[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
   WHAT YOUR BROADBAND PROVIDER KNOWS ABOUT YOUR WEB USE: DEEP PACKET
            INSPECTION AND COMMUNICATIONS LAWS AND POLICIES

=======================================================================

                                HEARING

                               BEFORE THE

          SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 17, 2008

                               __________

                           Serial No. 110-137


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
58-071                    WASHINGTON : 2008
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].


                    COMMITTEE ON ENERGY AND COMMERCE

    JOHN D. DINGELL, Michigan,       JOE BARTON, Texas
             Chairman                    Ranking Member
HENRY A. WAXMAN, California          RALPH M. HALL, Texas
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
RICK BOUCHER, Virginia               CLIFF STEARNS, Florida
EDOLPHUS TOWNS, New York             NATHAN DEAL, Georgia
FRANK PALLONE, Jr., New Jersey       ED WHITFIELD, Kentucky
BART GORDON, Tennessee               BARBARA CUBIN, Wyoming
BOBBY L. RUSH, Illinois              JOHN SHIMKUS, Illinois
ANNA G. ESHOO, California            HEATHER WILSON, New Mexico
BART STUPAK, Michigan                JOHN SHADEGG, Arizona
ELIOT L. ENGEL, New York             CHARLES W. ``CHIP'' PICKERING, 
GENE GREEN, Texas                        Mississippi
DIANA DeGETTE, Colorado              VITO FOSSELLA, New York
    Vice Chairman                    ROY BLUNT, Missouri
LOIS CAPPS, California               STEVE BUYER, Indiana
MIKE DOYLE, Pennsylvania             GEORGE RADANOVICH, California
JANE HARMAN, California              JOSEPH R. PITTS, Pennsylvania
TOM ALLEN, Maine                     MARY BONO MACK, California
JAN SCHAKOWSKY, Illinois             GREG WALDEN, Oregon
HILDA L. SOLIS, California           LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE FERGUSON, New Jersey
JAY INSLEE, Washington               MIKE ROGERS, Michigan
TAMMY BALDWIN, Wisconsin             SUE WILKINS MYRICK, North Carolina
MIKE ROSS, Arkansas                  JOHN SULLIVAN, Oklahoma
DARLENE HOOLEY, Oregon               TIM MURPHY, Pennsylvania
ANTHONY D. WEINER, New York          MICHAEL C. BURGESS, Texas
JIM MATHESON, Utah                   MARSHA BLACKBURN, Tennessee        
G.K. BUTTERFIELD, North Carolina     
CHARLIE MELANCON, Louisiana          
JOHN BARROW, Georgia                 
DORIS O. MATSUI, California          
                                     
_________________________________________________________________

                           Professional Staff

 Dennis B. Fitzgibbons, Chief of 
               Staff
Gregg A. Rothschild, Chief Counsel
   Sharon E. Davis, Chief Clerk
 David L. Cavicke, Minority Staff 
             Director

          Subcommittee on Telecommunications and the Internet

               EDWARD J. MARKEY, Massachusetts, Chairman
MIKE DOYLE, Pennsylvania             CLIFF STEARNS, Florida
    Vice Chairman                        Ranking Member
JANE HARMAN, California              FRED UPTON, Michigan
CHARLES A. GONZALEZ, Texas           NATHAN DEAL, Georgia
JAY INSLEE, Washington               BARBARA CUBIN, Wyoming
BARON P. HILL, Indiana               JOHN SHIMKUS, Illinois
RICK BOUCHER, Virginia               HEATHER WILSON, New Mexico
EDOLPHUS TOWNS, New York             CHARLES W. ``CHIP'' PICKERING, 
FRANK PALLONE, Jr., New Jersey           Mississippi
BART GORDON, Tennessee               VITO FOSSELLA, New York
BOBBY L. RUSH, Illinois              STEVE BUYER, Indiana
ANNA G. ESHOO, California            GEORGE RADANOVICH, California
BART STUPAK, Michigan                MARY BONO MACK, California
ELIOT L. ENGEL, New York             GREG WALDEN, Oregon
GENE GREEN, Texas                    LEE TERRY, Nebraska
LOIS CAPPS, California               MIKE FERGUSON, New Jersey
HILDA L. SOLIS, California           JOE BARTON, Texas (ex officio)
JOHN D. DINGELL, Michigan (ex 
    officio)
  


                             C O N T E N T S

                              ----------                              
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement
Hon. Gene Green, a Representative in Congress from the State of 
  Texas, opening statement
Hon. Bart Stupak, a Representative in Congress from the State of 
  Michigan, opening statement
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, prepared statement

                               Witnesses

Alissa Cooper, Chief Computer Scientist, Center for Democracy and 
  Technology
    Prepared statement
Robert R. Dykes, Chairman and CEO, NebuAd, Inc.
    Prepared statement
David P. Reed, Ph.D., Adjunct Professor, The Media Lab, 
  Massachusetts Institute of Technology
    Prepared statement
Bijan Sabet, General Partner, Spark Capital
    Prepared statement
Scott Cleland, President, Precursor LLC
    Prepared statement


  WHAT YOUR BROADBAND PROVIDER KNOWS ABOUT YOUR WEB USE: DEEP PACKET 
            INSPECTION AND COMMUNICATIONS LAWS AND POLICIES

                              ----------                              


                        THURSDAY, JULY 17, 2008

              House of Representatives,    
         Subcommittee on Telecommunications
                                  and the Internet,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:40 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Edward J. 
Markey (chairman) presiding.
    Members present: Representatives Markey, Doyle, Gonzalez, 
Inslee, Eshoo, Stupak, Green, Solis, Stearns, Radanovich, and 
Walden.
    Staff present: Amy Levine, Mark Seifert, Tim Powderly, 
David Vogel, Philip Murphy, Neil Fried, and Garrett Golding.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. Good morning, and welcome to the Subcommittee 
on Telecommunications and the Internet and our hearing on deep 
packet inspection technology and consumer privacy and issues 
that are related to it.
    Privacy is a cornerstone of freedom. Without question, the 
digital era in communications technologies will heighten 
concern about the sensitivity of personal information that can 
be collected or disclosed about individual citizens and the 
ever-increasing pervasiveness of such data collection. 
Obviously this is happening across our society, from video 
cameras at crosswalks and federal buildings, checkout scanners 
in supermarkets to the collection of information by national 
security entities and the gleaning of information from a 
consumer's Web use. I have long fought for privacy provisions 
to be added to our Nation's communications statutes to keep 
pace with changes in technology and markets. I successfully 
offered amendments that became law in previous Congresses to 
protect children's online privacy, to extend the privacy 
provisions of the Cable Act to direct broadcast satellite 
television providers, to add privacy protections for wireless 
location information and to strengthen telemarketing privacy 
protections. In previous Congresses, I also offered legislative 
proposals to establish a privacy bill of rights for Internet 
users that would have covered Web sites like Google, eBay, 
Amazon, and others, as well as separate legislation that 
required search engine sites to destroy data collected from 
users that was no longer needed for any legitimate purpose, and 
so I obviously have long supported the idea of legislating 
where needed and to do so in a way that strengthened and 
harmonized our Nation's communications privacy laws. In this 
subcommittee, we have direct jurisdiction over the Federal 
Communications Commission and providers of telecommunications 
capabilities and services. As such, providers of broadband 
access to the Internet fall squarely into our oversight role.
    Today we look at how so-called deep packet inspection 
technologies affect consumer privacy and related issues 
following up on letters that ranking Republican Joe Barton, 
Chairman John Dingell, and I have recently sent raising 
questions about these technologies. There are a couple of 
notable differences between the data-gathering that individual 
Web sites can and do conduct and that posed by the deployment 
of deep packet inspection technologies in broadband networks. 
First, there is a distinction in the detail, the type and the 
amount of data collected. As opposed to individual Web sites 
that know certain information about visitors to their Web sites 
and affiliates, deep packet inspection technologies can 
indicate every Web site a user visits and much more about a 
person's Web use. Second, there is already an array of laws on 
the books that arguably address a broadband provider's 
treatment of these technologies and services, including the 
Cable Act, the Electronic Communications Privacy Act, and the 
Communications Act, among other laws.
    From a privacy perspective, given the sheer sophistication 
of the technology capability and the obvious sensitivity of the 
personal information that can be gleaned from a consumer's Web 
use, I believe broadband providers deploying deep packet 
inspection technologies must adopt clear privacy policies. In 
my view, consumers deserve, at the least, at the minimum, one, 
clear, conspicuous and constructive notice about what broadband 
providers' use of deep packet inspection will be; two, 
meaningful opt-in consents for such use; and three, no 
monitoring or data interception of those consumers who do not 
grant consent for such use.
    Deep packet inspection technologies can be deployed not 
only with the intent to serve targeted advertisements tailored 
to a user's Web habits, they can also be utilized to manage 
traffic on the network, detect network threats, and discover 
the presence of copyrighted or illegal material and other 
applications. As a result, these technologies raise not only 
significant privacy concerns, but also highlight broader policy 
questions, including how they impact the evolution of the 
Internet itself and its future prospects for driving innovation 
and fostering competition and job creation. Today's hearing 
will allow the subcommittee to better understand the 
implications of deep packet inspection technologies on 
consumers, broadband providers, and the broader Internet.
    We welcome our witnesses to the subcommittee. We thank them 
for their willingness to be here today.
    Mr. Markey. Now I turn and recognize the ranking member of 
the Subcommittee on Telecommunications and the Internet, the 
gentleman from Florida, Mr. Stearns.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Good morning, and thank you, Mr. Chairman. The 
use of consumer Internet information for marketing purposes is 
not a new issue to all of us. Both the Energy and Commerce 
Committee and, of course, this subcommittee have previously 
held hearings to examine a multitude of concerns under the 
broad banners of online privacy and marketing, including the 
online collection of personally identifiable information and 
the use of cookies and other tracking tools.
    My colleagues, our goal today should be to broadly examine 
how companies are using consumer Internet behavior to tailor 
online advertising; both the benefit to consumers, as well as 
any potential concerns that have not already been addressed by 
industry. Why then are we just focusing on broadband providers? 
Why are we not talking about search engines and Internet 
advertising networks as well? Wouldn't we have the same 
concerns with those folks?
    Broadband providers are considering limited trials of 
tailored Internet advertising, but companies such as Google and 
Yahoo and Microsoft all have search engines, have long used 
tailored Internet advertising. Certainly we cannot have this 
discussion without addressing them as well. Whatever the 
appropriate standards are, I think everybody agrees they should 
apply to everyone.
    We can all agree that consumers should be notified, but one 
of the questions is whether we should require explicit consent 
through opt-in procedures or whether opt-out procedures are 
sufficient. That is the core question. Whatever we decide, we 
need to be consistent. Consumers don't care if you are a search 
engine or a broadband provider. They want to ensure you are not 
violating their privacy either way.
    I am particularly interested in learning from the witnesses 
the ways in which the use of behavioral information for 
marketing has been shown to have already harmed the consumers. 
It is imperative that there be some evidence of harm if we are 
going to regulate this practice or we run the risk of 
prematurely restricting the latest technological advancements 
that are related to online marketing.
    As the overall economy continues to take a significant 
downturn, the government should not be contemplating how to 
make it harder for small businesses to succeed. Targeted 
advertising may be essential for small businesses to compete 
with larger ones. They don't have the budget of General Motors 
or Ford. Small businesses don't have hundreds of millions of 
dollars to spend on this advertising. So being able to target 
their ads on the Internet to consumers most likely to use their 
products gives them a better chance to succeed.
    Overreaching privacy regulation at this time could possibly 
do more damage to this fragile economy. Companies should be as 
transparent as possible about what information they collect and 
how they are using it. That way, consumers will be empowered 
with better information to make obviously better decisions.
    The Federal Trade Commission began inquiring into targeted 
online advertising practices with workshops. This effort 
culminated with it publishing proposed industry self-regulatory 
principles. Those principles were designed to ensure that 
companies that engage in behavioral targeting voluntarily adopt 
best practices that provide increased transparency and choice 
to consumers about these practices. This approach seemed to be 
working. In fact, the FTC testified in a Senate Commerce 
Committee hearing just last week that it continues to believe 
we have not reached the point where legislation to address 
online behavioral targeting is immediately necessary.
    I have a long track record of talking very seriously about 
this committee's mandate to consider online privacy and 
marketing issues, which was evidenced by the many hearings I 
helped organize in my former role as chairman and ranking 
member of the Subcommittee on Commerce, Trade, and Consumer 
Protection. I look forward to working with the chairman and 
continuing that work on privacy issues as a member and ranking 
member of this subcommittee. I think the hearing is important. 
I look forward to its results.
    As we examine these issues today, I hope this panel can 
keep in mind that premature regulation of such practices, 
particularly in the absence of evidence of consumer harm, could 
have a significant negative economic impact at a time that many 
businesses, and particularly small businesses, are struggling, 
so I will look very closely at these issues before we leap to 
legislative proposals that even the FTC is not calling for at 
this time.
    And with that, Mr. Chairman, thank you.
    Mr. Markey. I thank the gentleman. The chair recognizes the 
gentleman from Michigan, Mr. Stupak. I apologize. I should have 
recognized the gentleman from Texas, Mr. Green, first. Excuse 
me.

   OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Green. Thank you, Mr. Chairman, for holding this 
hearing on the deep packet inspection technology, and I want to 
thank you and Chairman Dingell and Ranking Member Barton for 
your leadership and action on this issue over several months.
    It is important we look at this issue in light of recent 
news regarding Embarq and Charter Communications. The potential 
for invasion of privacy posed by DPI technology if used in the 
wrong way is extremely troubling. There are necessary and 
legitimate uses for DPI, specifically for quality of service 
reasons, monitoring for worms or viruses, use by law 
enforcement and using it to monitor traffic to the extent 
necessary to maintain network integrity and prevent congestion 
in the last mile of the network. Use of DPI by a service 
provider network operator to protect network infrastructure and 
systems is one thing; using DPI to monitor Web users' patterns 
and habits by a third party to direct advertising or other 
content their way is a separate and troubling issue.
    I am most concerned about the privacy implications of 
targeted advertising based on data collected on Internet users 
without their knowledge, and our subcommittee has a history of 
being concerned about it, whether a few years ago it was called 
a cookie or whatever. At the minimum, this should be something 
that a consumer is notified of and must opt into specifically 
outside of agreeing to some service terms and conditions, and I 
can't imagine most of my constituents agreeing to have their 
activities monitored. Some people may want this kind of 
information directed toward them, but I, and I imagine most of 
my folks, want to know if data is being collected on us and should 
not have to opt out or install a cookie on our own Web site 
browser to prevent the collection of data. The idea that this 
would take place without the affected consumers or Web sites 
knowing it, without consumers having to specifically agree to 
have their information collected and analyzed for uses other 
than for the network operator to ensure quality service, is 
contemptible.
    I am aware Google and Yahoo and others do similar targeting 
using other technology, and I believe this should be looked 
into as well, but primary jurisdiction for that falls under 
another subcommittee. To the extent we can address privacy 
issues under this subcommittee's jurisdiction, I believe we can 
and should.
    Again, Mr. Chairman, I want to thank you for the hearing 
today on deep packet inspection, and I look forward to hearing 
more about the various uses and impacts it has both in improved 
network performance but also the potential privacy 
implications. Thank you.
    Mr. Markey. The gentleman's time has expired. The chair 
recognizes the gentleman from Michigan, Mr. Stupak.

  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Stupak. Thank you, Mr. Chairman, and thank you for 
holding this hearing on deep packet inspection technology. It 
is important that we discuss the policy implications of this 
newest advancement in network technology.
    Applications of DPI technology provide a number of 
benefits. Internet users are protected from the latest viruses 
through better filtering security, network administrators have 
more efficient means of managing traffic, and law enforcement 
can use these powerful tools to combat cybercrime. However, 
while we stand to gain from DPI technology, we need to ensure 
the protections Congress has put in place on behalf of a 
consumer's personal information are upheld. One of our 
witnesses today, NebuAd, offers targeted and behavioral 
advertising services by taking information from the network to 
create detailed profiles of the Internet service provider 
subscribers. While NebuAd has stated that the information they 
collect is completely anonymous, there are legitimate consumer 
privacy questions. The ISPs that partner with NebuAd should be 
offering consumers an option to opt in for having their data 
collected, not opt out. If the hardware of the network is 
configured to collect their data, they are only opting out of 
having their information sold while it continues to be 
collected. This is especially important to broadband 
subscribers with only one choice for an ISP. They do not have 
the option to choose a different ISP if they feel uncomfortable 
knowing that the network they are accessing tracks their every 
move. As broadband providers continue to integrate this 
technology, will future application of DPI technology be as 
transparent to the public?
    Mr. Chairman, thank you again for holding today's hearing. 
I look forward to hearing from our witnesses about the 
application of DPI technology and its implications, good and 
bad, for the future of the Internet.
    Mr. Markey. The gentleman's time has expired. The chair 
recognizes the gentleman from Pennsylvania, Mr. Doyle.
    Mr. Doyle. Thank you, Mr. Chairman. I am going to waive an 
opening statement and just add it on to my questions.
    Mr. Markey. The gentleman from Pennsylvania will have that 
time added to his question period, and seeing no other members 
here to make opening statements, we will turn to our panel, and 
we will recognize our first witness, Alissa Cooper, who is the 
chief computer scientist for the Center for Democracy and 
Technology. Her work focuses on the intersection of computer 
and networking technologies with consumer privacy. We welcome 
you, Ms. Cooper. Whenever you are ready, please begin.

 STATEMENT OF ALISSA COOPER, CHIEF COMPUTER SCIENTIST, CENTER 
                  FOR DEMOCRACY AND TECHNOLOGY

    Ms. Cooper. Chairman Markey and members of the 
subcommittee, on behalf of the Center for Democracy and 
Technology, I thank you for the opportunity to testify today. 
CDT is a nonprofit public policy organization dedicated to 
keeping the Internet open, innovative and free. The legal and 
policy implications of the technique known as deep packet 
inspection are of great importance to us.
    The Internet was built on the principle that data could 
travel from one end of the network to the other, largely 
without interference along the way. Likewise, privacy laws in 
this country were crafted to protect our communications, 
whether they be phone calls, e-mails, or Web site visits, from 
being intercepted in transit. The confluence of technology and 
policy in this respect was no accident, and it has resulted in 
the emergence of the Internet that we know and love today, a 
trusted platform that supports astounding levels of economic 
activity and individual expression. Deep packet inspection, or 
DPI, could be used in ways that upend this paradigm by giving 
network operators the ability to intercept and analyze the 
Internet communications of their subscribers. While some uses 
of DPI technology are benign and even beneficial, others raise 
serious questions about the future of privacy, innovation and 
openness online. Though all these issues are near and dear to 
CDT, today I will focus specifically on privacy.
    The bottom line is this: Certain uses of DPI allow 
consumers' communications to be centralized, scrutinized, and 
monetized. Absent careful privacy safeguards, DPI systems run 
the risk of damaging the consumer confidence in the Internet 
that has allowed the medium to flourish. DPI has recently been 
put to a new use: the tracking of consumers' online activities 
for the purpose of showing them targeted ads. Traditionally, ad 
network companies have contracted with Web sites to collect 
data about consumers. In the new model, ad networks partner 
instead with Internet service providers and do their collection 
using DPI.
    As it has been implemented thus far, this model poses 
unique risks to consumer privacy. CDT values advertising as 
potent fuel for Internet growth, and we all cherish the free 
content that it supports, but ad networks that use DPI may gain 
access to the bulk of consumers' Web-browsing activities, 
including visits to political, religious, and government Web 
sites. While traditional ad networks may be large, few, if any, 
provide the opportunity to collect information as 
comprehensively as with DPI. Furthermore, most consumers would 
be quite surprised to find a middleman lurking between them and 
the Web sites they visit. The DPI model defies consumer 
expectations.
    As several members of this subcommittee have rightly 
pointed out, the Cable Act prohibition against collecting or 
disclosing personally identifiable information without consent 
is relevant here. We believe that a view into most everything a 
person does on the Web constitutes personally identifiable 
information, PII, under the statute. So far, cable ISPs have 
not only failed to obtain consent, but also they have not even 
told their subscribers that their Internet communications will 
be captured and shared with a third party.
    The Federal Wiretap Act is also applicable. The Wiretap Act 
prohibits the interception and disclosure of electronic 
communications without consent. Importantly, the Act applies 
regardless of whether communications are highly personal and 
sensitive or completely anonymous. Think of it this way: if an 
eavesdropper were listening in on your phone calls but didn't 
know your identity or record the calls, you would likely still 
feel that your privacy had been violated. The same logic 
applies to DPI systems.
    Though consent is merely one of many critical factors in 
designing a DPI system, these laws raise the question: how 
should consent be obtained? Notice must be uncomplicated and 
unavoidable, and it should mention the third party if one is 
involved. Consent should be expressly provided, not assumed. If 
a consumer does not consent, her communication should not be 
intercepted, and consumers should have the opportunity to 
change their minds, revoking their consent at any time through 
an easy-to-find, simple-to-use process. DPI has not emerged in 
a vacuum but rather in a digital environment where more data is 
collected and retained for longer periods than ever before. 
Although our communications privacy laws apply to the model I 
have described today, our Nation still has no comprehensive 
consumer privacy law to protect personal data across the board.
    Congress needs to take a broad look at both DPI and online 
privacy concerns at large. Among other recommendations, my 
written statement suggests that, one, the subcommittee should 
urge the Federal Trade Commission to address DPI in its 
proposed privacy guidelines and to exercise its full 
enforcement authority over online advertising, and two, the 
subcommittee should set a goal of enacting in the next year 
baseline consumer privacy legislation that would protect 
consumers from inappropriate collection and misuse of their 
information.
    Thank you, and I look forward to your questions.
    [The prepared statement of Ms. Cooper follows:]

    [GRAPHIC] [TIFF OMITTED] T8071.001 through T8071.032
    
    Mr. Markey. Thank you, Ms. Cooper, very much.
    Our second witness is Mr. Robert Dykes. He is the founder, 
chairman, and chief executive officer of NebuAd, a behavioral 
advertising firm. Prior to forming NebuAd, Mr. Dykes held 
senior positions with Symantec Corporation and the Ford Motor 
Company. We welcome you, sir. Whenever you are ready, please 
begin.

  STATEMENT OF ROBERT R. DYKES, CHAIRMAN AND CEO, NEBUAD, INC.

    Mr. Dykes. Thank you, Mr. Chairman, Mr. Stearns, and other 
members of the committee. My name is Bob Dykes, CEO of NebuAd, 
a recent entry into the online advertising industry.
    My objectives today are to recognize that our business 
process, which involves partnering with the Internet Service 
Providers, the ISPs, raises legitimate privacy issues, but also 
I want to explain how we have addressed those issues and 
continue to do so and to enlighten the members of the 
subcommittee in as much detail as possible within the time 
allotted about NebuAd's service and technology. In doing so, I 
hope to dispel the many myths and misconceptions that have 
surfaced about our company.
    In many ways, I feel like Galileo when he was viewed with 
skepticism on demonstrating that the earth revolved around the 
sun. Members of the subcommittee, the science exists today, and 
NebuAd is using it to create truly anonymous profiles that 
cannot be hacked or reverse-engineered, and it is possible to 
provide ISP subscribers prior robust notification and a 
meaningful opportunity to express their informed choice whether 
to participate in NebuAd's targeted advertising so that they 
are in control of their online experience.
    I come from a security background, serving for many years 
as executive vice president of Symantec Corporation. When we 
launched NebuAd several years ago, it was a time when many 
people had particularly heightened concerns about data 
security. As part of its mission, NebuAd sought to address 
these privacy and security concerns. As you will see, NebuAd 
systems are designed so that no one, not even the government, 
can determine the identity of our users.
    Currently, online advertising solutions and data collection 
methods operate in many locations throughout the Internet 
ecosystem, from users' computers to individual Web sites to 
networks of Web sites. The NebuAd service, in partnership with 
ISPs, provides consumers with significant benefits, serving 
them with more relevant ads, which they want, while ensuring 
they have robust privacy protections and control over their 
online experience.
    NebuAd's ad network also is designed to benefit two groups 
that provide substantial value on the Internet, the many 
smaller Web sites and general use sites that have difficulty 
maintaining free access to their content and the ISPs who need 
to upgrade their infrastructure to provide increased bandwidth 
for consumers who increasingly want access to Internet-
delivered videos. NebuAd creates these benefits by using a 
select set of a user's Internet activities to construct 
anonymous inferences about likely interests, which are then 
used to select and serve the most relevant advertisements.
    We appreciate that there are groups who would like the 
Internet service providers to be like the post office, but ISPs 
and the many other entities that operate the Internet are in 
fact commercial enterprises, not nonprofit, quasi-government 
organizations. As such, they can see that much of the Internet 
is well supported by advertising revenue, and it is legitimate 
for them to seek ways to also increase their advertising 
revenues. NebuAd enables that endeavor while allowing its ISP 
partners to maintain their subscribers' trust by giving them 
control over their online experience. The NebuAd service is 
architected and its operations are based on principles central 
to strong privacy protection. That is, we provide users with 
prior robust notice about the service and the opportunity to 
express informed choice about whether to participate both 
before the service takes effect and persistently thereafter. We 
do not collect or use personally identifiable information, that 
is PII. We do not store raw data linked to identifiable 
individuals, and we provide state-of-the-art security for the 
limited amount of information we do store.
    I listened to comments from members of the Senate Commerce 
Committee last week and the CDT's testimony during that 
hearing. Immediately after the Senate hearing last week, I made 
plans to sit down with the CDT to discuss practical solutions 
to issues they and Members of Congress have raised around 
notice and informed choice. We met yesterday with staff of the 
CDT for a few hours and believe that a common ground can be 
reached on a framework that involves prior and unavoidable, 
simple, but complete notice to ISP subscribers about NebuAd's 
operations and an easy and obvious means for consumers to 
express their informed choice both before NebuAd's behavioral 
advertising takes effect and thereafter. We also reached a high 
level of understanding of how a mechanism can be designed that 
would honor consumers' choice not to participate in NebuAd's 
targeted advertising and not to have information about their 
browsing behavior flow to our service. I am extremely 
encouraged by this and have set a goal of being a privacy 
leader since I started NebuAd. I will continue to work with CDT 
on the framework we discussed yesterday, and I am happy to keep 
members of this committee informed of our progress.
    In the meantime, we continue to innovate on privacy. NebuAd 
last week announced that it was enhancing the industry standard 
notice options of regular mail and e-mail with a new 
interstitial or online service, which would appear on a user 
screen prior to the NebuAd service being enacted. We have 
designed this notice to be easily readable and understandable, 
so that users can exercise informed choice. In addition, we are 
working with our ISP partners to make users' choice of 
participating in the service more persistent. The NebuAd opt-
out system is a more robust mechanism than traditional cookie-
based opt-out systems, and as a default, users are considered 
opted out of the NebuAd system until such time that the system 
can confirm the consumer has not opted out. So for example, if 
your Web browser blocks cookies, the NebuAd system will 
consider you to be an opted-out user and will exclude you from 
NebuAd's information collection and targeted ads. Further, we 
are developing a network-based opt-out and working with ISPs on 
other mechanisms that can be offered to users to honor even 
more robust and persistent choice, and these will be able to be 
configured to ensure that traffic from opted-out users is not 
diverted.
    We understand that to gain the public's trust, we need to 
adopt strong privacy protections. Ours have been reviewed by 
such entities as the Ponemon Institute, and we are engaging a 
Big Four audit firm to conduct an audit to verify that we do 
what we say we do.
    This committee has long been involved with the creation of 
privacy statutes covering the cable and telecommunications 
industries, as well as specific statutes addressing online 
privacy for children and telemarketing. Yet even these and 
other privacy statutes have been developed one at a time. There 
is a common thread running through them all, that is, the more 
sensitive data that is collected and when the collection or 
disclosure of the data could harm or embarrass a consumer, more 
rigorous disclosure and consent requirements tend to be 
imposed. When raw data is linked to identifiable individuals, 
there is an emerging trend that more rigorous disclosure, 
consent, and security requirements should be imposed.
    NebuAd supports this privacy paradigm, which provides users 
with consistent expectations and substantial protections. This 
paradigm also is technology and business neutral, and it is the 
basis on which NebuAd built its technology and operations. 
NebuAd urges the committee to maintain both the paradigm and 
the principle of technology and business neutrality, and we are 
in favor of a baseline privacy law consistent with that 
principle. Thank you.
    [The prepared statement of Mr. Dykes follows:]

