[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
WHAT YOUR BROADBAND PROVIDER KNOWS ABOUT YOUR WEB USE: DEEP PACKET
INSPECTION AND COMMUNICATIONS LAWS AND POLICIES
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
JULY 17, 2008
__________
Serial No. 110-137
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
U.S. GOVERNMENT PRINTING OFFICE
58-071 WASHINGTON : 2008
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON ENERGY AND COMMERCE
JOHN D. DINGELL, Michigan, JOE BARTON, Texas
Chairman Ranking Member
HENRY A. WAXMAN, California RALPH M. HALL, Texas
EDWARD J. MARKEY, Massachusetts FRED UPTON, Michigan
RICK BOUCHER, Virginia CLIFF STEARNS, Florida
EDOLPHUS TOWNS, New York NATHAN DEAL, Georgia
FRANK PALLONE, Jr., New Jersey ED WHITFIELD, Kentucky
BART GORDON, Tennessee BARBARA CUBIN, Wyoming
BOBBY L. RUSH, Illinois JOHN SHIMKUS, Illinois
ANNA G. ESHOO, California HEATHER WILSON, New Mexico
BART STUPAK, Michigan JOHN SHADEGG, Arizona
ELIOT L. ENGEL, New York CHARLES W. ``CHIP'' PICKERING,
GENE GREEN, Texas Mississippi
DIANA DeGETTE, Colorado VITO FOSSELLA, New York
Vice Chairman ROY BLUNT, Missouri
LOIS CAPPS, California STEVE BUYER, Indiana
MIKE DOYLE, Pennsylvania GEORGE RADANOVICH, California
JANE HARMAN, California JOSEPH R. PITTS, Pennsylvania
TOM ALLEN, Maine MARY BONO MACK, California
JAN SCHAKOWSKY, Illinois GREG WALDEN, Oregon
HILDA L. SOLIS, California LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas MIKE FERGUSON, New Jersey
JAY INSLEE, Washington MIKE ROGERS, Michigan
TAMMY BALDWIN, Wisconsin SUE WILKINS MYRICK, North Carolina
MIKE ROSS, Arkansas JOHN SULLIVAN, Oklahoma
DARLENE HOOLEY, Oregon TIM MURPHY, Pennsylvania
ANTHONY D. WEINER, New York MICHAEL C. BURGESS, Texas
JIM MATHESON, Utah MARSHA BLACKBURN, Tennessee
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
DORIS O. MATSUI, California
_________________________________________________________________
Professional Staff
Dennis B. Fitzgibbons, Chief of
Staff
Gregg A. Rothschild, Chief Counsel
Sharon E. Davis, Chief Clerk
David L. Cavicke, Minority Staff
Director
Subcommittee on Telecommunications and the Internet
EDWARD J. MARKEY, Massachusetts, Chairman
MIKE DOYLE, Pennsylvania CLIFF STEARNS, Florida
Vice Chairman Ranking Member
JANE HARMAN, California FRED UPTON, Michigan
CHARLES A. GONZALEZ, Texas NATHAN DEAL, Georgia
JAY INSLEE, Washington BARBARA CUBIN, Wyoming
BARON P. HILL, Indiana JOHN SHIMKUS, Illinois
RICK BOUCHER, Virginia HEATHER WILSON, New Mexico
EDOLPHUS TOWNS, New York CHARLES W. ``CHIP'' PICKERING,
FRANK PALLONE, Jr., New Jersey Mississippi
BART GORDON, Tennessee VITO FOSSELLA, New York
BOBBY L. RUSH, Illinois STEVE BUYER, Indiana
ANNA G. ESHOO, California GEORGE RADANOVICH, California
BART STUPAK, Michigan MARY BONO MACK, California
ELIOT L. ENGEL, New York GREG WALDEN, Oregon
GENE GREEN, Texas LEE TERRY, Nebraska
LOIS CAPPS, California MIKE FERGUSON, New Jersey
HILDA L. SOLIS, California JOE BARTON, Texas (ex officio)
JOHN D. DINGELL, Michigan (ex
officio)
C O N T E N T S
----------
Hon. Edward J. Markey, a Representative in Congress from the
Commonwealth of Massachusetts, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement
Hon. Gene Green, a Representative in Congress from the State of
Texas, opening statement
Hon. Bart Stupak, a Representative in Congress from the State of
Michigan, opening statement
Hon. John D. Dingell, a Representative in Congress from the State
of Michigan, prepared statement
Witnesses
Alissa Cooper, Chief Computer Scientist, Center for Democracy and
Technology
Prepared statement
Robert R. Dykes, Chairman and CEO, NebuAd, Inc.
Prepared statement
David P. Reed, Ph.D., Adjunct Professor, The Media Lab,
Massachusetts Institute of Technology
Prepared statement
Bijan Sabet, General Partner, Spark Capital
Prepared statement
Scott Cleland, President, Precursor LLC
Prepared statement
WHAT YOUR BROADBAND PROVIDER KNOWS ABOUT YOUR WEB USE: DEEP PACKET
INSPECTION AND COMMUNICATIONS LAWS AND POLICIES
----------
THURSDAY, JULY 17, 2008
House of Representatives,
Subcommittee on Telecommunications
and the Internet,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 9:40 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Edward J.
Markey (chairman) presiding.
Members present: Representatives Markey, Doyle, Gonzalez,
Inslee, Eshoo, Stupak, Green, Solis, Stearns, Radanovich, and
Walden.
Staff present: Amy Levine, Mark Seifert, Tim Powderly,
David Vogel, Philip Murphy, Neil Fried, and Garrett Golding.
OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS
Mr. Markey. Good morning, and welcome to the Subcommittee
on Telecommunications and the Internet and our hearing on deep
packet inspection technology and consumer privacy and issues
that are related to it.
Privacy is a cornerstone of freedom. Without question, the
digital era in communications technologies will heighten
concern about the sensitivity of personal information that can
be collected or disclosed about individual citizens and the
ever-increasing pervasiveness of such data collection.
Obviously this is happening across our society, from video
cameras at crosswalks and federal buildings, checkout scanners
in supermarkets to the collection of information by national
security entities and the gleaning of information from a
consumer's Web use. I have long fought for privacy provisions
to be added to our Nation's communications statutes to keep
pace with changes in technology and markets. I successfully
offered amendments that became law in previous Congresses to
protect children's online privacy, to extend the privacy
provisions of the Cable Act to direct broadcast satellite
television providers, to add privacy protections for wireless
location information and to strengthen telemarketing privacy
protections. In previous Congresses, I also offered legislative
proposals to establish a privacy bill of rights for Internet
users that would have covered Web sites like Google, eBay,
Amazon, and others, as well as separate legislation that
required search engine sites to destroy data collected from
users that was no longer needed for any legitimate purpose, and
so I obviously have long supported the idea of legislating
where needed and to do so in a way that strengthened and
harmonized our Nation's communications privacy laws. In this
subcommittee, we have direct jurisdiction over the Federal
Communications Commission and providers of telecommunications
capabilities and services. As such, providers of broadband
access to the Internet fall squarely into our oversight role.
Today we look at how so-called deep packet inspection
technologies affect consumer privacy and related issues
following up on letters that ranking Republican Joe Barton,
Chairman John Dingell, and I have recently sent raising
questions about these technologies. There are a couple of
notable differences between the data-gathering that individual
Web sites can and do conduct and that posed by the deployment
of deep packet inspection technologies in broadband networks.
First, there is a distinction in the detail, the type and the
amount of data collected. As opposed to individual Web sites
that know certain information about visitors to its Web sites
and affiliates, deep packet inspection technologies can
indicate every Web site a user visits and much more about a
person's Web use. Second, there is already an array of laws on
the books that arguably address a broadband provider's
treatment of these technologies and services, including the
Cable Act, the Electronic Communications Privacy Act, and the
Communications Act, among other laws.
From a privacy perspective, given the sheer sophistication
of the technology capability and the obvious sensitivity of the
personal information that can be gleaned from a consumer's Web
use, I believe broadband providers deploying deep packet
inspection technologies must adopt clear privacy policies. In
my view, consumers deserve, at the least, at the minimum, one,
clear, conspicuous and constructive notice about what broadband
providers' use of deep packet inspection will be; two,
meaningful opt-in consents for such use; and three, no
monitoring or data interception of those consumers who do not
grant consent for such use.
Deep packet inspection technologies can be deployed not
only with the intent to serve targeted advertisements tailored
to a user's Web habits, they can also be utilized to manage
traffic on the network, detect network threats, and discover
the presence of copyrighted or illegal material and other
applications. As a result, these technologies raise not only
significant privacy concerns, but also highlight broader policy
questions, including how they impact the evolution of the
Internet itself and its future prospects for driving innovation
and fostering competition and job creation. Today's hearing
will allow the subcommittee to better understand the
implications of deep packet inspection technologies on
consumers, broadband providers, and the broader Internet.
We welcome our witnesses to the subcommittee. We thank them
for their willingness to be here today.
Mr. Markey. Now I turn and recognize the ranking member of
the Subcommittee on Telecommunications and the Internet, the
gentleman from Florida, Mr. Stearns.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Good morning, and thank you, Mr. Chairman. The
use of consumer Internet information for marketing purposes is
not a new issue to all of us. Both the Energy and Commerce
Committee and, of course, this subcommittee have previously
held hearings to examine a multitude of concerns under the
broad banners of online privacy and marketing, including the
online collection of personally identifiable information and
the use of cookies and other tracking tools.
My colleagues, our goal today should be to broadly examine
how companies are using consumer Internet behavior to tailor
online advertising; both the benefit to consumers, as well as
any potential concerns that have not already been addressed by
industry. Why then are we just focusing on broadband providers?
Why are we not talking about search engines and Internet
advertising networks as well? Wouldn't we have the same
concerns with those folks?
Broadband providers are considering limited trials of
tailored Internet advertising, but companies such as Google and
Yahoo and Microsoft all have search engines, have long used
tailored Internet advertising. Certainly we cannot have this
discussion without addressing them as well. Whatever the
appropriate standards are, I think everybody agrees they should
apply to everyone.
We can all agree that consumers should be notified, but one
of the questions is whether we should require explicit consent
through opt-in procedures or whether opt-out procedures are
sufficient. That is the core question. Whatever we decide, we
need to be consistent. Consumers don't care if you are a search
engine or a broadband provider. They want to ensure you are not
violating their privacy either way.
I am particularly interested in learning from the witnesses
the ways in which the use of behavioral information for
marketing has been shown to have already harmed the consumers.
It is imperative that there be some evidence of harm if we are
going to regulate this practice or we run the risk of
prematurely restricting the latest technological advancements
that are related to online marketing.
As the overall economy continues to take a significant
downturn, the government should not be contemplating how to
make it harder for small businesses to succeed. Targeted
advertising may be essential for small businesses to compete
with larger ones. They don't have the budget of General Motors
or Ford. Small businesses don't have hundreds of millions of
dollars to spend on this advertising. So being able to target
their ads on the Internet to consumers most likely to use their
products gives them a better chance to succeed.
Overreaching privacy regulation at this time could possibly
do more damage to this fragile economy. Companies should be as
transparent as possible about what information they collect and
how they are using it. That way, consumers will be empowered
with better information to make obviously better decisions.
The Federal Trade Commission began inquiring into targeted
online advertising practices with workshops. This effort
culminated with it publishing proposed industry self-regulatory
principles. Those principles were designed to ensure that
companies that engage in behavioral targeting voluntarily adopt
best practices that provide increased transparency and choice
to consumers about these practices. This approach seemed to be
working. In fact, the FTC testified in a Senate Commerce
Committee hearing just last week that it continues to believe
we have not reached the point where legislation to address
online behavioral targeting is immediately necessary.
I have a long track record of talking very seriously about
this committee's mandate to consider online privacy and
marketing issues, which was evidenced by the many hearings I
helped organize in my former role as chairman and ranking
member of the Subcommittee on Commerce, Trade, and Consumer
Protection. I look forward to working with the chairman and
continuing that work on privacy issues as a member and ranking
member of this subcommittee. I think the hearing is important.
I look forward to its results.
As we examine these issues today, I hope this panel can
keep in mind that premature regulation of such practices,
particularly in the absence of evidence of consumer harm, could
have a significant negative economic impact at a time that many
businesses, and particularly small businesses, are struggling,
so I will look very closely at these issues before we leap to
legislative proposals that even the FTC is not calling for at
this time.
And with that, Mr. Chairman, thank you.
Mr. Markey. I thank the gentleman. The chair recognizes the
gentleman from Michigan, Mr. Stupak. I apologize. I should have
recognized the gentleman from Texas, Mr. Green, first. Excuse
me.
OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Green. Thank you, Mr. Chairman, for holding this
hearing on the deep packet inspection technology, and I want to
thank you and Chairman Dingell and Ranking Member Barton for
your leadership and action on this issue over several months.
It is important we look at this issue in light of recent
news regarding Embarq and Charter Communications. The potential
for invasion of privacy posed by DPI technology if used in the
wrong way is extremely troubling. There are necessary and
legitimate uses for DPI, specifically for quality of service
reasons, monitoring for worms or viruses, use by law
enforcement and using it to monitor traffic to the extent
necessary to maintain network integrity and prevent congestion
in the last mile of the network. Use of DPI by a service
provider network operator to protect network infrastructure and
systems is one thing; using DPI to monitor Web users' patterns
and habits by a third party to direct advertising or other
content their way is a separate and troubling issue.
I am most concerned about the privacy implications of
targeted advertising based on data collected on Internet users
without their knowledge, and our subcommittee has a history of
being concerned about it, whether a few years ago it was called
a cookie or whatever. At the minimum, this should be something
that a consumer is notified of and must opt into specifically
outside of agreeing to some service terms and conditions, and I
can't imagine most of my constituents agreeing to have their
activities monitored. Some people may want this kind of
information directed toward them, but I, and I imagine most of
my folks, want to know if data is being collected on us and should
not have to opt out or install a cookie on our own Web site
browser to prevent the collection of data. The idea that this
would take place without the affected consumers or Web sites
knowing it, without consumers having to specifically agree to
have their information collected and analyzed for uses other
than for the network operator to ensure quality service, is
contemptible.
I am aware Google and Yahoo and others do similar targeting
using other technology, and I believe this should be looked
into as well, but primary jurisdiction for that falls under
another subcommittee. To the extent we can address privacy
issues under this subcommittee's jurisdiction, I believe we can
and should.
Again, Mr. Chairman, I want to thank you for the hearing
today on deep packet inspection, and I look forward to hearing
more about the various uses and impacts it has both in improved
network performance but also the potential privacy
implications. Thank you.
Mr. Markey. The gentleman's time has expired. The chair
recognizes the gentleman from Michigan, Mr. Stupak.
OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Stupak. Thank you, Mr. Chairman, and thank you for
holding this hearing on deep packet inspection technology. It
is important that we discuss the policy implications of this
newest advancement in network technology.
Applications of DPI technology provide a number of
benefits. Internet users are protected from the latest viruses
through better filtering security, network administrators have
more efficient means of managing traffic, and law enforcement
can use these powerful tools to combat cybercrime. However,
while we stand to gain from DPI technology, we need to ensure
the protections Congress has put in place on behalf of a
consumer's personal information are upheld. One of our
witnesses today, NebuAd, offers targeted and behavioral
advertising services by taking information from the network to
create detailed profiles of the Internet service provider
subscribers. While NebuAd has stated that the information they
collect is completely anonymous, there are legitimate consumer
privacy questions. The ISPs that partner with NebuAd should be
offering consumers an option to opt in for having their data
collected, not opt out. If the hardware of the network is
configured to collect their data, they are only opting out of
having their information sold while it continues to be
collected. This is especially important to broadband
subscribers with only one choice for an ISP. They do not have
the option to choose a different ISP if they feel uncomfortable
knowing that the network they are accessing tracks their every
move. As broadband providers continue to integrate this
technology, will future application of DPI technology be as
transparent to the public?
Mr. Chairman, thank you again for holding today's hearing.
I look forward to hearing from our witnesses about the
application of DPI technology and its implications, good and
bad, for the future of the Internet.
Mr. Markey. The gentleman's time has expired. The chair
recognizes the gentleman from Pennsylvania, Mr. Doyle.
Mr. Doyle. Thank you, Mr. Chairman. I am going to waive an
opening statement and just add it on to my questions.
Mr. Markey. The gentleman from Pennsylvania will have that
time added to his question period, and seeing no other members
here to make opening statements, we will turn to our panel, and
we will recognize our first witness, Alissa Cooper, who is the
chief computer scientist for the Center for Democracy and
Technology. Her work focuses on the intersection of computer
and networking technologies with consumer privacy. We welcome
you, Ms. Cooper. Whenever you are ready, please begin.
STATEMENT OF ALISSA COOPER, CHIEF COMPUTER SCIENTIST, CENTER
FOR DEMOCRACY AND TECHNOLOGY
Ms. Cooper. Chairman Markey and members of the
subcommittee, on behalf of the Center for Democracy and
Technology, I thank you for the opportunity to testify today.
CDT is a nonprofit public policy organization dedicated to
keeping the Internet open, innovative and free. The legal and
policy implications of the technique known as deep packet
inspection are of great importance to us.
The Internet was built on the principle that data could
travel from one end of the network to the other, largely
without interference along the way. Likewise, privacy laws in
this country were crafted to protect our communications,
whether they be phone calls, e-mails, or Web site visits, from
being intercepted in transit. The confluence of technology and
policy in this respect was no accident, and it has resulted in
the emergence of the Internet that we know and love today, a
trusted platform that supports astounding levels of economic
activity and individual expression. Deep packet inspection, or
DPI, could be used in ways that upend this paradigm by giving
network operators the ability to intercept and analyze the
Internet communications of their subscribers. While some uses
of DPI technology are benign and even beneficial, others raise
serious questions about the future of privacy, innovation and
openness online. Though all these issues are near and dear to
CDT, today I will focus specifically on privacy.
The bottom line is this: Certain uses of DPI allow
consumers' communications to be centralized, scrutinized, and
monetized. Absent careful privacy safeguards, DPI systems run
the risk of damaging the consumer confidence in the Internet
that has allowed the medium to flourish. DPI has recently been
put to a new use: the tracking of consumers' online activities
for the purpose of showing them targeted ads. Traditionally, ad
network companies have contracted with Web sites to collect
data about consumers. In the new model, ad networks partner
instead with Internet service providers and do their collection
using DPI.
As it has been implemented thus far, this model poses
unique risks to consumer privacy. CDT values advertising as
potent fuel for Internet growth, and we all cherish the free
content that it supports, but ad networks that use DPI may gain
access to the bulk of consumers' Web-browsing activities,
including visits to political, religious, and government Web
sites. While traditional ad networks may be large, few, if any,
provide the opportunity to collect information as
comprehensively as with DPI. Furthermore, most consumers would
be quite surprised to find a middleman lurking between them and
the Web sites they visit. The DPI model defies consumer
expectations.
As several members of this subcommittee have rightly
pointed out, the Cable Act prohibition against collecting or
disclosing personally identifiable information without consent
is relevant here. We believe that a view into most everything a
person does on the Web constitutes personally identifiable
information, PII, under the statute. So far, cable ISPs have
not only failed to obtain consent, but also they have not even
told their subscribers that their Internet communications will
be captured and shared with a third party.
The Federal Wiretap Act is also applicable. The Wiretap Act
prohibits the interception and disclosure of electronic
communications without consent. Importantly, the Act applies
regardless of whether communications are highly personal and
sensitive or completely anonymous. Think of it this way: if an
eavesdropper were listening in on your phone calls but didn't
know your identity or record the calls, you would likely still
feel that your privacy had been violated. The same logic
applies to DPI systems.
Though consent is merely one of many critical factors in
designing a DPI system, these laws raise the question: how
should consent be obtained? Notice must be uncomplicated and
unavoidable, and it should mention the third party if one is
involved. Consent should be expressly provided, not assumed. If
a consumer does not consent, her communication should not be
intercepted, and consumers should have the opportunity to
change their minds, revoking their consent at any time through
an easy-to-find, simple-to-use process. DPI has not emerged in
a vacuum but rather in a digital environment where more data is
collected and retained for longer periods than ever before.
Although our communications privacy laws apply to the model I
have described today, our Nation still has no comprehensive
consumer privacy law to protect personal data across the board.
Congress needs to take a broad look at both DPI and online
privacy concerns at large. Among other recommendations, my
written statement suggests that, one, the subcommittee should
urge the Federal Trade Commission to address DPI in its
proposed privacy guidelines and to exercise its full
enforcement authority over online advertising, and two, the
subcommittee should set a goal of enacting in the next year
baseline consumer privacy legislation that would protect
consumers from inappropriate collection and misuse of their
information.
Thank you, and I look forward to your questions.
[The prepared statement of Ms. Cooper follows:]
[GRAPHIC] [TIFF OMITTED] T8071.001 through T8071.032
Mr. Markey. Thank you, Ms. Cooper, very much.
Our second witness is Mr. Robert Dykes. He is the founder,
chairman, and chief executive officer of NebuAd, a behavioral
advertising firm. Prior to forming NebuAd, Mr. Dykes held
senior positions with Symantec Corporation and the Ford Motor
Company. We welcome you, sir. Whenever you are ready, please
begin.
STATEMENT OF ROBERT R. DYKES, CHAIRMAN AND CEO, NEBUAD, INC.
Mr. Dykes. Thank you, Mr. Chairman, Mr. Stearns, and other
members of the committee. My name is Bob Dykes, CEO of NebuAd,
a recent entry into the online advertising industry.
My objectives today are to recognize that our business
process, which involves partnering with the Internet Service
Providers, the ISPs, raises legitimate privacy issues, but also
I want to explain how we have addressed those issues and
continue to do so and to enlighten the members of the
subcommittee in as much detail as possible within the time
allotted about NebuAd's service and technology. In doing so, I
hope to dispel the many myths and misconceptions that have
surfaced about our company.
In many ways, I feel like Galileo when he was viewed with
skepticism on demonstrating that the earth revolved around the
sun. Members of the subcommittee, the science exists today, and
NebuAd is using it to create truly anonymous profiles that
cannot be hacked or reverse-engineered, and it is possible to
provide ISP subscribers prior robust notification and a
meaningful opportunity to express their informed choice whether
to participate in NebuAd's targeted advertising so that they
are in control of their online experience.
I come from a security background, serving for many years
as executive vice president of Symantec Corporation. When we
launched NebuAd several years ago, it was a time when many
people had particularly heightened concerns about data
security. As part of its mission, NebuAd sought to address
these privacy and security concerns. As you will see, NebuAd
systems are designed so that no one, not even the government,
can determine the identity of our users.
Currently, online advertising solutions and data collection
methods operate in many locations throughout the Internet
ecosystem, from users' computers to individual Web sites to
networks of Web sites. The NebuAd service, in partnership with
ISPs, provides consumers with significant benefits, serving
them with more relevant ads, which they want, while ensuring
they have robust privacy protections and control over their
online experience.
NebuAd's ad network also is designed to benefit two groups
that provide substantial value on the Internet, the many
smaller Web sites and general use sites that have difficulty
maintaining free access to their content and the ISPs who need
to upgrade their infrastructure to provide increased bandwidth
for consumers who increasingly want access to
Internet-delivered videos. NebuAd creates these benefits by using a
select set of a user's Internet activities to construct
anonymous inferences about likely interests, which are then
used to select and serve the most relevant advertisements.
We appreciate that there are groups who would like the
Internet service providers to be like the post office, but ISPs
and the many other entities that operate the Internet are in
fact commercial enterprises, not nonprofit, quasi-government
organizations. As such, they can see that much of the Internet
is well supported by advertising revenue, and it is legitimate
for them to seek ways to also increase their advertising
revenues. NebuAd enables that endeavor while allowing its ISP
partners to maintain their subscribers' trust by giving them
control over their online experience. The NebuAd service is
architected and its operations are based on principles central
to strong privacy protection. That is, we provide users with
prior robust notice about the service and the opportunity to
express informed choice about whether to participate both
before the service takes effect and persistently thereafter. We
do not collect or use personally identifiable information, that
is PII. We do not store raw data linked to identifiable
individuals, and we provide state-of-the-art security for the
limited amount of information we do store.
I listened to comments from members of the Senate Commerce
Committee last week and the CDT's testimony during that
hearing. Immediately after the Senate hearing last week, I made
plans to sit down with the CDT to discuss practical solutions
to issues they and Members of Congress have raised around
notice and informed choice. We met yesterday with staff of the
CDT for a few hours and believe that a common ground can be
reached on a framework that involves prior and unavoidable,
simple, but complete notice to ISP subscribers about NebuAd's
operations and an easy and obvious means for consumers to
express their informed choice both before NebuAd's behavioral
advertising takes effect and thereafter. We also reached a high
level of understanding of how a mechanism can be designed that
would honor consumers' choice not to participate in NebuAd's
targeted advertising and not to have information about their
browsing behavior flow to our service. I am extremely
encouraged by this and have set a goal of being a privacy
leader since I started NebuAd. I will continue to work with CDT
on the framework we discussed yesterday, and I am happy to keep
members of this committee informed of our progress.
