[Senate Hearing 110-791]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 110-791

                          BROADBAND PROVIDERS 
                          AND CONSUMER PRIVACY

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 25, 2008

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation















                   U.S. GOVERNMENT PRINTING OFFICE
48-450 PDF                  WASHINGTON : 2009
----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, 
Washington, DC 20402-0001







       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                   DANIEL K. INOUYE, Hawaii, Chairman
JOHN D. ROCKEFELLER IV, West         KAY BAILEY HUTCHISON, Texas, 
    Virginia                             Ranking
JOHN F. KERRY, Massachusetts         TED STEVENS, Alaska
BYRON L. DORGAN, North Dakota        JOHN McCAIN, Arizona
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 GORDON H. SMITH, Oregon
MARIA CANTWELL, Washington           JOHN ENSIGN, Nevada
FRANK R. LAUTENBERG, New Jersey      JOHN E. SUNUNU, New Hampshire
MARK PRYOR, Arkansas                 JIM DeMINT, South Carolina
THOMAS R. CARPER, Delaware           DAVID VITTER, Louisiana
CLAIRE McCASKILL, Missouri           JOHN THUNE, South Dakota
AMY KLOBUCHAR, Minnesota             ROGER F. WICKER, Mississippi
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Lila Harper Helms, Democratic Deputy Staff Director and Policy Director
   Christine D. Kurth, Republican Staff Director and General Counsel
                  Paul Nagle, Republican Chief Counsel














                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on September 25, 2008...............................     1
Statement of Senator Dorgan......................................     1
Statement of Senator Hutchison...................................     2
Statement of Senator Klobuchar...................................    26
Statement of Senator Thune.......................................    29
Statement of Senator Vitter......................................     3
Statement of Senator Wicker......................................    31

                               Witnesses

Attwood, Dorothy, Senior Vice President, Public Policy and Chief 
  Privacy Officer, AT&T Inc......................................     4
    Prepared statement...........................................     5
Sohn, Gigi B., President, Public Knowledge.......................    15
    Prepared statement...........................................    16
Stern, Peter, Executive Vice President, Chief Strategy Officer, 
  Time Warner Cable..............................................     8
    Prepared statement...........................................    10
Tauke, Thomas J., Executive Vice President, Verizon..............    11
    Prepared statement...........................................    13

                                Appendix

Inouye, Hon. Daniel K., U.S. Senator from Hawaii, prepared 
  statement......................................................    37

 
                          BROADBAND PROVIDERS 
                          AND CONSUMER PRIVACY

                              ----------                              


                      THURSDAY, SEPTEMBER 25, 2008

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:06 a.m., in 
room SR-253, Russell Senate Office Building, Hon. Byron L. 
Dorgan, presiding.

          OPENING STATEMENT OF HON. BYRON L. DORGAN, 
                 U.S. SENATOR FROM NORTH DAKOTA

    Senator Dorgan. The hearing will come to order.
    This is a hearing of the Senate Commerce Committee. We have 
a hearing today on broadband providers and consumer privacy, a 
subject which is interesting and new, relatively new, to this 
Committee. It is the second of a number of hearings on this 
subject.
    I wish all of you good morning.
    I am joined by Senator Hutchison who is the Ranking Member. 
Senator Inouye is not able to be with us and has asked me to 
chair the hearing. I chaired the previous hearing on this 
subject as well at his request, and I am happy to do that.
    This hearing is to provide an examination of the privacy 
rights of Internet users and the practices of broadband 
providers. The Commerce Committee has had a long interest in 
the subject of protecting privacy, and now I feel we need to 
take a closer look at Internet users' privacy as the field of 
online advertising develops.
    I want to make it clear that I understand and I think all 
of my colleagues in the Congress would understand that there 
are many benefits to online advertising. It is an architecture 
that is important to our economy. It allows many of the sites 
and services that we all know and understand to grow and 
thrive. So this is not an inquiry about whether advertising is 
relevant or important. Advertising on the Internet plays an 
important role in Internet commerce.
    While most of the conversation about Internet advertising 
in the past years has been focused on economic benefits, 
however, consumers say in surveys that they worry about 
privacy. Survey results released today from Consumer Reports 
shows that 72 percent of consumers are concerned that their 
online behavior is being tracked or profiled, and they are 
concerned about that. The poll found that 93 percent of 
Americans think Internet companies should always ask permission 
before using personal information.
    I think it is the case that the invisibility of data 
collection practices and users' ability to control their 
information is a concern, and I think it is time that the 
Senate and regulators try to understand and focus on what are 
the privacy questions and the aspects of the issue of privacy 
that we should be dealing with.
    In July, we held a hearing on privacy to examine concerns 
about consumers being profiled and being tracked online. There 
is a lot the Committee has yet to learn about data collection 
practices. We learned some things at the last hearing. We heard 
from NebuAd, a company that was working with some Internet 
service providers to gain access to the content on their 
networks in order to provide advertisers profiles of broadband 
providers' customers. NebuAd later halted those plans.
    In July, the broadband providers were not able to attend 
our hearing. For many of them, this was a new area, and today 
we appreciate the participation of AT&T, Verizon, and Time 
Warner Cable. It should be noted that these companies had not 
previously agreed to provide customer data to NebuAd or similar 
companies.
    We also appreciate the participation today of Public 
Knowledge at this hearing.
    We will focus on privacy expectations for customers of 
Internet service providers. People do expose themselves online 
by where they go and what they do, and often type in sensitive 
information, personal information, and financial information. 
We have very little competition in the broadband market. As a 
matter of fact, around most of this country, most Americans 
have one or at the most perhaps two choices for broadband. And 
as broadband service is so vital to the American people and to 
our communities, we want to make sure that providers are 
respecting the privacy protections of consumers and that those 
protections are in place. Internet service providers have 
access to all of that customer's information and behavior, and 
the question is what is being done with it.
    Again, let me emphasize that I appreciate the Internet 
service providers being willing to come to us today and talk 
about these issues because the issues are not just important to 
policymakers. These issues I think are important in the long 
term to Internet service providers as well.
    I do think we need to update our privacy laws and we need 
to ensure we have similar protection across platforms. We need 
to protect sensitive information, make sure customers know what 
companies are doing with their information so that customers 
can make informed choices about their participation, and are 
given clear information about opt-in or dealing with other 
regimes that might be established.
    This is the second hearing, and I assume that the Commerce 
Committee will want to hear more as we enter the next session 
of Congress. Now the Committee is here to listen and to thank 
the witnesses for testifying.
    Let me call on my colleague from Texas, Senator Hutchison.

            STATEMENT OF HON. KAY BAILEY HUTCHISON, 
                    U.S. SENATOR FROM TEXAS

    Senator Hutchison. Well, thank you, Senator Dorgan. I 
appreciate your calling attention to this issue, and I want to 
say that it is an important issue that we look at because we 
know that there are many advertising opportunities now on the 
Internet, which is a good thing, as the Senator said. It is 
good for the economy. It is also good for business to be able 
to target advertising and be able to have efficient use of the 
advertising dollars.
    I also think it is helpful to consumers to be able to find 
the products they are looking for, the services that they are 
looking for in a targeted way, and that provides more free 
service on the Internet, which is what we all want. So that is 
the good side of advertising.
    On the other side, we surely need to be informed. Consumers 
need to be informed about what online entities are doing with 
their personal data information, and of course, since so many, 
especially in our rural areas, depend on broadband for 
commerce, as well as health care and education, people are 
putting more of their personal information online. So I think 
transparency and disclosure are very important.
    I would say I hope we do not charge into legislating in 
this area before we do fully understand what is possible, what 
is not possible, what is helpful, and what is not helpful, and 
what would help the right type of opportunities but not hinder 
the overall ways that we can have access to advertising. So it 
is a complicated area and one that we ought to look at, fully 
understand before we rush into legislation that could curb our 
economy.
    I want to say that I am not going to be able to stay. I 
have to be on the floor at 10:30, but I appreciate your calling 
this hearing and I will certainly look at the testimony later.
    Senator Dorgan. Senator Hutchison, thank you very much.
    I share the view. I do not think that there will be a 
stirring here to rush toward some sort of legislative approach. 
I think, first, it is very important that we understand this. 
There may well need to be legislative solutions at some point 
in the future, but first, I think it is a complicated area and 
we need to understand it. I certainly agree with that.
    Senator Vitter?

