b'<html>\n<title>S. 2928, S. 2606, AND S. 809--INTERNET PRIVACY CONCERNS</title>\n<body><pre>[Senate Hearing 106-1147]\n[From the U.S. Government Printing Office]\n\n\n\n                                                       S. Hrg. 106-1147\n\n        S. 2928, S. 2606, AND S. 809--INTERNET PRIVACY CONCERNS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                         COMMITTEE ON COMMERCE,\n                      SCIENCE, AND TRANSPORTATION\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                            OCTOBER 3, 2000\n\n                               __________\n\n    Printed for the use of the Committee on Commerce, Science, and \n                             Transportation\n\n\n\n85-657              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2003\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             SECOND SESSION\n\n                     JOHN McCAIN, Arizona, Chairman\nTED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina\nCONRAD BURNS, Montana                DANIEL K. INOUYE, Hawaii\nSLADE GORTON, Washington             JOHN D. ROCKEFELLER IV, West \nTRENT LOTT, Mississippi                  Virginia\nKAY BAILEY HUTCHISON, Texas          JOHN F. KERRY, Massachusetts\nOLYMPIA J. 
SNOWE, Maine              JOHN B. BREAUX, Louisiana\nJOHN ASHCROFT, Missouri              RICHARD H. BRYAN, Nevada\nBILL FRIST, Tennessee                BYRON L. DORGAN, North Dakota\nSPENCER ABRAHAM, Michigan            RON WYDEN, Oregon\nSAM BROWNBACK, Kansas                MAX CLELAND, Georgia\n                  Mark Buse, Republican Staff Director\n               Ann Choiniere, Republican General Counsel\n               Kevin D. Kayes, Democratic Staff Director\n                  Moses Boyd, Democratic Chief Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on October 3, 2000..................................     1\nStatement of Senator Breaux......................................     7\nStatement of Senator Bryan.......................................     5\nStatement of Senator Burns.......................................     3\nStatement of Senator Cleland.....................................    53\nStatement of Senator Gorton......................................     5\nStatement of Senator Hollings....................................     2\nStatement of Senator Kerry.......................................    63\nStatement of Senator McCain......................................     1\nStatement of Senator Rockefeller.................................    50\nStatement of Senator Wyden.......................................     4\n\n                               Witnesses\n\nCooper, Scott, Manager, Technology Policy, Hewlett-Packard \n  Company........................................................     7\n    Prepared statement...........................................    10\nGarfinkel, Simson, Cambridge, MA.................................    20\n    Prepared statement...........................................    
21\nRotenberg, Marc, President, Electronic Privacy Information Center    30\n    Prepared statement...........................................    33\nRubin, Paul H., Professor of Economics and Law, Emory University.    56\n    Prepared statement...........................................    57\nVradenburg, George III, Senior Vice President for Global and \n  Strategic Policy, America Online...............................    14\n    Prepared statement...........................................    16\n\n                                Appendix\n\nCleland, Hon. Max, U.S. Senator from Georgia, prepared statement.    71\nCooper, Scott, Hewlett-Packard Company, Manager, Technology \n  Policy, prepared statement.....................................    71\nResponse to written questions submitted by Hon. Ernest F. \n  Hollings to:\n    George Vradenburg............................................    75\nGarfinkel, Simson L., letter dated October 3, 2000, to Hon. John \n  McCain.........................................................    77\n\n \n        S. 2928, S. 2606, AND S. 809--INTERNET PRIVACY CONCERNS\n\n                              ----------                              \n\n\n                        TUESDAY, OCTOBER 3, 2000\n\n                                       U.S. Senate,\n        Committee on Commerce, Science, and Transportation,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 9:30 a.m., in \nroom SR-253, Russell Senate Office Building, Hon. John McCain, \nChairman of the Committee, presiding.\n\n            OPENING STATEMENT OF HON. JOHN MCCAIN, \n                   U.S. SENATOR FROM ARIZONA\n\n    The Chairman. Good morning. I want to thank the witnesses \nfor participating in today\'s hearing. 
As evidence of the \nimportance of this issue, this is the third hearing the \nCommittee has held since this summer on Internet privacy.\n    Today the Committee will hear testimony on the legislative \nproposals before the Committee dealing with Internet privacy. \nThe purpose of this hearing is to begin the process of moving \ntoward the enactment of legislation which would enable \nconsumers to protect their privacy online.\n    The Federal Trade Commission in its recent report on online \nprivacy recommended legislation to require the implementation \nof the four fair information practices of notice, choice, \naccess, and security. The FTC found that, while voluntary \nefforts had advanced the issue of privacy, those efforts were \nfailing to adequately protect privacy. Specifically, the \nCommission found that nearly 41 percent of random sites and 60 \npercent of the top 100 sites provided consumers with notice \nabout their information practices and offered a choice about \nhow that information is used. I agree we must work to enact \nlegislation to enable consumers to protect their privacy. I am \nnot convinced that we must mandate all of the four information \npractices to protect privacy.\n    Last July, Senators Kerry, Abraham, Boxer and I introduced \nthe Consumer Internet Privacy Enforcement Act. The bill is \nfocused around the two fundamental principles of notice and \nchoice. It would ensure that consumers are informed of a \nwebsite\'s information practices in a clear and conspicuous \nmanner. It would also require websites to give consumers a \nsimple method of exercising meaningful choices about how that \ninformation is used. 
By focusing on these two fundamental \nprinciples, I believe we strike the delicate balance between \nprotecting privacy and imposing burdensome rules that do little \nto help consumers.\n    We may not all agree about the specific details of the \nlegislative proposals, but we all agree that the time has come \nto enact legislation to protect consumers\' privacy. Some of the \nproposals before the Committee go further than the bill my \ncolleagues and I introduced. Some of the bills currently before \nCongress propose far less, such as a simple commission to \nmerely study the issue. Regardless of the proposal, I think \nit\'s important we move forward through the difficult process of \nreaching compromise and forging legislation.\n    I look forward to engaging in this process as we move \ntoward the next Congress, and I believe that next year we can \nreport legislation from the Committee and work for its passage \non the floor.\n    Again, I want to thank the witnesses for their testimony \ntoday.\n    Senator Hollings.\n\n             STATEMENT OF HON. ERNEST F. HOLLINGS, \n                U.S. SENATOR FROM SOUTH CAROLINA\n\n    Senator Hollings. Mr. Chairman, we have fiddle-faddled with \nthis problem now for 5 years, and like you, I would have wished \nthat they could have voluntarily regulated themselves. But as \nNewsweek, the business magazine--this is not Consumer Reports \nor the Consumer Federation--cites, and I read: ``In short, \nself-regulation is a sham. The policies that companies have \nposted under pressure from the government are as vague and \nconfusing as anything Lewis Carroll could have dreamed up. \nAgain, if a business wants to collect information about a \nconsumer\'s health, financials, or sexual orientation, it should \nask them for permission first. 
This allows a Web surfer to opt-\nin.\'\'\n    That is why the other cosponsors and I have introduced \nour bill after a complete study and 5 years of the FTC trying \nto get self-regulation. There is no doubt in as comprehensive \na field as the Internet that you are going to have to try to \nprotect the privacy if you are going to protect the users of \nthe Internet. This is not a government restriction against \nbusiness. This is a government restriction to propagate the \nbusiness in a proper fashion.\n    So, any bill that does not have the opt-in is just \nwhistling Dixie. All these studies going back and looking and \nwondering and everything else of that kind. Mind you me, this \nis not asking those about your personal information that are \nnot making it a business or not making a profit from it. On the \ncontrary, this is those who really are making a business and a \nprofit and money out of your own private information. I think \nwe are going to have the opt-in, the opt-out, the security, and \nthe availability of it if we are going to have a good bill.\n    We came back here last week and we were all in a heat over \nthe proposition of advertising violence and not doing something \nabout the violence itself after 30 years.\n    Now after 5 years, there are some that want to still study \nand everything else after the Federal Trade Commission has \ntried over the 5-year period. Their in-house studies, working \nwith the industry, and everything else have found that you are \ngoing to have to have an opt-in provision.\n    Thank you.\n    The Chairman. Senator Burns.\n    Senator Burns. I think Senator Wyden was before me.\n    Senator Wyden. Go ahead.\n\n                STATEMENT OF HON. CONRAD BURNS, \n                   U.S. SENATOR FROM MONTANA\n\n    Senator Burns. Well, thank you, Mr. 
Chairman, I appreciate \nthat, and I appreciate you holding this third hearing on \nprivacy in a new digital economy.\n    While the Internet has offered us some amazing things--we \nhave seen a lot of things happen, and it offers a lot of \ncommercial opportunities to millions of Americans--the new \ninformation technologies have allowed the collection of \npersonal information on an unprecedented scale. Many times this \ninformation is collected without the knowledge of consumers, \nbut we also face that in our grocery stores and wherever we go \nto restaurants. And every time we do business with a credit \ncard and even sometimes with cash, we are confronted with the \nsame thing.\n    But what is particularly concerning to most of us is that \ninformation is collected without the knowledge of consumers. \nOnline profiling poses particular concerns, especially those \nprofiles that are merged with offline information to create \nmassive, individualized databases on consumers.\n    Given the continuing erosion of Americans\' privacy, I am \nmore convinced than ever that legislation is necessary to \nprotect and empower consumers in the online world. Privacy is a \nbipartisan issue. The number of bills before this Committee is \nevidence of the high level of member interest in this important \ntopic. Recently Senator Hollings and Senator McCain have \nintroduced legislation in this area, and I look forward to \nworking with them.\n    I would also like to thank my colleague, Senator Wyden of \nOregon, for his hard work on the privacy issues. 
Well over a \nyear ago, Senator Wyden and I introduced the Online Privacy \nProtection Act, which was based on our shared view that while \nself-regulation should be encouraged, we need also to provide a \nstrong enforcement mechanism to punish those people who would \nact in bad faith.\n    I have grown increasingly frustrated with the industry\'s \ncontinuing stance that no legislation is necessary, even in the \nface of overwhelming public concern. Many in the industry have \nclaimed that our bill, the Burns-Wyden bill, goes way too far \nand that the time still is not right for privacy legislation. I \nwant to reiterate my commitment to moving strong privacy \nlegislation to protect consumers, whether industry agrees with \nit or not.\n    I commend the Federal Trade Commission for recognizing the \nindustry has failed to produce progress and finally calling for \nlegislation. The Commission\'s recent report to Congress reveals \nthe extent of a stunning lack of consumer privacy on the \nInternet. Even among the 100 most popular websites, only 42 \npercent have implemented fair information practices to ensure \nconsumer privacy, and among a broader random sample of all \ncommercial websites, the number drops dramatically to 20 \npercent in compliance.\n    So, I remain open in working with you, Mr. Chairman, and \nSenator Hollings and Senator Wyden, and all of my colleagues on \nthis Committee and the rest of the Senate and the Congress as \nwe work on this vital issue. I look forward to the testimony of \nthe witnesses today, and I thank you very much.\n    The Chairman. Thank you.\n    Senator Wyden.\n\n                 STATEMENT OF HON. RON WYDEN, \n                    U.S. SENATOR FROM OREGON\n\n    Senator Wyden. Thank you, Mr. Chairman. I want to thank my \nfriend from Montana for his kind words. He and I did, a year and a \nhalf ago, introduce legislation. We note your bill, Mr. \nChairman, Senator Hollings\' bill. 
We have got a variety of good \nbills now before the Committee, and I would just make a couple \nof points at this time.\n    First, I just do not think it is right for the Congress to \nwait until there is an Exxon Valdez of privacy, and I am very \nconcerned, given the fact that we have some who are certainly \nnot rushing to embrace these voluntary programs that that is \ngoing to happen.\n    The reason that I feel so strongly about it is when you \nlook at this Committee\'s work--and I am very proud of what we \nhave done on a bipartisan basis, the Internet Tax Freedom bill, \nfor example, the law that went into effect yesterday, the \nDigital Signatures law. What we have been able to do in the \nlast couple of years is to begin to write the ground rules for \nthe new economy, and we have done it in a way that has made \nsense for business and made sense for consumers and helped to \ninspire confidence in these new economic opportunities that \nrevolve around the Internet. You have an Exxon Valdez of \nprivacy and that will, to a great extent, drain much of the \nconfidence out of the exciting things that are taking place in \nour country. So, it is critically important that we move \nforward, do it in a bipartisan way.\n    I would wrap up with just a couple of additional comments. \nFirst, Mr. Chairman, I do feel strongly that on a bipartisan \nbasis we ought to figure out a way to embrace these four key \nprinciples that the Federal Trade Commission has called for in \ntheir proposal. They have said that it is important to include \nnotice and choice and access and security. We do have \ndifferences of opinion in this Committee with respect to these \nfour principles. 
I would hope that we would work with industry \non a bipartisan basis and consumer groups and develop a plan \nthat does incorporate those four key principles.\n    Finally, with respect to the nature of the information, it \ndoes seem to me that the American people, when you are talking \nabout their health and their financial information, sensitive, \npersonal information, want in some way to give explicit \npermission before it is used. You can walk into any coffee shop \nin this country and that is what people think ought to be done.\n    At the same time, there are scenarios that seem almost \nabsurd if you carry this to absolutes. For example, if somebody \nsubscribes to Newsweek for 20 years, it seems kind of \npreposterous to require that the Newsweek company send them a \nnotice asking them permission to send them another notice to \nsign up for the 21st year. So, the nature of this information \nis very key, and I hope that with respect to the financial and \nhealth information that we can develop a plan that is in line \nwith the expectations of the American people.\n    Mr. Chairman, again I thank you. I think this is an \nimportant week. That Digital Signatures bill that this \nCommittee led the effort on is going to be a revolution in the \nprivate sector economy. Now it is time for us to join forces \nagain in the privacy arena, and I look forward to working with \nyou and our colleagues to do that.\n    The Chairman. Senator Gorton.\n\n                STATEMENT OF HON. SLADE GORTON, \n                  U.S. SENATOR FROM WASHINGTON\n\n    Senator Gorton. Mr. Chairman, as others have said, this is \nyour third hearing on a vitally important subject. You have \nintroduced a bill yourself that seems to me to have great \nmerit, as have two other Senators or groups of Senators here, \nincluding the bipartisan approach that Senator Wyden and \nSenator Burns have.\n    I think each of those show how important this issue is. 
I \nthink each shows the absolute necessity for us to do something \nhere. The other approaches have not worked.\n    I want to echo Senator Wyden in saying that it seems to me \nthat this is a field in which we do need to be working \ntogether. There are four basic elements that we must consider. \nThe degree to which we have got to legislate on each of them is \ncertainly a matter for negotiation. But as is the case with so \nmany other issues in this Committee, it is not going to break \ndown on partisan lines by any stretch of the imagination. \nWhether we are going to finish something in the next 2 weeks I \nthink is questionable, highly questionable, but that we should \nbe working, at the very least, toward doing something early in \nthe next Congress in my view is very important.\n    You have helped give us the ground for that. You have \nhelped us focus on the proposition that we should not have \nsignificant information about people being used without their \nknowledge and without their consent, which is exactly the \nsituation we find ourselves in today. Solving that problem as \npromptly and as justly as possible, both taking advantage of \nthe tremendous opportunities given us by the Internet, but \nprotecting people against things that they do not want and do \nnot know is very, very important. It seems to me that we are \nmoving toward a consensus on this Committee and that you are \nhelping us through this hearing in doing so.\n    The Chairman. Thank you, Senator Gorton.\n    Senator Bryan?\n\n              STATEMENT OF HON. RICHARD H. BRYAN, \n                    U.S. SENATOR FROM NEVADA\n\n    Senator Bryan. Mr. 
Chairman, I would like to thank you for \ncalling today\'s hearing on this important issue of Internet \nprivacy.\n    The right to privacy is constitutionally recognized by the \nSupreme Court and is a reflection of our citizenry\'s long-held \nexpectation that they should be able to engage in a wide range \nof day-to-day activities with a significant degree of autonomy \nand independence.\n    The Internet presents new challenges, as well as \nopportunities, for the protection of privacy. The sheer volume \nof personal information that is exchanged on a daily basis \nbetween individuals and businesses on the Internet, coupled \nwith the ability of other entities to track the flow of this \ninformation with relative ease, poses serious privacy concerns \nfor many consumers.\n    By way of example, the recent revelation involving the \ndynamic pricing strategy employed by Amazon.com is further \nevidence of how consumer privacy is threatened on the Internet.\n    A recent survey showed that 92 percent of consumers are \nconcerned about the misuse of their personal information \nonline. Only 15 percent of those polled by Business Week \nearlier this year believe that the government should defer to \nvoluntary industry-developed privacy standards, and as recently \nas August, the Pew Research Foundation reported that 86 percent \nof those surveyed supported an opt-in requirement as a \nnecessary component of any company\'s privacy policy.\n    I agree with the recommendations contained in the Federal \nTrade Commission\'s latest report on online privacy, but the \ntime has come for Congress to establish a baseline standard for \nthe protection of consumer privacy on the Internet.\n    Earlier this year, I joined with our distinguished ranking \nmember, Senator Hollings, in introducing privacy legislation \nthat largely tracks the recommendations contained in the FTC \nreport. 
This legislation builds upon the framework established \nby the Children\'s Online Privacy Protection Act, which I was \nprivileged to sponsor and which enjoyed the unanimous approval \nof all Members of this Committee. As you know, it went into \neffect earlier this year in April. It embodies the four widely \naccepted fair information practices of notice, choice, access, \nand security for the collection of personally identifiable \ninformation about consumers online.\n    It is important to note that the Children\'s Online Privacy \nProtection Act, which, as I said, enjoyed the unanimous support \nof Members of this Committee in the last Congress, contains an \nopt-in requirement in the form of verifiable parental consent. \nThis requirement means that a website operator must make \nreasonable efforts to ensure that before personal information \nis collected from a child, a parent of the child receives \nnotice of the operator\'s information practices and consents to \nthose practices. This legislation also had the near unanimous \nsupport of the Internet industry, including the industry \nrepresentatives that are testifying before the Committee today.\n    The architecture of the Internet provides an opportunity \nfor technology to enhance online privacy. Many innovative \ncompanies are focusing more and more resources on the \ndevelopment of privacy enhancing tools that will enable \nconsumers to have more control over the use of their personal \ninformation.\n    But technological advancement should not be viewed as a \nsubstitute for strong legal protections. I understand the \nindustry\'s concern with the regulatory approach to protecting \nprivacy on the Internet, but I am hopeful that they \nwill come to view this effort as an opportunity to enhance \nconsumer confidence in e-commerce, much like what occurred \nin the offline world with the credit card industry in the \n1970s. And I am hopeful, Mr. 
Chairman, that this Committee \nwill continue to endeavor to enact a responsible bipartisan \npiece of legislation that adequately protects consumer privacy \nonline in a manner that does not unduly burden the growing e-\ncommerce market in America.\n    The Chairman. Senator Breaux.\n\n               STATEMENT OF HON. JOHN B. BREAUX, \n                  U.S. SENATOR FROM LOUISIANA\n\n    Senator Breaux. Well, thank you, Mr. Chairman. I am sure \neverything has been said that needs to be said except from our \npanel of witnesses.\n    Let me just add my congratulations to you for focusing in \non what many consumers feel is one of the most important \nconcerns that they have in today\'s modern society; that is, \nwhat happens to their personal information when they sit down \nin front of the Internet and use it for legitimate purposes. I \nthink that there has been a growing fear of even using the \nInternet because of the possibility that personal information \nwill be disseminated to those who seek to use it for purposes \nthat the owner of that information has not agreed to.\n    I think a solution to this problem is a win-win, both from \nthe business community who seeks to take advantage of the \nservices allowed by the Internet operations, as well as a win \nfor those who are concerned about their own personal \ninformation being disseminated, in some cases sold to others, \nthird parties in particular.\n    Time is running out but I think that we have laid the \ngroundwork for what needs to be done in the next Congress, and \nI look forward to working with the Chairman in order to do \nthat.\n    The Chairman. Thank you.\n    Mr. Scott Cooper, Mr. George Vradenburg, Mr. Simson \nGarfinkel, and Mr. Rotenberg. Mr. Cooper, Manager of Technology \nPolicy of the Hewlett-Packard Company, welcome.\n\nSTATEMENT OF SCOTT COOPER, MANAGER, TECHNOLOGY POLICY, HEWLETT-\n                        PACKARD COMPANY\n\n    Mr. Cooper. Mr. 
Chairman and Members of the Committee, \nHewlett-Packard appreciates this opportunity to testify today \nat this important hearing on privacy. My name is Scott Cooper \nand I am Manager of Technology Policy for HP.\n    We at HP believe that the Information Age will provide \nnumerous tools that will empower consumers and allow them to \nparticipate with confidence in the global electronic \nmarketplace. Consumers already have access to a tremendous \namount of information to help them negotiate prices, terms and \nconditions. They are no longer limited in where they shop, when \nthey shop, or with whom they do business.\n    But these benefits cannot be realized if consumers are \nconcerned about how their personal information is treated \nonline.\n    While industry self-regulation is not the complete \nsolution, we believe the private sector has done a pretty good \njob of responding to privacy concerns during the seminal period \nof the growth of electronic commerce. It is sometimes easy to \nforget how recent a phenomenon Internet commerce is. Five years \nago, almost nothing was bought or sold online. So, we are still \nfinding our way in this new environment. From that perspective, \nthe efforts to date by businesses to meet consumer privacy \nconcerns have been impressive. HP believes that self-regulation \nand credible third party enforcement, such as the Better \nBusiness Bureau Privacy Seal program, are the single most important \nsteps that businesses can take to ensure that consumer privacy \nwill be respected and protected online.\n    As an example of our concern on this issue, HP is making an \noffer we hope will encourage many other companies to join HP as \nmembers of the Better Business Bureau Privacy Seal program. 
For \nthe past four months, HP has paid the application fees of \nstart-up companies identified by the Better Business Bureau to \njoin the BBBOnLine Privacy Seal program.\n    This offer reflects, we believe, a commitment to address \nconsumer privacy concerns and, in fact, the BBB program has \nbeen singled out by the European Commission as the kind of \nprivacy program that gives them confidence that an American \nsafe harbor will meet European adequacy standards on privacy.\n    And just two weeks ago, HP\'s CEO, Carly Fiorina, joined \nwith Michael Dell of Dell Computer to send a joint letter to \ntheir fellow Fortune 500 CEOs requesting that they also join \nthe BBB Privacy Seal program.\n    But even with all these self-regulatory efforts by HP and \nother companies, it is unlikely that the majority of commercial \nwebsites will post consumer-friendly, easily readable privacy \npolicies or join privacy programs such as the BBB, at least in \nthe short run.\n    And unfortunately, there is a perverse legal incentive for \ncommercial websites not to post a clear and conspicuous privacy \nnotice. Currently, if a website posts a privacy policy or posts \na third party privacy seal and then fails to live up to that \npolicy, it is then liable for enforcement by the FTC for having \ncommitted a deceptive act. If the website does not state a \npolicy or couches that policy in so many disclaimers and other \nconfusing legalese in order to limit liability, then consumers \nwill not have the material information they need to decide \nwhether they wish to do business with that site.\n    Hewlett-Packard has argued for some time now that consumers \ndeserve to have the necessary material information about a \nwebsite\'s privacy policy in order for them to make an informed \nchoice whether they want to do business with that site. 
We have \nadvocated that the key consumer right is that of disclosure, that \nis, requiring that all commercial websites clearly and \nconspicuously state what that website does with personal \ninformation. Consumers can then decide whether they want to \ncontinue a transaction with that website or go to another that \nhas a privacy disclosure more to their liking.\n    HP believes that clear and conspicuous privacy disclosure \nis not only the right thing to do for consumers; it is also the \nright thing to do for businesses if they want to grow and serve \ntheir customers in the Internet environment. If consumers in \nthe marketplace decided that privacy is important to them--and \nthey have--then the competitive advantage will be with those \nsites that have a more consumer-friendly privacy policy.\n    Hewlett-Packard, therefore, strongly commends the original \ncosponsors of S. 2928, Senators McCain, Kerry, Abraham, and \nBoxer, for their leadership in protecting the privacy of \nconsumers who use the Internet. We look forward to substantive \nlegislative hearings in the next Congress to flesh out the \ndetails of this proposal, but for the most part, we think the \nauthors have it just about right:\n\n    1. Clear, conspicuous and easily understood disclosure \nrequirements are key. We also commend the authors for including \na safe harbor section that recognizes the importance of self-\nregulatory third party seal programs that have been approved by \nthe FTC.\n    2. Recognizing the importance of empowering state \nattorneys general to protect their citizens\' privacy through \nnational uniform regulations, while preserving the right of the \nFTC to intervene when it feels necessary.\n    3. A study and report back to Congress by the National \nAcademy of Sciences on a series of complex but important issues \nthat must be resolved in order to ensure that the benefits of \nthe Information Age are not distorted or unrealized. These \ninclude:\n\n      a. 
An analysis of the benefits and risks inherent in the \nuse of personal information for both consumer empowerment and \ncontinued growth of electronic commerce;\n      b. an important examination of existing differences \nbetween the collection of information online and offline, an \nexamination we hope will lead to greater harmonization between \nthe two;\n      c. an analysis of the benefits and risks of providing \nvarious levels of consumer access to business databases; and\n      d. an examination of the security of personal \ninformation collected online.\n    It is our view that the Information Age cannot move forward \nwithout these questions being answered. At the same time, the \nimportance of getting the answers right precludes any overly \nprecipitous rush to judgment. Hewlett-Packard does not believe \nthat balancing consumer confidence and market growth is a zero \nsum game. We are confident that the National Academy of \nSciences will present Congress with a reasoned set of \nrecommendations of where further policymaking may be necessary \nand also where it may not. Congress should not be asked to \nlegislate on this complex, vital area of our economy based on \nanecdotal evidence. Nor should a reasoned debate be limited by \nproscriptions that, given enough time, the marketplace will \nultimately supply all answers.\n    We would welcome the public debate that will be spawned by \nthe studied recommendations of the National Academy of Sciences \nand believe it is by far the best way to discover, as Senator \nBreaux said, win-win answers for consumers and the economy.\n    And finally,\n\n    4. We think it important that the Internet and electronic \ncommerce be treated as an interstate issue. We agree with the \nauthors of S. 2928 that we must develop national uniform privacy \npolicies.\n    We also think that S. 
809 has defined the right goals
for consumer privacy protections, and we would like to continue
to work with Senator Burns' and Senator Wyden's offices to find
industry consensus on how we can achieve workable solutions for
such issues as opt-in and access.
    We also think S. 2606 has raised many of the right issues
for consumer confidence, including clear and conspicuous
disclosure. Other sections of S. 2606 raise issues that deserve
further study, and others, such as section 303, the Private
Right of Action, may be inappropriate as a solution for an
issue that we believe we can find agreement and consensus
solutions between consumers, businesses, and policymakers.
    Current concerns about consumer confidence must not be
allowed to turn into barriers for empowering consumers through
global electronic commerce. Hewlett-Packard believes that this
hearing is an important step in the right direction, and we
welcome the opportunity to work with this Committee in the
development of national policies governing the collection and
use of personal information.
    I would be pleased to answer any questions you all may
have.
    [The prepared statement of Mr. Cooper follows:]

    Prepared Statement of Scott Cooper, Manager, Technology Policy,
                Hewlett-Packard Company, Washington, DC

    Mr. Chairman and Members of the Committee. Hewlett-Packard
appreciates this opportunity to testify today at this important hearing
on privacy. My name is Scott Cooper, and I am Manager for Technology
Policy for HP.
    We at HP believe that the Information Age will provide numerous
tools that will empower consumers and allow them to participate with
confidence in the global electronic marketplace. Consumers already have
access to a tremendous amount of information to help them negotiate
prices, terms and conditions.
They are no longer limited in where they
shop, when they shop, and with whom they do business.
    But these benefits cannot be fully realized if consumers are
concerned about how their personal information is treated online.
    While industry self-regulation is not the complete solution, we
think the private sector has done a good job of responding to privacy
concerns during the seminal growth of e-commerce. It is sometimes easy
to forget how recent a phenomenon Internet commerce is. Five years ago,
almost nothing was bought or sold online. So we are still finding our
way in this new environment. From that perspective, the efforts to date
by businesses to meet consumer privacy concerns have been pretty
impressive. And HP believes that self-regulation and credible third
party enforcement--such as the Better Business Bureau privacy seal
program--is the single most important step that businesses can take to
ensure that consumers' privacy will be respected and protected online.
    As an example of our concern on this issue, HP is making an offer
that we hope will encourage many more companies to join HP as a member
of the Better Business Bureau Privacy Seal program. For the past four
months HP has paid the application fees of start-up companies--
identified by the BBB--to join the BBBOnLine Privacy Seal program.
We
have also offered limited, free consultation from HP's Privacy Managers
to help each company get started.
    This offer reflects, I believe, our commitment to addressing
consumer privacy concerns, and in fact, the BBB program has been
singled out by the European Commission as the kind of privacy program
that gives them confidence that an American `safe harbor' will meet
European adequacy standards for privacy.
    And just two weeks ago, HP's CEO, Carly Fiorina, joined with Michael
Dell of Dell Computer to send a joint letter to their fellow ``Fortune
500'' CEOs requesting that they also join the BBB privacy seal
program.
    Even with all these self-regulatory efforts by HP and other
companies, it is unlikely that the majority of commercial websites will
post consumer-friendly, easily-readable privacy policies, or join
privacy programs such as the BBB, at least in the short run. And
unfortunately, there is a perverse legal incentive for commercial
websites not to post a clear and conspicuous privacy notice. Currently,
if a website posts a privacy policy or posts a 3rd-party privacy seal
and fails to live up to that policy, then it is liable to enforcement
from the FTC for having committed a deceptive act. If the website does
not state a policy, or couches that policy in so many disclaimers and
other confusing legalese in order to limit liability, then consumers
will not have the material information they need to decide whether they
wish to do business with that website.
    And consumers have expressed their dissatisfaction with the ability
of self-regulation alone to provide necessary consumer confidence on
privacy. In a recent Business Week/Harris Poll, 92 percent of Net users
expressed discomfort with sites sharing personal information with other
sites.
And 57 percent of those respondents to the survey said that
government should pass laws on how personal information is collected.
    Hewlett-Packard has argued for some time now that consumers deserve
to have necessary material information about a website's privacy policy
in order for them to make an informed choice whether they wanted to do
business with that site. We have advocated that a key consumer right is
that of disclosure; that is, requiring that all commercial websites--
clearly and conspicuously--state what that website does with personal
information. Consumers can then decide whether they want to continue a
transaction with that website, or go to another that has a privacy
disclosure more to their liking.
    Hewlett-Packard was therefore supportive of efforts by Congressmen
Boucher and Goodlatte--the co-chairs of the House Internet Caucus--to
protect consumer privacy through greater disclosure. And in May of last
year, they introduced H.R. 1685 which includes as Title III an ``Online
Privacy Protection'' section that requires commercial websites to
``clearly and conspicuously provide notice of its collection, use and
disclosure policies'' with enforcement authority to the Federal Trade
Commission.
    HP believes that clear and conspicuous privacy disclosure is not
only the right thing to do for consumers; it is also the right thing
for businesses if they want to grow and serve their customers in the
Internet environment. If consumers in the marketplace decide that
privacy is important to them--and they have--then the competitive
advantage will be with those sites that have more consumer-friendly
privacy policies.
    Hewlett-Packard thus strongly commends the original co-sponsors of
S. 2928, Senators McCain, Kerry, Abraham and Boxer, for their
leadership in protecting the privacy of consumers who use the Internet.
We look forward to substantive legislative hearings in the next
Congress to flesh out the details of this proposal; but for the most
part we think the authors have it just about right:

    1. ``[C]lear, conspicuous and easily understood'' disclosure
requirements are key. We also commend the authors for including a
``Safe Harbor'' section that recognizes the importance of
self-regulatory 3rd party seal programs that have been approved by the FTC.