In the meantime, we continue to innovate on privacy. NebuAd
last week announced that it was enhancing the industry standard
notice options of regular mail and e-mail with a new
interstitial or online service, which would appear on a user
screen prior to the NebuAd service being enacted. We have
designed this notice to be easily readable and understandable,
so that users can exercise informed choice. In addition, we are
working with our ISP partners to make users' choice of
participating in the service more persistent. The NebuAd opt-
out system is a more robust mechanism than traditional cookie-
based opt-out systems, and as a default, users are considered
opted out of the NebuAd system until such time that the system
can confirm the consumer has not opted out. So for example, if
your Web browser blocks cookies, the NebuAd system will
consider you to be an opted-out user and will exclude you from
NebuAd's information collection and targeted ads. Further, we
are developing a network-based opt-out and working with ISPs on
other mechanisms that can be offered to users to honor even
more robust and persistent choice, and these will be able to be
configured to ensure that traffic from opted-out users is not
diverted.
We understand that to gain the public's trust, we need to
adopt strong privacy protections. Ours have been reviewed by
such entities as the Ponemon Institute, and we are engaging a
Big Four audit firm to conduct an audit to verify that we do
what we say we do.
This committee has long been involved with the creation of
privacy statutes covering the cable and telecommunications
industries, as well as specific statutes addressing online
privacy for children and telemarketing. Yet even these and
other privacy statutes have been developed one at a time. There
is a common thread running through them all, that is, the more
sensitive data that is collected and when the collection or
disclosure of the data could harm or embarrass a consumer, more
rigorous disclosure and consent requirements tend to be
imposed. When raw data is linked to identifiable individuals,
there is an emerging trend that more rigorous disclosure,
consent, and security requirements should be imposed.
NebuAd supports this privacy paradigm, which provides users
with consistent expectations and substantial protections. This
paradigm also is technology and business neutral, and it is the
basis on which NebuAd built its technology and operations.
NebuAd urges the committee to maintain both the paradigm and
the principle of technology and business neutrality, and we are
in favor of a baseline privacy law consistent with that
principle. Thank you.
[The prepared statement of Mr. Dykes follows:]
Mr. Markey. Thank you, Mr. Dykes.
Our next witness, Dr. David Reed, is an adjunct professor
of engineering at the Massachusetts Institute of Technology. He
is affiliated with MIT's renowned media lab, where he focuses
on communications technologies, and he was also a pioneer in
the development early on of the Internet. We welcome you, Dr.
Reed. Whenever you are ready, please begin.
STATEMENT OF DAVID P. REED, PH.D., ADJUNCT PROFESSOR, THE MEDIA
LAB, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
Mr. Reed. Thank you. Mr. Chairman and distinguished
members, good morning. I want to thank you all for the
opportunity to testify on this matter, which I think is very
important. I have been involved, as you mentioned, with the
Internet's design and development since 1976, when I joined the
Internet project as one of its architects working with Vint Cerf
and Bob Kahn and many others. As one of those who designed the
Internet, I feel I have a duty to those who use the Internet
today and will use it tomorrow. That personal duty, rather than
any commercial interest, is why I am here today.
Though we all use the Internet, let me set some context
that relates to its technology and that can explain my
testimony. First of all, participating in the Internet as a
transport or access provider implies adherence to a set of
technical protocols and standards and standard technical
practices that are essential for the proper functioning of the
collective Internet as a whole. These rules and practices are
analogous in many ways to the rules and practices of global
banking or international commerce. There is a strong
distinction made in the Internet design between information
needed to transport Internet datagrams, or packets, and the
information that the end users request to be transported. This
distinction is crucial to the scalability, innovation rate, and
economic impact of the Internet, as well as playing an
important role in ensuring the privacy and safety of users of
the Internet and limiting liability for the companies that
invest in providing the Internet infrastructure.
The speed of digital systems has changed dramatically over
the last 30 years and has led to a new, innovative technology
that allows the inspection of packets as they transit the
Internet at full speed and in complete depth. This set of
technologies, often called deep packet inspection, make it
possible on a large scale to dig into the content of all end-
to-end messages at almost any point in the network, do
selective recording and analysis of such messages, and to
modify and to inject messages into the Internet that appear to
be messages from a particular source but in fact are partially
the result of actions by a third party unrelated to that source
and without the ability of the end-point system to detect the
modifications or insertions.
These technical innovations are being packaged into
applications and sold as solutions to Internet access providers
and Internet transport providers by a number of vendors,
notably Phorm, NebuAd, Sandvine, and Ellacoya Networks, but
hardly limited to those vendors. A subset of these
technologies, called deep packet inspection technologies,
targeted at marketing are particularly worrisome because they
involve inspection of end-user to end-user information content,
decoding that content and making of inferences about the
meaning of that content and modifying the content in flight
without particularly making that inference or the other
activities an aspect of the agreement between the end-users on
both ends.
In my testimony today I draw several conclusions that
Congress may want to consider as it explores use of these
technologies. First, and this is most important, that DPI
technologies are not at all necessary to operating the Internet
or to profitable operation of Internet operators. In fact, they
actually violate long-agreed standards and principles of
Internet design since the beginning, and these principles that
have been around from the beginning have led to the Internet's
enormous impact and continued success.
Second, DPI technologies pose major risks to the economic
success of the Internet as a whole. They do so by normalizing
nonstandard and risky technical activity on the part of telecom
operators and broadband operators who may choose to exploit
their captive customers rather than transparently deliver the
communications services for which their customers have paid.
Third, that protecting themselves from the negative impact
of these technologies on their private business imposes
significant additional costs on the knowledgeable customers of
Internet transport operators and on developers of new Internet
services while at the same time exploiting the unwitting and
captive customers of service providers who choose to deploy
them.
Let me start off by saying, it is best to think of the
Internet as a shipping service, in some sense a collection of
shipping modes like airplanes and ships and railroads and so
forth, that carry packages. The end-users put their information
in these packages, which will be called packets, and put
addressing information on the outside of the packet, and they
present them to a shipping agent, who chooses a path and a set
of warehouses along the way, that might be called routers, that
deliver these packets. What makes deep packet inspection deep
is the use of this technology to collect and modify the
internal contents of these packages as if they were a high-
speed X-ray technology that was able to examine packets without
changing them and also high-speed manufacturing technology that
can actually open up the packets, manufacture something new,
stick it in, and send it along, and I think that analogy is
actually very strong. Note that it is unnecessary for the
carriers to look inside the packages to do their job. This
separation of concerns that was built into the Internet, that
of transport versus packet access, is part of the economic
success of the Internet and also part of the privacy
functionality that was built in from the beginning. There
should be no reason to look inside these packets.
One more thing about the Internet that is different is that
the Internet is constructed based on protocols or conversations
between the endpoints, and these protocols are an understanding
between the end-users, not the end-users and their carrier.
When DPI systems make inferences about packet contents,
they do not have access to the meaning that is intended by the
endpoints of those protocols, and because of that, it poses
significant risks, and with that, I will finish here and await
your questions.
[The prepared statement of Mr. Reed follows:]
Mr. Markey. Thank you, Dr. Reed, very much.
And our next witness is Mr. Bijan Sabet. He is a general
partner at Spark Capital, a venture capital fund focused on the
media, technology, and entertainment industries. Mr. Sabet has
led numerous investments in startup technology companies and
has worked for Apple Computer. We welcome you, sir. Please
begin.
STATEMENT OF BIJAN SABET, GENERAL PARTNER, SPARK CAPITAL
Mr. Sabet. Thank you, Mr. Chairman and Ranking Member
Stearns, for the opportunity to testify today. I am from
Boston, but I am a Yankee fan, so please don't hold that
against me.
Mr. Markey. Thank you for helping us to win the All-Star
Game so the final game in the World Series can be at Fenway
Park. We thank all the Yankee players for helping us.
Mr. Sabet. All right. Well, my name is Bijan Sabet. I am a
general partner at Spark Capital based in Boston,
Massachusetts. Spark Capital, as you said, is a venture capital
firm, and we are managing and investing in excess of $620
million. We make direct investments in early-stage companies,
in the Internet, media and technology industries. To date, we
have made 25 investments in this area. We are being very
aggressive, and it probably will be over 30 companies next
year, and our companies are generating real value, real
technology, real revenue, and real jobs.
Deep packet inspection is something I care a great deal
about, as well as my partners, and will directly impact the
Internet ecosystem, which is beginning to thrive. As a
technology, I believe there is nothing wrong with DPI. It is a
significant technology breakthrough, and up until fairly
recently, DPI could not be achieved at scale at any reasonable
cost. So I don't have any criticism about NebuAd specifically
or any vendors that have DPI technology. The issue at hand is
how DPI is implemented and how it is managed. It is less about
whether these vendors have certain features or not. It is about
what can and cannot be done with DPI.
So to start off, just a quick definition of DPI. I think
Wikipedia cites it well when it states that deep packet
inspection, or sometimes complete packet inspection, is a form
of computer network packet filtering that examines the data or
header form of packets as it passes an inspection point
searching for non-protocol compliance, viruses, spam,
intrusion, or predefined criteria to decide if the packet can
pass or if it needs to be routed to a different destination or
for the purpose of collecting statistical information. This is
in contrast to shallow packet inspection, usually just called
packet inspection, which just checks the header portion of a
packet.
So we need to understand the impact of DPI. DPI can provide
significant economic and consumer benefit if used correctly,
but it can cause significant problems if used incorrectly.
There are really two issues to consider. One is privacy, which
I think Dr. Reed and Ms. Cooper summarized very well, and I
largely agree with them. I think the other issue is how DPI
relates to the open Internet.
My interest in providing this testimony is less about
privacy per se and more about DPI's impact on the open Internet
and the Internet ecosystem. The important question is, do we
want an open Internet or a closed Internet, where ISPs can
decide what content and applications should be available?
Specifically, should ISPs decide if a competitor's product will
be able to flow to the home or not? That is just one example.
That is the topic I would very much like to discuss with all of
you.
We have all seen the explosion and growth of the Internet
in the business and consumer markets. It has been a large
success. High-speed Internet to the home has fueled this
growth, with applications such as Apple iTunes, Google's
YouTube, joint ventures such as Hulu by NBC and Fox. This world
is moving quite fast. Consider Netflix, which was once only a
mail order DVD rental company. It is now streaming full-length
movies on demand over the Internet. Thus, the impact of high-
speed Internet has just begun. Hundreds and hundreds of
startups by venture capitalists like myself are investing in
this space, because entrepreneurs and investors alike see the
value in the open Internet.
And while the Internet is growing rapidly and investors are
pouring money into the new ideas and new opportunities and new
businesses and new jobs funding new technology, U.S. broadband
penetration is not as good as it should or could be. The chart
I provided in my testimony is from the Organization for
Economic Co-operation and Development, and it shows that as
recently as 2007, the United States was ranked 15th in terms of
broadband penetration, so we are behind many countries such as
Canada, France, Germany, Korea, Iceland, Denmark, etc.
The other interesting note here is there is not a very good
definition of what high-speed or broadband access is. Up until
recently, broadband in this country was defined as 200 kilobits
per second, which by today's standards would not be considered
high-speed data.
Hopefully, we would all believe that it is in our economic
self-interest to explore ways to make the United States a
leader in high-speed Internet. We need more applications and
consumer benefit to increase broadband adoption in the United
States. We need lower cost of service, and we need a national
coverage plan. The open Internet and growing broadband
penetration are the key economic drivers of the Internet
ecosystem and economy from my perspective as a venture
capitalist.
And that brings me back to the topic of DPI and its
potential negative impact on the open Internet. Many are
calling this topic of the open Internet and DPI a discussion
around network neutrality, which is the principle about an open
network with restrictions potentially only for legal purposes.
The danger is that ISPs would and could use DPI as a way to
turn off or slow down third-party applications or third-party
services. Recently, the FCC discovered that this was happening
with a large ISP and a third party. In this case, it was a
startup called BitTorrent.
We don't have to imagine what would happen if ISPs continue
to do this. We have only to look at the mobile industry. Many
venture capital firms like mine are investing in the mobile
space, but cautiously compared to the open Internet sector. Why
are we doing that? Well, consider the biggest success startup
stories in the last 15 years, and the vast majority of them
were companies that were a result of the open Internet
ecosystem. Ask yourself, which startup companies have created
billions of dollars of value and thousands of jobs in the
mobile space? There are few, but these examples are far less
than those that are coming from the open Internet ecosystem.
That is because the mobile Internet, the mobile system, is
closed. There is no ecosystem in the United States. Carriers
are able to block Web sites. They are able to block third-party
applications and services, and as a result of this closed
network, most consumers in the United States are not signing up
for Internet access on their mobile phones, which means a less
attractive market for innovation, a less attractive market for
investors, a less attractive market for entrepreneurs----
Mr. Markey. Mr. Sabet, could you summarize, please?
