[Senate Hearing 106-815]
[From the U.S. Government Publishing Office]
S. Hrg. 106-815
PRIVACY IN THE DIGITAL AGE: DISCUSSION OF ISSUES SURROUNDING THE
INTERNET
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
on
PRIVACY ISSUES SURROUNDING THE INTERNET, FOCUSING ON INTERNET INDUSTRY
POLICY, SECURITY, DATA PROTECTION, LAW ENFORCEMENT, TECHNOLOGY
DEVELOPMENT, AND ELECTRONIC COMMERCE
__________
APRIL 21, 1999
__________
Serial No. J-106-19
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
68-199 CC WASHINGTON : 2001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina
CHARLES E. GRASSLEY, Iowa
ARLEN SPECTER, Pennsylvania
JON KYL, Arizona
MIKE DeWINE, Ohio
JOHN ASHCROFT, Missouri
SPENCER ABRAHAM, Michigan
JEFF SESSIONS, Alabama
BOB SMITH, New Hampshire

PATRICK J. LEAHY, Vermont
EDWARD M. KENNEDY, Massachusetts
JOSEPH R. BIDEN, Jr., Delaware
HERBERT KOHL, Wisconsin
DIANNE FEINSTEIN, California
RUSSELL D. FEINGOLD, Wisconsin
ROBERT G. TORRICELLI, New Jersey
CHARLES E. SCHUMER, New York
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Hatch, Hon. Orrin G., U.S. Senator from the State of Utah........ 1
Kohl, Hon. Herbert, U.S. Senator from the State of Wisconsin..... 3, 4
Leahy, Hon. Patrick J., U.S. Senator from the State of Vermont...16, 18
CHRONOLOGICAL LIST OF WITNESSES
Panel consisting of Katherine Borsecnik, senior vice president,
Strategic Businesses, America Online, Inc., Dulles, VA; Michael
Sheridan, vice president, Strategic Businesses, Novell, Inc.,
Orem, UT; Irving Wladawsky-Berger, general manager, Internet
Division, IBM Corp., Washington, DC; Jerry Berman, executive
director, Center For Democracy and Technology, Washington, DC;
Russell T. Bodoff, senior vice president and chief operating
officer, BBBOnline, Inc., Arlington, VA; and Gregory Fischbach,
chairman and chief executive officer, Acclaim Entertainment,
Glen Cove, NY.................................................. 7
ALPHABETICAL LIST AND MATERIALS SUBMITTED
Berman, Jerry:
Testimony.................................................... 65
Prepared statement........................................... 67
Bodoff, Russell T.:
Testimony.................................................... 71
Prepared statement........................................... 73
Appendix: BBBOnline Privacy Programs, Compliance
Assessment Questionnaires and Flow Charts.............. 79
Borsecnik, Katherine:
Testimony.................................................... 7
Prepared statement........................................... 9
AOL's Certified Merchants Program....................... 13
Fischbach, Gregory:
Testimony.................................................... 171
Prepared statement........................................... 172
Sheridan, Michael:
Testimony.................................................... 20
Prepared statement........................................... 21
Wladawsky-Berger, Irving:
Testimony.................................................... 25
Prepared statement........................................... 26
Exhibits: IBM's Privacy Practices on the Web............. 34
OPA Whitepaper: Online Consumer Data Privacy in the
United States.......................................... 48
APPENDIX
Additional Submissions for the Record
Letter to Senators Hatch, Feinstein and Leahy, accompanied by
AOL's Terms of Service (which includes the AOL Member
Agreement, the AOL Community Guidelines, and the AOL Privacy
Policy), as well as a copy of AOL's guidelines for using
``parental controls'' to protect children online, submitted by
Jill Lesser, vice president Domestic Public Policy, America
Online, Inc., dated April 23, 1999............................. 207
PRIVACY IN THE DIGITAL AGE: DISCUSSION OF ISSUES SURROUNDING THE
INTERNET
----------
WEDNESDAY, APRIL 21, 1999
U.S. Senate,
Committee on the Judiciary,
Washington, DC.
The committee met, pursuant to notice, at 10:03 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Orrin G.
Hatch (chairman of the committee) presiding.
Also present: Senators Thurmond, Leahy, Kohl, Feinstein,
and Schumer.
OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM
THE STATE OF UTAH
The Chairman. Good morning, and welcome to today's hearing
addressing the important and increasingly complicated issue of
privacy on the Internet.
It has been no secret that throughout my career in the U.S.
Senate, I have advocated and sought policies that encourage and
foster the development of new and better technologies. Included
among them are medical technologies that help to improve the
health of Americans and information technologies that bring
distance learning to many who live in rural areas in Utah and
across the Nation. The Internet's explosive growth promises to
impact every aspect of our daily life, as it provides the
public with useful and often vital information and literary
content immediately at the mere click of a mouse.
Internet technology will play an important role in
educating the population through distance learning and through
the general delivery of information. The Internet will also
continue to play an increasingly larger role in our daily
entertainment, whether it is through the delivery of movies and
music over the Internet or through the ability to play video
games with a network of literally millions of players across
the globe.
During the last session of Congress, I worked with my
colleagues on this committee in a bipartisan manner to act on a
number of matters aimed at fostering the growth of the Internet
and promoting a competitive environment in this new digital
environment.
First, this committee won passage of the Digital Millennium
Copyright Act, which put in place the most significant
revisions to the U.S. copyright law since the enactment of the
1976 Copyright Act. I consider that one of the most important
bills of the whole last session.
Second, the Judiciary Committee initiated the still
ongoing, thorough public examination of important issues
affecting competition and innovation in the digital
marketplace. In addition, the committee also provided
legislative assistance to industry in our national effort to
prepare for the Y2K problem by crafting and passing legislation
to allow businesses and local governments to share Y2K
remediation information with limited fear of liability.
During this session of Congress, I intend to continue
working on legislative and oversight efforts that address new
policy changes of the Internet and the new digital revolution.
Today's hearing is the first this committee has held on the
issue of consumer privacy on the Internet. Given the complex
nature of this issue and all of the various policy
considerations involved, I do not expect this to be our last
hearing on this issue.
Any revolutionary, paradigm-shifting technology presents
government with new and significant policy changes and
challenges. The Internet is no exception. I recently read that
earlier in this century there were concerns about the sale of
automobiles to the public as it provided crooks with a tool to
escape the police. Luckily, we found a way to address this
automobile ``concern.'' It is my hope that we can do the same
for any concerns that surround the Internet.
As Americans spend more of their lives on the Internet,
they are more concerned about the ability of Web sites, both
government and commercial, to track their ``digital steps.''
There is no question that in order for the Internet to reach
its maximum potential as a viable avenue for transacting
commerce, consumers must be assured that personally
identifiable information that is collected online is afforded
adequate levels of protection. But the question remains how do
we best do that. How do we do it without chilling the
development of new technologies or the expansion of the
marketplace?
There have already been over 50 legislative proposals
offered this session addressing privacy. I have been skeptical
of most proposals to date, as they require increased regulation
of the Internet by government. As I have expressed in the past,
we must be careful not to stymie the growth of new technologies
with broad government regulations.
The purpose of today's hearing is two-fold. First, it is
intended to educate the public and the members of this
committee about what the privacy issues are that surround
consumer use of the Internet and what industry is doing to
correct these problems.
Second, it will allow us to begin a dialogue with those
with an interest in the privacy issue in order to develop a
meaningful and balanced policy that takes into consideration
the needs of consumers, law enforcement and industry, one that
would ensure continued technology development in this important
area and that ensures electronic commerce is able to reach its
full potential.
Now, I believe that it is in the best interests of the
industry to develop meaningful privacy policies and to provide
adequate protections for consumer privacy. After all,
individual consumers will demand that the electronic
marketplace provide adequate and effective privacy protections.
Indeed, I have been very encouraged to see, in over the
past 6 months, the development of a productive and meaningful
effort by industry to ensure such privacy protection. We will
hear testimony from some of those involved in that effort
today. However, I am still concerned about reports that there
might still remain certain fringe operators of Web sites who
might not abide by the standards that the industry has set for
itself. Any successful self-regulatory model needs to have
adequate resources to enforce the rules that it sets for
itself.
To date, the discussions surrounding Internet privacy have
revolved around two mutually exclusive models as possible
solutions to this issue. The first, advocated by certain
consumer rights groups, would give government regulatory bodies
the authority to regulate conduct on the Internet. And the
second, advocated by most members of the industry, would
entrust the industry to regulate itself without any role for
the government. For the past several months, I have been
examining different self-enforcement systems that have proven
successful in other industries and that might serve as a useful
model for the protection of privacy on the Internet.
I believe we should explore whether another solution
exists, one that aims to respect both the need to foster
continued growth of the electronic marketplace and the need to
enforce any rules for the protection of consumer privacy. I
hope we could develop a solution that respects this dynamic and
diverse Internet industry, a solution that would give the
industry appropriate power to establish a code of conduct for
its online presence, while providing for a limited and proper
government oversight role, which, frankly, given the interest
received to date in Congress, appears inevitable. This solution
possibly could be based on the self-regulatory, quasi-
governmental model successfully employed in the securities
industry.
Now, I know that can bring a chill over anybody's body in
just a few seconds, when you look at how bureaucratically over-
regulated in some respects the securities industry is. Yet,
still, we have probably the most effective securities industry
regulations of any nation and of history itself.
As we continue to examine this issue, I invite any
interested person or persons to work with me and other members
of this committee to develop a reasonable policy for Internet
privacy, one that provides adequate privacy protections for
consumers, and at the same time allows the industry to regulate
itself in a manner that would allow them to bring new
innovations to the marketplace. So I am hopeful that we can do
that.
Herb, shall we turn to you at this time to represent the
minority?
STATEMENT OF HON. HERBERT KOHL, A U.S. SENATOR FROM THE STATE
OF WISCONSIN
Senator Kohl. Thank you, Mr. Chairman. I would like to
commend you for holding this hearing today on the very critical
issue of privacy, which is enormously important in the
information age that we live in. Public worry over privacy is
real. A recent survey found that 92 percent of consumers are
``concerned'' about threats to their personal privacy, and that
is a startling figure.
Today, new technologies, including the Internet, facilitate
the free flow of vast quantities of information around the
world. The benefit of this technology is both real and
tangible. But as with many other things, there is a downside,
especially when this technology allows sensitive personal
information, such as medical and credit histories, to be
collected and often used by third parties.
Not even the local supermarket is insulated from the
information age. Nowadays, stores issue cards that can track
information regarding customer purchases right at the check-out
counter. Granted, these cards are helpful to consumers who want
discounts, but they are not so convenient when the cashier
notifies folks in the check-out line that you need to refill
your prescription of Prozac.
In much the same way, the Internet can track and store
personal data and preferences, oftentimes without the consumer
even knowing it. When this information is then shopped around
for a profit, privacy is lost and the problems begin.
Certainly, self-regulation is preferable to government
regulation, and many in the computer industry have made
important strides in this direction. However, striking the
right balance between access to information and protection of
personal privacy is a complicated matter. While these hearings
will help, it is not clear that Congress is equipped to look at
this issue with the sort of altitude or distance necessary to
resolve these issues. Nor is it clear that the best actors in
the private sector will set the standards for the worst.
So, Mr. Chairman, to my mind the time has come to step back
and assess privacy concerns from a broader perspective. With
Senator DeWine, I am considering legislation to create a
privacy study commission which would provide us with a
comprehensive overview of the privacy issues we need to focus
on today and suggestions of how to ensure privacy tomorrow.
This is not a new idea. In fact, 25 years ago a Privacy
Study Commission was established by the Privacy Act of 1974.
The work of that commission is legendary. It led to laws
protecting financial privacy and credit reporting. But times
and technology have changed. In light of the new privacy
challenges facing us today and into the next century, which are
of a vastly greater magnitude, we need to once again consider a
commission approach.
That said, Mr. Chairman, I applaud you and Senator Leahy
for holding this important hearing, and I look forward to
working with you in the future to address the real privacy
concerns of all Americans.
Thank you.
The Chairman. Well, thank you, Senator Kohl. We appreciate
it.
[The prepared statement of Senator Kohl follows:]
Prepared Statement of Senator Herbert Kohl
Thank you Mr. Chairman. I would like to commend you for holding
this hearing today on the very critical issue of privacy--which is
enormously important in the ``information age'' of today. Public worry
over privacy is real. A recent survey found that 92 percent of
consumers are ``concerned'' about threats to their personal privacy--
that's a startling figure. Another poll reported that 83 percent
believe they no longer have control over how companies collect and use
their personal information. No wonder that privacy has caught our
attention.
Today, new technologies, including the Internet, facilitate the
free flow of vast quantities of information around the world. We've
heard time and time again about the benefits of this ``Internet
Revolution,'' and these benefits are both real and tangible. But, as
with many things, there is a downside. For example, newer and faster
computers make it easier than ever to retrieve medical information in
an emergency; but, this technology also allows potentially sensitive
personal information, such as medical and credit histories, to be
collected and often used by third parties.
Not even the local supermarket is insulated from the information
age. Nowadays, stores issue cards that can track information regarding
customer purchases right at the checkout counter. Granted, these cards
are helpful to consumers who want discounts. But they are not so
convenient when the cashier notifies folks in the checkout line that
you need to refill your prescription for Prozac. [LAUGHTER]
In much the same way, the Internet can track and store personal
data and preferences, oftentimes without the consumer even knowing it.
When this information is then shopped around for a profit, privacy is
lost and the problems begin.
These are just some of the privacy concerns of Americans, and they
are not without consequence. Suspicions regarding Internet privacy, or
the lack thereof, have limited the growth of electronic commerce. Many
consumers hesitate to participate in on-line activities for fear of
having their personal data tracked and stored by unknown parties. There
is also the very real problem of harmonizing our privacy laws with the
generally stricter--and often less thoughtful--privacy laws of other
nations, most notably, the European Union.
Certainly, self-regulation is preferable to government regulation,
and many in the computer industry have made important strides in this
direction. However, striking the right balance between access to
information and protection of personal privacy is a complicated matter.
While these hearings will help, it is not clear that Congress is
equipped to look at this issue with a sort of ``altitude'' or
``distance'' necessary to resolve these issues. Nor is it clear to me
that the best actors in the private sector will set the standards for
the worst.
So Mr. Chairman, to my mind the time has come to step back and
assess privacy concerns from a broader perspective. With Senator
DeWine, I am considering legislation to create a Privacy Study
Commission, which would provide us with a comprehensive overview of the
privacy issues we need to focus on today, and suggestions of how to
ensure privacy tomorrow.
This is not a new idea. In fact, twenty-five years ago a Privacy
Study Commission was established by the Privacy Act of 1974. The work
of that Commission is legendary--it led to laws protecting financial
privacy and credit reporting. But times and technology have changed. In
light of the new privacy challenges facing us today and into the next
century--which are of a vastly greater magnitude--we need to once again
consider a Commission approach.
That said Mr. Chairman, I applaud you and Senator Leahy for holding
this important hearing, and I look forward to working with all of you
in the future to address the very real privacy concerns of all
Americans. Thank you.
The Chairman. Senator Leahy is going to be here. So when he
arrives, I will probably interrupt to permit him to make
whatever statement he desires.
In order to achieve today's dual goal of educating the
public and the members of this committee on Internet privacy
issues, we are fortunate to have with us six experts in the
field of Internet privacy and technology who will testify
today.
We will first hear from Ms. Katherine Borsecnik, Senior
Vice President of Strategic Businesses at America Online. Ms.
Borsecnik has been with AOL for more than 7 years and has
played an integral role in developing and implementing AOL's
online privacy and safety policies. We are delighted to have
you here.
Then we will hear from Mr. Michael Sheridan, Vice President
for Strategic Businesses at Novell, headquartered in my home
State of Utah. Prior to joining Novell, Mr. Sheridan previously
worked at Sun Microsystems, where he was co-creator of the
computer programming language Java. Mr. Sheridan is one of the
developers of Novell's recently announced digitalme technology.
Are you living in Utah, Michael, or are you down in
California?
Mr. Sheridan. I am actually out here.
The Chairman. You are out here?
Mr. Sheridan. Yes.
The Chairman. Also testifying today will be Dr. Irving
Wladawsky-Berger, General Manager of IBM's Internet Division.
Dr. Wladawsky-Berger has been affiliated with IBM since 1970
and is currently in charge of IBM's Internet and network
computing strategy, and is referred to at IBM as ``Dr.
Internet.'' I am not sure that that is good.
Mr. Wladawsky-Berger. I am not sure either. [Laughter.]
The Chairman. I would also like to note that Dr. Wladawsky-
Berger is a member of the President's Information Technology
Advisory Committee, or PITAC.
Then we will hear from Mr. Jerry Berman, Executive Director
of the Center for Democracy and Technology. As its mission
states, CDT works to promote democratic values and
constitutional liberties in the digital age. Mr. Berman has
worked tirelessly with free speech and privacy policy working
groups focusing on Internet policy issues.
We are certainly glad to have all of you here.
Next, we will hear testimony from Mr. Russell Bodoff,
Senior Vice President and Chief Operating Officer of BBBOnLine,
an independent subsidiary of the Council of Better Business
Bureaus. Mr. Bodoff is in charge of directing and supervising
the creation of BBBOnLine's new Privacy Seal Program, which we
are very interested to hear more about today.
Our final witness will be Mr. Greg Fischbach, Chairman and
CEO of Acclaim Entertainment, which develops and distributes
interactive entertainment software for the Internet and home
entertainment systems. Mr. Fischbach is also the Vice Chair of
the Board of Directors of the Interactive Digital Software
Association.
So we are really happy to have you here, Greg, Mr. Bodoff,
Mr. Berman, Mr. Wladawsky-Berger, Mr. Sheridan and Ms.
Borsecnik. We think this is a terrific panel and I am looking
forward to hearing what you have to say. I would like to thank
each of you for taking time out of your busy schedules and
appearing before the committee. We expect you, as experts, to
shed light on the issues inherent in the protection of privacy
on the Internet.
I feel confident that you share my view that Internet
privacy issues are too important not to be addressed, and that
growth of this new medium and its problems must be addressed
carefully. So I have looked forward to today's hearing as a
careful and considered first step toward opening a meaningful
dialogue between Congress and the interested public on the
issue of Internet privacy.
So with that, we will begin with you, Ms. Borsecnik, and we
will look forward to hearing what you have to say. I would like
you to limit your remarks to five minutes, if you can. I am not
going to be a stickler on that, but I would appreciate it if
you can because we do have some questions.
PANEL CONSISTING OF KATHERINE BORSECNIK, SENIOR VICE PRESIDENT,
STRATEGIC BUSINESSES, AMERICA ONLINE, INC., DULLES, VA; MICHAEL
SHERIDAN, VICE PRESIDENT, STRATEGIC BUSINESSES, NOVELL, INC.,
OREM, UT; IRVING WLADAWSKY-BERGER, GENERAL MANAGER, INTERNET
DIVISION, IBM CORP., WASHINGTON, DC; JERRY BERMAN, EXECUTIVE
DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC;
RUSSELL T. BODOFF, SENIOR VICE PRESIDENT AND CHIEF OPERATING
OFFICER, BBBONLINE, INC., ARLINGTON, VA; AND GREGORY FISCHBACH,
CHAIRMAN AND CHIEF EXECUTIVE OFFICER, ACCLAIM ENTERTAINMENT,
GLEN COVE, NY
STATEMENT OF KATHERINE BORSECNIK
Ms. Borsecnik. Thank you. I would like to thank you for the
opportunity to discuss online privacy with you here today. My
name is Katherine Borsecnik. I am Senior Vice President of
Strategic Businesses for America Online.
The online medium is quickly revolutionizing the way we
learn, communicate and do business. It impacts industries
fundamentally as diverse as booksellers to brokerage, and
offers consumers unprecedented convenience. Our customers can
sign onto AOL and instantaneously do research, send a letter,
find the best price on an airline ticket--tasks that just a few
short years ago would have taken them far more time.
But the technology of the Internet offers users even
something more unique--the ability to customize or personalize
their online experience. Consumers can communicate specific
preferences online that will allow them to receive services or
information that is targeted to their needs. For example, an
AOL member can set her online preferences to get the weather
forecast in her local area, to read news stories about her
professional interests, or to get a notice about the
availability of a new CD from her favorite musician.
But the power of the Internet can only be fully realized if
consumers feel very confident that their online privacy is
protected. For me, protecting my customers' privacy is
essential to earning their trust, without which I cannot
sustain a business. AOL learned this important lesson through
our own mistakes not too long ago when an AOL employee
wrongfully disclosed information to the government about a
member's screen name.
AOL has recognized that consumer trust is essential to
building our business and building the online medium, and we
have taken a number of important steps to create a privacy-
friendly environment for our customers. Building on the online
lessons we have learned, and from the information and opinions
we receive from our members on a daily basis, we have adopted
privacy policies that clearly explain to our users what
information we collect, why we collect it, and how they can
exercise choice about how that information is used.
We have based our policies on core principles that reflect
consumer needs and expectations. For example, we never read
members' private e-mail. We will not disclose to anyone any
information about where a member goes online, and we will not
give out a member's phone number, screen name, or credit card
information unless he expressly agrees.
We give consumers clear choices about how their personal
information is used, and we make sure that our members are
well-informed about what those choices are. For example, if a
customer decides that he does not want to receive targeted
marketing materials from us, all he needs to do is check a box
online that tells us not to send him such information.
We also make sure that our policies are well-understood and
implemented by our employees. We provide training about our
privacy policies and we require all employees to agree to abide
by our privacy policies as a condition of their employment at
America Online. We continually review state-of-the-art
technology to ensure that we use the most advanced technologies
to defend our customers' data security.
AOL takes extra steps to protect the safety and privacy of
children online. We do not collect personal information from
children without their parents' knowledge or consent. We have
created a secure environment for children, our Kids Only area,
and we carefully monitor all the activity in that area,
including chat rooms and message board posts, to ensure the
safest possible environment for children, and to ensure that a
child does not post personal information online that could
allow them to be identified or contacted offline. Furthermore,
America Online's parental controls technology enables parents
to safeguard their children online by allowing them to set
preferences and limits on who their children may talk to online
and where they may go and what they may see.
In addition to adopting and implementing our own policies,
AOL is committed to fostering best practices among our business
partners and industry colleagues. One of the strongest examples
of this effort is our Certified Merchant program, which
guarantees that our members will be protected and satisfied
when they are within the AOL environment. Through this program,
which currently includes over 150 of our merchant partners, we
offer a money-back guarantee to dispel consumer concerns about
shopping security and increased consumer trust in this powerful
new medium.
We believe that the more we are able to work with our
business partners and require high standards of them, the more
likely it is that these standards will become the marketplace
norm. In fact, we believe that the online industry as a whole
is taking positive steps toward protecting online privacy. To
strengthen industry's commitments to online privacy, AOL joined
with other companies and associations last year to form the
Online Privacy Alliance, which has grown to include more than
85 recognized industry leaders.
AOL believes that companies are responding to the
increasing marketplace demand for online privacy, and that the
tremendous growth of e-commerce reflects positive trends on a
variety of consumer issues, including privacy. In part, we
think that technology holds the key to ensuring a safe and
secure online environment. We believe it is critical for us to
provide the most sophisticated security technologies to our
customers so they can take steps to secure their own privacy.
That is why we continue to advocate the widespread availability
and use of strong encryption, both in this country and abroad.
Challenges that lie ahead will give us the opportunity to
prove that the industry and government can work together to
promote effective online privacy. But ultimately for me at the
end of the day, it is the consumer who will be the judge of our
efforts in these areas and whether they are adequate because no
matter how extraordinary the opportunities for electronic
commerce are, we know our business will fail if we cannot earn
the trust of our customers and meet the consumer demands for
privacy protection.
We at AOL are committed to doing our part in this effort.
Our consumers demand it, our business demands it, and we
appreciate the opportunity to discuss these important issues
with you and to work with you further on the issues of Internet
electronic commerce and privacy.
Thank you.
The Chairman. Thank you, Ms. Borsecnik. That was great.
[The prepared statement of Ms. Borsecnik follows:]
Prepared Statement of Katherine Borsecnik
Chairman Hatch, Senator Leahy, and Members of the Committee, I
would like to thank you, on behalf of America Online, for the
opportunity to discuss online privacy with you today. I am the Senior
Vice President for Strategic Businesses at AOL, and in that capacity a
significant amount of my work for the company is devoted to addressing
issues of online privacy, security, and data protection.
The online medium is quickly revolutionizing the way we learn,
communicate, and do business. People are migrating to the Internet to
meet their commerce and communications needs at an extraordinary rate
because it is convenient and fast, and offers an ever-growing selection
of information, goods and services. AOL subscribers can sign on to our
service and do research, shop for clothes, and buy airline tickets all
in a matter of minutes.
In addition, the online environment offers users unique benefits of
customization and personalization. Consumers can communicate specific
preferences online that will allow them to receive information targeted
to their own interests. For instance, AOL members can set their online
preferences to get the weather forecast for their own zip code, read
news stories about their own hometown, or receive notices about special
discounts on their favorite CDs. No other commercial or educational
medium has ever afforded such tremendous potential for personalization.
But the power of the Internet can only be fully realized if
consumers feel confident that their privacy is properly protected when
they take advantage of these benefits. We know very well that if
consumers do not feel secure online, they will not engage in online
commerce or communication--and without this confidence, our business
cannot grow. For AOL, therefore, protecting our members' privacy is
essential to earning their trust, and this trust is in turn essential
to building the online medium. We learned this important lesson through
our own mistakes not too long ago, when an AOL employee wrongly
revealed the screen name of one of our members to the government.
Recognizing the importance of this issue, AOL has taken a number of
steps to create an environment where our members can be certain that
their personal information and their choices regarding the use of that
information are being respected: from creating and implementing our own
privacy policies and educating our members about them, to promoting
best practices among our business partners, to engaging in self-
regulatory initiatives and enforcement mechanisms that will raise the
bar for all companies who do business online.
Setting an Example
Building on the lessons we have learned and the input we have
received from our members, we have created privacy policies that
clearly explain to our users what information we collect, why we
collect it, and how they can exercise choice about the use and
disclosure of that information. To that end, the AOL privacy policy is
organized around 8 core principles:
(1) We do not read your private online communications.
(2) We do not use any information about where you personally go on
AOL or the Web, and we do not give it out to others.
(3) We do not give out your telephone number, credit card
information or screen names, unless you authorize us to do so. And we
give you the opportunity to correct your personal contact and billing
information at any time.
(4) We may use information about the kinds of products you buy from
AOL to make other marketing offers to you, unless you tell us not to.
We do not give out this purchase data to others.
(5) We give you choices about how AOL uses your personal
information.
(6) We take extra steps to protect the safety and privacy of
children.
(7) We use secure technology, privacy protection controls and
restrictions on employee access in order to safeguard your personal
information.
(8) We will keep you informed, clearly and prominently, about what
we do with your personal information, and we will advise you if we
change our policy.
We give consumers clear choices about how their personal
information is used, and we make sure that our users are well informed
about what those choices are. For instance, if an AOL subscriber
decides that he does not want to receive any targeted marketing notices
from us based on his personal information or preferences, he can simply
check a box on our service that will let us know not to use his data
for this purpose. Because we know this issue is so critically important
to our members and users, we make every effort to ensure that our
privacy policies are clearly communicated to our customers from the
start of their online experience.
We also make sure that our policies are well understood and
properly implemented by our employees. We require all employees to sign
and agree to abide by our privacy policy, and we provide our managers
with training in how to ensure privacy compliance. We are committed to
using state-of-the-art technology to ensure that the choices
individuals make about their data online are honored.
Finally, we try to keep users informed about the steps they can
take to protect their own privacy online. For instance, we emphasize to
our members that they must be careful not to give out their personal
information unless they specifically know the entity or person with
whom they are dealing, and we encourage them to check to see whether
the sites they visit on the Web have posted privacy policies.
Protecting Children Online
AOL takes extra steps to protect the safety and privacy of children
online. One of our highest priorities has always been to ensure that
the children who use our service can enjoy a safe and rewarding online
experience, and we believe that privacy is a critical element of
children's online safety.
We have created a secure environment just for children--our ``Kids
Only'' area--where extra protections are in place to ensure that our
children are in the safest possible environment. In order to safeguard
kids' privacy, AOL does not collect personal information from children
without their parents' knowledge and consent, and we carefully monitor
all of the Kids Only chat rooms and message boards to make sure that a
child does not post personal information that could allow a stranger to
contact the child offline. Furthermore, through AOL's ``parental
controls,'' our members are able to protect their children's privacy by
setting strict limits on whom their children may interact with online.
Because of the unique concerns relating to child safety in the
online environment, AOL supported legislation in the 105th Congress to
set baseline standards for protecting kids' privacy online. We worked
with Senator Bryan, the FTC, and key industry and public interest
groups to help bring the Child Online Privacy Protection Act (COPPA) to
fruition last year. We believe the enactment of this bill was a major
step in the ongoing effort to make the Internet safe for children.
Fostering Best Practices
In addition to adopting and implementing our own policies, AOL is
committed to fostering best practices among our business partners and
industry colleagues. One of the strongest examples of this effort is
our ``Certified Merchant'' program, through which we work with our
business partners to guarantee our members the highest standards of
privacy and customer satisfaction when they are within the AOL
environment. AOL carefully selects the merchants we allow in the
program (currently there are 152 participants), and requires all
participants to adhere to strict consumer protection standards and
privacy policies. The Certified Merchant principles are posted clearly
in all of our online shopping areas, thereby ensuring that both
consumers and merchants have notice of the rules involved and the
details of the enforcement mechanisms, which help to foster consumer
trust and merchant responsiveness.
Here are the criteria that our merchants have to meet in order to
become certified and to display the America Online Seal of Approval
(some screen shots that show how these criteria appear to subscribers
on our service are attached to this testimony):
1. Post complete details of their Customer Service policies,
including: Contact Information, Shipping Information, Returns Policies,
and Money-Back Satisfaction Guarantee Information.
2. Receive and respond to e-mails within one business day of
receipt.
3. Monitor online store to minimize/eliminate out-of-stock
merchandise available.
4. Receive orders electronically to process orders within one
business day of receipt.
5. Provide the customer with an order confirmation within one
business day of receipt.
6. Deliver all merchandise in professional packaging. All packages
should arrive undamaged, well packed, and neat, barring any shipping
disasters.
7. Ship the displayed product at the price displayed without
substituting.
8. Agree to abide by AOL's privacy policy.
Through our Certified Merchant program, we commit to our members
that they will be satisfied with their online experience, and we have
developed a money-back guarantee program to dispel consumer concerns
about shopping online and increase consumer trust in this powerful new
medium. We believe that these high standards for consumer protection
and fair information practices will help bolster consumer confidence
and encourage our members to engage in electronic commerce.
Helping to Promote Industry Efforts
The online industry as a whole is taking positive steps toward
protecting consumer privacy. In fact, to improve industry's commitment
to online privacy, AOL joined with other companies and associations
last year to form the Online Privacy Alliance (OPA), a group dedicated
to promoting privacy online.
Since we began our efforts just a few months ago, the OPA has grown
to include more than 85 recognized industry leaders, and industry
efforts to protect consumer privacy online have blossomed. The OPA has
worked hard to develop a set of core privacy principles--centered
around the key concepts of notice, choice, data security, and access--
and its members are committed to posting and implementing privacy
policies that embody these principles. Furthermore, the OPA is
continuing to reach out to businesses nationwide to explain the
importance of protecting online privacy and posting meaningful privacy
policies.
We believe that the OPA member companies are setting a new standard
for online privacy, and that as consumers become more aware of the
choices available to them, the marketplace will begin to demand robust
privacy policies of all companies that do business online. But we also
understand the need for meaningful enforcement of self-regulation.
That's why we abide by the OPA requirement to participate in robust
enforcement mechanisms through our involvement in the TRUSTe and
BBBOnline privacy seal programs. We are key sponsors of both the TRUSTe
and BBBOnline privacy seal programs, and have worked closely with
industry representatives and members of the academic community to help
formulate strict standards for seal eligibility.
The Challenges Ahead
We believe that companies are responding to the increasing
marketplace demand for online privacy, and that the tremendous growth
of e-commerce reflects positive trends on a variety of consumer
protection issues, including privacy. But our work has only just begun.
As technology makes it easier for companies to collect and use personal
information, the adoption and implementation of robust privacy policies
will become even more important.
In part, we believe that technology holds the key to ensuring a
safe and secure online environment. As an online service provider, we
believe it is critical for us to be able to provide the most
sophisticated security technologies to our members so that they can
take steps to protect their own privacy online. That's why we will
continue to advocate the widespread availability and use of strong
encryption, both in this country and abroad.
The challenges that lie ahead will give us the chance to prove that
industry and government can work together to promote meaningful self-
regulation of online privacy. But ultimately, it is the consumer who
will be the judge of whether these efforts are adequate. Because no
matter how extraordinary the opportunities for electronic commerce may
be, the marketplace will fail if we cannot meet consumers' demands for
privacy protection and gain their trust.
We at AOL are committed to doing our part to protecting personal
privacy online. Our customers demand it, and our business requires it--
but most importantly, the growth and success of the online medium
depend on it. We appreciate the opportunity to discuss these important
issues before the Committee, and look forward to continuing to work
with you on other matters relating to the Internet and electronic
commerce.
[GRAPHIC] [TIFF OMITTED] T8199.001
[GRAPHIC] [TIFF OMITTED] T8199.002
[GRAPHIC] [TIFF OMITTED] T8199.003
The Chairman. Mr. Sheridan, before we turn to you, let me
turn to our Democrat leader on the committee for his statement.
Senator Leahy.
STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE
STATE OF VERMONT
Senator Leahy. Thank you, Mr. Chairman. As it often
happens, I am running between two different committees, and I
apologize for going back and forth because this is an area of
great interest to me.
I have told this story before. Since I have been in public
office, I have clipped and saved and actually framed only about
two news items about myself, and I will tell you about one of
the two just to give you an idea of why I think this issue is
so important.
I live on a dirt road in Vermont. Our nearest neighbors are
a mile or so in either direction. One of the neighbors, a
farmer, who has known me since I was a teenager, prompted a
whole article in the New York Times. An out-of-State car with
New York plates pulls up to the farmer. The reporter says, does
Senator Leahy live up this road? The farmer says, are you a
relative of his? The man says no. The farmer says, are you a
friend of his? The reporter says, well, not really. He says, is
he expecting you? The reporter says no. The farmer looks him
right in the eye and says, never heard of him. [Laughter.]
And I have often thought that probably reflects as much as
anything the sense of privacy we have in Vermont, and so I come
to this naturally.
The concern over privacy is reaching an all-time high. In
1978, 64 percent of Americans reported they were very concerned
or somewhat concerned about threats to their privacy. As Mr.
Berman knows, by 1998 this number had skyrocketed. According to
the Center for Social and Legal Research, 88 percent of
Americans reported being very or somewhat concerned about
threats to their personal privacy. So, Mr. Chairman, I thank
you and Senator Kohl and others for having this hearing.
Good privacy policies make good business policies. If you
have new technologies--and those on the panel know the new
technologies as well as anybody in this country--you know that
it brings new opportunities for business and consumers. But it
doesn't do any good if consumers hesitate to use a particular
technology because they are concerned about what it might do to
their privacy. That is why privacy policy is good business
policy.
Ensuring that we have adequate privacy laws has a more
significant and important role in our democracy than just
fostering high-tech businesses. We have to defend online
freedom from heavy-handed content regulation. The
Communications Decency Act in 1996 which was found
unconstitutional--I voted against that because of that.
Stopping efforts to create government censors is critical
to allow our First Amendment rights to flourish, but it is not
enough. For people to feel comfortable in exercising their
First Amendment rights, they have to be able to keep their
activities confidential and private. If Big Brother is
watching, then First Amendment rights are chilled as if
government is censoring it.
We have a long tradition of keeping our identities private.
The Federalist Papers, for example, the most important
political document written about our Constitution, was authored
anonymously initially by James Madison, John Jay and Alexander
Hamilton, and published under a pseudonym. The Supreme Court, I
believe, said ``anonymity is a shield from the tyranny of the
majority.''