                STATEMENT OF HON. DAVID VITTER, 
                  U.S. SENATOR FROM LOUISIANA

    Senator Vitter. Thank you very much, Mr. Chairman, for 
calling this hearing as well. We examined this issue earlier 
this year in a hearing with other online companies. So I am 
looking forward to the views of these Internet service 
providers and others on this very important issue.
    I agree we need to look at this carefully. We need to 
attack bad behavior. We need to do it in a way that will not be 
out of date tomorrow as technology advances, and I think we 
need to do it in a way that is not technology-specific, picking 
winners and losers, but sets a broad-based policy in a way that 
can effectively be implemented.
    So I look forward to listening closely to the testimony to 
figure out how we can best accomplish that. Thank you.
    Senator Dorgan. Thank you, Senator Vitter.
    We have four witnesses today. We will, by consent, include 
their entire statements as a part of the permanent record and 
ask the witnesses to summarize their statements.
    First, we will hear from Ms. Dorothy Attwood, who is the 
Senior Vice President for Public Policy and Chief Privacy 
Officer for AT&T Services. Ms. Attwood, thank you for being 
with us. You may proceed.

                  STATEMENT OF DOROTHY ATTWOOD

              SENIOR VICE PRESIDENT, PUBLIC POLICY

              AND CHIEF PRIVACY OFFICER, AT&T INC.

    Ms. Attwood. Thank you very much. Thank you, Senator Dorgan 
and other Committee Members, for providing AT&T the opportunity 
to discuss online behavioral advertising and its important 
privacy implications.
    My name is Dorothy Attwood and I am AT&T's Senior Vice 
President and Chief Privacy Officer.
    Senator Dorgan, AT&T appreciates your leadership on this 
issue. It has fomented a necessary and productive discussion 
among all key stakeholders, and it has encouraged our industry 
to listen closely to our customers and take a careful look at 
how best to engage in different modes of online advertising. 
Indeed, you will hear today a remarkable consensus about the 
overriding importance of a consumer-focused approach to online 
advertising and the need to ensure that consumers maintain 
ultimate and effective control over their information.
    American consumers benefit immeasurably from our Internet 
ecosystem, which is rich in innovative services and varied 
content information and entertainment. Online advertising is a 
key component of this ecosystem as it fuels investment and 
enables many free and discounted services and funds today's 
vast diversity of Internet content.
    But online advertising, especially new forms of highly 
targeted behavioral advertising, also raise important consumer 
privacy concerns that policymakers and industry must carefully 
weigh. Setting proper policy in this area is crucial to 
maximizing the consumer benefit of a healthy Internet 
marketplace.
    Online behavioral advertising is the practice of tracking a 
consumer's web browsing and search activity across unrelated 
Websites. Notably, both the tracking and the association of the 
websites are largely invisible to the end user and the 
resulting information is used to create a distinct user profile 
and deliver highly targeted or personalized advertising. It is, 
indeed, a next generation capability and it can clearly be 
distinguished from the simple and longstanding practice of 
tracking a consumer's use of an individual Website or obviously 
related Websites.
    AT&T does not today engage in online behavioral advertising 
either through the so-called ``deep packet'' inspection or any 
other technique. Of course, if done properly, the practice can 
be valuable to consumers and can measurably improve their 
online experience. But we believe just as strongly that it is 
essential to include strong privacy protections in the design 
of any online behavioral advertising program and that any 
privacy framework should shed clarifying light on what is today 
something quite invisible to the consumer.
    Thus, we will engage in online behavioral advertising only 
after validating the various technologies and only after 
establishing clear and consistent methods to ensure the 
protection of and ultimate consumer control over consumer 
information. Our deployment of any online behavioral 
advertising practice will be governed by the imperative of 
meaningful consent and a consumer-focused privacy framework 
based on the following principles: transparency, customer 
control, privacy protection, and customer value.
    More specifically, we believe that a forward-looking 
advertising practice requires a forward-looking customer notice 
and consent model. For this reason, AT&T will not use consumer 
information for online behavioral advertising without an 
affirmative advance action by the customer that is based on a 
clear explanation of how the consumer's action will affect the 
use of her information. This means that a consumer's failure to 
act will not result in any collection and use of that 
consumer's information for online behavioral advertising 
purposes by default.
    Even though AT&T and most other Internet service providers 
do not engage in online behavioral advertising, make no 
mistake, this practice is well underway today. Already ad 
networks and search engines track and store a vast trove of 
data about consumers' online activities, and the technologies 
they use have evolved just beyond tracking consumers' web 
surfing activity at sites at which they sell advertising. They 
now also have the ability to observe a user's entire web 
browsing experience at a granular level. If anything, this 
largely invisible practice of ad networks and search engines 
raise at least the same privacy concerns as do other online 
behavioral techniques that ISPs could employ.
    For this reason, we believe that any privacy framework for 
online behavioral advertising must apply to all entities 
involved in Internet advertising, including ad networks, search 
engines, and ISPs. A policy regime that applies only to one set 
of actors will arbitrarily favor one business model or 
technology over another, but most importantly represent only a 
partial and entirely unpredictable solution for consumers.
    Thus, we urge all entities that engage in online behavioral 
advertising, including especially those who already are 
engaging in the practice, to join AT&T in committing to a 
policy of advance, affirmative consumer consent.
    Again, thank you for the opportunity to speak here today, 
and I look forward to your questions.
    [The prepared statement of Ms. Attwood follows:]