    Mr. Markey. Thank you, Mr. Dykes.
    Our next witness, Dr. David Reed, is an adjunct professor 
of engineering at the Massachusetts Institute of Technology. He 
is affiliated with MIT's renowned media lab, where he focuses 
on communications technologies, and he was also a pioneer in 
the development early on of the Internet. We welcome you, Dr. 
Reed. Whenever you are ready, please begin.

STATEMENT OF DAVID P. REED, PH.D., ADJUNCT PROFESSOR, THE MEDIA 
           LAB, MASSACHUSETTS INSTITUTE OF TECHNOLOGY

    Mr. Reed. Thank you. Mr. Chairman and distinguished 
members, good morning. I want to thank you all for the 
opportunity to testify on this matter, which I think is very 
important. I have been involved, as you mentioned, with the 
Internet's design and development since 1976, when I joined the 
Internet project as one of its architects working with Vint Cerf 
and Bob Kahn and many others. As one of those who designed the 
Internet, I feel I have a duty to those who use the Internet 
today and will use it tomorrow. That personal duty, rather than 
any commercial interest, is why I am here today.
    Though we all use the Internet, let me set some context 
that relates to its technology and that can explain my 
testimony. First of all, participating in the Internet as a 
transport or access provider implies adherence to a set of 
technical protocols and standards and standard technical 
practices that are essential for the proper functioning of the 
collective Internet as a whole. These rules and practices are 
analogous in many ways to the rules and practices of global 
banking or international commerce. There is a strong 
distinction made in the Internet design between information 
needed to transport Internet datagrams, or packets, and the 
information that the end users request to be transported. This 
distinction is crucial to the scalability, innovation rate, and 
economic impact of the Internet, as well as playing an 
important role in ensuring the privacy and safety of users of 
the Internet and limiting liability for the companies that 
invest in providing the Internet infrastructure.
    The speed of digital systems has changed dramatically over 
the last 30 years and has led to a new, innovative technology 
that allows the inspection of packets as they transit the 
Internet at full speed and in complete depth. This set of 
technologies, often called deep packet inspection, make it 
possible on a large scale to dig into the content of all end-
to-end messages at almost any point in the network, do 
selective recording and analysis of such messages, and to 
modify and to inject messages into the Internet that appear to 
be messages from a particular source but in fact are partially 
the result of actions by a third party unrelated to that source 
and without the ability of the end-point system to detect the 
modifications or insertions.
    These technical innovations are being packaged into 
applications and sold as solutions to Internet access providers 
and Internet transport providers by a number of vendors, 
notably Phorm, NebuAd, Sandvine, and Ellacoya Networks, but 
hardly limited to those vendors. A subset of these 
technologies, called deep packet inspection technologies, 
targeted at marketing are particularly worrisome because they 
involve inspection of end-user to end-user information content, 
decoding that content and making of inferences about the 
meaning of that content and modifying the content in flight 
without particularly making that inference or the other 
activities an aspect of the agreement between the end-users on 
both ends.
    In my testimony today I draw several conclusions that 
Congress may want to consider as it explores use of these 
technologies. First, and this is most important, that DPI 
technologies are not at all necessary to operating the Internet 
or to profitable operation of Internet operators. In fact, they 
actually violate long-agreed standards and principles of 
Internet design since the beginning, and these principles that 
have been around from the beginning have led to the Internet's 
enormous impact and continued success.
    Second, DPI technologies pose major risks to the economic 
success of the Internet as a whole. They do so by normalizing 
nonstandard and risky technical activity on the part of telecom 
operators and broadband operators who may choose to exploit 
their captive customers rather than transparently deliver the 
communications services for which their customers have paid.
    Third, that protecting themselves from the negative impact 
of these technologies on their private business imposes 
significant additional costs on the knowledgeable customers of 
Internet transport operators and on developers of new Internet 
services while at the same time exploiting the unwitting and 
captive customers of service providers who choose to deploy 
them.
    Let me start off by saying, it is best to think of the 
Internet as a shipping service, in some sense a collection of 
shipping modes like airplanes and ships and railroads and so 
forth, that carry packages. The end-users put their information 
in these packages, which will be called packets, and put 
addressing information on the outside of the packet, and they 
present them to a shipping agent, who chooses a path and a set 
of warehouses along the way, that might be called routers, that 
deliver these packets. What makes deep packet inspection deep 
is the use of this technology to collect and modify the 
internal contents of these packages as if they were a high-
speed X-ray technology that was able to examine packets without 
changing them and also high-speed manufacturing technology that 
can actually open up the packets, manufacture something new, 
stick it in, and send it along, and I think that analogy is 
actually very strong. Note that it is unnecessary for the 
carriers to look inside the packages to do their job. This 
separation of concerns that was built into the Internet, that 
of transport versus packet access, is part of the economic 
success of the Internet and also part of the privacy 
functionality that was built in from the beginning. There 
should be no reason to look inside these packets.
    One more thing about the Internet that is different is that 
the Internet is constructed based on protocols or conversations 
between the endpoints, and these protocols are an understanding 
between the end-users, not the end-users and their carrier.
    When DPI systems make inferences about packet contents, 
they do not have access to the meaning that is intended by the 
endpoints of those protocols, and because of that, it poses 
significant risks, and with that, I will finish here and await 
your questions.
    [The prepared statement of Mr. Reed follows:]

    Mr. Markey. Thank you, Dr. Reed, very much.
    And our next witness is Mr. Bijan Sabet. He is a general 
partner at Spark Capital, a venture capital fund focused on the 
media, technology, and entertainment industries. Mr. Sabet has 
led numerous investments in startup technology companies and 
has worked for Apple Computer. We welcome you, sir. Please 
begin.

    STATEMENT OF BIJAN SABET, GENERAL PARTNER, SPARK CAPITAL

    Mr. Sabet. Thank you, Mr. Chairman and Ranking Member 
Stearns, for the opportunity to testify today. I am from 
Boston, but I am a Yankee fan, so please don't hold that 
against me.
    Mr. Markey. Thank you for helping us to win the All-Star 
Game so the final game in the World Series can be at Fenway 
Park. We thank all the Yankee players for helping us.
    Mr. Sabet. All right. Well, my name is Bijan Sabet. I am a 
general partner at Spark Capital based in Boston, 
Massachusetts. Spark Capital, as you said, is a venture capital 
firm, and we are managing and investing in excess of $620 
million. We make direct investments in early-stage companies, 
in the Internet, media and technology industries. To date, we 
have made 25 investments in this area. We are being very 
aggressive, and it probably will be over 30 companies next 
year, and our companies are generating real value, real 
technology, real revenue, and real jobs.
    Deep packet inspection is something I care a great deal 
about, as well as my partners, and will directly impact the 
Internet ecosystem, which is beginning to thrive. As a 
technology, I believe there is nothing wrong with DPI. It is a 
significant technology breakthrough, and up until fairly 
recently, DPI could not be achieved at scale at any reasonable 
cost. So I don't have any criticism about NebuAd specifically 
or any vendors that have DPI technology. The issue at hand is 
how DPI is implemented and how it is managed. It is less about 
whether these vendors have certain features or not. It is about 
what can and cannot be done with DPI.
    So to start off, just a quick definition of DPI. I think 
Wikipedia cites it well when it states that deep packet 
inspection, or sometimes complete packet inspection, is a form 
of computer network packet filtering that examines the data or 
header form of packets as it passes an inspection point 
searching for non-protocol compliance, viruses, spam, 
intrusion, or predefined criteria to decide if the packet can 
pass or if it needs to be routed to a different destination or 
for the purpose of collecting statistical information. This is 
in contrast to shallow packet inspection, usually just called 
packet inspection, which just checks the header portion of a 
packet.
    So we need to understand the impact of DPI. DPI can provide 
significant economic and consumer benefit if used correctly, 
but it can cause significant problems if used incorrectly. 
There are really two issues to consider. One is privacy, which 
I think Dr. Reed and Ms. Cooper summarized very well, and I 
largely agree with them. I think the other issue is how DPI 
relates to the open Internet.
    My interest in providing this testimony is less about 
privacy per se and more about DPI's impact on the open Internet 
and the Internet ecosystem. The important question is, do we 
want an open Internet or a closed Internet, where ISPs can 
decide what content and applications should be available? 
Specifically, should ISPs decide if a competitor's product will 
be able to flow to the home or not? That is just one example. 
That is the topic I would very much like to discuss with all of 
you.
    We have all seen the explosion and growth of the Internet 
in the business and consumer markets. It has been a large 
success. High-speed Internet to the home has fueled this 
growth, with applications such as Apple iTunes, Google's 
YouTube, joint ventures such as Hulu by NBC and Fox. This world 
is moving quite fast. Consider Netflix, which was once only a 
mail order DVD rental company. It is now streaming full-length 
movies on demand over the Internet. Thus, the impact of high-
speed Internet has just begun. Hundreds and hundreds of 
startups by venture capitalists like myself are investing in 
this space, because entrepreneurs and investors alike see the 
value in the open Internet.
    And while the Internet is growing rapidly and investors are 
pouring money into the new ideas and new opportunities and new 
businesses and new jobs funding new technology, U.S. broadband 
penetration is not as good as it should or could be. The chart 
I provided in my testimony is from the Organization for 
Economic Co-operation and Development, and it shows that as 
recently as 2007, the United States was ranked 15th in terms of 
broadband penetration, so we are behind many countries such as 
Canada, France, Germany, Korea, Iceland, Denmark, etc.
    The other interesting note here is there is not a very good 
definition of what high-speed or broadband access is. Up until 
recently, broadband in this country was defined as 200 kilobits 
per second, which by today's standards would not be considered 
high-speed data.
    Hopefully, we would all believe that it is in our economic 
self-interest to explore ways to make the United States a 
leader in high-speed Internet. We need more applications and 
consumer benefit to increase broadband adoption in the United 
States. We need lower cost of service, and we need a national 
coverage plan. The open Internet and growing broadband 
penetration are the key economic drivers of the Internet 
ecosystem and economy from my perspective as a venture 
capitalist.
    And that brings me back to the topic of DPI and its 
potential negative impact on the open Internet. Many are 
calling this topic of the open Internet and DPI a discussion 
around network neutrality, which is the principle about an open 
network with restrictions potentially only for legal purposes. 
The danger is that ISPs would and could use DPI as a way to 
turn off or slow down third-party applications or third-party 
services. Recently, the FCC discovered that this was happening 
with a large ISP and a third party. In this case, it was a 
startup called BitTorrent.
    We don't have to imagine what would happen if ISPs continue 
to do this. We have only to look at the mobile industry. Many 
venture capital firms like mine are investing in the mobile 
space, but cautiously compared to the open Internet sector. Why 
are we doing that? Well, consider the biggest success startup 
stories in the last 15 years, and the vast majority of them 
were companies that were a result of the open Internet 
ecosystem. Ask yourself, which startup companies have created 
billions of dollars of value and thousands of jobs in the 
mobile space? There are few, but these examples are far less 
than those that are coming from the open Internet ecosystem. 
That is because the mobile Internet, the mobile system, is 
closed. There is no ecosystem in the United States. Carriers 
are able to block Web sites. They are able to block third-party 
applications and services, and as a result of this closed 
network, most consumers in the United States are not signing up 
for Internet access on their mobile phones, which means a less 
attractive market for innovation, a less attractive market for 
investors, a less attractive market for entrepreneurs----
    Mr. Markey. Mr. Sabet, could you summarize, please?
    Mr. Sabet. So we need a healthy and growing broadband 
market in the United States. I would like to see our cable 
companies and telephone companies thrive and grow their 
businesses with new technology and capabilities and new 
applications. New applications will help them sell services, 
too, but it should not be at the consumer's expense or the 
Internet ecosystem's expense.
    Thank you for your time and consideration.
    [The prepared statement of Mr. Sabet follows:]

    Mr. Markey. Thank you, Mr. Sabet, very much.
    Our final witness, Mr. Scott Cleland, is a founder and 
President of Precursor LLC, a research and consulting firm. He 
blogs and speaks frequently on issues related to the Internet 
economy. We welcome you, sir.

