[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]




 OPINION SURVEYS: WHAT CONSUMERS HAVE TO SAY ABOUT INFORMATION PRIVACY

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 8, 2001

                               __________

                           Serial No. 107-35

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house

                               __________

                   U.S. GOVERNMENT PRINTING OFFICE
72-825                     WASHINGTON : 2001

_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma              BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa                    ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia             BART STUPAK, Michigan
BARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri
Mississippi                          TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia                  BILL LUTHER, Minnesota
ED BRYANT, Tennessee                 LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California        JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

                  David V. Marventano, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

NATHAN DEAL, Georgia                 EDOLPHUS TOWNS, New York
  Vice Chairman                      DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky               LOIS CAPPS, California
BARBARA CUBIN, Wyoming               MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois               CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona             JANE HARMAN, California
ED BRYANT, Tennessee                 HENRY A. WAXMAN, California
STEVE BUYER, Indiana                 EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California        BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire       PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania        BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon                  ANNA G. ESHOO, California
LEE TERRY, Nebraska                  JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana       (Ex Officio)
  (Ex Officio)

                                  (ii)


                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Bauman, Sandra, Vice President, Marketing and Business 
      Development, Wirthlin Worldwide............................    23
    Newport, Frank, Editor-in-Chief, Gallup Poll.................    20
    Rainie, Lee, Director, Pew Internet & American Life Project..     5
    Taylor, Humphrey, Chairman, The Harris Poll, Harris 
      Interactive................................................    11
    Westin, Alan F., Professor Emeritus, Columbia University, 
      President, Privacy and American Business...................    14

                                 (iii)

  

 
 OPINION SURVEYS: WHAT CONSUMERS HAVE TO SAY ABOUT INFORMATION PRIVACY

                              ----------                              


                          TUESDAY, MAY 8, 2001

              House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 3 p.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Shimkus, Bryant, 
Walden, Terry, Tauzin (ex officio), and Doyle.
    Staff present: Ramsen Betfarhad, majority counsel; Mike 
O'Rielly, majority professional staff; Kelly Zerzan, majority 
counsel; Anthony Habib, legislative clerk; M. Bruce Gwinn, 
minority counsel.
    Mr. Stearns. I welcome you all to the Subcommittee on 
Commerce, Trade and Consumer Protection. This is the fourth in 
a series of hearings on Information Privacy. I thank all of you 
for attending this hearing this afternoon, especially our 
witnesses.
    Today's witnesses include representatives of four major 
national polling organizations that have surveyed public 
opinion on the issue of information privacy. One such survey 
was just completed last week. We are also pleased to have Dr. 
Westin, a prominent researcher in the field of information 
privacy, who began his research and surveys on the issue over 
30 years ago.
    Credible and scientific public opinion surveys on multi-
faceted public policy issues such as information privacy can be 
at times both instructive and perplexing. Still, at no time are 
surveys dispositive, nor should they be.
    In reviewing the polling data, I realize that like most 
important things in life, there is more to the story being told 
by the data than a cursory first glance would suggest. 
Therefore, after reviewing the survey results, I found myself 
facing more questions rather than answers regarding Americans' 
views on information privacy.
    I look to our witnesses to answer some of those questions, 
and maybe one or two questions on other mysteries of life, like 
how do you do a good jump shot.
    I walk away with a somewhat puzzled, but concrete, 
conclusive feeling from some of these surveys. They suggest 
that most Americans are anxious about what they perceive to be 
a loss of control over the dissemination and use of their 
personal information. It seems that this anxiety has been 
exacerbated with the advent of the Internet. Still, some of 
those same polls also indicate that different people mean 
different things when they talk about their information privacy 
and their anxieties.
    As one of today's witnesses observes, for some Americans 
information privacy means anonymity. They want no information 
about them traced or disclosed in any circumstance. For others, 
information privacy means confidentiality. They are not 
comfortable letting information be passed along to third 
parties without permission. For many Americans, information 
privacy equals simply security. Yet, where poll results are 
seemingly clear and thus instructive is the fact that Americans 
are most anxious about the improper use of their personal 
information, when that improper use can lead to real harm. 
Those real harms, in turn, seem to be intimately related to 
Americans' information security concerns.
    For example, polls indicate that the vast majority, 87 
percent, fear financial loss through disclosure of their credit 
card information, while 80 percent of Americans fear that the 
Internet can be used to commit wide-scale fraud, and 70 percent 
are anxious about criminals or pranksters sending out computer 
viruses that alter or wipe out personal computer files.
    In addition, the fact that Americans are particularly 
concerned about protecting their information privacy against 
government intrusions is consistent with the proposition that 
Americans are most anxious about their information privacy when 
they perceive a real harm attaching.
    The survey results also seem to reflect a truism--different 
people think differently about the same issue. It seems that 
older Americans, women, parents and, most importantly, Internet 
novices, are more anxious about losing control over their 
personal information. There is an inverse correlation between 
time spent online and the increased willingness to engage in 
what is called ``trusting behavior online.'' Trusting behavior 
online includes buying and selling goods, banking, getting 
health information, communicating via email or instant 
messaging with strangers, joining support groups and making 
friends and dates online.
    The surveys seem also to suggest that what we as Americans 
say in response to a survey question may be different from what 
we actually do. Two-thirds of American Internet users having 
expressed serious information privacy concerns have, 
nevertheless, engaged in at least one trusting activity online, 
such as purchasing a book online.
    Moreover, while the majority of Americans have a negative 
visceral reaction to online tracking and profiling, a 
relatively few take steps to shield their identities. For 
example, one survey reports that only 1 in 10 Internet users 
has set his or her browser to reject ``cookies.'' This brings 
me to another observation.
    Surveys suggest that Americans as a whole lack knowledge as 
to when, how and for what purpose information about them is 
collected and used. For example, according to one survey, 56 
percent of Internet users do not know what a ``cookie'' is. Yet 
another survey reports that 48 percent of Americans who 
regularly surf the World-Wide-Web admit to paying little or no 
attention to matters such as online tracking and profiling.
    And, finally, one of the more interesting survey results is 
that as most Americans are anxious about the loss of control 
over their personal information, they want rules, but they 
reject the notion that the Government and/or Internet companies 
are the best stewards of their personal information privacy.
    When asked who would do the best job setting those rules, 
50 percent said Internet users themselves would be best adept 
at setting those rules, while only 24 percent said the Federal 
Government, and 18 percent said Internet companies would be 
best adept at setting those rules.
    Another survey registered some 71 percent of Internet users 
saying they themselves, rather than the Government or online 
businesses, would have the most say over how Internet companies 
track Web activities.
    My colleagues, if the public opinion poll suggests one 
thing definitely, it is that the American public consumer, with 
the issues of information privacy, is as complex as the issue 
is itself. So, I look forward to the witnesses' testimony, and 
the gentleman from Pennsylvania, Mr. Doyle, is recognized for 
an opening comment, as Ranking Member.
    Mr. Doyle. Thank you, Mr. Chairman. I am happy to join my 
friend here on the panel. Mr. Chairman, I would ask unanimous 
consent that the opening statement of Mr. Towns be included.
    Mr. Stearns. Without objection, so ordered.
    Mr. Doyle. Thank you, Mr. Chairman. I want to thank you for 
convening today's hearing providing us insight as to what 
American consumers are saying about their information privacy. 
I want to thank our invited witnesses for taking the time this 
afternoon to share with us the results of these efforts.
    I have received a good deal of mail from my constituents 
concerning information privacy issues, some expressing concern 
that the Government is not doing enough to protect personal 
information, and others advocating that the Government is doing 
too much. But regardless of their particular opinion on the 
issue, the bottom line is, the majority of the contact I 
receive sends a clear message that people in Pennsylvania are 
very concerned about what happens to and with their personal 
information, no matter if they are on- or off-line or if the 
Government or a private entity is managing the affairs.
    I can tell you that as a consumer I am concerned about the 
extent of information on my family's Internet usage and how 
that is gathered through the use of cookies, and by whom that 
information is used.
    Establishing guidelines and limits of information usage and 
ensuring proper enforcement presents significant challenges on 
a national scale, especially considering the varying degrees 
the general populace feels comfortable allowing the Government 
or industry to establish regulations related to information 
privacy.
    Additionally, concerns about private health information 
online or off remains very critical to most people and the 
Nation. Perhaps most telling is the statistic Mr. Rainie of the 
Pew Internet and Life Project gives us. Eighty-five percent of 
those who seek health information online are concerned that an 
insurance company may raise their rates or deny them coverage 
because of the health sites they have visited. Of that, 72 
percent are very concerned this may occur.
    Without a doubt, protection from discrimination based on 
personal health information is a great concern to many 
Americans. That is why many of us have supported the Genetic 
Nondiscrimination and Health Insurance and Employment Act, H.R. 
602, again this session, and will continue to do so until this 
important bill is signed into law.
    Many of my colleagues on this committee and 229 Members of 
Congress support this legislation. No person should be denied 
coverage or forced to pay higher premiums because they are 
genetically predisposed to develop a certain health condition. 
Entities that compile such information while consumers are 
online must be held accountable for such actions.
    My colleagues, I look forward to the information that our 
panel of witnesses will provide us today. I think it will come 
as no surprise that the American public want to be secure 
online and want their Government to take the appropriate 
measures to ensure their desires are protected. Thank you, Mr. 
Chairman.
    Mr. Stearns. Thank my colleague. The gentleman from 
Nebraska, Mr. Terry.
    Mr. Terry. Pass, Mr. Chairman.
    Mr. Stearns. The gentleman from Illinois, Mr. Shimkus, is 
recognized.
    Mr. Shimkus. Thank you, Mr. Chairman. I, too, appreciate 
you having this hearing. I just quote Diana DeGette, you know, 
the public, the individuals have a hard time understanding the 
benefit we have through sharing information as much as some 
individual folks who don't understand the benefits of holding 
classified or important information to themselves.
    The scary thing about going into privacy is it is kind of 
like opening Pandora's Box because there are going to be so 
many conflicting concerns and emotions involved. Where do you 
start? How do you finish? Nobody will be satisfied. And it is 
into this muddle mess that the Chairman is venturing, and I 
commend him because it is, as I think we are going to find out 
from the testimony today, really a pressing concern and 
something we need to get our hands around, reluctantly probably 
from many corners.
    So, thank you for taking the time. Your testimony is very, 
very important, and I look forward to hearing your testimony 
and asking questions. And I yield back my time, Mr. Chairman. 
Thank you.
    Mr. Stearns. I thank my colleague. We will now hear from 
our panel: Mr. Harrison Lee Rainie, Director of Pew Internet & 
American Life Project; Mr. Humphrey Taylor, Chairman of The 
Harris Poll, Harris Interactive; Dr. Alan Westin, Professor 
Emeritus, Columbia University, President, Privacy and American 
Business; Dr. Newport, Editor-in-Chief, Gallup Poll, and Dr. 
Sandra Bauman, Vice President of Marketing and Business 
Development, the Wirthlin Worldwide Group. I want to thank all 
of you for your attendance here, and we will start from my left 
and go to my right and, Mr. Rainie, we will have your opening 
statement.

  STATEMENTS OF LEE RAINIE, DIRECTOR, PEW INTERNET & AMERICAN 
   LIFE PROJECT; HUMPHREY TAYLOR, CHAIRMAN, THE HARRIS POLL, 
    HARRIS INTERACTIVE; ALAN F. WESTIN, PROFESSOR EMERITUS, 
COLUMBIA UNIVERSITY, PRESIDENT, PRIVACY AND AMERICAN BUSINESS; 
FRANK NEWPORT, EDITOR-IN-CHIEF, GALLUP POLL; AND SANDRA BAUMAN, 
 VICE PRESIDENT, MARKETING AND BUSINESS DEVELOPMENT, WIRTHLIN 
                           WORLDWIDE