The report that I released last month on Vermont Internet
commerce is telling on this point. The strongest obstacle among
consumers from shopping and doing business online was their
fear of the online security risk. This is important because in
my State, a rural State like mine, the commercial potential of
the Internet is enormous. We have seen businesses that are
using it--we have seen their businesses skyrocket, but it is
still held back by people who fear the security risks, right or
wrong. That is why promoting the use of encryption is so
important, so that businesses and consumers can use this
technology to provide the privacy and security they need.
I am going to introduce privacy legislation to ensure that
Americans' Fourth Amendment rights to be secure in their
persons, houses, papers and effects against unreasonable
government searches and seizures are given ample protection in
a networked computer environment. In addition, several
provisions of the bill will address the concern Americans have
about the use of their personally identifiable records and
information by businesses, satellite carriers, libraries and
book sellers.
Online businesses are engaging in serious efforts to make
available to consumers information on privacy policies, and I
commend and applaud those efforts. But in our current laws, we
don't apply privacy principles in an even-handed manner. Video
rental stores and cable operators are subject to privacy laws
to protect our rights to keep our viewing habits private, but
no protections exist for the books we borrow from the library
or buy from a bookstore, or the shows we watch via satellite.
We should have more privacy for that. For that matter, we
should have more privacy on our medical records, which can be
moved all over the country without any restrictions.
Telephone companies and cable operators are subject to
legal restrictions on how they may use personally identifiable
information about their Internet subscribers, but other
Internet and online service providers are not. The E-RIGHTS
bill I am introducing would promote a more level playing field
in terms of the privacy protections available to Internet
users, no matter whether they obtain their Internet access from
AOL, their cable company, or their local phone company.
So we have to look at a number of things. When should the
FBI be allowed to use cell phones to track a user's movements?
Should a Kosovo human rights organization that uses a Web site
to correct government misinformation be able to get a domain
name without having their names publicly available on a
database?
Should we allow Federal prosecutors to act like Special
Prosecutor Kenneth Starr did and go on fishing expeditions with
subpoenas issued to bookstores to find out what we are reading?
That was one of the most chilling things I ever saw, a
prosecutor going to a bookstore to find out what I was reading.
And this is not George Orwell; this is the United States of
America. I mean, of all of Mr. Starr's excesses, this was as
bad a one as any I saw.
Should we protect our choices of reading and viewing
materials the same way we protect our choice of videotapes that
we rent from our local Blockbuster? You may recall that when a
Supreme Court nominee was before this committee, somebody had
found out what videos he was renting. And Senator Alan Simpson
and I were so outraged by that, we introduced legislation
saying you can't go into the video stores to find out what they
are renting. That was probably the only thing that stopped Mr.
Starr on that. If you maintain your calendar on Yahoo,
shouldn't you get the same privacy protections as those who
keep their calendars on their desks or in their PCs' hard
drive?
So these are some of the questions. Mr. Chairman, I know we
have witnesses here, and you have been more than gracious with
the time. I will put the whole statement in the record, but
these are significant privacy issues--and I suspect that you
get people in Utah who are very concerned about their privacy,
and every State that is represented here. In the electronic
world, we have to be more concerned.
The Chairman. Thank you, Senator.
[The prepared statement of Senator Leahy follows:]
Prepared Statement of Senator Patrick Leahy
Concern over privacy is reaching an all-time high. In 1978, 64
percent of Americans reported that they were ``very concerned'' or
``somewhat concerned'' about threats to their personal privacy. By
1998, this number had skyrocketed. According to the Center for Social
and Legal Research, 88 percent of Americans reported being ``very'' or
``somewhat concerned'' about threats to their personal privacy. I am
pleased the Senate Judiciary Committee is taking this concern seriously
and beginning an examination of new Internet-related privacy issues.
Good Privacy Policies Make Good Business Policies
New technologies bring with them new opportunities, both for the
businesses that develop and market them, and for consumers. It does not
do anyone any good for consumers to hesitate to use any particular
technology because they have concerns over privacy. That is why I
believe that good privacy policies make good business policies.
Protecting Privacy Plays an Important Role in the Exercise of First Amendment Rights
Ensuring that we have adequate privacy laws has a more significant
and important role in our democracy than just fostering high-tech
businesses. We also must defend on-line freedom from heavy-handed
content regulation. That was my purpose in voting against the
unconstitutional Communications Decency Act that became law in 1996.
Stopping efforts to create government censors is critical to allow
our First Amendment rights to flourish, but it is not enough. For
people to feel comfortable in exercising their First Amendment rights--
by speaking, traveling and associating freely online or in physical
space--they must be able to keep their activities confidential and
private. When Big Brother is watching, the exercise of First Amendment
rights is chilled no less than the threat of a government censor.
It is therefore not surprising that our country has a long and
honorable tradition of keeping our identities private when we exercise
our First Amendment rights. ``The Federalist Papers,'' which is
probably the most important political document ever written about our
Constitution, was authored anonymously by James Madison, John Jay and
Alexander Hamilton and published under a pseudonym.
Healthy advocacy and debate often rests on the ability of
participants to keep their identities private and to act anonymously.
Indeed, the Supreme Court has said, ``Anonymity is a shield from the
tyranny of the majority.''
Healthy commerce also depends on satisfying consumers' desire to
keep their business affairs private and secure. A report I released
last month on Vermont Internet commerce is telling on this point. The
strongest obstacle among consumers from shopping and doing business
online was their fear of the online security risks. This is why
promoting the use of encryption is so important, so that businesses and
consumers can use this technology to provide the privacy and security
they want and that best suits their needs.
I plan to introduce privacy legislation to ensure that Americans'
Fourth Amendment rights to be secure in their persons, houses, papers
and effects against unreasonable government searches and seizures are
given ample protection in a networked computer environment. In
addition, several provisions in the bill will address the concern
Americans have about the use of their personally identifiable records
and information by businesses, satellite carriers, libraries and book
sellers.
Industry Self-Regulation Efforts Should Be Encouraged
In contrast to a citizen's relationship with his or her government,
consumers have a choice of whether they want to deal or interact with
those in the private sector. In my view, this choice should be
generally recognized in the law by allowing consumers and businesses in
the marketplace to set the terms of their interaction. This is an area
where the Congress should tread cautiously before regulating. Online
businesses are engaging in serious efforts to make available to
consumers information on privacy policies so that consumers are able to
make more educated choices on whether they want to deal. I commend and
applaud those efforts.
That being said, however, current laws do not apply privacy
principles in an even-handed manner. Video rental stores and cable
operators are subject to privacy laws to protect our right to keep our
viewing habits private, but no protections exist for the books we
borrow from the library or buy from a bookstore, or the shows we watch
via satellite. I am introducing a bill to provide more uniform privacy
protection for both books and videos, no matter the medium of delivery.
Similarly, telephone companies and cable operators are subject to
legal restrictions on how they may use personally identifiable
information about their Internet subscribers, while other Internet and
online service providers are not. The E-RIGHTS bill I am introducing
would promote a more level playing field in terms of the privacy
protections available to Internet users, no matter whether they obtain
their Internet access from AOL, their cable company or their local
phone company.
This Legislation Addresses a Broad Range of Emerging High-Tech Privacy Issues
For example:
When should the FBI be allowed to use cell phones to track a
user's movements?
Should Kosovo human rights organizations that use Web sites
to correct government misinformation be able to get domain
names without having their names publicly available on a
database? Should we have the same ability to get an
``unlisted'' domain name (or Internet address) as we are able
to get an ``unlisted'' phone number?
Should we allow other federal prosecutors to act like
Special Prosecutor Kenneth Starr and go on fishing expeditions
with subpoenas issued to bookstores to find out what we are
reading? Should we protect our choices of reading and viewing
materials the same way we protect our choice of videotapes that
we rent from our local Blockbuster?
Should people who maintain their calendars on Yahoo! get the
same privacy protection as those who keep their calendars on
their desk or on their PC's hard-drive? Will people avoid
certain network services offered by Netscape or new Internet
start-ups because they get less privacy protection for the
information stored on the network than on their own PCs?
These are all important issues, and I have worked to propose
solutions to each of these and to other questions, as well, in the E-
RIGHTS bill I am introducing. I invite each of the witnesses and others
with interests in these matters to exchange ideas on these topics.
There are few matters more important than privacy in maintaining our
core democratic values.
The Chairman. We will turn to you now, Mr. Sheridan. We
respect all the things that you have done to cause angst
throughout the operating platform community.
STATEMENT OF MICHAEL SHERIDAN
Mr. Sheridan. Good.
The Chairman. Yes, it is good, and we are delighted to have
you here.
Senator Leahy. Good word, ``angst.''
The Chairman. Yes. We have had a lot of that expressed here
before this committee, by the way.
Mr. Sheridan. I can feel it.
The Chairman. Yes.
Mr. Sheridan. Mr. Chairman and members of the committee,
good morning, and thank you very much for giving me this
opportunity to testify on this important issue.
My name is Mike Sheridan. I am Vice President of Strategic
Businesses and a member of the Executive Committee of Novell,
Inc., which is the world's largest provider of directory-
enabled network software, and which is located in the great
State of Utah. Prior to coming to Novell in 1988, I worked at
Sun Microsystems, where I was one of the original members of
the team that created the Java programming language. I testify
before the committee today not as an expert in privacy policy,
but as a technologist who is building software products that
are relevant to the online privacy debate.
At Novell, we view online privacy as an extension of
Internet identity, since it is all about empowering users to
make decisions about how much information they want to share
and with whom. It will come as no surprise to you that I
believe that the first line of defense for online privacy is
commercial technology. The genius of Net culture is the
immediacy with which it funnels resources to new areas and the
furious pace, known as Internet time, at which it develops new
products. Several new firms have already been established to
address privacy on the Web and are attracting significant
amounts of venture capital. To the extent possible, we should
let the marketplace address privacy concerns, since it will
deliver the fastest, most flexible and most cost-efficient
solutions.
The second line of defense is industry self-regulation.
Before we regulate the Net, we must let the private sector
attempt to develop best practices and industry norms that
satisfy consumers' needs. The Online Privacy Alliance, TRUSTe,
BBBOnLine and the Platform for Privacy Preferences exemplify
this effort. We are making steady progress, as witnessed by the
rather dramatic increase in the number of privacy policies
posted across the Net. Only after we have given commercial
technology and self-regulation a chance to work should we turn
to government intervention and regulation, and even then we
must be sure that it supports America's leadership of the
networked economy and needs of consumers.
The first phase of the Internet was really all about
getting connected, and companies like AOL made it easy to do
this and led the way. For the past years, we have focused on
connecting individuals, schools, government and businesses to
the Net. The next phase, which is just beginning, will be about
creating and managing digital identities. Novell believes that
the best way to build the world of Internet identities is to
develop products that let individual users create, manage and
secure them. The directory, a sort of network white pages, is
at the center of our efforts to do so. Identities and
directories are two sides of the same coin. Identities describe
who you are on the Net. Directories process this information so
that you can connect to the right people, applications and
services.
An example of the new technologies that will allow
individual choice to govern individual privacy is a product
called digitalme. This product reflects Novell's belief that
the best way to resolve privacy concerns is to address the
larger identity issue. Digitalme allows users to enter and
modify personal data in the directory themselves, and to
control who has access to it. In other words, it lets people
specify the personal information they want to reveal, if any.
By providing such tools that allow users to manage their
Internet identity, we can educate them about their online
privacy.
Because no one technology or company can guarantee privacy
on the Web, Novell is also working to promote industry self-
regulation. We are currently in discussion with BBBOnLine and
are already a member of the Online Privacy Alliance and a
premier sponsor and licensee of TRUSTe. Our privacy policy,
which is posted on our Web site, was created in accordance with
the guidelines of these two groups, as well as the U.S. Federal
Trade Commission and EU Directive on Data Protection.
Mr. Chairman, the privacy debate has at times been
difficult for the Internet industry. But it has also been very
constructive, since it has helped reveal consumer preferences,
industry responsibilities, and the new landscape of e-commerce.
We should not cut off this debate by pretending that Internet
privacy concerns don't exist. Nor should we pass premature
legislation that assumes we know all of the answers.
For now, government should encourage private sector
solutions, investigate and prosecute deceptive business
practices, and monitor privacy abuses to determine the actual
harm to consumers. Only after we are satisfied that the private
sector cannot meet consumers' needs through commercial
technologies and self-regulation should we consider government
intervention.
Thank you very much.
The Chairman. Thank you, Mr. Sheridan.
[The prepared statement of Mr. Sheridan follows:]
Prepared Statement of Michael Sheridan
Mr. Chairman and Members of the Committee: I am Mike Sheridan, Vice
President for Strategic Businesses and a member of the Executive
Committee of Novell, Inc., which is the world's largest provider of
directory enabled network software. Prior to joining Novell in 1997, I
worked at Sun Microsystems where I was one of the original members of
the team that created Java. I testify before the Committee today not as
an expert on privacy policy, but as a technologist who is building
software products that are relevant to the online privacy debate.
What do we mean by online privacy? At Novell, we view it as an
extension of Internet identity. It is about empowering users to make
decisions about how much information they wish to share and with whom.
With all the press attention that online privacy is getting has
come a chorus of calls for government legislation and regulations. We
should exercise great caution in responding to them. We are in the
early stages of the next big phase of the Internet--a phase that will
focus on the creation and management of digital identities and
relationships. It would be a mistake to pass legislation regulating
privacy on the Net before we fully understand the commercial products
and services that will be available to us in this new environment.
The first line of defense for online privacy is commercial
technology. The genius of Net culture is the immediacy with which it
funnels talent and resources to new areas--like protection of personal
privacy--and the furious pace at which it develops new products.
Entrepreneurs have already established several new firms to address
privacy on the web, and they are attracting significant amounts of
venture capital. We must allow the market to address privacy concerns
to the greatest extent possible since it will deliver solutions that
are the most flexible, speedy and cost-efficient.
The second line of defense is industry self-regulation. Before we
regulate the Net, we must allow the private sector to attempt to
develop best practices and industry norms that satisfy consumers' needs.
The work of TRUSTe, the Online Privacy Alliance (OPA), BBBOnline and
the World Wide Web Consortium's Platform for Privacy Preferences (P3P)
exemplify this effort. Only after we have given commercial technology
and self-regulation a chance to work should we turn to government
intervention, and even then we must be sure that they support America's
leadership in the networked economy and the needs of consumers.
In my comments today, I will examine three issues that are central
to the privacy debate: (1) The next phase of the Internet; (2) The
promise of commercial technology; and (3) The principles for future
progress.
1. the next phase of the internet: the identity wave
The Internet began as a Department of Defense research project and
for many years was used primarily by scientists at national
laboratories and research universities. The first big wave of the
Internet occurred in the mid-1990's with the advent of the world wide
web and the browser. Suddenly, it was easy to surf the Net, and there
was a scramble to connect. Companies like Netscape and AOL led the way.
Businesses wanted to connect to improve their communications and
productivity. Schools wanted to connect to improve educational
opportunities; government at all levels wanted to connect to enhance
their operations; and individuals wanted to connect to the new world of
digital information. Today, US Internet users number about 80 million.
The Internet is having an economic impact that is on the scale of the
industrial revolution, and it is occurring much faster.
The connection phase will continue for several years as we build
out the infrastructure of the web, but it is about to be supplanted by
something else--the identity wave. Now that the problems of getting
online, getting a browser and using the Net have been largely overcome,
we are faced with massive scale issues. These scale issues are really
identity problems. How do I find what I want? How do I control my
identity when it is scattered over dozens of different sites? How do I
keep track of all my passwords? How do I authenticate my digital
relationships? How do we manage a system this complex in ways that
create trust?
Questions about Internet identity are closely related to privacy,
but they are not synonymous. Privacy is only one aspect of this
identity, albeit a very important one. The best way to resolve privacy
concerns is to address the larger issue of how to manage Internet
identities.
The transition from the connection phase of the Internet to the
identity phase should carry a red flag for public policymakers. Instead
of being well along a road we already know, we are moving into
unfamiliar terrain. Decentralized decision-making and market solutions
will serve us better during this transition than centralized government
policy since they can respond more quickly and more flexibly to
consumers' needs.
2. the promise of commercial technology: directories and digitalme TM
Entire new companies are being formed and many technologies are
being developed to deal with different aspects of online privacy. I
cite Novell's approach, not as a panacea, but to illustrate the
innovative ways that industry is beginning to respond. Novell believes
that online privacy is an extension of Internet identity and that by
addressing the broader issue of identity we can resolve many privacy
concerns.
The key to building a world of Internet identities is to develop
products that let individual users create, manage and secure them. The
directory is at the center of our efforts to do so. A true Internet
directory is an integrating layer of software that cuts across
operating systems to provide a platform for network services. Without a
directory, you cannot find, manage or use your network. Directories are
what allow network administrators to keep networks up and ready for the
user, regardless of where he is or what device he has.
Perhaps the simplest way to think of directories is to compare them
to the white pages of a telephone book. Just as white pages contain the
information for telephone identities, directories contain the
information for Internet identities. But while the white pages are
nothing more than a reference guide, a directory is a dynamic database
that makes it easy to manage networks, maintain digital interactions
and, ultimately, enable widespread electronic commerce.
Digital identities and network directories are two sides of the
same coin. Identities describe who you are on the Net; directories
process this information so that you can connect to the right people,
applications, services and devices.
Novell recently announced a new identity product called digitalme TM
that leverages Novell Directory Services so that
consumers and businesses can manage their digital identities. Consumers
are looking for secure ways to manage and protect their personal
information (such as bookmarks, cookies, preferences, user IDs, credit
cards and contact information) since these attributes define what they
can do, where they can go, and who they are on the web. Companies are
looking for opportunities to differentiate their business by creating
secure, personalized services that are beneficial to customers.
digitalme TM has a flexible interface built around
digital ``cards.'' These virtual meCards can be customized so that
users share different information about themselves with different sites
based on their personal preferences. For example, a user may want a
card for their favorite airline to hold information about their
frequent flyer number, their e-mail address, their telephone number,
their business travel patterns and their favorite vacation
destinations. Voluntarily providing this information would allow the
airline to customize its interactions with the user so that if low
fares to the user's favorite vacation spot are available, for example,
the airline can alert them. The same user would provide an entirely
different set of personal information to his bank or local hospital.
Since the user knows what information he shares, who he shares it with,
and when he shares it, he is in more control of his identity on the Net
and more aware of his Internet privacy.
digitalme TM is all about user choice. It is downloaded
voluntarily from the Net, and is designed so users can enter only the
information that they want to share. If they choose to include highly
sensitive information a trusted third-party can hold it for them. It
puts users in control. By giving users control of their identities, it
allows them to create customized solutions that meet their individual
needs.
3. principles for future progress
Some seem to have already come to the conclusion that prompt
government intervention is necessary to address concerns about online
privacy. Surveys show the protection of personal privacy is the number-
one concern many people have about the Internet. And advocates of this
view note that it is easier than ever for businesses to gather digital
information about consumers without their knowledge or consent and to
use this data to market products, or worse, in discriminatory and
invasive ways. There is no doubt that the issue of Internet privacy
raises legitimate questions about the rights of web users. To the
extent that it leads to the erosion of consumer confidence in the Net,
it could even retard the growth of electronic commerce.
Nonetheless, it is too early to make a judgement about the need for
privacy legislation. Just like the Internet, our understanding of
digital privacy is still evolving. The success of Free-PC shows that
many consumers are only too happy to trade their privacy rights given
the right incentives. And although Internet identifiers can create an
invasion of privacy, they are also what allowed the FBI to find the
perpetrator of the Melissa virus and to discover who posted the
fraudulent Internet articles that artificially inflated the stock price
of Pairgain Technologies.
In order to balance these competing concerns, many companies have
created privacy policies that share a common set of guidelines. Among
the most important are giving consumers notice before gathering any
personal data, disclosing how any information that is collected will be
used, and letting users choose to opt out of personal data transfers
that are not necessary to complete a transaction.
Novell's policy, which is posted on our web site at www.novell.com,
was created in accordance with the guidelines set forth by TRUSTe, the
Online Privacy Alliance (OPA), the US Federal Trade Commission, and the
EU Directive on Data Protection. It consists of the following
guidelines:
1. In general, people may visit Novell web sites while remaining
anonymous and not revealing any personal information. Novell will at
times request basic data--such as name, address and e-mail--in order to
respond to visitors' queries about our products or services, but we will
not contact you with additional marketing information unless you
indicate that you want to receive it.
2. Novell will not disclose your personal information for marketing
purposes to any third-party company without your consent.
3. Novell will not collect information from people who identify
themselves as being younger than 18 years of age.
4. Novell may use cookie technology only to obtain non-personal
information from its on-line visitors to improve their on-line
experience. If you do not wish to have a cookie set when visiting the
Novell web sites, you may alter the settings on your browser to prevent
them.
5. Novell will take appropriate steps to respect and protect the
information you share with us. Whenever you give Novell sensitive
information (e.g., credit card numbers), Novell will take commercially
reasonable steps to establish a secure connection with your web
browser. Credit card numbers are used only for payment processing and
are not retained for marketing purposes.
6. All of the information Novell gathers will be available to you
at the Novell Identity web page. From this site you can see what kind
of information Novell has collected from your visit to our web site and
update the information you have provided us in your personal profile.
From this site you can also indicate that you would rather be anonymous
and provide no information about yourself or your visit to our web
site.
As the debate about Internet privacy evolves, we should look to the
following principles to guide our efforts:
1. Rely on market-inspired solutions as much as possible
The private sector still has a lot of work to do, but we should not
let the highly publicized privacy problems of the past few months
distract us from the real progress that has been made. Many
organizations have invested a lot of time, effort and money to create a
self-regulatory system in which business takes real steps to protect
online privacy. OPA, TRUSTe and BBBOnline have educated industry about
the issue. Novell and several other companies have developed
technologies that hold promise. AOL has made a huge effort to educate
consumers. AT&T has funded studies to better understand consumer
demand. And IBM has withheld advertising dollars from sites that do not
have privacy policies. As a result of these actions, new products are
beginning to emerge and privacy policies are steadily proliferating
across the Net. If the government decides to take legislative or
regulatory action, it should persist in its role as champion of best
commercial practice. The private sector is likely to develop faster,
more flexible and more cost-efficient solutions than the government and
should be encouraged to do so.
2. Refrain from a one-size-fits-all policy approach
Just as no one technology or company can solve the privacy issue,
neither can any one policy. Not all information is equal. Some data--
such as medical and financial data, and information about children--is
especially sensitive. Other types of data can be quite mundane.
Moreover, different users have different privacy preferences.
Aggressive legislation that treats privacy as a uniform problem could
create more problems than it solves.
3. Keep government intervention consistent with the Internet
Where government involvement is needed, it should support and
enforce a predictable, minimalist, transparent and simple legal
environment. Government should follow a decentralized, technology-
neutral approach to policy that encourages private sector innovation.
It should refrain from picking technology winners or implementing
policies that undermine America's leadership of the networked economy.
4. Enforce existing laws and self-regulation
The government already has an extensive mandate to protect consumer
welfare and should vigilantly enforce laws that prevent deceptive trade
practices on the Net. Preventing fraud and false advertising is as
essential to consumer confidence and the growth of e-commerce as they
are to ordinary commerce.
4. conclusion
Mr. Chairman, the privacy debate has at times been difficult for
the Internet industry, but it has also been very constructive since it
has helped reveal consumer preferences and the new landscape of e-
commerce. Just as importantly, it has highlighted industry
responsibilities and made us think hard about the appropriate role for
public policy. We should not cut off this debate by pretending that
Internet privacy concerns don't exist. Nor should we pass premature
legislation that assumes we know all the answers. For now, government's
role is to encourage private sector solutions, investigate and
prosecute deceptive business practices, and monitor privacy abuses to
determine the actual harm to consumers. Only after we are convinced
that the private sector cannot meet consumers' needs through commercial
products and self-regulation should we consider government
intervention.
The Chairman. Mr. Wladawsky-Berger.
STATEMENT OF IRVING WLADAWSKY-BERGER
Mr. Wladawsky-Berger. Mr. Chairman, Senator Leahy, and
members of the committee, thank you for the opportunity to
comment on the question of privacy in the emerging digital age.
My name is Irving Wladawsky-Berger and I am the General Manager
of IBM's Internet Division.
Let me begin by reiterating that all of us, individuals and
businesses alike, derive incredible benefit from the free flow
of information over the Internet. At any hour, day or night,
people can check the status of a shipment, analyze their
investment portfolios, or compare prices over a whole universe
of suppliers. Likewise, businesses gain efficiencies they could
only dream of before the Internet, efficiencies that restrain
prices and bring them closer to their customers.
All this requires information, lots of it. So, clearly, it
is in everyone's interest that the privacy of information be
protected. After all, the consumer's embrace of the Internet
and the electronic marketplace it makes possible will only last
as long as they trust us and all the other participants in that
marketplace to respect their privacy.
IBM is no stranger to this issue, and we have been working
on privacy issues ever since the 1960's. Not surprisingly,
then, in 1997 we adopted a worldwide privacy policy for our
thousands of Web pages, and at the same time recognized the
need for industry to unite on some basic principles and
actions. In fact, we have played key roles in the establishment
of the Online Privacy Alliance and the TRUSTe and BBBOnLine
Privacy Seal programs. We actively support Call for Action,
which is an educational program to educate consumers on what
they should look for, for privacy on the Web sites.
Most recently, IBM announced that, effective June 1, we
would no longer advertise on United States and Canadian Web
sites that did not post privacy policies. And as the second
largest advertiser on the Web, our action, we hope, should
influence the practices of others. That commitment to privacy,
and our experience in making the promise of the Net real for
thousands of customers, gives us an excellent vantage point
from which to view this issue.
It seems to us at IBM that the key question to be answered
at this point is how can our society strike the right balance
between the value of a free flow of information and privacy.
How can that flow of information be not just free, but fair as
well?
In our opinion, a broad new statute is not the answer. The
Internet is too global, too instantaneous and too decentralized
for a fixed, rigid statute to regulate it. The Net and its
related technologies simply change too quickly to be amenable
to centralized control. We strongly believe that the best way
to strike the balance between the free flow of information on
the Net and privacy protection is through market forces, which
are invariably the product of consumer preferences.
This self-regulation would ride atop a broad base of
consumer protection laws and targeted sectoral regulation. This
approach envisions a mix of business involvement and
commitment, government support and targeted action,
international cooperation among businesses and governments, as
well as individual responsibility.
Government should defer to private sector leadership for
any number of reasons. Number one, the private sector has many
incentives to respect privacy, not the least of which is self-
interest. The members of the business community simply have too
much to gain from the freest possible flow of information and
too much to lose if concerns over privacy limit the growth of
the networked economy.
Second, excessive regulation can exclude many small and
medium firms from the e-business marketplace. We believe that
one of the most important opportunities in electronic commerce
is to level the playing field, to allow not just the large
companies but the smaller companies to participate. We want e-
business to benefit Main Street, not just Wall Street.
Third, private sector self-regulation can adapt and change
much more quickly and responsibly than government regulation.
Fourth, the Internet and the e-business marketplace are fresh,
new phenomena and should be regulated very, very carefully and
only with good cause. And, finally, the fifth reason for
deferring to market forces is the fact that on the Internet
information is borderless and the Web itself decentralized,
complicating immeasurably all efforts to impose traditional
regulation.
The last few years have seen any number of promising
marketplace privacy initiatives, and I believe a lot of
progress is being made. As my colleague from AOL said, one of
the most promising efforts is the Online Privacy Alliance, a
cross-industry group established in 1998 to agree on a basic
framework for privacy policies tailored to individual
industries.
My written statement goes more into detail about the
practices of the Alliance. Let me just very quickly talk about
what is it based on. Number one, each company should adopt and
implement a privacy policy and post it at its Web site. Two, each
visitor to a site should be informed of what personal
information is collected at its site, its use, and whether it
will be disclosed to others.
Third, visitors to a site should have a choice in whether
information will be disclosed to others. Fourth, the Web site
owner should take reasonable steps to keep the information
secure. And, fifth, the owner should take reasonable steps to
keep data accurate and to provide individuals as much access to
their identifiable data as is possible.
Let me just conclude by thanking you for the opportunity to
appear before you, and afterwards I will be pleased to answer
any questions.
The Chairman. Thank you very much.
[The prepared statement of Mr. Wladawsky-Berger follows:]
Prepared Statement of Dr. Irving Wladawsky-Berger
Mr. Chairman, Senator Leahy, and Members of the Committee, thank
you for giving me the opportunity to comment on the question of privacy
in the emerging Digital Age.
My name is Irving Wladawsky-Berger and I am the General Manager of
IBM's Internet Division. In that capacity I am responsible for IBM's
Internet strategy, and for driving its implementation across the
company. I am also privileged to serve on the President's Information
Technology Advisory Committee.
As you may know, IBM is the largest information technology company
in the world, with over $81 billion in 1998 revenue and over 290,000
employees worldwide.
We believe this gives us a unique vantage point from which to
comment on privacy in the digital age, working as we do with leaders of
large, medium and small companies and with governments worldwide,
helping them navigate the historic shift to a networked world, and
offering them business solutions in the form of expertise, services and
technology.
i. the value of information in the information age
With every passing day it becomes more certain that the Internet
will take its place alongside the other great transformational
technologies that first challenged, and then fundamentally changed, the
way things are done in this world. But with all respect, let me begin
my comments by suggesting that, while technological advances in our
industry continue at an amazing pace, it is information not technology,
that is at the heart of this revolution.
Information has never been more important than today, when we are
engaged in a fundamental transformation of commerce, education, health
care, and government--indeed, just about every institution in society
that serves individual Americans either as consumers or citizens. For
every business, information has assumed an increasingly strategic role.
Information is their competitive advantage. It is what allows them to
differentiate themselves from all the others in the marketplace who are
trying to serve the public.
Leveraging the Internet and other networks so that businesses can
better work for all their constituents is what we in IBM call e-
business. Indeed e-business is our key market strategy.
We have worked in the marketplace with many thousands of our
customers around the world to help them implement e-business
strategies. And, one of the things we have learned in the process is
that the more information is available to business, government and
other institutions, and the more intelligently it is used, the better
the job they do serving their customers, dealing with business
partners, and running an effective organization. The cumulative effects
of all these improvements are greater convenience for consumers, more
satisfied constituents, and lower costs that can be passed on to
customers in the form of price reductions.
For example, customer self-service applications let consumers
obtain whatever information they need anytime of the day or night,
whether it is locating a package they have shipped, analyzing the
status of their investments, or getting expert advice about a purchase
they are contemplating. Moreover, with the amount of information in the
World Wide Web growing at a prodigious rate, businesses are
increasingly capable of using automated ``personalization'' techniques,
leading questions based on the customer's known needs and wants, to
help consumers better navigate through the growing sea of information.
Similar personalization techniques permit retailers to cement
relationships with customers by offering promotions on items shoppers
are most likely to want. In fact, the Safeway supermarket chain in the
United Kingdom typically gets a remarkable fifty percent-plus response
rate to their direct promotions based on this simple premise: offering
discounts on items they know customers are likely to buy anyway--and
Safeway knows what they are likely to buy because of the information
people have entrusted to them.
This same retailer, in devising additional customer loyalty
programs, discovered that people hate to write shopping lists and
invariably forget certain items. So, in cooperation with our research
labs, they are piloting a program in which customers get shopping lists
matched to their buying patterns. The lists are downloaded to a
portable device the customer picks up as he or she enters the
supermarket. This same device scans the items as the customer selects
them, thus significantly reducing the time spent checking out.
Health care is an area of enormous promise as well. We are working
with practitioners around the world to establish high-security health
information networks that connect physicians, laboratories and
hospitals. With much more timely health information available, patients
can receive faster, more effective treatment, and the significantly
lower administrative expenses could help restrain medical costs.
But the real promise of these health care networks is the
possibility of subjecting all that information to highly sophisticated
supercomputing analysis--what we call Deep Computing, since it is
similar to that developed in our research labs for our Deep Blue chess
playing application--and developing a truly ``intelligent'' assistant
able to deliver expert medical advice to health care professionals.
Such expert assistance could be available over networks to
practitioners everywhere, in a famous urban medical center or a small
rural practice.
In addition, such sophisticated information analysis can infuse far
better forecasting and planning into business processes of all sorts.
For example, our research laboratories are working with an airline to
apply Deep Computing techniques to the scheduling of crew assignments.
That improves not only the airline's efficiency, but working conditions
as well by matching assignments as much as possible with the
preferences of their flight personnel.
That's a great convenience for the flight crews certainly, but it
also saves the airline over $80 million annually, costs that would
otherwise find their way into airline fare schedules to be paid by the
consumer.
In the final analysis, if the digital age is about anything, it is
about using information to empower individuals, be they consumers or
citizens.
ii. addressing privacy expectations: ibm's longstanding commitment
Incredible prospects exist for enriching the lives of customers,
patients, citizens, or just plain individuals by using their
information for their benefit, not for their exploitation. And the
opportunity to obtain and use that information constitutes a
competitive advantage for business. With all that at stake, it stands
to reason that the business community has keen incentive to meet
people's privacy needs.
This is why IBM takes people's concern for the privacy of their
information very, very seriously. IBM understands that consumers will
continue to embrace the Internet, and the electronic marketplace it
makes possible, only to the degree that they trust those who use the
technology to respect the privacy of their personal information.
Equipping consumers with knowledge and choice about how their personal
information is used is key to building such confidence and trust.
We strive to lead by example via our own policies and behaviors.
And we have done so for three decades--a long term commitment to
individual privacy, one that predates, in many ways, the policies of
industry and government.
1960's
IBM adopted our first formalized and global privacy policy, on
handling of employee data, establishing employee access to their
personnel folder, well before the practice became common in the
workplace.
1970's and 1980's
We formulated specific guidelines and principles, applicable
worldwide, on the handling of employee and other data (such as medical
records). We instituted management training to ensure compliance. IBM
also participated via business groups in the formulation in 1980 of the
Organization for Economic Cooperation and Development (OECD) Guidelines
on the Protection of Privacy and the Transborder Flow of Personal Data.
These Guidelines underlie much of the international community's
thinking about privacy protection and IBM supports the spirit and
intent of the OECD Guidelines.
1990's
As the decade of the Internet began, it was characterized by much
hype and a lot of trial and error, but now by the end of the decade the
Net emerged as a new mass medium that is transforming how we work, buy,
sell, play and learn. As use of the Internet and other networked
technologies grew, the need for IBM to renew and refocus its commitment
on today's privacy issues became clear.
Therefore, in 1997 we adopted and implemented a worldwide privacy
policy for our thousands of web pages operating as part of ibm.com. A
copy of our corporate privacy policy statement from www.ibm.com is
attached as an Exhibit. Within IBM, we supported adoption of our Web
privacy policy with executive communications and the establishment of a
new executive position responsible for our internal privacy practices,
reporting to IBM's Chief Information Officer.
And we recognized the need for independent third-party backups to
company policies, and thus sponsored the formation and launch of both
the TRUSTe and BBBOnline privacy seal programs. We also played a key
role in the organization and launch of the cross-industry Online
Privacy Alliance, the principles of which I describe below. TRUSTe and
BBBOnline are independent non-profit groups that can provide consumer
assistance and dispute handling for privacy-related questions, and in
the case of BBBOnline can respond to any and all consumer queries or
complaints. We backed up our own policy by enrolling in the TRUSTe
program last year.
IBM also organized or sponsored a number of customer briefings on
the issue. In 1998 alone, for example, we hosted a conference in New
York City for over 100 senior executives from various business and
government organizations. We hosted Secretary of Commerce Bill Daley
for a roundtable with over 30 senior executives. With the Software
Publishers Association (now the Software and Information Industry
Association) we co-sponsored a series of a dozen workshops on web
privacy policies.
Recognizing the needs some businesses will have in this area for
expert assistance, we also formed a dedicated consulting team in our
IBM Global Services division to guide organizations (large and small)
through the process of creating and implementing practices that comply
with applicable privacy policies or regulations. This team relies on
the concept of a ``Privacy Architecture'' to help organizations adopt
the appropriate mix of policies and technologies to manage the privacy
and security commitments they make.
We also supported efforts to educate consumers on how to protect
their privacy online, most notably funding an effort by Call for
Action, a consumer assistance organization, to publicize its ``ABCs of
Privacy.'' I've included a sample sticker pamphlet as an Exhibit, and
you can find more of their information on www.callforaction.org. To
their credit, Circuit City supported Call for Action's efforts during
the 1998 Holiday season by allowing the organization to distribute this
material through their 500-plus stores in the United States.