      STATEMENT OF SCOTT CLELAND, PRESIDENT, PRECURSOR LLC

    Mr. Cleland. Mr. Chairman and members, thank you for the 
opportunity to testify. I am Scott Cleland, President of 
Precursor LLC, an industry research consulting firm. Full 
disclosure: I am also chairman of NetCompetition.org, which is 
a pro-competition e-forum funded by telecom, cable, wireless, 
and broadband companies. My testimony today reflects my 
personal views, not those of my clients.
    I believe the real problem here is not necessarily the 
prospect of deep packet inspection but the current patchwork of 
U.S. privacy laws, a lack of holistic approach to Internet 
privacy, and selective oversight of privacy problems. I believe 
they all combine to create perverse incentives for some 
companies to arbitrage privacy laws and to push the privacy 
envelope. As a result, abuse of privacy is among the most 
serious problems that face users of the Internet. I believe the 
lack of a holistic, comprehensive, and balanced approach to 
privacy law and oversight is a serious threat to Americans' 
privacy.
    Now, broadband companies have long been subject to strict 
privacy laws, sections 222, 551, and the ECPA. These laws 
create serious consequences for the misuse of private 
information without a user's permission. Consequently, 
broadband companies have developed extensive policies, 
practices, and procedures to respect users' privacy and protect 
private information. Now, the subcommittee's oversight of deep 
packet inspection for advertising purposes is very appropriate, 
and existing laws, I believe, appear to cover these practices.
    What I am concerned about is that the selective oversight 
of only broadband privacy matters fosters a blind eye to the 
arbitrage of privacy laws by companies like Google, Yahoo, and 
others. This creates perverse incentives for companies not 
covered by U.S. privacy laws to push the envelope on privacy to 
gain competitive advantage. Now, Americans' privacy should not 
be an unrestricted commodity to sell to the highest bidder or 
to gain competitive advantage. Specifically, I am troubled with 
the broadband focus of this hearing, because privacy is a 
cross-cutting, big picture issue that knows no boundaries 
between the application, the transport or the content layers of 
the Internet. By turning a blind eye to Google, which I believe 
is the worst privacy offender on the Internet, it is 
systematically invading and abusing Americans' expectation of 
privacy.
    Now, my feeling about this hearing is, it is here to create 
fear about what broadband providers could do while it is 
ignoring what Google and others are actually doing today that 
hurts Americans' privacy. Now, the irony here is the worry 
about whether broadband privacy blinds are perfect when the 
Internet house has no privacy walls at all. Let us consider the 
depth and the breadth of the intimate blackmailable information 
that Google already collects on you: everything you have 
searched for; everywhere you have gone on the Web; what you 
watch through YouTube; what you read through Google news 
Feedburner blogger; what you say in your e-mails; what you 
produce in Google Docs; what your family and friends look like 
through Picasa; your medical conditions and history, through 
Google Health; your purchase habits through Checkout; your call 
habits and voice prints through Google Talk; your travel habits 
and interests via Google Maps; your interest in places through 
Google Earth and StreetView; your personal information through 
Orca, G-mail, Checkout, and other places where you go and hang 
out, which will come through Android; where you will be or 
where you work through Google Calendar.
    The scale and scope of Google's unauthorized Web 
surveillance, and I use that term, that should be as concerning 
to people as deep packet inspection, unauthorized Web 
surveillance, and I commend the chairman today in the 
Washington Post for talking about this. He said surreptitiously 
tracking individual users' Internet activity cuts to the heart 
of consumer privacy. I couldn't agree more with the chairman on 
that. So this is truly Orwellian Big Brother stuff. While 
Google is not the government, all this information that Google 
collects is on Google's servers, it is not on your PC where you 
own it, and it is available to the government via subpoena.
    So in sum, information is power. Power corrupts. Absolute 
power corrupts absolutely. Google's market power over private 
information is corrupting Google. Just like former FBI Director 
J. Edgar Hoover was corrupted by his power and mastery of 
personally sensitive information, Google's unprecedented 
arbitrage of privacy law combined with its exceptional lack of 
accountability is fast creating this era's privacy-invading, 
unaccountable equivalent, which I call J. Edgar Google. 
Remember the timeless insight: Those who don't learn from the 
past are doomed to repeat it.
    Thank you for the opportunity to testify.
    [The prepared statement of Mr. Cleland follows:]