    Mr. Rainie. Thank you. Chairman Stearns, honorable members 
of the subcommittee, it is an honor for the Pew Internet & 
American Life Project to be asked to testify at this important 
hearing. The project is an independent, nonpartisan, research 
operation created to examine the social impact of the Internet 
with a grant from the Pew Charitable Trusts. We have no agenda 
except analytical research.
    Our surveys show that Americans with Internet access would 
like the presumption of privacy when they are online, and they 
would like to be in control of when pieces of their identity 
are given out. If they could craft a Golden Rule for the 
Internet, it would be: ``Nobody should know what I do on the 
Web or anything else about me unless I say so.''
    Not surprisingly, these Americans have great concerns about 
their privacy being compromised, but it is also clear that 
different people mean different things when they are talking 
about privacy. For some, privacy means absolute anonymity; for 
others, it means absolute confidentiality. They are comfortable 
letting some Web-based organizations know about them, but they 
do not want that information passed along to third parties 
without their permission. And for others, privacy means 
security; More than two-thirds of Internet users worry that 
hackers will steal their credit card information.
    Americans are most anxious, of course, about highly 
sensitive information that might be used to cause them harm. 
For instance, most Internet users fear insurance companies 
learning about their searches for medical information and 
perhaps changing their insurance status or canceling their 
insurance. Many fear their employers might find out about their 
health searches and worry how that would affect their job 
status.
    At the same time they express anxiety about their privacy, 
Internet users do a striking number of intimate and trusting 
things online. More than two-thirds of those who have serious 
privacy concerns have done at least one of the things that is 
on the chart to your right. It starts in the upper, left-hand 
corner with seeking medical information, using credit cards for 
online purchases, seeking financial information, making travel 
reservations. About a third of Internet users have customized 
Web sites or have gotten registration for email alerts on 
various subjects including news, health concerns, weather, and 
even horoscopes. Some have responded to email from strangers, 
some have participated by giving their full name and discussing 
both medical problems and personal problems in online support 
groups, and some have gone to dating sites.
    To some degree then, there is a gap between Internet users 
expressed fears and their actual behavior. Perhaps one of the 
reasons for that apparent contradiction is that few Internet 
users have ever had a serious problem online. Another reason is 
that the majority of Internet users do not know if, or how, 
they are being tracked. Most feel they are anonymous online 
unless they take affirmative steps to disclose information 
about themselves. The majority, 56 percent, of Internet users 
do not know what a ``cookie'' is. They don't know the basic 
mechanics of how they are tracked and profiled through the use 
of cookies, and they don't know this is going on almost all of 
the time they have access to the Web.
    One useful way to measure the gap between Internet users' 
attitudes and their behaviors is to look at the privacy 
protection steps they have taken, and that is on the next chart 
before you. If you compare this chart, the privacy protection 
steps they have taken, to the previous one, you will see that 
Internet users are much less likely to take privacy protection 
steps than they are to do things online where significant 
pieces of information about them are disclosed.
    The most serious Internet users, of course, know how to lie 
to protect their identity. They have set up secondary email 
accounts. Some of them, a pretty small percentage, know how to 
use encryption to protect their email in anonymizing 
technology, but it is a very small number. These tools are not 
being used by the vast majority of Internet users.
    Even though Internet users have fears about their online 
privacy, these sentiments do not translate into a universal 
yearning for anonymity. In fact, almost two-thirds of them are 
comfortable with disclosing information under the terms of the 
basic Information Age bargain: ``I give you a piece of 
information about me in return for something of value from 
you.''
    In addition, there is at least one other context in which 
the strong public concern about privacy is tempered by other 
fears, and that is when Americans express their anxiety about 
online crime. We found recently that 54 percent of all 
Americans and 60 percent of Internet users approve of the FBI 
or law enforcement agencies intercepting email sent to or from 
people suspected of criminal activities. At the same time, 62 
percent of Americans say new laws should be written to make 
sure that ordinary citizens' privacy is protected from 
government agency interceptions like the ones that they approve 
of.
    It is also important to understand that concern about 
privacy is notably higher among some groups, especially 
parents, older Americans, women, African Americans, and 
Hispanics who have Internet access. In general, those who are 
most worried about privacy tend to be the ones who do the least 
online.
    One of the biggest questions hanging over the Internet is 
whether today's newcomers will eventually act like today's 
veterans in their online behavior and their beliefs. The 
veteran population is dominated by young, upscale, well 
educated, white men. The Internet novice population looks a lot 
more like the rest of American because it has large numbers of 
women, African Americans, Hispanics, and those from modest 
economic circumstances.
    As you can see from the final chart that is over here and 
in your material, veterans are much more likely to have 
exploited key features of the Internet. They are more likely to 
have clicked on advertisements. They are more likely to have 
purchased goods online. They are more likely even in their 
beliefs to be tolerant of tracking. They are more likely to 
have responded to emails from strangers. They are a more 
trusting crowd.
    The issue, of course, is whether this large, newcomer group 
which is more concerned about privacy issues, will feel less 
anxious as time passes, and will do more activities online.
    Several weeks ago, we wrapped up a survey of people that we 
also interviewed a year ago, so we have year-to-year 
comparisons of their behavior and their beliefs. Our 
preliminary analysis suggests that experience online 
significantly increases the commercial transactions of Internet 
users as well as their willingness to do trusting things 
online.
    What are the policy implications of these findings? 
Internet users embrace principles of notice, choice, access to 
information about them, and security. Internet users would 
prefer a different tilt on the privacy playing field, one where 
the burden of effort is shifted away from them to be vigilant 
about managing their identity and toward those who want to 
collect information about them.
    Internet users would profit from an industry-led education 
campaign that focuses on the mechanics and virtues of tracking. 
Companies would gain in users' eyes if they offered a clearer 
and more convincing explanation for the value of cookies, 
specifically how cookies enhance user experiences and how their 
use is tied to advertisers' support of much of the free content 
on the Web.
    Finally, Internet users would appreciate more technology 
tools to give them a sense of control, or at least 
transparency, in letting them know what is happening to pieces 
of their identities as they move through Internet space. Thank 
you.
    [The prepared statement of Lee Rainie follows:]

  Prepared Statement of Lee Rainie, Director, Pew Internet & American 
                              Life Project

    Chairman Stearns and honorable members of the Subcommittee, it is a 
distinct honor for the Pew Internet & American Life Project to be asked 
to testify at this important hearing. I am the director of the project. 
It is an independent, nonpartisan, center created to examine the social 
impact of the Internet with a grant from the Pew Charitable Trusts. We 
do not have an advocacy agenda. I will be talking today about our 
findings from several polls we conducted last year and in February this 
year that illustrate some fascinating cross currents on the privacy 
issue.
    At the most fundamental level, Americans would like the presumption 
of privacy when they are online and they would like to be in control of 
when pieces of their identity are given out. This is the Information 
Age corollary to the classic American formulation of privacy: the right 
to be left alone. In the 21st Century, they want right to control their 
identities. If they could craft a Golden Rule of the Internet it would 
be: ``Nobody should know what I do on the Web or anything else about me 
unless I say so.''
    Not surprisingly, these Americans have great concerns about their 
privacy being compromised. Still, it has become clear in our work 
related to this issue that different people mean different things when 
they are talking about privacy. The context of the questions and of the 
behavior needs to be understood in order to grasp how Americans feel 
about privacy. For instance, the definition of the term is very 
important. For some it means anonymity. About a quarter of Internet 
users say they want no information about them traced or disclosed in 
any circumstance.
    For others, the concept of ``privacy'' means confidentiality. They 
are comfortable letting some Web sites or organizations know about 
them, but they do not want that information passed along to third 
parties without permission. And for others it means security; they are 
anxious that information about them is going to be discovered by 
hackers (68% of Internet users worry hackers will steal their credit 
card information) or that important personal data will be inadvertently 
disclosed by a sloppy Web operation.
    Americans also are most anxious about improper use of their 
information when it could do them real harm. Most Internet users fear 
insurance companies learning about their health and medical information 
searches and, as a result, changing or canceling insurance because of 
the kinds of Web sites that were visited. Many fear their employers 
might find out and that could affect their job status. And the vast 
majority fear financial loss through disclosure of their credit card 
information.

                           TRUSTING BEHAVIOR

    At the same time they overwhelmingly express concern about their 
online privacy, American Internet users do a striking number of 
intimate and trusting things online. This is another aspect of how the 
context of privacy discussions is important to understand. More than 
two-thirds of Internet users who have serious privacy concerns have 
done at least one of these things online: purchase goods, make travel 
reservations, get health information, respond to email and instant 
messages from strangers, make friends and dates with people they have 
never met face-to-face, join support groups, place their calendars and 
address books online, and participate in online auctions.
    Perhaps one of the reasons for that level of trustful behavior is 
that few Internet users have ever had a serious problem online. Just 4% 
of Internet users say they have felt threatened in some way while they 
were online; 3% say they have been cheated when they tried to buy 
something online; and fewer than 3% believe their credit card 
information has been stolen online. The irksome issue is ``spam,'' the 
online equivalent of junk mail, which makes about a third of Internet 
users unhappy to varying degrees. And about a quarter of Internet users 
say they have gotten an offensive email from a stranger.
    Yet another reason for the high level of trusting activity online 
is the majority of Internet users do not know if or how they are being 
tracked. Most feel they are anonymous online unless they take 
affirmative steps to disclose information about themselves. This is 
enormously important, for instance, to some who seek health 
information, especially when they are conducting their searches in the 
privacy of their den or recreation room. Most are unaware, of course, 
that many of the health-related Web sites they visit plant cookies--
small bits of encrypted information deposited on a computer's hard 
drive so the online firm can track the user's clicks through the site 
(and sometimes other sites) and to identify that computer the next time 
it visits the health site. Fully 56% of Internet users do not know what 
a cookie is; and just a tenth of Internet users have set their browsers 
to reject cookies.
    In principle, Americans do not much like the idea of online 
tracking and profiling--by a two-to-one margin they say that tracking 
is an invasion of privacy, rather than a tool to help Web sites provide 
customized information to users. Still, relatively few take steps to 
shield their identities: 24% of Internet users have provided a fake 
name or personal information in order to avoid giving a Web site real 
information; 9% have used encryption to scramble their email; 5% have 
used ``anonymizing'' software that hides their computer identity from 
Web sites they visit.

                        INFORMATION TRANSACTIONS

    Internet users' preference for a presumption of privacy does not 
translate into a universal yearning for anonymity. In fact, most are 
comfortable with disclosing information under the terms of basic 
information transaction of the Internet age in which the bargain 
between a user and a Web site is: ``I give you a piece of my identity 
in return for something of value from you.'' Some 54% of Internet users 
have chosen to provide personal information in order to use a Web site 
and an additional 10% say would be willing to provide it under the 
right circumstances.
    They want rules, but they reject the notion that the government and 
Internet companies are the best stewards of their personal privacy. 
Asked who would do the best job setting those rules, 50% of online 
Americans said Internet users' themselves would be best, 24% said the 
federal government would be best; and 18% said Internet companies would 
be best.
    And they are clear in their gut-level preference for what they 
would like the rule to be: 86% of Internet users say that Internet 
companies should ask people for permission to use their personal 
information. It is important to add that at the time we measured this 
sentiment last spring, we knew that most Internet users would not know 
the intricacies of the policy debate about the different kinds of 
options--opt-in or opt-out or robust-opt-out and everything in between. 
So, we did not pose our questions in a way that would sort out 
Americans' views on these matters. We know they express every way they 
can that they would like to control the process of information 
collection and disclosure.
    Finally, there is also at least one other context in which the 
strong public concern about privacy is tempered by another fear: the 
anxiety about online crime. In a survey in February, we found that 
substantial majorities of Americans were concerned about every kind of 
online crime. As a result, 54% of all Americans (and 60% of Internet 
users) approve of the FBI or law enforcement agencies intercepting 
email over the Internet sent to and from people suspected of criminal 
activities; 34% of all Americans said they disapprove; 12% said they 
don't know. At the same time, 62% of Americans say new laws should be 
written to make sure that ordinary citizens' privacy is protected from 
government agencies.

                          DEMOGRAPHIC CONTEXT

    Concerns about privacy are notably higher among some groups, 
especially Internet novices (those who first got online within the past 
six months), parents, older Americans, and women. In some cases, these 
fears also apply to online African-Americans, Hispanics, and those in 
households with modest income levels. These fears are often associated 
with lower participation in online life and some online activities, 
especially commercial transactions. For instance, one of our surveys 
suggested that those who had the strongest fears about privacy 
violations online were 20% less likely to have shared information with 
a Web site; 15% less likely to have used their credit cards online, and 
15% less likely to have clicked on an ad.
    One of the biggest questions hanging over the Internet is whether 
today's newcomers will eventually act like today's veterans in their 
online behavior and in their beliefs. The veteran population is 
dominated by young, upscale, well-educated, white men. They are much 
more likely than others to say they are unconcerned about their privacy 
being compromised in the online world and much more likely to spend 
money and manage money (through online banking and brokerage 
activities) than other Internet groups. On the other hand, the novice 
Internet population looks a lot more like the rest of America with lots 
of women, minorities, and those from modest-income households, and 
without college educations. The issue is whether this large newcomer 
group, which is more concerned about privacy issues, will feel less 
anxious as time passes and will do more business online.
    We are just getting some preliminary information that suggests 
experience online significantly increases the commercial activities of 
Internet users as well as their willingness to do other trusting 
activities online, such as seeking health information. In March 2001, 
we reinterviewed about 90 Internet users who told us in March 2000 they 
had recently gotten Internet access. In the course of a year of gaining 
experience online, this group showed a 15% increase in the number of 
trusting activities this group had performing online and a nearly 50% 
increase in the commercial activities it had performed online. This is 
too small a group from which to draw strong conclusions, but it 
suggests that experience breeds higher levels of trust.
    Privacy concerns are an even bigger issue to those who do not now 
have Internet access. More than 82 million American adults to not have 
Internet connections and more than half of them say they have no plans 
to get access. One of the major concerns they cite is the danger and 
unreliability of the online world. These worries are most acute among 
older Americans.