    2. Recognizing the importance of empowering state attorneys
general to protect their citizens' privacy through national uniform
regulations; while preserving the right of the FTC to intervene when it
feels necessary.

    3. A study and report back to Congress by the National Academy of
Sciences on a series of complex but important issues that must be
resolved in order to ensure that the benefits of the Information Age
are not distorted or unrealized. These include:

        a. An analysis of the benefits and risks inherent in the use
of personal information for both consumer empowerment and continued
growth of the electronic marketplace;

        b. an important examination of existing differences between
the collection of information online and offline; an examination we
hope will lead to greater harmonization between the two;

        c. an analysis of the benefits and risks of providing various
levels of consumer access to business databases;

        d. and an examination of the security of personal information
collected online.

    It is our view that the Information Age cannot move forward without
these questions being answered. At the same time, the importance of
getting the answers right precludes any overly-precipitous rush to
judgment. Hewlett-Packard does not believe that balancing consumer
confidence and market growth is a zero-sum game.
We are confident that
the National Academy of Sciences will present Congress with a reasoned
set of recommendations of where further policymaking may be necessary;
and also, where it may not. Congress should not be asked to legislate
in this complex, vital area of our economy based on anecdotal evidence.
Nor should a reasoned debate be limited by proscriptions that, given
enough time, `the marketplace' will ultimately supply all answers.
    We would welcome the public debate that would be spawned by studied
recommendations of the National Academy of Sciences and believe that
that is by far the best way to discover ``win-win'' answers for
consumers and the economy.
    And finally,

    4. we think it important that the Internet and electronic commerce
be treated as an interstate issue. We agree with the authors of S. 2928
that we must develop national, uniform privacy policies.

    But in order to truly earn the trust of consumers, we cannot stop
here. We also need to expand ongoing efforts to ensure that the global
electronic marketplace is a clean, well-lighted venue for both
consumers and businesses. For example, consumers need to have
confidence that when they do business across national borders, there
will be a redress system in place should anything go wrong with
the transaction.
    HP is working with 70+ businesses from around the world through the
Global Business Dialogue for electronic commerce to develop worldwide
consensus standards on consumer redress systems; what are called
alternative dispute resolution mechanisms, or ADR.
In this effort we
are working with consumer groups and government bodies such as the FTC and
the European Commission to ensure that consumers and businesses will
quickly, fairly and cheaply resolve complaints related to online
transactions.
    Current concerns about consumer confidence must not be allowed to
turn into barriers to empowering consumers through global e-commerce.
Hewlett-Packard believes that S. 2928 is a significant step in the
right direction, and we welcome the opportunity to work with this
Committee in the development of national policies governing the
collection and use of personal information.
    I would be pleased to answer any questions that you may have.

                                 ______

Hewlett-Packard Proposal on Privacy Disclosure
    1) Industry self-regulation and credible third party enforcement is
the best model for developing the necessary trust that private data
will be respected and protected online. It is unlikely, however, that the
majority of websites will post privacy policies, at least in the short
run. And unfortunately, there is a perverse legal incentive for
commercial websites not to post a privacy statement. Currently, if a
website posts a privacy policy and fails to live up to that policy, it
is liable to enforcement from the FTC for having committed a deceptive
act. If the website does not state any policy, it is not legally
vulnerable because no deception can be inferred. Therefore, while the
largest websites will probably post privacy statements, the large
majority of sites may not; and that makes industry vulnerable to
intrusive regulatory initiatives.
    2) One way to deal with that problem would be through disclosure:
that is, requiring that all commercial websites--clearly and
conspicuously--state what that website does with personal information.
A disclosure requirement would not require a website to do anything
other than it is currently doing; it would only require that the
website inform consumers what it is that they do with personal
information. Consumers could then decide whether they want to continue
a transaction with that website, or go to another that has a privacy
disclosure more to their liking. If consumers in the marketplace decide
that privacy is important to them, then the competitive advantage will
be with those sites that have more stringent privacy policies.
    3) This concept of ``material information'' is a basic concept of
U.S. consumer protection law. (See the ``FTC Policy Statement on
Deception''.) Simply stated, consumers have the right to information
that is essential for them to make an informed choice about a product
or service. To fail to make such information available to consumers is
a deceptive act. Through rule or case law, this `material information'
concept is a basis for US advertising regulation, and in a number of
other areas:

    Telemarketing: It is deceptive to fail to verbally disclose (in a
clear and conspicuous manner) costs, material restrictions, refund
policies, prize odds, material costs, etc.

    900-Number (Pay-per-Call): It is deceptive to fail to verbally
disclose (in a free preamble) the service to be provided, cost per
minute, and other fees created by the call.
(The `clear and
conspicuous' disclosures also carry over into print and TV ads for
900#s.)

    Used Car Warranties: It is deceptive not to conspicuously post on
every used car a sticker that states in writing what warranty (if any)
a dealer offers on a used car.

    Acknowledging that consumers have the right to know how their
personal information may be used is a pro-consumer initiative that will
give consumers and businesses greater certainty and confidence in
undertaking negotiations on the Internet.
    (All documents cited can be found on the FTC website at
www.ftc.gov)
                                                 September 15, 2000
                                 ______

<<First_Name>> <<MI>> <<Last_Name>>
<<Company_Name>>
<<Address>>
<<City>>, <<ST>> <<Zip_Code>>

Dear <<First_Name>>:

    We are writing to enlist your company's participation in meaningful
and credible self-regulation to protect your customers' privacy on the
Internet. BBBOnLine, the Internet subsidiary of the Council of Better
Business Bureaus, was developed to promote trust and confidence on the
Internet. Eighteen major corporations sponsor, serve on the Board, and
helped build the BBBOnLine Privacy Program (a list of these companies
is attached). The goal was to build the most comprehensive and least
expensive privacy trustmark so that businesses could demonstrate their
commitment to adhere to their online privacy notices.
    The recent ``Safe Harbor'' agreement covering online transfers of
personal data reached between the U.S. Department of Commerce and the
European Union would not have been possible without BBBOnLine's
credibility and reputation. This agreement will allow personal data
transfers from European Union citizens to BBBOnLine participants and
others meeting the safe-harbor provisions.
If you do not meet these
``Safe Harbor'' provisions your company may have difficulty
transferring data from Europe (including from your European operations)
to the U.S. If these transfers are not possible this could obviously
take a staggering negative toll on US--EU commerce.
    In addition, BBBOnLine has recently announced a joint trustmark
with the government-sponsored privacy seal program in Japan operated by
the Japan Information Development Processing Center (JIPDEC). This joint
venture will allow BBBOnLine seal holders to qualify for Japan's
privacy seal and JIPDEC seal holders in Japan to qualify for the
BBBOnLine seal. This option is unavailable from any other trustmark
program and is another example of the global reach of BBBOnLine's
reputation as the most comprehensive and credible form of online
privacy self regulation available.
    The U.S. Congress, state legislatures, and federal regulatory
agencies are continuing their efforts to regulate online privacy. While
they recognize the value of the BBBOnLine Trustmark program, they
highlight that not enough businesses have made a commitment. There is
still time to send a significant message to legislators and regulators
that businesses are committed to protecting consumer privacy through
self regulation by participating in the BBBOnLine Privacy Program.
    This letter is to urge <<Company_Name>> to apply and qualify for
the BBBOnLine Privacy seal to demonstrate your commitment to
self-regulation. The cost is low and the benefits to your company and
business in general are great. Together we can send a strong message
that industry is willing to accept the online privacy challenge. For
information on the BBBOnLine Privacy Program please have your staff
contact Ms.
Mercedes Lemp at 703.247-3661, email her at
Mlemp@lcbbb.bbb.org or look at BBBOnLine's website at
www.bbbonline.org.
        Sincerely,
                                             Carly Fiorina,
                                                               CEO,
                                           Hewlett Packard Company.
                                              Michael Dell,
                                                               CEO,
                                         Dell Computer Corporation.
                                 ______

                      BBBOnLine Founding Sponsors
    America Online
    Ameritech
    AT&T Corp.
    Bank of America
    Dun & Bradstreet
    Eastman Kodak Company
    GTE
    Hewlett-Packard Company
    IBM Corporation
    Intel Corporation
    Microsoft Corporation
    The Procter & Gamble Company
    Reed Elsevier Inc.
    Road Runner
    Sony Electronics
    US WEST
    VISA
    Xerox Corporation

    The Chairman. Thank you, Mr. Cooper.
    Mr. Vradenburg, welcome.

STATEMENT OF GEORGE VRADENBURG, III, SENIOR VICE PRESIDENT FOR
          GLOBAL AND STRATEGIC POLICY, AMERICA ONLINE

    Mr. Vradenburg. Thank you, Mr. Chairman and Members of the
Committee, and I thank you very much for the opportunity to
testify here this morning on this important issue.
    As consumers demand the power and convenience of the PC on
their TV sets and the mobility to take the Internet with them
on their wireless and other personal devices, it is becoming
clear that online interactivity will become an integral and
seamless aspect of how we live in a modern society.
This rapid
consumer-driven environment we live in in the Internet requires
industry to know more about our consumers than in the past in
order to serve them better, at lower cost, and with the
products and services they want. This is all to the good for
consumers, for our economy, and for our society. But we must
recognize that we in business, and you as government, have a
greater responsibility than in the past for the proper
treatment and handling of consumers' personal information.
    With that in mind, we are happy to be participating in this
important national debate. We believe that we have reached a
critical point at which industry and government must take the
next step together in order for us to get where we need to be
on privacy.
    AOL is proud to have been a leader in a wide range of
industry-led and industry-based efforts to address privacy
issues. We were founding members of the Online Privacy Alliance
and NetCoalition and are strong supporters of TRUSTe,
BBBOnLine, the DMA, and other efforts to set high corporate
standards for privacy protection. And we have worked in our
role as co-chair of the Global Business Dialogue on Electronic
Commerce to promote strong privacy policies around the world
because we believe this particular issue knows no boundaries,
no borders, and must be addressed with its global impact in
mind.
    Within our own company, we have worked hard to develop
privacy policies based on the input we have received from our
members over the years. We have described our privacy policy in
detail before this Committee in recent testimony, so I will not
discuss all the specifics here again.
I would just emphasize
that the cornerstone of our policy is that we clearly explain
to our members what information we collect, why we collect it,
and how they can exercise choice about the use and disclosure of
that information.
    We at AOL are proud of the steps we have taken to create a
privacy friendly environment online for our members. We have
adopted these policies because our business, more than ever,
requires us to respond to consumer demands. We take privacy
seriously in order to build consumer and our own member trust
in the medium. And we know that many other online businesses
feel exactly the same way.
    The progress that industry has made in recent months is
real. One thing the FTC Online Privacy Report last May clearly
shows is that the proportion of commercial websites posting
privacy policies has skyrocketed in less than 3 years from
fewer than 14 percent to over 90 percent. Unbelievable progress
for an industry that barely existed just a few years ago. And
the rapid adoption and use of the Internet in this country, it
seems to me, is a symbol that in fact consumers are taking to
this new medium with a greater rapidity than virtually any
medium in history, suggesting that in fact consumer confidence
not only is high but growing in this medium.
    Despite this remarkable progress, it is clear from the
level of public concern that still more needs to be done in
order to broaden consumer confidence in the online medium.
Although the industry has come a long way in creating and
promoting best practices in protecting consumer privacy online,
we think legislation may now be able to play an important role
in setting baseline standards for privacy protection and
ensuring that companies all play by the same rules.
    How do we decide what those baseline standards should be?
Examining this issue in light of the needs of our own members,
we have come to realize that the success that industry has
attained thus far in the area of privacy protection is largely
attributable to market-led initiatives premised on notice and
choice. The fundamental principle of privacy protection is to
inform consumers of our personal information handling
practices--to give them the ability to determine how that
information may be collected, used and disclosed. Only in that
way can we both reflect the diversity of suppliers in our
industry and the wide diversity of consumer privacy preferences
in society.
    As Congress turns its full attention to this issue next
year, we at AOL would, therefore, ask the Members of this
Committee to base their legislative initiatives on these key
principles of notice and choice, backed up by strong
enforcement authority. This type of solution will allow
companies to determine the most effective ways to implement
notice and choice under their particular business models, while
ensuring that companies do indeed comply with those
requirements. In today's online world, consumer preferences can
vary greatly from user to user, and we are in need of a
legislative approach that will give consumers the flexibility
to express those preferences on an ever-expanding variety of
platforms and devices, from their PCs to their televisions, to
their hand-held wireless devices.
    We think that the legislation that you, Mr.
Chairman, have
cosponsored is a good example of a legislative approach that
does set a baseline standard for notice and choice backed by
strong enforcement, under which market-driven initiatives and
technology innovation can continue to blossom, but providing
additional confidence to consumers that they are, in fact,
being honestly informed of what is being done with their
personal information and that they have choices in how that
information is used.
    So, we commend you, Mr. Chairman, along with your
cosponsors, Senators Abraham, Kerry, and Boxer, for their
efforts in drafting this bill which would ensure that all
companies live up to these important principles by giving the
FTC clear authority to enforce the notice and choice
requirements.
    We are also pleased that other Members of this Committee
have recognized the importance of addressing this issue, most
notably Senators Hollings, Wyden, Burns, and Bryan, with whom
we have worked very closely in adopting the Children's Online
Privacy Protection Act. We look forward to working with all
Members of this Committee in the next Congress to develop
privacy legislation that will respect what we believe to be
important principles of notice and choice.
    We recognize that the power of the Internet can only be
fully realized if consumers feel confident that their privacy
is properly protected when they take advantage of the many
benefits that this medium has to offer. As the Committee
continues its work on this issue next year, we urge you to
consider the risks of an over-regulatory approach and the need
for a solution to this issue that is flexible enough to sustain
both diverse business models and to respond to diverse consumer
preferences.
    We must also encourage user-friendly consumer interfaces.
That is, we must emphasize the importance of easy-to-use,
easy-to-find, easy-to-read policies of choice and to develop in the
marketplace a wide variety of choice techniques and
technologies.
    We commend the efforts of all the Members of this
Committee. We look forward to working with you next year to
build an effective privacy solution that will work for all of
us. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Vradenburg follows:]

Prepared Statement of George Vradenburg, III, Senior Vice President for
        Global and Strategic Policy, America Online, Dulles, VA

    Chairman McCain, Senator Hollings, and Members of the Committee, I
would like to thank you, on behalf of America Online, for the
opportunity to discuss proposed legislative responses to the issue of
online privacy.
    From the very beginning, we at AOL realized that this medium would
not grow, and our company would not succeed, unless our members were
confident in their privacy and security online. That's why protecting
our members' privacy has always been one of our top priorities at AOL
and why we have dedicated significant time, energy, and resources to
establishing one of the industry's strongest privacy policies and
educating our members about this issue.
    Online privacy has gained increasing attention in recent months, as
the Internet has become a central part of the lives of more and more
Americans. As consumers demand the power of the PC on their TVs, the
convenience of interactivity on their TVs, and the mobility to take the
Internet with them on their wireless and other personal devices, it is
becoming clear that Internet-oriented interactivity will become an
integral and seamless aspect of how we live in a modern society.
This
rapid, consumer-driven environment requires industry to know more about
their consumers than in the past in order to serve them better and at
lower cost and with the products and services they want. Gone are the
days when a manufactured good was delivered through a tiered
distribution system into the hands of distant and anonymous customers.
In the future, many services will be delivered completely online and
the service provider and customer will have an almost intimate
relationship. In that environment, businesses will be under increasing
pressure to be responsive but will also be necessarily entrusted with
more personal information about their customers. This is all to the
good . . . for consumers, for our economy and for our society. But in
that environment we, as a society, must recognize that businesses will
have a greater responsibility than in the past for the proper treatment
and handling of customers' personal information, and for ensuring that
consumers are fully informed about just what corporate policies and
practices are. With that in mind, we are happy to be participating in
this important national debate, and we believe that we have reached a
critical point at which industry and government must take the next step
together in order for us to get to where we need to be on privacy.
    AOL is proud to have been a leader on a wide range of
industry-based efforts to address privacy issues. We were founding members of
the Online Privacy Alliance and NetCoalition and are strong supporters
of TRUSTe, BBBOnLine, the DMA, and other efforts to set a high
corporate standard for privacy protection. We also were an early
supporter of P3P, a technology being developed by the World Wide Web
Consortium that will empower consumers to set their own privacy
preferences as they surf the Web.
And we have worked in our role as
Co-Chair of the Global Business Dialogue on Electronic Commerce (GBDe) to
promote strong privacy practices by companies around the world, because
we believe that the issue of privacy knows no borders and must be
addressed with its global impact in mind.
    Within our own company, AOL has worked hard to develop privacy
policies based on the input we've received from our members over the
years. Because consumers want to control their own privacy--rather than
having their privacy options dictated by government or private
industry--we've created a privacy policy that clearly explains to our
members what information we collect, why we collect it, and how they
can exercise choice about the use and disclosure of that information.
We have described our privacy policy in detail in recent testimony
before this Committee, so I will not discuss all of the specifics again
here. I would just emphasize that the cornerstone of our policy is that
we give our members clear choices about whether and how we use their
personal information, we make those choices easy to find and easy to
exercise, and we make sure that our members are well informed about
what those choices are.
    AOL's privacy commitment is company-wide. We have a designated
official within the company who is devoted to ensuring privacy
compliance among all of our brands, and we have integrated privacy
criteria into the review process for new products. We also make sure
that our policies are well understood and properly implemented by our
employees. We require all employees to agree to abide by our privacy
policy, and we limit employee access only to member information needed
for their jobs.
    AOL takes extra steps to protect the safety and privacy of children
online.
To protect our youngest members, we have created a special
environment just for children--our ``Kids Only'' area--where extra
protections are in place to ensure that our children are in the safest
possible environment. Furthermore, through AOL's ``Parental Controls,''
parents are able to protect their children's privacy by setting strict
limits on whom their children may send e-mail to and receive e-mail
from online. As you know, AOL supported legislation in the 105th
Congress to set baseline standards for protecting kids' privacy
online--precisely because of the unique concerns relating to child
safety in the online environment. We worked closely with Senator Bryan,
Chairman McCain, the FTC, and key industry and public interest groups
to help pass and implement the Children's Online Privacy Protection Act
(COPPA), and we believe the enactment of this bill was a major step in
the ongoing effort to make the Internet safe for children.
    Because the best privacy protection is an informed consumer, we
have dedicated significant efforts to educating our members about the
steps they can take to protect their own privacy online. Through Steve
Case letters, in-house advertisements, and industry-wide public service
campaigns, we have given tens of millions of users helpful tips about
keeping their personal information secure. For instance, we encourage
our members to check to see whether every site they visit on the Web
has posted a privacy policy and to review those policies before giving
any information or purchasing any products on those sites. We also help
them learn how to protect their passwords and personal information and
avoid falling for scams or downloading viruses.
    Additionally, we have developed tools to help all Internet users
protect their privacy when they surf the Web.
Netscape, which is part
of the AOL family, has one of the strongest commitments to privacy in
the industry, and the newest version of the Netscape browser clearly
demonstrates that commitment. Netscape 6.0, which is now in a beta
testing phase, includes an exciting new tool called the ``Cookie
Manager,'' which allows users to control the amount of passive
information that is collected about them by other companies when they
surf the Net. Through that tool, consumers are able to view, edit, or
delete any or all of the cookies that are placed on their computers by
the websites that they visit; and they can choose for themselves which
websites they will accept cookies from and which websites they won't.
Although AOL does not track the movements of our members when they surf
the Web, we believe that it is important, given the recent concerns
raised about the issue of ``online profiling,'' to give consumers the
ability to control what information they disclose online wherever they
go on the Internet. The Netscape Cookie Manager is a timely and
effective way to empower consumers to set their own privacy
preferences.
    We at AOL are proud of the steps we've taken to create a
privacy-friendly environment online for our members. We are also committed to
fostering best practices among our business partners and industry
colleagues. One of the strongest examples of this effort is our
``Certified Merchant'' program, through which we work with our hundreds
of business partners to guarantee our members the highest standards of
privacy and customer satisfaction when they visit e-commerce sites
through AOL.
Under that program, AOL requires every merchant doing
business on AOL to adhere to strict consumer protection standards and
privacy policies as rigorous as our own.
    We've adopted these policies because our business, more than ever,
requires us to respond to consumer demands and take privacy seriously
in order to build consumer trust in the medium. And we know that many
other online businesses feel exactly the same way. That's why AOL
helped form the Online Privacy Alliance 2 years ago. And that's why AOL
and NetCoalition.com, a group representing some of the largest and most
active online companies, sent a letter to 500 CEOs earlier this year
encouraging them to post comprehensive privacy policies based on the
key fair information principles, and to fully implement these policies
within their companies. The progress that industry has made is real--
one thing the FTC online privacy report last May clearly shows is that
the proportion of commercial websites posting privacy policies has
skyrocketed in less than 3 years from less than 14 percent to over 90
percent--unbelievable progress for an industry that barely existed just
a few years ago and which today is demonstrating the most rapid growth
in the history of media.
    Despite this remarkable progress, it is clear from the level of
public concern over privacy that more still needs to be done to broaden
consumer confidence in the online medium. Although many industry
leaders--including AOL--have worked hard to build their brands on
privacy protection, too many online users are still worried about how
their information will be collected and used by other companies doing
business online. We believe, therefore, that it is time for government
and industry to move forward together to expand consumer confidence and
protect consumer privacy.
Although the industry has come a long way in
creating and promoting best practices for protecting consumer privacy,
we think that legislation can play an important role in setting
baseline standards for privacy protection and ensuring that all
companies play by the same rules.
    But how do we decide what these baseline standards should be?
Examining this issue in light of the needs of our own members, we have
come to realize that the success that industry has attained thus far in
the area of privacy protection is largely attributable to market-led
initiatives premised on notice and choice. The fundamental principle of
privacy protection is to inform consumers of personal information
practices and give them the ability to determine how that information
may be collected, used, and disclosed. These tenets of ``notice and
choice'' are essential to the development of all of the privacy
initiatives that AOL undertakes, and guide the efforts of all companies
who have made strong commitments to user privacy.
    As Congress turns its full attention to this issue next year, we at
AOL would therefore ask the Members of this Committee to base their
legislative initiatives on these key principles of notice and choice.
Furthermore, we believe that the best way to implement these standards
is by backing up these basic notice and choice requirements with strong
enforcement efforts. This type of solution will allow companies to
determine the most effective ways to implement notice and choice under
their particular business models, while ensuring that companies do
indeed comply with these requirements.
In today's online world,
consumer preferences can vary greatly from user to user, and we are in
need of a legislative approach that will give consumers the flexibility
to express these preferences on an ever-expanding variety of platforms
and devices--from their PCs to their televisions to their handheld
wireless devices.
    We would suggest that the U.S. securities laws provide a helpful
model for this type of enforcement-based approach. Securities
disclosure requirements offer flexibility for a variety of business
models, but the strong enforcement behind these requirements ensures
that companies will provide consumers with honest disclosures about
their securities practices. Just as the U.S. financial markets are
thriving under this type of enforcement-based model for securities law,
so too will e-commerce continue to thrive if Congress enacts an
enforcement-based approach to consumer privacy.
    It is clear that companies are responding to the increasing
marketplace demand for online privacy, and that the tremendous growth
of e-commerce reflects positive trends on a variety of consumer
protection issues, including privacy. Less than 3 years ago, many
companies had to be convinced to join the OPA and adopt robust privacy
policies. Today, these same companies are competing to build the best
privacy solutions, have invested millions of dollars in developing
privacy technology, and are spending large advertising dollars to
distinguish themselves as privacy-friendly. The privacy technology fair
sponsored by the Congressional Internet Caucus just 2 weeks ago gave
companies an opportunity to demonstrate some of the exciting tools that
are being developed today, as businesses compete to find the best ways
to empower consumers to protect their own privacy online.
Restrictive
regulatory action could very likely curb such market innovation and
competition, and discourage creative and flexible approaches to privacy
protection.
    We think that S. 2928 is a good example of a legislative approach
that sets a baseline standard for notice and choice backed by strong
enforcement, under which market-driven initiatives and technology
innovation can continue to blossom. We commend Senators McCain and
Kerry on this Committee--as well as Senators Abraham and Boxer--for
cosponsoring this bill, which would ensure that all companies live up
to these important principles by giving the FTC clear authority to
enforce the notice and choice requirements. We believe this type of
enforcement-based approach appropriately builds on existing market
practices to set a baseline standard for privacy protection.
    We are also pleased that many other Members of the Committee have
recognized the importance of addressing this issue--most notably
Senators Hollings, Wyden, and Burns. Senators Burns and Wyden have
worked hard to craft S. 809, an approach that is based also on the key
principles of notice and choice. The bill would ensure that companies
provide clear notices to consumers about the personal information being
collected and the possible use or disclosure of that information, as
well as providing an easy-to-use mechanism for limiting the use and
disclosure of that information. We are concerned that this bill would
delegate broad rulemaking authority to the FTC, which could have an
adverse impact on competition and technology innovation in the privacy
space.
    S. 2606, drafted by Senator Hollings, is one of the most
comprehensive privacy proposals introduced to date. However, we
respectfully disagree with the approach taken by this particular bill,
and hope to have the opportunity to work further with Senator Hollings
next year on possible modifications to the proposal. S.
2606 recognizes
the importance of ensuring that companies provide consumers with
meaningful notice and choice with respect to the collection and use of
their personal information. However, this bill mandates that the choice
mechanism provided to consumers be based on an ``opt-in'' model.
    While we agree with Senator Hollings that consumers should be
provided with meaningful choice, we believe that it is not appropriate
for all types of consumer information to be forced into the opt-in
model in all circumstances. In the diverse online marketplace, we
believe it is impossible to mandate a ``one-size-fits-all'' solution to
consumer choice, and we should ensure that the legal framework for
online privacy is flexible enough to accommodate the diversity in the
online world.
    We commend the efforts of all of the Members of this Committee, and
are particularly pleased that each of the approaches includes a
provision that would preempt inconsistent state law so that companies
would not be subject to a potential patchwork of contradictory privacy
requirements. We look forward to working with you next year, Mr.
Chairman, along with the other members of this Committee and other
Members of Congress, as you consider the appropriate legislative
approach to protecting online privacy, because we believe that baseline
privacy protections are important both to consumers and to the
continued growth of the Internet.
    At AOL we recognize that the power of the Internet can only be
fully realized if consumers feel confident that their privacy is
properly protected when they take advantage of the many benefits that
this medium has to offer. If consumers do not feel secure online, they
will not engage in online commerce or communication--and without this
confidence, our business cannot continue to grow.
For this reason, the
borderless environment that is the Internet needs privacy solutions
that are workable and can scale across state and national boundaries,
while encouraging technology solutions that hold the greatest promise
for user empowerment. Most of all, we must balance privacy initiatives
with consumers' desire for personalization, customization and the other
exciting benefits of the interactive medium, so that consumers can
choose for themselves what kind of online experiences they want to
enjoy.
    As you continue your work on this issue next year, we urge you to
consider the risks of any over-regulatory approach and the need for a
solution that is flexible enough to sustain diverse business models,
encourage user-friendly consumer interfaces, accommodate widely varying
consumer preferences, and allow for rapid changes in technology,
platforms, and services. The time has come for us to work together to
find an effective legislative approach to online privacy protection. We
at AOL are ready for that challenge, and look forward to working with
all of you next year to build a solution that works for all of us.
Thank you.