    Mr. Markey. Great. Thank you, Mr. Cleland, very much.
    Now we are going to turn to questions from the panel, and I 
want to begin by agreeing with Mr. Cleland, that absolute power 
corrupts absolutely. So Mr. Dykes, not only do you get access 
to all of Google, but you get access to all of eBay, Amazon, 
everyone. If there were 56 companies up here, not just Google 
but everyone else at a company, you would get access to all of 
the information, so you are Google times 100 in terms of the 
information you can with this deep packet inspection 
coordinating with a broadband carrier get access to. So I would 
like to get crystal clear, Mr. Dykes, what your privacy 
position is, and I would like a simple yes or no, please. One, 
do you support giving consumers clear, conspicuous notice?
    Mr. Dykes. Yes, sir.
    Mr. Markey. Two, do you support a meaningful opt-in 
standard for authorizing use of a consumer's data?
    Mr. Dykes. Well, sir, I would say that to characterize opt-
in or opt-out is probably not as important as to say there has 
to be a very robust notice----
    Mr. Markey. No, no, no. The difference is that you have got 
to get the consumer to say yes, OK. Do you support a policy 
that says the consumer must say yes before you are allowed to 
roam through all of their personal data and turn it into an 
information product which is then sold to other companies? Yes 
or no on that question.
    Mr. Dykes. Mr. Chairman, I think you are forcing me into 
one of those, ``Have you stopped beating your wife recently.''
    Mr. Markey. No, no, no, no, no, have you stopped beating 
the consumer is the question, OK, and I want to know, Mr. 
Dykes, do you support getting permission affirmatively from the 
consumer before you start beating them up by sending them other 
information that they have not asked for? Mr. Dykes, yes or no.
    Mr. Dykes. I really must protest and say that it is much 
more important to ensure that the consumer is well informed on 
the decision being made than to use the----
    Mr. Markey. Oh, I already asked you that first question. 
You already answered that one. That is yes. Now I want to know 
what you mean by that, and by that, should you get permission 
from the consumer first, Mr. Dykes? You have absolute power, as 
Mr. Cleland just pointed out. You are going to have access to 
all the information. Do you want to give them--will you give 
them opt-in?
    Mr. Dykes. Mr. Chairman, I really have to say that how what 
we do is characterized is going to be characterized by----
    Mr. Markey. All right. Let me ask you the third question. 
Do you agree that consumers who do not grant consent should not 
have their Web use tracked, intercepted, or profiled?
    Mr. Dykes. Yes, Mr. Chairman, we in fact have explained 
that recently we have created innovation that will enable that.
    Mr. Markey. So that is a yes, they should not get 
information if they have not granted consent?
    Mr. Dykes. That is right. If they have opted out, for 
example, they should not be tracked.
    Mr. Markey. No, I am not saying that. I am saying, if they 
have not granted consent, that they should not have their Web 
use tracked.
    Mr. Dykes. As we go through this process of informing them, 
if we are not convinced that somebody has not opted either 
way----
    Mr. Markey. Are you going to then consider that to be 
consent if they have not----
    Mr. Dykes. If they have not opted either way, then they are 
not tracked. For example, if somebody has deleted all their----
    Mr. Markey. Well, I don't think that is a high enough 
standard, Mr. Dykes. I think that that is basically saying that 
silence is consent and that as a result you can do whatever you 
want with their information. I don't think unless you have 
gotten their affirmative permission that you should be allowed 
to be able to take this incredible leap into the breaching of 
the privacy of Americans. It is like saying that the mailman 
can open up any letter, can open up any package, find out what 
is in it, and then start to partner with other companies, 
letting them know what individual Americans are receiving in 
the mail, what kind of packages are coming to their house, but 
it is OK because the consumer doesn't know that you are doing 
it and hasn't given you the opportunity to say to the mailman, 
stop opening my packages, stop opening my mail, I don't want 
anyone to know about it, and so we have a real problem here.
    Dr. Reed, can you tell me, sir, how this concept is 
consistent with the history of the Internet or inconsistent 
with the history of the Internet?
    Mr. Reed. Sure. I should clarify that the definition of 
deep packet inspection used by Mr. Sabet is not quite right. It 
doesn't involve only looking at label information. It does 
indeed involve looking at everything in the packet, so the 
Wikipedia is wrong, as sometimes it is.
    What is inconsistent about the history of the Internet, the 
history of the Internet was designed with the shipping of goods 
and essentially the ideas that lurk behind common carriage as 
its background, and it relates to the idea that the only people 
who should be interested in the actual contents of these 
messages are the endpoints involved that are the addressee or 
source of the message, and we carefully chose that design in 
the original design because we didn't want to make the network 
more complex, and we knew, A, and B, we knew that the Internet, 
it was the first network that had multiple jurisdictions 
involved in the transport of packets. AT&T was only one company 
but the packets in the Internet flow through many autonomous 
systems, all of which could potentially cause trouble to the 
endpoints and which are not under control of a central 
authority. So the reason we built into the design that the 
contents of the packets was sacrosanct from both examination 
and action was specifically to deal with the diversity of the 
network and to deal with the expectations that could be 
standardized at the endpoints, that when you sent a packet, it 
would get there with best efforts. That was the fundamental 
principle and without examination.
    Mr. Markey. Thank you, Dr. Reed.
    My time is expired. The chair recognizes the gentleman from 
Florida, Mr. Stearns.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Dykes, I can give you a little help on your answers 
from Mr. Markey. You can say ``I don't know.'' We oftentimes 
have----
    Mr. Dykes. No, I think the way Mr. Chairman further 
explained it, I think the answer would actually be yes, that we 
do not track people who we are convinced don't want to be 
tracked.
    Mr. Stearns. Obviously if the chairman wants to say every 
time this occurs there has to be an opt-in, then a dialog box 
would come up all the time, and I am saying if Congress 
mandated that, isn't it possible that when I go on the Internet 
and whether we are doing deep packets of information 
exploration or whether we are doing, as Mr. Cleland talked 
about, unauthorized surveillance, a dialog box would pop up? 
Isn't that true under what Mr. Markey--there would be a 
constant dialog box, and every consumer would have to click in, 
click out? I mean, isn't that what would happen? Give me the 
practicality if we went along the reasoning that Mr. Markey is 
saying is, we need to have an opt-in every time something 
happens, whether it is a surveillance--because Dr. Reed made a 
very good point. He is making the analogy between sending a box 
from Europe to the United States, and there is an address on 
this box, and we are supposing we let your company go into the 
box, and there is an implication, Dr. Reed is saying, that you 
are messing up the box. So you have to make the case here 
strongly this morning that this is not the same analogy and 
that the personally identifiable information has nothing to do 
with health, it has nothing to do with financial records. The 
compilation that Mr. Cleland is talking about is onerous, and 
there is lots of stuff coming together, I understand that, but 
the only way they can get back is through an IP address, and 
you have to be very clever to do that, but some of the things 
you are doing are very simple things that you are trying to 
say, does Stearns enjoy this type of DVD, does he like this 
movie or does he like such and such, and maybe we will 
advertise to let him know there is a new war novel coming out 
that he might like. So I mean, you are on the pivotal point 
here. Whether opt-in or opt-out, this is the key question. So 
you have to make the case, and maybe, Mr. Cleland, you can 
comment too.
    Mr. Dykes. So, the laws--Congress over time has balanced a 
whole series of factors in deciding what laws require opt-in, 
and opt-in is actually pretty rare, when there is sensitive 
information, personal information that could harm or embarrass 
somebody, and so we made a particular point of not having any 
personally identifiable information, not having any sensitive 
information, and so by staying at a very high level, broad 
categories characterized against anonymous profiles, we believe 
that in the general sense of the law that this country has, we 
are really in the opt-out mode. But I really don't think the 
opt-in or opt-out is nearly as important as robust notice to 
the consumers, so that they truly understand what is going on 
and then the opportunity to control that. So obviously you 
don't want to be too intrusive with the notices, but I think 
there is----
    Mr. Stearns. Tell me how you are giving notices today. How 
do you give notice to the average consumer?
    Mr. Dykes. Today our ISPs generally give notice by either a 
separate letter in the mail or separate notice in the billing 
statement or an e-mail in----
    Mr. Stearns. Does that come before or after you have gone 
through the deep packet information?
    Mr. Dykes. Before. We need to have a notice happen at least 
30 days before any of the service commences so that we can be 
sure that people have the opportunity to opt out, and people do 
opt out.
    Mr. Stearns. So you are saying you already have an opt-out 
notice in place?
    Mr. Dykes. Yes, sir, we do. We have these notices, and 
these are the notices that in general privacy rules are 
considered to be very robust notice today. We are going to go 
beyond that when we introduce or are introducing technology to 
allow that notice to be online.
    Mr. Stearns. OK.
    Mr. Dykes. And we will work with CDT to improve that 
process and ensure that we find a way to meld the needs of 
privacy with users' expectations and good user----
    Mr. Stearns. Mr. Cleland?
    Mr. Cleland. Yes. Thank you. The point I want to reiterate 
is, broadband companies are subject to strict privacy laws. 
They respect privacy laws. They have cultures that embed 
policies, practices, and procedures that respect privacy. That 
is the law. My point here is, we are worried about whether the 
blinds on the window are perfect when the house doesn't have 
any walls, and so people are worried about broadband and deep 
packet inspection that is covered by the law, and there is 
oversight like this hearing, and there are regulators that can 
look into it, yet what happens with Google and Yahoo and some 
of these others is, there is no privacy law, and there is no 
oversight, and so there is huge arbitrage.
    Mr. Stearns. Dr. Reed?
    Mr. Reed. Yes, I will just comment that two broadband 
providers, one noted in this document from Robert Topolski, 
who works with Free Press and Public Knowledge, and another, 
Charter Communications in the United States, are considering 
using--or have used, so they have already violated the privacy 
laws if the privacy laws apply, or are considering using this 
technology with American citizens with whatever is going on, 
and Phorm Technology has been actively operating a very similar 
service based on similar technology in partnership with British 
Telecom in the UK. So it is a little bit unreasonable to claim 
that the providers feel they are constrained from using this 
technology by those laws today. Maybe they haven't consulted 
their legal department.
    Mr. Markey. The gentleman's time is expired. The chair 
recognizes the gentleman from Michigan, Mr. Stupak.
    Mr. Stupak. Thank you, Mr. Chairman.
    Mr. Dykes, if you are on one of the ISPs, how do I know, 
how am I given notice that your company is tracking my 
information?
    Mr. Dykes. Today, sir, we provide notice via a----
    Mr. Stupak. You provide notice or the ISP?
    Mr. Dykes. The ISP provides notice. There is a separate 
note in your billing statement or separate letter, or if they 
are confident it will be read, an e-mail to you. But as I said 
previously, we are now introducing newer technology so that 
notice can be online so you can read it directly there as well.
    Mr. Stupak. And if I opt out and I don't want to be part of 
this program, you can still track everything I do and every 
site and where my interests might lie, correct?
    Mr. Dykes. Well, the very point of your opting out is that 
we then don't do that, and if we were already doing it and you 
opted out, we immediately delete all of the records that we 
have on such an opted out----
    Mr. Stupak. And you don't track after that?
    Mr. Dykes. Correct, sir. We don't collect any data once you 
have opted out. We delete all the data we might have had. But 
by providing that notice 30 days before a system begins in your 
neighborhood, there is a good chance that it never would have 
been collected.
    Mr. Stupak. What if people don't return, don't respond? Do 
you just start tracking them?
    Mr. Dykes. Sir, that is why we make sure that we are not 
tracking any personally identifiable information or----
    Mr. Stupak. So the answer is, if I don't respond, I get 
tracked?
    Mr. Dykes. Sir, that is the way the general privacy laws 
are written today is that where there is no personally 
identifiable information or sensitive information----
    Mr. Stupak. Well, I think most Americans would state that 
is not the law. I think most Americans would believe that the 
information they have about themselves is theirs. Just because 
I belong to an ISP doesn't give you the right to track me. If I 
want to be tracked, it should be affirmative. As I said in my 
opening statement, there really should be an opt-in. Why do I 
have to opt out? Why should the burden be on the American 
consumer? Should it not be on the ISP or your company that 
wants to track my information?
    Mr. Dykes. Well, sir, I think that there should be a common 
set of laws around privacy in this country that generally 
treats the various technologies in exactly the same manner. 
What we do with the Internet or offline, et cetera, should have 
a common set of principles, and I don't think that one set of 
companies should be penalized versus another set of companies. 
Given a general law, we are very happy to comply with however 
that law is set up.
    Mr. Stupak. So if we pass a law that says you can't do any 
deep packet unless the consumer actually opts in, you would be 
satisfied with that?
    Mr. Dykes. Well, we would be satisfied with any law you 
pass, sir, so we will work within that.
    Mr. Stupak. OK. Dr. Reed, you spoke about how deep packet 
technology can be used to assist law enforcement, but you also 
expressed concerns regarding how it may negatively affect the 
network's ability to function. How do you reconcile the two?
    Mr. Reed. In specific law enforcement or----
    Mr. Stupak. Yes.
    Mr. Reed. Well, first of all, there are two things going on 
here. Law enforcement use of these technologies, which is in 
some cases mandated by CALEA, the law you have passed, 
generally only inspects the packets, generally uses the 
information derived from those packets in legally sanctioned 
ways and I presume is using the rules of the government to 
guard and safeguard that information and how it is used. So 
while I am----
    Mr. Stupak. So law enforcement more goes for an information 
packet. From there if there is reason to believe a crime may be 
committed, that is when they go deeper to identify the 
individual?
    Mr. Reed. Well, in fact, a number of these technologies I 
believe are used currently by law enforcement selectively and 
by intelligence agencies on foreign traffic----
    Mr. Stupak. Sure, like----
    Mr. Reed [continuing]. And those technologies are 
collecting the information but in very safeguarded locations, 
government-owned or controlled locations. The analysis 
performed on them is subject to review by various processes 
ranging from--so they are not just used immediately to react, 
and the review is a legal review in many cases where, for 
example, the standards of evidence are required to actually act 
on that information, so an FBI agent may in fact be using deep 
packet inspection to derive information, but whether it can be 
presented in court or used for exploration, those are matters 
that I, not being a lawyer, am not deeply expert in, but my 
understanding is that that is quite a different kettle of fish 
than here. I don't think commercial companies have the ability 
to carry out such a duty of care.
    Mr. Stupak. Are DPI devices accessible remotely? In other 
words, what I mean, are they susceptible to hackers who may 
wish to commit identity theft, in your estimation?
    Mr. Reed. They could be. I have not examined them. I would 
be happy to examine, for example, NebuAd's devices and 
technology, but what I know about them is based on observations 
by people who detect them in the network and analyze them as 
black boxes based on what they do and what they seem to do plus 
their marketing materials, and I have no specific knowledge of 
how easy it is to break into them. I believe Mr. Dykes is 
correct that you can make them quite secure if you put that 
amount of energy into them, but nearly every technology can be 
broken.
    Mr. Stupak. Thank you.
    Mr. Markey. The gentleman's time is expired. The chair 
recognizes the gentleman from Oregon, Mr. Walden.
    Mr. Walden. Thank you, Mr. Chairman, and I appreciate the 
hearing on this very important matter, I think, and I concur 
with the chairman's comments and others that I think the 
average consumer out there views this more, or wants to, their 
time on the Internet more like they view the postal system, and 
I realize that is in disagreement with some on the panel, but I 
thought the chairman hit it on the head. If I order a package 
from some site, I don't expect the postal person to go through 
it on the way, figure out what it is--I thought that was a 
great analogy, Mr. Chairman--and then decide who they think 
ought to come and market me, and that is different than walking 
into a store and realizing I am public and shopping around, I 
think. And so I think for the Internet to really survive as an 
engine of commerce, you have to have opt-in, and I think that 
is what consumers want. That is what I would want. I get enough 
junk mail. I am not sure I am going to plow through every 
letter I get or every whatever it is you are--do you have a 
copy of what you send out, by the way, Mr. Dykes?
    Mr. Dykes. Yes, sir, we can provide that to you.
    Mr. Walden. I would love to see it, but the fact that I 
have to take affirmative action so that I can stop you from 
making money on my transactions on the Internet seems sort of 
backwards. Isn't that really what you are saying I have to do? 
I have to opt out under your scheme.
    Mr. Dykes. Sir, as I said, I think it is most important 
that we inform you what we are doing. That is----
    Mr. Walden. That you do what?
    Mr. Dykes. That we inform you of what we are doing, robust 
information, a notice that you can clearly understand what is 
happening, and then you can make your choice. The----
    Mr. Walden. But why is the burden on me to make the choice, 
because the choice you are asking me as a consumer to make is 
to prevent you from taking an action that enriches you, right?
    Mr. Dykes. Sir, the----
    Mr. Walden. You are in this to make money. That is not a 
bad thing. But you are building a business model here, and 
aren't you in part betting that there are going to be consumers 
who ignore those notices or don't understand them or whatever, 
so you get to work that angle, plus those who affirmatively say 
you bet, I like your concept, and there will be some who say 
yes, update me on the latest from whatever organization.
    Mr. Dykes. Sir, the Internet is not like the post office 
inasmuch as it is actually run by commercial organizations, and 
the ISPs have noted that more than half of Internet funding is 
coming from advertising today, and I think it is a legitimate 
desire on their part to increase the amount of advertising that 
they receive to help fund the Internet, and so this is a manner 
to do it with very robust privacy controls.
    Mr. Walden. Wouldn't the most robust privacy control be 
that of opt in?
    Mr. Dykes. Well, as long as we are not collecting any 
personally identifiable information or sensitive information, 
then we believe it is possible to note innocuous commercial 
categories mapped against anonymous profiles so that there is 
no consumer harm in that regard and then derive additional 
value from that.
    Mr. Walden. But you have the ability to personally track 
identifiable sensitive information, right? You could get access 
to that.
    Mr. Dykes. Well, we can't access any secure information. If 
it is an HTTPS transaction, for example, it is just physically 
not possible for us to track secure transactions such as when 
you go to your bank. So no, sir, we can't track everything on----
    Mr. Walden. But if you are an Internet consumer and you are 
just looking at different sites, you are planning a vacation 
somewhere and so you go to the site on the Virgin Islands or 
Crater Lake Lodge in Oregon, you could track that I am looking 
at that site?
    Mr. Dykes. That is an example where we wouldn't then keep 
track of the fact that you went literally to that site. We 
would note the fact that you are interested in travel.
    Mr. Walden. Right, but you would know who I am.
    Mr. Dykes. No, we do not know who you are.
    Mr. Walden. You just know that my IP address?
    Mr. Dykes. We don't keep the IP address either, sir.
    Mr. Walden. But you have access to it?
    Mr. Dykes. We don't keep it. We don't----
    Mr. Walden. That is a different question. Do you ever have 
access to it?
    Mr. Dykes. What we do with the IP address is, we translate 
them immediately in real time to an anonymous identifier in a 
one-way cryptology so that we can't find our way back to the IP 
address. So we don't have access to the IP address.
    Mr. Walden. Dr. Reed, does that track? I am not questioning 
what you said. I am just trying to figure out how all this----
    Mr. Reed. Actually, there is a distinction that I am making 
that Mr. Dykes may not be making, which is that he is talking 
about the Internet including all the services that are on the 
Internet, such as Google and so forth, and I am speaking 
specifically of the transport part of the Internet. It is the 
case that banks, for example, while they take your password 
over a secure link, present things like account information and 
so forth using HTTP transactions in the clear. That is not true 
of all banks, but it relates to the point I made earlier about 
the extra expense. If the banks were to respond properly to 
this and to their mandate to keep consumer information private, 
they would have to start using encrypted links for far more 
than they are currently using them for, and we could have an 
escalation on encryption. We might have an encryption war, at 
which point if every piece of traffic were encrypted, there 
would be no market if you add services. I think there are 
policy implications to having all the traffic encrypted, and I 