                          POLICY IMPLICATIONS

    Internet users would be happier if their online experiences were 
governed by the strong preference to be in charge of their identities. 
They embrace principles of notice, choice, access to information about 
them, and security. Internet users would prefer a different tilt on the 
privacy playing field, where the burden of effort was shifted away from 
them and towards those who want to collect information about them.
    Internet users would surely profit from an industry-led education 
campaign that focused on the mechanics of tracking. Companies would 
gain in users' eyes if they offered a clearer and more convincing 
explanation of the virtues of cookies--specifically, how their use 
enhances users' experiences and makes it simpler and more efficient for 
them to use the Web, and how their use enables advertisers to support 
the vast amount of free content on the Web. Our surveys show that most 
Americans viscerally oppose the ideas of online tracking and profiling 
and they will need a lot of convincing before they accept some of the 
benefits of those activities.
    Finally, users would appreciate more technological tools that would 
give them a sense of control, or at least transparency in letting them 
know what is happening to the pieces of their identity they are 
divulging as they move through Internet space.
  addendum: other significant findings in pew internet project surveys
 86% of Internet users think Internet companies should ask 
        people for permission to use personal information when people 
        give it to them.
 71% of Internet users say they themselves, rather than the 
        government or online businesses, should have the most say over 
        how Internet companies track Web activities,
 54% of Internet users believe that Web sites' tracking of 
        users is harmful because it invades their privacy; 27% say 
        tracking is helpful because it allows the sites to provide 
        information tailored to specific consumers.
 89% of those who seek health information online (we call them 
        ``health seekers'') are concerned that a health-related Web 
        site might sell or give away information about what they did 
        online; 71% are ``very concerned'' about such privacy 
        violations.
 85% of health seekers are concerned that an insurance company 
        might raise their rates or deny them coverage because of the 
        health sites they have visited; 72% are ``very concerned'' 
        about this possibility.
 52% of health seekers are concerned that their employer might 
        find out what health sites they have visited. This ranks 
        comparatively low in part because most health seekers are 
        getting their information online from home.
 60% of Internet users think that putting medical records 
        online is a bad thing, even if the records are on a secure, 
        password-protected site, because they worry about other people 
        seeing their personal information. The rest think it's a good 
        thing because they and their doctors would have easy access to 
        patients' medical records.
 94% of Internet users want privacy violators to be 
        disciplined. If an Internet company violated its stated privacy 
        policy and used personal information in ways that it said it 
        would not, 11% of Internet users say the company's owners 
        should be sent to prison; 27% say the owners should be fined; 
        26% say the site should be shut down; 30% say the site should 
        be placed on a list of fraudulent Web sites.
 Internet users are pretty savvy about at least one privacy 
        safeguard: passwords. Sixty-eight percent of Internet users use 
        different passwords when they register at various Web sites.
 While many are concerned about their privacy online, there is 
        no evidence that the Internet is a more menacing threat to 
        privacy, in most Americans' opinion, than activities in the 
        offline world. That applies, for instance, to credit card 
        information. Of all those Americans who had used their credit 
        card to buy something over the phone, 56% said they worried 
        about someone else getting their credit card number. In 
        comparison, of all those with Internet access who used their 
        credit card to buy something online, 54% said they worried 
        about someone else getting their credit card number.
 Similarly, Americans are just as likely to approve FBI or law 
        enforcement surveillance of criminal suspects' phone calls and 
        postal mail as they are to approve surveillance of suspects' 
        email. Fully 56% of all Americans approve of the FBI or law 
        enforcement agencies intercepting telephone calls to and from 
        people suspected of criminal activities; 55% of all Americans 
        approve of the FBI or law enforcement agencies intercepting 
        letters and packages sent by mail to and from people suspected 
        of criminal activities; 54% of all Americans approve of the FBI 
        or law enforcement agencies intercepting email over the 
        Internet sent to and from people suspected of criminal 
        activities.
 11% of all Americans and 17% of Internet users know someone 
        who was fired or disciplined because of an email they sent or a 
        Web site they went to at work.
 25% of Internet users have been hit by computer viruses. The 
        vast majority of the viruses have been sent to them via email.
 Older Americans are more likely than younger Americans to 
        express concerns about privacy and the Internet. Fully 67% of 
        those between the ages of 50 and 64 years old say they are 
        ``very concerned'' about businesses and people they don't know 
        getting personal information about them or their families, 
        compared to 46% of between 18 and 29.
 81% of those who get health information online would like to 
        have the right to sue a medical company that gave away or sold 
        information in violation of its privacy promises.
 92% of Americans say they are concerned about child 
        pornography on the Internet and 50% of Americans cite child 
        porn as the single most heinous crime that takes place online. 
        In other areas, 87% of Americans say they are concerned about 
        credit card theft online; 82% are concerned about how organized 
        terrorists can wreak havoc with Internet tools; 80% fear that 
        the Internet can be used to commit wide scale fraud; 78% fear 
        hackers getting access to government computer networks; 76% 
        fear hackers getting access to business networks; and 70% are 
        anxious about criminals or pranksters sending out computer 
        viruses that alter or wipe out personal computer files.
 62% of Americans say new laws should be written to make sure 
        that ordinary citizens' privacy is protected from government 
        agencies.
 Among the relatively small number of Americans (21%) who have 
        heard about the FBI's email sniffing program called 
        ``Carnivore'' or ``DCS1000,'' there is much more evenly divided 
        opinion. Forty-five percent of people who have heard of it say 
        Carnivore is good because it will allow the FBI a new way of 
        tracking down criminals. Another 45% say Carnivore is bad 
        because it could be used to read emails to and from ordinary 
        citizens.
 79% of Internet users who did not buy gifts during the holiday 
        season of 2000 said they do not like to send credit card or 
        other personal information over the Internet.

    Mr. Stearns. Mr. Taylor.

                  STATEMENT OF HUMPHREY TAYLOR

    Mr. Taylor. Mr. Chairman, Members of Congress, many thanks 
for inviting me to give this testimony. I am delighted to be 
here. I will slightly abbreviate my written remarks in the 
interest of time.
    Harris Interactive, formerly Lewis Harris and Associates, 
sometimes known as the Harris Poll, has conducted some 30 
surveys on privacy issues over more than 20 years. Many of 
these surveys were done with my friend and privacy mentor, Dr. 
Westin over here, whose knowledge and wisdom and judgment on 
this subject has been invaluable to us.
    In the interest of time, I am going to talk only really 
about privacy on the Internet, and not about the many other 
things we have covered. Because of the need for brevity, 
however, it is important to make three general comments. One is 
that public opinion, as I think Dr. Westin will tell you, is 
not at all homogeneous.
    Second, the public opinion on privacy issues is not stable, 
it changes, and will continue to change. Third, that privacy 
is, as you have said, a very multi-faceted issue covering 
everything from identity fraud and discrimination to 
embarrassment--for example, if it lets people know that you 
have been visiting porno sites--or just plain nuisance from 
being repeatedly spammed.
    We have described privacy as a ``landmine issue'' because 
it is something which may blow up in the faces of people who 
are not expecting it. They are not aware that it is there as an 
issue until it blows up.
    When we ask people to tell us what issues are important to 
them spontaneously, they very rarely mention privacy. It is not 
usually a top-of-the-mind issue. But whenever we ask people 
about the importance of privacy, they almost invariably tell us 
that it is important or very important.
    And, indeed, the public concern about privacy and the 
public perceptions of the importance of privacy and the 
feelings that they have lost control of their privacy have all 
been increasing over the last two decades.
    When somebody does tread on an issue like this and it does 
explode, the potential for public outrage is very substantial, 
and there can be very strong demands for punitive government 
regulations of industries, most of which are entirely innocent 
of any wrongdoing, but where there are a few bad apples in the 
barrel.
    What are the biggest concerns about privacy online? The 
largest numbers in our surveys, between 50 and 65 percent, say 
they are very concerned about Web sites which provide 
information, personal information about them to other 
organizations without their knowledge, Web sites which collect 
information about them without their knowledge, Web sites which 
merge their shopping and browsing habits to develop profiles of 
their behaviors and tastes, and their financial or other 
sensitive information being stolen.
    Now, you should know that the public differentiates quite 
sharply between different companies and different industries 
and different organizations, and that the public is much more 
trusting of some than of others so it depends who you are, and 
clearly trust is something which can be earned and can equally 
easily, or much more easily, be lost.
    I interpret our data as showing that having and displaying 
strong privacy policies is not just something which is ethical, 
but which is something actually good marketing and good 
business, whether or not people actually read them and, in most 
cases, or in many cases, only a small minority of Internet 
users actually read the privacy notices.
    There is clear evidence of the public's willingness to 
trade information, personal information, in return for 
benefits. However, most people have very little idea about how 
companies are now using that information in ways which are 
helpful to them, and they don't therefore see why it is 
necessary to provide that information. But when the use of that 
information is explained to them in terms of specific benefits 
to them, they become much, much more willing to provide it.
    We also see that the use of the Internet over time 
increases trust and decreases concern about privacy because, as 
you just heard, relatively few people have suffered any adverse 
consequences.
    Familiarity with the Internet generally breeds not 
contempt, but comfort and trust. This is also true of the user 
purchasing online and the use of credit cards.
    Finally, what does the public want from government? Well, 
ours and other surveys show that on balance the public doesn't 
have much confidence in government's ability to protect their 
privacy and, indeed, often views them as a greater potential 
threat to their privacy than the private sector. And, ideally, 
people say that it would be better if industry or companies 
could self-regulate to protect their privacy.
    Having said that, our surveys also show that the majority 
of the public favor government regulation to protect their 
privacy because they actually do not believe that the 
industries will self-regulate effectively. In other words, 
there will be enough bad apples in the barrel to make 
regulation necessary.
    We also have information as to the specific things that the 
public wants in the way of protection. Overwhelming majorities 
want people who collect information about them to ask their 
permission before using their personal information for any 
other purpose than it was originally given for. They want the 
companies to explain to consumers what personal information is 
collected about them and how it is used. They want these 
companies to allow consumers to see the information the company 
has stored about them. And they want to be told exactly how 
their sensitive information is secured in both transmission and 
storage.
    Finally, as I said, I think that having good, strong 
privacy protection policies and notices is not only something 
which the public wants, but which is also actually good for 
legitimate business. Thank you, Mr. Chairman.
    [The prepared statement of Humphrey Taylor follows:]

   Prepared Statement of Humphrey Taylor, Chairman, The Harris Poll, 
                           Harris Interactive

                              INTRODUCTION

    Thank you for inviting me to today's hearing.
    Harris Interactive, formerly Louis Harris & Associates (and often 
known as The Harris Poll) has conducted more than 30 surveys over the 
last 23 years on privacy issues for clients such as IBM, Equifax, The 
Privacy Leadership Initiative, The Wall Street Journal, Business Week, 
and the National Consumers League. Many of these surveys were done with 
the invaluable advice of my privacy mentor, Dr. Alan Westin. I should 
note that Harris Interactive conducts many research projects using the 
Internet, that we have strong privacy protection for our respondents, 
and that we are member of the Privacy Leadership Initiative (PLI). 
However, today I speak only for myself. My opinions are not necessarily 
those of anyone else.
    Much of this research, relating to issues such as direct mail, 
consumer databases and marketing generally, in relation to credit, 
insurance, medical records, employment, telecommunications, law 
enforcement and the Census for example, had nothing to do directly with 
the Internet. In my brief time today, I will try to give you the big 
picture of what we found in our research about privacy on the Internet, 
and not mention the many other privacy issues we have addressed in our 
research.
    Because of the need for brevity, three words of caution are 
necessary:

1. Public opinion--as I hope Alan Westin will tell you--is not at all 
        homogeneous.
2. Public opinion is not stable. It has changed and will continue to 
        change.
3. Privacy is a multi-faceted issue involving everything from identity 
        fraud and discrimination or embarrassment to minor annoyances.
              how important is privacy online as an issue?
    I have often described privacy as a ``landmine issue.'' It is only 
rarely mentioned spontaneously by the public as a ``top of mind'' issue 
but, when asked about privacy, large majorities of the public say it is 
an important issue, that they do not believe their privacy is 
adequately protected and they are very concerned about it. We use the 
word ``landmine'' because we believe privacy can very quickly become a 
major issue based either on bad personal experience or on negative 
media coverage of offensive violations of privacy. (This is what 
happened with credit ratings.)
    When this happens public outrage can grow rapidly and support 
strong, even punitive, government regulations of industries most of 
whose members are blameless.

        WHAT ARE PEOPLE'S BIGGEST CONCERNS ABOUT PRIVACY ONLINE?

    The largest number of online users are ``very concerned'' that:

------------------------------------------------------------------------

------------------------------------------------------------------------
Websites will provide personal information about them to          64%
 other organizations without their knowledge...............
Websites will collect information about them without their        59%
 knowledge.................................................
Websites will merge their shopping and browsing habits to         53%
 develop profiles of their behavior and tastes.............
Their financial, or other sensitive information, will be          53%
 stolen....................................................
------------------------------------------------------------------------

  THE PUBLIC DIFFERENTIATES BETWEEN DIFFERENT COMPANIES AND DIFFERENT 
                               INDUSTRIES

    Several surveys have shown that the public is much more trusting of 
some industries and of some companies, than of others. This trust must 
be earned--and can easily be lost. Having, and displaying, strong 
privacy protection policies is one factor consumers use to 
differentiate between them.
                       what online consumers want
    Very large majorities of online users think it is ``absolutely 
essential'' or ``very important'' that sites:

------------------------------------------------------------------------

------------------------------------------------------------------------
Ask consumers permission before using their personal              94%
 information for any other purpose than it was originally
 given for.................................................
Explain to consumers what personal information is collected       87%
 about them and how it is used.............................
Allow consumers to see the information the company has            82%
 stored about them.........................................
Tell consumers exactly how their sensitive information is         82%
 secured in transmission and storage.......................
------------------------------------------------------------------------

  PRIVACY CONCERNS INFLUENCE ONLINE ACTIVITY, PARTICULARLY PURCHASING 
                                 ONLINE

    While concerns about privacy are only a modest barrier to the use 
of the Internet and the Web, they do inhibit it. This is particularly 
true of the public's reluctance to purchase goods or services online 
and to use credit cards to do so.

      THE IMPACT OF STRONG PRIVACY PROTECTION POLICIES AND NOTICES

    Many of those who are unwilling, or reluctant, to use the Internet 
and in particular to purchase products and services online, say they 
would be much more likely to do so if companies had strong privacy 
protection policies and displayed them prominently. This willingness to 
do business with such companies increases even more when respondents 
believe that such policies are observed and enforced.
    Having, and displaying, strong privacy policies is good marketing 
and good business, whether or not people actually read them (only a 
modest minority of Internet users do so regularly).

       THE PUBLIC'S WILLINGNESS TO TRADE INFORMATION FOR BENEFITS

    Many people do not seem to have much understanding of how companies 
who are selling financial services or other goods or services use 
information about consumers to target their sales efforts to those who 
are most likely to buy them. As a result, they do not see why they 
should provide the information.
    However, when the use of the information, and benefits to 
consumers, are explained to them they become much more willing to 
provide it.
    In other words, many people who are initially reluctant to provide 
personal information are willing to do so when this is seen to be of 
some benefit to them.