Mr. Sabet. So we need a healthy and growing broadband
market in the United States. I would like to see our cable
companies and telephone companies thrive and grow their
businesses with new technology and capabilities and new
applications. New applications will help them sell services,
too, but it should not be at the consumer's expense or the
Internet ecosystem's expense.
Thank you for your time and consideration.
[The prepared statement of Mr. Sabet follows:]
Mr. Markey. Thank you, Mr. Sabet, very much.
Our final witness, Mr. Scott Cleland, is a founder and
President of Precursor LLC, a research and consulting firm. He
blogs and speaks frequently on issues related to the Internet
economy. We welcome you, sir.
STATEMENT OF SCOTT CLELAND, PRESIDENT, PRECURSOR LLC
Mr. Cleland. Mr. Chairman and members, thank you for the
opportunity to testify. I am Scott Cleland, President of
Precursor LLC, an industry research consulting firm. Full
disclosure: I am also chairman of NetCompetition.org, which is
a pro-competition e-forum funded by telecom, cable, wireless,
and broadband companies. My testimony today reflects my
personal views, not those of my clients.
I believe the real problem here is not necessarily the
prospect of deep packet inspection but the current patchwork of
U.S. privacy laws, a lack of holistic approach to Internet
privacy, and selective oversight of privacy problems. I believe
they all combine to create perverse incentives for some
companies to arbitrage privacy laws and to push the privacy
envelope. As a result, abuse of privacy is among the most
serious problems that face users of the Internet. I believe the
lack of a holistic, comprehensive, and balanced approach to
privacy law and oversight is a serious threat to Americans'
privacy.
Now, broadband companies have long been subject to strict
privacy laws, sections 222, 551, and the ECPA. These laws
create serious consequences for the misuse of private
information without a user's permission. Consequently,
broadband companies have developed extensive policies,
practices, and procedures to respect users' privacy and protect
private information. Now, the subcommittee's oversight of deep
packet inspection for advertising purposes is very appropriate,
and existing laws, I believe, appear to cover these practices.
What I am concerned about is that the selective oversight
of only broadband privacy matters fosters a blind eye to the
arbitrage of privacy laws by companies like Google, Yahoo, and
others. This creates perverse incentives for companies not
covered by U.S. privacy laws to push the envelope on privacy to
gain competitive advantage. Now, Americans' privacy should not
be an unrestricted commodity to sell to the highest bidder or
to gain competitive advantage. Specifically, I am troubled with
the broadband focus of this hearing, because privacy is a
cross-cutting, big picture issue that knows no boundaries
between the application, the transport or the content layers of
the Internet. By turning a blind eye to Google, which I believe
is the worst privacy offender on the Internet, it is
systematically invading and abusing Americans' expectation of
privacy.
Now, my feeling about this hearing is, it is here to create
fear about what broadband providers could do while it is
ignoring what Google and others are actually doing today that
hurts Americans' privacy. Now, the irony here is the worry
about whether broadband privacy blinds are perfect when the
Internet house has no privacy walls at all. Let us consider the
depth and the breadth of the intimate blackmailable information
that Google already collects on you: everything you have
searched for; everywhere you have gone on the Web; what you
watch through YouTube; what you read through Google news
Feedburner blogger; what you say in your e-mails; what you
produce in Google Docs; what your family and friends look like
through Picasa; your medical conditions and history, through
Google Health; your purchase habits through Checkout; your call
habits and voice prints through Google Talk; your travel habits
and interests via Google Maps; your interest in places through
Google Earth and StreetView; your personal information through
Orca, G-mail, Checkout, and other places where you go and hang
out, which will come through Android; where you will be or
where you work through Google Calendar.
The scale and scope of Google's unauthorized Web
surveillance, and I use that term, that should be as concerning
to people as deep packet inspection, unauthorized Web
surveillance, and I commend the chairman today in the
Washington Post for talking about this. He said surreptitiously
tracking individual users' Internet activity cuts to the heart
of consumer privacy. I couldn't agree more with the chairman on
that. So this is truly Orwellian Big Brother stuff. While
Google is not the government, all this information that Google
collects is on Google's servers, it is not on your PC where you
own it, and it is available to the government via subpoena.
So in sum, information is power. Power corrupts. Absolute
power corrupts absolutely. Google's market power over private
information is corrupting Google. Just like former FBI Director
J. Edgar Hoover was corrupted by his power and mastery of
personally sensitive information, Google's unprecedented
arbitrage of privacy law combined with its exceptional lack of
accountability is fast creating this era's privacy-invading,
unaccountable equivalent, which I call J. Edgar Google.
Remember the timeless insight: Those who don't learn from the
past are doomed to repeat it.
Thank you for the opportunity to testify.
[The prepared statement of Mr. Cleland follows:]
Mr. Markey. Great. Thank you, Mr. Cleland, very much.
Now we are going to turn to questions from the panel, and I
want to begin by agreeing with Mr. Cleland, that absolute power
corrupts absolutely. So Mr. Dykes, not only do you get access
to all of Google, but you get access to all of eBay, Amazon,
everyone. If there were 56 companies up here, not just Google
but everyone else at a company, you would get access to all of
the information, so you are Google times 100 in terms of the
information you can with this deep packet inspection
coordinating with a broadband carrier get access to. So I would
like to get crystal clear, Mr. Dykes, what your privacy
position is, and I would like a simple yes or no, please. One,
do you support giving consumers clear, conspicuous notice?
Mr. Dykes. Yes, sir.
Mr. Markey. Two, do you support a meaningful opt-in
standard for authorizing use of a consumer's data?
Mr. Dykes. Well, sir, I would say that to characterize opt-
in or opt-out is probably not as important as to say there has
to be a very robust notice----
Mr. Markey. No, no, no. The difference is that you have got
to get the consumer to say yes, OK. Do you support a policy
that says the consumer must say yes before you are allowed to
roam through all of their personal data and turn it into an
information product which is then sold to other companies? Yes
or no on that question.
Mr. Dykes. Mr. Chairman, I think you are forcing me into
one of those, ``Have you stopped beating your wife recently.''
Mr. Markey. No, no, no, no, no, have you stopped beating
the consumer is the question, OK, and I want to know, Mr.
Dykes, do you support getting permission affirmatively from the
consumer before you start beating them up by sending them other
information that they have not asked for? Mr. Dykes, yes or no.
Mr. Dykes. I really must protest and say that it is much
more important to ensure that the consumer is well informed on
the decision being made than to use the----
Mr. Markey. Oh, I already asked you that first question.
You already answered that one. That is yes. Now I want to know
what you mean by that, and by that, should you get permission
from the consumer first, Mr. Dykes? You have absolute power, as
Mr. Cleland just pointed out. You are going to have access to
all the information. Do you want to give them--will you give
them opt-in?
Mr. Dykes. Mr. Chairman, I really have to say that how what
we do is characterized is going to be characterized by----
Mr. Markey. All right. Let me ask you the third question.
Do you agree that consumers who do not grant consent should not
have their Web use tracked, intercepted, or profiled?
Mr. Dykes. Yes, Mr. Chairman, we in fact have explained
that recently we have created innovation that will enable that.
Mr. Markey. So that is a yes, they should not get
information if they have not granted consent?
Mr. Dykes. That is right. If they have opted out, for
example, they should not be tracked.
Mr. Markey. No, I am not saying that. I am saying, if they
have not granted consent, that they should not have their Web
use tracked.
Mr. Dykes. As we go through this process of informing them,
if we are not convinced that somebody has not opted either
way----
Mr. Markey. Are you going to then consider that to be
consent if they have not----
Mr. Dykes. If they have not opted either way, then they are
not tracked. For example, if somebody has deleted all their----
Mr. Markey. Well, I don't think that is a high enough
standard, Mr. Dykes. I think that that is basically saying that
silence is consent and that as a result you can do whatever you
want with their information. I don't think unless you have
gotten their affirmative permission that you should be allowed
to be able to take this incredible leap into the breaching of
the privacy of Americans. It is like saying that the mailman
can open up any letter, can open up any package, find out what
is in it, and then start to partner with other companies,
letting them know what individual Americans are receiving in
the mail, what kind of packages are coming to their house, but
it is OK because the consumer doesn't know that you are doing
it and hasn't given you the opportunity to say to the mailman,
stop opening my packages, stop opening my mail, I don't want
anyone to know about it, and so we have a real problem here.
Dr. Reed, can you tell me, sir, how this concept is
consistent with the history of the Internet or inconsistent
with the history of the Internet?
Mr. Reed. Sure. I should clarify that the definition of
deep packet inspection used by Mr. Sabet is not quite right. It
doesn't involve only looking at label information. It does
indeed involve looking at everything in the packet, so the
Wikipedia is wrong, as sometimes it is.
What is inconsistent about the history of the Internet, the
history of the Internet was designed with the shipping of goods
and essentially the ideas that lurk behind common carriage as
its background, and it relates to the idea that the only people
who should be interested in the actual contents of these
messages are the endpoints involved that are the addressee or
source of the message, and we carefully chose that design in
the original design because we didn't want to make the network
more complex, and we knew, A, and B, we knew that the Internet,
it was the first network that had multiple jurisdictions
involved in the transport of packets. AT&T was only one company
but the packets in the Internet flow through many autonomous
systems, all of which could potentially cause trouble to the
endpoints and which are not under control of a central
authority. So the reason we built into the design that the
contents of the packets was sacrosanct from both examination
and action was specifically to deal with the diversity of the
network and to deal with the expectations that could be
standardized at the endpoints, that when you sent a packet, it
would get there with best efforts. That was the fundamental
principle and without examination.
Mr. Markey. Thank you, Dr. Reed.
My time is expired. The chair recognizes the gentleman from
Florida, Mr. Stearns.
Mr. Stearns. Thank you, Mr. Chairman.
Mr. Dykes, I can give you a little help on your answers
from Mr. Markey. You can say ``I don't know.'' We oftentimes
have----
Mr. Dykes. No, I think the way Mr. Chairman further
explained it, I think the answer would actually be yes, that we
do not track people who we are convinced don't want to be
tracked.
Mr. Stearns. Obviously if the chairman wants to say every
time this occurs there has to be an opt-in, then a dialog box
would come up all the time, and I am saying if Congress
mandated that, isn't it possible that when I go on the Internet
and whether we are doing deep packets of information
exploration or whether we are doing, as Mr. Cleland talked
about, unauthorized surveillance, a dialog box would pop up?
Isn't that true under what Mr. Markey--there would be a
constant dialog box, and every consumer would have to click in,
click out? I mean, isn't that what would happen? Give me the
practicality if we went along the reasoning that Mr. Markey is
saying is, we need to have an opt-in every time something
happens, whether it is a surveillance--because Dr. Reed made a
very good point. He is making the analogy between sending a box
from Europe to the United States, and there is an address on
this box, and we are supposing we let your company go into the
box, and there is an implication, Dr. Reed is saying, that you
are messing up the box. So you have to make the case here
strongly this morning that this is not the same analogy and
that the personally identifiable information has nothing to do
with health, it has nothing to do with financial records. The
compilation that Mr. Cleland is talking about is onerous, and
there is lots of stuff coming together, I understand that, but
the only way they can get back is through an IP address, and
you have to be very clever to do that, but some of the things
you are doing are very simple things that you are trying to
say, does Stearns enjoy this type of DVD, does he like this
movie or does he like such and such, and maybe we will
advertise to let him know there is a new war novel coming out
that he might like. So I mean, you are on the pivotal point
here. Whether opt-in or opt-out, this is the key question. So
you have to make the case, and maybe, Mr. Cleland, you can
comment too.
Mr. Dykes. So, the laws--Congress over time has balanced a
whole series of factors in deciding what laws require opt-in,
and opt-in is actually pretty rare, when there is sensitive
information, personal information that could harm or embarrass
somebody, and so we made a particular point of not having any
personally identifiable information, not having any sensitive
information, and so by staying at a very high level, broad
categories characterized against anonymous profiles, we believe
that in the general sense of the law that this country has, we
are really in the opt-out mode. But I really don't think the
opt-in or opt-out is nearly as important as robust notice to
the consumers, so that they truly understand what is going on
and then the opportunity to control that. So obviously you
don't want to be too intrusive with the notices, but I think
there is----
Mr. Stearns. Tell me how you are giving notices today. How
do you give notice to the average consumer?
Mr. Dykes. Today our ISPs generally give notice by either a
separate letter in the mail or separate notice in the billing
statement or an e-mail in----
Mr. Stearns. Does that come before or after you have gone
through the deep packet information?
Mr. Dykes. Before. We need to have a notice happen at least
30 days before any of the service commences so that we can be
sure that people have the opportunity to opt out, and people do
opt out.
Mr. Stearns. So you are saying you already have an opt-out
notice in place?