am not sure I want to go there. But the user at great cost to 
themselves and the services could avoid this problem, and it 
just shifts the problem elsewhere.
    Mr. Walden. My time has run out. I just have a unanimous 
consent request. I know that the ranking member had sent 
letters to the chairman of Google in 2007 and 2008, and I 
wondered if I can just ask for those to be put in the record?
    Mr. Markey. Without objection, they will be included into 
the record.
    Mr. Walden. Thank you, Mr. Chairman. I appreciate it.
    [The information was unavailable at the time of printing.]
    Mr. Markey. And I say to the gentleman from Oregon as well 
that Mr. Dykes said that the postman is public and he is 
private, but FedEx and UPS are also private, but they can't 
open up our packages. They can't open up the mail that we put 
inside. They are private, too, but we all have an expectation 
when we put something in FedEx that Mr. FedEx can't open it up 
before he puts it at our front door.
    Mr. Walden. Exactly.
    Mr. Markey. So let us not confuse that issue. It is the 
same level of privacy expectation.
    Let me turn now and recognize the gentleman from 
Pennsylvania, Mr. Doyle.
    Mr. Doyle. Thank you, Mr. Chairman. I think the post office 
analogy is important, because it is the way most Americans can 
relate to what is going on. People would be shocked if they 
thought the post office or FedEx or anybody else was looking at 
what is inside their packages, whether they knew who they were 
or not. People would be shocked to know that. And this all gets 
down to implied consent. Mr. Stearns talks about a dialog box 
popping up every time, you would have to say whether you opt in 
or opt out. It doesn't need to be like that at all. It really 
should just be with the Internet service provider. When I 
subscribe to America Online or when America Online changes its 
privacy policy to accept your service, Mr. Dykes, there should 
be something that pops up on my AOL site when I go on saying 
something has changed, or if I am just a new subscriber, and it 
should ask me clearly whether or not I want to be in on a 
service that is going to look at my information and possibly 
share that with other people, and do I want to do that or not, 
and if I say no, I don't want anybody knowing where I go online 
or what I am doing or if I travel or if I am going and looking up 
information on prostate cancer, I don't want anybody to know 
that, that I can just check that ``no'' box, and I don't have 
to do anything after that. Any site I visit, I am saying I 
don't want anybody to be inspecting that packet. It could be a 
simple one opt in, opt out that is presented to you.
    Now, I don't know anybody that reads their privacy 
statements in their bills. If you ever saw them--I have looked 
at them a couple of times. Your bill comes. There are a couple 
pages, they are in that real thin paper that is folded. It is 
about a 2-point print, and if you are old like I am, you can't 
even see it, and then you are going through that with a 
magnifying glass, and somewhere in there I guess it tells you 
that if you don't want somebody to be able to know where you 
are going to check some sort of opt-out, but if you want to--
the big print says if you want to enhance your experience on 
the Internet, then just we will just take it from here, and you 
don't have to do anything, we are going to make sure you have a 
great experience on the Internet.
    People don't know this is happening. People do not know 
that they are implying their consent by saying nothing or the 
fact that they don't read the fine print in these boxes, and 
the idea that anybody can examine where you go, what you say, 
anywhere without expressly saying it is OK with me, I think 
goes against everything that the country has been founded on 
and what most Americans understand as their right to privacy 
under the Constitution of the United States, and I don't care 
whether an Internet service provider is doing it or Google is 
doing it, it shouldn't happen, and there should be a clear 
policy where Americans say I want this, and it should be right 
up front, and it doesn't need to be a box on every Web site you 
visit, just your ISP when you are looking at it. Now I will ask 
some questions.
    Mr. Dykes. May I respond?
    Mr. Doyle. Yes, go ahead.
    Mr. Dykes. I would like to say I agree with everything you 
said there. That is exactly my thinking, that there has to be a 
robust notice, not some big 20-page document, not something in 
a little box online. This is why I keep emphasizing robust 
notice as the most important----
    Mr. Doyle. Well, I don't know how you define robust notice, 
but I know you should have to check the box that says I want 
you to be able to do this, OK, and no implied consent. It has 
to be robust, I want to do this consent, and anything short of 
that I think is a violation of what most Americans understand 
as their right to privacy.
    Ms. Cooper, I have a question for you. Some people may not 
know, one of my constituents has released a new record: Girl 
Talk. He's a mash-up DJ. He released this new album, Feed the 
Animals, on the Internet, and he is charging like Radiohead, it 
is pay whatever you want. Now, if record companies and other 
companies encourage ISPs to use deep packet inspection for 
tracking copyrighted content and punishing copyright 
infringers, is it reasonable to worry that the technology would 
also scoop up consumers of lawful content and other fair uses 
of copyrighted material?
    Ms. Cooper. Well, I will say that I am a huge fan of Girl 
Talk, and I did download the most recent album at a very low 
price, but I think you have hit the nail on the head, which is 
that using technologies like deep packet inspection for 
applications like copyright filtering raise the question of how 
to know when you recognize a copyrighted work, whether it is an 
authorized use of that work or not, and the technology itself 
of inspecting the packets, assembling the packets into a piece 
of data that you could recognize as a copyrighted work cannot 
tell you whether a use is authorized or not. That is a judgment 
that needs to be made by a person, perhaps multiple people. It 
depends on the context. It depends on if it is a fair use or 
not. And so you cannot rely simply on this technology to be 
able to say yes, this is an illegal use of someone's work or 
no, it is not.
    Mr. Doyle. Dr. Reed, first of all, thank you for your years 
of service to the Internet. Tell me, I think you touched on 
this briefly, will deep packet inspection--don't you think this 
is really just going to lead to an encryption arms race, where 
everybody is just going to start to encrypt their packets to 
avoid detection, and what do you think the implications of that 
would be to the Internet if that starts to happen?
    Mr. Reed. Well, first of all, it would be a great boon for 
the sellers of encryption technology. But I think it would 
raise the barrier for many applications, because it is not 
simple to design actually secure encryption technologies. 
Although the basic idea of encrypting a packet from end to end 
is easy, the handing out of specific keys to the right set of 
people that need to receive that stuff is quite complex, and it 
depends on a notion of a key distribution network which would 
then have to exist over the top of the Internet, because 
everyone would need to get their keys reliably from reliable 
sources, so it would create a rather elaborate network 
structure for distribution of keys and security of those keys 
that is not currently in place to make it actually work. I have 
been involved in the research on that topic actually since 
about the same time the Internet started, and industry has not 
succeeded in doing it, partly because the demand has not been 
there, the expectation of privacy was good enough, but also for 
two other reasons. One is the reason that there is public 
interest in not having too strong encryption for law 
enforcement reasons. You want to be able to not depend on 
breaking the keys but hope that the bad guys will do something 
bad for at least discovering bad things, and then the other 
reason is that the actual physical security of those keys and 
physical distribution involves trust relationships that don't 
exist in society today. Who would you trust to get your key 
from? Maybe you trust your ISP, maybe not.
    Mr. Doyle. Thank you.
    One last question. Mr. Dykes, your testimony says basically 
that when I surf the Web and I don't opt out, I give you 
implied consent to share everything that I do, and that is a 
one-sided consent. Pennsylvania, where I come from, requires 
both ends of a conversation to consent to any wiretaps. Your 
service listens to all Web conversations that you sought or 
obtained consent from millions of people, if not billions of 
Web pages and content providers. If you have not specifically 
obtained consent from all these millions of Web page and 
content providers, why do you think that your service doesn't 
violate Pennsylvania's wiretap law, or why it wouldn't apply to 
you?
    Mr. Dykes. Sir, I am not a lawyer, but I have spoken to my 
lawyers, and they have not identified any legal barriers to our 
entry in any States, but we would be happy to work with you or 
your staff to go through that in more detail.
    Mr. Doyle. I see my time is up, Mr. Chairman.
    Mr. Cleland. Mr. Doyle, can I make a comment?
    Mr. Markey. I am sorry. The gentleman's time has expired. I 
am sorry.
    The gentleman from California, Mr. Radanovich.
    Mr. Radanovich. Thanks, Mr. Chairman, for this hearing.
    I do have a question of Dr. Reed. Mr. Cleland gave what I 
thought was a very interesting analogy about dealing with ISPs 
and trying to perfect the window shade on a window in a house 
with no walls. Would you respond to his comments about the 
difference between search engines and ISPs? I would be curious 
to know your comments on that.
    Mr. Reed. Well, I can respond on different levels. I agree 
with Mr. Cleland that there are strong concerns about the 
amount of private information that is captured and used by 
search engine companies and others and that there needs to be 
some thought given to that scale of collection. It is a 
different kind of collection, because it is captured by a site 
that you go to, but in the case of Google, for example, I know 
that they are kind of the only game in town for a certain kind 
of thing, not because of a mandate but because they are really 
good. So I see this particular focus on the transport part as 
relevant to this committee, and I am not really prepared to 
talk about the technology inside Google much further than that.
    Mr. Radanovich. All right. Thank you.
    Mr. Cleland, do you have a solution for this? Is it one 
type of--is it DPI, is it cookies? What is your answer to all 
this?
    Mr. Cleland. Well, I think, sir, the question also allows 
me to respond to Mr. Doyle and what he had said. There is a 
holistic problem here with privacy, and don't be fooled into 
thinking that there is only one way to be tracked or there is 
only one way for somebody to violate your privacy. Now, packets 
going through, the expectation is that these packets should be 
delivered and not interfered with. OK. That is understood. Now, 
what you do when you are not an ISP, like when you are Google 
or Yahoo or these others, and they want to track you, they 
track clicks. Now, they can do the same thing. You said you 
didn't want anybody to know if you went to the prostate cancer 
page. Well, there is a packet that could transmit that, or a 
click. So there is more than one way to skin a cat, and the 
problem here is that you are focusing only on broadband deep 
packet inspection as one way to invade your privacy and turning 
a complete blind eye to the way that you can track clicks and a 
myriad of other ways that you can glean the same information 
and actually potentially a whole lot more. Does that answer 
your question?
    Mr. Radanovich. Yes, it does.
    Ms. Cooper, I would like to get a comment from you, as 
well. Do you recognize the advantage of DPI insofar as the 
potential protection of piracy and those issues as well, the 
value of something like DPI?
    Ms. Cooper. So I think DPI does have some beneficial uses. 
The one that comes to mind immediately is for detection of 
network attacks, viruses, spam, distributed denial of service 
attacks, and those sorts of things where an ISP might have an 
indication that an attack is coming from a certain IP address 
or from a certain location, and being able to look a little bit 
more deeply into the packet can help to thwart those kinds of 
attacks. So I certainly think that DPI has some beneficial 
uses, but I really think it needs to be evaluated on a case-by-
case basis where you can weigh the risks against the benefits 
and evaluate the other protections around how it is deployed 
with the notice and what the limits are on the data collection, 
so I really think it is a neutral technology. I don't think it 
is a good or a bad technology, as most technologies are, but I 
think it deserves a contextual evaluation.
    Mr. Radanovich. Consumers have to be able to check the box, 
basically, and say you consent.
    Ms. Cooper. Well, in some cases, yes, I think you can 
imagine certain applications of DPI that you would only want to 
have consumers, you know, fully informed and consenting to and 
other examples like with the spam example. If you had to 
consent to every time your ISP or your e-mail provider blocked 
a spam for you, that might be something that you would only 
want to consent to once, or the model would probably look 
different. So I really think it deserves a case-by-case 
evaluation.
    Mr. Radanovich. Thank you.
    Thank you, Mr. Chairman.
    Mr. Markey. The gentleman's time is expired. The chair 
recognizes the gentleman from Texas, Mr. Gonzalez.
    Mr. Gonzalez. Thank you very much, Mr. Chairman.
    Let me preface this question with a story, and actually the 
reporter's name is Louise Story. I think it was the New York 
Times. In January 2008, 14.6 billion searches were conducted. 
Yahoo, Google, Microsoft, AOL, and MySpace record at least 336 
billion transmission events in a month, not counting their 
networks. Yahoo has the most data collection points in a month 
on its own sites, about 110 billion collections, or 811 for the 
average user, plus 1,709 other opportunities to collect data 
about the average person on partner sites such as eBay, at 
which Yahoo sells the ads.
    So my question, should privacy rights and obligations begin 
and end at the doors of the ISPs solely? Ms. Cooper, just a yes 
or no. Should we only be--and I know that my colleague from 
California touched on it. Should that be our only concern? Do 
privacy rights and obligations that we seek to protect and 
impose on all players really begin and end only at the doors of 
the ISPs? Just a yes or no.
    Ms. Cooper. No, we should have comprehensive privacy 
protections.
    Mr. Gonzalez. Mr. Dykes?
    Mr. Dykes. I agree, we should have comprehensive privacy 
protection that is technology-neutral.
    Mr. Gonzalez. Dr. Reed?
    Mr. Reed. Yes.
    Mr. Gonzalez. Mr. Sabet?
    Mr. Sabet. Yes. One point, by the way, is Dr. Reed agrees 
with my definition from Wikipedia offline.
    Mr. Gonzalez. Mr. Cleland?
    Mr. Cleland. It should be holistic. It shouldn't just be on 
ISPs.
    Mr. Gonzalez. All right. And I know that we are 
concentrating on certain technology utilized by ISPs, but I 
would hope that no one leaves this room today or a viewer or 
listener thinks that this committee is not concerned about the 
overarching responsibility and duty that we wish to impose on 
everyone out there. Mr. Doyle is saying it is another 
jurisdiction, but we are actually discussing many things that 
may go way outside the jurisdiction of this committee and such, 
but nevertheless, you are going to have a collaboration along 
the way. It seems to me that everyone is--the holy grail here 
is some sort of an opt-in as opposed to what we generally 
follow in other models of opt-out, an affirmative act saying 
that you will agree after there is full, and as the chairman 
indicated, clear and conspicuous disclosure, which we all agree 
on, and then some affirmative act, in this case it would be an 
opt-in. So there are different ways to opt in, and I am just 
wondering, and I will be asking a couple of the witnesses if 
they would agree that this would be adequate and sufficient 
across the board, whether it is an ISP or an application 
company. What if they were able to obtain the opt-in in the 
following manner? One, that would tell the consumer check this 
box, whether it is on the screen or whatever or an envelope 
saying after full disclosure, conspicuous clear language, 
simply using the service will be interpreted as an opt-in. 
Would you be satisfied, Ms. Cooper, with an arrangement, simply 
using the service would be an affirmative act of opting in to 
all conditions and terms of the provider?
    Ms. Cooper. I think it depends on the service. I think at 
times affirmative express consent is absolutely necessary, and 
at other times it is not. I think it is dependent upon the data 
being collected, the sensitivity of the data, the laws that we 
have in place. All of those things are important to the 
decision----
    Mr. Gonzalez. We would have to have different standards on 
that type of opt-in language, depending on the type of 
information that is being gathered. I just think that may be an 
impossible task. I am not sure.
    Dr. Reed, would you be satisfied with that kind of an opt-
in arrangement? Simply using the service equates to an 
affirmative act of opting in.
    Mr. Reed. No, not in the case of ISP access to the 
Internet.
    Mr. Gonzalez. No, I am talking about everyone that should 
have a responsibility and duty to safeguard this particular 
information when they gather it and making sure there is full 
disclosure to the consumer that it is being collected and 
shared. What does it matter whether it is Embarq or whether it 
is Google? It is still my information. One, full disclosure; 
two, an adequate opt-in process. Why are we making that 
distinction is the real curious question. I think for the most 
part you all have distinctions without differences. It is 
whether we have--maybe because of the scope of the technology 
and the ISP status. You are saying, well, that is a mortal sin, 
we will let everyone get away with venial sins. Well, I hate to 
tell you, I think the consumer is just going to be concerned 
with the tremendous information out there that may constitute a 
lesser sin, but it is still a sin. And by the way, all these 
centers are all worshipping at the common altar of the 
advertising dollar, which promotes and supports the entire 
system, whether you are a network, ISP, or an application 
company, and that is the reality, and I know, I think the 
chairman has been very reasonable and generous with me, and he 
has let me go over my amount of time, and I yield back.
    Mr. Markey. The gentleman's time has expired. The 
gentlelady from California, Ms. Eshoo.
    Ms. Eshoo. Thank you, Mr. Chairman, for yet another 
substantive hearing on an all-important issue. It is great 
having you be chair, because that is what we have done since 
you have taken over, so thank you. And thank you to all the 
witnesses.
    First of all, I can't help but think of the following with 
my Intelligence Committee cap on, and that is that the 
penultimate intelligence is to know how people think, and I 
think that that applies to a lot of what we are talking about 
here. I think that users should be notified in the most 
meaningful way on what information is being collected, how it 
is being used, how they can opt out of certain forms of data 
collection, and I think that medical information collected 
really should be treated as one of the most sensitive or the 
most sensitive data. So I just want to state that.
    I apologize for coming in later than other members, but it 
gave me an opportunity to read what we didn't have yesterday 
and that is some of the testimony. Mr. Cleland, I derived from 
your testimony, from your statement, that you are not for net 
neutrality. Is that--that is pretty obvious.
    Mr. Cleland. Exactly.
    Ms. Eshoo. Yes, not for net neutrality. Let me ask you 
this. Are you paid any consulting fees by any of the Bells, 
cable or anyone?
    Mr. Cleland. As I disclosed when I came in here, I am 
testifying on my own behalf. However, another----
    Ms. Eshoo. Are you paid by anyone----
    Mr. Cleland. I am chairman of NetCompetition.org. It is 
funded by wireless telecom and cable companies. So that is----
    Ms. Eshoo. So the answer is yes?
    Mr. Cleland. Yes. I have always disclosed it every place I 
go.
    Ms. Eshoo. Well, I wasn't here when you disclosed that, so 
I am glad to hear that, and I think it is important for the 
record, and I think it is important to highlight it for the 
record.
    Now, in your statement, you said that broadband companies 
are subject to section 222 of the Communications Act. Now, I 
think for the record, we need to clarify this, because for 
telephone services, that is so, but not for broadband service. 
Do you agree with that?
    Mr. Cleland. Well, where we are is an evolution on that in 
the sense of telecom----
    Ms. Eshoo. Well, I mean, just yes or no. We don't have to----
    Mr. Cleland. No, because it is a very complicated question 
in the sense that law enforcement and other things----
    Ms. Eshoo. I mean, it is very important about the 
obligations under 222. Telephone services come under that 
obligation, but broadband services do not. So what I am doing 
is, I am differing with you in terms of what it is in your 
statement, so we are just going to leave it at that.
    Now, let me get to this whole issue of how we achieve the 
kind of privacy and the implementation of that as all of this 
continues to be broadened out, because the Internet is going to 
keep growing. There always are going to be new ways of getting 
to people, trying to attract them to buy things, to sell 
things, but we don't want that used against them. So let me ask 
you, Mr. Dykes, do you think that there should be legislation 
that provides a statutory framework for what data can be 
collected, how it can be used, and how consumers can either opt 
in or opt out of the collection?
    Mr. Dykes. Yes, I do.
    Ms. Eshoo. You do?
    Mr. Dykes. Yes, absolutely. I said in my testimony, we 
definitely support a base privacy law across all industries 
that is technology neutral.
    Ms. Eshoo. Let me ask the whole panel this. I am concerned 
that greater innovations in network capacity, data speeds, 
storage, and that more data containing potentially harmful 
software will be encrypted and then escape the current network 
of firewalls. Is this a legitimate fear? I mean, should 
government be addressing this?
    Mr. Dykes. Well, in my view, no, it isn't. The Internet 
today operates with secure sites such as banks that do for the 
most part display their information in a secure manner, and 
that is appropriate because there really isn't--people 
shouldn't be looking at that data, and it doesn't really have 
commercial value for advertisers anyway. In other areas where 
it is a travel site, the innocuous categories that we track 
such as travel or automotive, for example, those are also 
subject to the search engines wanting--and they want the search 
engines to know that they have those subjects and so there is a 
natural process for sites to not want to be secure so that in 
fact they can be part of the search process and other links, et 
cetera, and so----
    Ms. Eshoo. But I don't know from your answer whether this 
is a legitimate fear on my part.