     Prepared Statement of Dorothy Attwood, Senior Vice President, 
           Public Policy and Chief Privacy Officer, AT&T Inc.
    Thank you, Chairman Inouye and Ranking Member Hutchison, for 
providing AT&T Inc. the opportunity to discuss online advertising and, 
more specifically, the issue that has received a good deal of recent 
attention, so-called online behavioral advertising. We trust that this 
hearing will help the discussion evolve past slogans and rhetoric to a 
more thoughtful examination of the facts and the development of a 
holistic consumer privacy policy framework that all participants in the 
online behavioral advertising sphere can and will adopt.
    Your interest in these matters surely is warranted. Online 
advertising fuels investment and innovation across a wide range of 
Internet activities, and provides the revenue that enables consumers to 
enjoy many free and discounted services. Likewise, website publishers 
make most of their money from advertising, which revenue in turn funds 
today's vast wealth and diversity of Internet content and information--
most of which consumers enjoy, again, for free. On the other hand, 
online advertising, especially next-generation forms of highly targeted 
behavioral advertising that involve tracking consumer web browsing and 
search activities, raise important consumer-privacy concerns that 
policymakers and industry must carefully weigh. In short, setting 
proper policy in this area will be crucial to a healthy and growing 
Internet ecosystem that benefits consumers.
    AT&T does not today engage in online behavioral advertising, but we 
understand the uniquely sensitive nature of this practice. We have 
listened to our customers and watched the debate unfold, and are 
responding by advocating for a consumer-focused framework. As described 
in more detail herein, the pillars of this framework--transparency, 
consumer control, privacy protection, and consumer value--can be the 
foundation of a consistent regime applicable to all players in the 
online behavioral advertising sphere--including not just Internet 
Service Providers (``ISPs''), but also search engines and third party 
advertising networks--that both ensures that consumers have ultimate 
control over the use of their personal information and guards against 
privacy abuses.\1\
---------------------------------------------------------------------------
    \1\ The policy framework that AT&T proposes here is informed by and 
should complement the Online Behavioral Advertising Self-Regulatory 
Principles issued by staff of the Federal Trade Commission in December 
of last year. Online Behavioral Advertising: Moving the Discussion 
Forward to Possible Self-Regulatory Principles, available at http://
www.ftc.gov/05/2007/12/P85900stmt.pdf.
---------------------------------------------------------------------------
    In particular, we believe that effective customer control for 
online behavioral advertising requires meaningful consent and therefore 
commit that AT&T will not use consumer information for online 
behavioral advertising without an affirmative, advance action by the 
consumer that is based on a clear explanation of how the consumer's 
action will affect the use of her information. This concept--often 
generically referred to as ``opt-in''--means that a consumer's failure 
to act will not result in any collection and use by default of that 
consumer's information for online behavioral advertising purposes. This 
affirmative consent model differs materially from the default-based 
privacy policies that advertising networks and search engines--which 
already are engaged in online behavioral advertising--currently employ. 
Given the obvious consumer benefits of such a model, we encourage all 
companies that engage in online behavioral advertising--regardless of 
the nature of their business models or the technologies they utilize--
likewise to adopt this affirmative-advance-consent paradigm.
What is Online Behavioral Advertising?
    There is no single, settled definition of online behavioral 
advertising in statute or case law, but the FTC and others have used 
the term to refer to it as the tracking of a consumer's web search and 
web browsing activities--by tracking either the person or a particular 
Internet access device, be it a computer, data-enabled mobile phone, or 
some other communications vehicle--to create a distinct profile of the 
consumer's online behavior. In this sense, it can clearly be 
distinguished from the simple practice of tracking a consumer's use of 
an individual website or obviously-related websites (such as those 
operated under a common trademark, trade name or conspicuously 
disclosed corporate affiliation), which practice does not necessarily 
raise the same privacy concerns as online behavioral advertising but 
which nonetheless can and should expressly be disclosed to Internet 
users. Privacy concerns about online behavioral advertising are not 
new--indeed, DoubleClick's (now a Google subsidiary) use of tracking 
cookies to collect and use information about consumer web browsing 
activity was the subject of an FTC proceeding in 2000.\2\ More 
recently, the FTC and Congress have appropriately asked questions about 
the privacy implications of emerging online advertising businesses that 
involve the tracking of consumer web browsing and search activity. 
Thus, consistent with the focus of recent public discussion, we 
consider online behavioral advertising to be: (1) the tracking of user 
web browsing and search activity across unrelated websites, (2) when 
the tracking and association of the websites or their components are 
largely invisible to the user, and (3) the resulting information is 
used to create a distinct user profile and deliver targeted advertising 
content.
---------------------------------------------------------------------------
    \2\ Letter from Joel Winston, Acting Associate Director, Division 
of Financial Practices, Bureau of Consumer Protection, Federal Trade 
Commission, to ChristineVarney, Hogan & Hartson, Re: DoubleClick Inc. 
(Jan. 22, 2001)(memorializing closure of FTC staff investigation).
---------------------------------------------------------------------------
    Online behavioral advertising can take many forms. It can, for 
instance, involve the use by an ISP of technologies to capture and 
analyze a user's Internet browsing activities and experience across 
unrelated websites. These more ISP-specific methodologies are not, 
however, the only--and certainly are not nearly the most prevalent--
forms of online behavioral advertising. Advertising-network 
technologies have evolved beyond solely tracking consumer web surfing 
activity at sites on which they sell advertising. They now also have 
the ability to observe a user's entire web browsing experience at a 
granular level. Techniques include the ad network ``dropping'' third-
party tracking ``cookies'' on a consumer's computer to capture consumer 
visits to any one of thousands of unrelated websites; embedding 
software on PCs; or automatically downloading applications that--
unbeknownst to the consumer--log the consumer's full session of 
browsing activity.
    Ad networks and other non-ISPs employ these capabilities at the 
individual browser or computer level and they are as effective as any 
technique that an ISP might employ at creating specific customer 
profiles and enabling highly targeted advertising. Already ad networks 
and search engines track and store a vast trove of data about 
consumers' online activities. Google's practices exemplify the already 
extensive use of online behavior advertising, particularly by nonISPs. 
Google logs and stores users' search requests, can track the search 
activity by IP address and a cookie that identifies the user's unique 
browser, and can even correlate search activities across multiple 
sessions, leading to the creation of a distinct and detailed user 
profile. Through DoubleClick, Google can drop tracking cookies on 
consumers' computers so that whenever the consumer visits websites that 
contain a display ad placed by DoubleClick (which can be for virtually 
any product or service), the consumer's web browsing activity can be 
tracked across seemingly unrelated sites (e.g., CNN.com or ESPN.com). 
Google further has access to enormous amounts of personal information 
from its registered users, which its privacy policy expressly confirms 
can be combined with information from other Google services or third 
parties for the ``display of customized content and advertising.'' And 
it even scans e-mails from nonGmail subscribers sent to Gmail 
subscribers for contextual advertising purposes.
    Thus, if anything, the largely invisible practices of ad-networks 
and search engines raise at least the same privacy concerns as do the 
online behavioral advertising techniques that ISPs could employ, such 
as deep-packet-inspection, which have application beyond mere targeted 
advertising, including managing network congestion, detecting viruses 
and combating child pornography. In short, the privacy and other policy 
issues surrounding online behavioral advertising are not technology-
specific. The relevant touchstones are the manner in which consumer 
information is tracked and used, and the manner in which consumers are 
given notice of and are able to consent to or prohibit such practices. 
Those factors are entirely technology-neutral.
AT&T's Approach to Online Behavioral Advertising
    AT&T does not today engage in online behavioral advertising.\3\ 
This is not because AT&T sees no value in this next-generation form of 
online advertising. Indeed, if done properly, online behavioral 
advertising could prove quite valuable to consumers and could 
dramatically improve their online experiences. We do, however, believe 
it is essential to include strong privacy protections in the design of 
any online behavioral advertising program, which is why we will 
initiate such a program only after testing and validating the various 
technologies and only after establishing clear and consistent methods 
and procedures to ensure the protection of, and ultimate consumer 
control over, consumer information. We further intend to work with 
privacy advocates, consumer privacy coalitions and fellow industry 
participants in a cooperative, multifaceted effort that we trust can 
and will lead to a predictable consumer driven framework in this area. 
In any event, if AT&T deploys these technologies and processes, it will 
do so the right way.
---------------------------------------------------------------------------
    \3\ AT&T does engage in some of the more ordinary and established 
aspects of online advertising. Like virtually every entity with a 
retail Internet presence, AT&T tracks usage on its own websites, such 
as att.com, in order to improve the online experience, optimize a 
particular site's capabilities and ease-of-use, and provide the most 
useful information to consumers about AT&T's products and services. In 
addition, like thousands of other businesses that operate websites, 
AT&T does business with advertising networks and has partnered with 
providers of online search. For example, on the AT&T broadband Internet 
access portal, AT&T makes space available for advertising provided by 
the Yahoo! advertising network, and users of the portal may be shown 
advertising that is based on their activity across sites signed up to 
the Yahoo! advertising network. Also by way of example, we have 
arranged for the Google search box to appear on our my.att.net site. In 
this regard, then, we are no different than any other website 
publisher.
---------------------------------------------------------------------------
    Against this backdrop, AT&T has already listened closely to its 
customers and will adopt meaningful and flexible privacy principles 
that will guide any effort to engage in online behavioral advertising. 
We summarize this framework as follows:

   Transparency: Consumers must have full and complete notice 
        of what information will be collected, how it will be used, and 
        how it will be protected.

   Consumer Control: Consumers must have easily understood 
        tools that will allow them to exercise meaningful consent, 
        which should be a sacrosanct precondition to tracking online 
        activities to be used for online behavioral advertising.

   Privacy protection: The privacy of consumers/users and their 
        personal information will be vigorously protected, and we will 
        deploy technology to guard against unauthorized access to 
        personally identifiable information.

   Consumer Value: The consumer benefits of an online 
        behavioral advertising program include the ability to receive a 
        differentiated, secure Internet experience that provides 
        consumers with customized Internet advertisements that are 
        relevant to their interests. But we think the future is about 
        much more than just customized advertising. Consumers have 
        shown that in a world of almost limitless choices in the 
        content and services available on the Internet, they see great 
        value in being able to customize their unique online 
        experience. That is the ultimate promise of the technological 
        advances that are emerging in the market today.
Call to Action
    We believe these principles offer a rational approach to protecting 
consumer privacy while allowing the market for Internet advertising and 
its related products and services to grow. But, in order for consumers 
truly to be in control of their information, all entities involved in 
Internet advertising, including ad networks, search engines and ISPs, 
will need to adhere to a consistent set of principles. A policy regime 
that applies only to one set of actors will arbitrarily favor one 
business model or technology over another and, more importantly, 
represent only a partial and entirely unpredictable solution for 
consumers. After all, consumers do not want information and control 
with respect to just a subset of potential online advertising or the 
tracking and targeting that might underlie those ads. Thus, we urge all 
entities that engage in online behavioral advertising--including 
especially those who already engage in the practice--to join AT&T in 
committing to a policy of advance, affirmative consumer consent.