Mr. Dykes. Yes, sir, we do. We have these notices, and
these are the notices that in general privacy rules are
considered to be very robust notice today. We are going to go
beyond that when we introduce or are introducing technology to
allow that notice to be online.
Mr. Stearns. OK.
Mr. Dykes. And we will work with CDT to improve that
process and ensure that we find a way to meld the needs of
privacy with users' expectations and good user----
Mr. Stearns. Mr. Cleland?
Mr. Cleland. Yes. Thank you. The point I want to reiterate
is, broadband companies are subject to strict privacy laws.
They respect privacy laws. They have cultures that embed
policies, practices, and procedures that respect privacy. That
is the law. My point here is, we are worried about whether the
blinds on the window are perfect when the house doesn't have
any walls, and so people are worried about broadband and deep
packet inspection that is covered by the law, and there is
oversight like this hearing, and there are regulators that can
look into it, yet what happens with Google and Yahoo and some
of these others is, there is no privacy law, and there is no
oversight, and so there is huge arbitrage.
Mr. Stearns. Dr. Reed?
Mr. Reed. Yes, I will just comment that two broadband
providers, one noted in this document from Robert Topolski,
who works with Free Press and Public Knowledge, and another,
Charter Communications in the United States, are considering
using--or have used, so they have already violated the privacy
laws if the privacy laws apply, or are considering using this
technology with American citizens with whatever is going on,
and Phorm Technology has been actively operating a very similar
service based on similar technology in partnership with British
Telecom in the UK. So it is a little bit unreasonable to claim
that the providers feel they are constrained from using this
technology by those laws today. Maybe they haven't consulted
their legal department.
Mr. Markey. The gentleman's time is expired. The chair
recognizes the gentleman from Michigan, Mr. Stupak.
Mr. Stupak. Thank you, Mr. Chairman.
Mr. Dykes, if you are on one of the ISPs, how do I know,
how am I given notice that your company is tracking my
information?
Mr. Dykes. Today, sir, we provide notice via a----
Mr. Stupak. You provide notice or the ISP?
Mr. Dykes. The ISP provides notice. There is a separate
note in your billing statement or separate letter, or if they
are confident it will be read, an e-mail to you. But as I said
previously, we are now introducing newer technology so that
notice can be online so you can read it directly there as well.
Mr. Stupak. And if I opt out and I don't want to be part of
this program, you can still track everything I do and every
site and where my interests might lie, correct?
Mr. Dykes. Well, the very point of your opting out is that
we then don't do that, and if we were already doing it and you
opted out, we immediately delete all of the records that we
have on such an opted out----
Mr. Stupak. And you don't track after that?
Mr. Dykes. Correct, sir. We don't collect any data once you
have opted out. We delete all the data we might have had. But
by providing that notice 30 days before a system begins in your
neighborhood, there is a good chance that it never would have
been collected.
Mr. Stupak. What if people don't return, don't respond? Do
you just start tracking them?
Mr. Dykes. Sir, that is why we make sure that we are not
tracking any personally identifiable information or----
Mr. Stupak. So the answer is, if I don't respond, I get
tracked?
Mr. Dykes. Sir, that is the way the general privacy laws
are written today is that where there is no personally
identifiable information or sensitive information----
Mr. Stupak. Well, I think most Americans would state that
is not the law. I think most Americans would believe that the
information they have about themselves is theirs. Just because
I belong to an ISP doesn't give you the right to track me. If I
want to be tracked, it should be affirmative. As I said in my
opening statement, there really should be an opt-in. Why do I
have to opt out? Why should the burden be on the American
consumer? Should it not be on the ISP or your company that
wants to track my information?
Mr. Dykes. Well, sir, I think that there should be a common
set of laws around privacy in this country that generally
treats the various technologies in exactly the same manner.
What we do with the Internet or offline, et cetera, should have
a common set of principles, and I don't think that one set of
companies should be penalized versus another set of companies.
Given a general law, we are very happy to comply with however
that law is set up.
Mr. Stupak. So if we pass a law that says you can't do any
deep packet unless the consumer actually opts in, you would be
satisfied with that?
Mr. Dykes. Well, we would be satisfied with any law you
pass, sir, so we will work within that.
Mr. Stupak. OK. Dr. Reed, you spoke about how deep packet
technology can be used to assist law enforcement, but you also
expressed concerns regarding how it may negatively affect the
network's ability to function. How do you reconcile the two?
Mr. Reed. In specific law enforcement or----
Mr. Stupak. Yes.
Mr. Reed. Well, first of all, there are two things going on
here. Law enforcement use of these technologies, which is in
some cases mandated by CALEA, the law you have passed,
generally only inspects the packets, generally uses the
information derived from those packets in legally sanctioned
ways and I presume is using the rules of the government to
guard and safeguard that information and how it is used. So
while I am----
Mr. Stupak. So law enforcement more goes for an information
packet. From there if there is reason to believe a crime may be
committed, that is when they go deeper to identify the
individual?
Mr. Reed. Well, in fact, a number of these technologies I
believe are used currently by law enforcement selectively and
by intelligence agencies on foreign traffic----
Mr. Stupak. Sure, like----
Mr. Reed [continuing]. And those technologies are
collecting the information but in very safeguarded locations,
government-owned or controlled locations. The analysis
performed on them is subject to review by various processes
ranging from--so they are not just used immediately to react,
and the review is a legal review in many cases where, for
example, the standards of evidence are required to actually act
on that information, so an FBI agent may in fact be using deep
packet inspection to derive information, but whether it can be
presented in court or used for exploration, those are matters
that I, not being a lawyer, am not deeply expert in, but my
understanding is that that is quite a different kettle of fish
than here. I don't think commercial companies have the ability
to carry out such a duty of care.
Mr. Stupak. Are DPI devices accessible remotely? In other
words, what I mean, are they susceptible to hackers who may
wish to commit identity theft, in your estimation?
Mr. Reed. They could be. I have not examined them. I would
be happy to examine, for example, NebuAd's devices and
technology, but what I know about them is based on observations
by people who detect them in the network and analyze them as
black boxes based on what they do and what they seem to do plus
their marketing materials, and I have no specific knowledge of
how easy it is to break into them. I believe Mr. Dykes is
correct that you can make them quite secure if you put that
amount of energy into them, but nearly every technology can be
broken.
Mr. Stupak. Thank you.
Mr. Markey. The gentleman's time is expired. The chair
recognizes the gentleman from Oregon, Mr. Walden.
Mr. Walden. Thank you, Mr. Chairman, and I appreciate the
hearing on this very important matter, I think, and I concur
with the chairman's comments and others that I think the
average consumer out there views this more, or wants to, their
time on the Internet more like they view the postal system, and
I realize that is in disagreement with some on the panel, but I
thought the chairman hit it on the head. If I order a package
from some site, I don't expect the postal person to go through
it on the way, figure out what it is--I thought that was a
great analogy, Mr. Chairman--and then decide who they think
ought to come and market me, and that is different than walking
into a store and realizing I am public and shopping around, I
think. And so I think for the Internet to really survive as an
engine of commerce, you have to have opt-in, and I think that
is what consumers want. That is what I would want. I get enough
junk mail. I am not sure I am going to plow through every
letter I get or every whatever it is you are--do you have a
copy of what you send out, by the way, Mr. Dykes?
Mr. Dykes. Yes, sir, we can provide that to you.
Mr. Walden. I would love to see it, but the fact that I
have to take affirmative action so that I can stop you from
making money on my transactions on the Internet seems sort of
backwards. Isn't that really what you are saying I have to do?
I have to opt out under your scheme.
Mr. Dykes. Sir, as I said, I think it is most important
that we inform you what we are doing. That is----
Mr. Walden. That you do what?
Mr. Dykes. That we inform you of what we are doing, robust
information, a notice that you can clearly understand what is
happening, and then you can make your choice. The----
Mr. Walden. But why is the burden on me to make the choice,
because the choice you are asking me as a consumer to make is
to prevent you from taking an action that enriches you, right?
Mr. Dykes. Sir, the----
Mr. Walden. You are in this to make money. That is not a
bad thing. But you are building a business model here, and
aren't you in part betting that there are going to be consumers
who ignore those notices or don't understand them or whatever,
so you get to work that angle, plus those who affirmatively say
you bet, I like your concept, and there will be some who say
yes, update me on the latest from whatever organization.
Mr. Dykes. Sir, the Internet is not like the post office
inasmuch as it is actually run by commercial organizations, and
the ISPs have noted that more than half of Internet funding is
coming from advertising today, and I think it is a legitimate
desire on their part to increase the amount of advertising that
they receive to help fund the Internet, and so this is a manner
to do it with very robust privacy controls.
Mr. Walden. Wouldn't the most robust privacy control be
that of opt in?
Mr. Dykes. Well, as long as we are not collecting any
personally identifiable information or sensitive information,
then we believe it is possible to note innocuous commercial
categories mapped against anonymous profiles so that there is
no consumer harm in that regard and then derive additional
value from that.
Mr. Walden. But you have the ability to personally track
identifiable sensitive information, right? You could get access
to that.
Mr. Dykes. Well, we can't access any secure information. If
it is an HTTPS transaction, for example, it is just physically
not possible for us to track secure transactions such as when
you go to your bank. So no, sir, we can't track everything
on----
Mr. Walden. But if you are an Internet consumer and you are
just looking at different sites, you are planning a vacation
somewhere and so you go to the site on the Virgin Islands or
Crater Lake Lodge in Oregon, you could track that I am looking
at that site?
Mr. Dykes. That is an example where we wouldn't then keep
track of the fact that you went literally to that site. We
would note the fact that you are interested in travel.
Mr. Walden. Right, but you would know who I am.
Mr. Dykes. No, we do not know who you are.
Mr. Walden. You just know that my IP address?
Mr. Dykes. We don't keep the IP address either, sir.
Mr. Walden. But you have access to it?
Mr. Dykes. We don't keep it. We don't----
Mr. Walden. That is a different question. Do you ever have
access to it?
Mr. Dykes. What we do with the IP address is, we translate
them immediately in real time to an anonymous identifier in a
one-way cryptology so that we can't find our way back to the IP
address. So we don't have access to the IP address.
Mr. Walden. Dr. Reed, does that track? I am not questioning
what you said. I am just trying to figure out how all this----
Mr. Reed. Actually, there is a distinction that I am making
that Mr. Dykes may not be making, which is that he is talking
about the Internet including all the services that are on the
Internet, such as Google and so forth, and I am speaking
specifically of the transport part of the Internet. It is the
case that banks, for example, while they take your password
over a secure link, present things like account information and
so forth using HTTP transactions in the clear. That is not true
of all banks, but it relates to the point I made earlier about
the extra expense. If the banks were to respond properly to
this and to their mandate to keep consumer information private,
they would have to start using encrypted links for far more
than they are currently using them for, and we could have an
escalation on encryption. We might have an encryption war, at
which point if every piece of traffic were encrypted, there
would be no market if you add services. I think there are
policy implications to having all the traffic encrypted, and I
am not sure I want to go there. But the user at great cost to
themselves and the services could avoid this problem, and it
just shifts the problem elsewhere.
Mr. Walden. My time has run out. I just have a unanimous
consent request. I know that the ranking member had sent
letters to the chairman of Google in 2007 and 2008, and I
wondered if I can just ask for those to be put in the record?
Mr. Markey. Without objection, they will be included into
the record.
Mr. Walden. Thank you, Mr. Chairman. I appreciate it.
[The information was unavailable at the time of printing.]
Mr. Markey. And I say to the gentleman from Oregon as well
that Mr. Dykes said that the postman is public and he is
private, but FedEx and UPS are also private, but they can't
open up our packages. They can't open up the mail that we put
inside. They are private, too, but we all have an expectation
when we put something in FedEx that Mr. FedEx can't open it up
before he puts it at our front door.
Mr. Walden. Exactly.
Mr. Markey. So let us not confuse that issue. It is the
same level of privacy expectation.
Let me turn now and recognize the gentleman from
Pennsylvania, Mr. Doyle.
Mr. Doyle. Thank you, Mr. Chairman. I think the post office
analogy is important, because it is the way most Americans can
relate to what is going on. People would be shocked if they
thought the post office or FedEx or anybody else was looking at
what is inside their packages, whether they knew who they were
or not. People would be shocked to know that. And this all gets
down to implied consent. Mr. Stearns talks about a dialog box
popping up every time, you would have to say whether you opt in
or opt out. It doesn't need to be like that at all. It really
should just be with the Internet service provider. When I
subscribe to America Online or when America Online changes its
privacy policy to accept your service, Mr. Dykes, there should
be something that pops up on my AOL site when I go on saying
something has changed, or if I am just a new subscriber, and it
should ask me clearly whether or not I want to be in on a
service that is going to look at my information and possibly
share that with other people, and do I want to do that or not,
and if I say no, I don't want anybody knowing where I go online
or what I am doing or if I travel or if I am going and looking up
information on prostate cancer, I don't want anybody to know
that, that I can just check that ``no'' box, and I don't have
to do anything after that. Any site I visit, I am saying I
don't want anybody to be inspecting that packet. It could be a
simple one opt in, opt out that is presented to you.