    Mr. Dykes. Well, my point is that--actually Mr. Reed 
previously expressed that fear, and what I am saying is, that I 
don't think that that is a fear, because we keep our 
characterizations at a sufficiently high level that people are 
not going to be fearful, and that is why we have to continue to 
publicize this, that we have very strong privacy controls, no 
personally identifiable information, and we are only tracking 
innocuous categories mapped against those anonymous profiles.
    Mr. Markey. The gentlelady's time has expired.
    Ms. Eshoo. Thank you, Mr. Chairman, and can I just make a 
very quick observation? It is the first time in 
telecommunications testimony that J. Edgar Hoover has come into 
it. I don't know whether Mr. Cleland is referring to some kind 
of telecom cross-dressing, or what. I just wanted to highlight 
that.
    Mr. Markey. I thank the gentlelady. The chair recognizes 
the gentlelady from California, Ms. Solis.
    Ms. Solis. Thank you, Mr. Chairman, and I want to applaud 
you for having this very important hearing. When I read about 
the background on this, of course I am concerned coming from 
California where we have, I think, a lot of stricter rules in 
place that look at two-party wiretapping, and I want to get 
feedback from Ms. Cooper and Mr. Dykes on that and how you are 
going to deal with States like mine, but I have a couple of 
questions, two concerns. One is, you are able to profile who I 
am because I go on the Internet. You can see my likes, dislikes 
or whatever. But what about those people that may have language 
barriers or that may be senior citizens who could be gullible 
to specific types of unscrupulous advertisers or individuals 
who at a certain point can determine some vulnerabilities, and 
people in my community, Latinos and others, at a certain age, 
what have you, could be vulnerable to folks that take advantage 
of them, and specifically targeting advertisements at them, 
which we know happens now even in the print media and 
television, but mostly print. Many in our community are taken 
advantage of. I am concerned about predatory types of movement 
that could happen and how we detect that and how we can really 
help consumers who are maybe not language literate or because 
they speak only Spanish. So I want to ask Ms. Cooper if you can 
talk about what I have raised. But those are some of the 
concerns that I am thinking about out loud right now.
    Ms. Cooper. I think the concern that you raise is 
legitimate, and the broader context in which we have discussed 
this concern is how these behavioral profiles that are getting 
created about consumers are really used. It is one thing to 
target a car ad to someone who has been interested in buying 
cars, but it is another thing to abuse the profiles as you are 
talking about to target vulnerable populations or to use the 
profiles for decisions about things like credit or employment 
or insurance, and because it is kind of a black box and we 
don't really know all of the ways that these profiles are being 
used and it is really invisible to the consumer. They, as we 
discussed already, don't even know that this kind of tracking 
is going on, but even if they do know, it is extremely 
difficult, if not impossible, for them to find out what the 
profile says, who it has been sold to, who else is using it, 
how it is being used, and so I think we still have a lot of 
work to do to find out what all of those secondary uses are and 
who is conducting them and if that is even OK. I think if 
information is collected for one particular purpose, even if 
consumers are informed and they opted in to that, that doesn't 
mean that there is a license to use it for all these other 
purposes.
    Ms. Solis. Can you address the two-party wiretapping issue?
    Ms. Cooper. Sure. So there are some States like California 
whose wiretapping laws require consent from both parties to the 
communication, so on the Internet, that would be both the 
consumer and the Web site that the consumer is visiting. In the 
context of the wiretapping laws, there is not a lot of case law 
about how those apply specifically to the Internet. There are 
telephone cases, and in some cases, if you have a call going 
from one State to another, the one-party-consent case trumps, 
so there only needs to be consent from one party. If you have a 
call coming from a two-party State to a one-party State, in 
California, there is some case law that shows that you still 
need consent from both parties, but it has only been applied in 
the telephone context.
    Ms. Solis. So would you encourage us as our subcommittee 
kind of mulls through this to look at potential frameworks or 
something that could address this issue?
    Ms. Cooper. Absolutely. I mean, there is the federal 
wiretapping laws on the books, which we think are fairly clear 
on their application to this model, but as we have been 
discussing today, there are all these other kinds of data 
collection going on which don't fall under that framework, and 
we certainly think that is an area of work good for this 
committee.
    Ms. Solis. I have 17 seconds. I am sorry. Mr. Dykes.
    Mr. Dykes. Well, on your first question, I agree with Ms. 
Cooper. It really is the responsibility of all advertisers and 
advertising companies to have responsible behavior, and so the 
questions that you raise are really not specific to ISP-based 
advertising because, as the panel has noted, there is lots of 
this data collected in many ways, and so, for example, as an 
industry, we don't advertise and the laws require us not to 
advertise to children, for example, and so--but as responsible 
advertisers, we observe the types of concerns that you have, 
and I don't think people in our industry would cross them, 
responsible companies.
    With regard to your second question, as I said previously, 
I have spoken to my lawyers on that, and they have not 
identified any legal barrier to operating in any State, but we 
would be happy to work with your staff to further elaborate on 
that.
    Ms. Solis. You said something earlier though that business 
has a legitimate role because they are paying for this access. 
So where do you draw the line to say that maybe some of these 
folks that are paying may not be--how could I say--honest in 
the way that they are targeting, for example, alcohol and 
tobacco? There are certain populations that we know industries 
target. Those are questions that I have concerns about.
    Mr. Dykes. So the way that is generally handled is that the 
industry through industry associations certifies certain 
companies to say that we act responsibly, we operate within 
these standards, and the advertisers advertise with companies 
who meet those standards, and so there is a role for the 
advertisers themselves to have some policing to only advertise 
with companies that operate in a responsible----
    Mr. Markey. The gentle----
    Mr. Dykes [continuing]. Manner, and that I think is the 
effective way short of a law on the subject. Self-policing does 
occur in this industry and I think has been reasonably 
effective.
    Mr. Markey. The gentlelady's time has expired. The 
gentleman from Florida has an additional question.
    Mr. Stearns. Just two questions, Mr. Chairman.
    The first is just to clarify. The gentlelady from 
California brought up Mr. Cleland, what his invested interest 
was. He disclosed it, and I think just to set the record 
straight, Ms. Cooper, since the gentlelady brought up funding, 
I note that according to CDT records, your organization 
received almost 10 percent of its funding from e-commerce 
companies such as Google and Yahoo. I just wanted to confirm 
that. Are you still receiving funding from these companies?
    Ms. Cooper. We are. We actually have a very broad base of 
funding. It is about 50 percent from foundations and 50 percent 
from high-tech companies, all kinds of different high-tech 
companies.
    Mr. Stearns. Including Google and Yahoo?
    Ms. Cooper. Yes.
    Mr. Stearns. And Mr. Dykes, I think this discussion we had 
today--and I commend the chairman for having this hearing. I 
think it is very enlightening, and I think you can sense from 
everybody's feelings that people are concerned that these deep 
pockets of information packets that you are going into without 
anybody knowing about it is a concern. Maybe you should just 
summarize and tell us this information you are seeking, what is 
it that everybody is getting so alarmed about so maybe you 
would allay their fears by just outlining just very simply what 
is the stuff that you are looking at?
    Mr. Dykes. The end result is simply our noting that an 
anonymous profile qualifies for certain innocuous categories 
such as travel, automotive, other subjects like that. So they 
are very innocuous categories, because we don't want to get 
into sensitive subjects, pharmaceutical ads, for example. We 
stay away from the sensitive subjects, so it is innocuous 
categories mapped against anonymous profiles is the end result, 
and that is why----
    Mr. Stearns. Mr. Doyle mentioned health information, going 
to look for prostate cancer.
    Mr. Dykes. We avoid that.
    Mr. Stearns. I mean, how do we know that you avoid that? Do 
we just take your word for it?
    Mr. Dykes. Well, that is one of the reasons why we are 
having our system audited, so a Big Four firm can actually say 
that yes, they do what they say they do. So that is one 
important element. The other is industry standards around 
sensitive subjects that they are still being formed, but to the 
extent that the FTC or other government bodies create a 
definition around sensitive subjects, we certainly observe 
that. Meantime, we stay very, very conservative on----
    Mr. Stearns. Who does this auditing? When you say you are 
audited, who----
    Mr. Dykes. We haven't named the firm, but we have indicated 
that we would have one of the Big Four audit firms audit our 
systems to ensure that we do what we say we do.
    Mr. Stearns. An accounting firm is going to audit you?
    Mr. Dykes. Well, those firms--correct. Those firms also do 
auditing of the subject, as well on privacy standards, as well 
as accounting standards.
    Mr. Stearns. I don't know if that is going to provide a 
degree of confidence to think that an accounting firm is going 
to audit you to----
    Mr. Dykes. There is such a thing as----
    Mr. Stearns [continuing]. Whether you are going into 
sensitive boxes of information, deep packets. I don't know, Mr. 
Dykes, whether that is going to calm the fears.
    Mr. Dykes. Sir, there are actually standards on privacy 
audits.
    Mr. Stearns. And you can't announce who that accounting 
firm is today? Have you selected that----
    Mr. Dykes. It hasn't been finally selected.
    Mr. Stearns. So you don't even have an accounting firm 
doing it yet?
    Mr. Dykes. Well----
    Mr. Stearns. You are speculating that you will.
    Mr. Dykes. Sir, we are a startup, so we are just--this is 
just----
    Mr. Stearns. This is the first stage, the early stage?
    Mr. Dykes. Yes.
    Mr. Markey. Can you try to pick a company, Mr. Dykes, that 
wasn't the accounting firm for the subprime loan scandal or the 
dot-com bubble or the Enron? Can you find an accounting company 
that maybe has a good track record over the last 6 or 7 years, 
not missing every major accounting scandal, and I don't know 
what company that might be, but you will be held responsible 
for anything they miss, by the way. I unfortunately have to say 
this. In most instances, the accounting firms miss the stuff 
that the industries want them to miss because they also have 
consulting contracts. It is not a good situation.
    Do any other members have any questions that they might 
want to ask? Yes, Mr. Gonzalez.
    Mr. Gonzalez. Thank you very much, Mr. Chairman. Just 
quickly because as you can tell, I think we may have some 
differences of opinion on application, the exact answer, but 
make no mistake about it, we all really share the chairman's 
concern regarding privacy and the duties and obligations that 
are out there, because we truly believe the American public 
will be concerned about it. I don't want to overlook the fact 
that many consumers today are the beneficiaries of, quote, 
``free services through application companies,'' and that is 
very, very valuable, and the reason that they are free is 
because of advertising dollars, and we have to really 
understand the role of the advertising dollar out there in the 
Internet and how it has actually promoted its use and the 
quality of it and so on, and that can be a scary proposition, 
depending on what we do. If we do act, I think we have to be 
careful again of going about business models and then going on 
what Mr. Sabet said about broadband, and that is, if those 
pipes are big enough and we keep increasing them, we take 
excuses away from people who may want to manage them in a way 
that really deprives the fair use of the Internet the way Dr. 
Reed envisioned it and has envisioned it for a number of years. 
So we can't do anything again to impact or restrict the build-
out. Again, I am going to use the word robust in a different 
context of a broadband network, and that really does concern 
me.
    Lastly, I am going to make this last observation. Whether 
it is an ISP and how they got to where they are or whether it 
is Google and how they got who they are, whatever we come up, I 
think we still have to acknowledge the reality of what Dr. Reed 
said, but I am going to go and use real quick, Mr. Chairman, a 
quote, and this was in regards to service by an ISP, and a Mr. 
Bob Williams said there really should be an onus on the 
regulators to see this kind of thing is done correctly, meaning 
the information sharing and collection, and Mr. Williams deals 
with telecom and media issues at Consumers Union, and this is 
what he said. He could have read some of the terms earlier when 
placing the order online, but he just clicked the accept 
button. Quote: ``I am a hard-nosed consumer advocate type. I 
really should have examined it better than I did,'' he said. 
But he added he acted like most consumers because of the lack 
of alternatives. ``You click the accept button because it is 
not like you are going somewhere else.'' And that is the 
backdrop and that is the reality, and I believe that we will be 
acting responsibly understanding those market forces.
    Thank you very much, Mr. Chairman.
    Mr. Markey. The gentleman's time has expired. Does the 
gentlelady from California have any additional questions?
    So we are going to turn to our panel, and we are going to 
ask each of you to give us your 1-minute summary of what you 
want us to remember about this issue of privacy and the 
American people, and it might help if you told us whether or 
not you thought opt-in was a good standard. We are talking 
privacy generally here, not individual companies but just tell 
us what you think. Should that be the standard? Mr. Cleland?
    Mr. Cleland. Well, I think that we need to have a holistic, 
comprehensive, balanced approach to privacy law.
    Mr. Markey. Would that be opt-in?
    Mr. Cleland. Since you have asked, I think what the problem 
is, when we now go to opt-in or opt-out and it is that binary 
question, we are a little bit like the problem we have with do-
not-call, and because it is complicated, we may end up with a 
do-not-track where people, just because nobody is minding what 
is going on in the Internet, people get fed up, and they say 
well, just let me say somewhere that I don't want to be tracked 
with anybody, and so when we go with just opt-in or opt-out, 
what we are doing is, we are basically making something that is 
not simple real simple when there are a lot of different ways 
to skin this cat. So I am big on privacy, but one size doesn't 
fit all. But you do need to look at it comprehensively.
    Mr. Markey. Mr. Sabet?
    Mr. Sabet. Yes, a quick summary here is, we really believe 
that privacy and the open Internet are directly linked, and 
what you do with the data as a customer of DPI technology is 
the key. So if you violate people's privacy to manage the 
Internet, the open Internet, we think that is the real harm 
here for consumers and the Internet ecosystem.
    Mr. Markey. Thank you.
    Dr. Reed?
    Mr. Reed. Well, I think opt-in is too glib. It really 
should be informed consent and understanding of what will 
happen to the information, that you are being tracked and in 
the case of the Internet where, for example, you could predict 
reliably the political affiliation and beliefs of somebody 
literally by who they are talking to, so if you just monitor 
who they are talking to, you don't have to know whether they 
are a Democrat or a Republican. You actually have a much more 
complex notion of--you have to know what kind of analysis and 
use will be made of the information and what limits are placed 
on it, whether it is just for advertising, just for advertising 
by certain advertisers, just for something, as opposed to 
selling the unvarnished analytical information for any possible 
use, and that I think is something that ought to be kept in 
mind. So start with opt-in, but go beyond it, to opt in to 
what.
    Mr. Markey. Mr. Dykes?
    Mr. Dykes. I think we need to recognize that the Internet 
today is more than 50 percent funded by advertising, and to 
adopt an across-the-board opt-in rule would substantially 
reduce the value of the advertising across the Internet, so I 
think that major harm could be incurred that way. So I think a 
more holistic view of it, but also a more fine-tuned view, such 
that we are sensitive to the type of data being collected 
before we decide what the rules should be, I think is the most 
appropriate way to answer that.
    Mr. Markey. Ms. Cooper?
    Ms. Cooper. I think consumers deserve to have informed, 
meaningful control over their data. Whether it is opt-in or 
opt-out, consumers need to be in the driver's seat with respect 
to what is happening to their data when they go online and when 
their data is existing offline. They need to be the ones who 
decide how their data gets to be used.
    Mr. Markey. Thank you, Ms. Cooper, very much.
    When people use the World Wide Web, they don't want it to 
turn into the wild, wild west when it comes to their personal 
information, and I think that this analogy which Dr. Reed 
introduced today is a good one, and it extends to the post 
office, it extends to FedEx or UPS, that this is just another 
means of delivering something that a consumer is interested in, 
and there should be a barrier that exists unless the consumer 
determines that they do want, in other words, this information 
to be compromised. What we have learned from Embarq and we have 
learned from Charter is that in their affiliation with NebuAd 
that these questions weren't asked from the get-go.
    This is a very serious subject. It is one that goes right 
to the heart of who we are as Americans. Back in 1775 in my 
congressional district in Lexington, one of the things that was 
just absolutely agitating the colonists was that the British 
felt they could come right into your home. There was no search 
warrant. There was no one that could stop them, and they could 
just come in. And so the very principles of individual freedom, 
individual liberty, your right not to have either the 
government or a private sector company coming into your life 
without your permission, is central to who we are as Americans. 
That is what we fought for. That is what we continue to fight 
for and try to spread around the rest of the world. We don't 
believe that either the government or private sector companies 
have a right to come in without your permission unless there is 
a legally obtained warrant, and that is why we are talking 
about wiretapping laws here today. That is why we are talking 
about broad privacy laws that have been put on the books over 
the years. It is because it is a subject of constant debate in 
our country from our very inception.
    So I think that what we are hearing today is strong 
sentiment from most members that clear notice and meaningful 
opt-in must be the standard by which cable and phone companies 
like Verizon or Comcast, to take the names of two companies 
that are more well known than Charter or Embarq, but if this 
trend extends, then that is who we will be talking about. We 
will be talking about these larger carriers who will have the 
capacity, unless we have some standards, to be able to use this 
information as a product, and I don't think that Americans 
really want that to be the standard, notwithstanding the 
advertising base that the Internet might be based upon. There 
might be a few companies that suffer if Americans decide that 
they don't want all of their information to just become 
something that is put together as an advertising profile of 
that individual. That is a price just a little bit too high to 
pay in order to have the Internet the way that a private sector 
company might want it to be there, and the same way that 
politicians might want to know all of the private sentiments of 
voters in their district and be able to get access to it, we 
can't get access to it. We can hope that they are going to vote 
for us on Election Day, but there is a certain limit beyond 
which we can't go in intruding into the privacy of Americans. 
But it is a natural instinct. Each of us up here would love to 
know everything that is going on in the homes of all 650,000 
people in our district with regard to their political 
attitudes. That would be very helpful to us. But we can't, and 
there is a good reason why we can't, because these individuals 
have a right to their privacy, and the same thing extends over 
to their right to privacy from advertisers, their right to say 
no, I don't want you in my front door. When your mother is 
saying to you as a little kid, when you tell the person 
knocking on the door they are not home, tell them your mother 
is not home, but what are they really saying? What your mother 
is really saying is, we are not home to you, sir, on the front 
door knocking trying to get inside my home, and that is your 
right, and it should be your right as an American citizen not 
to let people inside your mail, inside your packages, inside 
your packets.
    This packet-switched network that Dr. Reed and others 
invented is something that really goes right to the heart, and 
the principles that were established really go right to the 
heart of who we are, and Ranking Member Joe Barton, Chairman 
John Dingell, and I have already written to a cable and a phone 
company where either the notice or the opt-in choice was 
inadequate or missing. So we need to have remedial legal 
courses for some corporate general counsels, and we need to 
have the phone and the cable companies step up and clearly say 
what their policies will be, and as I have proposed previously, 
we need a comprehensive online privacy bill to close the gaps 
that exist with search engines and other sites.
    So we thank each of you for your testimony. We intend on 
working very closely. We intend on really raising the profile 
of this issue and any companies that are engaging in it so they 
can become more famous, more well known in terms of what they 
are doing, and this is going to become an escalating subject of 
attention for this committee and for the Congress, because any 
time anyone learns about it, their first thought is, I didn't 
know that that was happening with all of my information, and 
that just demonstrates that there has not been notice given to 
people.
    So we thank all of you, and we intend on following up on 
this issue in the months and years ahead. With that, this 
hearing is adjourned.
    [Whereupon, at 11:47 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                   STATEMENT OF HON. JOHN D. DINGELL