    The Chairman. Thank you.
    Mr. Garfinkel, welcome.

                STATEMENT OF SIMSON GARFINKEL,
                         CAMBRIDGE, MA

    Mr. Garfinkel. Thank you. Mr. Chairman, Members of the
Committee, my name is Simson Garfinkel. In January, I published
a book called Database Nation: The Death of Privacy in the 21st
Century. It was my ninth book. Besides that, I have experience
as an entrepreneur in the field of computers and as a reporter
who has covered this field for many years. What I am not very
good at is reading prepared statements, and so I am going to
diverge from my prepared comments, which have been given to you
as part of the record.
    The Chairman. Your entire statement will be made part of
the record, Mr. Garfinkel.
    Mr. Garfinkel.
Thank you.
    In January and February, I went around the country speaking
with Americans because of my book being published, and since
then I have received literally thousands of e-mail messages.
The conclusion that I have is that most Americans want much
more privacy protection both in the law and in technology.
    I have also discovered that Americans are largely ignorant
about the extent of abuses and uses of their personal
information at this point in time and that they do not
understand how to use the mechanisms that have already been
made available to them under the current self-regulatory
regime. A good example is that many AOL users are very unhappy
that they get these advertisements popping up, but few of them
that I have spoken with know how to turn that off.
    Many Americans feel that privacy is over. One of the things
that I was trying to show people is that it is not over. There
are many opportunities for us to change the future right now.
    The other thing is that many Americans feel that they own
their personal information. I have them repeat this to me again
and again. In fact, in the law they do not own their own
personal information. What Americans are looking for is a way
of controlling their personal information, some sort of moral
right for that information, and that is what the legislation
proposed here can do for them.
    The fundamental right that they are seeking is access to
their own personal information that is stored on other
computers and at other businesses and organizations. This is
the basis of the Fair Credit Reporting Act. It is the basis of
the Privacy Act. And it is something that advanced technology
makes very easy to do. All of these Web-based systems for
collecting personal information can be easily turned around and
give the user access to the information that has been collected
both from the user and from other sources.
All these systems
need that personal information to serve up customized
advertisements or to make decisions. I have built these
e-commerce systems and I know that it is merely a decision on the
part of the company running the system whether or not to give
the consumer access to their own information. It is not a
technical hurdle.
    I am also very concerned about the connection of software
running on a person's PC with software on the Internet. You can
imagine your PC programs, your Microsoft Word, other programs
could scan through personal information on your computer and
then send that over an encrypted link to a third party or to
the vendor. Right now American consumers have no way of knowing
if that is happening and, in fact, no right to know if that is
happening or not.
    I am also very concerned that any legislation this
Committee passes have opt-in provisions rather than the opt-out
provisions that are currently embodied in two pieces of
legislation. The problem with the opt-out is that the opt-out
provisions can be very difficult for consumers to follow.
Opt-in provisions require that companies properly disclose what
they are doing and propose a value proposition to the consumer.
I think that without that, many of the deals happening between
companies and consumers are inherently one-sided.
    Finally, I would like to say that we really do need a
comprehensive solution for all privacy issues facing Americans.
I would like to see legislation on that matter considered, but
we should not let the need for comprehensive legislation get in
the way of adopting legislation right now that covers the
online regimes. It is very important that we put in place
protections for consumers in the online world now before more
companies spring into being that make violating privacy or make
using personal information in ways that are counter to the
interests of most Americans the basis of their business plans.
We are seeing more and more of these companies spring up.
    Last, I think that we should be creating a single privacy
office as a focal point for the enforcement of all of this
legislation. There are many, many pieces of privacy legislation
in the code right now. Such a privacy office could be a
resource center for both government and for business and for
consumers. One of the concerns that I have with many of the
pieces of legislation is that they break up enforcement into
many different divisions of the federal government. I
understand that there are reasons for doing that, but
ultimately I think that the interest of consumers and business
will be served by a single focal point.
    That is what I wanted to say.
    [The prepared statement of Mr. Garfinkel follows:]

         Prepared Statement of Simson Garfinkel, Cambridge, MA

    Mr. Chairman and members of the Committee, I am honored to speak
before you today.
    My name is Simson Garfinkel. I am perhaps best known in the field
of consumer privacy because of my book Database Nation: The Death of
Privacy in the 21st Century, which was published this January. As a
journalist, I have written about the intersection of privacy and
information technology for more than twelve years. Besides Database
Nation, I am the co-author of five books on computer security. Finally,
I am an experienced technologist and an entrepreneur. I have had an
Internet e-mail address since 1983. In 1995, I started Vineyard.NET, an
Internet Service Provider on Martha's Vineyard. In 1998, I started a
company called Sandstorm Enterprises, which develops advanced computer
security tools. I am currently the Chief Scientist at
Broadband2Wireless, a company that is building a nation-wide high-speed
wireless Internet service. I also serve as an advisor to two firms that
sell privacy-related products and services.
I must say, however, that I
am here speaking for myself, for none of the companies with which I am
currently affiliated.
    Mr. Chairman, as you know, many surveys have found that Americans
are very concerned about the growing number of threats to their
privacy. Other surveys have found that many Americans are refusing to
participate in e-commerce on the Internet, because they are fearful
that they will be compromising their privacy in the process. Indeed, I
have many friends who do not use the Internet to make purchases, to
view their bank statements, or to pay their bills. Some of these
friends are extremely sophisticated individuals: they feel that by
making use of e-commerce, they will be putting their personal
information at risk, and that they might become victims of fraud as a
result. It's hard to argue with this point of view given the dramatic
rise in identity theft that we have seen in recent years.
    In any event, this January, after my book was published, I went on
a book tour around the country. I spoke with many Americans about
privacy, both on and off the Internet. Most of the people that I spoke
with realized that there were few if any protections for their personal
information in Cyberspace. What you might find more revealing, however,
is that few Americans realized how poorly their privacy is protected
off the Internet. Although Congress has passed a whole slew of privacy
laws over the past twenty years, it really is a legislative patchwork.
There are many basic protections that Americans feel they do have, but
which in fact they do not.
For example, many Americans do not realize
that stores routinely engage in covert video surveillance, and that
there is no legal requirement to notify shoppers that such surveillance
is taking place.
    One of the points that I make when I speak about privacy is that
Americans tend to approach electronic privacy issues as a big tabula
rasa, an uncharted ocean, if you will, in which there are many
questions and few answers. Yet for more than 25 years we've had a
consistent set of principles that do a wonderful job confronting and
solving these electronic privacy issues. I am speaking, of course, of
the Code of Fair Information Practices, as well as the refinements on
the code that have been made over the years.
    The reason that the principles in the CFIP have been around so long
is that they resonate with our basic democratic beliefs. The CFIP was
developed for the information age, and I think that these practices can
and should be extended to the Internet.
    All of the bills that you are considering embody aspects of the
CFIP. I believe that S.2606 goes further and does a better job
protecting the interests of Americans. In the rest of my time, I'd like
to explain why.
    Each and every bill you are considering requires businesses to state
their policies regarding the collection of personal information. But
what then? After notice, I believe that access is a value that is
central to our principles of fair play and justice.

Access
    Imagine that you learned of a company that was in the business of
collecting and selling large amounts of personal information. You
contact the company and ask them if they have a file on you. They say
that they won't tell you. You ask if you can see the contents of your
file. The company says ``no.'' You ask if you can have a list of the
other firms to which your personal information has been transferred.
The company responds that it is impossible to create such a list, and
even if it were, that information is trade secret.
    You can imagine how frustrated and how powerless you would feel.
    This is the situation that confronted most Americans in the 1960s.
The companies were credit reporting agencies like Retail Credit (now
Equifax) and TRW (now Experian). When Congress considered legislation
that ultimately became the Fair Credit Reporting Act, those companies
insisted that giving consumers access to their credit reports would be
unworkable, a tremendous economic burden, and would be subject to
abuse. Today, nearly 30 years later, we view access to credit reports
as a fundamental right.
    As a technologist, I can tell you that granting an individual
access to their personal information is much easier to do today than it
was 30 years ago. Consider the case of cookies and Doubleclick. I have
met many people who do not want an internet advertising firm such as
Doubleclick watching over their shoulder and keeping track of every
website they visit, every article that they read. They see that
Doubleclick has put a cookie on their computer and they want to know
what Doubleclick's computers have in the databanks.
    Now Doubleclick's computers consult this database every single
time they show a banner advertisement over the Internet. Doubleclick
prides itself on this capability--it is Doubleclick's value added.
The
company even has a patent on the technology, US5,948,061: a ``Method of
delivery, targeting, and measuring advertising over networks.'' It
would be a simple matter to turn this technology around so that when a
user visits the Doubleclick site, the Doubleclick computers would
report the personal information that they have on file about the
individual.

Consent
    Beyond the issue of access, the issue of Consent is paramount to
any discussion of online privacy.
    An overwhelming number of Americans that I have spoken with believe
that they own their personal information. It's true that this
information runs contrary to US law. Nevertheless, it is a deeply held
belief among the vast majority of Americans.
    The bills that you have for consideration before you take two very
difficult views of personal information ownership. By creating a
so-called ``opt-out'' regime, S.809 and S.2928 essentially give ownership
of personal information to corporations and businesses. These bills
tell Corporate America: ``you can do anything you want with a
consumer's personal information, unless that consumer has the knowledge
and the foresight to tell you otherwise.''
    I submit to you that this approach is inherently unfair.
    Many Americans complain about telemarketing calls that they receive
during dinnertime. When I was writing the book Database Nation, I was
surprised to learn that Americans have been complaining about these
nightly interruptions for more than thirty-five years. Now for many
years the Direct Marketing Association has operated its so-called
Telephone Preference Service that lets Americans put their phone
numbers on a ``do-not call list.'' But few Americans know that these
services even exist.
    Now many people think that privacy policies and the use of personal
information are solely issues having to do with junk mail,
telemarketing calls, and spam e-mail. This is not the case.
As we move
into the 21st Century, there is a vast array of actions that
Internet-savvy firms will be able to perform with our personal information. It
will be difficult for us to keep track of all the ways that our
personal information can and will be exploited. It will be nearly
impossible for us to meaningfully opt-out.
    Consider this hypothetical example. What if a company were to
electronically rifle my online address book, get the list of every
person that I correspond with, and then send each one an e-mail
message? What if these e-mail messages claimed to be from me, and
contained endorsements of the company's new product? What if the
company had an opt-out privacy policy, but it was so complicated to
opt-out that few people understood what was being done with their
personal information until it was too late? This Committee might very
well hold hearings to investigate the company, alleging that the
practices were illegally appropriating the personal information and
identities of consumers. As it turns out, technologies that appropriate
e-mail address books are already being deployed. I have attached to the
end of my written testimony an article written by Boston Globe
columnist Hiawatha Bray which alleges that Microsoft is using a
technique such as this to market its new MSN server. Indeed, the only
reason that Mr. Bray did not inadvertently send out thousands of e-mail
to every person in his address book when he tried out Microsoft's new
MSN server is that the service first asked Mr. Bray's permission--that
is, the service abides by an opt-in policy.
    An opt-in regime is inherently more democratic than an opt-out one.
With opt-in, companies explain to consumers what will be done with
their personal information, and then it's up to the consumer to decide
whether or not they wish to participate.
This is the same sort of
``informed consent'' system that has become the standard in medicine,
banking, and other areas.
    One of the growing critiques of the opt-out approach favored by
S.809 and S.2928 is that these policies require consumers to read,
understand, and act upon the so-called ``privacy policies'' posted by
websites. Unfortunately, these policies are frequently
difficult-to-understand and do little to protect privacy. To demonstrate how opaque
these privacy policies are, I've attached the ``DoubleClick Privacy
Statement'' at the end of my written testimony. I have a master's
degree in journalism, I've written a book on privacy, and I've taken
courses at law school, and I really don't understand what DoubleClick
is doing with personal information. The advantage of an opt-in regime is
that, in an opt-in regime, if a company does clearly explain its
practices and their advantages to consumers, the resultantly confused
consumers will have reason to opt-in.
    As I said before, most Americans believe that they own their
personal information. But ownership really isn't the right word. As I
make clear in my book Database Nation, what is owned can be transferred
or sold. Americans' view of their own privacy is much closer to the
French notion of moral rights. Americans feel that they have a right to
privacy protection. They feel that they have a right to have companies
protect their privacy unless they give explicit permission otherwise.
Americans feel they have a right to be let alone. Americans want to
live in an opt-in system. Opt-out is contrary to our democratic
principles and heritage.

Enforcement
    One concern that I have with all of the bills that you are
currently considering is the issue of enforcement. I think that it
makes sense to have a single agency within the US government that is
responsible for enforcing privacy laws.
Right now, that agency seems to
be the Federal Trade Commission. I'm not sure that the FTC is the right
choice--I would like to see an independent Privacy Office that's
responsible for both the commercial sector and for the laws that apply
to the federal government and to the laws that are enforced through the
FCC. I think that it makes sense to build a center of expertise within
the federal government. I think that a Privacy Office could be a
resource to the rest of the federal government, and to private industry
as well.
    But I understand that this Congress is unlikely to create a Privacy
Office and that the Federal Trade Commission seems to be the current
privacy torchbearer. Indeed, the Commission did an excellent job on its
recent privacy study. I'm pleased that S.2606 would create an FTC Office
of Online Privacy.
    I am however concerned that both S.2928 and S.2606 split
enforcement between the Federal Trade Commission and an assortment of
other federal agencies. I understand that there are technical reasons
for doing this, but I think that they should be reconsidered.
    I am very pleased that S.2928 establishes a statutory civil penalty
of $22,000 for each privacy violation. Traditionally, one of the
hardest problems for those faced with privacy violations has been to
demonstrate damages. Likewise, creation of a private right of action in
S.2606, with awards up to $50,000 for willful and knowing violations,
will make it far easier for wronged individuals to pursue compensation
in our courts. This may be an effective deterrent.
    I think that S.2606's protection of Whistleblowers (section 305) is
an important protection that is missing from the other bills under
consideration. Oftentimes the privacy abuses that occur within an
organization are unknown to outsiders.
In these cases, it is important
to encourage insiders to step forward, and the protection for
whistleblowers will create protections for these individuals.
    In this age of mega-corporations, a vast amount of personal
information could be collected and used in a manner that could be
considered ``solely for internal company processes.'' For this reason,
I think that the exemption for ``internal company processes'' in S.809
is a dangerous precedent. Company policies should not be exempt from
privacy legislation simply because they do not involve third-parties.
    Bankruptcy is a real threat faced by many organizations that
collect personally identifiable information. It is very important that
information collected by an organization when it is financially healthy
not be auctioned off to the highest bidder during a bankruptcy
proceeding. S.2606 takes personally identifiable information off the
table of the bankruptcy courts. This is a very important provision that
should be echoed by the other legislation under consideration.
    I am also concerned that the legislation under consideration does
not adequately address non-commercial threats to privacy. For example,
exempting non-profit organizations, such as S.2928 does, would allow
public radio stations to engage in privacy abuses in the interest of
fund raising. As we know, this has happened in the past; I would like
to see legislation prohibit such abuses from happening on the Internet
in the future.

In Conclusion
    Mr. Chairman, I believe that the United States will eventually have
some form of legislation that protects consumers' personal information,
both on and off the Internet. I believe that such legislation is vital
to the long term health of democracy in this country.
    What I do not know, Mr. Chairman, is whether comprehensive
privacy-protecting legislation will be passed this year, next year, or in
twenty years.
I do know that the longer the US Congress waits to pass \nsuch legislation, the more economic dislocation there will be when it \nis final passed. That is because the longer you wait, the more \nbusinesses will spring up whose business model depends upon \nmisrepresentation and privacy invasion. There are a few such companies \nnow; with no action, there will be more next year.\n    Nevertheless, I think that it would be foolish to delay the passage \nof legislation that protects online privacy while the Congress tries to \ncreate that comprehensive privacy legislation.\n    The American people believe that they have a right to privacy, and \nthey wish to see this body pass legislation that affirms that right. \nParamount to protecting the right to privacy in the digital age is the \nrights of individuals to have access to their own information, and the \nright to have their information protected and held in trust unless they \nexplicitly give permission for it to be used otherwise. I therefore \ncannot support S.809 and S.2928, because both of these bills would \ncreate an opt-out regime. Instead, I would urge this body to make \nS.2606 the basis of any privacy legislation that is approved by this \nCommittee.\n                                 ______\n                                 \n                                UPGRADE\n                    Microsoft serves up its own spam\n             By Hiawatha Bray, Globe Columnist, Globe Staff\n                               9/28/2000\n    Sometimes I feel like that ape in the beginning of the movie \n``2001.\'\' There he is, starving amidst a pile of animal bones. He\'s so \nstupid that it takes a singing black slab from outer space to make him \ngrab a tibia and go kill something. Couldn\'t he just figure it out on \nhis own?\n    I felt that way yesterday as I read of the latest outrage involving \nunwanted e-mail, better known as spam. I am, of course, opposed to it. 
And so, ostensibly, is Microsoft Corp, which has built antispam
features into its e-mail software and its Web-based Hotmail service.
    This makes me wonder why Microsoft is presently engaged in a
massive spam campaign of its own, one that features the unwitting
participation of many Internet users. But I'm even more puzzled by the
fact that evidence of the outrage landed in my lap, and I ignored it.
    A few weeks back, I installed the preview version of the new
Explorer software for Microsoft's MSN online service. Basically,
Microsoft has customized its Internet Explorer browser with specialized
links that mimic the features found on America Online. It's a pretty
good job. MSN Explorer's extra clutter isn't to my taste, but newbies
may find it congenial.
    Anyway, after installing the MSN software, I was invited to click a
check box that would have sent e-mails to my friends to announce the
joyous event. This should have got me thinking.
    Instead, I did what I almost always do when installing Internet
software. I clicked ``no thanks'' and forgot all about it.
    Alas, not every user of the new software was so cautious. That's
why I received an e-mail last week from a reader who was hopping mad
about getting an unsolicited advertisement from Microsoft, sent to him
by some guy he'd never heard of.
    The reader fired off a complaint to Microsoft, and got this reply:
``When a user installs MSN Explorer, they have the option of sending an
e-mail from MSN Explorer to invite you to use the program. This is not
an advertisement or commercial e-mail sent to solicit information from
you by MSN--it is only an invitation sent by an individual member to
try the new product.''
    This didn't satisfy the reader, but incredibly, it satisfied me.
Here's my response: ``Well, that's not quite spam, is it? Maybe it's a
questionable tactic, but it was sent by someone you presumably know.''
    Proof positive that too much e-mail makes you stupid. Had I not
been so swamped with the stuff, I might have put two and two together.
    After all, I'd written quite a bit on the Melissa computer virus--
the one that automatically sent copies of itself to every e-mail
address on a victim's computer. Melissa, you'll recall, only affected
users of Microsoft's e-mail software.
    So I had all of the pieces of the puzzle, and only needed to snap
them together. I didn't. But others did, and by yesterday morning it
was the talk of the Web.
    Sure enough, the MSN software, unless you tell it otherwise, will
check to see if your computer has a copy of Microsoft's Outlook Express
e-mail program. If it's there, the software then checks the program's
address book, scoops up all of the e-mail addresses contained therein,
and sends them an ``invitation'' to join MSN. This invitation is, of
course, signed by you.
    If I hadn't clicked the ``don't you dare'' box while installing MSN
Explorer, I'd have sent this warm, personal invitation to 2,290 of my
nearest and dearest friends. That's how many names are in my Outlook
Express address book. These are mostly tech-industry types who'd have
held me in even lower regard than they already do once this
personalized spam arrived. For spam is exactly what this is, and of a
particularly insidious kind.
    Granted, MSN Explorer asks for permission before cranking out the
mail. But how many users realize that they'll be sending advertisements
for Microsoft? How many understand that they're sending these ads to
their bosses, their bookies, their best customers--everybody?
    I understand that Microsoft is frustrated; MSN has 3 million users
to AOL's 24 million. But I never thought they'd stoop to the favorite
market tool of Internet pornographers. Somebody at MSN had a
brainstorm, but then failed to think it through. I guess we need a
couple more of those black slabs. Put one in the MSN marketing
department, and the other next to my desk.
    Hiawatha Bray is a member of the Globe Staff. He can be reached by
e-mail at bray@globe.com
    This story ran on page E01 of the Boston Globe on 9/28/2000.
Copyright 2000 Globe Newspaper Company.
                                 ______

    September 28, 2000

DoubleClick Privacy Statement
    Internet user privacy is of paramount importance to DoubleClick,
our advertisers and our Web publishers. The success of our business
depends upon our ability to maintain the trust of our users. Below is
information regarding DoubleClick's commitment to protect the privacy
of users and to ensure the integrity of the Internet.

Information Collected in Ad Delivery
    In the course of delivering an ad to you, DoubleClick does not
collect any personally-identifiable information about you, such as your
name, address, phone number or email address. DoubleClick does,
however, collect non-personally identifiable information about you,
such as the server your computer is logged onto, your browser type (for
example, Netscape or Internet Explorer), and whether you responded to
the ad delivered.
    The non-personally identifiable information collected by
DoubleClick is used for the purpose of targeting ads and measuring ad
effectiveness on behalf of DoubleClick's advertisers and Web publishers
who specifically request it.
For additional information on the
information that is collected by DoubleClick in the process of
delivering an ad to you, please.
    However, as described in ``Abacus Alliance'' and ``Information
Collected by DoubleClick's Web Sites'' below, non-personally
identifiable information collected by DoubleClick in the course of ad
delivery can be associated with a user's personally identifiable
information if that user has agreed to receive personally-tailored ads.
    In addition, in connection solely with the delivery of ads via
DoubleClick's DART technology to one particular Web publisher's Web
site, DoubleClick combines the non-personally-identifiable data
collected by DoubleClick from a user's computer with the log-in name
and demographic data about users collected by the Web publisher and
furnished to DoubleClick for the purpose of ad targeting on the Web
publisher's Web site. DoubleClick has requested that this information
be disclosed on the Web site's privacy statement.
    There are also other cases when a user voluntarily provides
personal information in response to an ad (a survey or purchase form,
for example). In these situations, DoubleClick (or a third party
engaged by DoubleClick) collects the information on behalf of the
advertiser and/or Web site. This information is used by the advertiser
and/or Web site so that you can receive the goods, services or
information that you requested. Where indicated, DoubleClick may use
this information in aggregate form to get a better general
understanding of the type of individuals viewing ads or visiting the
Web sites. Unless specifically disclosed, the personally-identifiable
information collected by DoubleClick in these cases is not used to
deliver personally-tailored ads to a user and is not linked by
DoubleClick to any other information.

Abacus Alliance
    On November 23, 1999, DoubleClick Inc. completed its merger with
Abacus Direct Corporation. Abacus, now a division of DoubleClick, will
continue to operate Abacus Direct, the direct mail element of the
Abacus Alliance. In addition, Abacus has begun building Abacus Online,
the Internet element of the Abacus Alliance.
    The Abacus Online portion of the Abacus Alliance will enable U.S.
consumers on the Internet to receive advertising messages tailored to
their individual interests. As with all DoubleClick products and
services, Abacus Online is fully committed to offering online consumers
notice about the collection and use of personal information about them,
and the choice not to participate. Abacus Online will maintain a
database consisting of personally-identifiable information about those
Internet users who have received notice that their personal information
will be used for online marketing purposes and associated with
information about them available from other sources, and who have been
offered the choice not to receive these tailored messages. The notice
and opportunity to choose will appear on those Web sites that
contribute user information to the Abacus Alliance, usually when the
user is given the opportunity to provide personally identifiable
information (e.g., on a user registration page, or on an order form).
    Abacus, on behalf of Internet retailers and advertisers, will use
statistical modeling techniques to identify those online consumers in
the Abacus Online database who would most likely be interested in a
particular product or service. All advertising messages delivered to
online consumers identified by Abacus Online will be delivered by
DoubleClick's patented DART technology.
    Strict efforts will be made to ensure that all information in the
Abacus Online database is collected in a manner that gives users clear
notice and choice. Personally-identifiable information in the Abacus
Online database will not be sold or disclosed to any merchant,
advertiser or Web publisher.
    Name and address information volunteered by a user on an Abacus
Alliance Web site is associated by Abacus through the use of a match
code and the DoubleClick cookie with other information about that
individual. Information in the Abacus Online database includes the
user's name, address, retail, catalog and online purchase history, and
demographic data. The database also includes the user's non-personally-
identifiable information collected by Web sites and other businesses
with which DoubleClick does business. Unless specifically disclosed to
the contrary in a Web site's privacy policy, most non-personally-
identifiable information collected by DoubleClick from Web sites on the
DoubleClick Network is included in the Abacus Online database. However,
the Abacus Online database will not associate any personally-
identifiable medical, financial, or sexual preference information with
an individual. Neither will it associate information from children.

Sweepstakes
    DoubleClick's Flashbase, Inc. subsidiary provides automation tools
that allow our clients to provide online contests and sweepstakes
(``DoubleClick sweepstakes'').
    All DoubleClick sweepstakes entry forms must provide a way for you
to opt-out of any communication from the sweepstakes manager that is
not related to awarding prizes for the sweepstakes. Entry forms must
further provide consumers with a choice whether to receive email
marketing materials from third parties. When you enter a DoubleClick
sweepstakes, the information you provide is not shared with
DoubleClick or any third party, unless you agree by checking the opt-in
box on the sweepstakes entry form. If you enter a sweepstakes, you
agree that the sweepstakes sponsor may use your name in relation to
announcing and promoting the winners of the sweepstakes. See the
official rules of the sweepstakes you are entering for additional
information.
    DoubleClick does collect aggregate, anonymous information about the
sweepstakes. That information is primarily used to help sweepstakes
managers choose prizes and make other decisions regarding the
organization of the sweepstakes. DoubleClick does not associate
information provided through the sweepstakes with your other web
browsing activities or clickstream data.

Email
    DoubleClick uses DARTmail, a version of DART technology, to bring
you emails that may include ads. Email is sent only to people who have
consented to receive a particular email publication or mailing from a
company.
If at any time you would like to end your subscription to an
email publication or mailing, follow either the directions posted at
the end of the email publication or mailing, or the directions at the
email newsletter company's Web site.
    In order to bring you more relevant advertising, your email address
may be joined with the information you provided at our client's website
and may be augmented with other data sources. However, DoubleClick does
not link your email address to your other Web browsing activities or
clickstream data.

Information Collected by DoubleClick's Web Sites
    The Web sites owned or controlled by DoubleClick, such as
www.NetDeals.com and www.IAF.net may ask for and collect personally-
identifiable information. DoubleClick is committed to providing
meaningful notice and choice to users before any personally-
identifiable information is submitted to us. Specifically, users will
be informed about how DoubleClick may use such information, including
whether it will be shared with marketing partners or combined with
other information available to us. In most cases, the information
provided by a user will be contributed to the Abacus Online database to
enable personally-tailored ad delivery online. Users will always be
offered the choice not to provide personally-identifiable information
or to have it shared with others.