    Senator Dorgan. Ms. Attwood, thank you very much for your 
testimony.
    Next, we will hear from Mr. Peter Stern who is the Chief 
Strategy Officer for Time Warner Cable. Mr. Stern, you may 
proceed.

   STATEMENT OF PETER STERN, EXECUTIVE VICE PRESIDENT, CHIEF 
              STRATEGY OFFICER, TIME WARNER CABLE

    Mr. Stern. Good morning, Mr. Chairman, Members of the 
Committee. My name is Peter Stern. I am Executive Vice 
President and Chief Strategy Officer at Time Warner Cable.
    I am pleased to testify before you today and appreciate 
this Committee's diligent effort to grapple with the complex 
and still-evolving Internet advertising marketplace and to 
assess its impact on consumer privacy.
    Presently, Time Warner Cable does not engage in targeted 
Internet advertising as an ISP or as a Website operator.
    If Time Warner Cable decides to engage in such activities, 
our customers' privacy will be a fundamental consideration. The 
protection of subscriber privacy is not only important as a 
matter of public policy. Our ability to succeed depends on 
winning and retaining the trust of our customers. Accordingly, 
we support a framework that would provide consumers with the 
opportunity to affirmatively consent to receive online targeted 
advertising.
    We believe that achieving and sustaining our subscribers' 
trust requires adhering to a privacy framework that addresses 
four principles: first, giving customers control; second, 
providing transparency and disclosure; third, safeguarding 
personal information; and fourth, providing customers with 
value.
    Let me also add, however, that any such framework can only 
truly protect the privacy interests of consumers if it is 
universally adopted by all providers of targeted online 
advertising. Quite simply, it makes no difference to a consumer 
whether a targeted online ad is based on data collected by an 
ISP, an ad network, or an applications provider. A framework 
that leaves any provider uncovered would leave all users 
unprotected. In addition, common rules are the only way to 
ensure all businesses can compete on a level playing field.
    Let me elaborate briefly on the four principles I have 
mentioned.
    First, customer control means consumers will be able to 
exercise affirmative consent before having their online 
activities collected and used for targeted online advertising. 
Internet subscribers that decline to consent or fail to act 
should not have their online activities tracked or used for 
targeted online advertising. Control also means that the 
consent mechanism should be easy to use. Customers should be 
free to change their election at any time, and their election 
will remain in effect unless they change it.
    Second, transparency and disclosure means ensuring that a 
customer's consent to targeted online advertising is informed. 
This means giving Internet users clear and timely notice 
regarding what is collected, how it is used, and what consumers 
need to do if they do not want to participate. And by this, we 
do not mean fine print. We mean prominent and plain English.
    Third, safeguarding information means preventing 
unauthorized access to customers' personal information. It also 
means preventing disclosure or sale of such information to 
third parties absent consent of the customer.
    Last, providing value means offering targeted online 
advertising in a manner that enhances the Internet experience 
for consumers. Instead of a barrage of irrelevant ads, 
consumers can receive ads tailored to reflect their interests. 
Targeted online advertising can also be used to protect 
consumers from seeing ads they do not want. Advertising can be 
a public good when it educates consumers about relevant 
choices.
    Most companies that provide services on the Internet are 
presently under no obligation to disclose or obtain consent for 
the collection and use of consumers' online information. While 
some provide disclosure and give consumers the ability to opt 
out, this falls short of the principle of consumer control I 
have articulated.
    Therefore, Time Warner Cable believes that the four 
principles I have outlined should serve as a policy framework 
that would apply to all companies involved in targeted online 
advertising. Time Warner Cable stands ready to work with this 
Committee and other stakeholders to help foster the development 
and implementation of such a framework.
    I thank the Members of this Committee for the opportunity 
to appear before you today on this important issue, and I would 
be happy to answer any questions you might have.
    [The prepared statement of Mr. Stern follows:]

     Prepared Statement of Peter Stern, Executive Vice President, 
               Chief Strategy Officer, Time Warner Cable
    Good morning, Mr. Chairman, Members of the Committee, my name is 
Peter Stern. I am Executive Vice President and Chief Strategy Officer 
at Time Warner Cable, where I am responsible for strategy and planning, 
including for our Road Runner high-speed online service.
    I am pleased to testify before you today and appreciate this 
Committee's diligent effort to grapple with the complex and still-
evolving Internet advertising marketplace and to assess its impact on 
consumer privacy.
    Presently, Time Warner Cable does not engage in targeted Internet 
advertising as an ISP or as a website operator.
    Should Time Warner Cable decide to engage in such activities, our 
customers' privacy will be a fundamental consideration. The protection 
of subscriber privacy is not only important as a matter of public 
policy, but it is also central to the success of our business. The 
bedrock foundation of our business is our relationship with our 
subscribers. We operate in a highly competitive marketplace, and our 
ability to succeed depends on winning and retaining the trust of those 
customers. Accordingly, we support a framework that would provide 
consumers with the opportunity to affirmatively consent to receive 
online targeted advertising.
    In the context of targeted online advertising, we believe that 
achieving and sustaining our subscribers' trust requires adherence to a 
privacy framework that addresses four principles: first, giving 
customers control; second, providing transparency and disclosure; 
third, safeguarding personal information; and fourth, providing 
customers with value.
    Let me also add, however, that we strongly believe that any such 
framework can only truly protect the privacy interests of consumers if 
it is universally adopted by all providers of targeted online 
advertising, including ad networks, application providers and ISPs. 
Quite simply, it makes no difference to a consumer whether a targeted 
online ad is based on data collected by an ISP, an ad network or an 
applications provider. A framework that leaves any provider uncovered 
would leave all users unprotected. In addition, a common set of rules 
protecting consumer privacy is the only way to ensure that all 
businesses that provide online advertising can compete and innovate on 
a level playing field.
    Before I go any further, allow me to clarify our definition of 
targeted online advertising for the purposes of applying the framework 
I described. At Time Warner Cable, we define it as displaying different 
online ads to a consumer based on that consumer's behavior on unrelated 
websites. So, if ads are delivered to a consumer based on that 
consumer's particular history of visits to multiple unrelated websites, 
that's targeted online advertising.
    On the other hand, delivering relevant ads to a consumer based on 
their behavior on an individual website (or group of related websites) 
is not targeted online advertising. For example, if you go to Apple's 
website and search for an iPod, and Apple delivers ads and promotions 
for iPods while you are still on the Apple website, that's not targeted 
online advertising. That's being responsive to what you asked for, when 
and where you wanted it. It becomes targeted online advertising, 
however, if this information is retained in order to deliver ads for 
iPods and other portable music players while you are visiting unrelated 
websites.
    Let me elaborate briefly on the four principles I've mentioned.
    First, customer control means consumers will be able to exercise 
affirmative consent to having their activities collected and used for 
targeted online advertising. Internet subscribers that decline to 
consent or fail to act should not have their online activities tracked 
or used for targeted online advertising. Control also means that the 
consent mechanisms should be easy to use, to ensure that customers are 
free to change their election at any time, and that their election will 
remain in effect unless they change it.
    Second, transparency and disclosure means ensuring that a 
customer's consent to targeted online advertising is informed. This 
means giving Internet users clear and timely notice regarding what type 
of online usage information is tracked and collected, how that 
information is used to provide targeted online advertising, and what 
steps consumers can take should they decline to participate. And by 
this, we don't mean fine print. We mean prominent and plain English.
    Third, safeguarding personal information means preventing 
unauthorized access to customers' personal information. It also should 
mean preventing disclosure or sale of such information to third parties 
absent consent of the customer. We also believe that policymakers and 
the public should continue to discuss whether there are categories of 
particularly sensitive information, such as personal medical 
information, that should be entirely off limits to targeted online 
advertising or subject to special controls.
    Last, providing value means offering targeted online advertising in 
a manner that enhances the Internet experience for consumers. Time 
Warner Cable firmly believes that targeted online advertising can 
benefit consumers. Instead of a barrage of irrelevant ads, subscribers 
can receive information about services and offerings tailored to 
reflect their interests. Targeted online advertising can also be used 
to protect consumers from seeing ads they don't want. Advertising can 
be a public good, when it educates consumers about relevant choices. 
Properly implemented, technology can help advertising achieve this 
potential, possibly even increasing the number of ads consumers want to 
see.
    In addition, targeted online advertising provides important 
benefits for advertisers and providers of Internet applications and 
services. Revenues from such advertising can offset the costs of 
providing services to consumers, and can allow businesses to offer 
services at discounts or even without direct payment from end users. In 
this manner, targeted online advertising can deliver value to consumers 
while helping to preserve and promote access to and enjoyment of the 
rich diversity of the Internet.
    Most companies that provide services on the Internet are presently 
under no obligation to disclose, or obtain consent for, the collection 
and use of consumers' online usage information. And in the case of some 
of the largest ad networks and applications providers, the amount of 
information such companies possess about consumers dwarfs that obtained 
by ISPs.
    It is certainly true that many providers of targeted online 
advertising already voluntarily disclose the extent to which they 
collect and use data about consumers. And some may also provide 
consumers the ability to ``opt out'' of participating in such an 
arrangement. But the extent of such disclosure varies greatly and is 
often opaque; and the process for opting out can be complicated, and in 
any case falls short of the principle of consumer control I have 
articulated.
    Therefore, Time Warner Cable believes that the four principles I 
have outlined--customer control, transparency and disclosure, 
safeguarding personal information, and providing value--should serve as 
the cornerstone of a uniform policy framework that would apply to all 
companies involved in targeted online advertising. Time Warner Cable 
stands ready to work with this Committee and other stakeholders to help 
foster the development and implementation of such a framework.
    I thank the Members of this Committee for the opportunity to appear 
before you today on this important issue, and I would be happy to 
answer any questions you might have.