   USE OF THE INTERNET INCREASES TRUST AND DECREASES CONCERNS ABOUT 
                                PRIVACY

    Familiarity with the Internet generally breeds comfort and trust, 
not contempt. The more people use the Internet without suffering 
adverse effects, the less they are concerned that their privacy might 
be violated. This is true of online purchasing and credit card use.

               WHAT DOES THE PUBLIC WANT FROM GOVERNMENT?

    On balance, the public trusts the government rather less than it 
trusts business to protect its privacy. Ideally people would prefer 
that industries adopt sound privacy protection policies to having 
government regulation. However, substantial majorities of the public 
believe government regulation to protect consumer privacy on the 
Internet is necessary, presumably because they do not believe that 
self-regulation will be successful. Absent adequate legal protection, 
people seem to believe that consumer protection will be abused.

    Mr. Stearns. Thank you.
    Dr. Westin, welcome.

                   STATEMENT OF ALAN F. WESTIN

    Mr. Westin. Mr. Chairman and members of the subcommittee, I 
am appearing today at your invitation as a long-time privacy 
expert. Some people think my first article on privacy was 
published the same year as Lewis Brandeis' in the Harvard Law 
Review but, of course, his was in 1890, mine was in 1952, so 
that gives me about 50 years of pioneering with the privacy 
issue, endlessly fascinating. Also, I appear as someone who, 
for his sins, has participated as the Academic Advisor in 45 
national surveys of the American public and leadership groups 
on privacy, starting in 1970.
    I think it helps to start by recognizing that surveys are a 
complex blend of art, science and advocacy, and whenever you 
get survey findings you always have to, as I am sure Members of 
Congress alone are accustomed to do, take a careful look at how 
the questions are framed and the order in which they are 
presented, and the kind of sample, and also the sponsors and 
what their perspectives are.
    So, with that background, the subcommittee asked me to 
address three questions and to give my view as to what the 
surveys--not only my own, but my organization, Privacy and 
American Business, has literally 120 national surveys on 
privacy in our library--some excellent, some poor, mixed bag, 
and I did do a review of a lot of them in order to answer the 
three questions which the counsel asked me to address.
    First, has there been a transformation of consumer privacy 
attitudes over the past decade? And I think good surveys tell 
us absolutely ``yes.'' That whereas once only about a third of 
the American public expressed any concern about threats to 
their privacy, we now have nine out of ten Americans saying 
they are concerned about the potential misuse of their 
information and threats to their privacy in America today, and 
what is important is, 77 percent expressed themselves as very 
concerned.
    Equally important, we find that there is a new wave of what 
I call ``privacy assertive behavior'' on the part of American 
consumers. Three out of four, 78 percent, report that they 
refuse to give information to businesses because they felt it 
was too personal and not really needed by the businesses, and 
over 80 percent think businesses collect too much personal 
information for the services they provide.
    Majorities tell us that they have declined to patronize 
companies that they thought were going to misuse their 
information or create profiles about them.
    We also know that when people are given a list of reasons 
why they are not on the Internet or why they are not buying on 
the Internet, majorities say that privacy is the single, most 
important reason for that behavior.
    At the same time--this is what makes privacy such an 
interesting issue--American consumers, by large majorities, 
want all the benefits and opportunities of a consumer service 
society and of a market-driven social system. As long as you 
give them proper notice and choice, more than three out of four 
respondents again and again say it is all right for the 
businesses they patronize to look at their transactions and 
their interests, and to communicate with them things that they 
think will be of interest to them.
    So, we have concern about privacy, but also a desire to 
enjoy the benefits of a consumer society, and the question is, 
how do Americans divide in those balances between those two 
values?
    Over the years, surveys that I have done with Harris and 
with Opinion Research Corporation have produced a profile of 
three segments of the American public. First, you have what we 
call ``Privacy Fundamentalists,'' about 25 percent of the 
public. These are people intensely concerned about privacy, who 
generally will reject benefits offered to them by business or 
will be skeptical about government's need for information, and 
will want to see legislation to control business collection and 
use of personal information.
    At the opposite end, you have what I call the ``Privacy 
Unconcerned,'' used to be 20 percent but now it is down to 12 
percent, who really don't know what the privacy issue is all 
about. I like to think that for 5 cents off, they will give you 
any information you want about their family, their lifestyle, 
their travel plans, and so forth.
    In between are what we call the ``Privacy Pragmatists,'' 
and that is 63 percent which represents approximately 126 
million American adults and, essentially, they go through a 
very structured process when concerned with their privacy.
    First, they want to know what is the benefit to them as a 
consumer if their personal information is provided or if they 
give it, what is collected about them.
    Second, they want to know what privacy risks they run if 
the information is collected and used.
    Third, they look to see what safeguards the company or the 
industry offers to protect them against those risks.
    Finally, and most important, they ask do they trust you, do 
they trust the company or the industry, and if they want the 
benefit and they are worried about the risks but they don't 
trust the company or the industry, then they want legislation 
to protect them and a governmental role of oversight and 
implementation.
    Second question the committee asked me to address is, do we 
understand what are the driving sources of these privacy 
attitudes which all the witnesses are reporting? I think good 
surveys tell us a great deal about that.
    My own work suggests that there is a correlation between 
the distrust level of American consumers and citizens and their 
attitudes on privacy. We have a ``distrust index'' that 
measures people's attitudes toward government, voting, the 
business community, and technology, and when people score high 
in distrust, they tend to take the strongest ``privacy 
attitude,'' and when they have low distrust or even no 
distrust, then they tend to be much more accepting of 
information collection and its use.
    But when you dig down at a deeper level, I think privacy 
has three components that the surveys truly illuminate. First 
is what I call ``anti-intrusion.'' People are hostile to 
unwanted mail and especially to telemarketing. Seventy-eight 
percent of respondents are angry about telemarketing to them 
without their consent.
    Second element is ``anti-manipulation.'' People fear that 
profiles are going to be collected about them that will allow 
the kind of hidden persuader type of marketing we associate 
with Vance Packard and the Naked Society and the other anti-
manipulation themes.
    Third, they worry about discrimination, that information 
will be collected and secretly used through credit scoring or 
algorithms that they don't know about in order to decide 
whether they get credit or insurance or whether they are 
employed.
    I think those three are components of what the privacy 
concern is all about.
    More recently, we have some new elements that are in some 
ways even more powerful. First is the Internet leads people to 
make astounding self-revelation, if you think about it. People 
are going to places and looking at things and revealing things 
about themselves that has no precedent really in Western 
history in terms of self-revelation and communication. And 
people are worried about tracking or hacking them in terms of 
that kind of experimental and revelatory behavior.
    Second, people are concerned about identity theft. Another 
survey I did found that one out of five households in America 
report that a victim in their household has been the object of 
identity theft.
    Finally, what do consumers want? I think good surveys 
indicate that what consumers want is systems for informed 
privacy choices to be implemented and enforced. Majorities 
think it would be better if business did this, but they are 
ready and anxious that government step in if business fails to 
do so or if there is outlaw behavior.
    We know that a majority of the American public does not 
favor the European Union style of omnibus national privacy 
legislation and a national privacy regulatory agency, but when 
it comes to sensitive information such as financial information 
or health information, overwhelming majorities are looking to 
legislative protections to set the rules and the standards for 
that kind of activity.
    We also know that in terms of where Congress is going, 
large majorities would like to see Congress pass anti-spam 
legislation, would like to see genetic privacy legislation 
enacted, and that some kind of framework legislation for online 
privacy is heavily favored.
    Let me close, though, by noting that surveys are not a very 
good way to write legislation. Surveys are a dun to the general 
public, they are not policy wonks, they can't get down into the 
guts and details of good legislation. Also, we are really just 
opening up some meaningful debate about what the costs and 
dislocations of some of the proposals for online privacy 
legislation would bring to the fore. And I think it is going to 
take a lot of legislative wisdom and expert input to get to 
good legislation.
    What the surveys tell us is that the overwhelming majority 
of the American public is looking for systems of protection, 
but crafting good legislation is not something you should look 
to surveys for much help on.
    [The prepared statement of Alan F. Westin follows:]

    Prepared Statement of Alan F. Westin, Professor of Public Law & 
 Government Emeritus, Columbia University, and President, Privacy and 
                           American Business

                           EXECUTIVE SUMMARY

    This testimony is based on my experience as the academic advisor to 
45 national privacy surveys between 1979 and 2001, and my analysis of 
more than 120 privacy surveys held in the Privacy & American Business 
survey library. I am answering questions posed by the subcommittee as a 
political scientist and privacy expert.
    1. There has been a well-documented transformation in consumer 
privacy attitudes over the past decade, moving concerns from a modest 
matter for a minority of consumers in the 1980s to an issue of high 
intensity expressed by more than three-fourth of American consumers in 
2001. In addition, a majority of consumers has become quite privacy 
assertive in their relations with businesses, making decisions on who 
to use and what information to provide based on their own privacy 
judgments.
    2. But US consumers also want the benefits of a consumer-service 
economy, and they are not monolithic in their privacy views. Tracked 
across the past decade, they divide into three segments with very 
different general approaches to privacy views and tradeoffs--a high, 
medium, and low privacy perspective described in the main testimony. 
About 125 million American adults fall into the moderate--Privacy 
Pragmatist--category. How to merit and secure the trust of this group 
should be the focus of businesses and lawmakers alike.
    3. The driving factors behind high privacy concerns stem from high 
levels of distrust of institutions and the fears of technology abuse. 
Privacy concerns are centered on intrusions, manipulation, and 
discrimination; on special concerns about third parties capturing the 
sensitive self-revelations users are making on the internet; and on 
consumer concerns about identity theft and stalking through capture of 
personal information.
    4. The great majority of consumers favor a notice and choice 
approach to privacy policies. They hope that business will do this well 
but stand ready to invoke government intervention if business fails. 
For especially sensitive types of information--financial and health--
and for online protection, large majorities favor legislative 
standards. However, surveys generally do not offer much useful data, on 
the details of such legislation, since consumers are not policy wonks, 
and the debates over costs and economic dislocations in adopting 
policies such as ``all-opt-in'' are just beginning in to be heard in 
the legislative chambers.

Three Subcommittee Questions
    The Subcommittee has asked me to present a critical analysis of 
privacy surveys published over the past decade, offering my views on 
three questions. Has there been a transformation of the privacy 
concerns of American consumers in the Internet age? If so, what are the 
sources of this development? And what do these concerns suggest about 
legislative choices on privacy protection?
    My perspective in responding is that of a political scientist and 
privacy expert (author of Privacy and Freedom, 1967) who has been the 
academic advisor to 45 national public and leadership surveys on 
privacy since 1970 that were sponsored by a wide variety of 
foundations, government-research agencies, and business organizations. 
(A short bio has been provided in Appendix One, along with a Selected 
List in appendix Two of the privacy surveys on which I have been the 
academic advisor.) Since the 1970's, I have been presenting the results 
of my privacy surveys to Congressional committees, the FTC and FCC, and 
various Federal Executive Agencies.
    At the outset, of course, legislators should recognize that 
contemporary survey research is a complex blend of art, science, and 
advocacy. No one should accept ``survey findings''--on privacy or any 
other social or political issue--without examining the content and 
order of the questions, the representativeness of the sample, and the 
perspectives of the sponsors.
    Based on my reading of the solid surveys within a larger pool of 
over 120 U.S. privacy survey reports collected in the Privacy & 
American Business library, I believe these offer useful answers to the 
questions posed by the Subcommittee:

1. Has There Has Been A Transformation In Consumer Privacy Attitudes 
        Over The Past Decade? Definitely yes.
    Surveys show that today nine out of ten Americans are concerned 
about the potential misuse of their personal information; three fourths 
of them (77%) say they are now ``very concerned.'' Even more 
significantly, a majority of American consumers have become privacy-
assertive. They are refusing to give their personal information to 
businesses when they feel it is too personal or not really needed, 
asking not to be marketed to, and declining to patronize a business 
because of uncertainty about how their personal information would be 
used. Concern about privacy is the single most cited reason Net users 
give for not making purchases and for non-Net-users declining to go 
onto the Net.
    At the same time, however, surveys show that most consumers want 
the opportunities and benefits of our consumer-service and marketing-
driven society. With proper notice and choice, more than three out of 
four consider it acceptable that businesses compile profiles of their 
interests and communicate offers to them.
    Further, consumers continue to divide into three basic segments 
that my surveys have been tracking since the early 1990's, when it 
comes to overall consumer privacy preferences. these are Privacy 
Fundamentalists (25%), who reject offers of benefits, want only opt-in, 
and seek legislative privacy rules; Privacy Unconcerned (now down to 
12% from 20% three years ago), who are comfortable giving their 
information for almost any consumer value; and--the most important 
group for Congresspersons to understand--the Privacy Pragmatists (63% 
or 125 million strong). Privacy Pragmatists ask what's the benefit to 
them, what privacy risks arise, what protections are offered, and do 
they trust the company or industry to apply those safeguards and to 
respect their individual choice. How to create conditions of trust for 
the Privacy Pragmatists is the challenge for businesses and law-makers 
alike.
    Overall, surveys show that privacy now scores as one of the top 
consumer and social-policy issues in the U.S., especially intense among 
women, a strong concern of both conservatives and liberals, and a 
political imperative for both Republicans and Democrats.