Access
    DoubleClick offers users who have voluntarily provided personally-
identifiable information to DoubleClick the opportunity to review the
information provided and to correct any errors.

Cookies and Opt-Out
    DoubleClick, along with thousands of other Web sites, uses cookies
to enhance your Web viewing experience. DoubleClick's cookies do not
damage your system or files in any way.
    Here's how it works. When you are first served an ad by
DoubleClick, DoubleClick assigns you a unique number and records that
number in the cookie file of your computer. Then, when you visit a Web
site on which DoubleClick serves ads, DoubleClick reads this number to
help target ads to you. The cookie can help ensure that you do not see
the same ad over and over again. Cookies can also help advertisers
measure how you utilize an advertiser's site. This information helps
our advertisers cater their ads to your needs.
    If you have chosen on any of the Web sites with which Abacus does
business to receive ads tailored to you personally as part of Abacus
Online's services, the cookie will allow DoubleClick and Abacus Online
to recognize you online in order to deliver you a relevant message.
    However, if you have not chosen to receive personally-targeted ads,
then the DoubleClick cookie will not be associated with any personal
information about you, and DoubleClick (including Abacus) will not be
able to identify you personally online.
    While we believe that cookies enhance your Web experience by
limiting the repetitiveness of advertising and increasing the level of
relevant content on the Web, they are not essential for us to continue
our leadership position in Web advertising.
    While some third parties offer programs to manually delete your
cookies, DoubleClick goes one step further by offering you a ``blank''
or ``opt-out cookie'' to prevent any data from being associated with
your browser or you individually. If you do not want the benefits of
cookies, there is a simple procedure that allows you to deny or accept
this feature. By denying DoubleClick's cookies, ads delivered to you by
DoubleClick can only be targeted based on the non-personally-
identifiable information that is available from the Internet
environment, including information about your browser type and Internet
service provider. By denying the DoubleClick cookie, we are unable to
recognize your browser from one visit to the next, and you may
therefore notice that you receive the same ad multiple times.
    If you have previously chosen to receive personally-tailored ads by
being included in the Abacus Online database, you can later elect to
stop receiving personally-tailored ads by denying DoubleClick cookies.
    Your opt-out will be effective for the entire life of your browser
or until you delete the cookie file on your hard drive. In each of
these instances, you will appear as a new user to DoubleClick. Unless
you deny the DoubleClick cookie again, DoubleClick's ad server will
deliver a new cookie to your browser.

Disclosure
    DoubleClick makes available all of our information practices at
www.doubleclick.net, including in-depth descriptions of our targeting
capabilities, our privacy policy, and full disclosure on the use of
cookies. In addition, we provide all users with the option to contact
us at with any further questions or concerns.

Security
    DoubleClick will maintain the confidentiality of the information
that it collects during the process of delivering an ad. DoubleClick
maintains internal practices that help to protect the security and
confidentiality of this information by limiting employee access to and
use of this information.

Industry Efforts to Protect Consumer Privacy
    DoubleClick is committed to protecting consumer privacy online. We
are active members of the Network Advertising Initiative,
NetCoalition.com, Online Privacy Alliance, Internet Advertising Bureau,
New York New Media Association, and the American Advertising
Federation.
    For more information about protecting your privacy online, we
recommend that you visit www.nai.org, www.netcoalition.com, and
www.privacyalliance.org.
    We also recommend that you review this Privacy Statement
periodically, as DoubleClick may update it from time to time.

                                 ______

1973: The Code of Fair Information Practices
    The Code of Fair Information Practices was the central contribution
of the HEW (Health, Education, Welfare) Advisory Committee on Automated
Data Systems. The Advisory Committee was established in 1972, and the
report released in July. The citation for the report is as follows:
    U.S. Dep't. of Health, Education and Welfare, Secretary's Advisory
Committee on Automated Personal Data Systems, Records, Computers, and
the Rights of Citizens (1973).
    The Code of Fair Information Practices is based on 5 principles:

          1. There must be no personal data record-keeping systems
        whose very existence is secret.

          2. There must be a way for a person to find out what
        information about the person is in a record and how it is used.

          3. There must be a way for a person to prevent information
        about the person that was obtained for one purpose from being
        used or made available for other purposes without the person's
        consent.

          4. There must be a way for a person to correct or amend a
        record of identifiable information about the person.

          5.
Any organization creating, maintaining, using, or
        disseminating records of identifiable personal data must assure
        the reliability of the data for their intended use and must
        take precautions to prevent misuses of the data.

1980: OECD Guidelines on the Protection of Privacy and Transborder
        Flows of Personal Data
    Today privacy advocates have moved beyond the 1973 Code of Fair
Information Practices and have adopted the OECD's 1980 Guidelines on
the Protection of Privacy and Transborder Flows of Personal Data. You
can find the entire document on the OECD website. The most important
principles are:

Collection Limitation Principle
    There should be limits to the collection of personal data and any
such data should be obtained by lawful and fair means and, where
appropriate, with the knowledge or consent of the data subject.

Data Quality Principle
    Personal data should be relevant to the purposes for which they are
to be used, and, to the extent necessary for those purposes, should be
accurate, complete and kept up-to-date.

Purpose Specification Principle
    The purposes for which personal data are collected should be
specified not later than at the time of data collection and the
subsequent use limited to the fulfilment of those purposes or such
others as are not incompatible with those purposes and as are specified
on each occasion of change of purpose.

Use Limitation Principle
    Personal data should not be disclosed, made available or otherwise
used for purposes other than those specified in accordance with
Paragraph 9 except:

      a. with the consent of the data subject; or

      b. by the authority of law.

Security Safeguards Principle
    Personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorized access, destruction, use,
modification or disclosure of data.

Openness Principle
    There should be a general policy of openness about developments,
practices and policies with respect to personal data. Means should be
readily available of establishing the existence and nature of personal
data, and the main purposes of their use, as well as the identity and
usual residence of the data controller.

Individual Participation Principle
    An individual should have the right:

      a. To obtain from a data controller, or otherwise, confirmation
of whether or not the data controller has data relating to him;

      b. To have communicated to him, data relating to him

      <bullet> within a reasonable time;

      <bullet> at a charge, if any, that is not excessive;

      <bullet> in a reasonable manner; and

      <bullet> in a form that is readily intelligible to him;

      c. To be given reasons if a request made under subparagraphs (a)
and (b) is denied, and to be able to challenge such denial; and

      d. To challenge data relating to him and, if the challenge is
successful, to have the data erased, rectified, completed or amended.

Accountability Principle
    A data controller should be accountable for complying with measures
which give effect to the principles stated above.

    The Chairman. Thank you, Mr. Garfinkel.
    Mr. Rotenberg, we will go with you and then we will run
over and vote.

  STATEMENT OF MARC ROTENBERG, PRESIDENT, ELECTRONIC PRIVACY
                       INFORMATION CENTER

    Mr. Rotenberg. Mr. Chairman, Members of the Committee,
thank you very much for the opportunity to be here. My name is
Marc Rotenberg. I am Director of the Electronic Privacy
Information Center.
I have also taught the law of information
privacy at Georgetown for the last 10 years, and my textbook,
which is a collection of privacy laws from the U.S. and around
the world, is now in its third edition.
    I am going to focus on the substance of the three proposals
before the Committee today. I would like at the outset to
commend you for your focus on this issue. Privacy is obviously
a very important concern for Americans. Many believe it is the
No. 1 issue facing the future of the Internet, and there has
clearly been progress in addressing the issue, among the
privacy groups and the Congress and also the industry groups.
    But the critical decision now is what is the legislative
approach that is going to provide meaningful protection for
Americans going forward.
    Now, there is a very attractive proposal on the table. It
is a proposal based on notice and choice. It says, in effect,
let us inform people about the collection and use of their
personal information and give them some choices. This is the
approach that Mr. Vradenburg and others have endorsed. It is,
by and large, the approach, sir, in your bill, and it is the
approach generally followed by the industry groups that talk a
great deal about privacy.
    But the critical point to understand is that notice and
choice operating alone, without the other rights that are
typically found in a privacy bill, do not provide privacy
protection. What they will provide, in fact, is a type of
warning label or disclaimer. They will allow companies to do
whatever they wish with the personal information that they
collect, and they will not establish any substantive rights for
individuals who provide their information.
    The Chairman. That is an interesting interpretation of this
legislation. It is a fascinating one, but please proceed. It
could not be further from the truth, but please go ahead.
    Mr. Rotenberg. It may not be the intent of the legislation.
I will be clear on this point. It may not be the intent, but I
have to tell you that in practice this is how it operates.
    Privacy warning notices are found in the work place. They
tell employees that they do not have an expectation of privacy
in the use of a computer or a telephone. Privacy warning
notices are found on commercial websites. They tell people who
buy products that the information that they offer will be
disclosed to third parties. This is how privacy notices have
typically operated.
    Now, I think it is important to contrast this approach with
the way that privacy laws have traditionally been constructed
in the United States. Privacy laws in the past, whether it is
the cable act or the video act or the credit reporting act, are
based on a group of rights called fair information practices.
They include rights of access, rights to limit the disclosure
of information, sometimes even obligations to destroy the
information about individuals that is collected. This is what
you see, for example, in the Video Privacy Protection Act.
Companies are actually told that after a period of time, to
protect the privacy interests of their customers, they are
expected to destroy the information. Now, that approach, the
approach that is based upon fair information practices, is the
way that we have traditionally constructed privacy protection
in this country.
    Now, the argument can be made, well, things are changing
very quickly with the Internet. Maybe we need a more modern
approach.
    The Chairman. Do you disagree with that, that times are
changing very quickly?
    Mr. Rotenberg. No. Actually I think things are changing
quickly.
    But the second point I wanted to make, Mr. Chairman, is
that these privacy laws that we have adopted in the past, that
have included all of these rights--quite a bit more, I am
trying to point out, than notice and consent--were in fact a
response to changing technologies. The Privacy Act was a
response to the computerization of records in the federal
government.
    The Chairman. No. The Privacy Act was an attempt to protect
someone's privacy whether it be computerized or on paper. At my
age, Mr. Rotenberg, I remember it very well. I do not think you
were around then.
    Mr. Rotenberg. Well, Mr. Chairman, I was around. I was
maybe a few years younger.
    I think there is certainly a lot to show in the history
that it was the automation of records, and the Cable Act was
the response to cable television.
    The Chairman. If you do not mind my interrupting you again.
It was because of egregious violations of people's privacy that
took place that required Congress and the American people to
demand action. There were a number of scandals. It had nothing
to do with computerization or non-computerization. It had to do
with direct and egregious violations of Americans' privacy. I
think I can show you a clear legislative record of that and the
scandals associated with it.
    Please proceed.
    Mr. Rotenberg. Mr. Chairman, the Privacy Act was passed by
the post-Watergate Congress in 1974, and there was no question
that the misuse of personal information by the President at
that time supported the congressional effort.
    But the beginning of congressional hearings, the reason
that Congress got interested in this issue in the 1960's, was
because of a proposal called the National Data Center. In 1965,
the federal government said let us take all of the information
on American citizens, automate it, made possible now with
computers, and use it for statistical purposes and government
programs. And beginning in 1966, both the House and the Senate
held a series of hearings to look at the automation----
    The Chairman. And never acted until egregious violations of
American citizens' privacy were committed.
    Look, I have got to stop because there is only one minute
left. We will take a very brief break. There are two votes, and
I will look forward to continuing this dialog. We will return
in approximately five to ten minutes. We will take a break.
    [Recess.]
    The Chairman. We will recommence the hearing, and Mr.
Rotenberg, I will try to restrain myself from interrupting you
for the rest of your testimony. I do not guarantee it. I will
try.
    [Laughter.]
    The Chairman. Thank you and thank you for your indulgence.
    Mr. Rotenberg. Thank you, Mr. Chairman. I will also agree
to move on past the Privacy Act because I guess we have our
differing views.
    This really was my point, that over the last 25 years,
there have been a lot of new technologies that Congress has
confronted. Congress has confronted cable and electronic mail
and videotapes, fax machines, and so forth. In each instance,
rather than saying technology is changing quickly or we do not
understand it, maybe we should not regulate, Congress has come
up with good privacy legislation. You did it with children's
information on the Internet last year.
    The point of my testimony here is to really say that I
think we need to put in place the kind of meaningful safeguards
that we have in the past with new technologies to safeguard the
interests of consumers. I think 2606 does that very well. This
is a bill that is forward looking. It anticipates a bunch of
problems. It updates and amends current privacy laws that are
already doing a good job, and most critically, it provides an
effective form of protection. It gives people some baseline
rights. And I think that is what they need. I think that is
what the public is asking for. I think that is what the
industry increasingly understands is likely to come about.
    Now, I understand this is toward the end of the session and
maybe all these things cannot be worked out now, but I do have
to underscore, we have never done a privacy bill in this
country based simply on notice and choice. We have always tried
to give people something more. We can talk about how far we can
go, whether access works in all circumstances or in some
circumstances or for certain types of information. I think that
is an important debate to have, but we have to give people
something more than notice and choice.
    We also have to give them an opportunity to pursue privacy
complaints on their own if they wish. We think a private right
of action is absolutely vital to protect privacy interests. One
of the problems that we have seen over the past year following
the developments with the FTC, which is certainly working very
hard to try to protect privacy, is that they are just not able
to respond to all the privacy complaints that they are
receiving. And because of the way section 5 is structured, they
really do operate almost like a choke point on the types of
claims that can be brought under this unfair and deceptive
trade practices.
    Privacy bills have traditionally given people a private
right of action so that if they wish, they can pursue the
matter in court. Not many of these cases are brought, but when
they are brought, I think they are quite important to protect
and safeguard privacy interests.
    So, I want to thank you again, Mr. Chairman. I understand
the Committee has done a lot of important work in this area.
And I just urge you, please, to consider what type of rights
people are going to have online going forward to protect their
privacy.
    [The prepared statement of Mr. Rotenberg follows:]

  Prepared Statement of Marc Rotenberg, President, Electronic Privacy
                   Information Center, Washington, DC

    My name is Marc Rotenberg.\1\ I am the Executive Director of the
Electronic Privacy Information Center (EPIC) in Washington DC and an
adjunct professor at Georgetown University Law School where I teach
information privacy law.\2\ I am grateful for the opportunity to appear
before the Committee today. I also appreciate the Committee's ongoing
efforts to explore the important issue of Internet privacy.
---------------------------------------------------------------------------
    \1\ Executive director, Electronic Privacy Information Center;
adjunct professor, Georgetown University Law Center; editor, The
Privacy Law Sourcebook 2000: United States Law, International Law, and
Recent Development; editor (with Philip Agre) Technology and Privacy:
The New Landscape (MIT Press 1998).
    \2\ The Electronic Privacy Information Center is a project of the
Fund for Constitutional Government, a non-profit charitable
organization established in 1974 to protect civil liberties and
constitutional rights. More information about EPIC is available at the
EPIC web site http://www.epic.org
---------------------------------------------------------------------------
    I will focus my comments on the need to ensure strong privacy
safeguards for the Internet based on Fair Information Practices. These
guidelines are the basis for almost all privacy laws, and provide the
framework to evaluate the proposals currently before the Committee.
    I will address specific provisions of the Online Privacy Protection
Act, the Consumer Privacy Protection Act, and the Consumer Internet
Privacy Protection Act. I will recommend that the Committee adopt
strong, sensible provisions that safeguard the interests of consumers
and provide clarity and a level playing field for businesses.
I will \nalso address some of the issues that are not addressed directly in the \nlegislative proposals, such as the need to protect online anonymity.\n\nStatus of Internet Privacy\n    Mr. Chairman, at the outset, I wish to make 3 brief points \nconcerning Internet privacy. First, we believe that there is widespread \npublic support for legislation in this area and also that industry \nrecognizes that such legislation is appropriate and necessary. Polling \ndata routinely shows that the public believes that privacy laws for the \nInternet are needed.\\3\\ And although industry groups have objected as a \ngeneral matter to government regulation of the Internet, in the area of \nonline privacy I believe most will concede that legislation is \nlikely.\\4\\\n---------------------------------------------------------------------------\n    \\3\\ Business Week/Harris Poll: A Growing Threat, March 20, 2000, \n[http://www.businessweek.com/2000/00_12/b3673010.htm]. The poll found \nthat 57 percent of people surveyed supported laws governing the \ncollection and use of personal information online while only 15 percent \nsupported letting industry groups develop voluntary standards. Georgia \nTech Graphic, Visualization, & Usability Center\'s Tenth WWW User Survey \n(October 1998) [http://www.gvu.gatech.edu/user_surveys/survey-1998-10/\ngraphs/privacy/q59.htm] This poll found that 41 percent agreed strongly \nand 31 percent agreed somewhat with the statement: ``There should be \nnew laws to protect privacy on the Internet.\'\'\n    \\4\\ ``Mixed Views on Privacy Self-Regulation,\'\' DM News, October 2, \n2000 [http://www.dmnews.com/articles/2000-10-02/10780.html]\n---------------------------------------------------------------------------\n    Second, while we recognize that commercial web sites have made \nprogress in developing and posting privacy notices, we do not believe \nthat these policies alone protect online privacy. 
In fact, privacy \nnotices without other substantive rights operate more like warning \nlabels or disclaimers than actual privacy safeguards. Although it would \nbe tempting to pass legislation based simply on the notice requirement, \nwe believe such a bill over the long term would reduce the expectation \nof privacy and the level of online protection. A substantive privacy \nmeasure must provide more than notice.\n    Third, we believe that enforcement mechanisms must remain flexible. \nAny legislation that leaves a central agency in the position to limit \nenforcement at the local level or prevents an individual from pursuing \na privacy complaint in court could significantly undermine the \nprotection of privacy interests. And to the extent that the FTC plays a \ncentral role in overseeing the enforcement of privacy, it is vitally \nimportant that formal reporting requirements be established so that \nthis Committee, the Congress, and the public will be able to evaluate \nthe effectiveness of privacy protection in the United States.\n\nPrivacy Laws and the Role of Fair Information Practices\n    The basic goal of privacy legislation is to outline the \nresponsibilities of organizations that collect personal information and \nto provide rights to those individuals that provide the personal \ninformation. These rights and responsibilities are commonly referred to \nas ``Fair Information Practices.\'\' Fair Information Practices ensure \nthat consumers have control over their personal data and that companies \nabide by ethical business practices.\n    Fair Information Practices have provided the basis for privacy \nlegislation across both the public and private sectors. 
The Fair Credit \nReporting Act of 1970 placed requirements on credit reporting agencies, \nrestricting their ability to disclose information about individual \nconsumers and providing a right of access so that individuals could \ninspect their credit reports and determine whether decisions affecting \ntheir ability to obtain a loan or receive credit were based on accurate \nand complete information.\\5\\ Since 1970, privacy laws based on Fair \nInformation Practices have covered educational records \\6\\, cable \nsubscriber records \\7\\, email \\8\\, video rental records \\9\\, and \ntelephone toll records \\10\\. The recently passed Children\'s Online \nPrivacy Protection Act \\11\\ requires parental consent before \ninformation is collected from minors and access to any information \nalready collected.\n---------------------------------------------------------------------------\n    \\5\\ Fair Credit Reporting Act (1970) 15 U.S.C. Sec. 1681.\n    \\6\\ Family Educational Rights and Privacy Act (1974) 20 U.S.C. \nSec. 1232g.\n    \\7\\ Cable Communications Policy Act (1984) 47 U.S.C. Sec. 551.\n    \\8\\ Electronic Communications Privacy Act (1986) 18 U.S.C. \nSec. 2510.\n    \\9\\ Video Privacy Protection Act (1988) 18 U.S.C. Sec. 2710.\n    \\10\\ See Telecommunications Act (1996) 47 U.S.C. Sec. 222.\n    \\11\\ Children\'s Online Privacy Protection Act (1999) 15 U.S.C. \nSec. 6501.\n---------------------------------------------------------------------------\n    For more than 25 years, the United States has established privacy \nlaws based on Fair Information Practices directly in response to the \ndevelopment of new technologies, such as computer databases, cable \ntelevision, electronic mail, movies on video tape, and fax machines. \nFar from discouraging innovation, these baseline privacy standards have \npromoted consumer trust and confidence as new services have emerged. 
\nPrivacy laws have also provided businesses with clear rules and a level \nplaying field.\n    Fair Information Practices have also contributed to the development \nof privacy laws around the world. Important international agreements \nsuch as the Organization for Economic Co-operation and Development \n(OECD) Guidelines on the Protection of Privacy and Transborder Flows of \nPersonal Data and the recently concluded Safe Harbor arrangement have \nbeen built on Fair Information Practices \\12\\. These international \nguidelines have become more important as we move toward a global \neconomy where US firms seek to sell products online in other countries \nand US consumers have increasingly made their personal information \navailable over the Internet to companies operating all around the \nworld.\n---------------------------------------------------------------------------\n    \\12\\ http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM\n---------------------------------------------------------------------------\n    Because of the central role that Fair Information Practices have \nplayed in the development of privacy law in the United States and the \nincreasing importance of these principles for online commerce going \nforward, I believe they provide the appropriate framework to evaluate \nthe bills now pending before the Committee.\n\nFair Information Practices Principles and Consumers\n    Strong legal protections built on Fair Information Practices \nsatisfy the basic, common sense privacy expectations of consumers. The \nbills under consideration today follow the rubric of notice, \n``choice,\'\' access, security, and enforcement when discussing Fair \nInformation Practices. While this is not a complete list of the \nobligations that can be found in US privacy law, it is a useful \nframework for evaluating privacy measures. 
All three bills present \nvarious approaches towards upholding Fair Information Practices and \nestablishing baseline standards for Internet privacy.\n\nNotice\n    The first principle of privacy protection is that a consumer should \nbe provided notice of the collection, use and dissemination of his or \nher personal information. A privacy notice or a privacy policy should \ntell a consumer when his or her personal information will be collected, \nthe purpose it will be used for and whether it will be disclosed to a \nthird party. Simply put, a privacy notice should be a basic description \nof what information a company collects and for what purposes.\n    The problems with current privacy policies have been brought up by \nthe Committee in earlier hearings. They tend to be long, confusing, and \nfull of obscure legal language. It is ironic that a principle intended \nto make consumers aware of privacy practices has been subverted to one \nthat misleads and frustrates consumers on a regular basis. There is the \nadditional problem that companies have found it too easy to change \nprivacy policies when they wish. This was the problem with Doubleclick \nthat gave rise to the FTC investigation.\n    Furthermore, although notice is an important part of a privacy \npolicy it does not by itself constitute privacy protection. Notice must \nbe accompanied by the other principles of Fair Information Practices. \nThis point was made clear in EPIC\'s recent report ``Surfer Beware 3: \nPrivacy Policies Without Privacy Protection\'\'. This study found that \nwhile the vast majority of high-traffic e-commerce sites had privacy \npolicies none of those sites displayed a privacy policy that provided \nthe full range of Fair Information Practices \\13\\.\n---------------------------------------------------------------------------\n    \\13\\ http://www.epic.org/reports/surfer-beware3.html\n---------------------------------------------------------------------------\n    S. 
2928, the ``Consumer Internet Privacy Enhancement Act\'\', has the \nmost extensive discussion of notice in comparison to S. 809 and S. \n2606. However, it is possible that the amount of information that this \nbill requires to be disclosed will likely overwhelm the average \nInternet user. The speed and convenience of shopping online will \nquickly hit speed bumps if all consumers are expected to read such \nnotices before transacting business. Consumers should be assured that \nbaseline principles to safeguard their privacy apply to every site they \nvisit. They should not be burdened with having to examine and \ncomprehend each line of a privacy policy before they decide whether or \nnot to transact business with that specific company.\n    The notice provisions of S. 809, the ``Online Privacy Protection \nAct of 1999\'\', and S. 2606, the ``Consumer Internet Privacy Enhancement \nAct\'\', are less burdensome but neither are perfect. While S. 2606 \nspecifies that notice should be ``clear and conspicuous\'\', S. 809 \nprudently requires that contact information is provided. While the \nlegislative construction would be difficult, notice should be able \neasily understood by most consumers. Of course, contact information \nshould be included as well.\n    In addition to this basic analysis of notice, S. 2606 properly \naddresses a growing trend of Internet companies that unilaterally \nchange privacy policies on their customers. The requirement of notice \nof a policy change and consent before information can be used in \naccordance with the new policy would ensure that companies could not \nchange terms on their customers. Furthermore, it would force companies \nto think more carefully the first time they write their privacy policy.\n\nConsent\n    The principle of consent is based on the view that if a consumer \nprovides information for a particular transaction it should not be used \nfor another purpose without first obtaining the consent of the \nconsumer. 
The purpose of this requirement is to ensure fairness and \ntransparency and to prevent the type of ``bait and switch\'\' that can \neasily result if a consumer is led to believe that a disclosure of \npersonal data is necessary for a transaction when it will in fact be \nused for another purpose. If I provide my name and mailing address so a \nbook I ordered online will arrive at my house, the information should \nnot be used for another purpose without my permission.\n    Opt-in means asking the consumer\'s permission before information is \ncollected or used. Opt-out means that a consumer will have to go \nthrough a long, burdensome process to tell a company that she doesn\'t \nwant information used in a particular way. Which one will help a \nconsumer control her information? Which will encourage companies to \nmake it as difficult as possible to let her exercise that control?\n    We support opt-in as a common-sense standard that will give \nconsumers a fair chance at controlling their personal information. The \naffirmative consent requirement that would be established by S. 2606 is \na ``consumer friendly privacy standard\'\' that allows for individuals to \nrightly decide how their information held by others should be used.\n    The exceptions in S. 809 for consent present an issue that the \nCommittee should consider. S. 809 excludes ``transactional information \nwhere identifiable information is not removed\'\' from its consent \nrequirement. While S. 2606 establishes that personally identifying \ninformation may only be collected and used with consent, a great deal \nof information is collected and tied to unique identifiers.\n    While it does not establish an opt-in, only S. 809 recognizes that \n``transactional information\'\' or clickstream data should be considered \npersonal information. Within the bill, personal information includes \n``information that is maintained with, or can be searched or retrieved \nby means of\'\' other identifiers. 
Transactional information is data \ngenerated by online movements--pages visited, searches conducted, links \nclicked--and has been at the center of recent privacy controversies \nover online profiling. Not including this information as part of an \nonline privacy bill and protecting it would overlook a major concern of \nInternet consumers.\n\nAccess\n    One of the critical requirements of genuine privacy protection is \nto ensure that consumers are able to see the information about them \nthat is collected. The right of access, which can be found in laws \nranging from the Fair Credit Reporting Act to the Privacy Act to \nmedical privacy laws across the country, is oftentimes the most \neffective way that individuals have to monitor the collection of their \ndate and to object to inappropriate uses of personal information.\n    Businesses sometimes object to providing access because they claim \nthat it is too costly. But it is also possible that many organizations \nsimply don\'t want to actually show their customers how their personal \ninformation is actually used. This is a risky strategy that we believe \nonline companies should avoid.\n    In the online world it is much easier to provide access to profile \ninformation. Many websites today, from airline reservations to online \nbanking, are making information that they have about their customers \nmore readily available over the Internet. Many of these companies \nrealize the importance of ensuring the information they have is \naccurate and developing a transparent and accountable business-customer \nrelationship.\n    But we need a much broader right of access in the online world \nbecause some bad actors are taking advantage of technological tools \nthat are beyond the knowledge of most Internet users. The online world \nenables far-reaching profiling of private behavior in a way that is \nsimply not possible in the physical world. 
This became clear during the \npast year over the debate with Doubleclick and it is today a critical \nissue with Amazon.\n    Any company that creates a persistent profile on a known user, or \nthat could be linked to a known user, should be required to make known \nto that user all of the information that is acquired and how it is used \nin decisions affecting that person\'s life. The profile should always be \nonly ``one-click\'\' away--there is no reason on the Internet that \ncompanies should force users to go through elaborate procedures or pay \nfees to obtain this information about them.\n    It would also be appropriate in many cases to give individuals the \nright to compel a company to destroy a file that has been created \nimproperly or used in a way that has caused some harm to the \nindividual. Data could still be preserved in an aggregate form, but \nindividuals should be able to tell a company that they no longer have \npermission to make use of the personal information that they have \nobtained.\n    S. 2606 provides the most robust right of access. Providing \n``reasonable\'\' access to personally identifying information and the \nability to correct or delete information allows the consumer to control \nwhat happens to her data.\n    S. 809 is better than S. 2928 on access, though the numerous \nexemptions create several problems. Transactional information, \nespecially where identifiable information is not removed, has received \nsome of the greatest recent attention as mentioned above via online \nprofiling. Personal information that is used internally or \nconfidentially is the type of information that should be most subject \nto access since it is used outside the realm of normal customer \ninteraction. If one of the goals of access is transparency, the \ninformation which is most hidden should be brought to light. The other \nexceptions for discarded data and data that has no impact seem \nredundant or unnecessary. 
The presumption of access is that if personal \ninformation is held by a company, it should be provided to the \nconsumer. Discarded data is not held by a company and whether data has \nimpact should be a question the consumer should answer.\\14\\\n---------------------------------------------------------------------------\n    \\14\\ For further comments on S. 809, see Testimony and Statement \nfor the Record of Marc Rotenberg, Director Electronic Privacy \nInformation Center, Hearing on S. 809, The Online Privacy Protection \nAct of 1999, Before the Subcommittee on Communications Committee on \nCommerce, Science and Transportation, U.S. Senate, July 27, 1999, \n[http://www.epic.org/privacy/internet/EPIC_testimony_799.pdf]\n---------------------------------------------------------------------------\nEnforcement\n    Perhaps the most important element of Fair Information Practices is \nenforcement. Absent an effective means to ensure compliance, privacy \nprinciples will have little impact on business practices.\n    The key to enforcement is the independence of the enforcer. Self-\nregulation has been an incomplete solution to privacy protection due to \nthis lack of independence. A company overseeing its financial \nsupporters will not be effective or independent. In our view, the Safe \nHarbors created by both S. 809 and S. 2928 lack sufficient oversight to \nensure privacy protection. 
Privacy advocacy groups like EPIC have \ndocumented reasons to be concerned through its ``Surfer Beware\'\' \nreports.\\15\\ If self-regulation had been effective, the FTC would not \nhave reluctantly made its recommendation for legislation earlier this \nsession and we would not be discussing 3 potential Internet privacy \nlaws today.\n---------------------------------------------------------------------------\n    \\15\\ EPIC, ``Surfer Beware I: Personal Privacy and the Internet\'\' \n(1997) [http://www.epic.org/reports/surfer-beware.html]; EPIC, ``Surfer \nBeware II: Notice is Not Enough\'\' (1998) [http://www.epic.org/reports/\nsurfer-beware2.html]; EPIC, ``Surfer Beware III: Privacy Policies \nwithout Privacy Protection\'\' (1999) [http://www.epic.org/reports/\nsurfer-beware3.html].\n---------------------------------------------------------------------------\n    All three bills allow State Attorneys General to police unethical \ncompanies that harm the consumers in their jurisdiction. However, all \nthree allow the FTC to intervene in proceedings and permit its actions \nto take precedence over the actions of State Attorneys General. While \nwe recognize the important role of the FTC in the protection of \nconsumers, it still remains unclear whether it is the appropriate \nagency to safeguard privacy interests. Rather than putting roadblocks \nin the way of State Attorneys General, we should allow consumers to be \nprotected by local authorities and other independent agencies that are \navailable.\n    It is also important to ensure that individual consumers are able \nto pursue privacy complaints. For that reason, a right to private \naction with a provision of liquidated damages should be provided. This \npreserves the right of consumers to pursue privacy complains when \nnecessary. While S. 2928 does establish a fixed level of civil \npenalties, S. 
2606 establishes a private right of action, liquidated \ndamages attorney\'s fees, and punitive damages.\n    None of the bills provide for the establishment of a privacy \nagency. S. 2606 goes furthest in establishing a FTC Office of Online \nPrivacy but like the other bills rely on the existing section 5 \nauthority of the Federal Trade Commission. The reliance of privacy \nguidelines on the FTC Act prohibiting unfair and deceptive business \npractices has not provided an adequate basis for the protection of \nprivacy interests and has failed to develop simple dispute resolution \nprocedures that could assist both consumers and companies resolve \nprivacy problems.\n    Most consumers are not lawyers, computer experts, or privacy \nadvocates. For that reason, many countries have created independent \ndata protection agencies that answer questions and follow up on \nconsumer complaints. In addition to providing invaluable assistance for \nconsumers, a privacy agency can bring the consumer perspective to other \ngovernment agencies and business groups. These agencies are also \ngenerally responsible for public education and international \ncoordination with privacy agencies in other countries. In order to help \nconsumers resolve complaints and to penalize unethical companies, they \nshould have the power to take action when irresponsible companies \nbreach privacy principles established in law.\n\nAdditional Issues\nState Preemption\n    All three bills propose state preemption, though S. 2606 will allow \nfor common law tort and certain other claims to go forward. Limiting \nthe ability of states to develop additional safeguards to protect the \nprivacy interests of their citizens is a dangerous precedent and has \nonly occurred in a few statutes. 
By and large federal privacy laws \noperate as a floor and allow states, ``the laboratories of democracy,\'\' \nto develop new and innovate safeguards as required.\\16\\ We believe this \napproach should be followed with Internet privacy.\n---------------------------------------------------------------------------\n    \\16\\ See, e.g., Video Privacy Protection Act (1988) 18 U.S.C. \nSec. 2710(f), Cable Communications Policy Act (1984) 47 U.S.C. \nSec. 551(g).\n---------------------------------------------------------------------------\nAdditional Safeguards\n    In addition to the other substantive provisions to protect privacy \non the Internet. S. 2606 also proposes important amendments that would \nupdate current privacy laws. The Video Privacy Protection Act would be \nextended to include all video recordings, recorded music, and book \npurchases. The Cable Communications Policy Act would be extended to \nsatellite TV subscriptions. These are sensible recommendations that \nbuild on current laws.\n\nAnonymity\n    Finally, although the bills do not directly address the issue of \nonline anonymity, I would like to underscore that this issue remains \none of the central challenges of Internet privacy. While anonymity does \ncreate some risk, the loss of anonymity in the online world could \nsignificantly undermine any legislative effort to safeguard privacy. We \nhave noticed a disturbing trend in the last year with more and more web \nsites requiring registration and making use of new tracking techniques \nto profile Internet users. Legislative safeguards will help limit the \nworst of the abuses, but formal recognition of a right to be anonymous \nin the online world may be the most robust form of privacy protection \nin the years ahead.\n\nConclusion\n    We commend the Committee for the important efforts to address \nonline privacy. We believe that S. 
2606 provides the most robust \nframework to protect privacy on the Internet, that it is consistent \nwith other privacy laws, and that it is in the interests of consumers \nand business to ensure a high standard for privacy protection in the \nworld of e-commerce. We urge the Committee not to place too much value \non privacy notices without other substantive safeguards. Privacy law is \nbased on Fair Information Practices, a collection of rights and \nresponsibilities that help safeguard the interests on consumers in the \nworld of rapidly changing technology.\n\nReferences\nArticles, Reports and Web Sites\n    EPIC letter to FTC, Dec. 14, 1995 [http://www.epic.org/privacy/\ninternet/ftc/ftc_letter.html]\n    EPIC, ``Surfer Beware I: Personal Privacy and the Internet\'\' (1997) \n[http://www.epic.org/reports/surfer-beware.html]\n    EPIC, ``Surfer Beware II: Notice is Not Enough\'\' (1998)\n    [http://www.epic.org/reports/surfer-beware2.html]\n    FTC, ``Online Privacy: A Report to Congress\'\' (1999) [http://\nwww.ftc.gov/reports/privacy3/index.htm].\n    Doubleclick page [http://www.privacy.org/doubletrouble/]\n    Junkbusters [http://www.junkbusters.com/ht/en/new.html#Ginsu]\n    Jerry Kang, ``Information Privacy in Cyberspace Transactions,\'\' 50 \nStanford Law Review 1193 (1998).\n    Letter to Senator John McCain, August 1, 1997 (from Center for \nMedia Education, Privacy Rights Clearinghouse, Privacy Times, \nElectronic Frontier Foundation, Consumer Federation of America, EFF-\nAustin, Consumer Project on Technology, Electronic Privacy Information \nCenter, Privacy Journal) [http://www.epic.org/privacy/databases/\nftc_letter_0797.html]\n    Joel R. 
Reidenberg, ``Restoring Americans' Privacy in Electronic Commerce,'' 14 Berkeley Technology Law Journal 771 (1999).
    Testimony of Marc Rotenberg before the Subcommittee on Communications, Senate Commerce Committee on the Online Privacy Protection Act of 1999, July 27, 1999.
    Paul Schwartz, ``Privacy and Democracy in Cyberspace,'' 52 Vanderbilt Law Review 1609-1702 (November 1999).
    Gregory Shaffer, ``Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards,'' 25 Yale Journal of International Law 1-88 (Winter 2000).
Books
    Phil Agre and Marc Rotenberg, eds., Technology and Privacy: The New Landscape (MIT Press 1997).
    Colin Bennett, Regulating Privacy (Cornell Press 1992).
    David H. Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States (Chapel Hill 1989).
    Priscilla M. Regan, Legislating Privacy: Technology, Social Values and Public Policy (University of North Carolina Press 1995).
    Marc Rotenberg, The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent Developments (EPIC 2000).
    Paul Schwartz and Joel Reidenberg, Data Privacy Law: A Study of United States Data Protection (Michie 1996).