    Senator Dorgan. Mr. Stern, thank you very much for being 
with us.
    Next, we will hear from Mr. Tom Tauke, the Executive Vice 
President of Public Affairs, Policy and Communications at 
Verizon Communications. Mr. Tauke, you may proceed.

                 STATEMENT OF THOMAS J. TAUKE, 
               EXECUTIVE VICE PRESIDENT, VERIZON

    Mr. Tauke. Verizon is not engaged in behavioral 
advertising, but we are very much aware of the concerns that 
have been expressed by consumers and this Committee about some 
of the practices that other Internet players are engaged in to 
send targeted advertising to consumers. Therefore, we have 
focused attention within Verizon on what policies and practices 
related to online advertising we should follow to keep faith 
with our own customers. And we've looked at what practices 
would work for the entire on-line industry.
    Perhaps it would be useful if I just outlined the framework 
of our thinking.
    First, we focused on the consumer and tried to look at the 
issue from his or her perspective. It seemed clear to us that 
consumers want information so they know what is going on. They 
want to be in control of their online experience, and they want 
to be able to choose whether or not their online usage is 
tracked and used to send them targeted advertising.
    Second, we concluded that any policy governing online 
advertising should be centered around the notion of meaningful 
consent by the consumer. We had a lot of discussion about opt 
in and opt out. We concluded that those terms are not 
particularly meaningful in the online world. Most consumers, I 
suspect, are like me. We are trying to do something online. The 
screen pops up. We hit ``OK'' or ``continue'' and move on, not 
really aware of what we just opted into.
    So we focused on the concept of meaningful consent and what 
that means. Our sense is that meaningful consumer consent in 
this context requires three elements.
    One, transparency. That means conspicuous and clearly 
explained disclosure to consumers about what types of data are 
collected for what purposes and how it will be used.
    Affirmative choice is the second principle. With knowledge 
of what they are choosing, consumers would have to 
affirmatively act, affirmatively agree to permit tracking of 
their online activity.
    And third, consumer control. Consumers should have the 
ongoing ability to change their choice.
    Senator Dorgan, you put this pretty well in a previous 
hearing on this issue when you talked about a consumer going 
into the mall. I believe it was your daughter. If you walk into 
the store and the store keeps track of what you are doing and 
buying so they can bill you at the end, you know, you probably 
think that is OK. And if you do not like it, you walk out. But 
if someone starts following you around the mall tracking your 
activity from store to store, you would feel pretty uneasy 
about that, I suspect, unless you had invited them along.
    Using that analogy, what we believe is that before anyone 
follows a consumer around online to target them for 
advertising, that the consumer must know what is going on, must 
make an affirmative choice to permit that activity, and should 
be able to turn around at any time and say, I do not want you 
following me around anymore.
    We have been talking to other companies engaged in online 
services, and we believe that there is a lot of support, as 
evidenced here today, for the recommendations we are making in 
the testimony I submitted to the Committee. Really, everyone 
should embrace policies that put the consumer in control of the 
online experience, and from consumers' perspective, it really 
does not matter who is doing the behavioral advertising, 
whether it is companies providing their browser or their search 
engine, their access, or any other online service. All online 
players should protect the privacy of online users.
    The advertising industry, importantly, also appears to be 
interested in establishing a set of consistent best practices. 
That industry has a pretty good record of self-policing, with 
the Federal Trade Commission helping ensure that the 
advertising industry's best practices are enforced to protect 
consumers.
    With that model in mind, we are reaching out to the online 
industry to see if we can develop a set of best practices for 
online advertising that will protect consumers. And we will 
work with this Committee and other interested organizations to 
figure out how we can make sure the consumers feel secure and 
in charge when they are online, that the rapidly advancing 
communications and information processing technology is used to 
enhance consumers' online experience, not spoil it, and that 
the Internet continues to open new worlds of opportunities for 
each of us.
    Thank you very much.
    [The prepared statement of Mr. Tauke follows:]