2. Do We Understand The Driving Sources Of This Transformation? Yes, We 
        do
    Consumers report that their views on privacy do not come solely 
from what they read or hear in the media but strongly reflect their own 
personal experiences and those of family and friends. As far as driving 
factors, my surveys since 1978 have shown that the higher a 
respondent's general distrust of institutions and fears of technology 
abuse by organizations, the greater will be the concerns about privacy. 
We also know that ``privacy'' in the consumer-business relationship has 
three components expressed by survey respondents: anti-intrusion 
(against unwanted mail or telemarketing); anti-manipulation (against 
compiling profiles that allow ``hidden persuader'' marketing); and 
anti-discrimination (against secret standards being used for making 
consumer risk-assessments, as for credit or insurance).
    Three additional underlying factors fueling current high privacy 
concerns have been documented in surveys: (a) fears about tracking or 
hacking the unprecedented self-revelation that most Internet users 
engage in (with email, forums, information-seeking, and purchasing); 
(b) concerns about tangible and serious harm from identity theft, 
through capture of consumer's personally-identifying information, and 
(c) fears, especially by women, of stalkers or child-predators gaining 
location information from either public-record sources or Internet 
communications.

3. So, What Do Consumers Want? Systems for Informed Privacy Choices, 
        Implemented and Enforced.
    In general, majorities of consumers think it would be best if 
businesses put good privacy policies in place voluntarily, and saw to 
their wide implementation; if they fail to do so, consumers want law to 
step in.
    Organizational surveys in 2000-2001 show that a majority of 
American businesses have--at last--gotten the message that most 
consumers really care, and will make decisions to assert their 
interests on the basis of privacy. Surveys of business conduct on and 
off the Net show most businesses are now adopting meaningful privacy 
policies, and a majority of consumers say in public surveys that they 
think this is happening. Surveys have also shown that a majority of the 
American public does not favor a European-Union-style omnibus national 
privacy law and a national data protection regulatory agency.
    There are some new issues we have yet to test in surveys but are 
beginning to do. A survey that Privacy & American Business is now 
putting in the field, for example, asks consumers whether they think 
that the appointment of Corporate Privacy Officers (CPOs) by companies 
is a positive development, what consumers want CPOs to do, and whether 
such institutionalization of privacy responsibility in individual firms 
would enhance consumer confidence in such companies.
    However, it is clear that where especially sensitive consumer 
information is being collected and exchanged today--in the financial 
and health areas in particular--surveys show the public wants to see 
legal privacy-protection rules enacted and enforcement actively 
pursued. Reflecting that overwhelming sentiment, Congress included 
Title V in the Financial Modernization Act of 1999 and both Presidents 
Clinton and Bush supported the health privacy regulations of HIPAA. 
Surveys showing overwhelming Net-user hostility to spam will, and in my 
judgment should, lead Congress to pass anti-spam legislation at this 
session. Similar survey results showing strong public opposition to 
uses of genetic information for employment or health-insurance purposes 
suggest that well-designed legislation here would be responsive to the 
public's deep concerns.
    As for online privacy legislation, surveys show strong majorities 
favoring ``action'' by Congress to set framework rules. But general-
public surveys do not provide good data on what kind of online privacy 
legislation consumers would support, since the public is not made up of 
policy wonks and the key policy issues lie in the legislative details. 
Debates are just developing on what true costs and market dislocations 
would be created by some of the sweeping, ``all-opt-in'' proposals for 
online privacy legislation, and these remain to be tested--if indeed 
they can be--through survey methods.
Summing Up
    A decade of extensive survey research, much of it solid and 
credible, documents a steadily rising rational and justified public 
demand to set new, privacy-protecting rules for collection and use of 
consumer personal information by businesses. The work of this decade. 
among survey researchers and Congresspersons alike, is to discover what 
will persuade the 125 million American Privacy Pragmatists that we have 
the right blend of business initiatives and legal oversight for good 
consumer information relationships with business.

    Mr. Stearns. Thank you.
    Dr. Newport.

                   STATEMENT OF FRANK NEWPORT

    Mr. Newport. Good morning, Mr. Chairman, members of the 
committee. I appreciate having this opportunity to review with 
the subcommittee the findings of our Gallup polls relating to 
privacy over the Internet.
    Although there are concerns about privacy that relate to a 
wide variety of settings in today's society, my testimony today 
will focus on concerns relating to personal information and use 
patterns of the Internet.
    Our data suggest that roughly 50 to 55 percent of adult 
Americans say they use the Internet on a regular basis either 
at home, work or at school, and it is this population that I 
will be referring to in the rest of this very brief testimony.
    One key question that we asked Internet users in one poll 
last fall that is particularly germane to this subcommittee is, 
``What is the role of the Federal Government in these 
matters?'' The response of about half of our Internet users 
said that the Federal Government should be ``paying more 
attention to matters of Internet privacy.'' About a third said 
that what the Federal Government was doing now was about right. 
And--and this relates to what Representative Doyle, I think, 
mentioned just briefly in his introductory remarks--about 13 
percent, a relatively low number, said that the Government 
should, in fact, be paying less attention to matters of 
Internet privacy.
    We obtained roughly the same answers when we asked in a 
slightly different way if the Federal Government should do more 
or less to ensure citizens' privacy online. In this case, 
however, only 6 percent said that the Government should do 
less. That same rough number, about half, said the Government 
should ``do more,'' and 40 percent said what the Government was 
doing now was about right.
    The interpretation of these types of responses, for myself 
and ourselves at the Gallup Poll, is a challenge in part 
because this is a new area of research. We have very little 
trend data. It is not a question about Internet privacy and 
what the Government should be doing that Dr. Gallup was asking 
back in the 1930's and the 1940's, obviously, so we can't go 
back in time and see whether that is relatively high or 
relatively low. It is tough to place the current sentiment in 
the context of historical patterns, and we also have few pre-
existing hypotheses against which we are testing the data.
    Now, we do know that roughly half of Internet users say 
that they are very concerned about the ``privacy of personal 
information you give out on the Internet, as well as privacy 
regarding what you do on the Internet.'' Another three in ten 
are somewhat concerned, meaning that only about 20 percent, 
echoing what we have been hearing, say that they are not 
concerned.
    But, on the other hand--and I think this is a very 
important point--the issue itself does not appear at this point 
to be highly salient to Internet users. Just about 16 percent 
in our poll last fall said that they were following issues 
related to privacy of personal information and use patterns on 
the Internet very closely, half said that they were not 
following the issue closely at all--and, again, this sample was 
a sample of those who told us that they regularly use the 
Internet. In a way, I think this goes back to Mr. Rainie's 
testimony that at this point most people have not had a major 
privacy concern and therefore it is not a very highly salient 
issue.
    Our overall conclusion is that this is an issue which is of 
significant potential concern--I would underscore the word 
``potential''--but one which has not yet moved to the point 
where it is currently a front-burner problem to many Americans 
who regularly use the Internet. As my colleague, Humphrey, 
said, we do not find it hardly at all in our most important 
problem questions when we ask Americans what it is that are 
burning concerns on their mind at this point.
    We can be a little more specific. In one poll last fall, we 
gave our respondents six different dimensions of Internet 
privacy and asked which ones they were most concerned about. 
Interestingly for the subcommittee, at the top of the list were 
concerns about the Government being able to tap into Internet 
email. Sixty-three percent of Internet users said they were 
very concerned about this issue, putting it No. 1 out of the 6 
that we tested. Second was the issue of large, online data 
bases,. Sixty percent said they were very concerned about that 
issue. There was less concern about the Government's ability to 
tap into suspects' computers, and at the bottom of our list, 
relatively less concerned about Internet advertisers who gather 
marketing information about people who click on ads and 
corporate Web sites which gather marketing information about 
consumers by tracking their habits. The percentage of Americans 
were very concerned about all of these issues ranges from 
roughly 43 to 63 percent.
    In summary, I would repeat that in our opinion the issue of 
Internet privacy is not one of the greatest concerns to 
Internet users today, but one which has the potential--and I 
heard the word ``landmine'' used a moment ago, which seems a 
reasonable term to use--to be a significant perceived problem 
in the years ahead. It is not a problem at this point which a 
lot of consumers have had trouble with, and therefore is not 
one which comes readily top-of-mind when you stop Internet 
users on the street, figuratively speaking, and ask what it is 
that is a pressing concern to them at this point.
    In terms of what the Federal Government should be doing, 
remedies and actions, as mentioned, about half of the Internet 
user population said the Government should get more involved. 
On a relative basis, this does not put this high on the list, 
in our opinion, of priorities that the average American or even 
average Internet user has for the Federal Government.
    One last point. Our polls show--and we did ask Americans 
this--that when asked which political party would do a better 
job handling this issue, it came to almost an absolute tie 
between Republicans and Democrats. So, at this point, at least 
as of last fall, it was not perceived as a highly partisan 
issue in terms of who would do the better job of trying to 
address these issues. Thank you.
    [The prepared statement of Frank Newport follows:]

 Prepared Statement of Frank Newport, Editor-in-Chief, The Gallup Poll

    Mister Chairman, members of the committee, and guests.
    I appreciate having this opportunity to review with the 
Subcommittee on Commerce, Trade and Consumer Protection the findings of 
our Gallup polls relating to privacy over the Internet.
    Although there are concerns about privacy that relate to a wide 
variety of settings in today's society, my testimony today focuses 
exclusively on concerns relating to personal information and use 
patterns of the Internet.
    Our data suggest that about 53% of adult Americans use the Internet 
on a regular basis either at home, work or at school. It is to this 
population that I will be referring in the rest of this testimony.
    One key question we asked Internet users in our poll last fall 
related to the role of the Federal government in these matters. About 
half of Internet users said that the Federal government should be 
``paying more attention to matters of Internet'' privacy. About a third 
said that what the federal government was doing now was about right, 
while 13% said that the government should in fact pay ``less 
attention'' to matters of Internet privacy.
    We obtained roughly the same answers when we asked in a slightly 
different way if the federal government should do more or do less to 
ensure citizens' privacy on line. In this case, however, only 6% said 
that the government should do less. Half said ``do more'' and forty 
percent said what the government was doing now was about right.
    The interpretation of these types of responses is a challenge. In 
this particular situation, we have no trend data. This is the first 
time we have asked about Internet privacy in this fashion, and 
therefore we cannot place the current sentiment in the context of 
historical patterns. We also have few pre-existing hypotheses.
    We do know that roughly half of Internet users say that they are 
very concerned about the `privacy of personal information you give out 
on the Internet, as well as privacy regarding what you do on the 
Internet''. Another three out of ten are somewhat concerned, meaning 
that only about twenty percent say they are not concerned.
    But, on the other hand, the issue itself does not appear to be 
highly salient to Internet users. Just about 16% said in our poll last 
fall that they were following issues relating to privacy of personal 
information and use patterns on the Internet very closely, while about 
half said that they weren't following the issue closely at all.
    Our conclusion is that this is an issue which is of significant 
potential concern, but one which has not yet moved to the point where 
it is a currently front-burner problem to many Americans who regularly 
use the Internet.
    We can get a little more specific. We gave our respondents six 
different dimensions of the Internet privacy issue and asked them to 
rate their concern over each.
    At the top of the list are concerns about the government being able 
to ``tap'' into Internet e-mail. For whatever reason, some 63% of 
Internet users are ``very concerned'' about this issue. Second in the 
list comes the issue of ``large online databases which publish 
telephone directories, property tax information, legal information and 
other publicly available records which allow database subscribers to 
investigate the lives of ordinary Americans''. Sixty percent of 
Internet users are very concerned about this issue.
    There is somewhat less concern about the government's ability to 
``tap'' into suspects' computers, and still less concern about Internet 
advertisers gathering marketing information about people who click on 
their ads, and corporate websites which gather marketing information 
about consumers by tracking their habits.
    Although the percentage of Americans who are ``very'' concerned 
about these issues ranges from 43% to 63%, most of the rest say that 
they are at least ``somewhat'' concerned. Relatively few web users say 
that they are not too or not at all concerned.
    In summary, I would say that the issue of Internet privacy is not 
one of the gravest concern to Internet users today, but one which has 
the potential to be a significant perceived problem in the years ahead. 
In terms of specific governmental remedies and actions, about half of 
the Internet user population feels that the federal government should 
get more involved, but most of the rest think that the government is 
doing today is just about right.
    One last point. Our poll shows that Americans have no preconceived 
notion as to which political party will do a better job handling this 
issue.
    Thank you.

    Mr. Stearns. Thank you.
    Dr. Bauman.