Now, I don't know anybody that reads their privacy
statements in their bills. If you ever saw them--I have looked
at them a couple of times. Your bill comes. There are a couple
pages, they are in that real thin paper that is folded. It is
about a 2-point print, and if you are old like I am, you can't
even see it, and then you are going through that with a
magnifying glass, and somewhere in there I guess it tells you
that if you don't want somebody to be able to know where you
are going to check some sort of opt-out, but if you want to--
the big print says if you want to enhance your experience on
the Internet, then just we will just take it from here, and you
don't have to do anything, we are going to make sure you have a
great experience on the Internet.
People don't know this is happening. People do not know
that they are implying their consent by saying nothing or the
fact that they don't read the fine print in these boxes, and
the idea that anybody can examine where you go, what you say,
anywhere without expressly saying it is OK with me, I think
goes against everything that the country has been founded on
and what most Americans understand as their right to privacy
under the Constitution of the United States, and I don't care
whether an Internet service provider is doing it or Google is
doing it, it shouldn't happen, and there should be a clear
policy where Americans say I want this, and it should be right
up front, and it doesn't need to be a box on every Web site you
visit, just your ISP when you are looking at it. Now I will ask
some questions.
Mr. Dykes. May I respond?
Mr. Doyle. Yes, go ahead.
Mr. Dykes. I would like to say I agree with everything you
said there. That is exactly my thinking, that there has to be a
robust notice, not some big 20-page document, not something in
a little box online. This is why I keep emphasizing robust
notice as the most important----
Mr. Doyle. Well, I don't know how you define robust notice,
but I know you should have to check the box that says I want
you to be able to do this, OK, and no implied consent. It has
to be robust, I want to do this consent, and anything short of
that I think is a violation of what most Americans understand
as their right to privacy.
Ms. Cooper, I have a question for you. Some people may not
know, one of my constituents has released a new record: Girl
Talk. He's a mash-up DJ. He released this new album, Feed the
Animals, on the Internet, and he is charging like Radiohead, it
is pay whatever you want. Now, if record companies and other
companies encourage ISPs to use deep packet inspection for
tracking copyrighted content and punishing copyright
infringers, is it reasonable to worry that the technology would
also scoop up consumers of lawful content and other fair uses
of copyrighted material?
Ms. Cooper. Well, I will say that I am a huge fan of Girl
Talk, and I did download the most recent album at a very low
price, but I think you have hit the nail on the head, which is
that using technologies like deep packet inspection for
applications like copyright filtering raise the question of how
to know when you recognize a copyrighted work, whether it is an
authorized use of that work or not, and the technology itself
of inspecting the packets, assembling the packets into a piece
of data that you could recognize as a copyrighted work cannot
tell you whether a use is authorized or not. That is a judgment
that needs to be made by a person, perhaps multiple people. It
depends on the context. It depends on if it is a fair use or
not. And so you cannot rely simply on this technology to be
able to say yes, this is an illegal use of someone's work or
no, it is not.
Mr. Doyle. Dr. Reed, first of all, thank you for your years
of service to the Internet. Tell me, I think you touched on
this briefly, will deep packet inspection--don't you think this
is really just going to lead to an encryption arms race, where
everybody is just going to start to encrypt their packets to
avoid detection, and what do you think the implications of that
would be to the Internet if that starts to happen?
Mr. Reed. Well, first of all, it would be a great boon for
the sellers of encryption technology. But I think it would
raise the barrier for many applications, because it is not
simple to design actually secure encryption technologies.
Although the basic idea of encrypting a packet from end to end
is easy, the handing out of specific keys to the right set of
people that need to receive that stuff is quite complex, and it
depends on a notion of a key distribution network which would
then have to exist over the top of the Internet, because
everyone would need to get their keys reliably from reliable
sources, so it would create a rather elaborate network
structure for distribution of keys and security of those keys
that is not currently in place to make it actually work. I have
been involved in the research on that topic actually since
about the same time the Internet started, and industry has not
succeeded in doing it, partly because the demand has not been
there, the expectation of privacy was good enough, but also for
two other reasons. One is the reason that there is public
interest in not having too strong encryption for law
enforcement reasons. You want to be able to not depend on
breaking the keys but hope that the bad guys will do something
bad for at least discovering bad things, and then the other
reason is that the actual physical security of those keys and
physical distribution involves trust relationships that don't
exist in society today. Who would you trust to get your key
from? Maybe you trust your ISP, maybe not.
Mr. Doyle. Thank you.
One last question. Mr. Dykes, your testimony says basically
that when I surf the Web and I don't opt out, I give you
implied consent to share everything that I do, and that is a
one-sided consent. Pennsylvania, where I come from, requires
both ends of a conversation to consent to any wiretaps. Your
service listens to all Web conversations that you sought or
obtained consent from millions of people, if not billions of
Web pages and content providers. If you have not specifically
obtained consent from all these millions of Web page and
content providers, why do you think that your service doesn't
violate Pennsylvania's wiretap law, or why it wouldn't apply to
you?
Mr. Dykes. Sir, I am not a lawyer, but I have spoken to my
lawyers, and they have not identified any legal barriers to our
entry in any States, but we would be happy to work with you or
your staff to go through that in more detail.
Mr. Doyle. I see my time is up, Mr. Chairman.
Mr. Cleland. Mr. Doyle, can I make a comment?
Mr. Markey. I am sorry. The gentleman's time has expired. I
am sorry.
The gentleman from California, Mr. Radanovich.
Mr. Radanovich. Thanks, Mr. Chairman, for this hearing.
I do have a question of Dr. Reed. Mr. Cleland gave what I
thought was a very interesting analogy about dealing with ISPs
and trying to perfect the window shade on a window in a house
with no walls. Would you respond to his comments about the
difference between search engines and ISPs? I would be curious
to know your comments on that.
Mr. Reed. Well, I can respond on different levels. I agree
with Mr. Cleland that there are strong concerns about the
amount of private information that is captured and used by
search engine companies and others and that there needs to be
some thought given to that scale of collection. It is a
different kind of collection, because it is captured by a site
that you go to, but in the case of Google, for example, I know
that they are kind of the only game in town for a certain kind
of thing, not because of a mandate but because they are really
good. So I see this particular focus on the transport part as
relevant to this committee, and I am not really prepared to
talk about the technology inside Google much further than that.
Mr. Radanovich. All right. Thank you.
Mr. Cleland, do you have a solution for this? Is it one
type of--is it DPI, is it cookies? What is your answer to all
this?
Mr. Cleland. Well, I think, sir, the question also allows
me to respond to Mr. Doyle and what he had said. There is a
holistic problem here with privacy, and don't be fooled of
thinking that there is only one way to be tracked or there is
only one way for somebody to violate your privacy. Now, packets
going through, the expectation is that these packets should be
delivered and not interfered with. OK. That is understood. Now,
what you do when you are not an ISP, like when you are Google
or Yahoo or these others, and they want to track you, they
track clicks. Now, they can do the same thing. You said you
didn't want anybody to know if you went to the prostate cancer
page. Well, there is a packet that could transmit that, or a
click. So there is more than one way to skin a cat, and the
problem here is that you are focusing only on broadband deep
packet inspection as one way to invade your privacy and turning
a complete blind eye to the way that you can track clicks and a
myriad of other ways that you can glean the same information
and actually potentially a whole lot more. Does that answer
your question?
Mr. Radanovich. Yes, it does.
Ms. Cooper, I would like to get a comment from you, as
well. Do you recognize the advantage of DPI insofar as the
potential protection of piracy and those issues as well, the
value of something like DPI?
Ms. Cooper. So I think DPI does have some beneficial uses.
The one that comes to mind immediately is for detection of
network attacks, viruses, spam, distributed denial of service
attacks, and those sorts of things where an ISP might have an
indication that an attack is coming from a certain IP address
or from a certain location, and being able to look a little bit
more deeply into the packet can help to thwart those kinds of
attacks. So I certainly think that DPI has some beneficial
uses, but I really think it needs to be evaluated on a
case-by-case basis where you can weigh the risks against the benefits
and evaluate the other protections around how it is deployed
with the notice and what the limits are on the data collection,
so I really think it is a neutral technology. I don't think it
is a good or a bad technology, as most technologies are, but I
think it deserves a contextual evaluation.
Mr. Radanovich. Consumers have to be able to check the box,
basically, and say you consent.
Ms. Cooper. Well, in some cases, yes, I think you can
imagine certain applications of DPI that you would only want to
have consumers, you know, fully informed and consenting to and
other examples like with the spam example. If you had to
consent to every time your ISP or your e-mail provider blocked
a spam for you, that might be something that you would only
want to consent to once, or the model would probably look
different. So I really think it deserves a case-by-case
evaluation.
Mr. Radanovich. Thank you.
Thank you, Mr. Chairman.
Mr. Markey. The gentleman's time is expired. The chair
recognizes the gentleman from Texas, Mr. Gonzalez.
Mr. Gonzalez. Thank you very much, Mr. Chairman.
Let me preface this question with a story, and actually the
reporter's name is Louise Story. I think it was the New York
Times. In January 2008, 14.6 billion searches were conducted.
Yahoo, Google, Microsoft, AOL, and MySpace record at least 336
billion transmission events in a month, not counting their
networks. Yahoo has the most data collection points in a month
on its own sites, about 110 billion collections, or 811 for the
average user, plus 1,709 other opportunities to collect data
about the average person on partner sites such as eBay, at
which Yahoo sells the ads.
So my question, should privacy rights and obligations begin
and end at the doors of the ISPs solely? Ms. Cooper, just a yes
or no. Should we only be--and I know that my colleague from
California touched on it. Should that be our only concern? Do
privacy rights and obligations that we seek to protect and
impose on all players really begin and end only at the doors of
the ISPs? Just a yes or no.
Ms. Cooper. No, we should have comprehensive privacy
protections.
Mr. Gonzalez. Mr. Dykes?
Mr. Dykes. I agree, we should have comprehensive privacy
protection that is technology-neutral.
Mr. Gonzalez. Dr. Reed?
Mr. Reed. Yes.
Mr. Gonzalez. Mr. Sabet?
Mr. Sabet. Yes. One point, by the way, is Dr. Reed agrees
with my definition from Wikipedia offline.
Mr. Gonzalez. Mr. Cleland?
Mr. Cleland. It should be holistic. It shouldn't just be on
ISPs.
Mr. Gonzalez. All right. And I know that we are
concentrating on certain technology utilized by ISPs, but I
would hope that no one leaves this room today or a viewer or
listener thinks that this committee is not concerned about the
overarching responsibility and duty that we wish to impose on
everyone out there. Mr. Doyle is saying it is another
jurisdiction, but we are actually discussing many things that
may go way outside the jurisdiction of this committee and such,
but nevertheless, you are going to have a collaboration along
the way. It seems to me that everyone is--the holy grail here
is some sort of an opt-in as opposed to what we generally
follow in other models of opt-out, an affirmative act saying
that you will agree after there is full, and as the chairman
indicated, clear and conspicuous disclosure, which we all agree
on, and then some affirmative act, in this case it would be an
opt-in. So there are different ways to opt in, and I am just
wondering, and I will be asking a couple of the witnesses if
they would agree that this would be adequate and sufficient
across the board, whether it is an ISP or an application
company. What if they were able to obtain the opt-in in the
following manner? One, that would tell the consumer check this
box, whether it is on the screen or whatever or an envelope
saying after full disclosure, conspicuous clear language,
simply using the service will be interpreted as an opt-in.
Would you be satisfied, Ms. Cooper, with an arrangement, simply
using the service would be an affirmative act of opting in to
all conditions and terms of the provider?
Ms. Cooper. I think it depends on the service. I think at
times affirmative express consent is absolutely necessary, and
at other times it is not. I think it is dependent upon the data
being collected, the sensitivity of the data, the laws that we
have in place. All of those things are important to the
decision----
Mr. Gonzalez. We would have to have different standards on
that type of opt-in language, depending on the type of
information that is being gathered. I just think that may be an
impossible task. I am not sure.
Dr. Reed, would you be satisfied with that kind of an
opt-in arrangement? Simply using the service equates to an
affirmative act of opting in.
Mr. Reed. No, not in the case of ISP access to the
Internet.