   Prepared Statement of Thomas J. Tauke, Executive Vice President, 
                                Verizon
    Chairman Inouye, Ranking Member Hutchison and Members of the 
Committee: thank you for the opportunity to discuss the important 
concerns and perspectives surrounding consumer privacy in the area of 
online advertising.
    Today, more than 60 million American homes are connected to the 
Internet via broadband, and the wide range of content, services, and 
applications online--most offered for free--draws more people online 
every day.
    While Verizon does not rely on online advertising as a significant 
source of revenue, we recognize that it has been a key business model 
that has helped make the Internet a growth engine for the U.S. economy.
    Yet, using consumers' web-surfing data to foster targeted online 
advertising raises complex and important issues surrounding online 
privacy. Consumers and policymakers want to understand what personal 
information is being collected and used for advertising purposes. They 
want to know what privacy and consumer protections are in place, and 
what choices are available to participate--or not--in behavioral 
advertising models.
    In a rapidly changing and innovative environment like the Internet, 
maintaining consumer trust is essential. It is critical that consumers 
understand what forms of targeted online advertising their service 
providers and favorite websites employ. If certain practices cause 
consumers to believe that their privacy will not be protected, or their 
preferences won't be respected, they will be less likely to trust their 
online services, and the tremendous power of the Internet to benefit 
consumers will be diminished. So, maintaining consumer trust in the 
online experience is critical to the future success of the Internet.
    With that in mind, let me begin by describing the online 
advertising techniques Verizon uses today over its wireline networks.
    Verizon's online advertising involves the practices commonly 
accepted throughout the Internet, such as the use of cookies or ad 
delivery servers to provide advertising that is limited to users of 
Verizon's own services or websites. We also provide ad-supported search 
results to help consumers find the websites they are looking for when 
they mistype an address. These practices, which are neither new nor 
unique, improve consumers' interaction with our websites and services, 
and increase the relevance of the advertising displayed to our 
customers or to visitors of our sites.
    One technology that has received attention of late is ``packet 
inspection.'' To be clear, Verizon has not used--and does not use--
packet inspection technology to target advertising to customers, and we 
have not deployed the technology in our wireline network for such 
purposes.
    Packet inspection can be a helpful engineering tool to manage 
network traffic and enable online services and applications consumers 
may wish to use. The perceived problem with ``packet inspection'' is 
not the technology. Many useful technologies can be used for nefarious 
purposes. The problem arises if packet inspection is used to 
inappropriately track customers' online activity without their 
knowledge and consent and invade their personal privacy.
    In fact, any technology that is used to track and collect consumer 
online behavior for the purposes of targeted advertising--regardless of 
which company is doing the collecting--should only be used with the 
customer's knowledge and consent in accordance with the law, a 
company's specific privacy policies, and the privacy principles 
outlined below.
    Protecting our customers' privacy has long been, and will continue 
to be, a priority at Verizon. We are committed to maintaining strong 
and meaningful privacy protections for consumers in this era of rapidly 
changing technological advances. We are strong proponents of 
transparency and believe that consumers are entitled to know what kinds 
of information we collect and use, and should have ready access to 
effective tools that allow them to control the use of that information.
    At Verizon we have worked to craft--and communicate to our 
customers--responsible policies aimed at protecting online privacy.
    We can commit--and believe that all companies should commit--to a 
set of best practices in the area of online behavioral advertising. The 
principles and best practices should apply to all online companies 
regardless of their technology or the platform used. The principles 
underlying the consumer protection practices we support are these:
    First, meaningful consent.
    Verizon believes that before a company captures certain Internet-
usage data for targeted or customized advertising purposes, it should 
obtain meaningful, affirmative consent from consumers. Meaningful 
consent requires: (1) transparency, (2) affirmative choice, and (3) 
consumer control.
    Transparency involves conspicuous, clearly explained disclosure to 
consumers as to what types of data are collected and for what purpose 
that data is being used, how that data is retained and for how long, 
and who is permitted access to the data.
    Consumers would then be able to use these clear explanations to 
make an affirmative choice that their information can be collected and 
used for online behavioral advertising. Importantly, a consumer's 
failure to consent should mean that there is no collection and use of 
that consumer's information for online behaviorally targeted 
advertising based on tracking of the consumer's Internet usage.
    Finally, consumer control means that consumers have an ongoing 
opportunity to make a different choice about behavioral advertising. In 
other words, should consumers at some later time choose not to 
participate in the behavioral advertising, there are equally clear and 
easy-to-use instructions to make that change. That preference should 
remain in effect unless and until the consumer changes it.
    Second, security practices.
    Any company engaged in tracking and collecting consumer online 
behavioral information must have appropriate access, security, and 
technological controls to guard against unauthorized access to any 
personal information.
    Third, safeguards for sensitive information.
    Special attention must be given to the protection of information of 
a sensitive nature (e.g., accessing medical websites). This information 
should not be collected and used for online behavioral advertising 
unless specific, affirmative consent, and customer controls are in 
place to limit such use. Specific policies may be necessary to deal 
with this type of information.
    Consistent with our long-standing policies and practices, Verizon 
also believes that the content of communications, such as e-mail, 
instant messages, or VoIP calls, should not be used, analyzed, or 
disclosed for purposes of Internet-based targeted advertising.
    Fourth, certification.
    It is critical that all participants in online advertising--ad 
networks, publishers, search engines, Internet service providers, 
browser developers and other application providers--commit to these 
common sense principles and best practices through a broad-based, third 
party coalition. To achieve this, we plan to work with stakeholders in 
the Internet and advertising arenas, including other companies, 
industry groups and policy organizations.
    The focus of this coalition and the principles should be the 
protection of consumers, not the technology or applications that happen 
to enable the data collection. Widespread and uniform adoption of 
principles will greatly enhance the public trust, address expressed 
privacy concerns regarding web tracking practices, and serve as a 
foundation for further discussion with policymakers and consumer 
groups.
    We believe that companies engaged in online behavioral advertising 
should agree to participate in a credible, third-party certification 
process to demonstrate to consumers that they are doing what they say 
with regard to the collection and use of information for online 
behavioral advertising. This process would confirm that companies are 
complying with and respecting consumers' expressed choices regarding 
such data collection.
    We believe a framework such as this is a rational approach that 
protects consumer privacy, while allowing the market for Internet 
advertising and its related products and services to grow.
    Should a company fail to comply with these principles, we believe 
the Federal Trade Commission has authority over abuses in the privacy 
area and can take appropriate measures against companies that 
intentionally violate applicable consumer protection laws.
    We hope to use the next few months to work with all players in the 
Internet space to create and agree to live by industry best practices 
for online advertising.
    Thank you.

    Senator Dorgan. Mr. Tauke, thank you very much for your 
testimony.
    Finally, we will hear from Ms. Gigi Sohn, the President and 
Co-Founder of Public Knowledge. Ms. Sohn, you may proceed.

             STATEMENT OF GIGI B. SOHN, PRESIDENT, 
                        PUBLIC KNOWLEDGE

    Ms. Sohn. Senator Dorgan, Members of the Committee, thanks 
for giving me the opportunity today to testify on behalf of 
Internet users.
    I would like to focus my comments on the growing use of 
technologies known as deep packet inspection, or DPI.
    The use of DPI technology has serious implications for the 
privacy rights of Americans. Public Knowledge, in partnership 
with Free Press, has been analyzing these technologies and 
their impact on both privacy and an open Internet. Our 
organizations published a white paper entitled NebuAd and 
Partner ISPs: Wiretapping, Forgery, and Browser Hijacking, 
which examined the technical and policy aspects of DPI. I 
applaud the Committee for its scrutiny of the use of these 
technologies.
    Simply put, DPI is the Internet equivalent of the Postal 
Service reading your mail. While a postal worker might read 
your mail for any number of reasons, the fact remains that your 
letter is being read by the very person whose job it is to 
deliver it.
    When you use the Internet for web browsing, e-mail, or any 
other purpose, the data you send and receive is broken up into 
small chunks called packets. These packets are wrapped in 
envelopes which, much like paper envelopes, contain addresses 
for both the sender and the receiver, though they contain 
little information about what is inside.
    Until recently, when you handed that envelope to your ISP, 
the ISP simply read the address, figured out where to send the 
envelope, and handed it off to the proper mail carrier.
    Now we understand that some ISPs are opening these 
envelopes, reading their contents, and keeping varying amounts 
of information about the communications inside for their own 
purposes. In many cases, ISPs are actually passing copies of 
the envelopes on to third parties who, in turn, read and make 
use of that information. For the most part, customers are not 
aware that their ISPs are engaging in this behavior. The end 
result is much like if the Postal Service were to open your 
letter, photocopy it, hand that copy to a third party, and then 
reseal the letter so that you would never know it had been 
opened in the first place.
    So far, we have seen ISPs like Comcast use DPI as a means 
to identify and block certain types of Internet traffic, in 
violation of the FCC's Internet policy statement. We have also 
seen advertising companies like NebuAd use DPI to collect 
browsing histories, online habits, and other potentially 
personal information about users in order to display 
advertisements targeted to a specific user's interests.
    The very nature of DPI raises grave privacy concerns.
    As a result, when evaluating an implementation of DPI, 
there are three basic questions that must be answered in order 
to assess both the impact on the user's privacy and the 
acceptability of the use of the technology in question. First, 
what purpose is the collected data being used for? Second, how 
is the data collected and utilized? Third, how is affirmative 
informed consent obtained?
    Given the power of DPI and the scope of its possible uses, 
it is critical that we establish industry guidelines and legal 
protections for users. And while the use of personal data by 
web service providers is not the focus of today's hearing, such 
uses raise separate, yet important privacy questions.
    Thus, any solution should strive to be comprehensive in 
scope and ensure that the basic principles of privacy 
protection are applied across the entire Internet ecosystem. 
These protections must ensure, first, that the purpose of the 
use of consumer data is one that is consistent with users' 
privacy expectations; second, that the amount and type of data 
collected is narrowly tailored to the proposed use and that the 
data is not kept or disseminated to third parties past what is 
necessary; and third, that customers have access to and 
actually receive adequate information about the proposed use 
and have affirmatively and actively consented to any practices 
that might violate their privacy expectations.
    To achieve these goals, Congress should pass legislation 
that encapsulates these requirements and makes clear that the 
FCC has the power to enforce them.
    Even though the Communications Act aims to provide 
comprehensive privacy protection for users of all 
communications technologies, gaps in the law have allowed the 
privacy of some Internet users to fall through the cracks. The 
time has now come to address these inequalities and guarantee 
the right to privacy for all Internet users.
    In closing, I want to make one extra comment about the 
legislation. I want to commend the ISPs to my right for 
adopting the principles they have announced today, 
transparency, control, privacy protection, consumer value. But 
the problem is that the ISPs that are not here are the ones 
that use NebuAd and the ones that told Representative Markey 
and Representative Barton that they thought that they were 
acting within the law. And that is why I believe you need 
comprehensive legislation to ensure that all ISPs and not just 
the good guys are protecting users' privacies.
    Public Knowledge is eager to work with the Committee to 
craft privacy legislation that will protect all Internet users.
    I look forward to your questions.
    [The prepared statement of Ms. Sohn follows:]