And most recently, IBM last month stepped forward and announced
that, effective June 1, we would no longer advertise on U.S. and
Canadian Web sites that did not post privacy policies. As the second
largest advertiser on the Web, we believe that our action will
influence the practices of other market players. Attached as an Exhibit
is the letter sent by our advertising agency, OgilvyOne, to over 350
Web site owners, informing them of our policy.
iii. spreading the adoption of online fair information practices
The key question before all of us at this point is how our society
as a whole--business, government and individuals--will strike the right
balance between the free and fair flow of information and the
reasonable expectations of privacy. In particular, what is the right
balance between legitimate government action and the rewards and
sanctions of the marketplace?
IBM, led by our CEO Lou Gerstner, has thought about this question a
great deal, drawing on our decades of experience with privacy,
technology, and business practices. Frankly, we want rapid progress in
adoption of ``fair information practices'' by organizations that handle
personal data--so that the e-business marketplace, and consumer
acceptance of it--will continue to grow at double-digit rates. We also
appreciate that U.S. policy makers and other important stakeholders
also want rapid progress--especially since electronic commerce has been
recognized as a major economic driver of the U.S. economy's success
entering the 21st century.
A new statute is not the answer. It would be relatively easy, I
suspect, for some to fall into the trap of thinking that the answer is
a simple statute that tries to make those who operate on the Internet,
through whatever means, ``respect privacy.'' But that would give a
false guarantee to our citizens--a single ``one size fits all''
approach could never really meet their expectations for privacy
protection, especially in such a complex and fast moving medium as the
Internet.
The Internet presents some special challenges that stem from its
wonderful and unique attributes. All at once it is: global,
instantaneous, and decentralized. Information flows through many
packets in order to get routed to its final destination, relying on a
very international distribution system that is by its nature
decentralized and under no one's ultimate control. The Net and its
related technologies change quickly as well. For example, the Internet2
and Next Generation Internet initiatives, under development now in the
United States, will soon make it possible to share richer stores of
data, much more quickly than before. New technologies and new online
startups are challenging us all with their continual changes and new
business models.
We strongly believe, therefore, that given these attributes the
best way to strike the balance between information flow and privacy
protection on the Net is through private sector leadership--what many
call ``self-regulation''--built atop a base of broad consumer
protection laws and targeted sectoral regulation. In order to succeed,
we need a mix of business involvement and commitment; government
support and targeted action; international cooperation among businesses
and governments; and individual responsibility.
IBM strongly supports such a ``layered'' approach to privacy
protection. Where specific, sectoral concerns are identified and are
not adequately addressed by self-regulation, some amount of legislation
or regulation may be needed. For example, IBM has for several years
supported the enactment of medical records privacy legislation--medical
data are among the most sensitive data an individual can share, and for
that type of data we support a comprehensive statutory framework.
But with respect to the Internet and electronic commerce generally,
we believe that self-regulatory efforts should be given more time to
address the reasonable privacy expectations of consumers. There are a
number of reasons to defer to private-sector leadership:
The private sector has many incentives to respect privacy
Frankly, since businesses have so much to gain, and so much
to lose, if privacy concerns limit the growth of the networked
economy, I believe that the members of the business community
need to establish themselves as worthy stewards of privacy. We
should be encouraged by business' efforts in the last year or
so (which I describe below) and we should also recognize that
it takes time to grow any movement.
The great majority of the business community recognizes that
its real interests lie in maintaining the trust and confidence
of their customers--and therefore it is smart business to
respect the privacy of personal information.
A number of high-profile examples from the last few years
illustrate my point--ranging from AOL, to Geocities, and to the
rapid actions taken by Intel and PC makers (including IBM) to
address consumer concerns about the privacy implications of the new
Pentium III chip.
An appropriate role of government vis-a-vis the private
sector in this context would be for all levels of government to
lead by example and adopt fair information practices as much as
possible. Recent examples involving the reported sale of
drivers' license records are good reminders of the importance
of providing individuals with ``notice'' and ``choice'' over
what is done with information they disclose to others. Clearly,
the nature of government's responsibilities carries with it
duties to secure public safety and investigate potentially
harmful actions--but those investigations ought to be executed
within our Constitutional protective framework.
Excessive regulation can deter Main Street and others from joining the
e-business marketplace
While we agree that the government has a role in protecting
the privacy of its citizens, we worry that a pervasive
regulatory regime would be cumbersome and stifling, especially
for mid-size and small businesses. We want e-commerce to
benefit Main Street as well as Wall Street. We want to make
sure that businesses of all sizes, from the largest to the very
smallest, participate in the networked economy. And, we worry
that excessive regulation, with its increased costs, could
exclude many from the opportunity represented by the Internet.
Private-sector self-regulation can adapt and change much more quickly
and responsively than government regulation
The genius of our nation's Founders produced a political
system in which legislation usually develops deliberately and
slowly, while policy makers weigh the concerns of opposing
factions and competing interest groups. Self-regulation, on the
other hand, has the advantage of speed, and the benefit of
being able to adapt more quickly to technological changes and
consumer and other expectations.
The core forces driving the Internet and e-businesses, of
themselves, enable more flexibility in addressing privacy
concerns. Empowering technologies such as the Platform for
Privacy Preferences, under development as an industry standard
by the World Wide Web Consortium, will continue to put in the
hands of consumers the power to control their information.
Simple technology-related tools one can use today, such as
anonymizers and cookie cutters--while not perfect--can be used
by all who want to use them. And finally, new business models
are springing up that allow people who freely choose to provide
information, to get something of value in return. Do you want a
free PC today? Or a coupon for products? You decide.
In my view, the best example of private sector responsiveness
is the TRUSTe web privacy program. Just launched in 1997, the
program has already comprehensively updated its privacy
policies and practices in order to be consistent with the
fundamental principles espoused by the Online Privacy
Alliance--the latest ``best practices'' in online privacy. A
regulatory agency would not have been able to accomplish such
significant change in that time frame.
The Internet--and the e-business marketplace--are new phenomena and
should be regulated very, very carefully and only with good
cause
One school of thought says that a new mass medium has been
born when it's used by 50 million people. Radio took nearly 40
years to cross that threshold. TV took 13 years; cable TV, 10
years. The Internet did it in less than five. By one very
conservative estimate the number of Internet users worldwide
will surge to 210 million in 1999. Internet commerce will more
than double, to $68 billion in 1999. And spending on online
advertising grew to nearly $1.6 billion in 1998, an annual
growth rate of 83 percent.
Clearly, the Internet is taking off, but so are self-
regulatory efforts. I'll turn to a description of these efforts
next, but my point is: the U.S. private sector came together in
mid-1998, in consultation with government, to agree on robust
self-regulation for online commerce. Barely one short year
later, we are seeing encouraging early returns, that should
elicit additional support for these efforts from policy makers.
IBM urges the Committee to encourage such efforts, while being
extremely suspect of imposing additional regulation.
Where additional government involvement is deemed necessary,
it should address a specific, identified harm or concern--e.g.
so-called ``identity theft'' or the rights of citizens against
government seizure of online information. An additional role
for government, as called for in the recently issued
recommendations of the President's Information Technology
Advisory Committee, is to support research on fundamental
attitudes and technologies related to privacy.
On the Internet, information flows freely across borders; the
decentralized nature of the medium complicates efforts to
address privacy via traditional regulation. It also highlights
the importance of U.S. government actions
National borders do not reflect the basic fabric of the
Internet, where information flows freely across borders. Its
distributed, decentralized nature means that traditional
regulation will have a hard time succeeding in meeting the
expectations of citizens that their data will be protected and
kept as private as they specify.
The United States today leads all other nations in our use
and development of the Net--I can confirm that personally,
based on my dealings with people all over the world. It is
clear--based on a number of measures--that we lead in the
technology, attitudes and practices that are key to succeeding
in the New Economy. Other nations watch what we do in this
space, and whatever steps our government takes in regulating
Internet-related activity will be carefully studied and
potentially copied. To date, our government's willingness to
allow the medium to grow led primarily by market forces and
technological advances has been a very important precedent
abroad, leading governments that are more inclined to impose
pervasive regulation to hesitate and in some instances refrain.
Of course, I do not believe that there is no role for
government regulation. But I do believe that the best approach
involves careful, tailored legislation that allows maximum time
and flexibility for self-regulatory efforts to work.
iv. responding to the self-regulation challenge
In line with the U.S. system of private-sector leadership supported
by statutory requirements, we are seeing a number of promising
initiatives.
A number of industry-specific groups have developed privacy
principles and initiatives. In the information technology industry, for
example, groups such as the Computer Systems Policy Project, the
Information Technology Industry Council, and the Software and
Information Industry Association have all adopted privacy principles
for their members' use and guidance. Attached as an Exhibit are
examples from the CSPP and ITI principles--for example, the CSPP
developed a full-page ad for USA Today that explained their principles,
and mailed the information with a letter from eight CEOs to the Fortune
1000 companies of the United States.
One of the most promising examples of self-regulation, and one
which IBM strongly supports, is a cross-industry group that came
together in 1998 to agree on what constitutes a basic framework of
privacy policies that could be tailored to the needs of individual
industries. These eighty-plus companies and major trade groups of the
Online Privacy Alliance have created guidelines for privacy policies
and an enforcement framework with real teeth that each of the Alliance
companies (including IBM) has pledged to implement. In doing so we
consulted with privacy experts, government and advocacy groups, and
arrived at a framework that received generally positive support.
Attached as an Exhibit for the Committee's reference are the Alliance
Mission, Members, and Guidelines, also found at
www.privacyalliance.org.
The basic principles that the Alliance companies support for online
commerce are, in abridged form:
1. Adoption and Implementation of a Privacy Policy--every Web
site should post such a policy statement.
2. Notice and Disclosure of Information Practices--the
statement should give the Web site visitor notice of what
personally identifiable information is collected at the site,
the use of that information and whether it will be disclosed to
third parties.
3. Choice/Consent--over whether information is shared or
disclosed to others--the individual generally should have a
choice, at least the ability to opt out, about whether
information about them is disclosed or used for other purposes.
4. Data Security--reasonable steps should be taken to keep
data secure from unauthorized users or access.
5. Data Quality and Appropriate Access--reasonable steps
should be taken to keep data accurate and up-to-date, and as
appropriate and feasible access to personally identifiable data
should be given to the Web site visitor.
6. Enforcement of the Guidelines by an Easily Available and
Usable Mechanism--all Alliance companies pledge to employ self-
enforcement mechanisms that provide consumers with easily
understood and used recourse.
Many Alliance companies are working with ``seal programs''--
independent third parties like the Better Business Bureau's BBBOnLine,
and TRUSTe--that monitor a company's compliance with its privacy policy
and confer, as it were, a seal of approval. These seals are not empty
standards--both BBBOnline and TRUSTe aim to impose requirements that
are consistent with the Online Privacy Alliance's standards.
Industry has made real progress in the last year. According to
Media Metrix, the independent Web ratings agency, when someone visits a
Web site this month chances are over 90 percent that it will be
operating under the guidelines of the Online Privacy Alliance. More
data will soon be available about industry's progress, when Georgetown
University releases a new survey of Web practices next month. I don't
know what all of those data will show, but one thing is clear to me:
for the large majority of Web users in the United States visiting
commercial web sites, they will click on sites that post privacy
policies. And if that's not a good test of the successful start of
self-regulation, then what is?
v. conclusions
The ``layered'' approach that I've advocated in this testimony is
nothing new for the United States: Attached as an Exhibit is a White
Paper and legal analysis prepared by the Online Privacy Alliance that
explains the ``layered approach'' to protecting data privacy in the
United States.
As this White Paper states:
The layered approach to data privacy protection--in which
publicly announced corporate policies and industry codes of
conduct are backed by
(a) the enforcement authority of the Federal Trade Commission
and state and local agencies;
(b) specific sectoral laws that protect the privacy of
particular types of information, enforceable by state and
federal agencies; and
(c) private civil actions for injunctive or monetary relief
brought by individuals or classes of consumers
--differs from the comprehensive government regulatory schemes
typically used in Europe. Notwithstanding the absence of any
regulatory agency dedicated to the enforcement of privacy
standards, however, the ``layered'' public-private enforcement
approach has a long and successful history in the United
States.
For example, many professions that traditionally have been
trusted to safeguard the confidentiality of personal data--
lawyers, doctors and accountants, for example--abide by self-
regulatory codes backed up by government or judicial
enforcement mechanisms, and the result has been a high level of
protection that has stood the test of time.
The framework of self-regulation in the United States,
buttressed by the threat of governmental or private
enforcement, has succeeded both in protecting personal
information and in affording adequate redress to those
individuals whose privacy has been invaded. Accordingly, a
layered approach--as adapted to address the unique conditions
of the Internet--should achieve a level of data privacy
protection online that satisfies the principles of the
[European Union Data Privacy] Directive.
Online Privacy Alliance, Legal Framework White Paper at 2 (Nov. 1998).
In an economy as networked, global, and competitive as the one we
are building, customers usually can impose sanctions and punish a
company much faster and more effectively than government. In a free and
competitive marketplace, customers will gravitate toward those brands
that provide them the best possible service, and whose brand they can
trust. By the same token, with our free and ever-increasing flow of
information, empowered people will quickly realize who they should
avoid.
Clearly, the less government obtrudes into the marketplace the
greater will be the flow of Web transactions delivering goods and
services, health care, government services, financial services * * *
indeed everything that depends on trust. And flowing from that will
come new opportunities, new businesses, and new jobs in all sectors of
the economy.
Privacy is not a cut and dried issue. What is and is not private
changes from person to person. For one person the scope of privacy is
very narrow, for another very broad. For some people privacy is
negotiable and they may be willing to trade information about
themselves in return for something of value.
Certainly a pervasive regulatory regime could assure the public
that nothing improper would happen to their personal information by
making sure that nothing at all would happen to their personal
information * * * nothing bad certainly but nothing good either.
At the other extreme is the laissez-faire solution which might
suffice in a perfect world, but as the Founders knew, human nature is
far from perfect. Somewhere between those two poles lies the answer * *
* some balance between legitimate government action and the rewards and
sanctions of the marketplace.
Frankly, I am inclined to find the balance much closer to the
marketplace.
After all the great majority of the business community recognizes
that its real interests lie in maintaining the trust and confidence of
their customers--and therefore in respecting the privacy of personal
information. That's why any government privacy policy should provide
maximum latitude for stringent self-regulation * * * the kind of
discipline that business is already adopting.
Thank you again for the opportunity to appear before you. I would
be pleased to answer any questions you may have.
[GRAPHIC] [TIFF OMITTED] T8199.004 through T8199.017 (exhibits attached to the testimony)
Legal Framework White Paper: Submitted with the Comments of the Online
Privacy Alliance On the Draft International Safe Harbor Principles
[November 19, 1998]
OPA White Paper: Online Consumer Data Privacy in the United States
Introduction
This autumn marks the entry into force of the European Union's
Directive 95/46/EC, which establishes minimum requirements for the
protection of personal data across the Community and requires member
states to prohibit the transfer of personal data to countries where
such data is not subject to adequate safeguards. The Directive takes a
broad legislative approach to data protection that is not mirrored in
federal and state statutes in the United States. Nevertheless, similar
concerns about personal privacy in the digital age affect consumer
choices, corporate practices, and, ultimately, legal policies--
governmental, self-regulatory, and judicial--in the United States. This
paper, submitted by the Online Privacy Alliance (``OPA''), illustrates
how the collective effect of ``layered'' regulatory and self-regulatory
measures creates ``adequate'' safeguards for the protection of personal
information collected online in the United States.
The OPA is a cross-industry coalition of more than 70 global
companies and associations concerned with protecting the privacy of
individuals online. As described below, the OPA and its members have
adopted standards of conduct tailored to the online environment and
intended to ensure that personal information collected online by OPA
members receives the level of protection contemplated by the Directive.
The OPA has grappled with the unique challenges to and opportunities
for data privacy protection that are presented by the enormous and
constant data flow in the online environment and has addressed these in
a way designed to reflect the realities of the Internet while
satisfying the principles of the Directive and U.S. data privacy
policies. The OPA has set forth guidelines for online privacy policies,
a framework for self-regulatory enforcement, and a special policy
concerning collection of information from children. OPA requires its
members to adhere to these guidelines and policies, which are available
on OPA's website at http://www.privacyalliance.org.
The layered approach to data privacy protection--in which publicly
announced corporate policies and industry codes of conduct are backed
by (a) the enforcement authority of the Federal Trade Commission and
state and local agencies; (b) specific sectoral laws that protect the
privacy of particular types of information, enforceable by state and
federal agencies; and (c) private civil actions for injunctive or
monetary relief brought by individuals or classes of consumers--differs
from the comprehensive government regulatory schemes typically used in
Europe. Notwithstanding the absence of any regulatory agency dedicated
to the enforcement of data privacy standards, however, the ``layered''
public-private enforcement approach has a long and successful history
in the United States. For example, many professions that traditionally
have been trusted to safeguard the confidentiality of personal data--
lawyers, doctors, and accountants, for example--abide by self-
regulatory codes backed up by government or judicial enforcement
mechanisms, and the result has been a high level of protection that has
stood the test of time. The framework of self-regulation in the United
States, buttressed by the threat of governmental or private
enforcement, has succeeded both in protecting personal information and
in affording adequate redress to those individuals whose privacy has
been invaded. Accordingly, a layered approach--as adapted to address
the unique conditions of the Internet--should achieve a level of data
privacy protection online that satisfies the principles of the
Directive.
In recent years the U.S. government has been increasingly concerned
about ensuring protection of personal information both online and off.
The U.S. government has embraced the layered approach to online data
protection and consistently has advocated that self-regulatory
efforts--in the form of industry codes of conduct and self-policing
trade groups and associations--serve as the primary safeguard to
protect the electronic privacy of personal information.\1\ This belief
in the efficacy of self-regulation reflects U.S. confidence that
industry standards will rise to meet the challenge of meaningful data
protection, rather than become watered down by a ``race to the
bottom.'' Indeed, as discussed below in Part I, the Federal Trade
Commission and the U.S. Department of Commerce have identified five key
elements of a successful regime for data privacy protection in order to
define for U.S. industry the standards the government expects industry
to meet.
---------------------------------------------------------------------------
\1\ See White House Task Force, Framework for Global Electronic
Commerce (July 1, 1997).
(1) notice of the ways in which information will be used;
(2) consent to the use or third-party distribution of
information;
(3) access to data collected about oneself;
(4) security and accuracy of collected data; and
(5) enforcement mechanisms to ensure compliance and obtain
redress.\2\
---------------------------------------------------------------------------
\2\ See Privacy Online at 7-11 (describing principles in detail);
U.S. Department of Commerce, Privacy and Electronic Commerce (June
1998); see also White House Task Force, Framework for Global
Electronic Commerce (July 1, 1997). The FTC's core privacy principles
represent the most recent and comprehensive U.S. effort to identify the
fundamental elements of data protection. The FTC framework does not
exist in a vacuum, however. The National Telecommunications and
Information Agency (``NTIA''), the U.S. Information Infrastructure Task
Force, and the Commerce Department each have addressed issues related
to the protection of personal information and have all reached similar
conclusions as to what constitutes effective data protection. See
Framework for Global Electronic Commerce (describing results of various
studies). The core principles announced by the FTC represent a
synthesis of these earlier efforts and the OECD Guidelines. See Federal
Trade Commission, Privacy Online: A Report to Congress 7 & nn. 27, 28
(FTC June 1998), available at http://www.ftc.gov/reports/privacy3.
Thus, the U.S. commitment to self-regulation presumes--and will
encourage--the development through industry initiatives of meaningful
privacy measures that generally adhere to these core privacy
principles.
The U.S. government, furthermore, has made clear that the failure
of a company to abide by privacy standards to which it professes to
adhere can subject the company to the enforcement authority of the
Federal Trade Commission (or of state and local agencies) and
consequent legal penalties. This possibility of government enforcement
should provide ample incentives for companies to live up to their
guarantees of privacy. See Part I infra. Moreover, as demonstrated in
Part II, both federal and state laws provide an additional layer of
privacy protection: They establish numerous types of safeguards for
data privacy in various sectors of the economy by imposing legal
restrictions on the collection and use of particular types of
information. These various laws demonstrate the commitment of both the
federal and state governments to intervene and protect privacy if self-
regulatory efforts in a particular sector need reinforcement.
The OPA privacy guidelines and attendant enforcement mechanisms
(discussed in Part III) are designed to work with this regulatory
backdrop to protect the privacy of consumers' online data consistent
with the principles set forth in the Directive. OPA-prescribed
enforcement mechanisms, such as seal programs, provide a means to
guarantee that members comply with clearly identified self-regulatory
standards. Companies that identify themselves as adhering to the OPA
self-regulatory scheme also may be at risk of FTC (as well as state and
local) enforcement actions if they fail to follow the OPA privacy
principles; many of these companies also will be obligated to comply
with various sectoral data protection laws at the federal and state
levels. Thus, compliance with the OPA guidelines should provide
assurance to EU data protection authorities that personal information
collected online will be adequately protected within the United States,
and that such protection is enforceable.
OPA and its members have every incentive to adopt strong standards
for data protection and privacy. Political, technological, and economic
trends are all driving companies to the high end, not the low end, of
privacy protection. Recent polls indicate that public concern about
online privacy is the number one reason that consumers not currently
using the Internet--still a substantial majority of U.S. consumers--do
not go online,\3\ and a substantial number of consumers who do use the
Internet choose not to purchase goods sold through websites that do not
disclose their privacy policies.\4\ Congress and the Administration are
well aware of the tide of public opinion, and recent events--most
notably, the rapid passage by the U.S. Congress of the Children's
Online Privacy Protection Act--leave no doubt that the U.S. government
will take action if the online industry does not uphold its
responsibility to impose meaningful standards for the use and
protection of online customer data.
---------------------------------------------------------------------------
\3\ See Business Week/Harris Poll: Online Insecurity, Business
Week, Mar. 16, 1998, at 102.
\4\ See Prepared Statement of the Federal Trade Commission on
``Consumer Privacy on the World Wide Web,'' before the Subcommittee on
Telecommunications, Trade and Consumer Protection of the House
Committee on Commerce, July 21, 1998; Privacy Online at 3-4.
---------------------------------------------------------------------------
U.S. advocacy of a layered self-regulatory approach to data privacy
protection is therefore both a carrot and a stick. Private industry has
been given an opportunity to preserve Internet commerce from government
regulation--the carrot. However, if self-regulation does not work, or
if industry contents itself with meaningless or self-serving standards,
the U.S. government stands ready to impose whatever statutory
guidelines are necessary for the successful protection of information
gathered online--the stick.
This emphasis on meaningful self-regulation has produced real
progress in the promulgation of substantive guidelines to govern the
use of personal information in certain industries. For example, the
major players in the growing market for individual reference services
(``IRS'')--companies that, for a fee, provide financial and other
personal information about individuals--have worked with the Federal
Trade Commission to adopt a code of conduct that imposes strict
limitations on the use and sale of personal information by those
companies. Similarly, the OPA privacy guidelines demonstrate that the
self-regulatory framework outlined by the FTC offers a viable method of
protecting personal data collected over the Internet.
OPA strongly believes that the interests of its members will best
be served by working within that self-regulatory framework to assure
the public that personal data will be adequately protected. Online
markets are expected to expand dramatically in the coming years, and
consumers--particularly those who have yet to buy products or services
online--have demonstrated that they in fact care a great deal about the
privacy policies of the online companies with whom they do business.
New technologies, which will allow a consumer to bargain explicitly for
a desired degree of privacy protection, will only heighten public
awareness of privacy concerns and reinforce the public's expectation
that responsible companies will adhere to the privacy principles
espoused by OPA today.\5\ Internet markets will not reach their full
potential until and unless consumers trust that online businesses will
not misuse personal data that must be collected to consummate
commercial transactions (e.g., shipping addresses, contact information,
credit card numbers). Thus, every commercial online business has an
incentive to win that trust by safeguarding the privacy of its
customers' personal information, and those forward-looking companies
that set the standard for data protection on the Internet--companies
like OPA's members--will earn a competitive advantage in the
marketplace.
---------------------------------------------------------------------------
\5\ Even today, web browsers can be set to decline ``cookies'' so
as to prevent a website from writing files to a user's disk that permit
the site owner to track usage of the website by that user, and
filtering programs permit users to prevent access to specified sites,
which may include those with unacceptable privacy policies. In the
future, automatic protocols like P3P will allow Internet users to
negotiate desired levels of privacy protection or to avoid altogether
those sites that do not provide sufficient protection for personal
information.
---------------------------------------------------------------------------
i. the federal trade commission: enforcing self-regulation
Private self-regulatory bodies like the OPA--which establish a
framework of self-imposed data protection rules to govern the conduct
of all entities in a given industry that agree to operate according to
those standards--can effectively regulate the behavior of their members
and thereby safeguard the private information of consumers. Rather than
having to investigate the idiosyncratic information practices of a
given company, consumers will learn to associate a prominently
displayed seal or notice with a well-known standard of data
protection--much as U.S. consumers today know that the ``UL''
(Underwriters Laboratories) symbol on electronic appliances \6\
guarantees that a device's design meets a time-tested safety threshold.
Thus, companies that agree to abide by a recognized self-regulatory
standard gain the reputational advantage of being able to advertise a
consumer-trusted seal of approval--and those that do not bear a stigma
that can be expected to affect their performance in the marketplace.
Internal enforcement mechanisms guarantee that members live up to their
promises by threatening violators with the penalty of losing the
organization's stamp of approval.
---------------------------------------------------------------------------
\6\ The ``UL'' symbol serves a function similar to the ``CE''
symbol on products sold in Europe.
---------------------------------------------------------------------------
But the efficacy of collective self-regulation in the United States
does not depend on the private sector alone. The Federal Trade
Commission (``FTC'') may use its enforcement authority under section 5
of the Federal Trade Commission Act, which prohibits ``unfair or
deceptive trade practices'' in interstate commerce, to prosecute
companies that do not uphold the standards of a privacy seal or notice
that they display for customers. The FTC has broad jurisdiction over
companies doing business in the United States as well as substantial
enforcement powers. FTC remedies include injunctive relief and other
forms of redress and compensation, and thus impose an independent,
objective incentive on companies to take industry standards
seriously.\7\ State and local consumer protection agencies and consumer
advocates, as well as state attorneys general (the latter analogous to
the federal Department of Justice), complement the FTC's authority by
keeping a watchful eye on regional industries and smaller businesses.
---------------------------------------------------------------------------
\7\ See Federal Trade Commission, Individual Reference Services: A
Report to Congress 29 & n.297 (FTC Dec. 1997).
---------------------------------------------------------------------------
A. The Federal Trade Commission
1. FTC enforcement authority
The FTC is an independent administrative agency that has been
delegated broad enforcement authority under a variety of statutes
designed to promote fair competition and protect the interests of
consumers. Certain of these statutes--like the Fair Credit Reporting
Act (discussed below)--specifically empower the FTC to investigate and
prosecute violations of U.S. law governing the treatment of specific
types of information relating to an individual's credit and finances.
Others--like the recently passed Children's Online Privacy Protection
Act of 1998 (also discussed below)--grant the FTC authority to regulate
certain data protection practices and dictate minimum standards for the
collection and distribution of discrete types of personal information
(e.g., data relating to children). More generally, the FTC possesses
broad authority under section 5 of the Federal Trade Commission Act to
investigate and halt any ``unfair or deceptive'' conduct in almost all
industries affecting interstate commerce.\8\ This authority includes
the right to investigate a company's compliance with its own asserted
data privacy protection policies. Pursuant to section 5, the FTC may
issue cease and desist orders and may also order other equitable
relief, including redress of damages.
---------------------------------------------------------------------------
\8\ Industries exempt from the FTC's enforcement authority under
section 5 are in general subject to specific regulatory schemes that
tend to be both comprehensive and rigorous. See, e.g., 47 U.S.C.
Sec. 45(a)(2) (exempting banks and savings and loan institutions).
---------------------------------------------------------------------------
While the FTC possesses only limited authority to prescribe
regulations that have the force of positive law, it can determine
(subject to judicial review) that a given practice is unfair or
deceptive and therefore contrary to the public interest. Furthermore,
if the agency through its adjudicatory procedures determines that a
given practice constitutes unfair or deceptive conduct (usually in the
form of issuing a ``cease and desist order''), other parties who engage
in similar conduct are subject to civil penalties if they have actual
knowledge of the FTC's determination.\9\ Typically, a company will
choose not to run the risk of a full-scale FTC investigation and
prosecution and will instead enter into a ``consent order'' with the
agency in which a company agrees to comply with objective, judicially
enforceable requirements. Thus, the agency often can set a de facto
minimum standard of behavior through vigorous investigation of
companies that engage in questionable conduct, exercising considerable
influence over a wide variety of industry practices that the agency
deems important to consumers and the public interest. The FTC's recent
policy statements and reports leave no doubt that one such area of
special concern for the agency is the commercial collection and
distribution of personal information.
---------------------------------------------------------------------------
\9\ See 47 U.S.C. Sec. 45(m)(1)(B).
---------------------------------------------------------------------------
2. The FTC's core privacy principles
As noted above, in a June 1998 report to Congress, the FTC
identified five core principles of privacy protection that it will deem
to represent fair and adequate information practices: \10\
---------------------------------------------------------------------------
\10\ See Federal Trade Commission, Privacy Online: A Report to
Congress (FTC June 1998), available at http://www.ftc.gov/reports/
privacy3.
---------------------------------------------------------------------------
(1) Notice: Consumers must be given notice at the time data
is collected of (a) what kinds of information are being
gathered, (b) whether requests for information may be refused,
(c) the uses that will be made of that data, (d) the persons or
entities who will receive or have access to that data, (e) the
measures taken to ensure confidentiality and accuracy of the
data, and (f) whether an individual may limit the dissemination
or use of collected personal information.
(2) Consent: Individuals should be afforded a choice about
the ways in which collected information may be used and whether
that information may be distributed to third parties.
(3) Access: Individuals should have access to the data that
is collected about them and should have some means to correct
inaccurate or incomplete information.
(4) Security: Companies that collect personal information
should take reasonable steps to ensure the security and
accuracy of that information; in particular, measures should be
adopted to prevent unauthorized access to any personal data.
(5) Enforcement: Individuals must have some mechanism to
enforce compliance with an objective code of personal
information practices and to obtain redress for violations of
that standard.
As demonstrated by the GeoCities case (discussed below), the FTC
has taken enforcement action to ensure that a company complies with its
stated data protection standards.\11\ As companies increasingly adopt
and announce privacy policies, therefore, their practices become
subject to FTC enforcement. Even where a company has not publicly
embraced privacy standards, the FTC has cautioned that ``in certain
circumstances, information practices may be inherently deceptive or
unfair, regardless of whether the entity has publicly adopted any fair
information practice policies,'' leading to the possibility of an FTC
enforcement action under section 5 of the FTC Act.\12\ For example,
prior to the recent adoption of the Children's Online Privacy
Protection Act, the FTC issued an opinion letter concluding that ``it
is likely to be an unfair practice'' to collect personal identifying
information from children without a parent's prior consent.\13\ As
principles of data privacy protection become more ingrained and
accepted, other privacy practices similarly could become sufficiently
widespread and expected that a company's failure to comply with such
practices--at least absent notice to consumers--might be deemed unfair
by the FTC.\14\
---------------------------------------------------------------------------
\11\ See Privacy Online at 40 (``[F]ailure to comply with stated
information practices may constitute a deceptive practice * * * and the
Commission would have authority to pursue the remedies available under
the [FTC] Act for such violations.'').
\12\ Privacy Online at 40 (emphasis added).
\13\ See Letter from Jodie Bernstein, Director, Bureau of Consumer
Protection, Federal Trade Commission, to Center for Media Education,
July 15, 1997, available at http://www.ftc.gov/os/9707/cenmed.htm.
\14\ State and local consumer protection agencies also scrutinize
the extent to which companies engage in deceptive or misleading
practices by failing to adhere to announced codes of conduct, and thus
provide additional oversight. See, e.g., Cal. Bus. & Prof. Code
Sec. Sec. 17200, 17500 (West 1998) (revised in 1998 to apply explicitly
to Internet commerce); N.Y. Gen. Bus. Law Sec. Sec. 349, 350 (Consol.
1998); People v. Lipsitz, 663 N.Y.S.2d 468 (N.Y. Sup. Ct. 1997)
(applying N.Y. consumer protection statute to false advertising on
Internet); Andrew Countryman, ``America Online Deal Reached with 44
Attorneys General,'' Chicago Tribune, May 29, 1998 (describing deal
reached between AOL and state attorneys general regarding AOL business
practices). In particular, state and local agencies may be better
positioned than the FTC to examine the behavior of smaller and regional
companies and to respond to the complaints of individual consumers. See
John Borland, ``States Prepare To Examine New Internet Legislation,''
CMP TechWIRE, Jan. 12, 1998 (describing anticipated state legislation
to protect Internet consumers). Thus, the enforcement powers and
activities of local and state officials and agencies supplement the
authority of the FTC and provide an additional layer of protection for
personal information.
---------------------------------------------------------------------------
B. Enforcing Privacy Protection under Section 5 of the FTC Act
A recently settled FTC enforcement action against a website
operator demonstrates the FTC's use of section 5 of the FTC Act to
assure that companies operate in accordance with their announced
information protection practices--thereby putting teeth in self-
regulatory programs.\15\ This represents the FTC's first resolution of
a privacy action in the Internet context by way of a consent order, and
illustrates the flexibility of existing U.S. law to adapt to new
industry sectors in a timely way.
---------------------------------------------------------------------------
\15\ See In the Matter of GeoCities, File No. 9823015 (FTC 1998);
see also Michael D. Scott, GeoCities Targeted by FTC in Internet
Privacy Enforcement Action, Cyberspace Lawyer 5-11 (Sept. 1998).
---------------------------------------------------------------------------
In the GeoCities case, the FTC challenged the accuracy of certain
representations in the website operator's privacy notice regarding the
use of marketing information collected from persons registering at the
site. The FTC's complaint further alleged that GeoCities implied that
it operated a website for children without disclosing to the children
or their parents that the website was in fact operated by an
independent third party. The company denied these allegations but
promptly instituted information policies and procedures in accord with
standards proposed by the FTC, as ultimately reflected in a proposed
consent order.
Under the terms of the consent order, the company agreed to provide
clear and prominent notice to consumers of its actual information
practices, including what information is collected through its website,
the intended uses for that information, any third parties to whom that
information will be disclosed, the means by which a consumer may access
information collected from herself or himself, and the means by which a
consumer may have that information removed from the company's
databases.\16\ The company agreed that it would not misrepresent the
identity of any third party that collects data from a website promoted
or sponsored by the company. The company agreed to contact all
consumers from whom it previously collected personal information and
afford those individuals an opportunity to have data removed from the
databases both of the company and any third parties.\17\
---------------------------------------------------------------------------
\16\ At all points at which information is collected, the company
must post either this notice or a link informing consumers that data is
being collected and directing them to a complete explanation of the
company's information practices.
\17\ The company agreed as well to cease doing business with any
third party that refuses to agree to comply with the data removal
provisions of the consent order.
---------------------------------------------------------------------------
Finally, the company agreed to implement procedures to obtain a
parent's express consent prior to collecting and using a child's
identifying information; moreover, the company may not collect or use a
child's identifying information if it has actual knowledge that the
child does not have the permission of a parent (or guardian) to
disclose that information. The consent order's provisions concerning
information gathered from children are virtually identical to those
found in the more recently enacted Children's Online Privacy Protection
Act.
As a result of this enforcement action, the company must comply on
an ongoing basis with the binding rules of conduct specified in the
consent order. Beyond that, this highly publicized FTC enforcement
action concerning a prominent website operator serves as a benchmark
for other companies establishing information practices for their
websites.