                   STATEMENT OF SANDRA BAUMAN

    Ms. Bauman. Thank you, Mr. Chairman and honorable Members, 
for the opportunity to speak before you today. My name is 
Sandra Bauman. I am a Vice President at Wirthlin Worldwide, a 
30-plus-year-old international public opinion research and 
consulting company with headquarters in McLean, Virginia.
    It is an honor to speak with you today about the research 
we have conducted regarding information privacy. Let me first 
start by acknowledging that in some sense Americans are 
generally concerned about how companies are using their 
personal information. What they fear most is that somehow their 
personal information will get into the wrong hands and cause 
them some harm, such as hurting their credit history or having 
their identity stolen. At the same time, consumers also 
understand that in order to get information or complete a 
transaction, they need to give some information. Whether it be 
online or distance shopping, consumers are willing to give 
personal information that is deemed necessary for a particular 
transaction, rather than some possibly sensitive personal 
information that doesn't seem necessary or relevant.
    This is intuitive, of course. The challenge is to 
understand what types of information are more sensitive and 
what types of information customers deem necessary to that 
particular transaction. If we were to generically ask in a 
poll, ``Are you concerned about your privacy?'' of course a 
majority would say yes because there is no context. Why 
wouldn't you be concerned about your privacy? It depends on why 
it is necessary to share information in the first place.
    Different situations may require different types of 
disclosure of personal information. Consumers may be very 
comfortable providing a specific piece of information in one 
context, yet uncomfortable providing that very same piece of 
information in another context.
    At Wirthlin Worldwide, we have conducted a great deal of 
opinion research in the recent years on the subject of privacy, 
most of which is proprietary to a number of different clients, 
but last year we conducted a multi-phase, in-depth qualitative 
study, including several focus groups and 85 in-depth one-on-
one values-based laddering interviews. The interviews were 
designed to provide a thorough, in-depth understanding of the 
general public's attitudes about privacy issues by uncovering 
their perceptions of the direct marketing industry and related 
industries at both rational attribute and benefit levels, and 
emotional and values levels. These interviews are very in-
depth. They last on average 2 hours each.
    Findings from these qualitative studies and generally from 
our experience in our 30-year history indicate that people make 
choices and form opinions based on closely held personal 
values. The rational elements of decisionmaking process are 
important in supporting the emotional components that they tap 
into.
    As individuals feel protected and that they have control, 
the physical benefits from sharing information satisfy 
emotional needs. In fact, we summarize the way people think 
about the need to provide personal information similarly to how 
the panelists articulated it today: I want to give what I want 
to give when I want, and I want to get what I want when I want. 
In other words, consumers are willing to part with information 
they perceive necessary to commence or complete a transaction 
of their choice, as long as their values of control and safety 
are intact.
    Most recently, we conducted a nationwide telephone study to 
obtain an up-to-date picture of how the public is viewing 
privacy issues. Our survey was conducted late last week and has 
a margin of error of about 4 percentage points.
    We found that there are categories of information that 
consumers are willing to share in order to conduct a 
transaction, and other information they believe should never be 
shared, which you can see on the chart here to your right. It 
is also in your materials.
    For example, the majority of people say they are never 
comfortable sharing their Social Security number, financial 
information, medical information, or information about their 
children. These types of information are deemed sensitive and, 
therefore, individuals are less likely to share information 
which falls into the category of ``not necessary'' or ``none of 
your business.''
    Conversely, people are usually comfortable revealing their 
gender, age, education, occupation, hobbies and interests, and 
how they heard about a particular company.
    There are actions businesses can take to further satisfy 
consumers' needs for safety and control of personal 
information. A second chart here to your right. For example, 
our study finds that 6 in 10 consumers are more confident in 
sharing their personal information, knowing that they can opt-
out of direct marketing and telemarketing lists. Three-quarters 
tell us they are more supportive of allowing industry to 
address the use of personal data knowing that the opt-out 
policy is in effect. Other things that comfort consumers are 
using technology to prevent identity theft, restricting access 
to medical and financial data for marketing purposes, and 
communications campaigns about highlighting consumer rights and 
privacy protections. If businesses champion a series of safety 
and security measures, consumers would have a better sense of 
control and feel that by providing personal information they 
have made a smart choice, saving themselves time and money.
    The Internet, which is still a relatively new medium, is 
not completely understood by the public, even by many users. 
Most aren't sure exactly how it works. They know it is a 
communications tool, they can receive information, provide 
information, but they don't know when information travels over 
the Internet where it goes and who is at the other end. It is 
this fear of the unknown that raises the level of skepticism 
for many consumers and reduces their feelings of control.
    For example, most people will provide their credit card to 
a stranger to process a transaction at a traditional business 
or restaurant without concern for their personal credit data. 
These practices have a tradition of being secure and are 
therefore widely accepted by consumers. The same is true for 
catalog purchases. Of 11 factors that are important to a 
purchase decision, concern over privacy of personal information 
or credit card information rank 9th and 10th out of a list of 
11.
    With a new medium such as the Internet, consumers' level of 
comfort is tied to their experience. Our research shows that as 
people have positive experiences with Internet commerce, their 
level of skepticism is diminished. Over time, as more and more 
people experience Internet commerce, the unknown nature of the 
medium will fade as it becomes part of our daily lives.
    In summary, companies that voluntarily enact good privacy 
policies, ones that are easily understood by everyday 
consumers, can help comfort consumers that their information 
will not be abused. Industry can achieve this effectively by 
engaging in self-regulating policies concerning the collection, 
use, storage and exchange of personal information. Thank you.
    [The prepared statement of Sandra Bauman follows:]

        Prepared Statement of Sandra Bauman, Wirthlin Worldwide

    Americans are generally concerned about how companies who collect 
personal information use the information. What they fear most is that 
somehow this personal information they share gets into the wrong hands 
and some harm comes to them, such as having their identity stolen. At 
the same time, consumers understand that in order to get information, 
they need to give information. That said, in order to conduct a 
transaction, whether it be online or distance shopping, they are more 
willing to give personal information that is deemed necessary for that 
transaction, rather than some possibly sensitive personal information 
that doesn't seem necessary.
    This is intuitive, of course. The challenge is to understand what 
types of information are more sensitive and what types of information 
customers deem necessary to a transaction. If we were to generically 
ask in a poll: ``Are you concerned about your privacy?,'' of course a 
large percentage would say yes because it is taken out of context in 
terms of why the information was necessary to share in the first place. 
Different situations may require different types of disclosure of 
personal information.
    Wirthlin Worldwide has conducted a great deal of opinion research 
in the past three years on the subject of privacy (most of which is 
proprietary to a number of different clients), but in the aggregate as 
we drill down into what the consumer receives in returnfor the sharing 
of personal information ``both from the internet transactions and 
direct shopping--the picture is painted differently than what some 
would have you think.
    In March 2000, we conducted a multi-phase qualitative study on 
privacy. Our approach began with four group discussions in 
Philadelphia, PA and Grand Rapids, MI, which were designed to uncover 
initial impressions of the public's attitudes toward privacy issues. 
Following these group discussions, we conducted a total of 85 in-depth 
one-on-one values-based laddering interviews. These interviews were 
designed to provide a thorough, in-depth understanding of the general 
public's attitudes about privacy issues by uncovering respondent's 
perceptions of the direct marketing industry at both the rational and 
emotional level. These interviews lasted approximately 2 hours and were 
conducted in New York, NY, Chicago, IL, Los Angeles, CA and Washington, 
DC.
    Most recently, we conducted a nationwide telephone study to obtain 
an up-to-date picture of how the public views privacy issues. Our 
survey was conducted late last week, on May 2-3, 2001. We contacted 617 
respondents to participate in the 13-minute survey, the results of 
which we have prepared for you. The margin of error for a study of this 
size is +3.9 percentage points.
    Findings from the two qualitative studies indicate that people make 
choices and form opinions based on personally held values. The rational 
elements of the decision-making process are important in supporting the 
emotional components they tap into. As long as individuals feel 
protected and that they have control, the physical benefits from 
sharing information satisfy emotional needs. In fact, we summarize the 
way people think about the need to provide personal information in this 
way: I want to give what I want when I want, and I want to get what I 
want when I want. In other words, consumers are willing to part with 
information they perceive as necessary to commence or complete a 
transaction of their choice.
    There are categories of information consumers are willing to share 
in order to conduct a transaction and other personal information they 
believe should never be shared. In our most recent research, for 
example, the majority of people say they are ``never comfortable'' 
sharing their social security number, financial information, medical 
information or information about their children. These types of 
information are deemed sensitive and therefore individuals are less 
likely to share information which falls into the category of ``not 
necessary'' or ``none of your business.'' Conversely, people are 
usually comfortable revealing their gender, age, education, occupation, 
hobbies and interests, and how they heard about the site.
    There are actions businesses can take to make the information that 
is shared more secure, which would result in raising consumers' 
confidence to give personal information in the first place. For 
example, actions that make consumers more comfortable include: using 
industry services to opt-out of direct marketing and telemarketing 
lists, using technology to prevent identity theft, restricting access 
to medical and financial data for marketing purposes and communications 
campaigns about highlighting consumer rights and privacy protections. 
If businesses champion a series of safety and security measures, 
consumers would have a better sense of control and feel that by 
providing personal information they have made a smart choice, saving 
time and money.
    The Internet, which is still a relatively new medium, is not 
completely understood by the public, even by many users. Most do not 
know how it operates. They know the Internet is a communication tool 
for receiving and providing information. However, they do not know how 
information travels over the Internet and who is at the other end of 
the monitor. It is a fear of the unknown that raises the level of 
skepticism for many consumers and reduces their feelings of control
    For example, most people will provide their credit card to a 
stranger to process a transaction at a traditional business or 
restaurant without concern for their personal credit data. These 
practices have a tradition of being secure and are therefore widely 
accepted. With a new medium such as the Internet, consumers' level of 
comfort is tied to their experience. Those who participate in Internet 
commerce tend to feel more knowledgeable about the Internet and more 
comfortable with providing personal information. Our research shows 
that as people have positive experiences with Internet commerce, their 
level of skepticism is diminished. Over time, as more and more people 
experience Internet commerce, the unknown nature of the medium will 
fade as it become more a part of our daily lives.
    In summary, companies that voluntarily enact good privacy 
policies--ones that are easily understood by everyday consumers--can 
help comfort consumers that their information will not be abused. 
Industry can achieve this effectively through self-regulating policies 
concerning the collection, use, storage and exchange of personal 
information.
    Thank you.