    The Chairman. I thank you and I thank the witnesses for being here.
    A great deal of the debate on this issue revolves around the issue of opt-in versus opt-out. I would like to hear all the witnesses' views of the advantages and disadvantages to both consumers and businesses associated with each of these approaches. We will begin with you, Mr. Cooper, and go down the line.
    Mr. Cooper. Thank you, Mr. Chairman.
    Hewlett-Packard has done a lot of work lately, in fact very aggressive work, in moving from an opt-out to an opt-in situation for our own websites. We have learned a lot as we are doing it. It is not as easy as we first thought. Very few things dealing with the Internet are. But we think that that is the way to go. It is certainly right for consumers. It is also, we think, a good business practice.
    As we are doing this, we are finding that there are certain areas where opt-in may be difficult either because of logistics or because it then sets off other problems that kind of escalate down the road.
    I think we have come to the conclusion that we think there should be sort of a reverse of what is now kind of the rebuttable presumption on opt-in/opt-out. I think now it is that everything is opt-out unless there is the decision either by the company or Congress or others that it should be an opt-in. We have certainly seen with financial services, with children, with medical records, those have turned into opt-in.
    I think ultimately we could see where there should be the rebuttable presumption where everything would be an opt-in unless there were reasons that could be given that it should be an opt-out. So, we do not think that opt-in works in all cases, but we think that is probably where companies should go in their own personal uses.
    The Chairman. Mr. Vradenburg.
    Mr. Vradenburg. I think we are only at the beginning of understanding exactly how to effectively give consumers choice. Your bill, Senator McCain, focuses on the ease of use and clarity with the choices offered and exercised. It neither uses the word opt-in or opt-out. I think that focus is right. How easy do we make the choice and how clear do we make the information needed by the consumer to make that choice? A one-size-fits-all kind of approach here is not going to work.
    In a number of areas, we too have moved toward an opt-in approach, whether it be in the financial area, where obviously people do not put their financial records online unless they clearly choose to do so, whether it be the medical and health area, where in fact the High Ethics Coalition has recommended opt-in policies for a wide variety of companies dealing with health care information, and clearly we did that in the children's arena. But in fact, I think to say that one-size-fits-all with respect to all of the information exchanges that are currently going on or may go on in the future is an unwise approach and that we ought to focus, as your bill does, on the ease with which consumers can both find, understand, and then exercise the choices they are offered.
    The Chairman. Mr. Garfinkel.
    Mr. Garfinkel. Thank you, Mr. Chairman.
    A few years ago, Bill Gates said that opt-in/opt-out was an irrelevant distinction. He said you could just put up a question and force people to answer it one way or another.
    The Chairman. Do you agree with Mr. Gates' assessment?
    Mr. Garfinkel. No, I do not and I am about to explain why.
    Since then we have learned that opt-in/opt-out is extraordinarily important. With opt-out, it requires that consumers be tremendously informed. I have been a computer security practitioner for about 10 years now, and for the first five, I thought that all the security problems would be dealt with when we properly educated people. But we have learned that you really cannot educate people. People just do not have the time. Many people do not have the ability.
    With an opt-in system, it requires that the business explain to the consumer the value proposition to get the consumer to make an affirmative statement to share their information. If the business does not adequately explain what is going on, the consumer has no incentive to opt-in. With opt-out, it is just the reverse. The business has an incentive not to explain things clearly.
    Now, let me explain this in terms of positional information, something I am extraordinarily concerned about. Every cellular telephone that is used in the world right now has to track the movements of its user because that is the way the cellular telephone systems deliver the calls. Now, it might be that the company is recording your positions over time and selling that information. If you have an opt-out regime, it is up to me to find my cellular company's privacy statement to read it to find out if they are selling my positional information rather than simply being told that they would like to do that and being given the choice.
    We have recently seen that with the Sprint PCS. They have Web forms that you can do on your phone, and it was revealing personal information when people filled out their forms. It was revealing their phone number. People were never told it was doing that. It might have been on some privacy statement somewhere.
    So, my feeling is that with the way Americans approach technology, an opt-in regime is the only one that really makes sense. It is the only one that is fair.
    The Chairman. Mr. Rotenberg.
    Mr. Rotenberg. Mr. Chairman, I think opt-in is just common sense. I think if a company wants to take personal information that is acquired through a commercial transaction and use it for a purpose unrelated to the transaction, most people would think maybe I will agree to do that, but should you not ask me first?
    What happens under the opt-out regime is companies realize that this information has a great deal of value and that if they actually have to go back and ask the customer, the person might object. So, they make it difficult and they discourage people from exercising any control.
    I think it is not surprising, and in some ways commendable, that industry has moved toward opt-in, but I think if you legislate opt-in, you will, in effect, protect the good actors. If you do not, there will be a lot of bad actors running around taking advantage of weak opt-out policies.
    The Chairman. I have one more question for the panel. Mr. Cooper, you want to respond to that.
    The FTC would favor an approach that would provide them with rulemaking authority to regulate privacy on the Internet. Do you agree with that approach?
    Mr. Cooper. First of all, one last thought on opt-in/opt-out. I think that your legislation has advantages that really have not been discussed to the degree that they need to be, which is clear and conspicuous. I think this is the important key to opt-out, and I think it is something that we need to do as quickly as possible. If the FTC has authority to insist that any privacy policy is described in a clear and conspicuous manner, then I think a lot of the problems that have been discussed at the witness table should go away because businesses cannot hide what their policy is. I think if you are going to do one thing, having clear and conspicuous privacy policies is the thing. The FTC does that for a living. They do clear and conspicuous on advertising, on used cars, on telemarketing, you name it. That is the front line of defense for the FTC on consumer protection.
    As far as giving a rulemaking to the FTC, we are not too sure that they do not already have the power within their section 5 authority to do pretty much I think everything that you have described in your bill. If it requires a further working through of that, I would hope that it would be an open process where we would have either hearings before this Committee or some sort of hearing process before the FTC to ensure that there is that balance between their needs for protecting consumers and the ability of the marketplace to continue growing as it has.
    The Chairman. Mr. Vradenburg.
    Mr. Vradenburg. Mr. Chairman, I have gotten somewhat distrustful of the FTC's rulemaking authority recently, and I would say this: It does seem to me that Congress is going to set the policy here, and if the policy is notice and choice, as I think it should be, that is a market-driven choice where basically companies will be out there clearly and conspicuously giving notice of precisely what information is being collected, how they are using it, what choice is being made.
    My concern with additional rulemaking authority beyond the traditional enforcement power of the FTC is that we will get into a debate about what size the font ought to be, exactly how many scrolls you ought to be able to go through, how you put it on the cell phone. What we will end up doing is constraining the innovation that is going on in the marketplace by depriving the consumer of a variety of choices simply because the FTC has described with excruciating detail precisely all of these elements in a way that will make innovation and continued technological progress in this industry and, indeed, new choice techniques and methodologies and technologies continue to evolve on the marketplace.
    So, I am in favor of your approach in your bill, which is a notice and choice approach, with clear and conspicuous disclosure, with enforcement authority, believing that that gives the marketplace its maximum capacity to continue to innovate in this area and at the same time give confidence to the American people through this body that, in fact, there are some baseline standards being set in this arena.
    The Chairman. Mr. Garfinkel.
    Mr. Garfinkel. Thank you, Mr. Chairman.
    I have long said that Congress should not be making legislation on cookies, that it is far better for a regulatory body to make those decisions. I think that the technology is moving very fast and that a regulatory body is able to respond to the changes in technology more quickly than Congress can respond to it. So, I would think that would be a very good place for the rulemaking authority, to be with the FTC.
    At the same time, I do have some concerns about the FTC largely because they are relating to trade, and I think that there are issues on the Internet involving privacy that the FTC is not concerning itself with, like the way nonprofits collect information on the Internet. That is why I would ideally like to see the creation of an independent organization to do that within the government. But given the choice of not giving the power to the FTC or giving the power to the FTC, I think that giving it to the FTC and funding a privacy office within the FTC so we can have a set of experts there who are resources for the rest of the federal government would be the best solution.
    The Chairman. Mr. Rotenberg.
    Mr. Rotenberg. Mr. Chairman, I actually do not favor FTC rulemaking authority in this area. I think the better approach is to establish the statutory obligations to give people the private right of action and to allow the FTC to do enforcement. But my assessment is that when we do these very detailed regulations with elaborate participation, as it should be, from all the stakeholders, we end up with a set of rules, as Mr. Vradenburg has suggested, that become very time-bound. They work today but they may not look as good a couple of years out.
    One of the remarkable things about U.S. privacy law, whether it passed 5 years ago, 10 years ago, or 25 years ago, is that it has been aging pretty well. As long as we stay away from specific technologies, as long as we do not build privacy laws tied to the technology of the day, I think that is the more durable approach over time.
    The Chairman. Thank you.
    I think one thing that is clear from this hearing and from the statements of the Senators and Members of the Committee, as well as the witnesses, is that there is a wide division of opinion as to how we address this issue. There is agreement that it is an incredibly important and challenging issue that continues to grow daily. There is not a consensus yet. We may have to, in January, have another set of hearings in order to try to build consensus on this issue.
    But I also think that there is a compelling argument that we not remain dormant here without acting on the issue. As every day Internet users increase, the fact is that this issue becomes more and more important.
    We have never passed a bill that I can remember out of this Committee directly on partisan lines. In fact, both sides have different views on this issue, but we have usually tried to reach consensus because it never moves if we do not get it out of Committee with an overwhelming majority. So, I think the hearing today, the statements by the Senators, as well as the witnesses indicate that we have a ways to go before we have consensus on this issue.
    Senator Wyden.
    Senator Wyden. Thank you, Mr. Chairman. I agree with the statement you just made as well.
    A question for you, Mr. Cooper and Mr. Vradenburg. This is an effort to find this consensus the chairman talks about. Are the two of you against including access and security in a bill at this point? Just yes or no I think would be helpful because then I am going to ask you to explain it in a minute.
    Mr. Cooper. Well, in a sense it is in the chairman's bill. It just goes to a study for a report back to Congress.
    Senator Wyden. But other than a report, you would not favor any action at this time.
    Mr. Cooper. We think those issues are too complicated to decide within legislation.
    Mr. Vradenburg. I agree with that.
    Senator Wyden. As you know, in the Burns-Wyden bill, we include access and security in an effort to try to give a lot of flexibility for business and the like. Especially the access issue is so key because if a consumer's profile contains mistaken or fraudulently obtained information about a sensitive topic, credit or medical information, there is a question about how they would ever correct it if they did not have access to it. I understand your concerns, and you all have been very thoughtful in terms of dealing with us.
    What I would like to do is ask Mr. Rotenberg and Mr. Garfinkel to tell us why they think it is workable to do access and security, and then have the two of you respond to that in the name of, again, trying to find the kind of common ground the chairman is talking about. Mr. Garfinkel and Mr. Rotenberg, why do the two of you think it is possible to address access and security now?
    Mr. Rotenberg. I think the main point, Senator, is that in this highly dynamic environment where companies are still exploring a lot of different ways to take advantage of the new technology, people are finding it not so difficult to provide extensive information to their customers that in the past would have been impractical or too expensive to provide. You can go online today and see a profile of information that the airline company that you deal with or the hotel that you make reservations with or the bookstore that you buy from collected. All the information that they have about you or, I should say more precisely, most of the information they have about you is now available to you. That is possible because the technology is changing today and makes it possible for companies that say we value access to do this.
    Now, there are certain types of information that are not being made available and then there are certain companies like the online advertisers who have made it particularly difficult to find these profiles. But I think the key point here is that the technology makes it much easier today than it had been in the past to make access real.
    Mr. Garfinkel. I want to amplify what Marc says with two examples.
    The first example is from online advertising. The online advertisers build a comprehensive profile of a person viewing an Internet site, and they use that profile to decide what advertisement to show the individual.
    Now, a way to deal with the access and the security issues are the information on the user's computer, the cookie that pulls into that profile, could also be used as a kind of password to access that profile. The computers that are serving up the advertisement have the possession of all that information, and they could very easily display the information at the same time or at another time with another form rather than simply using that information internally and then not displaying it.
    Technically, access is very easy to convey. The security techniques that we have come up with on the Internet that we have said are sufficient for downloading credit card information, sufficient for viewing other kinds of highly confidential information online should provide the same sorts of security provisions for personal information when you are showing that to the user.
    Now, if you look at Amazon, Amazon has a tremendous amount of personal information that they record. One of the things that they record is every book that you have ever purchased, and they use this for making recommendations when they show you other books. You can ask for recommendations. One thing you can do is you can go to a Web page on the Amazon system and see the list of all the books that you have ever purchased, and if you want Amazon to strike one of those books so that there will not be a record, they allow you to delete it. Now, what I do not know is if it is actually deleting it inside Amazon's computers or not or if it is simply deleting it from what it shows me because Amazon is not really known as a strong privacy player.
    On the other hand, the fact that they are doing this and making this capability available to consumers--and I have used it and it seems to work--leads me to believe that these are not insurmountable hurdles. They are in use now by some of the corporations that are doing business on the Web.
    Senator Wyden. Mr. Cooper, Mr. Vradenburg.
    Mr. Vradenburg. Senator, I think the difficulty here is more pragmatic than anything else. It is a matter of whether or not one can develop adequate access standards and decide when they apply in what circumstances and where we may not create a greater danger to privacy than we create a user opportunity to see their own records.
    Regarding security, I think it is just a difficulty of setting those standards. We have tried that inside the industry and we have tried that inside government and have been unable to do so.
    Let me come back a second to access. We do not use navigation information on our service. We do not use it for marketing purposes. We do not sell it. So, the only purposes that we would ever use that information for internally are aggregated information and, indeed, really to improve the service by finding out exactly in aggregate where people tend to go and why they tend to go there. As a consequence, none of our files are organized by a member, by a user. To require access would perhaps cause us to have to create files that do not now exist to make things more accessible not just to the average user, but to the average hacker.
    So, our problem and concern here is less sort of the principle than the pragmatic effort to get at what it is that people are to have access to, under what circumstances. The easier you make it for the average user of the Internet to get access to their information that may be disaggregated inside our files is to make it more accessible to hackers.
    I would also say, not in any adversarial way, one ought to try and apply the standard to government. That is to say, I say that not with an effort to say government is lousy and we are great. I am just saying to really apply the access standards that you would adopt, go to your federal government agencies and say, apply this access standard, and figure out whether or not you are creating more danger to government users and government records than you are creating an opportunity to use.
    We saw this with Social Security records about a year ago when there was an effort to provide more information to users and more information about the file, and the great concern was that those were hackable and that the information has become more widely dispersed. Thus, there was a greater danger to privacy in making access available, easier to users because it was easier to get at by hackers.
    So, this is a pragmatic problem that we address. We do not think that the state of affairs is ready yet to address this in federal legislation, and that is why we do not think it ought to be embraced. That is why we have supported Senator McCain's approach.
    Mr. Cooper. We are always nervous when somebody says that there is a simple solution to a technical Internet problem because it may work in the first case or the first 10,000 cases, but when you try to scale these things with companies that have very different kinds of approaches and they have artifact systems and they have very different data bases or completely non-interoperable data bases, trying to find a simple solution that will fit all these I think is going to be a problem.
    I think what the FTC Advisory Commission on Access and Security was able to describe was I think a direction where we can work through those problems. They did not reach conclusions, but I think they raised all the right questions. But I think if we turn this over to a study, a reputable study and one that reports back to Congress on a date certain with a recommendation to Congress, I think that will certainly get our attention. I think it will get every other company's attention. I think we can work through probably to some kind of finality.
    Senator Wyden. Mr. Chairman, I know my time is expired. The reason I ask about these two points is I do not think you can go to the American people in a credible way without a provision involving access. I think you know, as a result of the efforts that we have worked on together, that I want to do this in a bipartisan way. I think what Mr. Vradenburg has said with respect to ensuring that this is pragmatic is absolutely right.
    But particularly with respect to this access question, I do not see how you can go to the public without some way to get the ability to get the chance to see that personal information. I look forward to working with you on a bipartisan basis.
    The Chairman. Senator Burns.
    Thank you, Senator Wyden.
    Senator Burns. Along the same line as Senator Wyden's questioning--by the way, thank you for coming today. Just listening to the exchange, I happen to agree with the approach that Senator Wyden and I have taken on access. It also points to what you have remarked that it gives some concern to hackers and this type of thing. We have talked about encryption ever since I have been here, and the security measures that we have to take in order to make ourselves secure. Yet, we keep getting some feedback on strong encryption legislation. I think they go hand in hand. I think as we go along with collecting this information that we have to figure out some way to make it secure.
    Let us talk a little bit about the statement that you put up with regard to your privacy. How many people actually download that thing and read it and understand it? No matter if you are an opt-out or an opt-in, it makes no difference on your approach.
    Mr. Vradenburg. I do not know the answer to that, although we probably can provide that information to you, Senator. But there are a rather substantial number of hits to that and to the keyword privacy preferences on AOL and it is read quite widely. Whether we can actually provide you numbers is a good question, and I will look into that.
    Senator Burns. I know you cannot provide the numbers of people who want to read all the legalese and interpret it.
    Mr. Vradenburg. We have tried to set forth eight principles, which are relatively straightforward, on one or two pages and then have links back to deeper information if people would like to understand more about it precisely for that reason because, indeed, one of the problems here is to be clear with your customers. And to be honest with them, you have to be as comprehensive as you can be, and that requires some length, and you would like to lift out of that some basic principles that you can get, and if you have need for deeper information, you can get that too. So, how to present this in a way that is easy to read is a challenge. We think we have done that, but I recognize that it is a challenge.
    Senator Burns. Mr. Rotenberg, you would like to comment.
    Mr. Rotenberg. Senator, I was going to make two points. First of all, I think there is a particular problem with notice for Internet privacy from the consumer viewpoint, which is if you think about buying a car or some other big transaction, yes, you are going to read all the details----
    Senator Burns. I do not do that. I buy my cars in garage sales.
    [Laughter.]
    Mr. Rotenberg. Well, that is even better.
    But, of course, if you are on the Internet, and you are going from one website to another--this is more changing than channel surfing on a television, if you find something interesting, you want to go on to the next website. The question is should you have to check the privacy policy before you start reading information from a website.
    Now, some people suggest that maybe the solution to that problem is to automate it, but my concern about that approach and the reason that we have not been supporters of P3P is I think people are going to find pretty quickly that once they have a few websites that they want to get to with low privacy policies, they are going to have to turn down their privacy dial to continue surfing. So, that is one kind of problem. You move very quickly from one website to another.
    Another kind of problem is that companies change their privacy policies. They may begin with a good notice. Amazon, for example, when they started, they said, we will not disclose your personal information to third parties. We said that is a good privacy policy. We are a privacy organization. We were actually one of their first affiliates. They have got hundreds of thousands now. We were one of the first groups online selling books with Amazon. A couple weeks ago, they said, well, we have changed our privacy policy and we can no longer give you that assurance. What do we do with that?
    Senator Burns. Mr. Cooper, and then I have a followup question.
    Mr. Cooper. Very quickly. Again, I think that clear and conspicuous is the key here, and that is a term of art to the FTC and we think it is very important that they have that authority to go in and make sure that whatever somebody says is clear and conspicuous.
    We think the other thing that should be done is joining a seal program. We have the Better Business Bureau seal on all our websites. It was a hard program to come under. We think it is sort of the gold standard for seal programs. It took a lot of work to get all our websites underneath that, but we feel very confident now that when people see that seal, that they will recognize that they are dealing with a reputable company.
    Senator Burns. I want to ask you, do you think Senator Wyden's and my approach--we do not make it clear enough on the opt-out situation? It is not clear?
    Mr. Cooper. I think you and Senator Wyden have targeted exactly those issues that need work on next year and that we, as businesses, should be engaging with you and this Committee to find those answers, or at least find the approach that will lead us to those answers.
    Senator Burns. Thank you very much.
    Now, with saying that, give me your assessment on safe harbor. Do you support safe harbor, and why has the majority, I would say, of the industry been reluctant to accept safe harbor legislation in this area?
    Mr. Cooper. Speaking again for HP, we think that safe harbor can be very useful because the FTC--and even with the State attorneys general being able to enforce any FTC rules--you do not have the eyes and ears you need to make sure that this marketplace is going to be clean and well-lighted. I think you need to have things like third-party enforcers to be able to help police this market as well. So, I think the idea of having the FTC being able to vet third-party seal programs is a very good one. We would hope it would be a very high standard. Again, we think BBB would certainly meet that.
    What you get from that also is that--and BBB does this with the FTC already--that if there are patterns of abuse, if they find that a company has got a constant series of complaints against them, each one perhaps not a very high level, but that pattern creates what they think is an abusive technique, they will pass that on to the FTC or the AG's as well. That might not show up coming down from the enforcers themselves. We think that third party can be very useful.
    The Chairman. I want to apologize to my colleagues. I have been informed there has been an objection voiced on the floor to the hearing. We are going to have to be done in a half an hour, and we still have another panel of two witnesses to hear from. So, I would appreciate it if we could stick to a five-minute rule so that we at least can get the second panel's questions.
    Senator Burns. Thank you, Mr. Chairman. I have no more questions.
    The Chairman. Thank you, sir.
    Senator Bryan.
    Senator Bryan. Thank you very much, Mr. Chairman.
    Mr. Rotenberg, let me ask you. You have had some reservations about FTC rulemaking, you indicated previously. You talk about the need for clear notice in terms of what the website is offering. How do we get that clear, understandable notice so customers or consumers can intelligently inform themselves, and what problems, for example, have occurred with respect to the rulemaking of the Children's Online Privacy Protection Act?
    Mr. Rotenberg. I think in terms of notice, a baseline requirement for clear and conspicuous notice of use and collection and so forth takes you pretty far.
    Senator Bryan. How do you define that? How do you enforce it if you do not have an FTC rulemaking?
    Mr. Rotenberg. Well, we have done it in other areas. The Cable Act, for example, has a notice requirement that has been litigated, and courts can take a look at that language, as they do in other areas, and try to give a reasonable interpretation. I think it is actually a good approach because it builds in some flexibility.
    Now, in fairness, I think the FTC did a good job with the Children's Online Privacy Protection Act. It was a tough bill to write regulations for because of the technology and because of the range of issues that the bill sought to address. I thought they did a good job.
    But I think going forward, given the choice between FTC rulemaking and a good set of statutory principles that courts and others could come back to, the second will give you more flexibility.
    Senator Bryan. You believe that if we define what is required by notice by congressional act as opposed to delegating that authority to the FTC is likely to give us more flexibility?
    Mr. Rotenberg. In fact, Senator, that is what we have typically done with privacy laws, not generally with consumer protection because there are a lot of regulations and rulemaking procedures. Interestingly, we are big privacy advocates, but we are not necessarily in favor of a lot of regulation. If there is a way to establish legal rights, make those principles clear, create incentives, I think it is the better approach.
    Senator Bryan. Mr. Vradenburg, let me ask you about--there are two different spellings. One on the notice indicates that there is an N in his name and the other indicates there is not. What is the correct pronunciation?
    Mr. Vradenburg. Vradenburg, no N in there.
    Senator Bryan. So, the information here is incorrect and the information on our notice is correct.
    The Chairman. We will fire one of the staffers.
    [Laughter.]
    Mr. Vradenburg. No less a punishment.
    Senator Bryan. I would ask that this part of the colloquy not be subtracted from my five minutes.
    [Laughter.]
    Senator Bryan. Mr. Vradenburg, the legislation that a number of us have supported, the S. 2606 option, defines data in two different categories. One is personally identifiable. With that, we say there is an opt-in requirement.
    Now, let me ask you this. Among those personally identifiable information definitions would be included the individual's first or last name, his home or other address, telephone number, Social Security number, a credit card number. Why shouldn't the consumer have the right to require that his or her affirmative consent be given before that information be collected? We are not talking about all data. I want to make sure the record is clear.
    Mr. Vradenburg. Well, Senator, actually I speak only from AOL's experience. Quite clearly that information is obtained only with the consumer's consent because they have to give us that in order to sign up with the service, and they clearly have made a choice to do that, with the exception of Social Security information. But certainly name and address information and telephone number information is given to us right up front. We obviously do disclose at the time exactly what use we will make of that information and the fact that we do not disclose it to third parties except subject to that opt-out requirement.
    But I am not sure then what the issue is because clearly the consumer is choosing to give us that information.
    Senator Bryan. But I do not understand your response. If that is the policy that you are following currently--that is, you are, in effect, giving the consumer the ability to say, look, I do not want this information collected with respect to this type of information--why not provide a statutory protection for the consumer? What is the objection to that? We are not talking about all information. We are just talking about this personally identifiable information. What would be the objection?
    Mr. Vradenburg. I guess, Senator, I am misunderstanding the character of the issue here because clearly, in order to sign up for our service or any paid-for service, you are typically going to get that kind of information. The consumer clearly is going to make a choice whether or not to give up that information or to subscribe to the service.
    If the question then is should they not be given an opt-in or an opt-out or some choice before that information is then redisclosed to somebody else outside the company, I agree with you that the consumer ought to be given a choice. At AOL, we make that choice available to the consumer, disclose to them up front that if they do not wish us to make it available to others by means of renting lists of our subscribers to others, that they can opt-out and quite a few of them do.
    Senator Bryan. Well, but that is opt-out, not opt-in. I think we are playing games here with the words. In other words, what opt-in requires is that you must get affirmative consent, not notify them, look, if you do not want us to do this, give us a call in some fashion. I am asking what is wrong with that, particularly with this kind of information, Social Security card number, telephone, credit card? Why should the policy not be that you have to get their prior consent before you disseminate----
    Mr. Vradenburg. Well, Senator, this is a matter of terminology. I do not want to get into a vocabulary debate. The question is whether you get the consumer's consent, and I think we do and we do in our processes get the consent. We do it through an easy-to-use, easy-to-find, easy-to-make-a-choice system online on our system. So, the vocabulary of opt-in and opt-out gets us boxed into whether or not this is going to be an easy-to-use choice on the part of the consumer.
    Senator Bryan. Let me say that this is a complicated area. I am the first to acknowledge it. Consumers are not confused. An opt-in requires you have got to get the affirmative permission before rather than saying, in effect, silence is acquiescence, and that is the effect of opt-out, is silence is acquiescence. If the consumer does nothing, you are interpreting his or her silence as giving you the right to do that. I do not think most Americans would view that as much protection.
    Thank you very much, Mr. Chairman.
    The Chairman. Thank you.
    Senator Rockefeller.

           STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Rockefeller. Thank you, Mr. Chairman.
    Mr. Cooper, you indicated that you favor protection for the consumers. I want to do a little bit about opt-in. You support opt-in for anything that has to do with medical records. Correct?
    Mr. Cooper. Yes. It is already I think a given.
    Senator Rockefeller. And you support it for financial records. Correct?
    Mr. Cooper. Yes.
    Senator Rockefeller. Do you support it for religious affiliation?
    Mr. Cooper. I am not too sure what the context would be. What we have done within HP----
    Senator Rockefeller. It is not a very complicated question.
    Mr. Cooper. That would not be a question that would be asked of somebody, by our company----
    Senator Rockefeller. What about political party or beliefs?
    Mr. Cooper. This is what I was afraid of. 
It is sort of the \nslippery slope and where is that line drawn? What I can say is \nthat somewhere along that line, that line should be drawn, and \nI am not sure exactly where that should be. But we would \ncertainly say that that is where I think the debate should be.\n    Again, back to the point I made earlier, I think we have to \nflip that rebuttable presumption. In other words, I think you \nshould have to show the reasons why things should be left as \nopt-out as opposed to the rebuttable presumption that it will \nbe considered opt-in unless there are other reasons. Some of it \nmay be logistic, just you have different data bases out there.\n    I understand where you are taking that question, and I \nthink we would agree that it would be the obligation of \ncompanies to say where that line should be and why it was \nimportant to have it as an opt-out rather than an opt-in.\n    Senator Rockefeller. What about ethnicity? Should that be \nopt-in?\n    Mr. Cooper. I think it comes back to use of that \ninformation because obviously the Census or a lot of other \ngroups will take that information and aggregate it. So, a lot \nof this is how this is going to be used.\n    Senator Rockefeller. I find those answers troubling, as I \nfind your earlier statement that this is going to be very hard \nto do in terms of technology. Of all the people in this world \nto say this is going to be difficult to do from the \ntechnological point of view--and I think you, Mr. Garfinkel, \nsaid that access just is not that difficult and the rest of it. \nI just find that not very compelling.\n    I do not have anything against commissions. I have served \non a Medicare commission, a children\'s commission, a coal \ncommission, all kinds of commissions. 
The problem is that \ncommissions tend to be an amalgam and they do not come out with \nsharp things because there is always dissent because they are \nso carefully picked that they are almost doomed to fail at the \nvery beginning.\n    So, when you say these are very hard to do from a \ntechnological point of view, things are not as simple as they \nwould seem, of all the industries, yours would be the last one \nthat I would expect to hear that from.\n    Mr. Cooper. Well, not that they are impossible to do \nbecause we can do them, but I think we have a better sense of \nwhere the difficulties are, and we would certainly want to \nshare that with any group that is coming up with \nrecommendations.\n    What we like about the National Academy of Sciences is that \nit avoids just exactly the kinds of problems you mentioned as \nbeing difficulties, which is that you have an amalgam of \ndifferent groups that kind of cancel each other out. We would \nwant to have, an expert body, because we consider ourselves an \nexpert company on the Internet, that we could work with and \nconsumer groups could work with, to come up with those \nrecommendations to Congress, again at a date certain.\n    We are not saying that you cannot do it. I think this is \none of the problems that business has gotten itself into, is \nthat we have come up as a group to the Congress and said, ``you \ncannot get there from here.\'\' At HP, we think you can.\n    Senator Rockefeller. I have got to hurry and I apologize to \nyou.\n    Suppose I have had cancer and it is in a data base, but it \nhas been in remission for 10 years, move a little bit out into \nthe future. I want to go in and take that out. Or let us say \nthat I have diabetes, and then for some miraculous reason, \nsomebody discovered the cure for diabetes and it went out. Do \nyou not believe that I should have the right to go in and \ncorrect that information, eliminate that information?\n    Mr. Cooper. 
I think you should have the right to correct \nany information that could identify you or certainly that is \nwrong. But we have found some State actions, where they have \ngone into medical privacy issues. You want to be careful how \nyou approach this because you could end up taking out data that \nis used in the aggregate to identify problems with certain \nareas, such as how the structures of diseases are evolving. So, \nyou want to make sure that you do not take this information in \nthe aggregate and not be able to use it in ways that will serve \npeople in general terms.\n    Senator Rockefeller. So, that would be one of the \nadvantages then of the Hollings bill that I support, and others \ncould have this in their bill too. We would preempt States. It \nwould be one standard for the whole country, so you would not \nhave to worry about that, would you?\n    Mr. Cooper. Well, all three bills include that, but we \ndefinitely think that aggregated information can be very useful \nto individuals, the economy as a whole, and the Nation as a \nwhole.\n    Senator Rockefeller. I happen to believe in access and \nsecurity very strongly. What is the point of having all of this \nif it is not really secure? You say the seal, the gold \nstandard, all the rest of it. What is the point of having any \nof this if it is not secure? Why would any bill leave out \nsecurity?\n    Mr. Cooper. Well, again we think that has to be addressed \nand we think that we are getting close to what the answer \nshould be. We do not think that through the Committee process \nwe will have all the right answers certainly this Congress.\n    Senator Rockefeller. We are not going to pass this in this \nCongress. This will not get passed until the 107th Congress. It \nwill be passed.\n    Mr. Cooper. 
We think there will be legislation at the \nfederal level as well.\n    What we would like to see, is that extra step, of a year \nstudy within the McCain-Kerry bill to create the vetting \nprocess that we think will reach the right answers.\n    Senator Rockefeller. But you do agree that the security \naspect is absolutely necessary.\n    Mr. Cooper. Yes, we do, as well as access. Those answers \nhave to be discovered to make the Internet work for consumers. \nHow we get there I think has to be at least an open process so \nthat the best answers can be discovered rather than the easiest \nanswer.\n    Senator Rockefeller. Mr. Rotenberg, just very quickly. In \nthat I am detecting a certain ambivalence in the answers and, \nto be frank, wanting to have it both ways, could you comment on \nwhat Mr. Cooper has said?\n    Mr. Rotenberg. I am sorry, Senator, which point? Regarding \nthe need for access----\n    Senator Rockefeller. Yes. In other words, yes, we want to \nhave security, but yes, we want to have the commission. Yes, we \nwant to take our time. There will be legislation but we need to \nlook at these things carefully. This could be difficult to \nimplement. Who knows what the consequences will be?\n    And we are not talking about telephone books. I did an \ninterview yesterday and somebody said the U.S. Chamber of \nCommerce--wait a second. You have telephone books. Look, that \nwas then. That was like 30 centuries ago. We are talking about \nworldwide millions, hundreds of millions of people.\n    Mr. Rotenberg. As I suggested earlier, I do not think there \nis any question in anyone\'s mind at this point that privacy \nprotection is the No. 1 issue facing the future of the \nInternet. This is everywhere that we read and in the polling \nand you ask consumers, what is your view about the Internet. It \nis exciting. It is great technology. It is a business \nopportunity. But am I going to lose my privacy? 
I do not think \nthere is any question about the importance.\n    Now, on the access issue, I have to say it is a little \namusing and maybe, sir, this was your reaction as well. You can \ngo online tonight, if you do financial trading or bank records, \nyou have a tremendous amount of information online. A lot of \nbusinesses have figured out how to make it possible for you to \nget to your bank account information, to write checks, conduct \ntrades, give you access and provide you security. The thought \nthat at this point we need to create a study group to figure \nout how to get that done--it is like turn on a computer and go \nto one of these online brokerage firms. It is being done. The \nquestion is, why is it not more widely done? Why can it not be \nroutinely done?\n    Senator Rockefeller. Thank you. Thank you, Mr. Chairman.\n    The Chairman. Senator Cleland.\n\n                STATEMENT OF HON. MAX CLELAND, \n                   U.S. SENATOR FROM GEORGIA\n\n    Senator Cleland. Thank you very much, Mr. Chairman. Thank \nyou for the hearing.\n    I guess my instincts about telecommunications go back some \n30-32 years ago when I was a young signal officer in Vietnam \nand realizing that if you could not communicate securely, bad \nthings were going to happen. It does seem to me that in the \nworld of the Internet, where we have connectivity, where we do \nnot have just one-way communication--say, looking at a \ntelevision that is one way. If I voluntarily want to be part of \nthe Nielsen ratings, I can have a little box sitting on my TV \nand I voluntarily opted in for somebody somewhere to follow the \npatterns of my television viewing. I opted in. 
But if I did not \nwant to be part of the Nielsen ratings or some other ratings \nsystem, I would have just sat there and enjoyed, in the privacy \nof my home, watching television.\n    It seems to me with the Internet and what has been \ndescribed as the breaking down of walls, breaking down of \nbarriers, and this open playing field here, that it is a two-\nway communication, and that when I access the Internet, I think \nmost of us still feel that it is a one-way, that we are getting \nsome good stuff. We access a lot of interesting things. It is \nfascinating. We can play with it. We can surf it. We can do a \nlot of good things. Basically I do not think Americans are \naware that somebody else is watching them while they are doing \nthat. I think therein is the rub.\n    The FTC found that some 92 percent of consumers on the \nInternet are concerned and some 67 percent--that is two-\nthirds--are very concerned about the potential misuse of their \npersonal information online. The personal information is if you \nbuy something online, you put your credit card on there, Visa, \nAmerican Express, whatever. That is personal information.\n    Fifty-seven percent of Internet users have decided not to \npurchase online due to privacy concerns.\n    I think we are at one of those watersheds here where we \neither work to enhance confidence about the use of the Internet \nand being online or else we will see online usage attrit or not \nused to its fullest potential, as you pointed out.\n    It is called privacy but I guess another way to look at it \nis secure communication. Basically I think American consumers \nassume security until they find out differently. So, in many \nways I think that is the baseline. They do not assume that \nsomeone is watching them do their thing. So, that is where I \nget a little bit confused here because my assumption is that \nwhen I pay for a service and I access it, that my transactions \nare going to be private unless told otherwise. 
It is when I \npick up a telephone. Some government agency cannot listen in on \nmy telephone or track my telephone conversation without my \nknowledge or a court order. We have this pretty much ingrained \nin our thought process.\n    So, quite frankly, I do not know whether to opt-in or opt-\nout. If it is a jump ball every time I click on, I do not know \nwhether I am being watched or not being watched. I do not know \nwhether they are going to sell it to somebody else I do not \nwant to sell it to or not. Then if I access the privacy code, \nthen that could be changed tomorrow based on their view not \nmine.\n    So, I think we are touching a raw nerve here with American \nconsumers who would love all the benefits of the Internet and \nAmerican business that would love all the benefits of the \nInternet. And I am all for that. We just have a wonderful tool \nhere, but we just have to make sure that we keep American \nconfidence or consumer confidence in the Internet alive.\n    Therefore, we need you all to help us walk through this \nmine field. None of us want to throw the baby out with the bath \nwater here. We want to move forward and not backward.\n    In this whole opt-in/opt-out thing, do you have any sense, \nMr. Rotenberg, that the American people just kind of assume \nthat their transactions are private unless told otherwise? Do \nyou have that sense?\n    Mr. Rotenberg. I think that is the common sense view, \nSenator. I think it is as you described it. If a business asks \nyou for your credit card because you are going to buy something \nby a credit card, you understand and you expect them to take \nthe credit card number for the purchase. If you want to have a \ngift shipped to someone in your family around the holiday \nseason and they say, what is the address, and you give them the \naddress, you understand that that is to make sure that the \npackage is delivered.\n    Senator Cleland. May I just inject here? 
I call a florist \nand I give them my American Express card number, but I am \ndealing with that florist. It is a confidence thing. I do not \nexpect the florist to go down the mall and give my American \nExpress card number to everybody in the mall and then be \ndeluged with a bunch of offers on other things. I just do not \nexpect that. I expect the florist to hold that in confidence, \nand it is a relationship kind of thing.\n    Mr. Rotenberg. I think the problem here and the reason that \nthere is a great deal of consumer concern is that we are \nbasically operating in an environment without rules. Businesses \nunderstand that this personal data has value. It can be sold. \nIt can be reused, oftentimes for the benefit of consumers, I \nshould point out. There are certainly some benefits. But \nconsumers are losing control and businesses are not expected \ntoday to follow any rules.\n    And I think that this tension is going to accelerate. I \nthink that this problem is going to increase going forward. \nBusinesses are going to be under increasing pressure to \ngenerate revenues online, to make these e-commerce businesses \nprofitable. Consumers are going to be asked for more and more \ndetailed information.\n    We are about to enter a very interesting period where the \ncollection and use of genetic information will be \ntechnologically possible within the next 5 to 10 years. And I \nthink it is important to put the rules in place.\n    The Chairman. Senator Cleland, thank you.\n    Senator Kerry, I know you have been waiting to ask a \nquestion. Would you do me a favor? We have two more witnesses \nin the next panel. As you know, we have been objected to and \nare not supposed to go past 11:30. Mr. Berman is here in \nWashington. Mr. Rubin, who is in the next panel, is from \nAtlanta, and we all know how hard it is to get a flight out of \nAtlanta to Washington.\n    [Laughter.]\n    The Chairman. So, I would ask for your indulgence. We will \nassure Mr. 
Berman that we will invite him back to the next \nhearing, and we will ask Mr. Rubin, who came all the way from \nAtlanta, if he could give a brief statement, and then we could \nask questions. Would that be agreeable to you, John?\n\n               STATEMENT OF HON. JOHN F. KERRY, \n                U.S. SENATOR FROM MASSACHUSETTS\n\n    Senator Kerry. Sure. I am not going to ask a question. I \njust wanted to make a couple of points.\n    The Chairman. Maybe you could wrap up the hearing.\n    Senator Kerry. I will be happy to accommodate.\n    The Chairman. Thank you.\n    Mr. Rubin, would you come forward? The witnesses remain. \nBring a chair for Mr. Rubin. When the witnesses come from out \nof town, we like to at least allow them to be heard.\n    Mr. Berman, I want to apologize to you and promise you that \nyou will be a witness at the next hearing in the first panel.\n    [Laughter.]\n    The Chairman. Mr. Rubin, would you give a brief statement? \nThen, Senator Kerry, because of the objection to the Committee \nmeeting more than two hours, will wrap up by making some \ncomments. Maybe we could allow a response to your comments by \nthe panel, if that would be all right.\n    Senator Kerry. If they want to.\n    The Chairman. Mr. Rubin.\n\n  STATEMENT OF PAUL H. RUBIN, PROFESSOR OF ECONOMICS AND LAW, \n                        EMORY UNIVERSITY\n\n    Mr. Rubin. Thank you for the opportunity to testify and \nthank you for you considering my schedule trying to get back \nand forth from Atlanta.\n    I am from Emory University, but I am here as a \nrepresentative of the Progress and Freedom Foundation which is \nengaged in a big study, a major study, of how these Internet \nmarkets work.\n    I think the conclusion we are reaching is that at this \npoint, in spite of all we have heard, there really is not very \ngood evidence that there is a market failure. We have markets \nhere. 
It is a new market, as we have all said.\n    In the FTC study, the most remarkable thing that I found \nwas the number of Internet sites and websites that have \nincreased their privacy notification. The various programs, \nBBBOnLine, TRUSTe, are all relatively new. I think things are \nprogressing quite quickly and it is our belief and my belief \nthat we should really be very careful in looking at the problem \nand seeing the extent to which markets can go some way toward \nsolving the problem.\n    We have heard lots of testimony this morning that people \nare changing, the policies are changing. The websites are \nposting privacy policies, and of course, if you go to a website \nthat does not have a privacy policy, consumers are starting to \nlearn what that means. We have heard people say that consumers \ndo not understand. We have also heard people say that consumers \nare very concerned about privacy, and to the extent they are \nconcerned about privacy, it pays for private sellers and \nwebsites to begin posting privacy policies.\n    We have heard discussions of new technologies that may be \ncoming online. We have heard mention of P3P, a protocol that \nwill perhaps greatly simplify consumer privacy preferences as \nit goes forward.\n    So, I think the fear that we have is that it may be \npremature that we really have not had time to observe how the \nmarket will work.\n    There is discussion of a National Academy of Sciences \nstudy. Progress and Freedom Foundation is also engaged in a \nstudy. I think it is premature to legislate before we have this \ninformation, before we have really had these objective studies \nof the problem, as opposed to the evidence so far, which seems \nto us to be mainly anecdotal. It is our belief that we really \nshould get more information.\n    Now, there have been discussions of the FTC. I used to work \nat the FTC. I never found it to be a terribly flexible agency. 
\nOnce a rulemaking was in place, for example, it became very \ndifficult to change that rule. I was impressed, as I was \nreading the P3P protocol that it was labeled P3P, Release 1.0, \nwhich carries the connotation that there will be 2.0 and so \nforth and so on. I have yet to see a law or a rulemaking that \ncomes with a release number, and the fear is that if we pass \nsomething, it will perhaps freeze technology or change \ntechnology, and that given the rapidity of change in this \nindustry, there is a real danger of passing something too soon.\n    So, you discussed going forward with the analysis and I \nthink that would be the recommendation, that we really do try \nto get more information before we go ahead and do it, and \nparticular information about the way in which markets can and \nare beginning to solve these problems as consumers express \ntheir concerns.\n    [The prepared statement of Mr. Rubin follows:]\n\n Prepared Statement of Paul H. Rubin, Professor of Economics and law, \n                     Emory University, Atlanta, GA\n\n    Mr. Chairman and Members of the Committee:\n    I want to thank you for inviting me to testify on this important \nmatter this morning. I am appearing before you today in my capacity as \na Senior Fellow at The Progress & Freedom Foundation. While the views \nexpressed are my own and do not necessarily represent those of the \nFoundation, its board, officers or staff, you should know that I am the \nlead investigator in a major study of the costs and benefits of \nregulating privacy now underway at the Foundation.\\1\\ The study is not \ncomplete, but we have found enough to raise some questions relevant for \nthis morning\'s hearing. 
The issue as we see it is whether market forces \nwill be able do handle issues of privacy, or whether government \nregulation will improve the functioning of the market.\n---------------------------------------------------------------------------\n    \\1\\ I am also a professor of economics and law at Emory University.\n---------------------------------------------------------------------------\n    I first discuss the market for privacy. I then address the issue of \nwhether we can expect government regulation to improve the situation. I \nstress that these are preliminary results. To summarize, those results \nsuggest that legislation at this time would be premature. While \nconsumers clearly are concerned about on-line privacy, the risk of \nunforeseen consequences from proposals for government intervention is \nvery high, and those consequences could be to impede the development of \nthe new medium to the detriment of consumers and the economy alike.\nThe Market\n    A transaction between a consumer and the owner or operator of a \nwebsite is a 2-party transaction. Therefore, in principle the parties \nare free to negotiate the terms of that transaction. One of the terms \nthat can be negotiated in this way is the use of whatever information \nthe consumer gives to the website. There is no obvious reason why the \nconsumer cannot make the transaction conditional on the use of the \ninformation, or why the marketplace will not offer the kinds of choices \nconsumers desire\n    For example, consider two competing websites both selling a \nproduct--say, CDs. Assume that site CDP has a strong privacy policy, \nand makes a strong and binding commitment to maintain privacy, and that \nsite CDNP has no privacy policy, and makes use of the information \nprovided by consumers for other purposes. 
Presumably, CDNP will sell \nCDs cheaper than will CDP, because it earns revenue from the sale of \ninformation received from consumers and so can charge a lower price for \nCDs and still make a profit. But consumers might still prefer to deal \nwith CDP because the information is worth more to them than to the \nwebsite. This means that consumers would be willing to pay a higher \nprice for CDs and retain their rights in the information, rather than \npaying a lower price and losing their rights. If this is the preference \nof consumers, then at equilibrium CDP will get more business than CDNP, \nand ultimately CDP\'s business model will prevail in the marketplace. \nAlternatively, if the information were worth more to the website than \nto the consumer, then consumers will prefer to deal with CDNP because \nof the lower price, and CDNP\'s business model will prevail.\n    A more likely result is that some consumers will prefer more \nprivacy and deal with CDP, and others will prefer lower prices and deal \nwith CDNP. Merchants often offer different terms of sale and prices \n(Wal-Mart and Macy\'s) and there is no reason to expect more uniformity \nof terms in the market for information than in the markets for other \nsorts of contractual provisions.\n    There are of course various assumptions in the above story. One of \nthe most important is that consumers know and understand the privacy \npolicies of the two websites. If they do not, then the market will not \nfunction as described. For example, consumers who value the information \nmore than does the website might shop at CDNP because of its lower \nprice. 
Such consumers would be harmed, because they would be \ntransferring information at a price below its value to them.\n    Government mandated notice requirements, such as those proposed in \nthe Federal Trade Commission\'s recent Report to Congress,\\2\\ and in the \nbills under consideration today, assume that consumers do not \nunderstand the privacy policies of alternative websites and that \ngovernment action is needed to make such information available. As a \ngeneral matter, however, there are strong incentives for the \nmarketplace to provide such information to consumers. In the example \nabove, CDP will have an incentive to tell consumers that they will \nguarantee privacy. They may do so by explicitly comparing themselves \nwith CDNP, but even if they do not, consumers will be able to learn \nthat CDP provides privacy. When they visit site CDNP they will not see \nany mention of privacy, and will rationally assume that the site does \nnot provide this benefit.\\3\\ This competition between websites over \nprivacy policies is potentially important, although many analysts have \nignored such competition.\n---------------------------------------------------------------------------\n    \\2\\ ``Privacy Online: Fair Information Practices in the Electronic \nMarketplace: a Report to Congress,\'\' Federal Trade Commission, May, \n2000.\n    \\3\\ Sanford Grossman (1981), ``The Informational Role of Warranties \nand Private Disclosure About Product Quality,\'\' Journal of Law and \nEconomics v. 24, December: pp. 461-483.\n---------------------------------------------------------------------------\n    It is sometimes argued that it may be too expensive for a given \nsite to provide useful information. This argument suggests that, if \nconsumers do not understand privacy issues, it would be costly for a \nparticular site to explain these issues, and other sites could free \nride on the efforts of one site to explain. 
Moreover, it would take a
substantial amount of time for a consumer to read and absorb the
privacy information provided by a site, and it may well be that the
cost of obtaining this information is greater than the value. This
could lead consumers either to avoid the Web altogether, or to
``mistakenly'' purchase from sites like CDNP and suffer a net loss.
    The economics of transactions costs and various approaches to
minimizing such costs are one of the areas we are examining in our
study. As a general matter, however, issues like those above would be
of greatest concern if consumers were broadly ignorant of privacy
issues. While this may have been the case in the early days of the
Internet, it no longer is. Indeed, as summarized in Table 1, privacy
has become a major concern of users of the Internet, with most polls
showing that majorities of users are concerned with privacy. Some take
this level of concern as a justification for government regulation.
But, in fact, it is the opposite: If enough consumers are concerned
with privacy, the marketplace will be more likely to respond to their
concerns.
    The FTC's report seems to suggest the market is responding as one
might expect. In its 1998 report, the FTC indicated that only 14
percent of websites disclosed their information practices. In the 2000
report, 88 percent of a random sample of sites and 100 percent of the
Most Popular sites had some privacy disclosure.\4\ Thus, in a very
short time, the percentage of sites voluntarily providing information
about privacy policies has increased from a small fraction of websites
to all of the most popular, and most of the others.
---------------------------------------------------------------------------
    \4\ Data from ``Privacy Online,'' pp. i, ii.
---------------------------------------------------------------------------
    There is substantial additional evidence that consumers and firms
are already making well informed decisions about privacy matters. For
example:

  <bullet> In one survey, the most common reasons for not registering
        at a website are that the terms and conditions of the use of
        information are not clearly specified, or that revealing the
        requested information is not worth registering and being able
        to access the site.\5\
---------------------------------------------------------------------------
    \5\ GVU's 7th WWW User Survey,
http://www.gvu.gatech.edu/gvu/user_surveys/survey-1997-04/

  <bullet> Many companies, including IBM and Walt Disney, do not
        advertise on websites that do not have privacy policies.\6\
---------------------------------------------------------------------------
    \6\ ``It's Time for Rules in Wonderland,'' Business Week, March 20,
2000.