C. An Industry Model for Facilitating FTC Enforcement of Core Privacy:
The IRSG Principles
FTC enforcement is also a powerful tool with respect to enforcement
of industry-wide codes of conduct as opposed to company-specific
standards or practices. Collective self-regulatory groups can use
marketplace dynamics to encourage (or coerce) adherence to a common set
of industry ``best practices''--no company can afford to be tarred as a
recalcitrant that is unconcerned with the privacy concerns of the
public (as illustrated on several occasions in recent years when
companies withdrew commercial offerings or practices that were publicly
criticized as overly intrusive \18\). Moreover, in contrast to the
self-regulatory efforts of individual companies, self-regulatory groups
can adopt joint mechanisms to investigate and resolve consumer
complaints and thus collectively can enforce each company's compliance
with a given industry's best practices. FTC oversight--in conjunction
with that of state and local authorities--complements such self-
regulatory enforcement mechanisms by providing an independent legal
incentive for each member company, and the group as a whole, to live up
to its promised standard of behavior. The FTC has made clear that, in
signing on to an industry group's data protection principles, ``a
signatory represents that its information practices are consistent
with'' those principles and that action inconsistent with them subjects
a company to liability ``under the FTC Act (or similar state statutes)
as a deceptive act or practice.'' \19\
---------------------------------------------------------------------------
\18\ See, e.g., Individual Reference Services at 1, 13 & n.1
(describing consumer outrage at Lexis-Nexis's ``P-Trak'' service, which
allowed subscribers to identify an individual's social security number;
Lexis quickly changed its policies).
\19\ Id. at 29 & n.297.
---------------------------------------------------------------------------
The data privacy standards announced by the Individual Reference
Services Group (``IRSG'')--an association of fourteen major companies
in the individual reference services industry--exemplify a self-
regulatory approach emphasizing an industry group's seal of approval.
The individual reference services industry gathers personal information
about individuals from a number of sources, both public (e.g., state
driving records) and private (e.g., credit information) and provides
that information for a fee to private parties and the government. To
protect the often sensitive personal data with which IRSG members deal
on a day-to-day basis, the group has adopted binding standards for the
protection of personal information. The IRSG developed these rules with
the advice and participation of the FTC, and the agency has endorsed
them as a promising mechanism to ``lessen the risk that information
made available through [individual reference] services is misused * * *
[and] address consumers' concerns about the privacy of non-public
information in the services' databases.'' \20\ The FTC further
recommended that the IRSG's self-regulatory efforts be given an
opportunity to demonstrate their effectiveness in conjunction with the
FTC's own enforcement activities (and those of sectoral regulatory
authorities).\21\
---------------------------------------------------------------------------
\20\ Id. at 31.
\21\ See id.
---------------------------------------------------------------------------
ii. sectoral regulation of privacy interests
In addition to the umbrella authority of the FTC over data privacy,
the United States has extensive laws regulating the collection and use
of consumer data in particular sectors of the economy. This sectoral
approach demonstrates the commitment of the U.S. government--at both
the federal and state level--to regulate the privacy of sensitive data
and to step in and provide governmental support for self-regulatory
regimes.
A. Principal Federal Statutes
1. Fair Credit Reporting Act
One of the primary federal statutes that protects consumer privacy
is the Fair Credit Reporting Act (``FCRA''), which regulates the
collection and dissemination of a wide range of information about
consumers. The purpose of the FCRA, as articulated by Congress, is ``to
require that consumer reporting agencies adopt reasonable procedures
for meeting the needs of commerce for consumer credit, personnel,
insurance, and other information in a manner which is fair and
equitable to the consumer, with regard to the confidentiality,
accuracy, relevancy, and proper utilization of such information.'' \22\
---------------------------------------------------------------------------
\22\ U.S.C. Sec. 1681(b) (emphasis added).
---------------------------------------------------------------------------
In general, the Act regulates the collection and dissemination of
``consumer reports,'' which include information concerning topics such
as a consumer's credit worthiness and other personal characteristics,
by ``consumer reporting agencies''--any person (or entity) who
regularly engages in assembling or evaluating these types of
information. Such agencies may disseminate consumer report information
only to third parties having a specifically delineated permissible
purpose for the information, such as a credit transaction or a
determination whether to issue an insurance policy. The FCRA also
provides further protections, such as the right of consumers to access
and obtain correction of data collected and maintained by consumer
reporting agencies. On the other hand, the FCRA also provides certain
exceptions to its reach, including, for example, situations in which a
merchant makes use of data it obtains based on first-hand experience
with a consumer.
The scope of the FCRA's privacy protections is dependent primarily
on the definitions of ``consumer reports'' and ``consumer reporting
agencies.'' The FCRA defines ``consumer reports'' broadly to include
``any written, oral, or other communication'' to a third party of
information ``bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used
or collected in whole or in part'' for one of several general
purposes.\23\ In particular, information bearing on one of the
specified characteristics is a consumer report if it is collected,
used, or even expected to be used for purposes including credit,
employment, insurance, or a legitimate business need in connection with
a business transaction with the consumer.\24\ Moreover, the collection
or use of the information does not have to be only or even primarily
for one of these purposes--it is enough that the information is used,
collected, or expected to be used only in part for one of the specified
purposes.\25\
---------------------------------------------------------------------------
\23\ Id. Sec. 1681a(d).
\24\ Id. Sec. Sec. 1681a(d), 1681b(a)(3)(F).
\25\ See, e.g., Comeaux v. Brown & Williamson Tobacco Co., 915 F.2d
1264 (9th Cir. 1990).
---------------------------------------------------------------------------
This definition of ``consumer reports'' sweeps a variety of
different types of information under the protective umbrella of the
FCRA. Data that is collected or used for the purpose of determining
credit eligibility or for deciding whether to provide insurance
coverage is included.\26\ So are reports that are compiled or used to
ascertain whether a particular individual is eligible for
employment.\27\ A list of consumers who have passed bad checks that is
supplied to merchants also falls within the category of ``consumer
reports.'' \28\ The FTC has taken the position that targeted marketing
lists also can constitute ``consumer reports'' within the meaning of
the FCRA.\29\
---------------------------------------------------------------------------
\26\ FTC Official Staff Commentary, 16 C.F.R. Pt. 600 app. Sec. 603
item 6.
\27\ Id.
\28\ See Estiverne v. Saks Fifth Avenue & JBS, 9 F.3d 1171 (5th
Cir. 1993).
\29\ See Trans Union Corp. v. FTC, 81 F.3d 228 (D.C. Cir. 1996)
(noting the FTC's position but remanding for further factual
development).
---------------------------------------------------------------------------
At the same time, the FCRA does provide certain limitations on the
definition of a consumer report. As noted above, information does not
fall within this category if it is based solely on the disclosing
party's first-hand experience with the consumer.\30\ Thus, a merchant
who discloses the amount and type of its transaction with a consumer is
not disseminating a ``consumer report'' for purposes of the FCRA. This
exception may allow dissemination of information without FCRA
protection in some circumstances; however, if the recipient of the
merchant's firsthand information then sought to pass it on to a third
party, the information would be protected as a consumer report
(assuming, of course, that it met the other requirements of the
definition).\31\ Recent amendments to the FCRA also provide that
information communicated to an affiliated entity is not a consumer
report if it was ``clearly and conspicuously disclosed'' to the
consumer that such disclosure might occur and the consumer had the
opportunity to ``opt out'' beforehand.\32\
---------------------------------------------------------------------------
\30\ 15 U.S.C. Sec. 1681a(d)(2)(A)(i).
\31\ FTC, Compliance with the Fair Credit Reporting Act 42 (1977).
\32\ 15 U.S.C. Sec. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------
The FCRA generally regulates the collection and dissemination of
``consumer reports'' only when done by a ``consumer reporting agency.''
The latter term encompasses any person who for money or on a
cooperative nonprofit basis ``regularly engages in whole or in part in
the practice of assembling or evaluating consumer credit information or
other information on consumers for the purpose of furnishing consumer
reports to third parties.'' \33\ Examples of consumer reporting
agencies include credit bureaus such as Equifax, employment agencies
that routinely obtain information on job applicants from former
employers, tenant screening companies that assist landlords in checking
prospective tenants, and check approval companies that guarantee checks
for merchants.\34\ On the other hand, an entity that gathers or
evaluates consumer data on a one-time or other infrequent basis is not
subject to the FCRA.
---------------------------------------------------------------------------
\33\ Id. Sec. 1681a(f).
\34\ FTC Official Staff Commentary, 16 C.F.R. Pt. 600 app.
Sec. 603(f) items 4, 6(f).
---------------------------------------------------------------------------
A consumer reporting agency may legally furnish a consumer report
to third parties (in the absence of consent \35\) only if it has reason
to believe that the third party has one of the permissible purposes
listed in the statute. This generally includes someone who requests
information in connection with (1) a credit transaction, review or
collection of a credit account, or evaluation of a credit application
\36\; (2) a determination whether to issue or cancel an insurance
policy or how to set the rates and terms of such a policy \37\; (3) a
response to a court order \38\; or (4) a legitimate business need in
connection with a business transaction involving the consumer (such as
renting an apartment or a consumer's offer to pay by check).\39\ In
addition, a consumer report may be disclosed to a third party for
purposes of an employment decision relating to promotion, reassignment
or retention, but only if the consumer authorizes such disclosure in
writing beforehand.\40\ Marketing is not a permissible purpose. The
consumer reporting agency must maintain reasonable procedures designed
to ensure that consumer reports are furnished only for the listed
purposes.\41\
---------------------------------------------------------------------------
\35\ 15 U.S.C. Sec. 1681b(a)(2).
\36\ Id. Sec. 1681b(a)(3)(A).
\37\ Id. Sec. 1681b(a)(3)(C).
\38\ Id. Sec. 1681b(a)(1).
\39\ Id. Sec. 1681b(a)(3)(E); FTC Official Staff Commentary, 16
C.F.R. Pt. 600 app. Sec. 604(3)(E) item 3.
\40\ 15 U.S.C. Sec. Sec. 1681b(a)(3)(B), 1681b(b).
\41\ 15 U.S.C. Sec. 1681e(a).
---------------------------------------------------------------------------
The FCRA also provides further restrictions on the dissemination of
``consumer reports.'' For example, a consumer must consent ahead of
time to the release of a consumer report for purposes of employment,
credit, or insurance if the report contains medical information.\42\
The consumer must have the option to opt out of being included in any
lists for unsolicited credit and insurance offers.\43\ The FCRA
additionally prohibits the reporting of ``obsolete information''; the
Act sets forth specific time frames after which particular types of
data are deemed obsolete.\44\
---------------------------------------------------------------------------
\42\ Id. Sec. 1681b(g).
\43\ Id. Sec. 1681b(e).
\44\ Id. Sec. 1681c(a).
---------------------------------------------------------------------------
The Act further mandates that consumer reporting agencies establish
``reasonable procedures to assure maximum possible accuracy.'' \45\ The
Act seeks to promote accuracy and reliability in part by creating a
framework under which a consumer has the right to obtain the
information maintained about him or her and require the consumer
reporting agency to correct inaccurate information. Specifically, the
FCRA requires that every consumer reporting agency disclose upon
request to a consumer the ``nature and substance'' of the information
about the consumer in the agency's files, the sources of that
information, and the identity of those who have obtained a report about
the consumer in the past year.\46\ A consumer may dispute the
completeness or accuracy of any information maintained by the agency
and require the agency to ``reinvestigate'' the accuracy of the
information at no charge to the consumer.\47\ The consumer reporting
agency generally must complete such reinvestigations within 30
days.\48\ If the agency concludes that the disputed information is
inaccurate or unverifiable, it must modify or delete the
information.\49\ If, on the other hand, the agency decides that the
information is accurate, but the consumer continues to dispute that
conclusion, the agency must include the consumer's statement of dispute
in any subsequent consumer report.\50\
---------------------------------------------------------------------------
\45\ Id. Sec. 1681e(b).
\46\ Id. Sec. 1681g(a).
\47\ Id. Sec. 1681i(a)(1).
\48\ Id.
\49\ Id. Sec. 1681i(a)(5).
\50\ Id. Sec. 1681i(c).
---------------------------------------------------------------------------
The Act provides a robust enforcement scheme. Consumers can bring
civil actions for damages and attorneys' fees for negligent or willful
violations of the Act.\51\ Punitive damages are also available in the
case of willful violations.\52\ The Act provides for parallel
enforcement at the federal level by the FTC, which can bring actions to
enjoin further violations and/or to impose civil penalties.\53\ Knowing
and willful violations of the Act also can lead to criminal penalties,
including imprisonment.\54\ Finally, most states have analogous credit
reporting statutes giving rise to private rights of actions and
providing enforcement powers to the state attorney general.\55\
---------------------------------------------------------------------------
\51\ Id. Sec. Sec. 1681n, 1681o.
\52\ Id. Sec. 1681n(a)(2).
\53\ Id. Sec. 1681s.
\54\ Id. Sec. Sec. 1681q, 1681r.
\55\ See, e.g., Cal Civ. Code Sec. 1785 et seq.; Conn. Gen. Stat.
36-432 to 435.
---------------------------------------------------------------------------
2. Children's Online Privacy Protection Act of 1998
Recently, in response to a study by the FTC concluding that
additional regulation was needed to protect the privacy of children,
the U.S. Congress enacted the Children's Online Privacy Protection Act
of 1998. The Act directs the FTC to promulgate regulations that govern
the collection, use, and disclosure of ``personal information''
obtained online from a child (defined as anyone under the age of 13) by
an operator of a commercial website or online service directed to
children, as well as any operator with actual knowledge that it is
collecting personal information from a child.\56\ ``Personal
information'' is defined to include ``individually identifiable
information,'' such as a child's name, address, phone number, social
security number, e-mail address, or any other ``identifier that * * *
permits the physical or online contacting of a specific individual.''
\57\ The Act further reaches any other information collected online
that is combined with any of the above identifiers.\58\ For example, if
a website were to assemble a file including a child's name, address,
and a list of past purchases, the information about purchases would be
deemed subject to the Act.
---------------------------------------------------------------------------
\56\ Children's Online Privacy Protection Act of 1998,
Sec. Sec. 1302(l), 1303(b)(1).
\57\ Id. Sec. 1302(8).
\58\ Id. Sec. 1302(8)(G).
---------------------------------------------------------------------------
Congress directed the FTC to promulgate regulations concerning the
collection, use, and disclosure of this personal information about
children. These regulations must require, inter alia, that website and
online service providers subject to the Act
(1) provide notice on the website of what information is
collected, how the operator uses the information, and if/when
it discloses the information;
(2) obtain verifiable parental consent for the collection,
use, or disclosure of such information;
(3) permit a parent to obtain any data his/her child has
provided to the operator;
(4) allow the parent to require the operator to delete such
data and/or not to collect further data; and
(5) ``establish and maintain reasonable procedures to protect
the confidentiality, security, and integrity of personal
information collected from children.'' \59\
---------------------------------------------------------------------------
\59\ Id. Sec. 1303(b)(1).
---------------------------------------------------------------------------
The Act establishes several narrow exceptions to its reach. For
example, its requirements do not apply either to information collected
from a child online that is used on a one-time basis to respond to a
request and is not maintained in retrievable form or to a request for
the name of a parent when made for the sole purpose of obtaining
consent to collect information about the child.\60\ The Act also
contains a ``safe harbor'' provision under which an operator is deemed
to comply with the FTC regulations if it follows a set of self-
regulatory guidelines approved in advance by the FTC (after an
opportunity for the public to comment) as meeting the requirements of
the FTC regulations.\61\
---------------------------------------------------------------------------
\60\ Id. Sec. 1303(b)(2).
\61\ Id. Sec. 1304.
---------------------------------------------------------------------------
A violation of the regulations promulgated by the FTC under the Act
is deemed to be a violation of Section 5 of the FTC Act,\62\ the
penalties for which are described above. Moreover, the Act provides
that certain other specified agencies also shall enforce the Act and
the FTC regulations against companies that those agencies regulate; for
example, the Department of Transportation must enforce the Act with
respect to airlines, and the Federal Reserve Board is charged with
enforcement against its member banks.\63\ In addition to these forms of
federal enforcement, the Act authorizes state attorneys general to
bring enforcement actions for injunctive and/or monetary relief for any
violation of the FTC regulations.\64\
---------------------------------------------------------------------------
\62\ Id. Sec. 1303(c).
\63\ Id. Sec. 1306(b).
\64\ Id. Sec. 1305.
---------------------------------------------------------------------------
3. Other federal statutes that protect the privacy of consumer
information
Numerous other federal statutes also protect the privacy of
particular types of information and provide regulatory and/or judicial
enforcement mechanisms:
Electronic Funds Transfer Act, 15 U.S.C. Sec. 1693 et seq.--
This Act requires institutions that provide electronic banking
services to inform consumers of the circumstances under which
automated bank account information will be disclosed to third
parties in the ordinary course of business. The Act is enforced
by the Federal Reserve Board, and violations can result in
civil and/or criminal penalties.
Electronic Communications Privacy Act, 18 U.S.C. Sec. 2510
et seq.--This statute prohibits the unauthorized interception
or disclosure of many types of electronic communications,
including telephone conversations and electronic mail, although
disclosure by one of the parties to the communication is
permitted. Violators of this statute are subject to criminal
penalties and civil liability.
Video Privacy Protection Act, 18 U.S.C. Sec. 2710--This
statute forbids a video rental or sales outlet from disclosing
information concerning what tapes a person borrows/buys or
releasing other personally-identifiable information. The Act
further requires such outlets to provide consumers with the
opportunity to opt out from any sale of mailing lists. The Act
is enforced through civil liability actions.
Telephone Consumer Protection Act of 1991, 47 U.S.C.
Sec. 227--This provision mandates that any company making a
telephone sales call first consult its list of those who have
elected not to receive such calls. The statute grants the
Federal Communications Commission (``FCC'') the authority to
prescribe regulations necessary to protect residential
subscribers' privacy rights. The Act also bans unsolicited fax
messages. It is enforced by the FCC and through civil suits
that can give rise to substantial penalties.
The Cable Communications Policy Act of 1984, 47 U.S.C.
Sec. 551 et seq., as amended by The Cable Television Consumer
Protection and Competition Act of 1992--This Act establishes
written disclosure requirements regarding the collection and
use of personally identifiable information by cable television
service providers and prohibits the sharing of such information
without prior consent. The Act also provides consumers with the
right to access cable company records for purposes of
inspection and error correction. The statutory provisions are
enforceable through private rights of action for damages.
Communications Act, 47 U.S.C. Sec. 222--This provision
requires telecommunications carriers to protect the
confidentiality of customer proprietary network information,
such as the destinations and numbers of calls made by
customers, except as required to provide the customer's
telecommunications service or pursuant to customer consent.
These requirements are enforced by the FCC.
Federal Aviation Act, 49 U.S.C. Sec. 40101, et seq.--
Department of Transportation regulations promulgated under
authority of this Act generally require airlines to keep
passenger manifest information, such as the names and
destinations of passengers, confidential and prohibit use of
this data for commercial or marketing purposes.\65\ These
regulations are enforced by the Department of Transportation.
---------------------------------------------------------------------------
\65\ See 14 C.F.R. Sec. Sec. 243.7, 243.9.
---------------------------------------------------------------------------
Health Insurance Portability and Accountability Act of 1996,
42 U.S.C. Sec. 1301, et seq.--This Act provides that the
Secretary of Health and Human Services must promulgate
regulations regulating the privacy of individually identifiable
health information if Congress itself does not enact
legislation on this subject by August 1999. The Secretary has
already issued a set of recommendations to Congress that
include provisions such as restricting the disclosure of
patient identifiable information and providing patients with
notice about how such information will be used and to whom it
will be disclosed.
Office of Thrift Supervision Policy Statement on Privacy
\66\--This policy statement advises savings associations on how
to best protect consumer privacy. Among other things, the
statement urges savings associations to provide notice to
consumers as to how personal information will be used and in
what circumstances such information may be disclosed to third
parties.
---------------------------------------------------------------------------
\66\ Office of Thrift Supervision, Statement of Privacy and
Accuracy of Personal Customer Information (Nov. 1998).
---------------------------------------------------------------------------
Right to Financial Privacy Act of 1978, 12 U.S.C. Sec. 3401,
et seq.--This Act mandates that the federal government present
proper legal process or ``formal written request'' to inspect
an individual's financial records kept by a financial
institution (including a credit card company) and give
simultaneous notice to the consumer to provide him/her with the
opportunity to object. Both government agencies and financial
institutions that violate this Act are subject to civil court
actions.
B. State Law Protection
In addition to sectoral privacy protection at the federal level,
states provide both statutory and common law privacy protection with
respect to numerous types of data, particularly in the financial and
credit sectors. These state laws sometimes complement similar
safeguards at the federal level by providing alternative remedies and
enforcement schemes. In other cases, the state laws provide protection
for types of data that federal laws do not reach.
1. State statutes
A number of states have statutes that generally concern privacy of
financial data. Illinois, for example, regulates the circumstances in
which a bank may disclose a customer's financial records, including any
information ``pertaining to any relationship established in the
ordinary course of a bank's business.'' \67\ In addition to the state
analogues to the FCRA discussed above, a number of state statutes
specifically address the use of consumer credit information,
particularly for marketing purposes. Maine, for example, generally
forbids any sale or disclosure of mailing lists or account information
of credit card holders to a third party without an explicit opt-in by
the consumer.\68\ Florida and Hawaii also have opt-in schemes for
dissemination of credit card lists, except that they allow disclosures
to a third party as long as that party is prohibited from divulging
consumer information except to carry out the purpose for which the
cardholder provided the information.\69\ California requires that,
before a credit card issuer discloses marketing information to any
person, the issuer must inform the cardholder of such disclosure by
written notice that provides an opportunity to opt out of the
program.\70\
---------------------------------------------------------------------------
\67\ Ill. Rev. Stat. ch. 202, Sec. 5/48.1; see, e.g., Minn. Stat.
Sec. 13A.01; N.J. Stat. Ann. Sec. 17:16K-3.
\68\ Me. Rev. Stat. Ann. tit. 9-A, Sec. 8-304.
\69\ Fla. Stat. ch. 817.646; Haw. Rev. Stat. Sec. 708-8105.
\70\ Calif. Civ. Code Sec. 1748.12(b).
---------------------------------------------------------------------------
State statutes also extend privacy protections to other sectors of
the economy. A number of states, for example, restrict the collection
and disclosure of information gathered by insurance companies. These
statutes, based on the Insurance Information and Privacy Protection
Model Act promulgated by the National Association of Insurance
Commissioners, often require insurance companies and agents to provide
a policyholder or applicant notice concerning the types of personal
information that may be collected about him or her from a third party
and the individual's rights to access and correct information in the
company's files.\71\ Many state statutes also protect the privacy of
medical information by, for example, providing patients a general right
of access to their medical records \72\ and protection from disclosure
of medical records by licensed health-care providers.\73\
---------------------------------------------------------------------------
\71\ See, e.g., Cal. Ins. Code Sec. 791; Conn. Gen. Stat. Ann.
Sec. 38-501; Ill. Rev. St. ch. 215, Sec. 5/1001.
\72\ See, e.g., Cal. Health & Safety Code Sec. 1795; Colo. Rev.
Stat. Sec. 25-1-801.
\73\ See, e.g., Fla. Stat. chs. 455.241, 395.017.
---------------------------------------------------------------------------
2. State common law
States also provide privacy protection through a number of common
law doctrines. On a general level, virtually all states recognize a
tort of invasion of privacy. This tort is generally divided into four
categories: intrusion upon seclusion of another, appropriation of
another's name or likeness, unreasonable publicity given to another's
private life, and publicity placing another in a ``false light'' before
the public.\74\ The most relevant form of this tort in the context of
protecting an individual's private data is giving unreasonable
publicity to another's private life. Although this tort is unlikely to
apply to the disclosure of arguably public information such as names
and addresses, release of more private information such as transaction
histories might trigger this tort.\75\
---------------------------------------------------------------------------
\74\ Restatement (Second) of Torts Sec. 652A (1977).
\75\ But see Dwyer v. American Express, 652 N.E.2d 1351 (Ill. App.
1995) (rejecting invasion of privacy claim based on alleged sale of
card member lists sorted by buying patterns because customers
voluntarily used card and company had ownership interest in data).
---------------------------------------------------------------------------
In certain cases, the relationship between the consumer and the
holder of consumer data gives rise to a legally cognizable duty not to
disclose consumer information or to do so only in particular
circumstances. A number of states, for example, have recognized an
implied contractual duty on the part of banks not to disclose
information about a depositor's account.\76\ A similar duty arguably
arises in the context of a creditor-debtor relationship \77\ and a
security firm-customer relationship.\78\
---------------------------------------------------------------------------
\76\ See, e.g., Barnett Bank of West Florida v. Hooper, 498 So.2d
923, 935 (Fla. 1986); Twiss v. State Dept. of Treasury, 591 A.2d 913,
919-20 (N.J. 1990).
\77\ See, e.g., Pigg v. Robertson, 549 S.W.2d 597, 600 (Mo. Ct.
App. 1977).
\78\ See, e.g., Barnsdall Oil Co. v. Willis, 152 F.2d 824, 828 (5th
Cir. 1946).
---------------------------------------------------------------------------
Finally, state regulation of professionals, such as accountants,
doctors, lawyers, and psychologists, often imposes restrictions on the
use and disclosure of personal information such professionals obtain
from their clients. Often the state code simply enforces or supports
the self-regulatory code adopted by the profession. For example, many
states protect communications between doctors and psychiatrists and
patients, recognizing those professions' commitment to safeguarding
such communications. Some states also have recognized that accountants
have a general duty to maintain the confidentiality of client
information.\79\ State laws often provide additional protections by
determining that these professional codes of conduct create fiduciary
duties on the part of professionals and permitting civil suits for
breach of those duties.
---------------------------------------------------------------------------
\79\ See, e.g., Alaska Stat. Sec. 8.04.662; Ariz. Rev. Stat.
Sec. 32-749; Conn. Gen. Stat. Sec. 20-281j.
---------------------------------------------------------------------------
III. The Online Privacy Alliance: Using Self Regulation to Safeguard
Consumer Privacy Online
In keeping with the traditional commitment to self regulation in
the United States and in response to the FTC's and the Clinton
administration's call for responsible self-enforcement of privacy
protection by U.S. industry, many U.S. businesses have come together to
begin exploring the creation of self-regulatory programs. One
particularly successful example of this effort has been the OPA, which
brought together over 70 leading global companies and associations
beginning in 1998 to address growing public concern over online privacy
issues.
The online medium creates particular challenges for privacy
protection while simultaneously creating significant opportunities for
consumer privacy education and empowerment. The challenges are
manifold: Use of the Internet necessarily involves a tremendous flow of
information, much of it personal in nature, in a wide variety of
contexts. Some information flows involve the consumer actively
providing information. For example, commercial Internet transactions
require consumers to provide credit card or other payment and contact
information, and in certain more sensitive contexts, some transactions
may require other identifying data. Some sites may seek data in order
to satisfy the consumer's request for information or services, such as
where a consumer is asked about family size or smoking habits in
response to an inquiry about hotel accommodations. Other sites may
request data simply to use for marketing purposes. Consumers also may
provide a great deal of data in order to obtain personalized services,
such as targeted clipping services or personalized Internet service
offerings. In some cases, consumers provide data without necessarily
realizing they are doing so. For example, simply visiting or
subscribing to certain online sites or services may itself create a
footprint that conveys data about the individual's interests. But
regardless of the context, all data collected online is already in
digital format, which makes it easy to manipulate, store, and process,
and in turn provides massive capabilities for use and transfer of data.
Meanwhile, unless effective security measures are used, collection of
data online is susceptible to computer ``hacking'' by unauthorized
users, and also to fraud by consumers posing as a third party.
These challenges place a special obligation on the online industry
to educate consumers about the Internet's privacy risks and to enhance
consumers' ability to make educated choices about how to protect their
privacy rights. And indeed, the online medium provides tremendous
opportunities for consumer data protection. Online merchants have an
unmatched ability to provide consumers with information online quickly,
efficiently, and cheaply. Unlike offline merchants who must rely on a
one-time mailing or a small print notice in a catalogue, online
merchants (or other site owners) interact directly with the consumer
each time the consumer visits the merchant's site and therefore have
the opportunity to educate and interact with the consumer concerning
the site's privacy policies before any data collection takes place.
Where appropriate, therefore, consumer consent can be requested at the
point where a consumer interacts with a site or inquires about a
product or service. Moreover, the merchant's ability to control what
the consumer sees on any page of its site provides the merchant with a
unique ability to educate the consumer about the site's privacy policy.
The site can emphasize its participation in a privacy seal program, for
example, or provide a link to the site's privacy policy from any page
of the site. This in turn can empower consumers to make educated
choices about whether they wish to deal with the particular online
service based, at least in part, on the level of privacy protection the
online operator provides.
The online environment also permits a site to be designed to permit
different levels of participation (or provide different types of
benefits) based on the consumer's willingness to provide information,
or to provide different levels of protection based on consumer demand.
Online services also may provide the ability to make data anonymous
easily, or to do so selectively upon consumer request. In addition, new
technologies, such as P3P and filtering programs, provide consumers
with the means to exercise independent control over the level of
privacy they obtain while online. Finally, consumers have the ability
to vary the level of privacy protection they desire each time they
visit an online service or site: The process for providing or
withdrawing consent is accessible and can be executed immediately and
repeatedly to personalize the level of privacy protection.
Thus, if the online industry takes seriously its obligation to
educate and inform consumers, the medium presents enormous
opportunities for consumer choice and self-determination. Accordingly,
a central pillar of OPA's self-regulatory program is the requirement
that an online site notify consumers about the site's data collection
and dissemination policies. OPA members are committed to providing
consumers with the information and tools they need to make informed
choices. A second pillar of OPA's program is ensuring that consumers
have the opportunity to make choices: consumers must be able to consent
or withhold consent to the use of their data by the site they visit.
Lack of consent may manifest itself in the consumer's refusal to use
the particular service or continued interaction with the site on a
limited level. In some cases, consent or opt-out may be more explicit
and permit consumers to participate in the site while blocking only
certain secondary uses of the consumer's data.
OPA's program is designed to address the challenges and
opportunities provided by the online medium while addressing the U.S.
government's and the Directive's data privacy concerns. OPA has adapted
these privacy principles to address the Internet industry's enormous,
ongoing data flows. In order to enforce the OPA's privacy program and
policies, the OPA encourages participation in a seal program that will
ensure and enforce a minimum standard level of privacy protection. The
seal program must also be easy for consumers to recognize and
understand. Seal programs provide the added benefit of being backed up
by the FTC's umbrella enforcement authority, state and local consumer
protection agencies, and applicable sectoral data privacy regulation.
A. OPA's Privacy Policy Guidelines
In keeping with the key substantive requirements of the Directive
and the FTC's privacy principles, the OPA's privacy program addresses
notice to data subjects, limitations on use of data, data security and
quality, the right to correct personal data, and onward transfers of
data. The OPA's program for online data privacy protection is compared
with the key requirements of the Directive below.
Notice to Consumers. Because of the rapidly growing ability to
collect data about online consumers and the increasing demand for a
personalized browsing experience, OPA strongly believes that website
operators have a heightened responsibility to make available to online
consumers the information necessary to make informed decisions about
data privacy. The OPA believes that properly informed consumers should
then be allowed to choose the level of privacy that they desire. The
OPA therefore requires its members to post a privacy policy that online
consumers can view before or at the time that personal data is
collected or requested. The privacy policy must, among other things,
notify consumers about the online site's data collection practices. The
OPA's privacy policy requirement thus is similar to Article 10 of the
Directive, which requires data controllers to provide data subjects
with information about the controller's identity, the purposes of data
processing, and other information necessary to guarantee fair
processing. In addition, the privacy policy must be easy to find, read
and understand; it also must clearly describe the information that is
being collected, any possible onward transfers of personal data, and
any options that consumers have to refuse to provide data or to block
certain uses or transfers of data. OPA further encourages its members
to disclose in their privacy policy any consequences of a consumer's
refusal to provide information, the accountability or enforcement
mechanism(s) used by the organization, and information about how to
contact the organization with privacy concerns. By requiring members to
provide comprehensive online privacy policies that are easy to find and
read, OPA ensures that all online consumers have the information
necessary to make an informed decision about whether or not to provide
personal information to particular websites, how much information to
provide, or whether to even visit certain sites.
Limitations on purposes and onward transfers. Consistent with the
OPA's principles regarding notice and consent, the OPA advocates
allowing data subjects to opt out of any uses or processing unrelated
to the original purpose for which the data are collected. Like Article
6 of the Directive, which requires that personal data not be further
processed in a way incompatible with the original purpose for
collecting the data, the OPA privacy guidelines limit the extent to
which data can be processed for purposes unrelated to the original
disclosed purposes in the absence of proper consent. The OPA guidelines
similarly limit transfers to third parties for marketing purposes or
for other purposes unrelated to the original purposes for collecting
the data, much like Articles 10 and 11 of the Directive, which require
notifying data subjects of onward transfers of data to third parties
where notification is necessary to ensure fair processing of the data.
With respect to disclosure of data for marketing purposes, OPA requires
its members to disclose in their privacy policies possible onward
transfers of personal data and any marketing uses of data. These
requirements, and the consumer's ability to leave the site or, in some
cases, to opt out of a specific data use on the site, address the
principles in Article 14 of the Directive, which provides data subjects
with the right to notice prior to disclosure of their personal data for
direct marketing purposes and the right to object to direct marketing
uses of their data. OPA also encourages its members to take reasonable
steps to ensure that third party transferees take reasonable
precautions to protect transferred data.
Data quality, access to data, and correction. The OPA supports the
Directive's principles of assuring that (1) data are accurate,
complete, and timely for their intended purposes, and (2) consumers can
access data about them and correct that data where appropriate.
However, the extraordinarily wide range of online data processing
activities makes it difficult and costly to require all websites to
provide consumers with unrestricted access to personal data without
regard for its intended purposes or alternative means of ensuring that
individuals are informed of data collection and that data quality is
maintained as appropriate to those purposes.
Consistent with the spirit of Article 12 of the Directive, which
guarantees data subjects the right to access personal data and have
that data corrected where necessary, the OPA requires its members to
provide ``easy mechanisms'' for consumers to make inquiries and lodge
complaints or objections. The precise mechanisms for such inquiries and
the nature and scope of information provided to the consumer on request
will necessarily vary according to the data at issue and the costs and
benefits associated with furnishing access to the raw data or a summary
of the data, given the context of the specific intended uses of the
data. For example, some data collected online may be used for
electronic commerce transactions or decisions to provide or terminate a
service. OPA anticipates that its members would routinely provide
access to transaction records and an opportunity to lodge corrections,
as these have a substantive impact on the consumer. By contrast, a
website may automatically record navigational or ``clickstream'' data
as an individual moves from page to page on a site, either for
statistical purposes (to better design and manage the site) or to
automatically personalize the initial pages presented to the visitor
based on the visitor's historical use of the site. Such information is
processed automatically and changes over time. There is little benefit,
and much cost, in accumulating this data in a form that could be
reviewed intelligibly by the individual at any moment. Moreover, doing
so raises additional privacy risks, since it means that more data is
readily retrievable by name, and more identifying data must be
collected to ensure that the person requesting access is indeed the
data subject. Similarly, the use of website data to determine
automatically whether to send an individual a product solicitation
involves no substantive decision that affects significant consumer
interests and does not warrant the cost (and sometimes the increased
privacy risks) of storing and providing subsequent access to the data
that prompted the solicitation.
Because the online medium entails the possibility of tracking and
recording enormous amounts of data on the use of a website, the costs
of furnishing unlimited consumer access to all such data would often be
prohibitive. The data may not be maintained in a manner conducive to
consumer-specific access: marketing data, for example, is often coded
and stored by categories of merchants or purchases rather than by
consumer. Before imposing on website operators (and ultimately on
consumers) the costs of providing access to all data resulting from a
site visit, the nature and uses of that data must be taken into
account. Where data is not used for a purpose that in any way affects
the consumer's ``fundamental rights or freedoms,'' or that does not
even involve denial of a more mundane benefit to the consumer, the cost
and difficulty of access must be given particular weight.
Access by the individual to all data generated online is not the
only means of ensuring that consumers (and the relevant enforcement
bodies) are aware of the operator's data collection practices and can
assess their potential impact. This can often be accomplished, for
example, by appropriate notices, consumer education, and monitoring
techniques such as the use of ``decoys'' (pseudonymous registrations to
check the manner in which an online service or website uses personal
data), rather than by individualized access to vast amounts of non-
sensitive data. It is in the nature of online services and websites
that it is easy to display notices at the point where information is
collected and to give visitors an opportunity at any stage to seek
clarification, opt out, or simply leave a site if they are not
satisfied with its privacy practices. This offers an efficient means of
protecting privacy and should suffice where the data collection is not
used for substantive decisionmaking.