Mr. Gonzalez. No, I am talking about everyone that should
have a responsibility and duty to safeguard this particular
information when they gather it and making sure there is full
disclosure to the consumer that it is being collected and
shared. What does it matter whether it is Embarq or whether it
is Google? It is still my information. One, full disclosure;
two, an adequate opt-in process. Why are we making that
distinction is the real curious question. I think for the most
part you all have distinctions without differences. It is
whether we have--maybe because of the scope of the technology
and the ISP status. You are saying, well, that is a mortal sin,
we will let everyone get away with venial sins. Well, I hate to
tell you, I think the consumer is just going to be concerned
with the tremendous information out there that may constitute a
lesser sin, but it is still a sin. And by the way, all these
centers are all worshipping at the common altar of the
advertising dollar, which promotes and supports the entire
system, whether you are a network, ISP, or an application
company, and that is the reality, and I know, I think the
chairman has been very reasonable and generous with me, and he
has let me go over my amount of time, and I yield back.
Mr. Markey. The gentleman's time has expired. The
gentlelady from California, Ms. Eshoo.
Ms. Eshoo. Thank you, Mr. Chairman, for yet another
substantive hearing on an all-important issue. It is great
having you be chair, because that is what we have done since
you have taken over, so thank you. And thank you to all the
witnesses.
First of all, I can't help but think of the following with
my Intelligence Committee cap on, and that is that the
penultimate intelligence is to know how people think, and I
think that that applies to a lot of what we are talking about
here. I think that users should be notified in the most
meaningful way on what information is being collected, how it
is being used, how they can opt out of certain forms of data
collection, and I think that medical information collected
really should be treated as one of the most sensitive or the
most sensitive data. So I just want to state that.
I apologize for coming in later than other members, but it
gave me an opportunity to read what we didn't have yesterday
and that is some of the testimony. Mr. Cleland, I derived from
your testimony, from your statement, that you are not for net
neutrality. Is that--that is pretty obvious.
Mr. Cleland. Exactly.
Ms. Eshoo. Yes, not for net neutrality. Let me ask you
this. Are you paid any consulting fees by any of the Bells,
cable or anyone?
Mr. Cleland. As I disclosed when I came in here, I am
testifying on my own behalf. However, another----
Ms. Eshoo. Are you paid by anyone----
Mr. Cleland. I am chairman of NetCompetition.org. It is
funded by wireless telecom and cable companies. So that is----
Ms. Eshoo. So the answer is yes?
Mr. Cleland. Yes. I have always disclosed it every place I
go.
Ms. Eshoo. Well, I wasn't here when you disclosed that, so
I am glad to hear that, and I think it is important for the
record, and I think it is important to highlight it for the
record.
Now, in your statement, you said that broadband companies
are subject to section 222 of the Communications Act. Now, I
think for the record, we need to clarify this, because for
telephone services, that is so, but not for broadband service.
Do you agree with that?
Mr. Cleland. Well, where we are is an evolution on that in
the sense of telecom----
Ms. Eshoo. Well, I mean, just yes or no. We don't have to----
Mr. Cleland. No, because it is a very complicated question
in the sense that law enforcement and other things----
Ms. Eshoo. I mean, it is very important about the
obligations under 222. Telephone services come under that
obligation, but broadband services do not. So what I am doing
is, I am differing with you in terms of what it is in your
statement, so we are just going to leave it at that.
Now, let me get to this whole issue of how we achieve the
kind of privacy and the implementation of that as all of this
continues to be broadened out, because the Internet is going to
keep growing. There always are going to be new ways of getting
to people, trying to attract them to buy things, to sell
things, but we don't want that used against them. So let me ask
you, Mr. Dykes, do you think that there should be legislation
that provides a statutory framework for what data can be
collected, how it can be used, and how consumers can either opt
in or opt out of the collection?
Mr. Dykes. Yes, I do.
Ms. Eshoo. You do?
Mr. Dykes. Yes, absolutely. I said in my testimony, we
differently support a base privacy law across all industries
that is technology neutral.
Ms. Eshoo. Let me ask the whole panel this. I am concerned
that greater innovations in network capacity, data speeds,
storage, and that more data containing potentially harmful
software will be encrypted and then escape the current network
of firewalls. Is this a legitimate fear? I mean, should
government be addressing this?
Mr. Dykes. Well, in my view, no, it isn't. The Internet
today operates with secure sites such as banks that do for the
most part display their information in a secure manner, and
that is appropriate because there really isn't--people
shouldn't be looking at that data, and it doesn't really have
commercial value for advertisers anyway. In other areas where
it is a travel site, the innocuous categories that we track
such as travel or automotive, for example, those are also
subject to the search engines wanting--and they want the search
engines to know that they have those subjects and so there is a
natural process for sites to not want to be secure so that in
fact they can be part of the search process and other links, et
cetera, and so----
Ms. Eshoo. But I don't know from your answer whether this
is a legitimate fear on my part.
Mr. Dykes. Well, my point is that--actually Mr. Reed
previously expressed that fear, and what I am saying is, that I
don't think that that is a fear, because we keep our
characterizations at a sufficiently high level that people are
not going to be fearful, and that is why we have to continue to
publicize this, that we have very strong privacy controls, no
personally identifiable information, and we are only tracking
innocuous categories mapped against those anonymous profiles.
Mr. Markey. The gentlelady's time has expired.
Ms. Eshoo. Thank you, Mr. Chairman, and can I just make a
very quick observation? It is the first time in
telecommunications testimony that J. Edgar Hoover has come into
it. I don't know whether Mr. Cleland is referring to some kind
of telecom cross-dressing, or what. I just wanted to highlight
that.
Mr. Markey. I thank the gentlelady. The chair recognizes
the gentlelady from California, Ms. Solis.
Ms. Solis. Thank you, Mr. Chairman, and I want to applaud
you for having this very important hearing. When I read about
the background on this, of course I am concerned coming from
California where we have, I think, a lot of stricter rules in
place that look at two-party wiretapping, and I want to get
feedback from Ms. Cooper and Mr. Dykes on that and how you are
going to deal with States like mine, but I have a couple of
questions, two concerns. One is, you are able to profile who I
am because I go on the Internet. You can see my likes, dislikes
or whatever. But what about those people that may have language
barriers or that may be senior citizens who could be gullible
to specific types of unscrupulous advertisers or individuals
who at a certain point can determine some vulnerabilities, and
people in my community, Latinos and others, at a certain age,
what have you, could be vulnerable to folks that take advantage
of them, and specifically targeting advertisements at them,
which we know happens now even in the print media and
television, but mostly print. Many in our community are taken
advantage of. I am concerned about predatory types of movement
that could happen and how we detect that and how we can really
help consumers who are maybe not language literate or because
they speak only Spanish. So I want to ask Ms. Cooper if you can
talk about what I have raised. But those are some of the
concerns that I am thinking about out loud right now.
Ms. Cooper. I think the concern that you raise is
legitimate, and the broader context in which we have discussed
this concern is how these behavioral profiles that are getting
created about consumers are really used. It is one thing to
target a car ad to someone who has been interested in buying
cars, but it is another thing to abuse the profiles as you are
talking about to target vulnerable populations or to use the
profiles for decisions about things like credit or employment
or insurance, and because it is kind of a black box and we
don't really know all of the ways that these profiles are being
used and it is really invisible to the consumer. They, as we
discussed already, don't even know that this kind of tracking
is going on, but even if they do know, it is extremely
difficult, if not impossible, for them to find out what the
profile says, who it has been sold to, who else is using it,
how it is being used, and so I think we still have a lot of
work to do to find out what all of those secondary uses are and
who is conducting them and if that is even OK. I think if
information is collected for one particular purpose, even if
consumers are informed and they opted in to that, that doesn't
mean that there is a license to use it for all these other
purposes.
Ms. Solis. Can you address the two-party wiretapping issue?
Ms. Cooper. Sure. So there are some States like California
whose wiretapping laws require consent from both parties to the
communication, so on the Internet, that would be both the
consumer and the Web site that the consumer is visiting. In the
context of the wiretapping laws, there is not a lot of case law
about how those apply specifically to the Internet. There are
telephone cases, and in some cases, if you have a call going
from one State to another, the one-party-consent case trumps,
so there only needs to be consent from one party. If you have a
call coming from a two-party State to a one-party State, in
California, there is some case law that shows that you still
need consent from both parties, but it has only been applied in
the telephone context.
Ms. Solis. So would you encourage us as our subcommittee
kind of mulls through this to look at potential frameworks or
something that could address this issue?
Ms. Cooper. Absolutely. I mean, there is the federal
wiretapping laws on the books, which we think are fairly clear
on their application to this model, but as we have been
discussing today, there are all these other kinds of data
collection going on which don't fall under that framework, and
we certainly think that is an area of work good for this
committee.
Ms. Solis. I have 17 seconds. I am sorry. Mr. Dykes.
Mr. Dykes. Well, on your first question, I agree with Ms.
Cooper. It really is the responsibility of all advertisers and
advertising companies to have responsible behavior, and so the
questions that you raise are really not specific to ISP-based
advertising because, as the panel has noted, there is lots of
this data collected in many ways, and so, for example, as an
industry, we don't advertise and the laws require us not to
advertise to children, for example, and so--but as responsible
advertisers, we observe the types of concerns that you have,
and I don't think people in our industry would cross them,
responsible companies.
With regard to your second question, as I said previously,
I have spoken to my lawyers on that, and they have not
identified any legal barrier to operating in any State, but we
would be happy to work with your staff to further elaborate on
that.
Ms. Solis. You said something earlier though that business
has a legitimate role because they are paying for this access.
So where do you draw the line to say that maybe some of these
folks that are paying may not be--how could I say--honest in
the way that they are targeting, for example, alcohol and
tobacco? There are certain populations that we know industries
target. Those are questions that I have concerns about.
Mr. Dykes. So the way that is generally handled is that the
industry through industry associations certifies certain
companies to say that we act responsibly, we operate within
these standards, and the advertisers advertise with companies
who meet those standards, and so there is a role for the
advertisers themselves to have some policing to only advertise
with companies that operate in a responsible----
Mr. Markey. The gentle----
Mr. Dykes [continuing]. Manner, and that I think is the
effective way short of a law on the subject. Self-policing does
occur in this industry and I think has been reasonably
effective.
Mr. Markey. The gentlelady's time has expired. The
gentleman from Florida has an additional question.
Mr. Stearns. Just two questions, Mr. Chairman.
The first is just to clarify. The gentlelady from
California brought up Mr. Cleland, what his invested interest
was. He disclosed it, and I think just to set the record
straight, Ms. Cooper, since the gentlelady brought up funding,
I note that according to CDT records, your organization
received almost 10 percent of its funding from e-commerce
companies such as Google and Yahoo. I just wanted to confirm
that. Are you still receiving funding from these companies?
Ms. Cooper. We are. We actually have a very broad base of
funding. It is about 50 percent from foundations and 50 percent
from high-tech companies, all kinds of different high-tech
companies.
Mr. Stearns. Including Google and Yahoo?
Ms. Cooper. Yes.
Mr. Stearns. And Mr. Dykes, I think this discussion we had
today--and I commend the chairman for having this hearing. I
think it is very enlightening, and I think you can sense from
everybody's feelings that people are concerned that these deep
pockets of information packets that you are going into without
anybody knowing about it is a concern. Maybe you should just
summarize and tell us this information you are seeking, what is
it that everybody is getting so alarmed about so maybe you
would allay their fears by just outlining just very simply what
is the stuff that you are looking at?
Mr. Dykes. The end result is simply our noting that an
anonymous profile qualifies for certain innocuous categories
such as travel, automotive, other subjects like that. So they
are very innocuous categories, because we don't want to get
into sensitive subjects, pharmaceutical ads, for example. We
stay away from the sensitive subjects, so it is innocuous
categories mapped against anonymous profiles is the end result,
and that is why----
Mr. Stearns. Mr. Doyle mentioned health information, going
to look for prostate cancer.
Mr. Dykes. We avoid that.
Mr. Stearns. I mean, how do we know that you avoid that? Do
we just take your word for it?
Mr. Dykes. Well, that is one of the reasons why we are
having our system audited, so a Big Four firm can actually say
that yes, they do what they say they do. So that is one
important element. The other is industry standards around
sensitive subjects that they are still being formed, but to the
extent that the FTC or other government bodies create a
definition around sensitive subjects, we certainly observe
that. Meantime, we stay very, very conservative on----
Mr. Stearns. Who does this auditing? When you say you are
audited, who----
Mr. Dykes. We haven't named the firm, but we have indicated
that we would have one of the Big Four audit firms audit our
systems to ensure that we do what we say we do.
Mr. Stearns. An accounting firm is going to audit you?
Mr. Dykes. Well, those firms--correct. Those firms also do
auditing of the subject, as well on privacy standards, as well
as accounting standards.