  <bullet> Companies are increasingly hiring ``privacy officers'' and
        giving them substantial power and discretion in setting company
        policies. In fact, Alan Westin, a well known privacy advocate
        and expert, offers a training course for this position.\7\
---------------------------------------------------------------------------
    \7\ D. Ian Hopper, ``Companies Adding Privacy Officers,'' AP, July
11, 2000.

    There are other mechanisms available to minimize the costs of
dealing with privacy issues. One such mechanism is the use of voluntary
standards, as defined and explained by a consortium of web operators.
Large firms--Microsoft, AOL, Intel--make enough money and are large
enough forces so that it pays for them to internalize production of
various standards.\8\
---------------------------------------------------------------------------
    \8\ Peter Swire (1997), ``Markets, Self-Regulation, and Government
Enforcement in the Protection of Personal Information,'' in Privacy and
Self-Regulation in the Information Age, U. S. Department of Commerce,
Washington, DC. http://www.ntia.doc.gov/reports/privacy/selfreg1.htm.
---------------------------------------------------------------------------
    As a general matter, there are voluntary standards organizations
that deal with a wide variety of issues. ANSI (the American National
Standards Institute), for example, is an umbrella organization for over
1000 members.\9\ The American Society for Testing and Materials (ASTM)
is another voluntary standards organization.\10\ Defining a standard of
Internet privacy is in principle no different than defining other
standards. A standard can establish a set of defaults and can serve to
inform consumers of the options and issues involved in privacy. In
other words, a standard can serve to define the property rights so that
transactions can occur and the right can be properly assigned through
market processes.
---------------------------------------------------------------------------
    \9\ See http://www.ansi.org/
    \10\ http://www.astm.org/index.html
---------------------------------------------------------------------------
    For example, the World Wide Web Consortium (W3C) is a consortium of
434 members, including the largest players in the Internet, such as
Microsoft, America Online and Cisco.\11\ This consortium is in the
process of drafting a major private privacy protocol, the Privacy
Preferences Project, P3P.\12\ While P3P is not yet operational, there
are numerous private seal programs already in place, including TRUSTe
and BBBOnline.\13\ The Direct Marketing Association also has various
voluntary standards in place, including a method consumers can use to
have their names removed from email lists, and members of the
Association must meet certain requirements regarding privacy on the
web.\14\ Thus, organizations such as the BBB, TRUSTe or W3C can define
property rights and provide information about them and about
alternatives.
---------------------------------------------------------------------------
    \11\ For the W3C homepage, see http://www.w3.org. For the list of
members, see http://www.w3.org/Consortium/Member/List.
    \12\ http://www.w3.org/P3P/.
    \13\ http://www.bbbonline.org/
    \14\ http://www.the-dma.org.
---------------------------------------------------------------------------
Government
    While the market appears to be responding well to consumer demands
for more control over their personal information, some still argue that
there is a role for government regulation. Government, perhaps, might
move more quickly than the marketplace, or provide a greater degree of
uniformity, or better reflect the ``value'' of personal privacy in ways
the market would not. These are all issues we are examining in our
work.
    One cautionary note about government regulation, however: It is
extremely inflexible. Once a major law is passed, it tends to establish
a regulatory framework that lasts for a long time. For example, the
Federal Communications Commission began allocating licenses using
inefficient methods such as administrative hearings when it was
founded, and it took many years until the agency began using an
auction, although economists and others advocated sale of licenses at
least as early as 1951.\15\ This danger has been referred to as
``freezing technology''--that is, destroying incentives for innovation,
since innovations will not satisfy the government requirements.
---------------------------------------------------------------------------
    \15\ Thomas W. Hazlett (1998), ``Assigning Property Rights to Radio
Spectrum Users: Why Did FCC License Auctions Take 67 Years?'' 41
Journal of Law and Economics, Number 2, Part 2, October.
---------------------------------------------------------------------------
    There are several reasons for the relative inflexibility of
government regulation. First, simply getting Congress to pass a major
piece of legislation is difficult. Congress has limited ability to pass
such legislation, and does not tend to re-examine an issue frequently.
Second, there is the regulatory time interval required to implement the
law. Third, and perhaps most important, the passage of a law and
subsequent promulgation of regulations create interest groups with an
interest in maintaining that law. For example, attorneys specialize in
dealing with the law as it exists, and become a vocal group in opposing
changes. Firms come into being specializing in institutions that comply
with the law, and these firms also lobby to retain the current law.
Regulatory authorities in charge of enforcing particular laws lobby for
the retention of these laws, an important component of the FCC delay
mentioned above. The institutions created by the law themselves become
barriers to entry, as potential entrants must adapt to these
institutions. On the other hand, those who could benefit from changes
in the law have difficulty in making their voices heard.
    It is a cliche to say that the Internet is dynamic. But it is true.
Any regulation at this time would freeze some aspects of the Internet
in their current state. Even if the regulators were able to regulate
perfectly for today's environment, any regulations would quickly become
obsolete as the Internet changes. The P3P release is P3P 1.0,
indicating that, like software in general, the drafters expect that the
privacy policies embedded in the document will change over time.
Indeed, at several places in the document itself there are indications
of directions for change in future versions. While such expectations
drive software and the development of the web, laws passed by
government do not come with release numbers--because there is no
expectation that they will be changed quickly (or ever). While change
is the normal state of affairs for the Internet and for software and
other elements that interact with the Internet, it is not the way in
which government operates.
    It is important to remember that technological and marketplace
developments in the privacy and security arena are happening almost
daily. One new program has increased the ability of websites to
identify consumers logging on to the website.\16\ The technology allows
the Checkfree website, in conjunction with Equifax, the credit
reporting agency, to identify customers quickly and accurately, thus
increasing security. Another relatively new service, PayPal from X.com,
enables consumers to pay bills on the Internet anonymously.\17\ A
virtually infinite array of such technologies is in development.\18\
Any regulation passed by Congress could interfere in unknown and
unpredictable ways with such technological progress.
---------------------------------------------------------------------------
    \16\ D. Ian Hopper, ``New Way Found to ID Web Customers,'' AP, July
17, 2000.
    \17\ Michelle Slatalla, ``Easy Payments Put Hole in the
Pocketbook,'' New York Times, June 29, 2000.
    \18\ Peter Wayner, ``New Tools to Protect Online Privacy,'' New
York Times, November 11, 1999.
---------------------------------------------------------------------------
    It is also important to keep in mind that government regulation is
of necessity of the ``one size fits all'' variety. But with respect to
Internet privacy, different consumers have different preferences. These
are documented carefully in a survey on Internet privacy by AT&T.\19\
For example, those most concerned about Internet privacy--those the
AT&T report calls ``privacy fundamentalists''--often already protect
themselves using a variety of techniques, such as anonymous
remailers.\20\ On the other hand, at least one company,
AllAdvantage.com, pays consumers for the right to monitor their
browsing, and some consumers are apparently willing to join this
program.\21\ Thus, consumers clearly have different preferences
regarding Internet privacy.
---------------------------------------------------------------------------
    \19\ Lorrie Faith Cranor, Joseph Reagle, and Mark S. Ackerman,
(1999), ``Beyond Concern: Understanding Net Users' Attitudes About
Online Privacy,'' AT&T Labs-Research Technical Report TR 99.4.3,
http://www.research.att.com/library/trs/TRs/99/99.4/
    \20\ Lorrie Faith Cranor, ``Agents of Choice: Tools That Facilitate
Notice and Choice about Web Site Data Practices'', available online.
    \21\ http://www.alladvantage.com/home.asp?refid=
---------------------------------------------------------------------------
    Furthermore, it seems likely that consumers have different privacy
preferences regarding different types of information. In one survey,
for example, consumers were less willing to provide social security and
credit card numbers than other types of information. Similarly, 78
percent would accept cookies to provide a customized service; 60
percent would accept a cookie for customized advertising; and 44
percent would accept cookies that conveyed information to many web
sites.\22\
---------------------------------------------------------------------------
    \22\ Cranor et al., 1999.
---------------------------------------------------------------------------
    Incorporating such nuances in a government regulation would be
difficult, and any privacy notice that resulted would have to be
exceedingly complex, perhaps to the point that most people would be
unwilling to read such a detailed notice. The very value of information
to advertisers is evidence that at least some consumers benefit from
the information being available to sellers. Advertisers would not value
information if they could not use it to sell products. But if consumers
buy products based on being contacted by merchants, then consumers must
benefit, else they would not buy the products. The modern theory of
advertising indicates that most or all advertising provides valuable
information, and if advertising leads to sales then at least some
subset of consumers is benefiting from the advertising.

Summary
    In summary, there are reasons for expecting the market to manage
privacy issues efficiently. There are also substantial dangers from
inappropriate government intervention. If we rely on the market and the
decision turns out to be incorrect, we can always pass legislation
later. But if we regulate, it is much more difficult to change our
position. At The Progress & Freedom Foundation, we are working to
produce a report to help Congress and other policymakers evaluate the
relative merits of market-based approaches, on the one hand, and
government regulation on the other. The results of that research, at
this stage, suggest that premature legislation and/or regulation is
likely to do more harm than good.
    Mr. Chairman and Members of the Committee, that completes my
prepared statement. I would of course be pleased to respond to any
questions you may have.

                                Table 1: Is Privacy Important to Internet Users?
----------------------------------------------------------------------------------------------------------------
Survey                           Question                                             Result
----------------------------------------------------------------------------------------------------------------
AARP National Survey, 2000       Percentage of respondents having made internet       74% (40% very concerned,
                                  purchases who say they are concerned about privacy   34% somewhat concerned,
                                                                                       Page 35)

AT&T Labs-Research: Beyond       Percentage of respondents who say they are very or   87% (Page 6)
 Concern: Understanding Net       somewhat concerned about threats to personal
 Users' Attitudes about Online    privacy while online
 Privacy, 1999

Louis Harris and Associates,     Percentage of net users who are concerned about      81% (Page 3)
 Inc.: E-Commerce and Privacy:    threats to their personal privacy while online
 What Net Users Want, press
 release, 2000

IBM Multi-National Consumer      Percentage of U.S. respondents who somewhat or       80% (Page 76)
 Privacy Survey, 1999             strongly agree with the statement ``Consumers have
                                  lost all control over how personal information is
                                  collected and used by companies.''

IBM Multi-National Consumer      Percentage of U.S. respondents who somewhat or       71% (Page 76)
 Privacy Survey, 1999             strongly agree with the statement ``It's
                                  impossible to protect consumer privacy in the
                                  computer age.''

IBM Multi-National Consumer      Percentage of U.S. respondents who somewhat or       64% (Page 76)
 Privacy Survey, 1999             strongly agree with the statement ``Most
                                  businesses handle the personal information they
                                  collect about customers in a proper and
                                  confidential way.''

IBM Multi-National Consumer      Percentage of U.S. respondents who somewhat or       59% (Page 76)
 Privacy Survey, 1999             strongly agree with the statement ``Existing laws
                                  and organizational practices in the United States
                                  provide a reasonable level of consumer privacy
                                  protection today.''

Cyberdialogue: Capturing         Percentage of respondents who feel that online       52% (Page 12)
 Visitor Feedback, 1997           services which ask for personal information are
                                  directly invading their privacy

Cyberdialogue: Privacy vs.       Percentage of respondents who feel that online       37% (Page 1)
 Personalization, 1999            services which ask for personal information are
                                  directly invading their privacy

AARP National Survey, 2000       Percentage of respondents who cited concerns about   24% (Page 34)
                                  privacy as a reason for not having made any
                                  internet purchases (multiple answers were
                                  permitted; ``not interested'' was top answer)

AARP National Survey, 2000       Percentage of respondents who cited security/        6% (Page 24)
                                  privacy concerns as a reason for not having
                                  internet access (multiple answers were permitted;
                                  ``no interest or need'' was top answer)
----------------------------------------------------------------------------------------------------------------


    References for Table 1:
    American Association of Retired Persons, ``AARP National Survey on
Consumer Preparedness and E-Commerce: A Survey of Computer Users Age 45
and Older.'' March, 2000.
    AT&T Labs, ``Beyond Concern: Understanding Net Users' Attitudes
about Online Privacy''. Available online at
http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm.
April, 1999.
    Cyber Dialogue, ``Capturing Visitor Feedback.'' Available at
http://www.cyberdialogue.com. March, 1997.
    Cyber Dialogue, ``Privacy vs. Personalization: A Delicate
Balance.'' Available at http://www.cyberdialogue.com. 1999.
    Cyber Dialogue, ``Privacy vs. Personalization Part III.'' Available
at http://www.cyberdialogue.com. 2000.
    Harris Black International, ``The Use and Abuse of Personal
Consumer Information.'' Available online at
http://www.harrisblackintl.com/harris_poll/index.asp?PID=8. January,
2000.
    Georgetown University, ``Georgetown Internet Privacy Policy Survey:
Report to the Federal Trade Commission''. Available online at
http://www.msb.edu/faculty/culnanm/gippshome.html. June, 1999.
    IBM, ``Multi-National Consumer Privacy Survey.'' October, 1999.
    Louis Harris and Associates, Inc. and Dr. Alan F. Westin,
``E-Commerce and Privacy: What Net Users Want'', press release.
Available online at
http://www.pandab.org/E-Commerce%20Exec.%20Summary.html. July, 2000.
    National Consumers League, ``Consumers and the 21st Century''.
Available online at http://www.natlconsumersleague.org/FNLSUM1.PDF,
1999.
    NFO Interactive, ``Online Retail Monitor: Branding, Segmentation, &
Web Sites''. 1999.
    Privacy and American Business, ``Personalized Marketing and Privacy
on the Net: What Consumers Want.'' November, 1999.
    Privacy and American Business, ``'Freebies' and Privacy: What Net
Users Think.'' Available at
www.privacyexchange.org/iss/surveys/sr990714.html. July, 2000.

    The Chairman. At what timeframe do you think we would have
this?
    Mr. Rubin. Well, we are hoping to have at least a
preliminary study by January. I do not know what the time
table, for example, for the National Academy of Sciences is.
But I think at this point we do not have the information to
pass legislation.
    The Chairman. Senator Kerry.
    Senator Kerry. Thank you, Mr. Chairman.
    The Chairman. And I thank you, Senator Kerry.
    Senator Kerry. I am delighted. I just wanted to make a few
comments, and I think obviously we have got to try to respect
the time here.
    I agree with Mr. Rubin, and I think you know, Mr. Chairman,
you and I have been working together. I think I was one of the
early advocates in this Committee, if not the first, to suggest
that there is a lot of unknown here as Congress began to sort
of respond to the hue and cry about privacy. There was some
early legislation submitted on this Committee, and I have great
respect for the authors of that legislation. It represents sort
of one pole in the debate. Senator McCain and I have written a
piece of legislation that represents a different one, and I am
confident there will be even other views as we move forward
here. But I would like to make a couple of points about it.
    First, there is no question among any of us at all that
consumers expect a certain degree of privacy on the Internet.
We have seen that in survey upon survey, and we see it also I
think in behavior. And those concerns, I am confident, will be
addressed.
    But I think the expectation of privacy when they surf the
Internet is different from what they demand particularly for
medical records and for financial information. I think those
are two items that particularly are distinguished, and we have
separate pieces of legislation addressing those.
    A survey done in Massachusetts supports this conclusion.
Mass Insight Corporation found in a survey performed in May of
this year that where they can clearly perceive specific
benefits from data collection and information sharing on the
Internet, most people see the rewards outweighing any concerns
about privacy.
    Now, Massachusetts does have more Internet users than the
national average, and that may make them more comfortable with
privacy practices on the Internet. But I think it also
indicates, as more and more people use the Internet, that they
too become more comfortable sharing certain kinds of
information in exchange for the benefits that they receive. A
very interesting statistic from that survey is that 70 percent
of Massachusetts adults have access to the Internet, and of
those, 69 percent say the benefits of electronic information
sharing outweigh the risks.
    We also have a responsibility to establish a baseline for
privacy standards, but I think what Senator McCain and I have
done actually empowers consumers to make that kind of
discerning decision that best suits their needs.
    I have mentioned that we obviously will deal with the
medical records and financial issues separately.
    But I want to point out that another important finding in
the Massachusetts survey is that when asked to choose between
privacy risks and specific benefits and real-life tradeoffs,
more people say that we should encourage rather than discourage
technology-based information sharing.
    In the category of shopping over the Internet, which is the
area that we are really targeting, 49 percent of the people
surveyed said we should encourage information sharing compared
to the 38 percent who said we should discourage it.
    Finally, Mr. Chairman, I would just point out that given
our interest in campaign finance reform, 69 percent of the
people surveyed believe we should encourage more technology-
based information sharing in the laws regarding disclosure of
political contributions.
    Now, I would like to point out also part of the early
debate, and Senator Cleland was just going through this a
little bit in his questions about offline/online distinctions.
Again, early on I have tried to point out that if privacy is
the concern in Americans' minds, we have to recognize that
while there are different sectors of the marketplace, the
marketplace is essentially the marketplace and privacy no
matter where it occurs. If the right to privacy accrues in one
place, certainly it accrues in another, and we have to look
very carefully at how we do anything--and a number of you have
mentioned this in your testimony this morning--really affects
the marketplace as a whole and the capacity to pick winners and
losers inadvertently sort of as an unintended consequence of
trying to protect rights in one place without being certain we
fully understand the implication of those rights in other
places.
    Specifically, the list of areas which we are learning more
and more about where Americans are affected in the context of
privacy within the marketplace is really quite extraordinary.
One can easily solicit campaign contributions from donors who
have given to almost any list, and that is bought and sold in
the marketplace every day.
    Age of any individual. Date of birth is included in almost
all data bases, and it can be used to determine whether the
magazine you subscribe to includes ads targeted to seniors or
to teenagers or so forth. All of that marketable and available.
    The cost of your own house. Real estate transactions
available to the public at the county courthouse. Companies
copy this information, sell it to third parties. All kinds of
targeting can take place through that.
    Travel habits. Airline frequent flyer programs keep track
of numerous habits, including frequency of travel,
destinations, hotels, car rentals, all of it available within
the marketplace.
    Purchasing habits. Supermarket shopping carts could be
used, anywhere you purchase whatsoever, to create a data base
on individuals as to whether they purchase personal items that
might be embarrassing, home pregnancy tests, baby food,
anything, all of which can result in targeting.
    Health information. When patients answer questionnaires and
disclose that they have cancer, diabetes, or arthritis, that
information can be sold to pharmaceutical companies and is and
winds up in various kinds of marketing and targeting.
    Phone habits. A telephone company can tell how often and
where you travel by keeping track of how often and from where
you use your telephone calling card. They can sell that
information to hotel companies, to rental car companies, and
airlines.
    Creditworthiness likewise opens people up to all kinds of
questions about bank marketing, higher interest rates, and so
forth.
    Sexual preferences, subscriptions to magazines, or
contributions to an AIDS related charity would give marketers
an indication of sexual preference and marketing capacity.
    Birth of a newborn, women who subscribe to parenting
magazines, shop at maternity stores, sign up for childbirth
classes, any number of things.
    Browsing habits. Department stores in malls use
surveillance to study the best layouts of stores and displays.
Other information can clearly be gleaned from that.
    So, we probably all have great differences of opinions
about which of these practices we believe is egregious and
violates our propriety, but it does not stop us from going to
the malls, making purchases or continuing to use credit cards
and engage in the marketplace. Clearly there are tiers and
distinctions of the violation, in a sense, of one's expected
zone of privacy, and Americans understand that.
    I think, Mr. Chairman, we need to understand that very,
very clearly as we approach any kind of legislative effort here
with the understanding that the consequences of that clearly
can have major impacts on the marketplace itself, as well as
the growth of the Internet which depends on advertising to be
free. One of the most important things we need to take note of
is that Americans have an expectation that it will be free. And
if we are concerned about divide and other issues, that free
access is going to be increasingly important to us in terms of
equal access in America and equal opportunity to use the power
of the Internet.
    So, I welcome these hearings. I think they have already
shed a lot of light. They have been helpful in educating the
Committee. We are not going to be able to legislate this year
obviously, but as we come into next year, I hope our study and
I hope other information will be available to us.
    I do not know if any of the panelists want to comment
quickly on anything I have said, but I will not ask a specific
question.
    The Chairman. I want to thank Senator Kerry for one of the
more in-depth analyses of this issue. I hope that every member
of the Committee gets a chance to read that statement because I
think it puts a perspective on this issue that is vitally
important. Sometimes we have a tendency to more narrowly focus.
    I would like to ask the witnesses, beginning with you, Mr.
Rubin, if you have any response to Senator Kerry's statement. We
will make it brief because we are about to incur the wrath of
the Senate rules. Mr. Rubin.
    Mr. Rubin. I think it was a nice statement, particularly
pointing out that there may be further implications and things
that you do may affect the marketplace in ways that have not
been thought about. I think that is a very important point to
keep in mind going forward.
    The Chairman. Mr. Rotenberg. By the way, you are free to
make any additional comments.
    Mr. Rotenberg. I would just say, Mr. Chairman, I certainly
agree, Senator, it is a big and complex issue and it touches
many different aspects of our private lives. But we have
struggled with this issue in the United States for more than a
century now, and the wonderful thing about our legal system is
that it has adapted, and we have over time enlarged the legal
right of privacy as new technologies have evolved. This is a
complex one, but I do not think the enormity of the task should
be a reason not to proceed.
    People value this right. They really do. We each value it
in a different way, but we do value it as a country. I think we
look to the Congress to ensure that it will be protected in
law.
    The Chairman. Mr. Garfinkel.
    Mr. Garfinkel. Senator Kerry, I am honored to be one of
your constituents.
    But I would like to say something that industry has been
saying a lot, which is that unless there is this personally
targeted information, the Internet will not remain free. There
is no basis for that statement. There is no basis for saying
that you can get higher ad rates if you know who is at the end
of the Internet connection than you could by selling car ads on
a car site and electronics ads on an electronic site.
Personally targeted ads is something that the technology makes
available, but it is not something that necessarily is good. We
know that there are lots of things that the technology makes
available but that do not make economic sense, like video
telephones.
    So, I would encourage you to say that there are a lot of
very important privacy issues here, and you touched upon them
all. But I am not sure we need to sell our privacy to get free
Internet service.
    The Chairman. Do you think it is a violation of privacy,
one of the examples that Senator Kerry just mentioned, that
because one of us donates to one individual in a political
party, that that information should be sold throughout the
Nation to virtually every cause that there is? Do you believe
that is a violation of our privacy?
    Mr. Garfinkel. We have made a decision as a people----
    The Chairman. Well, I would like to know your opinion as to
whether it is a violation of privacy or not.
    Mr. Garfinkel. I believe that the violation of privacy that
comes from the disclosure of political contributions is an
acceptable price because----
    The Chairman. I am talking about selling that information,
not having it disclosed. We all know about disclosure laws, Mr.
Garfinkel.
    Mr. Garfinkel. I believe that any information that comes
from the government that is sold now should be distributed for
free to the people of this country.
    The Chairman. I am sorry that you will not answer my
question.
    Mr. Vradenburg.
    I think it is a legitimate question Mr. Kerry asked, and I
am sorry you will not answer it.
    Go ahead, Mr. Vradenburg.
    Mr. Vradenburg. Senator Kerry, I thought you brought a good
perspective to this, and I think the only closing comment I
would make is that we probably in industry share virtually
every value you articulated. And the great challenge that we
have to work through together during the course of the next
congressional session is achieving the balance between a
marketplace that provides free flow of information, which is
innovative and which provides a continuing refreshment of the
products and services and how we respond to consumers and, at
the same time, honor and respect the privacy values that
Senator Cleland has mentioned because I do think that there is
a balance here.
    I think that we try and respond to it in industry in terms
of the conservatism with which, for example, AOL might take
with the handling of the personal information of its members,
but in fact, this is a conversation that we ought to have to
make sure that we have struck the right balance, whether it be
industry on the one side or government on the other.
    Again, I do not think you were here, Senator Kerry, but I
would challenge the Committee, as it thinks through its bills,
to apply the bills to the government's handling of personal
information, not because I say that as a challenge, but to say
it as a technique by which we ought to discover the hardness of
some of these questions and the balances that you seek to
achieve.
    Senator Kerry. I agree completely with that.
    Mr. Vradenburg. As you look at the Freedom of Information
Act and the wider dissemination of government records, we will
begin to question that when it becomes available to your
neighbor as opposed to the private investigator or the lawyer
that you can hire. In fact, the wider dissemination of
information through electronic records is going to be a
challenge to our Freedom of Information Act and the way we look
at government records and the way we look at disclosure. I do
not think that the government has got it right yet. I am not
sure that business has got it uniformly right yet. But it is a
conversation that I think is vitally important and I think we
both have to go through that conversation honestly to try to
arrive at the right balance for both government and for
industry.
    The Chairman. Mr. Cooper.
    Mr. Cooper. I think this Committee deserves a lot of credit
for getting beyond the zero sum game that I think this issue
has been held hostage to up till now. I think what we are
finding is that a significant, hopefully a critical mass of
companies are willing to say we need to work with you, we need
to find ways of making this work, though not where we then say
that all the answers have been revealed, because I do not think
that they have.
    We think that a lot of very useful information will be in
the aggregate whether it is in medical or whatever. We do not
want to lose that. We do not want to lose the advantages that
technology is giving us for taking the aggregate use of this
information to benefit the country as a whole.
    At the same time, in working through these issues we will
have to engage business, consumers, and policymakers to find
the right answers. Hewlett-Packard thinks that McCain-Kerry has
it about right. We think the National Academy of Sciences is
the place to resolve a lot of these issues or at least give
Congress the opportunity to have a debate based upon a clear
set of facts that I do not think is going to come out of just a
polarized debate by the loudest voices.
    Senator Kerry. Well, Mr. Chairman, thank you.
    I would just point out that what the chairman and I have
introduced is a pretty strong requirement of notice and choice.
In point of fact, one of the reasons I ran through that list of
examples is, if you measure all of those, we are in fact
providing greater privacy opportunity through what we have
offered than anybody has in any of those other sectors I just
talked about. I ask people to take note of that. You will have
actually greater privacy, just through the notice requirements
and the choice requirements, than you have in any of those
other sectors of the economy.
    You have to also measure the harm done. I go home and I
have got 50 magazines waiting for me from whatever it is,
targeted from whatever I have purchased previously. You could
stop them all, and most of them wind up very quickly going
straight--it is a shame what happens to the trees in the
process, but that is what happens. But what is the harm done
measured against the other choices we have? That is what we
have to ask very carefully here, is what is the harm done that
somebody got an advertisement. As long as personal information,
medical, financial, genetic is obviously an enormous concern,
these kinds of things. I think we ought to be able to define
that line fairly readily. So, I welcome the debate.
    Thank you, Mr. Chairman.
    The Chairman. I would like to apologize again to Mr.
Berman. Mr. Berman, we will see you next time. We will be
having several more hearings in the month of January because
this issue has obviously not been resolved.
    I want to thank the witnesses for a spirited dialog. We
like to have the point/counterpoint in this Committee, and I
think it is very helpful to the members. I want to thank all of
you for coming, and we will welcome you back in January.
    As much as I would like to assure people that we will pass
legislation between now and the next week or two, it simply is
not something that is going to happen. But at the same time, I
think by the time January or February rolls around, this issue
will have increasing importance that the Congress of the United
States act in some way on it.
    I thank you all. This hearing is adjourned.
    [Whereupon, at 11:49 a.m., the Committee was adjourned.]