Security. Like Article 17 of the Directive, the OPA advocates
taking appropriate measures to protect personal data from destruction,
loss, misuse or alteration.
Collection of data from children. Well before the passage of the
Children's Online Privacy Protection Act, discussed above, the OPA
thought it necessary to provide special protection for young Internet
users. Out of this concern, the OPA was among the first organizations
to adopt principles specifically addressing collection of data from
children under the age of 13. These specific principles require OPA
members to obtain prior parental consent before collecting any
individually identifiable offline contact information from children
under the age of 13. Members may collect online contact information
from children without obtaining prior parental consent only if they
notify parents and allow them to prevent use of the data. Other special
protections provided by these OPA principles include requiring members
to prevent children from being able to publicly post individually
identifiable contact information without prior parental consent;
prohibiting members from using special games, prizes or activities to
entice children to reveal more information than necessary to
participate in the activity; and prohibiting members from distributing
to third parties any individually identifiable information collected
from a child without obtaining prior parental consent.
B. Enforcement Mechanisms
Although membership in the OPA, standing alone, itself denotes a
commitment to privacy protection that arguably could be enforced by the
FTC, OPA also advocates that its members commit to an independent
enforcement mechanism intended to back up that commitment. OPA promotes
participation in a ``seal program'' by its members as a means of
enforcing the OPA privacy guidelines and the member's privacy policies.
Seal programs provide participants the right to use an identifiable
symbol or logo (``seal'') to alert consumers that the participant's
online service complies with the seal program's standards; that the
participant has procedures to ensure compliance; and that the
participant participates in a program designed to resolve consumer
complaints.
Seal programs are ideal enforcement mechanisms in the online
environment for two reasons. First, seal programs take advantage of the
visual nature of websites to alert consumers' attention to privacy
policies and practices through the use of visible and easily
recognizable graphic seals that can, if desired, be displayed on every
page of a site. Second, to some extent seal programs standardize the
terms and terminology of privacy practices, making them easier for
consumers to comprehend. They give consumers a relatively simple, user-
friendly means of identifying websites that have made privacy
commitments, linked to greater detail about the site's particular
practices.
In many seal programs, participants cede a degree of investigative
or complaint resolution authority to the seal program's enforcement
entity. The entity often is permitted to disclose complaints to the
public and government agencies, and the entity can drop a company that
fails to conform with the required conduct. Moreover, seal programs may
provide government agencies with a hook to mix self-enforcement with
government regulation: as discussed in Part I above, a company's public
affirmation of participation in a seal program would provide the FTC
(or other consumer protection entity on the state or local level) with
the grounds to prosecute a company's failure to in fact uphold the
standards articulated by the seal program.
A seal program meeting OPA's criteria would enhance data privacy
protection by requiring that seal participants live up to the types of
privacy guidelines advocated by OPA, as well as any additional policies
the seal program adopts. OPA does not, at least currently, intend to
operate its own seal program, and it has not endorsed a specific
program to date. In reviewing seal programs, however, OPA would expect
a commitment to at least the same degree of privacy protection espoused
by the OPA, as well as the following enforcement practices and
policies:
Participation from outside the business community. OPA suggests
that the seal program obtain input from representatives of consumer
advocate groups and academia, in addition to representatives of the
business community.
Verification and monitoring. Prior to awarding the seal to an
organization, the seal program must require participants to submit to a
compliance review by the seal program or provide a self-assessment
verifying that the organization is in compliance with the program's
standards. Once the seal has been awarded, participants must consent to
periodic verification in the form of auditing, periodic reviews, or use
of pseudonymous ``decoys'' or other technological monitoring.
Complaint resolution. The seal program must require participants to
provide an easy-to-use consumer complaint resolution process that will
serve as the consumer's first remedy. If the participant and consumer
are unable to resolve a complaint through the participant's internal
dispute resolution process, the participant must then submit to the
seal program's complaint resolution mechanism. In addition to these
mechanisms, consumers must not be prohibited from pursuing any other
legal remedies that may be available to them under federal or state
law.
Penalties for noncompliance. Failure to comply with the requirements
of the seal program (and in particular, failure to follow the program's
dispute resolution requirements) should result in placing the
participant on probation or instituting proceedings to revoke the
participant's right to use the seal.
Monitoring for misuse or misappropriation. The seal program should
monitor use of the seal and if necessary, bring litigation to prevent
unauthorized use of the seal. In addition, the seal program must refer
non-complying companies to appropriate government agencies, including
the FTC.
Education and outreach. The seal program must educate consumers and
businesses about the seal program and online privacy issues. These
education and outreach efforts should include providing publicity for
participants, publicly disclosing seal revocation and material non-
compliance, and periodically publishing verification and monitoring
procedures.
To date, two major seal program initiatives are underway or about
to be launched that may embody the policies and practices advocated by
the OPA: TRUSTe and BBBOnLine. The OPA is monitoring the development of
those programs and others to determine whether they meet OPA's
requirements for privacy protection and effective enforcement.
The TRUSTe program, which began as a collaboration between the
Electronic Frontier Foundation and CommerceNet, has been administering
its online privacy seal program since June of 1997. This program
requires participants to post an online privacy policy that meets
TRUSTe guidelines, to submit to TRUSTe oversight, and to cooperate with
TRUSTe's dispute resolution efforts. In return, participants are given
the right to display TRUSTe's seal on their home page. This seal serves
as a link to the company's privacy policy, and consumers can also
verify the authenticity of the seal online.
The privacy policy required of TRUSTe participants must explain
what data are being collected, the purposes of data collection and
processing, with whom the data will be shared, the consumer's options
concerning processing and onward transfers, data security procedures
that are in place, and how consumers can update or correct data.
Licensees who join or renew after October 1998 must also give consumers
the opportunity to opt out of secondary or third-party uses of data
provided by the consumer. Also in October 1998, TRUSTe introduced a
Children's Privacy Seal Program that applies to websites directed
specifically at children under the age of 13, as well as sites that
collect age-specific information. The children's program requires site
operators to notify parents and obtain their consent before collecting
and using a child's online or offline contact information. Sites aimed
specifically at children must post the unique ``kid's seal.''
TRUSTe utilizes a variety of verification and enforcement
techniques. In cases where TRUSTe suspects that a participant is not
complying with program guidelines or with the participant's own privacy
policy, the participant may be subject to on-site compliance reviews by
TRUSTe's official auditors, revocation of the right to use the TRUSTe
seal, termination from the TRUSTe program, and referral to appropriate
government agencies.
The Better Business Bureau (``BBB'') runs the largest and most
recognized retail, service and national advertising self-regulation and
consumer dispute resolution programs in the United States. Using its
self-regulatory models as a starting point, the BBB has been operating
an online seal program (with more than 2000 participants) through
BBBOnLine since mid-1997. BBBOnLine assists consumers in finding
reliable online merchants that have agreed to BBB standards for
truthful advertising and customer satisfaction. BBBOnLine has proposed
a privacy program that likely will be similar in many ways to the
TRUSTe program and will utilize BBBOnLine's existing self-regulatory
framework.
BBBOnLine is still in the process of developing its privacy
principles. These principles are expected to be similar to those of the
OPA and TRUSTe programs, although they may in some respects provide
additional privacy protections not currently required by the OPA and
TRUSTe. The BBBOnLine enforcement framework will consist of use of a
recognizable seal to assert compliance with BBBOnLine principles and
the company's privacy policy, a comprehensive annual compliance
assessment, additional independent verification measures, consumer
dispute resolution, and appropriate referrals by BBBOnLine to the FTC
and other government authorities. BBBOnLine participants will have to
respond promptly to all consumer complaints, submit to BBBOnLine's
dispute resolution process, and maintain a satisfactory complaint
handling record with the BBB. BBBOnLine will refer eligible complaints
to a free, informal dispute resolution process patterned after BBB's
national advertising review program, and BBB will make that process
available for complaints about non-seal participants as well as seal
participants. BBBOnLine also will refer uncooperative or non-compliant
companies to the FTC or other appropriate federal or state regulatory
agencies.
IV. Conclusion
As Articles 25(2) and 27 of the Directive make clear, the EU has
recognized that industry and professional standards can be powerful
tools for protecting data privacy. In the United States, industry-wide
self-regulation of data privacy can be an especially effective means of
ensuring that consumer data receives the level of protection embodied
in the EU Directive where such self-regulation combines private sector
standards with FTC enforcement, regulation by federal and state
agencies and, where appropriate, enforcement by the courts.
In the online environment, OPA has established principles--
principles its members must publicly embrace--that are consistent with
the policies of the U.S. government and with the Directive. OPA members
must submit to dispute-resolution procedures, and, by publicly
embracing OPA's principles, members are also subject to potential
enforcement by the FTC and other government agencies. The emergence of
two online privacy seal programs demonstrates that the enforcement
element of OPA's self-regulatory framework is not just hypothetical,
but is quickly developing. Moreover, these seal programs are not
engaging in a ``race to the bottom,'' but rather, in keeping with the
recent initiatives and pronouncements of the U.S. government, they are
embracing meaningful principles embodying a significant degree of
privacy protection. In addition, OPA members frequently will be subject
to additional regulation of various types of data protection on both
the state and federal level, enforced by government agencies and the
courts. Self-regulatory programs such as OPA's, which are designed to
operate in the context of the United States' layered approach of self-
regulation backed by government enforcement, should be recognized as
effective by the EU in its effort to protect privacy while promoting
the uninterrupted flow of global commerce.
W. Scott Blackmer
([email protected]),
Lynn Charytan
([email protected]),
Wilmer, Cutler & Pickering,
Washington, DC.
The Chairman. Mr. Berman.
STATEMENT OF JERRY BERMAN
Mr. Berman. Thank you, Senator. Mr. Chairman, Senator
Leahy, Senator Kohl, Senator Schumer, I appreciate the
opportunity to be here to talk about privacy on the Internet.
While I agree with the caution and concerns of the previous
witnesses, I want to endorse them, but also try and reposition
the issue somewhat. I think we have to step back and say what
are we doing here. The Internet is not just a commercial forum;
it is the future community for many of us and for many of our
transactions going into the 21st century. There are 160 million
people on the Internet. It is eventually going to be all of us
because we are moving our transactions. We are going to do
business there; our libraries are there, medical records are
there. We are putting entertainment there. We are building new
communities.
In all due respect, and it is true, without all the hype,
we are building a ``virtual me'' and virtual communities, and
that means that we are now looking at developing the
fundamental rules for this Internet. It is almost like
constitution-building, in my view. It is a global Internet, and
that makes it difficult. We are not just all sitting in
Philadelphia writing the rules for the world, but we are trying
to figure out what the fundamental law is.
My organization wants to ensure that there is a commerce
clause, but that there is also a bill of rights, and that means
that we have to look at the Internet from several perspectives.
First, the key thing to understand about the Internet is that
it is a different architecture. It is global, decentralized,
interactive, which changes the characteristics.
It is very important for Congress to understand its
architecture. Not understanding the architecture in the
Communications Decency Act--it is 0 for 2 in terms of writing
legislation, so a careful look at how the Internet works and
why it is different than other media is very important.
Second, the goal has to be privacy. It is not legislation
or self-regulation; it is privacy. And what do we mean by
privacy? Privacy is not just protection against commercial
users of information misusing my information. The government is
also on the Internet. Law enforcement is also on the Internet.
We just published a study of government Web sites. Two-thirds
of all government sites haven't got a privacy policy up. They
are doing business on the Internet.
Senator Leahy's E-RIGHTS bill deals with how do we balance
law enforcement needs and privacy in this new community. How is
law enforcement going to be done? How are they going to relate
to these new databases that are at AOL or on the Net, the
digitalme that Novell talks about? So it is both privacy
expectations against the government and the private sector. And
self-regulation may work a great deal in the private sector up
to a point, but I don't know how you solve the government
problem without drawing law to limit and define the rights of
citizens as against the government.
When we talk about privacy, we have to break it down into
several expectations. The first expectation that we have when
we go on the Internet or into any community is that we have a
certain amount of autonomy, what Senator Leahy talked about in
Vermont, the right to be let alone, not to be identified, to
shop, to browse. The Internet can afford that, but also the
technologies like the Intel chip, which is an identity chip
which may identify each one of us as we go through the
Internet, cookies. You have heard of the technologies that are
tracking and collecting information about citizens, not for bad
purposes, but to make the Net more efficient, to sell commerce,
to get people to the sites that they want to go to. But there
is a rich, new source of information on the Internet, and the
question is will citizens have the autonomy to be left alone.
Second, the key to that is at least fair information
practices. We go on the Net and we want to know when
information is collected about us, where it is going, how is it
going to be used, and do we have choices about that. That is
fair information practices and it is the key. It helps us to
know whether we have any autonomy. We have to ensure that those
fair information practices are on the Net.
The bad news is that we are very far behind. Only 14
percent of all Web sites post what their privacy policies or
information policies are. The good news is that the business
community and everyone understands that it is good for business
and commerce, and that consumers will not trust the Internet
until those policies are there.
Third, consumers want confidentiality. They want
confidentiality in their communications. This committee, in
1986--Senator Hatch, Senator Leahy--wrote the Electronic
Communications Privacy Act which created new privacy rights for
e-mail. The whole issue of encryption--because of the
decentralized nature, that debate over encryption and
technology policy is critical. There are new databases that are
being created on the Internet, like digitalme, which are as
sensitive as our wallet that is still there, but we are now
shopping with on the Net. What are the protections against
government for that?
So we have to come back and say, well, what are the
solutions? There are a bundle of solutions. Partly, it is
technology, the Platform for Policy Preferences which allows
people to express privacy policies on the Net. Partly, it is
self-regulation, like BBBOnLine and TRUSTe, which is telling
consumers and getting sites to disclose what their policies
are. That will work up to a point.
And I think that IBM and AOL and the Privacy Alliance are
in the lead of establishing what the baseline rules are for
fair information practices on the Net, but it will only go up
to a point. At some point, you are going to have to deal with
the bad actor on the Net, define what is a violation of privacy
on the Net. In other words, you can't just say, well, this is
what I am going to promise you about your information, but if I
don't do it, what are the remedies? There may be some private
sector remedies, but what is the role of the FTC there?
You have to go very carefully here because you are dealing
with information, and information raises First Amendment
issues. The remedies have to be clear, concise and not vague,
so that a lot of thinking has to go into what is the remedy for
someone misusing your address and personal information in a
commercial transaction versus a medical transaction. One size
does not fit all. And then we are going to need legislation.
To conclude, it is a series of things that we have to look
at. We are at the beginning of trying to define the
constitution for cyberspace. I think that there are several
ways that you can go. One, Senator Hatch and Senator Leahy
participated a decade ago in bringing the private sector and
the privacy community and industry and policymakers together to
define the Electronic Communications Privacy Act. That was a
dialogue reaching consensus. No privacy legislation has ever
been done without consensus between the private sector and the
privacy community. It just never happened. So, that consensus
is important. Senator Kohl's idea of a commission 25 years
after the last commission, with the whole Internet, is a good
idea for trying to sort out some of these problems.
So I think we are at the beginning. We are anxious to work
with all of you to try and define these issues. We think that
this is a critical part of the new society that we are moving
into, and I appreciate the opportunity to testify here today.
Thank you.
The Chairman. Thank you, Mr. Berman.
[The prepared statement of Mr. Berman follows:]
Prepared Statement of Jerry Berman
I. Overview
The Center for Democracy and Technology (CDT) is pleased to have
this opportunity to testify on the issue of individual privacy in the
online environment. CDT is a non-profit, public interest organization
dedicated to developing and implementing public policies to protect and
advance civil liberties and democratic values on the Internet. One of
our core goals is to enhance privacy protections for individuals in the
development and use of new communications technologies.
CDT focuses much of its work on the Internet because we believe
that it more than any other media has characteristics--architectural,
economic, and social--that are uniquely supportive of First Amendment
values. Because of its decentralized, open, and interactive nature, the
Internet is the first electronic medium to allow every user to
``publish'' and engage in commerce. Users can reach and create
communities of interest despite geographic, social, and political
barriers. As the World Wide Web grows to fully support voice, data, and
video, it will become in many respects a virtual ``face-to-face''
social and political milieu.
But while the First Amendment potential of the Internet is clear,
and recognized by the Court, the impact of the Internet on individual
privacy is less certain. Will the online environment erode individual
privacy--building in national identifiers, tracking devices, and limits
on autonomy? Or will it breathe new life into privacy--providing
protections for individuals' long held expectations of privacy?
As we move swiftly toward a world of electronic democracy,
electronic commerce and indeed electronic living, the need to construct
a framework of privacy protection that fits with the unique
opportunities and risks posed by the Internet is critical. But as
Congress has discovered in its attempts to regulate speech, this medium
deserves its own analysis. Laws developed to protect interests in other
media should not be blindly imported. To create rules that map onto the
Internet we must fully understand the characteristics of the Internet
and their implications for privacy protection. We must also have a
shared understanding of what we mean by privacy. Finally, we must assess
how to best use the various tools we have for implementing policy--law,
computer code, industry practices, and public education--to achieve the
protections we seek.
II. What Makes the Internet Different?
As Congress considers crafting rules to protect privacy on the
Internet, it must first understand the specific challenges to privacy
posed by the Internet's functions and use.
A. Increased data creation and collection
The Internet accelerates the trend toward increased information
collection that is already evident in our offline world. The data
trail, known as transactional data, left behind as individuals use the
Internet is a rich source of information about their habits of
association, speech, and commerce. When aggregated, these digital
fingerprints reveal a great deal about an individual's life. This
increasingly detailed information is bought and sold as a commodity by
a growing assortment of players and often sought by government.
B. The globalization of information and communications
On the Internet, information and communications flow unimpeded
across national borders. The Internet places the corner store, and a
store three continents away, equally at the individual's fingertips.
Just as the flow of personal information across national borders poses
a risk to individual privacy, citizens' ability to transact with
entities in other countries places individual privacy at risk in
countries that lack privacy protections. Whether protecting citizens
from fraud, limiting the availability of inappropriate content, or
protecting privacy, governments are finding their traditional ability
to make and effectively enforce policies challenged by the global
communications medium.
C. Lack of centralized control mechanisms
The Internet's distributed architecture presents challenges for the
implementation of policies. The Internet was designed without
gatekeepers--there is no single entity that controls the flow of
information. And as individuals and governments continually discover,
the Internet offers users an unequalled ability to route around
unwanted attempts to control activities and communications.
III. What Do We Mean by Privacy, and How Is It Being Eroded?
There are several core ``privacy expectations'' that individuals
have long held vis-a-vis both the government and the private sector,
the protection of which should carry over to interactions on the
Internet.
A. The expectation of autonomy
Imagine walking through a mall where every store, unbeknownst to
you, placed a sign on your back. The signs tell every other store you
visit exactly where you have been, what you looked at, and what you
purchased. Something very close to this is possible on the Internet.
When individuals surf the World Wide Web, they have a general
expectation of anonymity, more so than in the physical world where an
individual may be observed by others. Individuals believe that if they
have not affirmatively disclosed information about themselves, then no
one knows who they are or what they are doing. But, counter to this
belief, the Internet generates an elaborate trail of data detailing
every stop a person makes on the Web. The individual's employer may
capture this data trail if she logged on at work, and it is captured by
the Web sites the individual visits. Transactional data, click stream
data, or ``mouse-droppings'' can provide a ``profile'' of an
individual's online life.
Two recent examples highlight the manner in which individuals'
expectation of autonomy is challenged. (1) The introduction of the
Pentium III processor equipped with a unique identifier (Processor
Serial Number) threatens to greatly expand the ability of Web sites to
surreptitiously track and monitor online behavior. The PSN could become
something akin to the Social Security Number of the online world--a
number tied inextricably to the individual and used to validate one's
identity throughout a range of interactions with the government and the
private sector. (2) The Child Online Protection Act (COPA), passed in
October, requires Web sites to prohibit minors' access to material
considered ``harmful to minors.'' Today when an individual walks into a
convenience store to purchase an adult magazine they may flash their
ID. Under the COPA an individual will instead be asked to not only
flash their ID, but also to leave a record of it and their purchase
with the online store. Reliance on such systems will create records of
individuals' First Amendment activities, thereby conditioning adult
access to constitutionally protected speech on a disclosure of
identity. The defenses pose a Faustian choice to individuals seeking
access to information--protect privacy and lose access or exercise
First Amendment freedoms and forego privacy.
B. The expectation of fairness and control over personal information
When individuals provide information to a doctor, a merchant, or a
bank, they expect that those professionals/companies will collect only
information necessary to perform the service and use it only for that
purpose. The doctor will use it to tend to their health, the merchant
will use it to process the bill and ship the product, and the bank will
use it to manage their account--end of story. Unfortunately, current
practices, both offline and online, foil this expectation of privacy.
Whether it is medical information, or a record of a book purchased at
the bookstore, or information left behind during a Web site visit,
information is routinely collected without the individual's knowledge
and used for a variety of other purposes without the individual's
knowledge--let alone consent.
The Federal Trade Commission report from last June, ``Privacy
Online: A Report to Congress,'' found that despite increased pressure,
businesses operating online continue to collect personal information on
the World Wide Web without providing even a minimum of consumer
protection. The report looked only at whether Web sites provided users
with notice about how their data was to be used; there was no
discussion of whether the stated privacy policies provided adequate
protection. The survey found that while 92 percent of the sites
surveyed were collecting personally identifiable information, only 14
percent had some kind of disclosure of what they were doing with
personal data.
In a CDT study of federal agency Web sites last week, we found
that just over one-third of federal agencies had a ``privacy notice''
link from the agency's home page. Eight other sites had privacy
policies that could be found after following a link or two and on 22 of
the sites surveyed we could not find a privacy policy at all.
C. The expectation of confidentiality
When individuals send e-mail they expect that only the intended
recipient will read it. In passing the Electronic Communications
Privacy Act in 1986, Congress reaffirmed this expectation.
Unfortunately, it is once again in danger.
While United States law provides e-mail the same legal protection
as a first class letter, the technology leaves unencrypted e-mail as
vulnerable as a postcard. Compared to a letter, an e-mail message is
handled by many independent entities and travels in a relatively
unpredictable and unregulated environment. To further complicate
matters, the e-mail message may be routed, depending upon traffic
patterns, overseas and back, even if it is a purely domestic
communication. While the message may effortlessly flow from nation to
nation, the privacy protections are likely to stop at the border.
E-mail is just one example. Today our diaries, medical records, and
confidential documents are more likely to be out in the network than
stored in our homes. As our wallets become ``e-wallets'' housed
somewhere out on the Internet rather than in our back-pockets, the
confidentiality of our personal information is at risk.
The advent of online datebooks, and products such as Novell's
``Digital Me'', which invite individuals to take advantage of the
convenience of the Internet to manage their lives, raises increasingly
complex privacy questions. While the real ``me'' has Fourth and Fifth
Amendment protections from the government, the ``Digital Me'' is
increasingly naked in cyberspace.
IV. Where Do We Go From Here?
It is clear that our policy framework did not envision the Internet
as we know it today, nor did it foresee the pervasive role information
technology would play in our daily lives. Our legal framework for
protecting individual privacy in electronic communications, while built
upon constitutional principles buttressed by statutory protections,
reflects the technical and social ``givens'' of specific moments in
history. Crafting privacy protections in the electronic realm has
always been a complex endeavor. Reestablishing protections for
individuals' privacy in this new environment requires us to focus on
both the technical aspects of the Internet and on the practices and
policies of those who operate in the online environment.
A. The importance of architecture
Understanding the context is central to all effective efforts to
protect privacy. While the global, distributed network environment of
the Internet raises challenges to our traditional methods of
implementing policies, the specifications, standards, and technical
protocols that support the operation of the Internet offer a new way to
implement policy decisions. By building privacy into the architecture
of the Internet, we have the opportunity to advance public policies in
a manner that scales with the global and decentralized character of the
network. As Larry Lessig repeatedly reminds us, ``(computer) code is
law.''
Accordingly, we must promote specifications, standards and products
that protect privacy. A privacy-enhancing architecture must
incorporate, in its design and function, individuals' expectations of
privacy. For example, a privacy-protective architecture would provide
individuals the ability to ``walk'' through the digital world, browse,
and even purchase without disclosing information about their identity,
thereby preserving their autonomy and ensuring the expectations of
privacy. A privacy-protective architecture would enable individuals to
control when, how, and to whom personal information is revealed. It
would also provide individuals with the ability to exercise control
over how information once disclosed is, if at all, subsequently used.
Finally, a privacy-protective Internet architecture would provide
individuals with assurance that communications and data will be
technically protected from prying eyes.
While there is much work to be done in the designing of a privacy-
enhancing architecture, some substantial steps toward privacy
protection have occurred. Positive steps to leverage the power of
technology to protect privacy can be witnessed in efforts like the
Anonymizer, Crowds, and Onion Routing that shield individuals' identity
during online interactions, and encryption tools such as Pretty Good
Privacy that allow individuals to protect their private communications
during transit. The World Wide Web Consortium's Platform for Privacy
Preferences (``P3P'') is also a promising development. The P3P
specification will allow individuals to query Web sites for their
policies on handling personal information and to allow Web sites to
easily respond. While P3P does not drive the specific practices, it is
a standard designed to drive openness about information practices to
encourage Web sites to post privacy policies and to provide individuals
with a simple automated method to make informed decisions. Through
settings on their Web browsers, or through other software programs,
users will be able to exercise greater control over the use of their
personal information.
Technologies must be a central part of our privacy protection
framework, for they can provide protection across the global and
decentralized Internet where law or self-regulation alone may prove
insufficient.
B. Protecting the privacy of communications and information
Increasingly, our most important records are not ``papers'' in our
``houses'' but ``bytes'' stored electronically at distant ``virtual''
locations for indefinite periods of time and held by third parties. The
Internet, and digital technology generally, accelerate the collection
of information about individuals' actions and communications. Our
communications, rather than disappearing, are captured and stored on
servers controlled by third parties. Daily interactions such as our
choice of articles at a news Web site, our search and purchase of an
airline ticket, and our use of an online date book to manage our
schedule such as Yahoo's calendar leave detailed information in the
hands of third parties. With the rise of networking and the reduction
of physical boundaries for privacy, we must ensure that privacy
protections apply regardless of where information is stored.
Under our existing law, there are now essentially four legal
regimes for access to electronic data: (1) the traditional Fourth
Amendment standard for records stored on an individual's hard drive or
floppy disks; (2) the Title III-Electronic Communications Privacy Act
standard for records in transmission; (3) the standard for business
records held by third parties, available on a mere subpoena to the
third party with no notice to the individual subject of the record; and
(4) a statutory standard allowing subpoena access and delayed notice
for records stored on a remote server such as the diary of a student
stored on a university server, or personal correspondence.
As the third and fourth categories of records expand because the
wealth of transactional data collected in the private sector grows and
people find it more convenient to store records remotely, the legal
ambiguity and lack of strong protection grows more significant and
poses grave threats to privacy in the digital environment.
While Congress took the first small step towards recognizing the
changing nature of transactional data with amendments to the Electronic
Communications Privacy Act enacted as part of the Communications
Assistance for Law Enforcement Act of 1994 (``CALEA''), the increase in
transactional data and the increasing detail it reveals about
individuals' lives suggest that these changes are insufficient to
protect privacy.
Moreover, the Electronic Communications Privacy Act must be updated
to provide a consistent level of protection to communications and
information regardless of where they are stored and how long they have
been kept. Technologies that invite us to live online will quickly
create a pool of personal data with the capacity to reveal an
individual's travels, thoughts, purchases, associations, and
communications. We must raise the legal protections afforded to this
growing detailed data regardless of where it resides on the network.
C. Establish rules that give individuals control over personal
information during commercial interactions
We must adopt enforceable standards, both self-regulatory and
regulatory, to ensure that information provided for one purpose is not
used or redisclosed for other purposes without the individual's
consent. All such efforts should focus on the Code of Fair Information
Practices developed by the Department of Health, Education and Welfare
in 1973. The challenge of implementing privacy practices on the
Internet is ensuring that they build upon the medium's real-time and
interactive nature to foster privacy and that they do not
unintentionally impede other beneficial aspects of the medium.
Historically, for privacy legislation to be successful, it must
garner the support of at least a section of the industry. To do so, it
must build upon the work of some industry members--typically binding
bad actors to the rules being followed by industry leaders--or be
critically tied to the viability of a business service or product as
with the Video Privacy Protection Act and the Electronic Communications
Privacy Act.
Today, the dialogue over assuring privacy on the Internet and in
electronic commerce is well situated for a successful legislative
effort. Consensus exists around at least four general principles:
notice of data practices; individual control over the secondary use of
data; access to personal information; and, security for data. However,
the specifics of their implementation and the remedies for their
violation are just beginning to be explored by all interested parties.
When is information identifiable? How is it accessed? How do we create
meaningful and proportionate remedies that address the disclosure of
sensitive medical information as well as the disclosure of inaccurate
marketing data? These hard issues must be more fully resolved before
the policy process will successfully move forward. The leadership of
Internet-savvy members of this Committee and others will be critical if
we are to provide workable privacy protections for the Internet.
D. A privacy protection entity to provide expertise and institutional
memory, a forum for privacy research, and a source of policy
recommendations on privacy issues
The work outlined above, and the state of privacy today, all weigh
in favor of creating a privacy entity within the federal government.
The existing approach has hindered the development of sound policy and
failed to keep pace with changes in technology. While we are pleased
with the Administration's recent appointment of Peter Swire to the
Office of Information and Regulatory Affairs as the federal ``privacy
czar,'' we believe that OIRA is incapable, due to institutional
constraints and a lack of autonomy, of addressing several key privacy
issues. The United States needs an independent voice empowered with the
scope, expertise, and authority to guide public policy. Such an entity
has important roles to play on both domestic and international fronts.
It would serve as the forum for collaboration with other governments,
the public interest community, and the business community.
V. Conclusion
No doubt, privacy on the Internet is in a fragile state. However,
there is new hope for its resuscitation. There is a special need now
for dialogue. Providing a web of privacy protection to data and
communications as they flow along networks requires a unique
combination of tools--legal, policy, technical, and self-regulatory.
Cooperation among the business community and the nonprofit community is
crucial. Whether it is setting limits on government access to personal
information, ensuring that a new technology protects privacy, or
developing legislation--none will happen without a forum for
discussion, debate, and deliberation. We thank the Committee for
providing this initial forum and look forward to working with the
members and staff and other interested parties to foster privacy
protections for the Digital Age.
The Chairman. Mr. Bodoff.
STATEMENT OF RUSSELL T. BODOFF
Mr. Bodoff. Thank you. Mr. Chairman and members of the
committee, I am pleased to present to you our BBBOnLine Privacy
Seal program and to share the experience of our first month of
operation, after our official launch of the program which took
place on March 17.
BBBOnLine is a subsidiary of the Council of Better Business
Bureaus, with the start-up of our BBBOnLine privacy initiative
supported by 24 leading-edge sponsoring companies. The program
benefits from the Better Business Bureau's 100-percent name
recognition, as well as the BBB's 86 years' experience in
voluntary self-regulation and consumer dispute resolution.
Our privacy program awards an easily recognizable seal to
businesses that post online privacy policies meeting rigorous
principles, including notice to consumers, disclosure, choice
and consent, access, and security. It offers a separate and
distinct seal for sites directed at children. It provides a
thorough and consumer-friendly dispute resolution system. It
monitors compliance through a comprehensive assessment of a
company's online privacy practices, and it takes specific
actions for non-compliance, such as seal withdrawal, publicity
and referral to government enforcement agencies.
To qualify for a privacy seal, companies must submit an
application and successfully complete a comprehensive
assessment process that investigates over 170 different aspects
of an applicant's information practices. The founding principle
of our privacy program is that it requires privacy seal
participants to say what they do, to do what they say, and have
it verified.
This begins with an easy to find and easy to understand
privacy notice. Privacy notices must be one click away from a
Web site's home page and from every other page where personally
identifiable information is collected. Depending on the
information practices of the participant, this privacy notice
may contain as many as 16 required disclosures, but it will
always describe who is collecting the information, what type of
information is being collected, and how that information is
used and shared. It will always disclose how an individual can
access and correct their information, how to contact the
company, and how to contact BBBOnLine.
While evaluating the privacy notice is critically
important, the BBBOnLine assessment does not stop there, but
looks further into the actual information practices of a
company. Participants must have in place reasonable security
measures to prevent unauthorized access to both stored and
transmitted data. This includes doors and locks, adequate
training for employees, adequate logs and recordkeeping, and a
mandatory use of encryption when there is a receipt or
transmission of sensitive information, such as credit card
numbers, health care data or Social Security numbers.
Seal participants must provide a means by which individuals
can gain reasonable access to all the maintained and
retrievable personally identifiable information they submit
online. Seal participants that operate Web sites or online
services that are directed to children under the age of 13 must
also complete an additional children's assessment process.
BBBOnLine's privacy program's free, convenient and speedy
dispute resolution service offers the assistance of trained
professionals to ensure that consumers have a simple and
effective way to have their concerns addressed. Consumers can
contact the BBBOnLine dispute resolution intake center via e-
mail, toll-free telephone call, or by following the
instructions on our Web sites.
As remedies, consumers can seek to have the information
which was submitted online used only in a manner consistent
with the company's published privacy policy and/or the consumer
can seek to have inaccurate information corrected. BBBOnLine
may also require corrective action in the form of a change in
the seal participant's online privacy policies or practices if,
based on evidence in the case, it finds such action to be
required to avoid return to the same complaint.
The program will also monitor compliance through a system
of random audits to ensure that program participants remain in
compliance. We have designed our program to have serious and
effective consequences for non-compliance. In our dispute
resolution process, we will publish decisions so the public
will be able to monitor resolution of complaints about
violations of privacy policies.
The Privacy Seal program has been officially open now for
about 1 month. Since the launch, we have already processed over
240 formal applications. We have awarded 14 seals and have many
other companies ready and close to approval. The response has
been impressive and more applications are coming in every day.
Companies are reporting to us that the assessment process is so
thorough that it requires them to carefully evaluate and in
some cases change their entire data-collecting and processing
practices.
Now that we are open for business, we are engaging in an
aggressive outreach program to educate businesses on good
privacy practices. For example, we recently entered into an
agreement with the American Electronics Association to educate
their 3,000 members about good privacy principles. Similar
business outreach will be announced shortly with other major
trade associations, as well as our Better Business Bureaus.
Next on our agenda will be developing a major outreach to
consumers and children to help them better understand how to
protect their privacy while they are online.
In closing, let me say how excited we are that the
BBBOnLine privacy program, which was created in less than 9
months, is already being described as the most comprehensive
privacy self-regulation anywhere in the world. Consumers have a
high level of trust in our organization. A study released last
week by AT&T Research Labs indicated that a privacy notice on a
Web site, along with the Better Business Bureau seal, gave a
consumer a higher level of confidence than even privacy
regulation.
I want to thank the committee members for their attention,
and I hope that you share our enthusiasm about the tremendous
progress that has been made.
The Chairman. Thank you, Mr. Bodoff.
[The prepared statement of Mr. Bodoff follows:]
Prepared Statement of Russell T. Bodoff
Mr. Chairman and members of the Committee, my name is Russell
Bodoff. I am Senior Vice President and Chief Operating Officer of
BBBOnLine, an independent subsidiary of the Council of Better Business
Bureaus. I am pleased to present to you the BBBOnLine Privacy Seal
program and to share the experience of our first month of operation
after the official launch of the program on March 17, 1999.
The Council of Better Business Bureaus (CBBB) is the umbrella
organization for the nation's Better Business Bureau system, which
consists of over 130 local BBB's and branches and 270,000 member
businesses across the United States. The CBBB is a nonprofit business
membership organization tax exempt under section 501(c)(6) of the
Internal Revenue Code. More than 325 leading edge companies nationwide
belong to the CBBB and provide support for its mission of promoting
ethical business practices through voluntary self-regulation and
consumer and business education.
Each year, millions of consumers contact the Better Business Bureau
for pre-purchase information or for assistance in resolving marketplace
disputes. In large part, they are drawn to the BBB by its enormous name
recognition. The BBB trademark is one of the country's most widely
recognized by both business and consumers (100 percent business and 98
percent consumer brand recognition according to a 1996 Gallup Poll).