Mr. Stearns. I don't know if that is going to provide a
degree of confidence to think that an accounting firm is going
to audit you to----
Mr. Dykes. There is such a thing as----
Mr. Stearns [continuing]. Whether you are going into
sensitive boxes of information, deep packets. I don't know, Mr.
Dykes, whether that is going to calm the fears.
Mr. Dykes. Sir, there are actually standards on privacy
audits.
Mr. Stearns. And you can't announce who that accounting
firm is today? Have you selected that----
Mr. Dykes. It hasn't been finally selected.
Mr. Stearns. So you don't even have an accounting firm
doing it yet?
Mr. Dykes. Well----
Mr. Stearns. You are speculating that you will.
Mr. Dykes. Sir, we are a startup, so we are just--this is
just----
Mr. Stearns. This is the first stage, the early stage?
Mr. Dykes. Yes.
Mr. Markey. Can you try to pick a company, Mr. Dykes, that
wasn't the accounting firm for the subprime loan scandal or the
dot-com bubble or the Enron? Can you find an accounting company
that maybe has a good track record over the last 6 or 7 years,
not missing every major accounting scandal, and I don't know
what company that might be, but you will be held responsible
for anything they miss, by the way. I unfortunately have to say
this. In most instances, the accounting firms miss the stuff
that the industries want them to miss because they also have
consulting contracts. It is not a good situation.
Do any other members have any questions that they might
want to ask? Yes, Mr. Gonzalez.
Mr. Gonzalez. Thank you very much, Mr. Chairman. Just
quickly because as you can tell, I think we may have some
differences of opinion on application, the exact answer, but
make no mistake about it, we all really share the chairman's
concern regarding privacy and the duties and obligations that
are out there, because we truly believe the American public
will be concerned about it. I don't want to overlook the fact
that many consumers today are the beneficiaries of, quote,
``free services through application companies,'' and that is
very, very valuable, and the reason that they are free is
because of advertising dollars, and we have to really
understand the role of the advertising dollar out there in the
Internet and how it has actually promoted its use and the
quality of it and so on, and that can be a scary proposition,
depending on what we do. If we do act, I think we have to be
careful again of going about business models and then going on
what Mr. Sabet said about broadband, and that is, if those
pipes are big enough and we keep increasing them, we take
excuses away from people who may want to manage them in a way
that really deprives the fair use of the Internet the way Dr.
Reed envisioned it and has envisioned it for a number of years.
So we can't do anything again to impact or restrict the
build-out. Again, I am going to use the word robust in a different
context of a broadband network, and that really does concern
me.
Lastly, I am going to make this last observation. Whether
it is an ISP and how they got to where they are or whether it
is Google and how they got who they are, whatever we come up, I
think we still have to acknowledge the reality of what Dr. Reed
said, but I am going to go and use real quick, Mr. Chairman, a
quote, and this was in regards to service by an ISP, and a Mr.
Bob Williams said there really should be an onus on the
regulators to see this kind of thing is done correctly, meaning
the information sharing and collection, and Mr. Williams deals
with telecom and media issues at Consumers Union, and this is
what he said. He could have read some of the terms earlier when
placing the order online, but he just clicked the accept
button. Quote: ``I am a hard-nosed consumer advocate type. I
really should have examined it better than I did,'' he said.
But he added he acted like most consumers because of the lack
of alternatives. ``You click the accept button because it is
not like you are going somewhere else.'' And that is the
backdrop and that is the reality, and I believe that we will be
acting responsibly understanding those market forces.
Thank you very much, Mr. Chairman.
Mr. Markey. The gentleman's time has expired. Does the
gentlelady from California have any additional questions?
So we are going to turn to our panel, and we are going to
ask each of you to give us your 1-minute summary of what you
want us to remember about this issue of privacy and the
American people, and it might help if you told us whether or
not you thought opt-in was a good standard. We are talking
privacy generally here, not individual companies but just tell
us what you think. Should that be the standard? Mr. Cleland?
Mr. Cleland. Well, I think that we need to have a holistic,
comprehensive, balanced approach to privacy law.
Mr. Markey. Would that be opt-in?
Mr. Cleland. Since you have asked, I think what the problem
is, when we now go to opt-in or opt-out and it is that binary
question, we are a little bit like the problem we have with
do-not-call, and because it is complicated, we may end up with a
do-not-track where people, just because nobody is minding what
is going on in the Internet, people get fed up, and they say
well, just let me say somewhere that I don't want to be tracked
with anybody, and so when we go with just opt-in or opt-out,
what we are doing is, we are basically making something that is
not simple real simple when there are a lot of different ways
to skin this cat. So I am big on privacy, but one size doesn't
fit all. But you do need to look at it comprehensively.
Mr. Markey. Mr. Sabet?
Mr. Sabet. Yes, a quick summary here is, we really believe
that privacy and the open Internet are directly linked, and
what you do with the data as a customer of DPI technology is
the key. So if you violate people's privacy to manage the
Internet, the open Internet, we think that is the real harm
here for consumers and the Internet ecosystem.
Mr. Markey. Thank you.
Dr. Reed?
Mr. Reed. Well, I think opt-in is too glib. It really
should be informed consent and understanding of what will
happen to the information, that you are being tracked and in
the case of the Internet where, for example, you could predict
reliably the political affiliation and beliefs of somebody
literally by who they are talking to, so if you just monitor
who they are talking to, you don't have to know whether they
are a Democrat or a Republican. You actually have a much more
complex notion of--you have to know what kind of analysis and
use will be made of the information and what limits are placed
on it, whether it is just for advertising, just for advertising
by certain advertisers, just for something, as opposed to
selling the unvarnished analytical information for any possible
use, and that I think is something that ought to be kept in
mind. So start with opt-in, but go beyond it, to opt in to
what.
Mr. Markey. Mr. Dykes?
Mr. Dykes. I think we need to recognize that the Internet
today is more than 50 percent funded by advertising, and to
adopt an across-the-board opt-in rule would substantially
reduce the value of the advertising across the Internet, so I
think that major harm could be incurred that way. So I think a
more holistic view of it, but also a more fine-tuned view, such
that we are sensitive to the type of data being collected
before we decide what the rules should be, I think is the most
appropriate way to answer that.
Mr. Markey. Ms. Cooper?
Ms. Cooper. I think consumers deserve to have informed,
meaningful control over their data. Whether it is opt-in or
opt-out, consumers need to be in the driver's seat with respect
to what is happening to their data when they go online and when
their data is existing offline. They need to be the ones who
decide how their data gets to be used.
Mr. Markey. Thank you, Ms. Cooper, very much.
When people use the World Wide Web, they don't want it to
turn into the wild, wild west when it comes to their personal
information, and I think that this analogy which Dr. Reed
introduced today is a good one, and it extends to the post
office, it extends to FedEx or UPS, that this is just another
means of delivering something that a consumer is interested in,
and there should be a barrier that exists unless the consumer
determines that they do want, in other words, this information
to be compromised. What we have learned from Embarq and we have
learned from Charter is that in their affiliation with NebuAd
that these questions weren't asked from the get-go.
This is a very serious subject. It is one that goes right
to the heart of who we are as Americans. Back in 1775 in my
congressional district in Lexington, one of the things that was
just absolutely agitating the colonists was that the British
felt they could come right into your home. There was no search
warrant. There was no one that could stop them, and they could
just come in. And so the very principles of individual freedom,
individual liberty, your right not to have either the
government or a private sector company coming into your life
without your permission, is central to who we are as Americans.
That is what we fought for. That is what we continue to fight
for and try to spread around the rest of the world. We don't
believe that either the government or private sector companies
have a right to come in without your permission unless there is
a legally obtained warrant, and that is why we are talking
about wiretapping laws here today. That is why we are talking
about broad privacy laws that have been put on the books over
the years. It is because it is a subject of constant debate in
our country from our very inception.
So I think that what we are hearing today is strong
sentiment from most members that clear notice and meaningful
opt-in must be the standard by which cable and phone companies
like Verizon or Comcast, to take the names of two companies
that are more well known than Charter or Embarq, but if this
trend extends, then that is who we will be talking about. We
will be talking about these larger carriers who will have the
capacity, unless we have some standards, to be able to use this
information as a product, and I don't think that Americans
really want that to be the standard, notwithstanding the
advertising base that the Internet might be based upon. There
might be a few companies that suffer if Americans decide that
they don't want all of their information to just become
something that is put together as an advertising profile of
that individual. That is a price just a little bit too high to
pay in order to have the Internet the way that a private sector
company might want it to be there, and the same way that
politicians might want to know all of the private sentiments of
voters in their district and be able to get access to it, we
can't get access to it. We can hope that they are going to vote
for us on Election Day, but there is a certain limit beyond
which we can't go in intruding into the privacy of Americans.
But it is a natural instinct. Each of us up here would love to
know everything that is going on in the homes of all 650,000
people in our district with regard to their political
attitudes. That would be very helpful to us. But we can't, and
there is a good reason why we can't, because these individuals
have a right to their privacy, and the same thing extends over
to their right to privacy from advertisers, their right to say
no, I don't want you in my front door. When your mother is
saying to you as a little kid, when you tell the person
knocking on the door they are not home, tell them your mother
is not home, but what are they really saying? What your mother
is really saying is, we are not home to you, sir, on the front
door knocking trying to get inside my home, and that is your
right, and it should be your right as an American citizen not
to let people inside your mail, inside your packages, inside
your packets.
This packet-switched network that Dr. Reed and others
invented is something that really goes right to the heart, and
the principles that were established really go right to the
heart of who we are, and Ranking Member Joe Barton, Chairman
John Dingell, and I have already written to a cable and a phone
company where either the notice or the opt-in choice was
inadequate or missing. So we need to have remedial legal
courses for some corporate general counsels, and we need to
have the phone and the cable companies step up and clearly say
what their policies will be, and as I have proposed previously,
we need a comprehensive online privacy bill to close the gaps
that exist with search engines and other sites.
So we thank each of you for your testimony. We intend on
working very closely. We intend on really raising the profile
of this issue and any companies that are engaging in it so they
can become more famous, more well known in terms of what they
are doing, and this is going to become an escalating subject of
attention for this committee and for the Congress, because any
time anyone learns about it, their first thought is, I didn't
know that that was happening with all of my information, and
that just demonstrates that there has not been notice given to
people.
So we thank all of you, and we intend on following up on
this issue in the months and years ahead. With that, this
hearing is adjourned.
[Whereupon, at 11:47 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
STATEMENT OF HON. JOHN D. DINGELL
Thank you, Mr. Chairman, for holding this hearing, and I
thank the witnesses for being here.
Deep packet inspection (DPI) is part of the Internet now,
and it will be part of the Internet in the future. That much is
clear. However, any industry that includes a company whose
motto is, ``See Everything. Know Everything.'' is worthy of
close scrutiny.
Our job today is to consider how best to balance the
deployment of DPI with adequate protection of consumers'
privacy. We must also consider the effects of DPI on
competition and investment across the Internet.
An immediate concern is the targeted advertising that DPI
makes possible. On Monday, Chairman Markey, Ranking Member
Barton, and I sent a letter to the phone company Embarq. We
expressed concern that Embarq conducted a trial in an unnamed
community in its service area of a targeted advertising system
that tracked customers' Web use without providing clear notice
of the trial to subscribers. Not only did Embarq fail to give
its subscribers a chance to opt in to the tracking, but it did
not directly notify affected customers that they had a chance
to opt out. I find the notion that a broadband provider would
implement such tracking with no real notice to the customer to
be deeply troubling.
We are in this position, because the Federal Communications
Commission (FCC) has yet to establish any clear privacy
protections for customers of wireline broadband services. In
its rush over the last several years to deregulate broadband
services, the Commission has failed to adequately protect
consumers. When Chairman Martin testified before this Committee
in March of 2007, I asked him when he would remedy this
problem. He responded that the Commission would endeavor to act
by the end of 2007. Clearly, much work remains to be done at
the FCC.
We must also consider what DPI means for the future of the
Internet. DPI can be used for legitimate and necessary purposes
by broadband providers, such as to reasonably manage network
congestion and protect against viruses. To the extent that they
utilize DPI for these purposes, I have no quarrel with
broadband providers. Unfortunately, DPI can also be used for
nefarious purposes, such as unfairly blocking certain
applications or slowing one Web site's traffic at the expense
of another. We in Congress must be vigilant in the face of
these and other abuses. The importance of an open and
competitive Internet cannot be understated.
I hope today's witnesses will help the Committee in its
examination of DPI by addressing a few questions. How should
broadband providers notify subscribers they are planning to
track customer Web use? Should providers be required to obtain
opt-in consent? What privacy rules should apply to broadband
providers? And how do we ensure that DPI does not stifle
innovation on, and investment in, the Internet?
I thank the witnesses for being here, and I look forward to
the testimony.
----------