    Mr. Stearns. Thank you, Dr. Bauman.
    Just as a general comment here, the tendency after 
listening to you is to want to ask you a lot about the 
Internet, but obviously your expertise is basically a polling 
of information, so we can't get into, you know, what would you 
do if you were a policymaker and X, Y, Z because you are on 
this area of trying to understand what the American people 
perceive about the Internet. And it is interesting that it 
seems to come in almost all your opening statements, that the 
public is not really educated. I mean, one of you folks has 
broken down the understanding for this to the people who are 
basically the ``skeptics,'' the ``pragmatists,'' and the people 
who just don't know. And the fundamentalists are 25 percent, 
they are the skeptics, and the pragmatists are the 63 percent, 
and the unconcerned are 12 percent. And how much should the 
Government protect these unconcerned, you know, is a very 
difficult question.
    But I thought we will try, if we can, just to try and 
understand better what you are talking about in terms of the 
surveys, so let me just go to you, Mr. Rainie, and ask what you 
mean in your opening statement when you say ``demographic 
context''? Could you mention--explain what that means? Your 
survey highlights that term.
    Mr. Rainie. Yes. Different people in different groups have 
different senses of the privacy issues. Parents are much more 
concerned than nonparents because of information that might 
relate to their children. Women show a greater degree of 
concern, for instance, than men on some issues because they 
just feel like they are stewards of certain kinds of 
information that men don't feel as close to.
    So, there is a hierarchy of information values--you have 
heard it from other witnesses, too. Health information, 
financial information, credit information, information about 
children, matters most to people, and it matters most to 
specific groups of people.
    Mr. Stearns. The problem is, as a legislator, are we here 
to try and protect the consumer even though they are 
uneducated? You know, the person who really uses the Internet, 
like somebody who is like my younger son who has been using it 
for many years, doesn't have any concern at all. And you 
observed that although Americans do not much like online 
traffic tracking and profiling, a lot of them take relatively 
few steps to stop it. You know, a person can find out how to 
prevent the cookies from coming in through the preference on 
their Web browser, or they could stop the keystroking 
monitoring, they could probably do that. They could also do 
encryption. But they just don't seem to be interested.
    And so I guess is there something in the data that suggests 
why they have this fear but they don't take any action?
    Mr. Rainie. Well, I think they don't know the mechanism of 
how it is done, and I think in some cases it is expecting a lot 
of them to understand all the technologies that are at play, 
all the possible ways information can be gathered, bundled, 
disseminated and passed along. For some people, they are really 
into it and they are happy to be vigilant about checking 
privacy policies, be vigilant about checking the source of 
information, but for a lot of people that is a lot of work and 
they have got other things to do with their lives and they 
expect this technology to help them, not be an extra burden in 
their lives.
    And so I am not sure that throwing all the onus on them is 
one that they would be happy with. Clearly, for them, tracking 
is a dirty word. They haven't yet begun to comprehend all of 
the ways that it is a benefit to them, or potential benefit to 
them. Transactions haven't been very explicit to them. I think 
a lot of their concern would go away if a better case were made 
about how that were done.
    Mr. Stearns. Dr. Westin, you indicated in your statement 
that nine out of ten Americans are concerned about the 
potential misuse of their personal information and that three-
fourths of them say they are very concerned. What are they 
concerned about? I mean, can you give us specifically what 
their fears are?
    Mr. Westin. More and more, as I said, identity theft is one 
of the things that is in the minds of the respondents.
    Mr. Stearns. Identity theft--they get their Social 
Security, they get their pin numbers and they start walking off 
with their money out of their bank accounts.
    Mr. Westin. That is correct. And as I mentioned, one out of 
five households reported that there had been in their 
households someone who had been the victim of an identity 
theft. So, talk about harm as opposed to potential, one of the 
harms is that people perceive that if their telephone calling 
card can be obtained, if their credit card information can be 
obtained, their Social Security number can be obtained, that 
these are all the tools that the fraud artist can use.
    One of the largest causes of people not getting mortgages 
today is that they have had an identity theft and have not been 
able to clear up in time their credit history, and we found 
that it takes between 1 year and 1\1/2\ years for somebody to 
overcome the harm done to them in their credit report and in 
their relations with retailers and charge card companies as a 
result of identity theft. That's an example of where people are 
connecting the collection of their personal information to a 
concrete harm that has happened to them or somebody they know.
    Mr. Stearns. Dr. Bauman, you know, this is just, as we 
point out, this Internet privacy concern or fear is not just on 
the Internet, but they also have it about their personal sense 
of information--they are worried about it so much so that we 
have passed in Congress the Gramm-Leach-Bliley Act and also 
HIPPA regulations. I don't know if you are familiar with those, 
but I guess the question is, consumers seem to have a general 
concern, and maybe they are pushing the issue more than 
legislators need to be worried about. Have you seen any change 
in consumer perception after we have passed these two major 
pieces of legislation, the HIPPA regulations and the Gramm-
Leach-Bliley Act?
    Ms. Bauman. Our research didn't specifically ask about 
pieces of legislation, so I can't speak to that directly, but 
our findings in both our qualitative and our quantitative 
surveys are very consistent with the other research that has 
been presented here today.
    Mr. Stearns. Mr. Taylor, you have cited, for example, that 
privacy is a potential landmine issue. Perhaps you could give 
me a worst-case scenario of what you mean by a landmine issue.
    Mr. Taylor. Well, an example historically of where privacy 
did explode was in relation to credit and, to some extent, 
insurance, and it needs some highly publicized instance of 
somebody abusing somebody else's privacy for the landmine to go 
off.
    Now, it seems to me that this could occur in terms of 
identity fraud, such as Dr. Westin has described. It could 
certainly occur in relation to discrimination for health 
insurance or life insurance or employment or credit. It could 
certainly go off if, for example, a public figure's use of the 
Internet to access pornography sites was highly publicized, 
that would certainly trigger a few angry calls. Or, indeed, if 
the volume of spamming got so intense you might expect to see 
more and more people saying let us make spamming illegal, as I 
believe faxing, cold faxing marketing is illegal.
    Mr. Stearns. Right now, I could not find the history on 
your using the public library in your hometown, what books you 
took out. Likewise, I couldn't find out what videos you have 
taken out over a number of years or any length of period. So, 
likewise, it seemed to me that Congress might have a 
responsibility here to say we want to prevent this keystroke 
monitoring to protect the consumer, even though the consumer 
probably has no concern themselves on what we are talking 
about. So, it is a combination of the chicken or the egg. I 
mean, should we educate the consumer and then protect him, or 
just protect him before we go out and educate him?
    Mr. Taylor. Well, ``should'' is your decision, not mine, 
but historically I think that legislators have normally reacted 
after the landmine has gone off, not before. That isn't to say 
that that is the ideal way of doing it.
    Mr. Stearns. Maybe just as a general question before I 
complete, and just ask yes or no. If Congress went ahead and 
instituted an Internet privacy bill and presented it, you know, 
the White House signing in the Rose Garden and everything, do 
you think that would give a higher level of confidence to the 
consumer so that he or she, those folks that are in the one 
category here, might help the Internet, might increase business 
if we, by Congress being a leader here, could actually bring 
more trust to the Internet and increase ecommerce business? Do 
you follow what I am saying? Just yes or no, or just a slight 
comment. Mr. Rainie. It is a little off your survey question, 
but it may be, after all this information, you might have an 
intimate or innate ability to say, yes, we think it will help 
ecommerce and give more trust, or not.
    Mr. Rainie. I am going to steal Dr. Westin's thunder by 
repeating what he said. Writing legislation before-the-fact and 
particularly off survey work is tricky business. One of the 
things that we tried to do in several of our surveys was walk 
respondents through to the point where they actually were 
facing the clearest policy choice that I think is frame for all 
of you, which is, do you want Government to do it, or do you 
believe businesses can self-regulate? And invariably, as we 
walked the respondents through these questions, they wanted to 
stop right at the point where they were in charge. They wanted 
to assert that as the primary value that they want control over 
their identities, they want to have a seat at the table when 
any decisions are made, and we couldn't get them to help sort 
it out because they feel so disenfranchised as things stand 
right now.
    Mr. Taylor. Mr. Chairman, unlike, I think, the other 
polling organizations represented here, Harris Interactive 
conducts more surveys online than in person or by telephone, 
and we are very strong advocates of Federal legislation to 
establish high standards to which we want to adhere, and to 
have a level playing field.
    So, for our business, we think that legislation and 
regulation would be very good for our business and for the 
consumer.
    Mr. Westin. My other hat is a privacy expert, not a survey 
expert, and I think the time has come, the surveys would 
suggest, for what could be called ``framework'' legislation for 
online privacy. What I mean by that is that if you set in 
motion requirements that Web sites post privacy policies, step 
one, that you provide that the individual is well informed to 
exercise the choices that those policies provide, whether it is 
opt-out or clicking to opt-in. And, third, whether you have 
supervisory jurisdiction in a body like the Federal Trade 
Commission, for example, that under its existing Section 5 
jurisdiction can look for prosecuting or issuing cease-and-
desist orders for any Web site that violates its promises, you 
would have put in place what I think the Chairman is talking 
about when you ask what would it take to give confidence for 
people to use the Internet.
    It worries me if there would be any kind of legislative 
standard to opt-in as the requirement or the default because I 
think that all the survey research shows that consumers want 
choice, but they don't want somebody to dictate what their 
choice is. And I think notice and choice, to me, especially in 
the Internet environment, means stating what the Web site wants 
the information for, how it will use it, and to give the 
individual a choice then to opt-out or not to do business with 
the Web site.
    So, I would argue that all the survey material tells you 
that the public is seeking tools for confidence. What Congress 
can do, in my judgment, is to provide a piece of framework 
legislation that allows then the good businesses to have good 
relations with the consumers who come to their Web sites, but 
allows consumers not to do business with those companies that 
are not posting the kind of privacy policies that the consumer 
wants to expose themselves to.
    Mr. Newport. Mr. Chairman, Dr. Westin has good points. My 
initial reaction to your specific question was, I would not 
anticipate an enormous change if Congress did pass the 
legislation and it was signed in the Rose Garden of the White 
House. At this point, I don't think there is dramatic evidence 
that a lot of consumers are staying off the Internet or in any 
way restricting their behavior because of concerns over privacy 
except when we pollsters ask those questions, so I don't think 
at this point there is a pent up demand to use the Internet 
that once this legislation was signed we would see dramatic 
change, at least initially.
    Ms. Bauman. I agree with Mr. Rainie that our research finds 
that the public wants to retain control of their personal 
information and decide which information to divulge and when.
    To some degree, they can't be in full control without 
understanding their options and tools available to them in 
controlling these items of personal information.
    In our qualitative research, which was very in-depth, we 
heard from consumers that they want businesses to self-
regulate, they think that is important, but they also want 
businesses to collaborate with Government on these efforts, and 
that way builds trust between the consumers and the companies.
    Mr. Stearns. My time has obviously expired. Mr. Doyle.
    Mr. Doyle. Thank you, Mr. Chairman. It just seems to me--I 
mean, I remember the first time I gave my credit card online, 
there is a certain element of risk-reward. I think the public 
in general is just somewhat schizophrenic on this whole idea of 
what they really want with privacy. It seems to me, you know, 
if you are dealing with sensitive financial data or medical 
information, I think there seems--I mean, there seems to be 
more of a tendency of people wanting privacy there yet, on the 
other hand, you hear retailers say, ``Well, one of the ways to 
prohibit spamming or eliminating junk mail on the Internet is 
for us to learn more about the people that we are trying to 
serve, and we can reach a point where you are only receiving 
the kind of advertisement that you want to receive because you 
have indicated what some of your buying preferences are, or 
those types of things.''
    You go into a supermarket in Pittsburgh and you shop at 
Giant Eagle, they have got a thing--I think it is called the 
Advantage Card or something--that basically they scan your card 
going in, and the enticement is they give you some discounts on 
their products, but then they start to learn about your buying 
patterns, and they tell us, well, that helps them better serve 
the people that walk into the store because they know what to 
order, when to order it, and what you are going to buy.
    So, you see these tremendous benefits on the one hand where 
retailers can tailor-design advertising and products to people 
based on what they say they want. On the other hand, there is a 
real worry out there about giving information about your 
medical history. And I just wondered, does most of your 
surveying show that the greatest concern is really in the areas 
of medical privacy and financial records, and is there maybe a 
need for us to look more closely or deal more strictly with 
those areas as opposed to retail shopping or eBay buying? I 
mean, I am just wondering what--is that where the major concern 
is when you are talking with your--and just generally to the 
panel.
    Mr. Newport. In one survey we did last fall, we gave people 
a list and, indeed, financial and health care information was 
at the top of the list of concerns. The things which were lower 
were not so much retail--I am not sure they were on the list--
but employment history and educational background history, 
where you had degrees and things like that, seemed to be of 
much less concern.
    But you mentioned, Congressman Doyle, the two magic words, 
I think--financial and health.
    Ms. Bauman. Our study also found that, that was conducted 
late last week--medical information, financial information. The 
great majority of the people said they were ``never 
comfortable'' providing that information.
    Mr. Westin. Our surveys show that one of the apprehensions 
people have is that the mergers that have brought together 
banks, credit card companies, insurers and investment firms, 
has broken down what once was a great protection of privacy, 
which was the ``silo'' effect that your information was in one 
silo and, because of competitiveness and industry separation, 
it wasn't shared.
    There is a great concern today that the mergers and 
acquisitions have opened up much larger pools of sharing of 
information, and that is why Congress in Title 5, in the Gramm-
Leach-Bliley Act, tried to deal with the difference between 
sharing information outside with affiliates, and the choices 
that individuals are looking for in terms of the way their 
information circulates inside those merged institutions.
    Mr. Rainie. We found in a survey of people who use the 
Internet to get health information, that even in those 
circumstances where they are getting sensitive information 
online, they are adamantly opposed, for instance, to having 
their medical records put online. Sixty percent of those health 
seekers said ``We would not feel comfortable having our health 
records online even at a password-protected, secure Web site.'' 
We put that in the questionnaire to give them some level of 
assurance of it. Their default thought is this is way too 
sensitive. The harm that can come from improper disclosure of 
this is way too grave for me to risk it.
    Now, my guess is that over time, if people's doctors 
educate them and say to them, ``If you put your records online, 
the likelihood of a medical error being made when you are in an 
emergency situation or a loved one is in an emergency 
situation, that level of concern might go down,'' but no one in 
the people we were talking to had a great sense that that was 
the tradeoff. All they thought was, ``My gosh, this is 
horrible, and horrible things could happen to me or a loved one 
if this kind of information were disclosed.''
    Mr. Taylor. I agree with what you have heard from the other 
witnesses. We asked last year, people to say how concerned they 
were about different kinds of information not being protected, 
and the top five items were credit card number, Social Security 
number, financial assets and information about finances, name 
and address so that people could actually reach me, and, 
finally, medical and health records.
    Mr. Doyle. Thank you. Mr. Chairman, I see my time is up.
    Mr. Stearns. I thank my colleague. Mr. Shimkus.
    Mr. Shimkus. Thank you, Mr. Chairman. Mr. Doyle has got to 
learn how to be a Ranking Member, and don't you know you get to 
go way past your time like the Chairman.
    It is great to have you. I keep thinking of Richard Dawson 
saying, ``Survey says,'' boom, ``Survey says,'' and that brings 
up a little bit of controversy about this hearing of should we 
be making public policy based upon surveys. Of course, our 
President says no, but many of us use polling data quite 
frequently. In fact, Wirthlin Worldwide is mine, and I would 
like to welcome Dr. Bauman. I know she doesn't deal with me or 
in that spectrum, but there is a lot of credibility in what you 