The public looks to the Better Business Bureau for impartial and
reliable information on a broad range of companies, products and
services. We provide reliability reports on individual businesses
(members and non-members), issue reports on publicly soliciting
charitable organizations and provide consumer advisories on a host of
offers, promotions and scams. We offer consumers and businesses a means
to resolve disputes through conciliation, mediation and, when
necessary, arbitration. In fact, the BBB operates one of the, if not
the, largest out-of-court consumer/business dispute settlement program
in North America.
Through its partnership with the major advertising trade
associations, the American Association of Advertising Agencies (AAAA),
the Association of National Advertisers (ANA), and the American
Advertising Federation (AAF), the CBBB also operates a highly
successful and much praised advertising self-regulation program that
helps assure truthful advertising and appropriate advertising directed
to children.
Our name recognition, the extremely high level of trust we have
earned from the public, and our experience in operating self-regulation
and dispute settlement programs, including our previous experience with
offering another seal program in the BBBOnLine Reliability Program, are
some of the reasons the business community and the Administration asked
BBBOnLine once again to provide a framework for self-regulation in the
major issue of concern in online commerce--personal privacy protection.
BBBOnLine is a 501(c)(6) tax exempt organization, supported by
leading online marketing and technology companies in the United States.
A wholly owned subsidiary of the CBBB, BBBOnLine was established by the
CBBB and its member sponsors as a means to promote the highest ethical
business practices online through self-regulation and consumer
education and self-help measures, and thereby help to foster consumer
trust and confidence in this new market. The online marketplace has
vast potential for consumers and business alike. However, it presents
risks to consumers who can not easily determine the reliability of any
given company by simply looking at its website, and it makes it
difficult for an ethical business to distinguish itself from a fly-by-
night operator.
To help online companies distinguish themselves, BBBOnLine provides
two separate seal programs for online businesses--the Reliability Seal
Program and the Privacy Seal Program--and provides consumer information
through our website, www.bbbonline.org.
The BBBOnLine Reliability Program was launched in April of 1997
with the support of 11 major corporate sponsors. The objective was to
provide a resource for consumers seeking trustworthy businesses on the
Internet; to help legitimate businesses distinguish themselves from
fly-by-night operators; and to demonstrate that self-regulation of the
online marketplace can succeed. To participate in the Reliability
Program a company must be a BBB member, cooperate with CBBB's National
Advertising Division (NAD), Children's Advertising Review Unit (CARU)
and National Advertising Review Board (NARB) and commit to third-party
dispute resolution. Over 2,900 companies from various sectors and of
various sizes have been approved to date for the Reliability Seal and
we are currently approving 200 new participants each month. Some of the
largest marketing sites on the Internet participate in the program.
Posting the Reliability Seal on a website provides consumers with an
easy means to check a company's history, obtain contact information,
and be assured that the company stands behind its advertising claims. A
BBB representative visits, in person, the physical office of each and
every Reliability Seal applicant, to ensure that they are who and
where they say they are.
Launched in March 1999, the BBBOnLine Privacy Program is the only
privacy seal program that is rooted in 86 years of experience in
voluntary self-regulation and consumer dispute resolution. The
BBBOnLine Privacy Program awards seals to online businesses verified as
meeting our high standards including: the posting of online privacy
policies meeting rigorous privacy principles, completion of a
comprehensive evaluation, monitoring and review by a trusted
organization, and participation in a consumer dispute resolution
system. For further detail, please visit
www.bbbonline.org/businesses/privacy/eligibility.html.
After the successful creation and implementation of the BBBOnLine
Reliability Program, it was a natural progression for BBBOnLine to
address the significant issues pertaining to privacy in electronic
commerce. BBBOnLine agreed to design a new BBBOnLine privacy self-
regulation program in June of 1998. There was tremendous industry
support for this effort. Twenty-four major companies provided start-up
funds of $2.3 million to develop the program design. Currently
seventeen companies serve as full corporate sponsors: Ameritech, AT&T,
Bank of America, Dun & Bradstreet, Eastman Kodak, GTE, Hewlett-Packard,
Microsoft, Netscape, Procter & Gamble, Reed Elsevier (LEXIS-NEXIS),
Road Runner Group, Sony Electronics, US WEST, Visa and Xerox. Plus,
twenty-four companies support and participate in our privacy steering
committee: America Online, American Express, AMR Corporation (American
Airlines and Travelocity), AT&T, Bank of America, Dell, Dun &
Bradstreet, Eastman Kodak, Equifax, Experian, Ford, Hewlett-Packard,
IBM, Intel, J.C. Penney, MCI WorldCom, Microsoft, New York Times
Electronic Media, Nickelodeon, Procter & Gamble, Reed Elsevier (LEXIS-
NEXIS), Sony Electronics, US WEST, and Xerox. In addition to the
financial support provided by our founding sponsors, a steering
committee of supporting companies was formed to assist BBBOnLine in
developing a self-regulatory program that was substantive, realistic,
and workable. Contributing to this effort were privacy experts such as
Professor Alan Westin of Columbia University and Dr. Mary Culnan of
Georgetown University. We also created a separate dispute resolution
committee to help design a dispute resolution component to the program
to deal with the specialized area of privacy disputes.
The Privacy Program is designed to be a user-friendly tool that
helps foster trust and confidence on the Net. It is also designed to be
a valuable resource for business as a simple, one-stop, non-intrusive
way to demonstrate compliance with credible online privacy principles.
The core of the BBBOnLine Privacy Program:
- Awards an easily recognizable and affordable ``seal'' to
businesses that post online privacy policies meeting rigorous
principles, including notice to consumer, disclosure, choice
and consent, access, and security;
- Offers a separate and distinct seal for sites directed at
children;
- Provides a thorough and consumer-friendly dispute resolution
system;
- Monitors compliance through requirements that participating
companies undertake, at a minimum annually, assessments of
their online privacy practices; and,
- Takes specific actions for non-compliance, such as seal
withdrawal, publicity and referral to government enforcement
agencies.
Applicants eligible to participate in the BBBOnLine Privacy program
must post a clear and easy to find privacy notice and operate a website
or online service that is directed to U.S. residents. To reach broadly,
BBB membership is not required to participate in the privacy program,
although applicants can not have an unsatisfactory BBB record.
To ultimately qualify for a privacy seal, applicants must submit an
application and successfully complete a comprehensive assessment
process that investigates over 170 different aspects of an applicant's
information practices, including privacy notice content and placement,
corporate structure, security measures, transfer and merger of
information, access, correction; and (if the website or online service
falls within our children's guidelines) a comprehensive set of
additional children's requirements. For more information, please visit
www.bbbonline.org/businesses/privacy/assess-html.html or see Appendix
A.
The assessment process itself was field tested with a diverse group
of companies to make sure that its objective of performing an in-depth
evaluation of information practices was user friendly for business and
workable in performing an effective analysis of the way a seal
applicant collects and uses personal information. The assessment
process offers companies an excellent benchmark for evaluation and
implementation of sound privacy policies and practices.
After successfully completing the assessment process, applicants
must then have a company officer sign a participation agreement that
obligates them to submit to random and independent third party
verification, to utilize the BBBOnLine Dispute Resolution process, and
to notify BBBOnLine whenever there is a material change in either (1)
their privacy notice, (2) their information practices, and/or (3) the
scope of the privacy seal.
The essence of the BBBOnLine Privacy Program is that it requires
privacy seal participants to ``Say What You Do, Do What You Say, and
Have It Verified.'' (SM) This begins with a clear and easy to
find privacy notice. Privacy notices must be ``one click away'' from a
website's homepage and every other page where personally identifiable
information is collected. Depending on the information practices of the
participant, this privacy notice may contain as many as 16 required
disclosures, but it will always describe who is collecting information,
what types of information are being collected, and how that information
is used and shared. It will always disclose how an individual can
access and correct their information, how to contact the participant,
and how to contact BBBOnLine. Mandatory opt-outs are required whenever
information will be transferred to third parties for marketing, and
whenever information is used in a way not described in the privacy
notice.
While evaluating the privacy notice is critically important, the
BBBOnLine assessment does not stop there, but looks further into the
actual information practices of an applicant.
Seal participants must have in place reasonable security measures
to prevent unauthorized access to both stored and transmitted data.
This includes doors and locks, adequate training for employees,
adequate logs and record keeping, and a mandatory use of encryption
when there is a receipt or transmission of sensitive information such
as credit card numbers, health care data, and social security numbers.
In addition to disclosing information transfer practices and
providing opt-outs if such transfers are for marketing purposes, seal
participants must also take steps to ensure that transferred
information continues to be used only in the ways disclosed in the
privacy notice and according to the choices made by an individual. Seal
participants must also follow special rules when information is
submitted online by one person about someone else, such as with gift
recipients.
Seal participants must provide a means by which individuals can
gain reasonable access to all the maintained and retrievable personally
identifiable information they submit online, and establish a reasonable
process by which seal participants can verify the identity of those
requesting access.
Seal participants that operate websites or online services, or
portions thereof, that are directed to children under 13, or at which
information is collected from visitors actually known to be children
under 13, must also complete a children's supplemental assessment
questionnaire and assessment process based upon the requirements of the
Children's Online Privacy Protection Act of 1998, and the guidance set
forth by both the Online Privacy Alliance, and the Council of Better
Business Bureaus' Children's Advertising Review Unit.
Such children's websites must acquire prior verifiable parental
consent before a child's information can be collected and before
children are given the ability to post identifying information.
Reasonable efforts must be taken to prevent children from posting
contact information. In certain circumstances and at certain locations,
additional warnings and reminders to children must be placed within the
website or online service. The participation in games or other online
activities may not be conditioned on the disclosure of more information
than is necessary. Special limitations are placed on e-mail and the
creation of hyperlinks to other websites. Finally, seal participants
who e-mail children must also take proactive steps to remind and
encourage parents to check and monitor their children's online
activities.
In the month that the BBBOnLine Privacy program has been in
operation, we have already gained much valuable experience. The
assessment process involves a lengthy dialog between ourselves and our
applicants, and often we find ourselves learning from each other. For
instance, in the process of evaluating the information practices of
applicants, we find that we are also educating them on the importance
of drafting clear privacy policies that disclose with sufficient
specificity what is being collected and how that information is being
used. We are talking with applicants about the necessity of providing
access to and correction of information, and simultaneously, the
importance of having in place verification methods for providing access
to only those individuals authorized to obtain it. We are educating
applicants on security measures, the many issues that arise in clearly
defining the scope of the privacy seal protections, and the best way to
protect children's privacy. In this way, we believe we are not only
certifying websites that follow the BBBOnLine criteria, but also
greatly raising the bar by giving applicants the time and guidance
needed to make them knowledgeable about the issues surrounding online
privacy.
In addition to the assessment process, BBBOnLine offers consumers
and businesses significant experience in resolving disputes. The BBB
system currently runs what is probably the nation's largest consumer-
business dispute resolution program, primarily for most of the
automobile industry, for whom we are certified as operating state-
compliant lemon law programs in those states allowing for state
certification; BBB dispute settlement efforts also include 60,000 local
business participants; our programs handle more than 30,000 cases a
year, using the services of about 5,000 trained volunteer arbitrators,
not to mention the hundreds of thousands of informal complaint
resolution cases handled by the BBB's every day.
Using BBB's dispute settlement experience, we stand ready to
provide consumers with a specialized forum to air and resolve privacy-
related disputes (Appendix B). We will accept complaints from both U.S.
residents and non-U.S. residents about companies and organizations with
posted privacy notices, whose websites or online services are intended
to be directed at U.S. residents, that misuse information. Complaints
can be about the actions of seal participants and non-seal
participants. Companies or organizations that do not cooperate with us
in a dispute resolution proceeding can, in turn, be subject to public
withdrawal of our seal and/or referral to the appropriate government
agency.
Free, convenient, and speedy dispute resolution by trained
professionals ensures that consumers have a simple and effective way to
have their concerns addressed. Consumers can contact the BBBOnLine
Dispute Resolution Intake Center via e-mail, telephone call or by
simply following our online complaint directions located on our web
site at www.bbbonline.org/consumers/drguide.html. As remedies,
consumers can seek to have the information which was submitted online
used only in a manner consistent with the company's published privacy
policy and/or the consumer can seek to have inaccurate information
corrected. BBBOnLine may also require corrective action in the form of
a change in a seal participant's online privacy policies or practices
if, based on the evidence in the case, it finds such action to be
required to avoid recurrences of the same complaint.
The BBBOnLine dispute resolution process is designed to deliver
consumer satisfaction. The first step will be to encourage a business
and the consumer to resolve a complaint between the two parties. If
this fails, BBBOnLine will step in to help, providing a consumer-
friendly process to resolve the complaint. An appeal process to an
impartial panel is also available providing neutral expertise in the
privacy arena. Indeed, we have been fortunate to recruit Andrew
Strenio, a former Commissioner of the Federal Trade Commission, to be
Chair of our appeals board. Businesses that repeatedly violate their
own policies will have their seal revoked, and as previously mentioned,
they will be publicly identified and the most serious or frequent
offenders will have the violations reported to the proper government
authority. The Better Business Bureau system has a long history of
cooperation with regulatory authorities and the BBBOnLine Privacy
Program will continue this collaboration to promote trust and
confidence on the Internet.
Seal participants are required to provide information within their
privacy policy on how to contact BBBOnLine in order to ensure ease of
access to the complaint resolution system.
Each participant in the BBBOnLine Privacy Program agrees to
cooperate with BBBOnLine in verification of their compliance with
eligibility requirements. BBBOnLine may itself, or through an
independent third party designated by BBBOnLine, conduct random
compliance reviews (online, onsite, or otherwise) of one or more
eligibility requirements on BBBOnLine's own initiative or in response
to complaints from individuals or other third parties. By conducting
surprise audits on program participants, we will be able to keep the
importance of privacy issues at the forefront of online business
practices and create a significant deterrence to noncompliance.
If, as a result of a random review or other third party
information, BBBOnLine finds the organization not to be in compliance
with any of our eligibility requirements, we may decide to pursue a
complete review of all of the eligibility requirements in order to
allow BBBOnLine to retain confidence in the organization's continued
eligibility to participate in the program. In addition, if the
organization is merged, acquired by or consolidated with another
company, it must inform BBBOnLine, which will require review of the
circumstances surrounding the merger, consolidation or acquisition to
determine whether the organization must requalify or provide additional
information for use of the seal.
We have designed our program to have serious and effective
consequences for non-compliance. In our dispute resolution process we
will publish decisions so that the public will be able to monitor
resolution of complaints about violations of privacy policies. Our
complaint resolution process will also keep statistics which will help
us identify patterns of improper information practices and instances of
non-compliance which we can use to monitor and enforce our program
requirements. Of course we will only publish the name of the company
complained about, protecting the consumer complainant's identity from
disclosure. An important feature of our dispute resolution process is
that it will not be binding on the consumer, so consumers will be free
to exercise available judicial remedies in addition to the remedies
offered by BBBOnLine.
The Privacy Seal Program has been officially ``open for business''
for only one month. In this brief period of time we have already
received over 240 applications and have awarded 13 seals. The response
has been impressive and more applications are coming in every day. The
assessment process is a very thorough process that forces companies to
carefully evaluate, and in some cases change, their entire data
collecting and processing practices, online and off-line. The process
goes well beyond the posting of a privacy policy.
A study led by AT&T Research Labs released last week came to the
conclusion that the combination of a privacy policy and a seal from a
well known organization, like the Better Business Bureau, significantly
raised people's confidence when they were asked to provide personal
information online (www.research.att.com/projects/privacystudy/). In
fact, of the respondents that were unsure or said that they would not
provide personal information to receive free pamphlets and coupons at a
site related to a favorite hobby:
48 percent said they would be more likely to provide it if
there was a law that prevented the site from using the
information for any purpose other than processing the request,
28 percent said they would be more likely to provide it if
the site only had a privacy policy,
and 58 percent said they would be more likely to provide it
if the site had both a privacy policy and a seal of approval
from a well known organization such as the Better Business
Bureau.
BBB's 100 percent brand name recognition and its 86-year history in
self-regulation allows us to provide a program that can make a
difference.
Online privacy is often mentioned as one of the biggest concerns
keeping consumers from engaging in e-commerce. The online privacy issue
has become such a hot issue that many businesses are now starting to
respond. As evidenced in our program, it is not only the large
businesses that are exercising self-regulation.
Many of the applications we have received have come from small to
medium sized businesses. The BBBOnLine Privacy Seal Program was
intentionally priced so that all companies could apply (Appendix C).
The only item keeping a company from participating in the program
should be its inability to meet the eligibility requirements; price
should not be a factor. The World Wide Web is made up of hundreds of
thousands of websites, most of which are not large companies. In order
for self-regulation to work it must be accessible to the majority of
web marketers, large and small companies alike. Indeed, now that we are
open for business we are engaging in an aggressive outreach effort to
reach as wide a business audience as possible. For example, we recently
entered into a co-marketing arrangement with the American Electronic
Association to educate their 3,000 plus members about good privacy
principles and the BBBOnLine Privacy Program.
BBBOnLine plans a comprehensive outreach effort for consumer
education. We have approached consumer advocacy groups about joint
efforts and hope to use our website to provide educational materials on
helping consumers protect their privacy online.
Though we just launched the Privacy Seal Program, it is our hope
that as the program grows and as consumer awareness and education
increases we will have been able to make the online marketplace a safer
place to negotiate for all. We want to thank the Committee for your
attention and hope that you share in our enthusiasm for the tremendous
progress already made.
I am available to answer any questions you may have.
[GRAPHICS] [TIFF OMITTED] T8199.018 through T8199.109 (92 graphic pages not reproduced)
The Chairman. Mr. Fischbach.
STATEMENT OF GREGORY FISCHBACH
Mr. Fischbach. Thank you, Mr. Chairman, Senator Kohl and
Senator Schumer, for the opportunity to testify before the
committee today regarding the protection of personal
information on the Internet. I applaud you for your leadership
in seeking to strike the right admittedly delicate balance
between industry self-regulation and the appropriate role, if
any, of government.
I testify today wearing two hats. I am the Chairman and
Chief Executive Officer of Acclaim Entertainment, a leading
maker of video and PC games. Though headquartered in New York,
Acclaim's flagship development studio is Iguana Studios in Salt
Lake City, which employs 90 software professionals.
Senator Schumer. Excuse me, sir. Are you bragging about
that? [Laughter.]
The Chairman. Let's not have interruptions from New York.
[Laughter.]
We ought to be grateful here for the link-up, you know.
Mr. Fischbach. Well, it works for both of you.
I am here as Vice Chair of the Interactive Digital Software
Association, the trade body representing the $6.3 billion U.S.
entertainment software industry.
Maintaining communication with our customers is fundamental
to our success as a business. Unlike many other businesses
where the essential interaction with consumers involves a one-
time transaction, entertainment software consumers expect and
even rely on a continuous dialogue with their publishers. For
example, buyers of our games expect us to provide them with
software bug fixes, game tips, virus warnings and software
upgrades.
The Internet has become a major vehicle for talking to our
customers. We use it to provide online product registrations,
direct download of bug fixes and updates, new product
information, and online gaming services. We recognize that
using the Internet to communicate with customers means we must
appropriately safeguard the personal information we collect and
use online.
In October 1998, the IDSA officially adopted voluntary
principles and guidelines for fair information practices
online. The guidelines generally conform to privacy principles
proposed by the Department of Commerce and the OECD. While
consistent with guidelines issued by other industry groups, the
IDSA guidelines go further in three areas--access, information
and children.
On access, the IDSA guidelines direct that companies give
consumers the opportunity for reasonable, appropriate access to
personal identity information and the opportunity to correct or
amend that information. In the area of enforcement, the
guidelines direct the IDSA to make publicly accessible a status
report on IDSA member implementation of privacy practices, and
they require that members utilize certification seals provided
by third-party entities.
Finally, in the children's area the IDSA guidelines require
that companies provide parents of children ages 13 to 17 with
notice of online information collection and the opportunity to
remove the information from the site's database. To date, 16
IDSA members, who together accounted for almost 60 percent of
all games sold in the U.S. in 1998, have posted online privacy
policies as required by our guidelines or are in the process of
doing so.
For our company, compliance has required fundamental
changes in the way that we do business and relate to our
customers. This is an important point. Business does have a
responsibility to protect privacy, but government must
understand that these changes often touch on the most basic and
important business asset we have, our consumer relationships.
Let me tell you that overhauling our business model in this
area is not as easy as it might seem when rules are first put
on paper. In fact, we at Acclaim have opted to significantly
limit how much information we collect on our Web site.
Acclaim.net only collects and stores e-mail addresses, and only
does so in three circumstances.
When a Web site visitor is subscribing to our newsletter,
downloading software, or ordering something from our online
store, we make it clear that we may use these e-mail addresses
for a variety of internal marketing purposes, but do not sell
or distribute them to any outside person or organization. We
also offer our customers the ability to have Acclaim delete
their e-mail addresses.
Finally, we expressly forbid children 12 and under from
submitting information to us, and we will implement whatever
consent and notice procedures the FTC identifies as appropriate
in regulations promulgated under this law. Our policy is
posted and we hope to have a certification seal from the ESRB
as soon as it is open for business, which we would anticipate
by the end of this May.
Mr. Chairman, I believe our industry and my company have
made important strides toward protecting privacy. But my
experience in these last few months tells me that one size does
not fit all. A legislative or regulatory approach probably
creates great confusion. I understand the appeal of a Federal
mandate, but as someone working in the trenches I suggest to
you that industry self-regulation, while perhaps imperfect, is
ultimately the best and swiftest way to protect consumer
privacy on the Internet, while allowing Internet creativity and
experimentation to flourish.
Thank you for this opportunity and I would be glad to
answer any questions.
The Chairman. Thank you, Mr. Fischbach.
[The prepared statement of Mr. Fischbach follows:]
Prepared Statement of Gregory Fischbach
Thank you, Mr. Chairman, for the opportunity to testify before the
Committee today regarding the protection of personal information on the
Internet. I applaud you for your leadership in seeking to strike the
right, admittedly delicate balance, between industry self-regulation
and the appropriate role, if any, for government.
I testify today wearing two hats. I am the Chairman and Co-Chief
Executive Officer of Acclaim Entertainment. I am also here as the Vice-
Chair of the Board of Directors of the Interactive Digital Software
Association.
Acclaim Entertainment, Inc. is a leading worldwide developer,
publisher and mass marketer of software for use with interactive
entertainment platforms including Nintendo, Sony and Sega hardware
systems, and PCs. Acclaim owns and operates five studios located in the
United States and the United Kingdom, and publishes and distributes its
software directly in North America, the United Kingdom, Germany, France
and Australia. Acclaim posted 1998 revenues of over $325 million. Our
headquarters are located in Glen Cove, New York and Acclaim's common
stock is publicly traded on NASDAQ under the symbol AKLM.
You may know some of our key internally developed brands, Acclaim
Sports, Turok, and WWF Warzone. WWF Warzone, developed by our flagship
studio, Iguana Salt Lake City, was Acclaim's best selling product in
1998. Our Salt Lake City Studio employs over 90 software professionals
and generates several products annually.
All of our company brands are supported by significant marketing
campaigns including on-line promotion. Over the last year we have
allocated significant resources to Acclaim On-Line, in an effort to
better service our consumers. Consumers visit our site, Acclaim.Net for
product information, release dates, free demo software, e-commerce, tips
and hints and company information. Last year traffic on Acclaim.Net
grew by 325 percent. In calendar 1999, we expect to generate over 50
million page impressions. In the future we plan to continue to serve
our consumers on-line by offering new features including on-line game
play through Acclaim.Net.
The IDSA represents the U.S. publishers of entertainment software
games for video game consoles, PCs, and the Internet. IDSA members
collectively account for more than 85 percent of the $6.3 billion in
entertainment software sold and rented in the U.S. in 1998, and
billions more in export sales of U.S.-made entertainment software. The
entertainment software industry is now the fastest growing of all U.S.
entertainment industries, selling nearly 200 million units of PC and
video games in the U.S. alone, or almost two per household.
I want to spend my time sharing with you some of the lessons that
Acclaim and the IDSA have learned as a result of the steps that we have
taken to protect the personal information of entertainment software
consumers online.
Let me start with a little context: maintaining communication with
our customers is at the core of what we do. It is fundamental to our
success as a business. Unlike many other businesses where the
transaction with consumers is a one-time event, our consumers expect
and even rely on this continuous dialogue.
Consumers expect us to provide them with software patches, game
tips, and software upgrades and enhancements. They want information
from us on sequels, they want technical support, they want to tell us
what they think of our products, they want to volunteer to test
products, and more. Consumers of online games, a growing part of the
entertainment software industry, also increasingly expect us to provide
online game services so they can participate in tournaments, find
playing partners, or play massive multi-player games. Without personal
information from those consumers, such as email address, name, and
snail mail address, we cannot meet these needs; moreover, in an
industry which is besieged by piracy, we need registration information
to ensure that the consumer owns a legitimate, rather than pirated,
copy and we need personal information from online game players to
prevent players from abusing the game service or harassing other
players.
The Internet has become the major vehicle through which we meet
many of these consumer demands. The Internet allows us to provide
online product registrations, direct downloads of bug fixes and
updates, new product information, and online game services.
We recognize that our use of the Internet to communicate with our
customers imposes a burden on us to put in place appropriate safeguards
to ensure that the personal information we do collect is protected.
This leads me to the actions that both Acclaim and the IDSA have taken
to protect the personal information of consumers online.
In March 1998 the IDSA convened a Privacy Working Group to create
appropriate standards for protecting the privacy of consumers on the
Internet. This Privacy Working Group consisted of General Counsels,
Marketing Directors, and Webmasters from nine IDSA member companies,
bringing legal, business, and technical expertise to the issue. Over
the ensuing eight months, this Working Group and the IDSA Board
hammered out Principles and Guidelines for Fair Information Practices.
The Board officially adopted these Guidelines at its October 1998
meeting, and IDSA members are expected to be in compliance by May 31,
1999. Copies have been provided to the Committee.
Developing these guidelines was not simple. It's easy to lose sight
of the fact that we are talking about redefining how we relate to our
consumers. From a business standpoint, this is not something we take
lightly, especially not after spending years to build a sense of
loyalty and trust with those who play our games. While some believe
developing guidelines is a simple matter, we know from experience that
even using the very valuable templates developed by such groups as the
Online Privacy Alliance, the Organization for Economic Cooperation and
Development (OECD), and the Department of Commerce, an enormous amount
of thought must still be applied to ensure that the guidelines we've
adopted for this industry take into account its unique qualities.
We believe that the Guidelines we eventually developed represent an
appropriate balance between protecting the online privacy of our
customers while also preserving the interactive relationship that our
customers expect. As their longer title indicates, the guidelines have
two elements. First, they establish a core principle to which companies
adopting the guidelines must adhere. Second, they provide guidance on
ways to comply with each core principle, recognizing that companies
may, depending on size, practices, and resources, choose different
paths to complying with the principles.
As these elements are widely recognized to be essential, the IDSA
Guidelines contain principles on Notice, Choice, Data Collection
Limitation, Security, Access, Enforcement, and special rules for
children. With regard to Notice, Choice, Data Collection Limitation,
and Security, the IDSA Guidelines are in conformance with those
suggested by the OECD and the Department of Commerce, and consistent
with those adopted by other industries and companies. However, the IDSA
Guidelines go farther than other industries with regard to Access,
Enforcement, and Children.
With respect to Notice, Choice, and Data Collection Limitation, and
Security, the IDSA guidelines (1) direct each IDSA member to implement
and publish online a ``privacy policy'' that informs consumers about
its online collection and use of personal information, (2) direct that
each IDSA member give consumers the choice to exercise reasonable
control over the collection and use of their personal data, generally
establishing ``opt-out'' choice as the minimum acceptable tool; (3)
direct IDSA members to only collect and retain personal data of
consumers that is needed for valid business reasons, and give guidance
as to the breadth of personal data that should be collected and when
personal data should no longer be retained; and (4) direct that IDSA
members take reasonable measures to assure the reliability of personal
data they collect and take reasonable precautions to protect that data
from loss, misuse, or alteration, and recommend that IDSA members take
reasonable steps to assure that third parties to whom they transfer the
personal data of consumers will provide sufficient protection to that
personal data.
As an industry which is both highly sensitive to our customer
relationships, and which has a significant following among children, we
spent considerable time crafting guidelines in the Access, Enforcement,
and Children's areas. The result is that our guidelines in these areas,
in some instances, go beyond recently enacted law and other voluntary
approaches.
For example, the IDSA guidelines with regard to access do not
restrict consumer access to instances of ensuring data quality.
Instead, they direct that IDSA members give consumers the opportunity
for reasonable, appropriate access to personal identifying information
about them that an IDSA member holds, and the opportunity to correct or
amend that information when necessary.
In the enforcement area, the IDSA guidelines create a detailed
scheme for ensuring that IDSA members comply with their data privacy
policies and provide appropriate means of recourse for consumers. They
give explicit direction on internal mechanisms that should be followed,
including establishment of clear procedures and specific time frames
for resolution of complaints, identification and training of personnel
that will ensure compliance and provide recourse to consumers, and
appeals structures. IDSA members are also directed to create a system
of incentives and/or sanctions, which might include bonuses, to
encourage adherence to privacy policies. I believe that the vast
majority of consumer complaints will be adequately and effectively
addressed through these mechanisms.
But, in order to provide consumers with additional confidence that
they can rely on a privacy policy, the IDSA guidelines also establish
two external mechanisms for ensuring member compliance with the IDSA
guidelines. First, they direct the IDSA to make publicly accessible,
both on its Web site and in its files, a report on the status of IDSA
member adoption and implementation of privacy practices. After the May
31, 1999 deadline for compliance, this status report will, among other
things, identify the certification seal provider used by each member,
include links to the privacy policies of IDSA members, and inform
consumers how to access privacy practice compliance information about
each IDSA member from the relevant seal provider.
Second, the IDSA guidelines require that members utilize
certification seals provided by third party entities. Such third party
seal providers must be empowered to investigate and verify compliance
with privacy policies, and to mediate or arbitrate consumer complaints.
You are familiar with the BBB Online program, one prominent third party
seal provider. In a few months, the Entertainment Software Ratings
Board (ESRB) will launch its own seal program for entertainment
software companies. Since 1994, the ESRB has been rating entertainment
software titles for age and content appropriateness. Senators Kohl and
Lieberman have called the ESRB the best and most credible entertainment
ratings system in the U.S. More recently, the ESRB has begun rating
entertainment software web sites along similar lines. In rating more
than 5,000 products and web sites, the ESRB has developed a depth of
ratings experience as well as terrific brand recognition and confidence
among entertainment software consumers. The ESRB therefore decided it
was a natural progression to build on that consumer trust by expanding
into the privacy ratings arena. I'm sure the ESRB would be happy to
share with this Committee details about its new seal service.
The last area of the IDSA guidelines I would like to discuss is
its rules regarding children. While 56 percent of video gamers and more
than 70 percent of computer gamers are over 18, the IDSA recognizes
that many children use our products, and that the online collection and
use of personal data from children raises a different set of concerns
than exist with adults. Therefore, the IDSA has adopted a more rigorous
set of guidelines with respect to IDSA members that collect information
from children.
With respect to children age twelve and under, the IDSA guidelines
mirror the recently enacted Children's Online Privacy Protection Act,
but we go beyond the Act to create special rules with regard to
children over twelve and under eighteen. If IDSA members engage in
collection of personal information from these older children, the IDSA
guidelines direct them to provide parents with notice of the collection
and an opportunity to remove the information from the site's database.
To date, sixteen IDSA members, who together accounted for almost 60
percent of all games sold in the U.S. in 1998, have posted online
privacy policies as required by the Guidelines or are in the process of
doing so. IDSA is actively reaching out to others in the industry, and
plans to meet face-to-face with the remaining members at our annual
industry trade show next month. The IDSA also plans a series of
regional seminars to help its members work through implementation
issues.
Once the IDSA adopted these guidelines in October 1998, the really
tough work began. While drafting guidelines to cover companies of
assorted sizes, resources, practices, business structures, and
sensitivity was challenging, it is an even greater challenge to
implement them. I tell you that based on real world experience. Think
tanks, interest groups, government agencies, and congressional
committees are laboratories; what might seem workable in the lab is not
always practical outside of it.
Acclaim has been actively trying to implement the IDSA guidelines
for several months. If there is any one message I would like to leave
you with today, it is that even modest rules on online collection and
use of personal information often require fundamental changes in the
ways companies do business and in their customer relationships. It is
important to remember that for entertainment software companies this is
an area vital, as folks in DC like to say, ``to our national
interest.'' Anything we do which affects our interaction with customers
is a significant business issue. As I noted earlier, our customers
expect an ongoing relationship, and the effort to meet these
expectations and protect their privacy is not an overnight process.
In the last few months, Acclaim has conducted an internal review of
our Web sites and the way they collect and use personal information
from Web site visitors. We then worked with the IDSA to understand the
guidelines and the changes we would have to make in our business
practices to comply with the guidelines. We have posted a privacy
policy on our Web site, and hope that the ESRB Privacy Program will
soon be operational and thus able to review our policy and practices.
If the ESRB requires further changes to our privacy policy and
practices, we will have to devise ways to implement these changes.
The privacy practices that Acclaim developed as a result of these
efforts are, I think, pretty straightforward: we have opted to
significantly limit how much information we collect on our Web site. We
only collect and store email addresses and only do so in three
circumstances: when a Web site visitor is subscribing to our
Newsletter, downloading software, or ordering something from our online
store. We make it clear that we may use these email addresses for a
variety of internal marketing purposes, but will not sell or distribute
these email addresses in any way to any outside person or organization.
We do offer customers the ability to have Acclaim delete their email
addresses from our databases by emailing our Webmaster with the word
``remove'' in the subject header of the email. Finally, we expressly
forbid children twelve and under from submitting information to us, and
will implement whatever consent and notice procedures the Federal Trade
Commission identifies as appropriate in regulations promulgated under
the Children's Online Privacy Protection Act.
As I stated, this ``simple'' Acclaim policy resulted from a very
difficult process of figuring out how to apply the IDSA Guidelines to
Acclaim. I will just throw out a few scenarios to demonstrate the
difficulties we faced when we tried to implement information collection
and use limitations.
The words ``provide reasonable, appropriate access'' seem simple.
But what do they mean in practice? Suppose a consumer calls Acclaim in
New York and asks for all information that all our operating units have
on them? Acclaim New York and Iguana Salt Lake City have separate
databases. Is it reasonable to give the consumer the information we
have in New York and direct them to make other calls to ascertain the
information held by other units? I'm sure the consumer would regard
that as a nuisance. But the alternative would be for Acclaim to
centralize all its databases. That is a very costly and complicated
undertaking. Moreover, it raises privacy issues of its own since we
would now have greater ability to develop profiles of individuals by
aggregating all the data held by our individual companies.
In the children's area, implementing the requirements for parental
consent and notice is extremely difficult. For example, what does
Acclaim do about the personal information it has collected from
consumers for several years through offline registration of different
products, such as our NFL Quarterback Club series? We collected
information from registrants of NFL Quarterback Club '98 so that we
might send them software bug fixes or information on the 1999 version.
However, we never collected information on the age of these
registrants, so now we are in a bind. What if some of these registrants
are twelve and under? Are we breaking the new federal law, because we
do not have parental consent to do so, by contacting them via email to
inform them that their software is buggy? Alternatively, are we
violating the IDSA guidelines by sending the same email to a seventeen-
year-old registrant because we do not send his parent notice of this
contact? This could be solved by grandfathering in previous collected
information, but for now it remains a troubling area of uncertainty.
I mention these challenges not as an excuse for inaction, but a
warning that what seems simple in principle can be devilishly
complicated in reality. I believe IDSA's guidelines do protect consumer
privacy while allowing entertainment software companies to maintain an
interactive relationship with customers and to continue to experiment
with business models on the Internet. But they may not be for everyone
in the private sector. They are specifically crafted to meet the
privacy expectations of entertainment software customers and the
business needs of entertainment software companies. So our industry has
made important strides toward protecting privacy. But my experience
these last few months developing a privacy policy which works for
Acclaim tells me that a `one size fits all' legislative or regulatory
approach is a recipe for confusion. Industry self-regulation, while
imperfect, is ultimately the best and swiftest way to protect consumer
privacy on the Internet while allowing Internet creativity and
experimentation to flourish. Thank you.