    Thank you, Mr. Chairman, for holding this hearing, and I 
thank the witnesses for being here.
    Deep packet inspection (DPI) is part of the Internet now, 
and it will be part of the Internet in the future. That much is 
clear. However, any industry that includes a company whose 
motto is, ``See Everything. Know Everything.'' is worthy of 
close scrutiny.
    Our job today is to consider how best to balance the 
deployment of DPI with adequate protection of consumers' 
privacy. We must also consider the effects of DPI on 
competition and investment across the Internet.
    An immediate concern is the targeted advertising that DPI 
makes possible. On Monday, Chairman Markey, Ranking Member 
Barton, and I sent a letter to the phone company Embarq. We 
expressed concern that Embarq conducted a trial in an unnamed 
community in its service area of a targeted advertising system 
that tracked customers' Web use without providing clear notice 
of the trial to subscribers. Not only did Embarq fail to give 
its subscribers a chance to opt in to the tracking, but it did 
not directly notify affected customers that they had a chance 
to opt out. I find the notion that a broadband provider would 
implement such tracking with no real notice to the customer to 
be deeply troubling.
    We are in this position, because the Federal Communications 
Commission (FCC) has yet to establish any clear privacy 
protections for customers of wireline broadband services. In 
its rush over the last several years to deregulate broadband 
services, the Commission has failed to adequately protect 
consumers. When Chairman Martin testified before this Committee 
in March of 2007, I asked him when he would remedy this 
problem. He responded that the Commission would endeavor to act 
by the end of 2007. Clearly, much work remains to be done at 
the FCC.
    We must also consider what DPI means for the future of the 
Internet. DPI can be used for legitimate and necessary purposes 
by broadband providers, such as to reasonably manage network 
congestion and protect against viruses. To the extent that they 
utilize DPI for these purposes, I have no quarrel with 
broadband providers. Unfortunately, DPI can also be used for 
nefarious purposes, such as unfairly blocking certain 
applications or slowing one Web site's traffic at the expense 
of another. We in Congress must be vigilant in the face of 
these and other abuses. The importance of an open and 
competitive Internet cannot be understated.
    I hope today's witnesses will help the Committee in its 
examination of DPI by addressing a few questions. How should 
broadband providers notify subscribers they are planning to 
track customer Web use? Should providers be required to obtain 
opt-in consent? What privacy rules should apply to broadband 
providers? And how do we ensure that DPI does not stifle 
innovation on, and investment in, the Internet?
    I thank the witnesses for being here, and I look forward to 
the testimony.
                              ----------                              


                                 