                                APPENDIX

   Prepared Statement of Hon. Max Cleland, U.S.
Senator from Georgia\n    Reality television has hit an all-time high in the ratings system. \nThis form of entertainment allows viewers to watch the ``real\'\' lives \nof people on TV, but once these viewers cut off their TV and cut on \ntheir computer, they become the focus of reality web surfing. Cookies \nallow on-line companies to gather a great deal of information about \nconsumers and possibly link this information with the person\'s name, \naddress, social security number, and other personally identifiable \ninformation. While the people on television know the cameras are taping \ntheir every move, many on-line consumers have no knowledge of how \ncompanies monitor their behavior.\n    Today this Committee revisits the issue of on-line privacy. \nEstimates are that 137 million Americans can access the Internet and \nabout 300 million people worldwide. America, with almost double the \nnumber of net users, is the world leader, and the Federal Trade \nCommission has recommended that these users need adequate privacy \nprotection when surfing the web.\n    I would like to remind the Committee of some statements in the FTC \nreport:\n\n      92 percent of consumers are concerned and 67 percent are ``very \nconcerned\'\' about the misuse of their personal information online;\n\n      57 percent of Internet users have decided not to purchase online \ndue to privacy concerns;\n\n      79 percent of consumers identified the ability to be removed \nfrom a site\'s mailing list a ``very important\'\' criterion in assessing \na site\'s privacy protections, and\n\n      79 percent of Internet users believe that a procedure allowing \nthe consumer to see the information companies have stored about them is \n``absolutely essential\'\' or ``very important.\'\'\n\n    S. 2606, of which I am a co-sponsor, addresses these issues raised \nby the FTC report. 
It allows customers to ``opt-in\'\' in order for \nwebsites to use their personally identifiable information and ``opt-\nout\'\' for use of non-personal information. S. 2606 also requires that \nconsumers have access to the information collected about them by a \nwebsite and the ability to correct it. It requires that consumers be \naware of how collected information will be used and that everything is \nadequately protected.\n    Reality programs belong in a world in which people know their \nactions are being taped. They do not belong in a world in which many \nusers are not aware of the vast amounts of information collected about \nthem. Notice, consent, access, and security are the recommendations of \nthe FTC report, and they are guiding principles of S. 2606. I look \nforward to the testimony that will be offered here today.\n                                 ______\n                                 \n   Prepared Statement of Scott Cooper, Hewlett-Packard Co., Manager, \n                           Technology Policy\n\nLegislative questions about opt-in and opt-out\nLevels of data collection affected by opt-in/opt-out strategies\n    The HP privacy policy is one external manifestation of HP company \nstrategy and vision to make the web a friendly place for customers, \ninspiring trust, resulting in positive benefits and experiences, and e-\ncommerce growth.\n    When discussing privacy and opt-in/opt-out practices, it\'s important \nto address the scope and nature in applying these practices. The terms \nare often used to cover different aspects of data collection and use \nthat differ in the level of privacy protection offered and the value \nproposition between customers and businesses. These practices (opt-in, \nopt-out) should be evaluated in relation to sharing personal data with \n3rd parties, customer contact strategies using personal data and the \ncollection itself of personal data.\n\nA. Data sharing with 3rd parties\n    1. Personal data. 
HP policy is not to sell or rent our customer \ndata. In the case of HP relationships with a few strategic partners, HP \npolicy is that customers must opt-in to share their personal data. We \nbelieve this approach respects the trust and boundaries that customers \nexpect when providing their personal data to a company. This policy \napplies to offline and online data. Customer feedback to HP is very \npositive regarding these policies.\n\n    2. Aggregated (non-personal) data. HP occasionally shares \naggregate, non-personal data with a few strategic business partners for \nthe purpose of understanding web navigation and usage. This is how we \nanalyze design effectiveness, usability and usage trends of joint \nprograms or services offered, ultimately measuring successes (or the \nlack of). These measures drive billing and payment between business \npartners. HP receives aggregated non-personal data through the HP ad \nbanners placed on web sites. We do not accept personal data from these \nsources or link the non-personal data to HP-held personal data. HP \nreceives virtually no customer feedback on this level of data sharing.\n\nB. Contact based on data collection\n    The most common discussion regarding opt-in and opt-out relates to \ndirect contact from a company to a customer. When discussing this, it \nis important to remember the scope which includes marketing contact, \nsupport contact and administrative contact.\n    Marketing contact refers to programs and information directed at \ncustomers or potential customers about new products and services. \nBesides product information, features and benefits, this includes \nspecial offers, promotions and sweepstakes. It may include market \nresearch/customer surveys.\n    Support contact refers to information and solutions directed at \ncustomers to solve functional, repair issues or improve performance and \nusability. 
This includes software drivers, news and information, \ndiagnostic analysis/tools and product upgrade data.\n    Administrative contact refers to information directed to customers \nas part of a process or transaction, such as order confirmation, \ncontract renewals and records management.\n    In all types of contact the approaches will vary among direct \nperson-to-person telephone (call center), email, and hardcopy mail.\n    Customers have views and concerns about marketing contact different \nfrom support contact. In general, support-related contact is not an \nissue for customers, given the correct assumption that it is collected \nonly for support purposes, but NOT specific to one transaction or \ninteraction. In cases where support-related personal data is used for \nmarketing contact, then the issues become the same as general marketing \ncontact. Some customers view the use of support contact personal data \nfor marketing purposes as a violation of trust even when they are \nclearly informed that this is a possibility. The vast majority of \ncustomers expect, value and even demand administrative contact.\n    In evaluating opt-in for HP, we have focused largely on marketing \ncontact and secondarily on support contact. In some contacts the \nboundaries between marketing and support contact are blurred--for \nexample, where is the difference between sending information about new \nproducts as compared to product upgrade notices that correct \nfunctionality or prevent repair problems? In general, we believe the \ndifference is how the contact is initiated. 
With a support situation \nthere is often a true real need from a customer who explicitly or \nimplicitly (through diagnostics tools that generate support alarms) \ninitiates contact with HP.\n    Let\'s focus on the challenges of implementing an opt-in process for \nmarketing contact by using HP Subscription Services (InfoAgent) as an \nexample.\n    HP Subscription Services, through the HP InfoAgent technology, \nprovide HP customers the opportunity to sign up \n(subscribe) to a variety of software updates, support and marketing \nnewsletters, focused in the consumer peripheral space. Specifically, \nsoftware drivers (e.g. for an HP DeskJet printer, etc.), Support tools, \nresources and tips by product category (e.g. for HP DeskJet or HP \nLaserJet printers, etc) and product news, solutions and promotions by \nproduct category (e.g. for HP ScanJet, etc.).\n    HP Subscription Services represents at most 25 percent of all \npossible HP-related news and information sources available to/sent to \nHP customers. When a customer subscribes, it can only happen as a \nspecific action on their part. Although it is not characterized this \nway on the HP web site, I would call this a functional opt-in.\n    When the customer subscribes, HP asks the customer if he/she is \ninterested in receiving other related information from HP. In the past, \nthe box next to this question was pre-checked, indicating a ``YES\'\'. \nThis is an opt-out.\n    Recently, HP changed the box next to this contact question to leave \nit blank instead of pre-checked. This is a passive and poorly designed \nopt-in. This particular approach drives much of the marketing \ncommunities\' (HP and otherwise) complaint about opt-in. If the contact \nquestion is vague and/or if the customer is not REQUIRED to respond, \nthe results can be just as ineffective as the opt-out. Subscription \nrates typically drop by 50-75 percent, mostly due to ``no action\'\' \n(unanswered) on the part of the customer. 
Ultimately, then, this becomes \nnot a technology issue but a business rule issue. In an opt-out \nbusiness model, are those unanswered OK to contact? Most would say \nyes. In an opt-in business model the answer to the ``OK to contact\'\' \nquestion is most likely no. But an additional process (with business \nrules) must be created to confirm the customers\' intent.\n    Our next step is to move to an ``active opt-in\'\' approach. We \nbelieve if implemented properly, that a single, active opt-in works \nwell with regard to engaging trust and creating leading customer \nexperience. The new contact question will be:\n    ``May HP contact you from time to time about products or services \nof interest to you:\n\n    _Yes_No Postal Mail\n\n    _Yes_No E-Mail\n\n    _Yes_No Telephone\n\n    _Do Not Contact me\'\'\n\n    As we implement this privacy/contact question today, we are working \nto resolve across HP several issues around how to interpret and manage \ncustomer responses to this question and in context with other places \nthis question may be asked. How to set business rules to apply \ninterpretation of existing customer data not collected in this question \nformat, such as how to handle data where the privacy/contact data is \n``unknown\'\' (customer inaction, not asked, etc)? How should we \ninterpret a ``yes\'\' in postal mail with a ``do not contact me\'\' also \nchecked?\n    A customer could easily have multiple records with HP (product \nregistration, new subscription signup, etc) and continue to add them. \nHow should conflicting answers to the question be interpreted? By date? \nAre there exceptions in certain HP business segments or functions? How \nshould the data be linked with other data from the customer gathered \noffline through hardcopy product registration, tradeshows, promotional \noffer responses, call centers, support centers, and sales \nrepresentatives? 
We\'ve just begun to develop a detailed decision matrix \nto apply business and data processing rules to these questions.\n    Our objective is to ask this privacy/contact question at each point \nof data collection. Additionally we must find answers to issues about \ncustomer notice and intent. A fundamental question for HP Subscription \nservices is that if a customer comes in who has registered (a product) \nand subscribed at other times to several newsletters and software \ndrivers, and this time marks ``do not contact me\'\'. . . . Does that \nresponse apply to that specific registration event or does it cancel \nevery other subscription and software driver? We have hundreds of \ncustomers today that subscribe through this service to dozens of \ndrivers and several newsletters. Part of the answer is in better \ncustomer notice, explaining what will happen when ``do not contact me\'\' \nis marked. But there is significant concern about customer \nsatisfaction. Does a ``do not contact me\'\' apply to other subscription \nand registration areas in HP . . . on the web, through a call center, \nfor support? Or does it apply just to that particular product/service \nspace? How exactly should we apply and interpret customer responses \nacross the whole of HP, for the other 75 percent of possible \ndestinations where a customer may choose to give information, subscribe \nand so on?\n    HP has hundreds of customer databases and few are linked in any \nmeaningful way. Our long term vision, to be implemented over the next \nfew years, is that all major customer databases will be linked through \na top-level customer identification application. A few major databases \nlink today but many others remain. Linking requires software and \nbusiness process redesign in many HP organizations. 
Every database has \ndifferent data standards and system architectures that must be \nrationalized.\n    So while the vision is to ``know our customer\'\' as they move \nthrough different HP environments: call center, web, support, \nmarketing, sales (and as he/she desires to be known); the ability to \nhave one common view of a given customer and therefore manage privacy/\ncontact choices (among other things) is a mix of human-managed manual \nprocesses tied to many individual, decentralized systems/databases.\n    We\'re excited about the move to opt-in because we believe it\'s the \nright thing to do for HP customers in a marketing context. We believe \nit is a competitive differentiator. Clearly, the implementation is more \ncomplex than the old default opt-out approach. Our first aim is in the \nconsumer space and for email. Other customer segments and contact \napproaches are still under discussion. As part of HP consumer business \nCRM (Customer Relationship Management), we plan to make all types of \ncontact, as per the question, opt-in. Our business customer approach \nmay be somewhat different, whether for solution developers, small-\nmedium businesses or support delivery.\n    Opt-in (and even opt-out) is much more about business process and \nbehavior than technology, but all must work together and be compatible \nat all levels. The example above represents one set of business \nprocesses and systems out of hundreds. HP wants to do this because we \nthink it\'s important. We want to do it right so that customer privacy \nchoices are honored, customer relationships and satisfaction are \nenhanced and customers will be able to receive information that helps \ntheir business or personal use of HP equipment be effective. 
Imagine \napplying the issues described in the example across hundreds of \ndatabases and business processes in HP.\n    Opt-in is difficult because many companies, like HP, do not have \nthe computer and database architecture or resources to manage the \nchange, at least not rapidly. To accommodate the business, process and \ntechnology change requires time and resources. It requires a major \nbusiness process re-engineering. AND, it\'s tougher in the US than Europe \nbecause in the US, the web systems, technology and processes are \nalready built vs. those in Europe, still in the embryonic stage of \nweb commerce.\n    Opt-in is difficult because companies fear the loss of valuable \ncustomers and their means to communicate with them, inhibiting revenue \nand eroding brand value.\n    Opt-in is difficult because opt-out has a long tradition in the \nU.S. that many feel is more appropriate to U.S. culture.\n    Opt-in has limited practicality for support or administrative \ncontact and would negatively impact customer satisfaction and \nexperience across the board. Opt-out makes more sense for support or \nadministrative contact.\n    Even when opt-in is well in place, HP must still have an opt-out \nprocess, so that customers can remove themselves from contact/databases \nthey originally opted-in to.\n    Opt-in for aggregated non-personal data is impractical and would \nnegatively impact customer experience, customer satisfaction and web-\nsite/e-commerce use. It would be an experience comparable or worse than \nturning on the ``notify all cookies\'\' option in your web browser. And what \nwould be the comparable process in regard to offline data? When the \nimplementation of P3P technology becomes pervasive on both web sites \nand user tools, customers and a web site could engage in a better \nexperience based on personal choice.\n    HP does believe customers should be given an easy simple way to \nopt-out of unknown 3rd party cookies, like those from advertisers. 
HP.com \npolicy prevents the placement of advertising on our web sections. HP \ndoes obtain aggregate data only reports from advertising banners (and \nprint ads) placed on other web sites (publications) for the purpose of \nunderstanding web effectiveness.\n\nC. Collection of data in general\n    1. Personal data. Customers can go anywhere on hp.com without the \nrequirement to provide personal data. As described above in section B, \ncertain specific types of services do require varying levels of \npersonal information. Opt-in at this level doesn\'t apply in a practical \nway because the customer chooses to engage in a specific transaction to \nstart the process. This applies to non-web (offline) services such as \ncall center activity, trade shows and market research.\n\n    2. Aggregated data. HP.com collects aggregate, non-personal data \nused to understand web navigation, ease of use, popular sections, \nunpopular sections and so on. This data is generally kept within the \nspecific hp.com web section rather than any kind of broad sharing \nacross the whole of hp. Broad sharing across hp would be interesting, \nbut is not a top priority, may not be relevant and would be expensive \nfunctionality to build. Applying opt-in, or even opt-out practices at \nthis level would be hugely annoying, cumbersome and a just plain awful \ncustomer experience.\n\n    Offline aggregate data collection is common, examples are market \nresearch, product warranty databases, support diagnostic tools, and \nsales representative records. There is no practical application of opt-\nin/opt-out practices here.\n                                 ______\n                                 \n Response to Written Questions Submitted By Hon. Ernest F. Hollings to \n                George Vradenburg, America Online, Inc.\n\n    Question. 
While more and more companies are adopting Opt-in, you \nclaim Opt-in is impractical and will interfere with the functionality \nof the Internet and even with the economic viability of certain \ncompanies. Please provide the Committee with a memorandum explaining in \ndetail the reasons behind these claims. What are the problems you \nbelieve will be realized? What specifically are you or other Internet \ncompanies doing now that Opt-in will prevent? What are the economic \ncosts you fear will occur? Please be specific, answer each of these \nquestions, explain your reasoning in detail, and provide examples for \neach of your answers.\n    Answer. AOL supports a comprehensive approach to online privacy \nthat will ensure that consumers are provided with meaningful notice and \nchoice about the collection and use of their personal data by online \ncompanies. We believe that, in most situations, the specific approach \nto choice should be determined by the marketplace and the demands of \nconsumers; in some instances, the marketplace will require companies to \nuse an ``opt-in\'\' approach, and in other cases an ``opt-out\'\' approach \nmay be appropriate. As we work through this issue in the marketplace \nand in Congress, we should design a system that best serves consumers, \nrather than impose a ``one-size-fits-all\'\' regulatory regime. 
Indeed, we \nbelieve that ``choice\'\' can be provided in many different ways, and \nthat it is not even possible to force all choice mechanisms into the \nopt-in or opt-out category, because many choice mechanisms actually \nhave characteristics of both categories.\n    For example, although subscribers to the AOL service must ``opt-\nin\'\' to the AOL Terms of Service--which includes the AOL privacy \npolicy--as a condition of AOL membership, the choices offered within \nthat privacy policy for the use of personal data for marketing purposes \nare provided in the form of an ``opt-out.\'\' Under AOL\'s current privacy \npolicy, which is considered to be among the most robust in the online \nindustry, new subscribers to the AOL service are provided with a \ncomplete explanation of how their personal data can be collected and \nused. Where members do not want their data to be used or disclosed to \nthird parties for marketing purposes, they are given clear instructions \non how to opt-out of such uses, so that they are able to maintain \ncomplete control over the use of their personal information. AOL \nmembers can change these marketing preferences at any time, and may \neasily access the AOL privacy policy at any time by typing in the keyword \n``privacy.\'\' We believe the AOL policy is a prime example of how a \nmeaningful ``choice\'\' mechanism can empower consumers to protect their \nown privacy online, as well as provide consumers with the ability to \nreceive maximum benefit from the online medium.\n    In examining this question, it is critical to understand exactly \nwhat is meant by the term ``opt-in.\'\' We presume that ``opt-in\'\' \nclearly cannot apply to information collection in cases where such \ninformation is collected voluntarily from the consumer and is required \nfor the provision of a particular service. 
For instance, AOL members \nmay choose to provide us with information about their stock portfolio \nso that they can receive personalized financial information or stock \nquotes on the AOL service. However, there is no formal ``opt-in\'\' for \nthis feature; rather, consumers can simply choose to provide the \ninformation and receive the service, or not to provide this information \nand not receive the service. Where information is collected as a \ncondition of using a particular product or feature (i.e. registration \ninformation), there may not be any ``choice\'\' offered with respect to \nthe collection of that information (beyond simply choosing not to use \nthe service), although a company may offer the consumer choice as to \nwhether and how that information is used for purposes other than \nproviding the service itself.\n    Certain merchants may use information that you provide voluntarily, \nsuch as registration information or information about transactions \nconducted with that merchant, to customize their services to your \nparticular interests or needs. For instance, an online bookseller might \nuse information about the books you\'ve purchased to provide you with \nrecommendations for other books you might be interested in. Presumably, \nthe information was initially collected with your permission (i.e. you \nchose to provide your name and address so that your book could be \ndelivered directly to you). But must the merchant obtain affirmative \nconsent for each additional use of that data, such as sending you \npersonalized marketing offers or recommending products that might be of \nparticular interest to you? The breadth of an opt-in requirement would \ndetermine the extent to which we and other companies would need to \nalter our business models. 
Depending on how an opt-in provision is \nstructured, Web sites and online service providers might be required to \nrecontact consumers in order to obtain consent in every instance when \ntheir data is used, to retrofit their systems to code data previously \ncollected for the specific uses for which consumers consent, to \ncategorize and store the consents obtained, and to match any future \nuses of the data with these categories.\n    In general, we believe that there may be some practical business, \ntechnological, and convenience issues associated with an opt-in model \nthat could make such a model inappropriate as a governmental mandate \nfor all non-sensitive information, and could actually reduce the value \nof the online medium to consumers. An opt-out approach--not an opt-in--\nis widely used today in both the online and offline marketplace, and \ncreates the proper balance between protecting privacy and allowing \nconsumers to enjoy the benefits of personalization and customization. \nUnder an opt-out approach, the default always favors ``free information \nflow,\'\' a goal that maximizes the inherent strengths of the medium and \nits potential to improve consumers\' lives.\n    By contrast, a mandatory opt-in system sets the default rule to \n``no information flow,\'\' undermining the innovation and growth of the \nmedium while making it more inconvenient for the average consumer to \nengage in e-commerce transactions. More importantly, a mandatory opt-in \nrequirement would not account for technological developments that will \nallow consumers to access the Internet or exercise choice in completely \nnew ways. For example, the shift from PC-based Internet access to \nwireless Web access via a small handheld device is likely to make opt-\nin prior to information collection extraordinarily difficult, if not \nimpossible, in certain circumstances. 
As Internet usage expands to a \nnew array of handheld and portable devices, the idea of forcing \nconsumers to click through screens upon screens of marketing preference \nquestions becomes much less feasible and could easily turn many \nconsumers away from these new platforms by making the online \nregistration process extremely complex and difficult to navigate.\n    In fact, it is entirely possible that a more complicated process \ncould actually confuse or overwhelm users, especially those novice \nInternet users who comprise a vast segment of AOL\'s subscriber base. \nAnd for smaller companies, whose entire business model may rely on \nthese new platforms or devices, such complexities could drastically \nreduce their ability to attract consumers and their ability to compete \nin the online marketplace. In short, there is no way to tell what new \nproducts, business models, or devices will emerge over the next few \nyears or how those innovations will change the way that information is \nexchanged across the Internet. Creating a mandatory opt-in regime today \nwould be as counterproductive as if Congress had tried to set tough \nauto safety standards in 1880. Until this medium reaches maturity, we \nwon\'t even know the ways that consumers will want to exchange their \ninformation, let alone what restrictions should be placed on that \nexchange.\n    By setting the default rule against the collection of information \nin all situations, an opt-in rule would make it much more difficult for \nsome companies to personalize their services and reach the consumers \nmost likely to be interested in them. Under an opt-in regime, it will \nbe far more difficult for consumers to set up personalized features and \nreceive the many benefits of a tailored Internet experience. 
As a \nresult, companies will not have the incentives to provide these \nfeatures and take full advantage of the exciting new technologies \navailable in the online environment to provide consumers with \ncustomized services. Additionally, as e-mail marketing is nearly cost \nfree, limiting every advertiser\'s ability to reach a targeted audience \nmight encourage some companies to send untargeted solicitations to far \nlarger numbers of consumers. Such a requirement would inhibit \ncompanies\' ability to tailor their marketing efforts to consumer \npreferences, and could limit the effectiveness of their customer \nservice and customer relations efforts.\n    Furthermore, more onerous opt-in regulation could make it harder \nfor new entrants to find their ``niche\'\' in the Internet marketplace \nthrough innovative business models, and would likely reduce the \navailability of ``free\'\' content on the Web that may be supported in \nlarge part by advertising and marketing dollars. Because the average \nconsumer is more likely to choose whatever ``default\'\' option is \noffered in an online transaction, an over-regulatory privacy regime \ncould severely limit companies\' ability to balance consumer costs with \nadvertising revenue, which could ultimately lead to an increase in \nconsumer prices and a decrease in the diversity and richness of content \nand services that can be offered to consumers. A more sensible model is \nto allow companies the flexibility to provide privacy options in the \nmanner that works best for each particular business model, while \nensuring that consumers are always fully informed of all their privacy \nchoices.\n    Ultimately, we believe that true privacy protection rests on the \nfundamental principles of notice and choice, and that it is not \nnecessary to mandate exactly how such choice must be provided under \nevery business model. 
Both opt-in and opt-out approaches allow \nconsumers to exercise choice about how their information may and may \nnot be used, but there may be other approaches to choice available as \nwell. In some cases, ``opt-in\'\' may be the most appropriate choice \nmechanism. For example, we support an opt-in approach for the \ncollection and use of sensitive data such as medical and financial \ninformation, and for children\'s personal information. Indeed, that is \nprecisely why AOL supported the passage of the Children\'s Online \nPrivacy Protection Act (COPPA), which addressed the unique concerns \nraised by the collection and use of children\'s information, and why we \nhave joined the Hi-Ethics (Health Internet Ethics) Coalition, a group \nof the most widely used health Internet sites committed to providing \nthe highest standards of privacy protection for health-related \ninformation.\n    But it is the marketplace--businesses and consumers together--that \nmust determine how choice can best be provided in each particular \ninstance. We should not get caught up in a debate over the terminology \nof ``opt-in\'\' and ``opt-out,\'\' but should focus rather on the ultimate \ngoal of a choice requirement, which is to empower consumers to control \ntheir personal data while maximizing the value of the online medium to \nconsumers. 
As long as consumers have a clear understanding of what \ninformation is being collected about them, how it may be used, and how \nthey may limit its use and disclosure, consumers will be able to \nexercise control over their privacy while still enjoying the full \nbenefits of customization and personalization that the Internet can \nprovide.\n    We agree that privacy policies that are buried in fine print or \nwritten in incomprehensible legalese do not constitute adequate notice \nand choice, and to the extent that some companies try to defend such \npractices as consistent with an ``opt-out\'\' model, such practices \nshould be strictly prohibited. However, where consumers are properly \ninformed of their options for controlling the use of their personal \ndata, it is unnecessary and potentially harmful to mandate a particular \nmechanism for providing choice to consumers in all circumstances. \nBaseline requirements backed up by market-led technological solutions \nwill provide businesses and consumers with enough flexibility to adapt \nto the changing online marketplace while ensuring that consumer privacy \nis appropriately safeguarded.\n                                 ______\n                                 \n             Simson L. Garfinkel Letter to Hon. John McCain\n                                        Simson L. Garfinkel\n                                     Cambridge, MA, October 3, 2000\nHon. John McCain,\nChairman,\nCommittee on Commerce, Science and Transportation,\nWashington, DC.\n\n    Subject: Is it a violation of privacy for lists of campaign \ncontributors to be sold?\n\n    Dear Senator McCain:\n\n    Thank you for giving me the opportunity to testify before your \nCommittee earlier today. I would like to apologize to you for my \ninability to answer your final question, and I would like to attempt to \ndo so now.\n    You asked me, roughly paraphrased, Is it a violation of privacy \nfor lists of campaign contributors to be sold? 
This is a deep question. \nInstead of stumbling through several answers, I simply should have \nasked your leave to send you an answer in writing.\n    Please allow me, Mr. McCain, to answer your question now:\n\n    Lists of campaign contributors that are sold do violate the \nprivacy of those contributors, if the lists are used in a manner that \nis inconsistent with the purpose for which the information was \ncollected.\n\n    Clearly, the privacy of campaign contributors is violated when \ntheir names and that information is made publicly available. Thus, my \nfirst answer to your question was that, as a democracy, we have decided \nthat this violation of privacy is preferable to the corrosive power of \nsecret money in politics. You rightfully said that you knew all \nabout the disclosure laws, and that was not the question that you were \nasking me.\n    Once we have made the decision to make campaign contribution \ninformation public, the next question is ``how will this information be \nused.\'\' My second answer to your question was that this information \nshould not be sold by businesses, but given freely in electronic form \nby the federal government. 
You again told me that I was not answering \nthe question that you were asking.\n    In fact, you were asking if the selling of this information by \nthird parties further violates the privacy of the campaign \ncontributors.\n    The answer to that question depends on what is done with the \ninformation:\n\n  <bullet> If the information is used to perform an analysis of the \n        role of money in politics, or to correlate donations with \n        voting patterns, it does not further violate the contributors\' \n        privacy; this is the reason that the information was originally \n        collected.\n\n  <bullet> If the information is used to solicit the contributors for \n        donations to museums, or public radio, or to join a country \n        club, then it does violate the contributors\' privacy; these \n        uses run counter to the original reason that the information \n        was collected.\n\n    I believe this analysis shows the importance of passing a national \ndata protection act. Since 1973, the third item of the Code of Fair \nInformation Practices has held that ``[t]here must be a way for a \nperson to prevent information about the person that was obtained for \none purpose from being used or made available for other purposes \nwithout the person\'s consent.\'\' I believe that adopting these \nprinciples into US law is the best way to protect the privacy interests \nof campaign contributors, and indeed of all Americans.\n    Thank you for your time.\n        Sincerely,\n                                        Simson L. Garfinkel\n\n</pre></body></html>\n'