all bring to the table, and I appreciate you all being here 
today.
    Dr. Westin, I want to follow up on a comment that you made, 
first of all. You said one in every five people have been a 
victim of identity theft. That probably needs some more 
clarification. That is two out of every ten people.
    I have heard of identity theft because I serve on this 
committee, it is my fifth year. But I bet you I could go 
through quite a few people before I know of anybody. I don't 
know of anybody in my immediate realm, and I come from a family 
of seven kids, or identity theft. Can you help us and tell us 
where you get this one in every five?
    Mr. Westin. We asked a question that said, ``Have you or a 
member of your household been the victim of an identity theft, 
which is defined as someone assuming your identity to charge 
goods or services, or assume your identity for financial 
gain.'' Keep in mind then, that that could be somebody who 
watches you put in your telephone calling card at an airport, 
or somebody who has obtained your credit card in the ways we 
have been discussing. So, it is not one out of five adults or 
people, it is one out of five households.
    In my own household, almost every member of my household 
has had one or another of these happen--credit card charge pops 
up on an Internet account or a credit card account. Twice I 
have had my telephone calling card obtained by somebody who 
must have seen me putting it in in an airport.
    So, I don't think that that is out of line with some 
figures that the Treasury Department, the Secret Service and 
others have put out recently, indicating how enormously 
widespread these kinds of identity thefts have become.
    So, it is true that this is self-reporting, and survey 
people always are cautious when people report things and you 
don't have objective verification. But if you ask in a survey 
has this happened to you, and there is no shame in saying it 
has or hasn't, and there is no advantage in saying it has or 
hasn't, and if the question really described concretely what 
you mean by identity theft, I think that you have to take the 
finding fairly seriously.
    Mr. Shimkus. Does anyone, based upon their research, 
corroborate the two out of ten, or--as far as identity--not to 
cause a fight between the brethren here and the industry, but 
anyone want to add to that?
    Mr. Rainie. We have data which is similar to that, so we 
will corroborate, yes.
    Mr. Shimkus. Thank you. Survey says two out of five 
panelists agree. What is a better judge of the impact of this? 
We are mostly focusing on consumers or mostly ecommerce. I 
mean, we will go into a whole brave, new world when we deal 
with medical privacy. My opening statement talks about the 
conflict between the two. I don't know if they can be handled 
similarly. But on the ecommerce end, what is the ability of a 
projection on business based upon having good privacy 
protection versus real-world data on what really occurs in a 
market? A survey is a projection. Real data as far as sales and 
commerce is a real deal.
    I think, Dr. Newport, you mentioned that were we to move in 
with some of these privacy provisions--correct me if I am 
wrong--your point was we may not see an automatic jump in 
ecommerce, is that correct?
    Mr. Newport. Yes, that is what I said. I don't know that we 
have strong evidence which suggests that lots of people are 
restraining from buying things or doing other things on the 
Internet because of concerns about privacy. And as I mentioned 
in some of my data, although when we asked people ``Are you 
concerned'' and they say ``yes,'' it is not, as others have 
mentioned, a highly spontaneous problem that comes up when we 
talk to people in our polling and, therefore, that is why I 
think several of us have said right now I am not sure that 
there is an enormous front-runner concern over it.
    Mr. Shimkus. Dr. Bauman, I have one--the question that I 
wanted to ask Dr. Bauman, and anyone else can add--in your 
questioning, did you address the additional cost-benefit 
analysis that may occur, and what would the consumer accept as 
reasonable cost for protection, or was there in essence no 
boundaries?
    Ms. Bauman. That is an interesting question, Congressman. 
We didn't----
    Mr. Shimkus. Yes, it is my job.
    Ms. Bauman. We didn't exactly specifically go into the 
cost-benefit analysis. What we did ask them about is if certain 
provisions were in place, would that make you more comfortable 
and more supportive of industry engaging in self-regulation, 
and overwhelmingly they said yes to all of those various types 
of self-regulating policies and actions.
    Mr. Shimkus. Anyone else want to add--and my time, Mr. 
Chairman--on the cost-benefit analysis of moving forward?
    Mr. Westin. In 1994, we did a survey of how consumers felt 
about consumer reporting. What we found was overwhelmingly 
consumers accepted the fact that if credit grantors did not get 
good credit information about payment of bills and bankruptcies 
and liens, that it would cost more for every consumer, it would 
take much longer for their applications to be approved, that 
minorities would not get the advantages that they seek because 
they would be not enhanced in any way in the marketing to them, 
and so forth.
    So, I think consumers, in fact, are quite accepting of the 
benefits that come from information being used for quality risk 
assessment, and in the tradeoff there, they are very aware that 
there are costs in not having information for making these 
kinds of judgments.
    Mr. Shimkus. Thank you very much. Mr. Chairman, I yield 
back.
    Mr. Taylor. Could I just add one note. At the risk of 
sounding arrogant, we are very, very proud of the very strong 
privacy protection policy we have for our online surveys, which 
I described earlier, and it is interesting that in our 
telephone surveys we get about 2 percent of people who will 
willingly self-identify as gay, lesbian or bisexual. When we do 
this with in-person surveys with a ballot box so that the 
anonymous form is put in the ballot box, that goes up to 4 
percent. In our online surveys, we are consistently getting 6 
percent who self-identify in that way. We believe it is because 
they trust us not to reveal that information to anyone, and we 
think they would not do so if we did not have strong privacy 
protection.
    Mr. Shimkus. Mr. Chairman, if I could.
    Mr. Stearns. Sure.
    Mr. Shimkus. Is that because on your survey when it pops 
up, you have got, as was stated before, you post the privacy 
provisions and that you believe that the consumer or the 
individual will be well informed and will make a judgment based 
upon the trust they put in your ability to keep that 
information private?
    Mr. Taylor. Yes.
    Mr. Shimkus. Thank you, Mr. Chairman.
    Mr. Stearns. The gentleman from Tennessee, Mr. Bryant.
    Mr. Bryant. In this committee, I am going to go by John 
Shimkus from here on. You have your identity stolen now.
    I want to welcome the panel and apologize for being late. 
We just landed from back home, and so I have kind of caught up 
with some of what you are saying. I do appreciate, as Mr. 
Shimkus does, your value in polling and what you do add to this 
hearing.
    I would suspect, from personal experience, a lot of the 
concern that people would have online would be just--many 
haven't developed a comfort zone yet in the use of the 
Internet, and aren't as skilled as they believe many others 
are, and they have a fear, I am sure, of hackers and things 
like that getting in the records, but probably, by and large, I 
think it is more as people get comfortable using it and their 
own abilities and realize that it can be safely used with 
adequate protections, that you will find the so-called consumer 
confidence going up in this.
    I am wondering--I think, Mr. Taylor, if I could ask you--is 
there something that the companies can do in making a 
compelling case to these consumers that in exchange for this 
personal information, there is a benefit, a consumer benefit 
there, and how can they do this, if they can?
    Mr. Taylor. Well, I think that you have heard from several 
of us that they certainly can do that and that they should do 
that, and it is necessary because, in general, people are often 
unaware of the benefits themselves as opposed to the company 
they are dealing with of providing that information.
    If you take, for example, information about automobile 
accidents for insurance, people realize pretty quickly that if 
you obtain that information and if you have got a good, 
accident-free record, you will get a better insurance rate, but 
initially that probably had to be explained to people. So, you 
have to spell out the benefits and they have to be real 
benefits, and I would say that sometimes they may not be real 
benefits, in which case you have got a problem.
    Mr. Bryant. In sort of a follow-up to that, your work for 
PLI indicates that the presence of privacy statements and seals 
are valued by the public. Further, your work indicates that 
consumers rarely take advantage of these privacy tools. In 
essence, is it accurate to say that if the consumers see 
privacy statements and seals, that they are less likely to 
leave a site than not, notwithstanding whether the company 
actually provides technology solutions to help the consumer?
    Mr. Taylor. Yes, it is clear that the posting of privacy 
policies has a positive impact, even though, in some of our 
surveys, very few people are actually reading all of them, and 
there is also a fair amount of skepticism as to whether 
companies actually enforce their privacy policy. So, it is both 
a question of having good policies and displaying them and, of 
course, enforcing them.
    Mr. Bryant. Dr. Bauman, we have talked about this issue a 
little bit, but I want to follow up in terms of Gramm-Leach-
Bliley and HIPPA. It seems that consumers are most concerned 
about sharing their personal sensitive information such as 
medical or financial information. Many of these poll results 
have indicated that consumers believe that legislative action 
is needed. Have you seen a change in consumer confidence as a 
result of the passage of these bills, Gramm-Leach-Bliley and 
the HIPPA regulations, and, if not, would you expect to see a 
change? These basically incorporate privacy protections. Do you 
see anything out there in your polling results that would 
reflect the passage of this legislation?
    Ms. Bauman. Like I said before, we haven't specifically 
asked people about pieces of legislation or even their 
awareness of them, so I can't speak directly to that question, 
although it is definitely a logical one that could be tested.
    People generally are uncomfortable providing that type of 
information, and when we do our in-depth qualitative work, we 
find the two values that emerge here are people wanting that 
peace of mind protecting their personal security, and also 
having that personal control to determine that destiny.
    So, I would think that those two pieces of legislation 
would be comforting, although our research hasn't directly 
tested it either before or--so, therefore, I can't speak about 
it changing over time either.
    Mr. Bryant. This is, I think, a question for Dr. Westin. 
Your site evidence that consumers fear privacy keeps them from 
participating in the Internet or going on the Net. However, you 
state in your testimony that surveys to-date haven't been 
helpful in determining what consumers want in terms of 
legislation to protect privacy.
    Mr. Westin. Yes. If I could go back to your earlier 
question, Congressman, isn't it important to know that Gramm-
Leach-Bliley is just beginning to kick in in terms of behavior 
toward consumers? It is the flood of notices that people are 
now getting from the banks, insurance companies, an avalanche 
of them, two or three dozen for a typical family, very 
complicated. Federal regulators require that you say things 
that nobody would ever want to say to a consumer, but you have 
got to follow the regulations both with a litany of what they 
tell you you must do.
    So, I don't think we know yet how consumers are reacting to 
the Gramm-Leach-Bliley structure of rights. It is going to play 
out as they begin to understand the way their information is 
going to be used and what rights they have.
    As far as HIPPA is concerned, it is going to be 2 more 
years before those regulations go into full effect, so you 
can't really expect consumers to feel anything yet about the 
medical and health privacy. Most of the providers are just 
beginning to get themselves organized to bring in compliance 
with that in 2 years.
    So, especially in the survey sense, I don't think you will 
find much knowledge on the part of consumers about those two 
interventions by Congress, and only one is an enacted, in-force 
regulation, the other is something that has to play out across 
2 more years.
    As to the question you asked me, I think that what I was 
trying to say was that in crafting legislation, putting the 
choices between, let us say, an opt-in or an opt-out regime 
into a survey in a way that you give much credence to the 
response of the individual, it is very difficult because that 
is a question in which you are really struggling to figure out 
what the effects would be of one regime in terms of the 
confidence of consumers to business and the business model, as 
to how they are going to make money on the Internet.
    So, what I was trying to suggest is that consumers can 
express concern, but when legislators go to decide what the way 
to respond to that concern is, that is where legislative skills 
and policy analysis and cost-benefit analysis is what you have 
to bring to bear. I have never seen a good survey on cost-
benefit analysis in privacy that I would put much credence in.
    Mr. Bryant. Thank you, and I thank each member of the panel 
for your appearance and testimony today. Thank you, Mr. 
Chairman.
    Mr. Stearns. Thank you. Mr. Walden.
    Mr. Walden. Thank you, Mr. Chairman. I wanted to follow up 
on what Dr. Westin was saying, especially your comment about 
the Gramm-Leach-Bliley notices. Probably like a lot of people 
in this room, we have been getting them. I think to myself, it 
is a good thing it is an opt-out as opposed to an opt-in 
because we probably have all kinds of things getting canceled 
because after a while you just--have any of you actually read 
those notices in detail?
    Mr. Westin. I have to for my job.
    Mr. Walden. If you weren't required for your job to have 
read them, would they--it seems to me we have raised the issue 
a bit, but in a very complex, grammatical way. Does anybody 
want to comment on the effect of that notification process?
    Mr. Taylor. There is an interesting analogy. In the 1980's, 
I think, and early 1990's, the pharmaceutical industry was 
under a great deal of pressure to put in patient package 
inserts describing the risks and the potential side effects of 
medication. This was not something which large numbers of the 
public were demanding, but there were activists who were 
demanding it, and it was the reluctance of the industry to do 
this which made people very critical of them and very 
suspicious of them. They now are required to do it. Our data 
shows that almost nobody reads them, but the fact that they are 
there is a little bit reassuring, and the criticism of the 
industry has died down, so I actually think it was good for the 
industry even though they fought against it.
    Mr. Walden. Interesting. All right. Reading through the 
testimony and some of the data, am I correct in summarizing 
that the bulk of people don't look to the Federal Government 
for new legislation here, they would rather control their own 
destiny on the Internet, control their own information?
    Mr. Westin. I think it is complicated because sometimes 
survey research puts the question this way: Do you think 
Congress should enact legislation to protect your privacy on 
the Internet, and that is a motherhood-type question and it is 
not surprising that 60 or 70 percent will say, yes, they are in 
favor of it. But if you give them alternatives, if you say: 
Would you rather have an option to make your choices as to how 
your information is used, or do you think business ought to do 
this as a matter of self-regulation and Government should just 
police those who do not do it----
    Mr. Walden. The hackers and the violators.
    Mr. Westin. Exactly--you get a very different result, which 
suggests that it is in the framing in the question as to 
whether you make it motherhood or whether you give options and 
choices, that you really will get your data back.
    Mr. Newport. And, Congressman, even with the motherhood 
effect--Mother's Day is coming, that is an appropriate point--
we only had half of the individuals, regular Internet users, 
who said, yes, the Federal Government should be more involved 
than they are currently. Our interpretation contextually was 
that that is a fairly low number.
    It is easy--I think that Dr. Westin is absolutely correct--
it is easy for a respondent to say, ``Well, of course, 
Government should do more``, and the fact that only half said 
yes, the Federal Government should do more, to us suggested 
that there was not a strong clamoring on the part of 
constituents for the Government to intervene.
    Mr. Walden. Well, isn't it accurate, too, that a very small 
percentage of users even understand cookies and their ability 
to do anything about that? I read that in some testimony here.
    Mr. Rainie. Yes. Our finding is that more than half of 
Internet users and a significant portion even of veteran users 
do not know what cookies are, do not know the basic mechanisms 
of tracking. And so they would appreciate more knowledge about 
that, and they would appreciate a much better explanation of 
the virtues of what they get out of cookies.
    Mr. Stearns. Is the gentleman complete?
    Mr. Walden. I would yield back. Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentleman. We are going to close 
here. I think this member, this Chairman, is left with a little 
bit of ambivalence here because we were hoping in June to try 
to draft something. We feel from the previous hearings that 
although we might be ahead of the consumer, we thought it would 
be worthwhile to put something as a marker and not drop it as a 
bill, then get the response of people in industry--the 
software, the hardware companies, consumers--and try to get 
feedback on what they felt. And we thought we would do sort of 
a minimalist type of approach because the perception is that, I 
think even from the surveys, that a lot of people have some 
concerns, as Dr. Westin pointed out.
    But at this point, as many of the Members said, you really 
can't necessarily develop legislation based upon a survey, but 
there is the possibility of a landmine, and that is what we 
have to weigh. We haven't had any consumers running to us down 
in our districts saying, ``Please, please give me an Internet 
privacy bill,'' but I innately feel that if we did have 
provided a bill of some type and provided a consistency across 
the Internet for protection, and the consumer thought he or she 
had that, it would certainly increase, I think, ultimately, the 
consumer using ecommerce as a form of business.
    And so I think the hearing today has pointed out some of 
the ambivalence that we all felt. I think you have done a 
superb job of giving us your opinion on this, and we appreciate 
your time. And with that, the subcommittee is adjourned.
    [Whereupon, at 4:40 p.m., the subcommittee was adjourned.]