The Chairman. This has been an extremely interesting panel.
I have to momentarily go meet with the Russian foreign minister
on a very important matter and so I may have to leave before I
can finish my questions, but I am going to try and come back.
Let me begin with you, Mr. Sheridan. It is no secret that
the Internet provides a new, valuable medium for merchants, as
they are able to use the network to collect personal
information about consumers. Some of the obvious methods by
which commercial Web sites collect personal information include
online surveys, registration pages, contests, and application
forms.
However, it is my understanding that sites also collect
personal information, using technologies that are not obvious
to the particular Web surfer. There has been a lot of confusion
as to exactly what some of these technologies are and how they
work.
Could you please explain to us what a ``cookie'' is and
how it works?
Mr. Sheridan. It is fattening.
The Chairman. It is fattening.
Mr. Sheridan. Well, a cookie, as Mr. Berman mentioned
earlier, is not an evil thing in and of itself. When you go to
a page and fill out a form and you have put in what you are
interested in, and magically next time you reappear at that
page your preferences are known on what kind of news you would
like, what has been set there is some data about you and what
you are interested in and that is a cookie, in a simple way.
It is also used when you go to buy a book at one of the
online bookstores, for example. It has your credit card,
shipping and all kinds of other information, and the nice thing
is you can click there and just buy the book. The potential
downside is that information is being used to help you and
sometimes it is not clear how it is being used once it is in
the system.
The Chairman. If I understand you correctly, basically, a
cookie is the technology that extracts information without the
consumer knowing about that information.
Mr. Sheridan. Generally, the cookie is set through
information gotten by the consumer. Of course, it could also
just log the fact that you were there and your address, too. It
is a two-edged sword.
The Chairman. Does this allow the Web sites to track which
pages a consumer views and for how long?
Mr. Sheridan. Well, the cookie doesn't necessarily do that,
but inside of their system, depending on the site, there are
ways in which the user can be essentially followed. They would
know what they had clicked on and what their preferences were,
then use that often to recommend something positive, such as a
recommendation for a book that they think you would be
interested in, based on what you had clicked on.
The Chairman. Is there technology available, or do Web
browsers allow a consumer to set his or her computer to prevent
cookies from being placed, or at the very least give the Web
surfer notice before it is placed in the computer?
Mr. Sheridan. Web browsers from early on in the development
of this technology have allowed the user to turn off cookies or
to ask for notification when one is being asked for.
The Chairman. I see. I want to thank you for this because
it is helpful in educating the public in two ways. First, by
letting them know how information could be extracted from them
and, second, by informing them that they do have the power to
control how some of these technologies are used through the use
of technologies that they may already have on their laptops. So
I think that is important that we establish that.
Mr. Sheridan. Yes, it is.
The Chairman. Now, Ms. Borsecnik, as an Internet service
provider and a portal, you may have an interesting perspective
to add. Does AOL use cookies on its Web sites?
Ms. Borsecnik. AOL does use cookies on its Web sites. We
use cookies to identify whether a customer has been there
before. What we do is we can personalize a page someone sees
based on the fact of whether they have been there before. So,
for example, the first time they come we may offer a degree of
help, a degree of explanation about the site that is not
required on subsequent visits, things like that.
Our system automatically collects a lot of data, some of
which is required for us to run our business and some of which
isn't in a personally identified way. So when we collect data
of where people go online, we store and use that data in a way
that anonymizes it and doesn't allow for us to connect that
data with a specific user and we review it in aggregate. So we
may know, for example, that ``x'' number of people have visited
the personal finance area, but we couldn't say that you were a
visitor to the area that day.
The Chairman. I see. Mr. Berman, I need to run and I am
appreciative that Senator Thurmond is here to spell me off, but
it appears that some uses of cookies are legitimate and help to
create a more efficient Internet. However, it also seems that
these cookies could be used by some bad actors for purposes
that certainly would be suspect. Maybe you could shed some
light on what some of these less desirable uses of cookies are
and what type of Web operators use cookies in these improper
manners.
Mr. Berman. Well, it is very difficult to make a judgment
like that. Anyone who is using information in a way which I did
not consent to--I go to a site, I think I am just browsing.
They collect information about me. Then they may have marketing
information and they are selling something to me. I don't like
it. So it is a relative judgment by the consumer.
I think that you are onto the right answer, which is that
consumers ought to know that a cookie is being placed, in other
words that information is being collected. There are mechanisms
now in the browser which allow you turn a cookie off. There is
even more advanced technology, such as the P3P platform, which
the World Wide Web Consortium is working on with other industry
and privacy organizations which will allow you to set your
browser and state your preferences about what you want
collected or not collected about you, and that will help to
turn a cookie off or keep you away from sites that are
collecting that information. The consumer can be put into a
position to know what is going on.
The Chairman. Mr. Wladawsky-Berger.
Mr. Wladawsky-Berger. Yes. If I may add, Mr. Chairman, I
think that all of the self-regulation concepts have at their
heart an empowered consumer, and that is why what we always
want is three key principles--notification, choice and
recourse.
Notification means that the consumer, the person that you
are interacting with, always knows what is happening, what
information you are collecting, what it is going to be used
for. Choice means that if they are happy that it will be used
for good things, they are happy to let you have it; otherwise,
if they don't know or choose for whatever reason not to give it
to you. And recourse means that there is a way, if you feel
that you have been wronged, to take recourse, like contact
BBBOnLine or some other mechanism, or in some cases the Federal
Trade Commission.
So I think those are the key principles, and then within
those principles there are a lot of technologies that can do a
lot of good, but if misused, then they can be used wrongly.
The Chairman. Well, thank you.
Mr. Berger. I just wanted to add one point, which is the
most difficult issue to resolve is the recourse issue. One,
getting everyone to put those notices up and tell you what is
happening with information, but with the millions and millions
of Web sites and the new ones coming online, the self-
regulatory efforts that are going on are really important. And
AOL and Microsoft are doing a good job in terms of trying to
move along toward self-regulation. We do have to raise the
issue of the bad actor and the small Web site and what the
recourse is there. That is not clear, but it is not easy to
write because the violations have to be spelled out.
The Chairman. Senator Kohl, let's turn to you. I apologize
to you that I have to leave for that meeting, and I am not sure
I can get back. But if not, Senator Thurmond will finish the
hearing. Thanks so much.
Senator Kohl. Thank you, Senator Hatch. I have a single
two-part question for the panel, starting with Ms. Borsecnik.
Are you all worried that the worst actors in your industry, the
people who do not respect privacy, will undermine your efforts
at self-regulation, and that Congress will legislate on the
basis of anecdote in a way that neither makes good sense nor
good public policy? And if you are worried about this, doesn't
it make sense to consider a commission which may preempt some
of the worst legislation and, even better, bring together
industry, government and privacy experts to establish a
balanced approach to privacy protection?
Ms. Borsecnik.
Ms. Borsecnik. Do we worry about it? Yes. Privacy is a real
concern to our customers; we hear it on a daily basis from
them. And we do worry that there are bad apples out
there, potentially, just like in the days when the Senator was
talking about being afraid that criminals would use cars to get
away from the scene of the crime.
But we worry more about legislation activity that is too
quick to put a stake in the ground at a time when--you have
heard from us all that this is a nascent industry; things are
moving so quickly. Maybe I am just a poor predictor, but at any
point in time I have a hard time knowing what my business is
going to look like in 6 months, much less 6 years.
And not only is the technology moving so quickly, I have
found that customers' demands are progressing along with it. So
to take a snapshot at any point in time when the industry is in
its infancy and say this is the right solution, this technology
is the right solution, I think I worry that that will be viewed
as short-sighted in retrospect.
In terms of a commission, we believe that an open and
public dialogue is an enormous help on this issue. Even
incidents that have happened, I believe, in the end have helped
the industry realize that more attention needs to be focused on
it and have resulted in some of the activities you have heard
about here today. So we are very much in support of that kind
of dialogue, particularly in areas that need particular
attention, like kids' privacy and health care and things like
that. A one-size-fits-all solution is definitely something that
we would be concerned about that could stymie our business.
Senator Kohl. Mr. Sheridan.
Mr. Sheridan. Well, to address the first part of your
question, yes, I think we all worry about it, both
individually, those with kids who have to deal with it
everyday, and also because frankly it hurts our business if
this trust is broken down.
We believe that the right approach is one that does not try
to do everything at once; again, as my colleague here had said,
a snapshot in time. And the time frames on the Internet are
very compressed; things happen very quickly. And what we would
be concerned about is any piecemeal, in-time solution that
doesn't take into account the fast-moving nature of the Silicon
Valleys of this country, and there are many of them, which are
really an American miracle of competitiveness, job creation and
wealth creation. It would be our concern that that would be
derailed by government intervention.
On the second part of the issue, we would welcome an open,
balanced approach that is structured to represent this
position. And if that were to occur, I think we would support
it.
Mr. Wladawsky-Berger. Senator Kohl, I agree with my
colleagues that the Internet and all the applications that it
is helping bring about--it is too young, too complicated and
too fast to know at this time what to regulate. It is just very
hard when we don't have enough information because it has only
really been around, in this explosive way it has taken off, for
the last few years. And it feels like every month, something
brand new happens. The fear we all have is we can regulate
something now that 2 years from now will just look quaint. Why
did we do that when technology went way beyond that, or the
marketplace?
Now, when things are moving so fast, definitely research
and dialogue are more important than ever. Chairman Hatch
mentioned when he introduced me that I am a member of the
President's Information Advisory Technology Committee. We just
submitted a report; it was just printed last week. And we
recommended a doubling of IT research over the next 5 years,
especially research on long-term strategic issues, and we
called out specifically privacy issues as areas that should be
aggressively funded because the more we understand the problem,
the more we study it, the more we can then have the right
approaches to getting privacy to happen. I think your idea of a
commission is a very sound one. It is in the spirit of
understanding and getting more information, and we would be
very happy to work with you to see how best to make it happen.
Senator Kohl. Mr. Berman.
Mr. Berman. I certainly support the idea, particularly if
it has a time frame and some very specific questions about
remedies. The last privacy commission 20 years ago really did
get out of the one-size-fits-all and looked at the particulars
of different industries and the technology. In the absence of
OTA and all of that background, this would be very helpful.
In the CDA legislation on child decency, Congress passed a
second statute. It is now being enjoined in the courts, and
they added to that statute a commission to study the issue
about what was the best way to do it. They passed the
legislation before they finished their commission work. Now,
the commission is going to start. I think the better way to do
it is to have the commission and then pass the legislation. So
that would get it right for once.
Senator Kohl. Thank you. Mr. Bodoff.
Mr. Bodoff. I think there is a variety of ways of answering
that question, and let me take two approaches. First of all,
when we deal with bad apples, the first concern always has to
be companies who don't post any privacy notice at all. If we do
our job correctly in the self-regulatory area and we get out
there and we educate consumers to look for privacy policies,
the marketplace is going to drive companies to put privacy
notices on their Web sites.
If a company has a privacy notice and violates it, through
a self-regulation process and working closely with the Federal
Trade Commission and other regulatory organizations, those can
be acted upon as deceptive trade practices. But a lot of talk
is on the bad apples, and in our extensive experience looking
at the Internet, our greater challenge is a lot of the new,
smaller businesses coming online that we wouldn't describe at
all as bad apples, but they are coming online with lack of
sophistication and experience of how to operate on the
Internet.
And it really is critical for business organizations to
come together and educate these businesses on good practices
because our experience is when we reach out to these companies,
we have very, very good compliance with companies responding
and wanting to do the right thing.
Senator Kohl. Mr. Fischbach.
Mr. Fischbach. Our business has really changed and will
change dramatically over the next 4 to 5 years. I mean, we
started writing software that was costing us $25,000, and some
of the people in the back of the room probably played some of
those games. But, today, we will spend anywhere between $3 and
$6 million to write a title. We will spend over $100 million on
R&D.
The competitive nature of our industry--it is the fastest
growing portion of the entertainment business--puts everybody
up to a much higher standard and really does eliminate a lot of
the bad apples just because they can't afford to compete or
they can't afford to participate in the organization or the
association.
The industry itself is a relatively new industry. Our
association is relatively new, but the steps that we have taken
in order to self-regulate, I think, are to be looked at and
commended. When it was asked by Congress whether we should
create a rating system for our organization or not, as you
know, Senator Kohl, we went ahead and did that, and we have
done it very effectively and we have virtually 100 percent
compliance within our industry.
We have taken the same steps with respect to our Internet
sites and our Internet activities. We do think it is an issue.
We are being very proactive. The companies in our industry
participate on one side from Sony, which is a multi-billion-
dollar company, to some very small companies. So the way that
those rules will become enforced and how quickly we can have
them adopted by our members may be different. It may not be
quite as quick as Congress would like, but we are all moving in
the right direction.
Virtually all of the companies in our association that have
any kind of public presence at all, whether they be public
entities or just basically marketing their products to the
public as a whole, have taken an aggressive action with respect
to this. So I think with respect to our industry self-
regulation will work and has worked.
Mr. Berman. May I just add to my comment?
Senator Kohl. Mr. Berman.
Mr. Berman. A commission should be tracking ongoing efforts
to see whether they are effective. In other words, it should
not be let's all stop and study this, because there are some
very important efforts in technology and self-regulation, and
even legislation at the State level that ought to be looked at
in terms of whether they are effective, and if they are not,
what are the alternatives, and report back to Congress and to
the administration.
Senator Kohl. Ms. Borsecnik.
Ms. Borsecnik. One follow-up point is that represented here
today are some of the more influential companies in the
Internet industry. And as such, we have a great deal of
responsibility and influence on other players. We have
mentioned a couple programs today, including AOL's Certified
Merchant program, IBM's advertising program, in which we have
the ability to influence that sphere of business contacts and
partners by only engaging in business contracts that require
our business partners to follow our privacy policies or privacy
policies of a standard set by BBBOnLine, or only allocate
advertising dollars to those sites that agree to comply with
that. I think that that is having an enormous impact, also, on
the proliferation of privacy policy sites on the Web.
Senator Kohl. Thank you all.
Senator Thurmond [presiding]. Senator Leahy.
Senator Leahy. Thank you, Mr. Chairman. One of the things I
have been concerned about is the different privacy policies of
different companies. I look at Web sites and while many various
companies have policies, it gets kind of confusing because they
are so different. Some sites reserve the right to change their
policy, but only a few explicitly state that a change in policy
will not affect what they have already gathered. And the fact
that they may just suddenly change their mind is a little bit
puzzling.
I looked at one I have got here from Polaroid. It says,
``we reserve the right to change this statement at any time''
on what they do. It says that they collect aggregate and user-
specific information on what pages consumers access or visit. I
consider myself somewhat Web-savvy, and I am sure that the Web
master finds this perfectly clear, but I am not quite sure what
it is they are finding out. In any event, they say they can
change that any time they want anyway, so it probably doesn't
make any difference what it is they are finding out.
In fact, I saw one, Purina, which goes on at great, great
length about it. It is very specific, very legalistic. It looks
like a corporate merger proposal. Then we have another one,
though, that I do kind of like, Super Stats. They give you the
legal line and then they put in parenthesis, ``translation: we
don't see or give your info to jerks who want to send you a
bunch of junk mail.'' That, I like. [Laughter.]
You know, I am a lawyer, but that one I can understand and
I think it is kind of nice.
I am not suggesting we sit here and impose a uniform
privacy policy, but how do we reduce the confusion for
consumers without us standing up here and saying here is what
it is going to be? I mean, how do you do it in such a way that
I go from company A to company B, to a travel agency, to this,
to that and the other thing, and have some idea what the
consistency is?
Mr. Wladawsky-Berger. Senator, that is one of the reasons
to make it very simple for a potential customer to see the
practices that we all support so strongly--the seal programs
like BBBOnLine or TRUSTe. The hope is that when you go to a
site and you see a seal program that you trust, it is like
buying, let's say, an electric hair dryer, seeing that
Underwriters Laboratory----
Senator Leahy. I don't use a hair dryer with my hairline,
but I understand what you are saying.
Mr. Wladawsky-Berger [continuing]. Or some other electric
appliance, and it has Underwriters Laboratory. They have a good
reputation. At least a base level of good practices has been
followed.
Now, it is all very new. TRUSTe has been in operation about
a year, 2 years now, and BBBOnLine just started. So we don't
have enough information whether that will be enough. That is
certainly the hope we have for the seal programs, to make life
much easier.
Senator Leahy. I have said this to your company up in
Vermont: I feel, as I said earlier today, too, that good
privacy policies are good business policies. I think what IBM
did in your decision not to ship the Pentium III chip with the
built-in serial number activated and in your decision not to
advertise IBM on Web sites without posted privacy policies is
very good and I hope that produces results. But I also hope
that what it might do is be a kind of a corporate example that
others will follow.
Mr. Berman. Senator.
Senator Leahy. Mr. Berman.
Mr. Berman. I think that the seal programs are attempting
to make some consistency across the Net in terms of
expectations so that if it is a Good Housekeeping seal of
approval or BBB, you will have some sense of what the
parameters of those privacy policies are.
We are very much in favor of a technology step, which is
the development of what is called a Platform for Privacy
Preferences, which would allow you, every consumer, to set what
your preferences or your expectations of privacy are as you go
shopping and going around the Net. And it will only go to sites
that are consistent with your preferences. And if it is
inconsistent with your preferences, that site would have to
negotiate with you. If they want more information from you and
you don't want to give it to them in your browser, they would
have to explain what the big deal is and why they are giving it
to you.
I think that is absolutely essential because there is no
way that the consumer is going to be able to read, let alone
offline, but online, all of these policies. They need ways to
make it seamless as part of their Web experience.
Senator Leahy. Well, I know if I get my Internet through
the phone company or the cable company, either under 47 U.S.C.
Section 222 or Section 551, they have to give me a very clear
understanding of how the information might be used. But if you
are going outside that, AOL, for example, works very hard at
protecting it, but that is still going to be a corporate
policy, not a legal policy.
Mr. Bodoff, you were trying to say something there. I mean,
what I am saying is I want to know, if I have a certain
expectation under one way of having it provided, how do I get a
similar expectation under another one, because most people have
an expectation of privacy and may not realize that it may vary
considerably where they are.
Mr. Bodoff. Well, I think one of the most important aspects
of the program that we have just launched was the development,
through the effort of many companies and privacy experts
working together, of what we would call a series of best
practices. In a sense, it is a road map, and any company who is
applying for our seal and they go through their process, they
have to evaluate their privacy policy against these best
practices.
So the issue that you started with, Senator Leahy, would be
addressed in the criteria in our program. Each of the companies
that have been approved to date in our program have had to make
adjustments to the processes. So what is going to happen is as
more and more companies go through these self-regulatory
processes and match their own efforts against best practices
that have been developed, we are going to see improvements in
privacy policies throughout companies, and that is small,
medium and large. And I think it is going to be very positive
for the Internet and very positive for consumers.
Senator Leahy. But are you saying that it should be done by
policy and not by law?
Mr. Bodoff. We are a self-regulation organization. We
believe we have laid out models that have been developed in
consensus environments that really point to excellent practices
that should be included in a privacy policy, and we have given
the road map for companies to follow.
Senator Leahy. But the industry seemed to say they weren't
good enough or fast enough last year when they supported the
Children's Online Privacy Protection Act. They said we had to
have a law. The Federal Trade Commission, I think, yesterday
proposed the rules for implementing that new law which
prohibits Web sites and online services from collecting, using
or disclosing children's personal information.
Why shouldn't industry support for the Children's Online
Privacy Protection Act be taken as an admission that self-
regulation has serious limitations? Ms. Borsecnik.
Ms. Borsecnik. I think there is an obvious and real concern
about children that requires even more sensitivity, perhaps not
the patience to wait as the policies evolve. Therefore, we were
very supportive of those efforts in the area of children
because there is just a certain extra added degree of concern
that you need to apply to kids under the age of 18.
In terms of the privacy seals----
Senator Leahy. But let me just stop just for a moment. I do
Internet chats almost once a week for the different schools
around my State. I find it very exciting, especially when I see
the quality of what the kids are asking, oftentimes better than
the quality of some of the questions that we get in debate
around here.
But I have no way of knowing what their age is. I mean, the
school will tell us when they come on, but I wouldn't know
otherwise. I don't know whether they are under the age of 13
and subject to the new law or not. I mean, how can you possibly
do that?
Ms. Borsecnik. How do we know that? Well, at AOL we
encourage parents to set up separate accounts for kids that are
set up specifically with controls in place for children that
limit their ability to interact online in adult areas. And, in
fact, that effort has been very successful. At this point, over
75 percent of households with children in them that are AOL
users use parental controls for their kids' accounts. So we
have worked really aggressively in that area because we do
believe that added care and protection is required for kids
online, and added supervision.
Senator Leahy. I cut you off earlier in your answer.
Ms. Borsecnik. I am sorry. I was referring back to the
point someone made earlier about these Good Housekeeping-
equivalent seals. They are very helpful, we have found, among
our members in helping convey that sense of security. What we
found when we started looking at our privacy policy and
rewriting it a year ago was we are throwing around terms that
we assume other people are comfortable with, even things as
simple as ``notice'' and ``choice.'' You know, we are drinking
our own bath water.
When you talk to customers, they want to know, are you
giving out my phone number? Are you giving out my screen name?
Are you following me around where I am going online? You know,
really basic questions that anybody would be concerned about,
and so we found that it is absolutely essential that privacy
policies need to be stated in very plain English.
Furthermore, they need to be available in an area that is
easy to find online. When a customer first joins AOL, they see
the privacy policy right when they are signing up to become a
member and giving us their credit card. So everything that we
can do and require our business partners to do that educates
consumers at a really very basic level is necessary, and I
believe the seal programs help in that regard, too.
The Chairman. Mr. Berman.
Mr. Berman. Senator, I think that the Child Protection Act,
which we supported and worked on, and your mention of the Cable
Act, is a very good example of what we are facing here. It
would be great to just pass the Cable Act for the Internet, but
as you know from the CDA experience, this is not just a cable
network. It is very different. It is cable, television and
everything all piled together. So trying to figure a one-size-
fits-all across the Internet is very difficult to do.
What happened in the children's area is there was a clear
set of concerns. It was an agreement on what was wrong, that it
was inappropriate to collect that information on children.
There was an effort to define what was a kid's site versus an
adult site to hone in on that, and giving the FTC the
flexibility to try and implement it in a way that balanced
commerce, privacy and First Amendment rights. It had the
element so that it was over-burdensome.
I think that the real worry of Congress stepping in is not
that they couldn't set the right rules, but that the privacy
rhetoric and the demands could be counterproductive by passing
an overall one-size-fits-all statute. I think that is the
concern, not whether legislation ultimately is needed.
Mr. Fischbach. In our industry, I mean we will move to
electronic distribution of software. I mean, that is evident.
In the next 4 to 5 years, 30 to 40 percent of our revenues will
come from electronic distribution. Our consumer expects us to
talk to him, whether he be 12 or he be 24 or he be 36. And
unless he tells us what his age is, we won't know that.
But we have a real issue with how to communicate, how to
give him patches, how to tell him how to handle certain issues,
because they will come and they will talk to us on the
Internet. We have a Web master that goes back and forth. You
can come to the site and you can find out about the products
that we have or about the forthcoming products. We will
sometimes send a notice and we will announce new products to
him.
But the basic information we are collecting is just an e-
mail address, at most, and very, very limited use of it. But it
does create a question of how we deal with the child under 12.
And I think in our industry, about 30 percent of the software
is sold to children under 12 years old, and the balance is sold
to adults or those over 12. So it is a real issue for us, and
not one that I think legislation----
Senator Leahy. It is also one where parents have got to
start paying a lot more attention. You can't just simply say
the companies and the Congress are going to do it. I mean,
parents are going to start spending some time in finding what
their kids are looking at off the computer, where they are
going and how they are doing it.
Mr. Fischbach. And we came together as an industry and we
spent about 6 months trying to hammer out a policy that we have
agreed to as an association, and then giving that policy to
another board to enforce what works with the seal. So there is
a check and a balance that exists within the system, with
penalties that go along with it, and a way for people to become
notified if a particular company isn't following the particular
protocols.
The Chairman. Thank you.
Senator Thurmond.
Senator Thurmond. Thank you, Mr. Chairman. I am pleased
that we are holding this important hearing today on privacy and
the Internet. I commend Senator Hatch for his leadership in
this matter.
Consumers are concerned about privacy. A Business Week
magazine poll has said privacy is a major reason many consumers
who are not using the Internet have stayed off. Therefore, this
is an important issue. At the same time, I am concerned about
government regulation being the solution. I am pleased that we
have many industry representatives here to discuss their
efforts to advance Internet privacy. I share the view of
Senator Hatch that self-regulation is better than a detailed
legislation mandate, and I am glad to have all of you with us
today.
Now, I have a question I would like to ask, and any one of
you can answer it if you want to volunteer. When we talk about
Internet privacy, there are a number of different consumer
concerns that people talk about. We hear that consumers are
concerned about the collection of personal data and that this
affects their participation in electronic commerce.
Based on the information you receive from your customers,
and based on your experience in this business, I would like to
hear from you what you believe to be some of the leading
privacy concerns of consumers. What is it that consumers are
concerned about that is keeping them off the Internet?
Let's start with you, Mr. Fischbach, I think, and I would
like to hear from any of you that care to express yourselves.
Mr. Fischbach. I think the principal concern of the
consumer is how is the information used; what do you know about
me, and how can I stop you from using it from time to time if I
don't want you to use it. In that regard, we have been pretty
proactive in explaining to the consumer how we use the little
information that we collect and how he can take his information
off our list and how we clean our list from time to time so
that we can basically deal with his issues.
Senator Thurmond. Does anybody else care to comment?
Ms. Borsecnik. I would like to comment. Our customers tell
us three major concerns, as well as others, but the three major
ones are, first of all, I am concerned about the security of my
data online. One of the obstacles to e-commerce is concern
about whether or not, when I enter my credit card and transmit
it across this unknown network, whether it is safe and secure.
And our customers tend to associate those security issues and
privacy issues all together. To them, it is just one sort of
vague concern.
The second area we get a lot of concern about is are you
tracking where I go and what I do online. Specifically, it is
none of your business whether I am researching some health care
issue for my family. So there is a lot of sensitivity there.
And then, finally, the question we get a lot is what of
this information do you share with anyone else. As our members
establish a business relationship with us, they know and agree
that certain information we collect we need to use for business
purposes. We need their credit card information, we need their
mailing information. But they are very concerned about our
practices in regard to how we share that with third parties,
whether they be private industry or the government. So those
are issues that we address very specifically in our privacy
policy and give our customers choices about opting out of.
Senator Thurmond. With all the recent media attention to
online privacy, many groups are advocating that we develop
legislation imposing privacy standards for the Internet. In
your written testimonies, most of you believe that broad
Federal legislation to regulate the Internet at this time is
premature.
As someone who has been dealing with both the policy and
business implications of privacy in the real world, can you
tell us what problems would occur if broad Government
regulation were imposed for privacy on the Internet? I call for
a volunteer. Go ahead.
Mr. Wladawsky-Berger. Senator Thurmond, the biggest concern
we have is that it would make it very cumbersome especially for
the smaller businesses we all have a hope to attract into the
networked economy to get on. The larger companies--IBM, AOL and
others--could adapt to it, and we can afford the expenses of
what it takes.
But for all of us, the biggest promise of this information
revolution is reaching out, connecting everything, reaching
everybody, businesses of all sizes. And we want to make it as
easy for the businesses to get on and participate. As one of my
colleagues at the table said before, the vast majority of small
businesses want to do the right thing. They just don't know
because they haven't used these technologies before. And we
worry that if we have excessive regulation at this time, before
we know what is needed, it will detract quite a number of them
and that will not be good for them.
Senator Thurmond. Mr. Berman, do you want to comment?
Mr. Berman. Yes. I think that on one extreme is self-
regulation will solve this whole problem. That is just not
going to happen. On the other side is there is something called
excessive legislation, and I think that I would agree with you.
You were talking about the European model of a big data
protection board sitting on top of the Internet.
But I also think that it is possible, and it is not a one-
size-fits-all. But within those parameters, there is something
less than excessive legislation and more than self-regulation
which Congress ought to look at it, which is to try and figure
out what the differences are between the different sectors on
the Internet, create safe harbors there, create remedies that
work, bring that down to concreteness. That is not an
impossible task; it is absolutely an essential task that
Congress do it and move.
And I think that the IBM's and the AOL's and the IDSA's
will be the flagship and set, I think, the good safe harbor
standards about what is good behavior on the Net. But for the
millions of Web sites that are not going to comply with
BBBOnLine, are not going to join any seal program, have no
incentive to do privacy, I think public policy requires that
Congress address that issue.
Senator Thurmond. Thank you.
Ms. Borsecnik. One other point. We keep referring to the
Internet industry, and the truth of the matter is the Internet
is not an industry. The Internet is a medium and the Internet
touches every single industry. So when you think of it that
way, everything from A to Z--the travel industry, the personal
finance industry--you know, every piece of commerce, every
business is moving online in one way or another. It gives a
good perspective of the complexity of regulating an environment
in which clearly one size can't fit all.
Mr. Sheridan. From our point of view, the issue is how is
it that it is not immediately out of date in something that is
moving this fast. The Government isn't known for its own speed,
and our concern would be that a proper balance would absolutely
have to be struck. And our concern is it is a snapshot in time
again.
And the other one is just plain old confusion; it would be
a different kind of confusion. How do we avoid confusing people
additionally with a great deal of new regulations? That would
be another one of our concerns. How does this not turn into a
mess and a slippery slope if we do this and then all kinds of
regulations follow and build on it, because once it is written
in, it is very unlikely to ever go out.
Senator Thurmond. Thank you.
Mr. Berman. May I respond to that?
Senator Thurmond. Mr. Berman, did you want to say
something?
Mr. Berman. I just want to respond to that. I think that,
yes, there are very serious concerns that you could, you know,
bollux up the Internet, and my organization shares those
concerns. And a rule could be obsolete tomorrow, but there is
no reason why you cannot have the flexibility to try and figure
out a process which recognizes the flexibility, the changing
nature of the Internet, and tries to get going on these
problems.
I think that one of the confusions out there now is that no
one knows what the rules are, whether they are simple or
complex. And I think that consumers are staying off the
Internet because they don't know whether there is any privacy
out there, and there are a lot of companies that don't know
what their liability or exposure is, or what is coming down the
pike. So it is very difficult to plan for privacy. Getting some
simple rules and simple remedies, not complex and excessive,
might help the Internet so that it would know where it is.
Senator Thurmond. Mr. Fischbach, in your testimony you
address some practical problems with implementing effective
privacy practices. I think it would be very helpful to us as
policymakers if you could share with us some specific examples
of the problems that have occurred.
Mr. Fischbach. Well, databases are probably the easiest one
to point a finger at. In terms of where we have collected
information in the past, we have been in business for a dozen
years or so and we have collected information from our
consumers based on registration and warranty cards that we
compile on a database and from time to time sift through. We
also have operated several different sites from time to time
where we collected information from consumers, for whatever the
reasons were, that would talk to us.
When it came to the question of how we deal with the term
``access'' and how we define what we are supposed to do with
the consumer who comes to us and says, OK, I would like to know
what kind of information sits in your database about myself,
does that mean as a company that we have to go through the
simple record of the site that we now operate and say, OK, we
can sift through that pretty quickly?
Does it mean that we have to go through the other databases
that we kept and say, OK, now we have to collect that
information to find out what we know about you? Or do we go
even to a third place where we have collected these warranty
cards from our consumers who registered with us for products?
And we ship about 15 million boxes a year, so we have lots of
cards that we have been dealing with over the last 12 years or
so.
And the question is how do we interpret that. We
interpreted that language to say that we would use reasonable
efforts to come back and provide whatever information the
consumer was asking for to tell him what we knew about him that
sat in our database.
Senator Thurmond. Mr. Bodoff, some----
Mr. Bodoff. Well, I probably could share some of these--I
am sorry.
Senator Thurmond. I just started to ask another question.
Did you want to comment on this?
Mr. Bodoff. The only thing I was going to add to that from
our experience and in the development of our process and
hearing many companies going through it is that having the
opportunity to revisit and look at what is identified as good
practices, large companies with multiple divisions are finding
surprises. That is going to happen. The positive thing is
moving to address them. Having information being maintained on
a Web site by a lot of different business units, it has to
filter down to these large, diversified organizations. So as
they move to improve their privacy policies, I think
organizations are finding challenges in front of them, and the
positive thing is the way that they are responding to them.
Senator Thurmond. Mr. Bodoff, some of the witnesses have
noted the industry seal programs, such as BBBOnLine and TRUSTe,
to address self-enforcement. Can you explain how BBBOnLine
works and how BBBOnLine is different from other seal programs?
Mr. Bodoff. Well, as I mentioned earlier in my testimony,
we have an 86-year history in self-regulatory activities. Our
program, we believe, goes much further than any other privacy
seal effort on the Internet. It is extremely comprehensive in
that it does not look at just the privacy notice. It looks at
the entire information practices within the company and it
evaluates whether the company has the processes in place to be
able to live by the privacy notice. And that is very, very
important because that is where we are getting feedback from
the companies.
Now, when they are asked to measure their processes against
the policy statements that they are making is where the rubber
hits the road and when they really realize whether indeed they
do have the processes in place. So I think it is the
comprehensiveness, the way our program has been described, the
name recognition. One of the things that we bring to the table
is very quick public confidence levels in a seal associated
with the Better Business Bureau name because of the public
trust level associated with our organization.
Senator Thurmond. I now have to leave for another
engagement. I wish to thank all of you people for coming here
and testifying and giving us the benefit of your good advice.
I thank you, Senator Hatch, for the good job you are doing.
The Chairman. Thank you, Senator Thurmond.
Senator Schumer.
Senator Schumer. Thank you very much, Mr. Chairman, and
thank you for having these timely hearings. I think it is so
good that we are having hearings before any proposals are
before us on an important issue. I am new to this issue and am
glad we are also trying to make it a good, strong judiciary
issue.
So I have some questions, I guess. My first question deals
with my experience with privacy issues and with other kinds of
issues in the House. And one of you mentioned this, but no one
focuses on it. Usually, when government is importuned to act,
it is because there are bad actors. There are not the IBM's or
the AOL's, but others who do things that horrify people. And
sure as we are sitting here, there are going to be bad actors
who do something. They will sell private medical records that
they get hold of or something like that.
What do any of you suggest we do, just say, well, you know,
relying on the marketplace? That won't work. These are market-
driven decisions. Self-regulation? That doesn't work. By
definition, a bad actor doesn't submit to self or industry
regulation. How do we deal with bad actors, and if we don't
deal with them, isn't it likely that they will just grow and
grow and grow, and actually hurt you folks who are trying to
do--I respected the statements that everyone has done here
because you are trying to do the best work.
So that, to me, is the fundamental question here, not the
95 percent of those involved who would find a balance. Left to
your own devices, you will find a balance between freedom of
speech and privacy rights, but there are some who won't.
Yes, the gentleman from IBM.
Mr. Wladawsky-Berger. Senator Schumer, first of all, as my
colleague from AOL said before, the Internet is a medium, and
it is a wonderful, mysterious, very flexible medium. But what
is happening more and more is that the technology is now
disappearing into the woodwork and enabling lots of
applications.
Now, for a lot of bad things that would happen on the
Internet, there are probably already laws to handle those bad
things because people are doing things over the Internet that
have been done for many, many years. And so one thing for sure
is to have a good understanding whether existing practices
protect that, and if so, apply those protections. And then when
they don't, then one can look at incremental changes to the
protection. So I would say that is point No. 1.
Senator Schumer. If I might, I agree with you, and
certainly in an ideal world you could apply the--the Internet
basically just speeds information up.
Mr. Wladawsky-Berger. Right.
Senator Schumer. It doesn't change the transaction of
information. However, because things are so quick, there are
detection problems; there are problems that are different than
non-Internet problems, in actuality.
Go ahead.
