
    The clear message from all this seems to be: we need to get our own 
house in order.
    Now, I have read many administration officials complain to the 
media that applying FTC rules to the government is unfair. They say 
it's like comparing apples and oranges. I don't think so. I say that we 
need results, not excuses.
    When the FTC first began measuring private sector websites with its 
``Fair Information Practice Principles,'' it was a ``pop quiz.'' It 
never gave advance notice to the companies that were checked. And I 
seriously doubt that the FTC would have let a commercial website get 
away with the excuse they were just ``complying with the spirit of the 
FTC rules.'' Our GAO study was not a pop quiz. The government knew in 
advance the criteria by which they would be graded. And, in fact, the 
FTC was unable to meet its own criteria. There's no excuse for that.
    Others in the administration have pointed to the Privacy Act as the 
reason why they failed to provide ``notice'' to website visitors. But 
the whole point of a privacy policy is to disclose to visitors what 
your policies are. How many people actually understand the laws and 
guidelines governing government websites? Just because you can find 
guidelines in the Code of Federal Regulations doesn't mean you 
shouldn't post this information for website visitors in plain English.
    It's entirely fair to see whether the administration can live up to 
the standards that they are trying to impose on everyone else. 
Government should live by the same rules it imposes on everyone else.
    I was pleased to read Commerce Secretary Norman Mineta quoted as 
saying that he intends to make his agency's website adhere to the 
proposed FTC standard. So the claims that the government just can't 
meet these standards rings hollow.
    The GAO report certainly has raised questions about the standards. 
And it certainly is interesting that several Administration officials 
have begun to point out deficiencies in the FTC criteria in light of 
the GAO report. None of these individuals spoke up when the FTC was 
using the same criteria to beat up on the private sector.
    With this in mind, I think the FTC guidelines on privacy bear re-
examination. Because I wonder how well a government that has this kind 
of a performance can presume to police the private sector on privacy.
    Either the FTC standards are the correct measure of online 
privacy--in which case the federal government is an absolute privacy 
disaster; or, they are not the correct criteria, and the FTC should not 
be asking Congress to impose them on the private sector. It's one or 
the other.
    That is, in fact, the main reason we asked GAO to perform this 
study. We are learning more about what it means to have principles 
governing website privacy. And we need to keep asking these sorts of 
questions before we assume we have all the right answers.
    Make no mistake--the government's privacy failures should not be 
construed as an excuse for the private sector. Obviously private 
websites should observe good privacy habits. A few bad apples shouldn't 
be used as an excuse for the government to jump in and regulate the 
Internet. So long as the private sector continues to do a much better 
job than the government, and continues to improve its own practices, we 
should restrain the instinct to interfere with the Internet.