Mr. Wladawsky-Berger. I agree totally with you. It is not
identical; it is an extension. I mean, the reason it has
exploded in the marketplace, and the reason there is so much
activity is that it is such a phenomenal extension. But for
lots of problems, there are probably already recourses. That is
the only point we should understand.
I think point No. 2 is I would say that massive education
is needed so that consumers, businesses, everybody knows sort
of the rules of the road. This is what is expected, this is
what you should do, this is what shouldn't happen. And we are
all pretty comfortable that the more education there is, the
better things will get. Maybe it is a little bit naive, but we
have seen already----
Senator Schumer. The more education, the better the good
people can be and the worse the bad people can be.
Mr. Wladawsky-Berger. I realize that, but lots of things
can happen also if consumers realize this is what you should
expect from Web sites you deal with. So it is not just that
there won't be bad Web sites, it is that the invisible hand in
the sense of they lose all their customers will take care of
that.
And then when that doesn't work, then we are not against
legislation. We are not against the Government acting. We are
saying let's not do it on a broad basis; let's do it for highly
targeted problems when we find them. And protection of minors,
protection of very sensitive information like medical records,
might be in that category where we do need legislation. And
when we find those highly targeted categories, by all means we
should take action.
Senator Schumer. Yes, Mr. Berman.
Mr. Berman. There is a lot of truth in what he says. We
have a very weak privacy regime for data in this country. We
talk about privacy, but it is pretty thin in terms of
legislation. There is no medical privacy. There is higher
protection for video records than for medical records, and
higher for video records than financial records.
So there is a whole set of sectors where we have stopped
doing any work or haven't been able to break the logjam between
the different sides which need to be resolved because that
information is moving on the Internet. So there are specific
problems that need to be resolved.
I think the difficult issue, and I think it is worth
working on, is what are the remedies for violations in the
commercial transaction world. When I talk about medical records
and the big database, I understand someone ought to go to jail
for that. There is a problem when you get down to when L.L.
Bean takes--and forget their name--without my permission, gives
my name and my address to REA, and they did it intentionally.
There is a harm there, but what is it, and what do we impose on
REA?
If we don't figure that out and make it clear and specific
and proportional, a lot of little companies aren't going to go
into business. IBM can figure that out and go to court, but the
vagueness, due process, and First Amendment issues that are
raised by privacy remedies have not been addressed.
Senator Schumer. I agree with you. I mean, we have had this
in credit cards in the Banking Committee and we still haven't
come to a good solution. But in reference to what Mr. Wladawsky
said, you are right, we haven't come to this, but the
Internet--I mean, hospital records; 20 years ago, the damage
that would occur to your privacy would be maybe if someone who
had access to those records gave them to a friend and somehow
you heard about it. When it happens, the damage is limited and
it doesn't happen that often.
With the Internet, the chances of those records being
spread to everyone in the world is much greater. That is the
quantum difference here, which is a serious difference, and
that is why we are having these hearings and we never had
hearings on these privacy issues before.
Yes, Mr. Sheridan.
Mr. Sheridan. I think the context is what we are talking
about. The Internet is in many places simply replacing certain
processes, and there is no real protection for medical
information bureaus for what they do. And they have been
selling our information, and it may be even worse than not
having it in the Internet because at least on the Internet, I
am on that network. Before, there was a network between the
insurance company who is checking my application for health
insurance or life insurance and I have no idea what is going
on.
So what I am trying to say is this is in the context of the
Internet is an attractive target for it, but it is actually a
much broader problem than that.
Senator Schumer. It is, but the Internet is bringing it to
a head. That is the bottom line here, and I still think we are
going to have to figure out, whether we do anything or not,
some way to deal with bad actors. It may be as simple as what
Mr. Berman said, increased penalties for those who do. Maybe
there needs to be a greater prophylactic measure. I don't know.
I am just getting into this. All I can tell you is I think the
problem is not going to go away. I think it is going to get
worse because the bad actors have more clout and more ability
to do things, and we have to deal with it.
I just had one other question. Did you want to say
something, Ms. Borsecnik?
Ms. Borsecnik. The only other comment I would add to that
is they are also more highly visible and more exposed in this
medium, which is a good thing for everyone. I think an enormous
amount of attention is paid when these things happen. So I
think rather than them proliferating like mushrooms in the dark
somewhere, they will be further exposed in our industry because
it is so open.
Senator Schumer. Yes, and you will have a greater--I mean,
there is a privacy issue and there is an accuracy issue, and
the accuracy issue will--as I think Mr. Sheridan mentioned,
that will be better because it will be out in the open, as you
say. But the privacy issue is still one that hasn't been dealt
with.
Mr. Sheridan. It is like Mr. Berman is saying that there is
a very fine line between our other freedoms.
Mr. Berman. One point. We have worked on privacy issues
before, particularly the law enforcement and privacy balance.
Senator Schumer. Yes.
Mr. Berman. And I said at the start of my testimony that
Senator Leahy's effort to look at the Fourth Amendment issues
on the Net are incredibly important because these companies are
creating new kinds of data that make the Monica Lewinsky book
purchase subpoena a piece of cake; I mean, just incredibly
sensitive data being put away from your home and on the
Internet. And we have got to figure out the standards of access
for that for government agencies as against----
Senator Schumer. This is one other point that I would like
to make, a separate point, as somebody who is not as proficient
as my children on this, but I am sort of learning. So I usually
late at night read a national publication on the Internet, and
I was wondering why they did it because I don't have to buy it
the next day. And, you know, they got smart and last week they
changed the whole system where you can only read parts of it
now.
But they also made me register and they just said, you
know, they wanted my name and all that, but they wanted my
phone number. Well, I didn't want to give them my phone number
to get this, only because I wanted to make sure that they
wouldn't give it to 30 people who would keep interrupting us at
dinner.
And I, who is probably middle-level proficient, but
assuming from everything you say that everyone is going to be
using this service, so I will probably move to a higher-level
of proficiency over the next few years--I couldn't find out
what they were going to use my phone number for. I punched
around, I went to ``Help,'' I did everything I could. I could
not find out why they wanted to use my phone number, so I
didn't register.
So there is a long way even on the things--forgetting the
bad actor for a minute, this related to what you said, Ms.
Borsecnik, that those of us who are not as proficient as you
have very sort of elementary questions that for a semi-literate
person in this area is very hard to figure out the answers to.
Ms. Borsecnik. And you didn't register and they lost a
customer, so they are going to realize that pretty quickly that
they are losing people.
Senator Schumer. But they have no idea why I didn't
register.
Ms. Borsecnik. Well, it will become obvious.
Mr. Berman. Yes, they will figure it out.
Senator Schumer. They will?
Ms. Borsecnik. Oh, yes.
The Chairman. Or you can type in 11111.
Senator Schumer. Well, you know what? I thought about that.
[Laughter.]
I thought of doing 1234567, and then I said, well, you
know, maybe I better check if I am violating some kind of rule
or something like that. [Laughter.]
The Chairman. Well, that is why I said 11111, because some
poor slob could have that 1234567.
Senator Schumer. That is true, that is true. Good point.
You know what, Mr. Chairman? This is a pretty good political
opportunity.
Mr. Berman. It might have been his phone number.
Senator Schumer. I would never do that to my Chairman, for
whom I have tremendous esteem and respect.
Mr. Sheridan. We are actually developing a product that
will, if you choose to as your own personal policy, fill that
in with random information that will appear correct, and it
will be different every time.
Senator Schumer. Ms. Borsecnik wasn't so happy with that
idea. [Laughter.]
Well, Mr. Sheridan, if you want to establish a branch
office in New York that has 80 or 90 people to do that, I would
be all for it.
Mr. Sheridan. We have quite a few people in New York.
Senator Schumer. Anyway, please.
Ms. Borsecnik. My point was my view is that companies
shouldn't be collecting information that is not necessary to
run their business, or they should make it very obvious what is
optional, what is not optional, and how you can exercise choice
about how that information is used.
Senator Schumer. By the way, I wouldn't have even minded if
this company wanted my phone number to solicit me for them. But
I was worried they would sell it to somebody or to a lot of
somebodys.
Ms. Borsecnik. Right.
Senator Schumer. Thank you, Mr. Chairman.
The Chairman. You are welcome.
Senator Feinstein.
Senator Feinstein. Thank you very much, Mr. Chairman. My
concerns, in a sense, parallel Senator Schumer's. I, like him,
am somewhat a newcomer to the Internet. I am the proud
possessor of a new ThinkPad which I enjoy very much.
Mr. Wladawsky-Berger. Thank you.
Senator Feinstein. You are welcome. [Laughter.]
However, I have watched this privacy issue two-fold. The
first has to do with the giving out of personal financial and
medical information, some of it the most intimate details. And
I have noticed then people begin to bring it in the public
arena, and slowly the industry begins to respond by some form
of self-regulation.
I also have concerns on the other element of privacy and,
of course, that is the pedophile looking for a victim. That is
the drug cartel using highly encrypted computer technology to
conspire to move tons of cocaine into this country, and that is
the terrorist, as we found in the Philippines, using the
privacy that encryption provides to conspire to blow up
airliners.
I am as heartened by anything, frankly, as Mr. Berman's
comments this morning that the industry is beginning to realize
that it has to be more vigilant with respect to self-
regulation. I mean, I know of no excessive legislation being
proposed anywhere, certainly in this body, with respect to
regulation. I do, however, think the jury is out with respect
to self-regulation. And there are many of us with respect to
children and crime that are really watching very carefully.
I, for example, will look to see where the youngsters from
the incident yesterday in Denver got the information to put
together the 30 explosive devices that they put at that school
and whether it came, in fact, from the Terrorist Handbook,
something that I have been trying to get off the Internet for 5
years now. It gets passed in the Senate and it gets deleted in
the conference. So I have a little bit of frustration when I
see somebody advertising, if you want to learn how to build a
bomb that is bigger than the one at Oklahoma City, just read
this.
There was a cartoon in a California newspaper that showed a
mother talking on the phone to a friend who said, I am so
pleased with Johnny, he is learning so much from the Internet.
And there is Johnny over at his computer stringing together
sticks of dynamite. And so I only say that because it is a
problem out there and children have blown themselves up, and I
have enough testimony to know that that is an accurate
statement.
The question is really what we do about the abuses. Now, I
am not talking about the companies, but the real abuses. And I
would be interested, Mr. Berman, if you would be willing to
expand a little bit on your comments in this direction.
Mr. Berman. Well, it depends on the case we are dealing
with. Certainly, in the real abuses, the pedophile, the people
collecting information from children, and even the marketer
who, under false pretenses, collects information and sells it,
to my detriment, there needs to be a set of penalties, both
civil and criminal, that make it clear that that is
unacceptable behavior.
Senator Feinstein. Is your organization willing to work in
this direction?
Mr. Berman. Absolutely.
Senator Feinstein. I would like to work with you.
Mr. Berman. As you know, we have had a debate about where
to draw these lines, and I just got appointed by Senator
Daschle, for good or for evil, to the COPA commission to again
look at the issue of indecent communications on the Internet
and what to do about that. I want to try and find solutions to
keep that information away from children, but to try and do it
consistent with this technology and the First Amendment.
Two times I have said to the Congress I agree with your
goals, but it is not going to work legally, so why don't we
work a little more closely together to try and fine-tune this?
And I think that solutions are possible, both in the First
Amendment area and the privacy area, but it requires everyone
taking a deep breath both on the privacy front and the law
enforcement front, and even on the pornography front, and
saying these are hard questions. We know it when we see it, but
someone's Spam is someone else's First Amendment leaflet. How
do we sit down and craft remedies? I am glad to work on that.
It is just not a fast train.
Senator Feinstein. It is very interesting. As a newcomer to
this, I am so amazed by the power of it and the speed with
which the technology is improving. I mean, just to keep up, I
have had to buy two new computers in 4 years. Things change so
fast.
And I think none of us want to impinge on the First
Amendment. On the other hand, one of the things I have been
very concerned about is drugs coming into this country, and
cocaine literally coming in by the ton and the inability to do
anything about it. And we are told constantly that intelligence
intercepts are way down because the telephone isn't being used
anymore. Therefore, they can't get court orders to tap a phone
because the phone isn't being used. But another vehicle is
being used, and that, of course, is the computer. So how we get
at this to prevent these kinds of major conspiracies also I
think is something I would like very much to work on. I don't
know the answers.
Mr. Berman. Well, my experience has been that whether it is
passing the Foreign Intelligence Surveillance Act or the
Electronics Communications Act--that tells how long I have been
around here--in all of these statutes, where law enforcement
issues and privacy issues have been on the table, it ultimately
requires some consensus and tradeoffs on both sides.
Law enforcement may need ``A'' and clarification of its
authority to do something, but at the same time Congress needs
to be looking at the need for adjustments on the privacy side
so that there is an increase in privacy as well as law
enforcement and national security. Every time you have been
able to find that kind of balance so that everyone has
something to gain from it, you have a chance to craft
meaningful legislation.
Senator Feinstein. I am really heartened to hear that. Your
testimony today, for me, was a major step forward from what I
have been hearing for the last 6 years, and I just want to
thank you and commend you for it.
If anybody has any other comments to make on that, I would
like to hear them, but I would like to ask Ms. Borsecnik
something about your written statement just very quickly. You
implied that AOL doesn't read private online communications,
but you said that you carefully monitor your children's chat
rooms and message boards.
Ms. Borsecnik. Right.
Senator Feinstein. How do you do this?
Ms. Borsecnik. Well, there is a difference between private
and public communications online. Private communications are e-
mail and instant messages. They are one-to-one. They are sent
in privacy. There are also public areas online. Chat rooms are
public areas and message board areas are public areas. That is
very clear to users.
In our policies, we set forth our policy, as you
reiterated, on private communication. We also say that we hold
our members to a certain conduct standard online, particularly
in the areas that are targeted at kids and teens, and that we
monitor what goes on in that area. Typically, the kind of
transgressions we act against are your pretty typical profanity
or threatening other members, the things that go on just sort
of on a normal basis among----
Senator Feinstein. Do you send this to all members?
Ms. Borsecnik. Members review that all----
Senator Feinstein. You have never sent it to me. I am a
member.
Ms. Borsecnik. When you first registered with America
Online and we talked to you about what we call our terms of
service, that information is included in that. And you are
required as part of the registration process to click a button
that said I have read this and I agree to the terms of service.
Senator Feinstein. I never did.
Ms. Borsecnik. It is also available online in a number of
places where you can find it easily. I can send you a link or
whatever. But, clearly, ensuring that people are aware of what
those policies are is important for a variety of reasons, not
the least of which is ensuring an enjoyable experience online,
not only a safe and privacy-secure one, but an enjoyable
experience for the rest of our customers.
So we have rules of the road just like any other community,
and in an online environment it is a little harder to convey
what those rules are because people are anonymous. You wouldn't
tend to stand up in a public forum and be profane. In an online
environment where there is anonymity, we take extra efforts to
explain to people what those community guidelines are. And that
is even more true in the public arenas, as you mention, but we
do have strict policies against private arenas, which are e-
mail, for example.
Senator Feinstein. Could you send me some of that
information that everybody gets? I would love to see it.
The Chairman. I wouldn't mind receiving it, also.
Ms. Borsecnik. I will send it to all of you.
Senator Feinstein. Thank you.
The Chairman. That would be great.
Senator Feinstein. Thank you very much. Let me just ask one
other question about children. I think we all agree that
children present certain distinctive privacy issues due to
their greater vulnerability. So I think it follows that
children should be treated differently by Web site operators
and online service providers. The tricky issue, I think, is how
do you determine when one actually is a child and when one
isn't a child.
I would be interested in hearing from each of you as to how
a Web site operator or an online service provider could go
about determining whether an individual is really a child or
not.
Ms. Borsecnik. I will answer that first. It is a little
easier for AOL because to use AOL, you become a member. You
need to use a credit card to become a member, and so it is not
typical for children to have credit cards. We make it very
clear in the registration process that to register as a member,
you need to have a credit card and you need to be 18 years or
older.
Then, furthermore, we very aggressively encourage parents
with children in the household to set up separate screen names
for those children and designate them in certain age categories
so that we can block certain functionality or areas on the
Internet or our service from those kids.
Senator Feinstein. Could you send me that information as
well?
Ms. Borsecnik. Yes, that will all be included and it is all
explained in that document.
Senator Feinstein. Thanks. I appreciate it. Thank you.
Anybody else on that? Yes, sir.
Mr. Fischbach. We are in the video game business and it is
a real, ever-present question to us as to how we determine who
a child is because it is certainly easy for them to say that
they are not a child, or they just come onto the site and look
around or they drop their e-mail address.
The guidelines that we have chosen to follow are pretty
clear in terms of what we use that information for, so we don't
ask for his address. We don't ask for financial data, we don't
ask for medical records, we don't ask for credit cards. The
most that we ask for is an e-mail address at that juncture.
What we are trying to determine as an organization and also as
a company is how much further should we go in order to
determine whether he or she is or is not a child.
Should we ask them to give us her parent's address or e-
mail address? Should we ask for a telephone number for them?
The more information that we attempt to extract, the more
information we then have available to us and we are not
interested in that information. We are not interested in
somebody coming back. So it is really a question, and we as an
industry organization are trying to look at how to best handle
that situation. There is not a 100 percent answer.
One of the ways that we just attempted to look at it was
just to limit the amount of information because kids will come
online and play games. They will ask for information about our
next products. They will want to know if we have got a bug--if
there is a bug in a game, and all software has bugs, if there
is a fix for it. If I can't get from level 12 to level 13, how
do I do it? And they will come and ask that information and we
will pass information back to them. So it is a difficult issue
and I don't know how we do it. There is not a 100-percent pure
answer for it.
Senator Feinstein. Please, anybody that wants to comment.
Mr. Bodoff. I was going to say the answer is easy to say we
require parental verification before you can collect
information from a child. What is difficult is determining what
is parental verification, and we are really looking forward to
some new technology approaches and new ideas. What we are using
now is basically what the Federal Trade Commission has
referenced, and we use as examples credit cards or e-mail
information from the parents before you can actually accept
personally identifiable information from the child.
But we all know children are creative, and that is a
challenge. And we all, I think, in the business community are
going to be looking for different ways of trying to improve
upon that, but we definitely have a criterion that you cannot
collect information from a child under the age of 13 without
parental verification.
Senator Feinstein. Could I ask a question? Why was 13 set
as the age?
Mr. Bodoff. We are modeling after the Online Privacy Act,
the Children's Online Privacy Act, the Online Privacy Alliance.
It is the feeling that I think--and I am not an expert in the
children's area, but below 13 children do not have enough
cognitive sense to be able to make the right decision when
somebody is asking them to solicit information and how that is
being used. And above that age, children start having that
capability and there is a higher confidence level with that.
Senator Feinstein. Anybody else on that?
[No response.]
Senator Feinstein. I think that is it. Thank you very much,
Mr. Chairman.
The Chairman. Thank you, Senator Feinstein.
Let me just finish with one or two. Mr. Fischbach, I know
you did not come here to testify about the nature of the
products you sell and make available over your Web site, but
many in America are trying to come to grips with the terrible
tragedy that occurred yesterday in Colorado, and really in Salt
Lake City as well, but especially in Colorado, where two
dysfunctional young men murdered as many as 14 fellow students
and a teacher, and then turned the guns on themselves.
I predict that we will learn over the coming days that
those Trenchcoat Mafia boys were obsessed with death and
killing, and that much of what fueled their obsession came from
the Internet and other media sources. In my opinion, our young
people are exposed to too much violence and killing in our
popular culture. You turn on a television set and you have got
murder happening all the time. You flip through any number of
the channels and it is hard to find a show where somebody is
not being killed. You listen to today's music and its obsession
with death and distress, groups like Marilyn Manson, which
apparently these Trenchcoat Mafia members idolized.
Another source for violence and death, of course, is video
games. And I am not meaning to pick on you, but I would like to
have you answer this because I think it is important for all
people in this industry to realize that we watch stuff like
this. Take, for example, Acclaim's ``Shadow Man.'' Now, I would
note that Acclaim has many games on the Web site that are
totally all right and that are not violent.
This morning, however, we went to your Web site and took a
look at some of the other games your company offers and
stumbled across ``Shadow Man.'' Now, here is how your game
information Web page reads, ``A killer is coming walking
between worlds, trailing death from live side to dead side. A
dead man is coming, skull in one hand, gun in the other, a
voodoo mask in his chest and lines of power in his back. A
possessed man is coming, stalking killers in tenements and
deserts, subways and swamps, spirit world and real world.
Shadow Man is coming, voodoo slave and hero, hitman and dead
man. Sometimes, it takes a killer to stop a killer. Uniquely
terrifying third-person adventure. Enter the dark world of Mike
Leroy, hitman, dead man, Shadow Man. Blow your enemies away
body and soul. Go in armed with voodoo power and gunpowder.
Pack weapons like the 50-magnum Desert Eagle, the Violator, the
Flambeau, the Calabash, and many more. Unravel the dark
mysteries or die trying. More than just another blood-drenched
shootout.''
Now, could you tell us how many people access ``Shadow
Man'' on your Web site daily? Do you have that kind of
information?
Mr. Fischbach. We can provide that to the committee if the
committee was interested in that.
The Chairman. OK.
Mr. Fischbach. I can say we are equally as appalled with
what happened in the schoolyard as you and everybody else.
The Chairman. No, I don't mean to blame you for that, but I
just cite this because it seems to me this is one of the
illustrations of what is happening in our society.
Mr. Fischbach. I think, in part, there are lots of factors
that take place in what goes through young people's minds--what
kinds of homes they come from, how they are dependent on other
people, whether their families are really dysfunctional.
We also have a very open gun environment in our society,
where anybody can go buy weapons and anybody can buy ammunition
to do what they please with. Yet, we don't sometimes point at
those issues and say maybe that is part of the problem as well.
There have been lots of studies that have been done with
respect to violence and video games or violence and television
or violence and motion pictures, most of which conclude that
that is not the cause, especially of people like these young
men here, as to why they become dysfunctional in our own
society and do acts that we are all appalled by. So it is very,
very difficult, and it is an issue that we all are confronted
with. I mean, Kosovo is on the front page, as well as this
other one, and we deal in a society that is very violence-
oriented.
The products are a fantasy, and the products are a fantasy
no different than a book or a film or a television show. And
both of us know that you can't go from life side to dead side,
which is the fantasy to begin with. And the game is really an
adventure game that is very suspenseful as you go through. It
is based on a comic book, not unlike many of the films or many
of the books that have already been turned into films or video
games. It is part of our culture.
The Chairman. Well, as you can see, you are making a pretty
good case that we have got a culture that seems to foster this.
I remember the Tupac Shakur matters and how he was calling for
killing police people and a lot of other things like that.
For our information, it would be interesting for me to know
how many people access ``Shadow Man'' on your Web site daily,
whether or not you know how many of them are children, and how
many video-depicted killings they engage in in a typical round
and, in addition, if you could tell me whether you share my
view that there is a collective dumbing-down of young people's
attitudes toward violence. And I am not blaming you or the
Internet solely. There is no question that the Internet has its
bad side.
Mr. Fischbach. With respect to ``Shadow Man'' or the sports
games that sit on our Web site at this point in time, that is
mere publicity and I don't believe there is a downloadable
function from that, except they can take a visual if they want
to take a visual from it. But there is no game-play that is up
on our Web site that we have released at this juncture. So all
it is is a statement about what the game contains, and I think
some pictures about what the game contains.
The Chairman. OK.
Mr. Fischbach. And in terms of the number of people or
whether they are children or not, we don't ask them. So you can
access our Web site without asking our permission, whether you
are a child or not.
The Chairman. But even if you did, you may not be able to
know. These kids are very clever.
Mr. Fischbach. The game also carries an ``M'' rating on it,
so the game is identified for a mature audience. It is not
identified for children.
The Chairman. I see. You know, I held a hearing on Internet
sales of alcohol and I figured that would be an interesting
hearing. You can't believe the fur that has been stirred up
because of that, and you can't believe the arguments on all
sides of that issue. I mean, it was really amazing how complex
and difficult it was, as certainly exists with this.
I didn't mean to pick on you, but I thought I would bring
that out because we all know that there are problems with the
Internet. We all know there are things that are wrong about the
Internet. We all know there are many, many wonderful things
that are right about it, too, and I would like to accentuate
the ``rights'' and see what we can do to alleviate the
``wrongs.''
Senator Feinstein. Mr. Chairman, would you let me ask just
one quick question?
The Chairman. Sure.
Senator Feinstein. Would you agree that this adds to the
culture of violence that is being promoted in the United
States?
Mr. Fischbach. I can't answer that question because--I
personally don't think so. I think the culture that we live in
is reflective of lots of other environments, and I think with
respect to the culture that we live in today with respect to
how we use guns and ammunition, which I am highly opposed to, I
think we are wrong. I think there is no legislation that deals
with guns that is really effective.
When we talk about what should exist and what shouldn't
exist, and you say we are going to point it toward a film or we
are going to point it toward a book and we are going to say,
OK, that is the answer, I think that is a real simple approach.
I mean, it is like a check mark, and if you looked at some of
the other things that exist in our society, because we have
access to all kinds of information, just not what sits on our
Web site, but what sits in public records and what sits in
libraries, what sits in films, it all has an influence.
So you either take a paint brush and eradicate it all or
you deal with it as a society through education. But there are
elements in our society that can be dealt with, such as
weapons, because there is no reason why anybody, especially a
17-year-old kid, should walk around with a gun or be able to go
buy ammunition.
Senator Feinstein. Of course, I happen to agree with that.
Mr. Fischbach. Thank you.
Senator Feinstein. And I have tried very hard, which is not
an easy thing to do around here.
The Chairman. I give her an opportunity every chance I get.
[Laughter.]
Let me tell you, we already have a law that forbids selling
of guns to minors. It isn't perhaps working, and there is no
easy solution because we have people all over this country who
value their right to keep and bear arms. We have those who
abuse that right. But again, as Senator Feinstein has said,
there is a culture here that no one individual, no one
business, no one entity is to blame for all of it. But I think
we all need to work on it and that is the only reason I raised
that.
Let me just say one last thing here. As I noted in my
opening statement today, much of the discussion about possible
solutions revolves around two exclusive models, either
Government regulation by the FTC, the FCC, or some other
regulatory body, or sole industry self-regulation. Mr. Berman,
you have indicated we ought to go as far as we can on self-
regulation, but there is going to have to be some aspect of
regulation.
As many argue against the merits of either one of these
solutions, I think it would be productive to explore whether
another solution possibly exists; for example, examining quasi-
governmental self-regulatory models that have been successful
in other industries. That is what we need to do, it seems to
me. I think it is important to not establish rigid rules in
this area, and instead have a flexible system in place that can
respond quickly to changing consumer preferences and new
technologies, like digitalme, perhaps, designed to give
consumers more control over personal identifiable information.
I don't know whether we have enough information about what
it is exactly that consumers expect in terms of privacy
protection, or even how this is effected. A flexible system
would best be accomplished through self-regulation by members
of the electronic community who are aware of consumer demands
and expectations, it seems to me.
I would like to get your views on whether a model similar
to the one in the securities industry could be useful to
address privacy on the Internet, a model where the basic codes
of conduct are established by the industry with limited
Government oversight to provide for a level of consumer
confidence in the process.
Now, if you believe it could be a useful model, I would
kind of like to conclude this hearing by asking you to work
with me over the coming days and weeks to develop a reasonable
but limited legislative proposal that might help to solve some
of the problems that all of you recognize exist in ways that
don't stifle the industry and don't stifle innovation and
creativity.
I think that is a pretty big assignment, but that is one
reason why we are holding this hearing to see if we can find
some methodologies or some ways of solving these problems that
will protect society, and yet make sure that we continue to go
forward as the leaders in the world in this area.
So why don't I start with you, Mr. Wladawsky-Berger, and
then maybe you, Mr. Sheridan; you, Borsecnik; and Messrs.
Berman, Bodoff and Fischbach. You don't all have to comment,
but if you would like to.
Mr. Wladawsky-Berger. Mr. Chairman, clearly, what should
unite us here is the fact that we want the potential of the
networked economy for the Nation to be fulfilled and all the
positive things to happen and eliminate the negatives. And what
that really means is that it is all very pragmatic. We are
after a common objective, and if there are things that are
highly targeted that can help us better achieve that objective
within a self-regulatory mechanism, we would be very happy to
work with you and investigate what those things might be.
As I said in my testimony, and as we have discussed through
the hearing, the only concern, or the main concern we have is,
because things are moving so fast in such a complicated area,
that we have regulations that will not work and that will make
it harder for the objectives to be accomplished.
However, if we can find highly selected areas where we can
do some good, and we talked about protection of minors as one;
protection of very sensitive information like medical records
might be another that can help start setting the right
mechanisms. And as we learn more, we learn more of what else to
do. We will be very happy to work with you and see what makes
sense.
The Chairman. Well, as you know, one reason we held the
Microsoft hearings was not just to try and resolve some
problems that exist, but basically, I am a firm believer that
unless we attack these problems now, you are going to have an
over-regulatory nature, and that would be very detrimental to
the Internet and to our future and to our future governance of
these innovative and creative matters.
So I think those hearings have proven to be the beginning
of something very important. And I don't wish my friends at
Microsoft any harm. I think the world of what they have been
able to do, but there were some things that needed to be
corrected and I think they are going to be corrected in the
end.
And it is important that we move in these directions
because the last thing on Earth I want is an over-regulation of
the Internet. But at least I have seen from the shaking of
heads that all of you kind of indicate that there needs to be
something here. And I don't want these wonderful, genius
Members of Congress to just come up with it themselves. My
experience has been that they may have a genius of sorts, but
without an awful lot of help, we could really screw up the
Internet, and I don't want to see that happen.
Mr. Sheridan, do you have any comments about that?
Mr. Sheridan. Yes. We would, Mr. Chairman, be more than
happy to work with you on a middle way, something in between.
The Chairman. Put some time into it because, you know, you
have been right in the middle of all this. And, you know, my
experience with the Internet creators is that they just love to
burrow in and solve the engineering problems, but they are not
really concerned about the legal problems or the statutory
problems.
Mr. Sheridan. Social problems.
The Chairman. Social problems, yes, and I think you are
going to have to be because the last thing on Earth you want is
to have us come in here with a heavy hand.
Mr. Sheridan. We agree.
The Chairman. That is where it is headed, I can tell you,
and I am trying to stop it with everything I can. And I think
in the end, Microsoft may not thank me, but the fact of the
matter is I think they will be better off in the end as well.
Mr. Sheridan. We would be very happy to explore new models
and look at what has worked, how can it be simple and flexible
around a model that, as you were saying, is a hybrid. We would
be glad to participate in that, and we would also like to see
what laws could be better enforced, say, around medical issues
and things that are----
The Chairman. Right. Well, see, that is another big issue.
I am very, very concerned. People say, well, we should be able
to disclose people with emotional illness so they can't get
guns. Well, there are a myriad set of problems there,
everything from litigation and malpractice to--I mean, it is
mind-boggling. And I would like to do that. I mean, I would
like to be able to find some way that we could prevent that
without destroying people's lives or their privacy, and it is
pretty hard to do. But you folks, I think, may have the keys to
do that.
Ms. Borsecnik, as you know, I have tremendous respect for
AOL and I have been very impressed with you here today, but do
you have any comments on this?
Ms. Borsecnik. Well, I think the issue you just brought
up--we keep using the example in the health care industry--
conveys the concern of the one-size-fits-all issue. And I think
Senator Kohl's suggestion of a commission that looks further
into all the various sectors that are affected by privacy----
The Chairman. A commission that might be supervised by the
Government, you are saying?
Ms. Borsecnik. Yes, because I think, as you said at the
beginning, we are in the first inning on this discussion and
the debate because of the myriad of complicated issues and
industries involved. And we encourage that kind of discourse
because only through that will we be able to focus on a
solution that provides a standard that is acceptable, but is
workable across a variety of businesses and a variety of
consumer concerns.
The Chairman. I am going to come to you last, Mr. Berman,
since you have been the one who has been so crass as to
recommend this process.
Mr. Bodoff.
Mr. Bodoff. The only thing I would add--and I have heard
from two of our sponsors, AOL and IBM at the table here with
me, and that is probably reflective of the other companies who
have been instrumental in building our program--is that
whatever happens, we don't do anything that discourages
companies from joining self-regulatory activities.
We have a great challenge in front of us now. We have got
to get out and educate businesses and we have got to get
businesses to make a commitment. And we are only open a month
and we have some very aggressive plans, and I think if we were
talking at the end of the year, we would see some very
interesting results, the danger being in any activity that
holds out something else and lots of companies who may be
moving toward a self-regulatory approach right now hold off
because they are waiting for something else. They are fearful
of something else or something else is happening. So I would
only ask that that be given consideration in any action that
takes place.
The Chairman. Thank you. Mr. Fischbach.
Mr. Fischbach. Well, I think that as we continue moving
forward, I put down in my notes paint brush as opposed to a
small, thin brush, because each particular sector is going to
have its own particular issues. And if we are too broad in
whatever we attempt to do from a congressional standpoint, I
think that the answer will probably harm us as opposed to help
us with respect to the economics that can come from the
Internet, plus the fact that it is really a worldwide issue. It
is not just a local issue as to what takes place in the United
States because of the access of information and where you can
set your sites up.
We would be happy to participate in some sort of a body
which would study and make recommendations in terms of how to
handle this, the suggestion of a commission to work on what
kinds of legislation or rules should be passed. The problem, I
think, is we know where we are today; we are not sure where we
are going to be in 3 to 4 years from today and what changes
will take place in technology and how we will move information
back and forth. Some of it we can anticipate, but it will
change the way that all of us do business and it will change
the way that we access information.
The Chairman. Thank you. Now, Mr. Berman, we will let you
sum up for everybody.
Mr. Berman. I think that we are all committed to the growth
and dynamism of the Internet, and we want to make sure that it
has the right fundamental law, and that commerce goes on and
privacy is protected, and the free flow of information. And I
think that the right approach is somewhere between these
extremes, which is to really hone in and work together to bring
the industry and the privacy advocates and policy experts
together and try and work through these issues, to find the
flexible--it doesn't have to be one-size-fits-all, but to work
toward resolving some very hard issues of how to get fair
information practices out on the Net. So we are pleased to work
with you and the committee. We have done it before and we will
do it again.
The Chairman. Well, let me just challenge all of you to
really live up to that because I would like to have the very
best ideas you have. This committee has been doing some pretty
good things in this area, in my opinion, and we are capable of
doing many more good things, but we have got to have the right
advice and the right counsel to be able to do them right.
You know, there are so many problems, but I cite this
problem. Since yesterday's murders in the Colorado school, I
have been hit all over the place by people saying, well, we
have got to have disclosure, at least from a weapons
standpoint, of people's mental illness. The mental illness
societies are going berserk over this because they know that
once that starts, they are going to be discriminated against if
it isn't handled absolutely right.
Can it be handled absolutely right? Can we do something
that really is a privacy type of thing that will work so that
people are not discriminated against who have had an emotional
disturbance at one time in their lives? If the truth is known,
probably every one of us has suffered emotionally from time to
time. Whether it rises to the dignity of having to have special
professional help or not is another matter.
But it is a big problem because everybody comes up with
these broad-brush--you know, we have got to stop all weapons,
or we have got to do this, or we have got to make sure nobody
who has an emotional illness or even emotional distress has
access to weapons. Well, that is just one very small, little
aspect of this whole thing. You get into all the others, credit
cards right on through, and it is almost mind-boggling.
And you are kind of suggesting a private sector commission,
set up maybe by the industry, that is supervised by maybe some
sort of governmental supervision or regulation. My problem with
Government is, once regulation starts, it becomes a stifling
aspect to what really is, in the minds of many, one of, if not
the most important set of opportunities in America's history,
and one of, if not the most important industry in America right
now, because from this industry almost everything we do in the
future is going to be connected.
So we would really like to have some ideas here before some
people want to ram through some idiotic, stupid approach toward
this that creates another Internet IRS, which goes from a few
hundred pages to 6,000 pages overnight. I just don't want to
see that happen.
This has been a very good hearing. We are very grateful to
each and every one of you for coming because each of you has
expressed different aspects of this set of problems, and I
think it has been a very, very good panel. So thank you so
much.
With that, we will adjourn until further notice.
[Whereupon, at 12:51 p.m., the committee was adjourned.]
[GRAPHIC] [TIFF OMITTED] T8199.110 through T8199.137