    Prepared Statement of Gigi B. Sohn, President, Public Knowledge
    Chairman Inouye, Ranking Member Hutchison and Members of the 
Committee, thank you for giving me the opportunity to testify about 
broadband providers and consumer privacy. I'd like to focus today on 
the growing use of the collection of technologies known as ``Deep 
Packet Inspection,'' or DPI, which has immense implications for the 
privacy rights of the American public. Over the past several months, 
Public Knowledge, in partnership with Free Press, has been analyzing 
these technologies and their impact on privacy and an open Internet. In 
June, our organizations published a white paper entitled NebuAd and 
Partner ISPs: Wiretapping, Forgery and Browser Hijacking, which 
examined the technical and policy aspects of DPI. I applaud the 
Committee for its continued scrutiny of the use of these 
technologies.\1\
---------------------------------------------------------------------------
    \1\ I would like to thank Public Knowledge's Equal Justice Works 
Fellow Jef Pearlman, Policy Analyst Mehan Jayasuriya, and Law Clerk 
Michael Weinberg for assisting me with this testimony.
---------------------------------------------------------------------------
I. Introduction
    Today's hearing on consumer privacy comes in the wake of two high-
profile online consumer privacy violations, both of which involved the 
use of Deep Packet Inspection (DPI) technology on an Internet Service 
Provider's (ISP) network.
    The first instance came to light in October 2007, when an 
Associated Press report revealed that Comcast was interfering with its 
customers' BitTorrent traffic.\2\ The report confirmed earlier tests 
conducted by independent network researcher Robb Topolski, who found 
that Comcast was analyzing its users' web traffic in order to determine 
the types of applications and protocols being used. The company then 
used a technique called ``packet spoofing'' to delay, degrade and in 
some cases, block traffic that was identified as being used for 
BitTorrent, a popular peer-to-peer file sharing protocol. Public 
Knowledge and Free Press filed a formal complaint with the FCC in 
November 2007, calling for the Commission to open a formal 
investigation into the ISP's practices.\3\
---------------------------------------------------------------------------
    \2\ See Associated Press article, `' Comcast blocks some Internet 
traffic", (October 19, 2007), available at http://www.msnbc.msn.com/id/
21376597.
    \3\ See Free Press and Public Knowledge, Formal Complaint of Free 
Press and Public Knowledge Against Comcast Corporation for Secretly 
Degrading Peer to Peer Applications, (November 1, 2007), available at 
http://www.publicknowledge.org/pdf/fp_pk_comcast_complaint.pdf 
[hereinafter Comcast Complaint].
---------------------------------------------------------------------------
    In January 2008, the FCC announced that it had opened a formal 
investigation into Comcast's blocking of BitTorrent traffic. This 
investigation concluded in August 2008 with the FCC upholding the 
Public Knowledge and Free Press complaint and reprimanding Comcast for 
its degradation of its users' traffic. In its ruling against 
Comcast,\4\ the FCC ordered the company to stop blocking BitTorrent 
traffic and to develop a new set of network management practices that 
did not violate the FCC's Broadband Policy Statement.\5\ In its letter 
of response to the FCC, Comcast confirmed that it had used DPI 
equipment from the Sandvine Corporation in order to identify and block 
BitTorrent traffic.\6\
---------------------------------------------------------------------------
    \4\ See Federal Communications Commission, Memorandum Opinion and 
Order (August 1, 2008), available at http://hraunfoss.fcc.gov/
edocs_public/attachmatch/FCC-08-183A1.pdf.
    \5\ See FCC, Policy Statement, (August 5, 2005), available at 
http://www.publicknowledge.org/pdf/FCC-05-151A1.pdf.
    \6\ See Comcast Corporation, Attachment A: Comcast Corporation 
Description of Current Network Management Practices, (September 19, 
2008), available at http://downloads.comcast.net/docs/
Attachment_A_Current_Practices.pdf.
---------------------------------------------------------------------------
    The second instance surfaced in May 2008, when it was revealed that 
various regional ISPs had contracted with Knobbed, a company that 
provided highly targeted behavioral advertising solutions using DPI 
equipment. In test deployments of this technology, all of the traffic 
traveling over an ISP's network was routed through a DPI appliance 
which collected data on specific users, including websites visited, 
terms searched for and services and applications used. This data was 
then sent to Knobbed, which in turn, used the data to create detailed 
user profiles. These profiles were used to display highly targeted 
advertisements, which were dynamically displayed to the user as he or 
she surfed the Web.
    In May 2008, Representatives Edward Markey (Chairman, Subcommittee 
on Telecommunications and the Internet) and Joe Barton (Ranking Member, 
Senate Committee on Energy and Commerce) sent a letter to Knobbed,\7\ 
asking the company to put its pilot tests on hold, pending an 
investigation into the company's practices. A coalition of 15 consumer 
advocacy and privacy groups publicly voiced their support for this 
letter and urged the Congressmen to continue their investigation of 
Knobbed and other behavioral advertising companies.\8\ In June 2008, 
Public Knowledge and Free Press released a technical analysis of 
Knobbed's behavioral advertising system, authored by networking 
researcher Robb Topolski.\9\ The report revealed that Knobbed and its 
partner ISPs repeatedly violated the privacy of users, with little or 
no notification that DPI equipment was being used. Following the 
release of the report, the House Committee on Energy and Commerce 
convened a hearing on the topic of DPI, wherein Knobbed CEO Bob Dykes 
was asked to testify.
---------------------------------------------------------------------------
    \7\ Representative Edward J. Markey and Representative Joe Barton, 
Letter to Neil Smit, President and CEO, Charter Communications (May 16, 
2008), available at http://markey.house.gov/docs/telecomm/
letter_charter_comm_privacy.pdf.
    \8\ Center for Democracy and Technology et al., Letter to 
Representatives Markey and Barton (June 6, 2008), available at http://
www.cdt.org/privacy/20080606markeybarton.pdf.
    \9\ See Public Knowledge and Free Press, Knobbed and Partner ISPs: 
Wiretapping, Forgery and Browser Hijacking (June 18, 2008) available at 
http://www.publicknowledge.org/pdf/nebuad-report-20080618.pdf.
---------------------------------------------------------------------------
    On August 1, 2008, the House Committee on Energy and Commerce 
followed up with a letter to 33 ISPs and software companies asking for 
details regarding how they were using DPI and whether and how they were 
disclosing those uses to their customers.\10\ As a result of the 
Congressional scrutiny, all of Knobbed's ISP partners, including WOW! 
(Wide Open West), CenturyTel, Charter, Bresnan and Embarq, have decided 
to put a hold on their test deployments with Knobbed. In September 
2008, Bob Dykes announced that he was leaving Knobbed and following his 
departure, the company announced that it was abandoning its behavioral 
advertising initiatives, in favor or more traditional advertising 
technologies.
---------------------------------------------------------------------------
    \10\ See John D. Dingell (Chairman, Senate Committee on Energy and 
Commerce), Joe Barton (Ranking Member, Senate Committee on Energy and 
Commerce), Edward J. Markey (Chairman, Subcommittee on 
Telecommunications and the Internet), Cliff Stearns (Ranking Member, 
Subcommittee on Telecommunications and the Internet), Letter to ISPs 
(Aug. 1, 2008), available at http://markey.house.gov/docs/telecomm/
letter_dpi_33_companies.pdf.
---------------------------------------------------------------------------
II. Deep Packet Inspection
    To put it simply, Deep Packet Inspection is the Internet equivalent 
of the postal service reading your mail. They might be reading your 
mail for any number of reasons, but the fact remains that your mail is 
being read by the people whose job it is to deliver it.
    When you use the Internet for web browsing, e-mail or any other 
purpose, the data you send and receive is broken up into small chunks 
called ``packets.'' These packets are wrapped in envelopes, which, much 
like paper envelopes, contain addresses for both the sender and the 
receiver--though they contain little information about what's inside. 
Until recently, when you handed that envelope to your ISP, the ISP 
simply read the address, figured out where to send the envelope in 
order to get it to its destination, and handed it off to the proper 
mail carrier.
    Now, we understand that more and more ISPs are opening these 
envelopes, reading their contents, and keeping or using varying amounts 
of information about the communications inside for their own purposes. 
In some cases, ISPs are actually passing copies of the envelopes on to 
third parties who do the actual reading and use. In others, ISPs are 
using the contents to change the normal ways that the Internet works. 
And for the most part, customers are not aware that their ISPs are 
engaging in this behavior--much like if the postal service were to open 
your letter, photocopy it, hand that copy to a third party and then re-
seal the letter, so that you would never know it had even been opened 
in the first place.
III. The Privacy Implications of DPI
    It should be clear that the very nature of DPI technology raises 
grave privacy concerns. An ISP, by necessity, sees every piece of data 
a user sends or receives on the Internet. In the past, ISPs had little 
incentive to look at this information and the related privacy concerns 
provided a strong deterrent against doing so. However, now that 
technology is widely available to make use of and monetize this 
information, companies are exploring the limits of what they can do 
permissibly.
    When evaluating an implementation of DPI technology, there are 
three basic questions that must be answered in order to assess both the 
impact on a user's privacy and acceptability of use of the technology 
in question:

        1. Purpose: What purpose is the collected data being used for?

        2. Collection: How is the data collected and utilized?

        3. Consent: How was affirmative informed consent obtained?

    An understanding of these questions can inform legislators and 
policymakers in the formation of policies, which will adequately 
protect users of Internet connections and services. The uses for DPI 
are myriad, and most raise serious privacy concerns, but each use 
should be measured individually against a comprehensive privacy policy.
    It is also important to note that there are two parties to any 
Internet communication. In almost all cases, the party on the other end 
of a user's line will have no meaningful ability at all to know what 
kind of monitoring is being employed by that user's ISP or what is 
being done with the collected data, and will have no opportunity at all 
to give or to deny consent. For example, if I send you an e-mail and my 
ISP is using DPI to read the contents of my e-mails, your privacy has 
just been violated without your knowledge or consent. Any comprehensive 
privacy policy that addresses technologies like DPI must take into 
account not only the privacy rights of an ISP's customers, but also 
those of anyone who communicates with these customers.
A. Purpose
    Given DPI's potential to be used as an intrusive tool, we must 
first ask why the user's traffic is being collected or analyzed at all. 
Is the use of DPI integral to the functioning of the network or is the 
technology simply being used to provide the ISP with an additional 
revenue stream? Does the technology in question primarily benefit the 
ISP's bottom line, or does it give direct benefits to the customer's 
use of the Internet? Is it used to protect users or the integrity of 
the network, or simply to offer new or improved additional services?
    Not all uses of DPI are inherently problematic. The first 
widespread uses of DPI were for security purposes: to stop malicious 
programs like viruses and worms from passing from one infected computer 
to another over the Internet. However, as seen in the recent complaint 
and decision against Comcast at the Federal Communications Commission 
(FCC), DPI can also be used to engage in impermissible, discriminatory 
network management practices. Taken to an extreme, we can even imagine 
a future where DPI is used to record and disseminate every single move 
a user makes on the Internet--from web browsing, e-mail and instant 
messaging to VoIP phone calls and video chats--to the ISP's own 
business advantage.
    Understanding the purpose of DPI use is the first step to 
understanding whether that use will violate a user's expectations of 
privacy.
B. Collection
    After we understand the purpose of a particular use of DPI, we can 
analyze how the data is collected and used toward that purpose. Is the 
user's data being collected by the ISP for its own use, or is it being 
passed to a third party with no connection to the user? Is all of the 
user's data collected, or a smaller subset of the data? Is the amount 
collected narrowly tailored to achieve the stated purpose, or broader 
than necessary, or is the amount of data actually used smaller than 
that collected?
    It is important to note here that we should evaluate both the 
amount of data which reaches the party using it, and the amount of that 
data which is used. This is because additional data that is sent to a 
third party provides more opportunity for abuse of user privacy--even 
if that third party later chose to discard some of the more personal 
information. For instance, even though companies like Knobbed may 
choose to ignore the personal medical records or e-mails of its 
partner's customers, they were provided the data to do exactly that. 
This problem is compounded by the fact that an ISP or partner must 
engage in DPI to even discover what type of data is being transmitted, 
thereby possibly violating the user's privacy before any decision is 
made regarding what is to be done with the data.
    It is also necessary to identify the ways in which the collected 
data might be tied to the user's actual identity. Is the data obtained 
using DPI explicitly tied to data obtained through other means--for 
example, the ISP's billing information, demographic information, or 
personal information stored on a third-party website? Can the collected 
data be later aggregated with this type of information? Will the data 
itself contain personally identifying information (PII), such as names, 
addresses, and credit card information submitted to websites? These 
questions are important because if the data in question contains PII or 
if it is later connected with other user data, the privacy implications 
are multiplied.
    Implicit in the data collection question are also questions about 
data storage. Is the collected data kept by the party using it? If so, 
for how long? Is it kept in its original, complete form, or in some 
type of summary? Is any PII kept with the stored data?
    Understanding what and how data is collected and how well that 
comports with the stated purpose of the collection is necessary to 
evaluating whether the collection will violate users' privacy 
expectations.
C. Consent
    No inspection of a user's data will be acceptable without that 
user's affirmative, informed consent or law enforcement obligations. To 
ensure this is obtained, we must evaluate both how users are notified 
of the ways in which their ISP and its partners intend to use DPI, and 
the method by which those users affirmatively consent (or decline to 
consent) to those uses. To do this, we must ensure that before a user's 
data is inspected, the user actually receives complete, useful 
information, and that the user knowingly and affirmatively assents to 
the stated uses.
    Are the answers to the above questions about purpose and collection 
accessible for users, and complete in the information they divulge? If 
any third parties are involved in the monitoring, are their identities 
provided for the user? Are the answers written so that the average user 
can make sense of them? Are the policies in question detailed in a 
place and manner that ensures that the user is likely to read them? Is 
the user actively notified of the presence of and changes to policies 
and monitoring activities, or are changes made to web pages and written 
into the Terms of Service--without any notification to the user? 
Without accurate and easily understandable information that a user is 
actually aware of, that user cannot make informed choices about how 
best to manage his or her privacy online.
    Finally, what is the process by which users agree (or decline to 
agree) to the use of these technologies? Are they subject to DPI before 
they receive meaningful notice of its use, or is the user required to 
take an affirmative action before his or her data is recorded or 
analyzed? Is the information and the action specific to the monitoring 
activities, or is it hidden in a larger ``Acceptable Use Policy,'' 
``End User License Agreement,'' or other document? Does the user have 
the meaningful ability to change his or her choice later? Is the user 
actively offered a periodic chance to withdraw consent, or is he or she 
only asked once? And is the option not to consent a real one, without 
crippling or disabling of the user's service as the only alternative?
    Without meaningful, informed, affirmative consent on the part of 
the user, personal data should not be used for any purpose that is not 
necessary to providing basic Internet service.
IV. ISP Disclosures
    In response to Chairman Dingell and Ranking Member Barton's letter, 
33 ISPs and software companies described whether and how they were 
using DPI and whether and how they were disclosing those uses to their 
customers.\11\ These responses are helpful in understanding how, to 
date, the above three questions have been answered unsatisfactorily.
---------------------------------------------------------------------------
    \11\ All 33 response letters are available at the House Energy and 
Commerce Committee's Subcommittee on Telecommunications and the 
Internet website at http://energycommerce.house
.gov/Press_110/080108.ResponsesDataCollectionLetter.shtml.
---------------------------------------------------------------------------
    Carriers that responded to the letter fell into two basic camps. 
The first group of ISPs did not employ Knobbed's services and did not 
use any similar DPI equipment. These ISPs generally had not deployed 
any technologies that could track individual users' browsing habits or 
correlate advertising information with personal information possessed 
by the ISP.\12\
---------------------------------------------------------------------------
    \12\ See, e.g., Response Letters of AT&T, Verizon, and Time-Warner.
---------------------------------------------------------------------------
    The second camp contained those ISPs who performed trials of or 
deployed third-party DPI-based behavioral advertising systems.\13\ 
Importantly, these ISPs generally did not inspect user data themselves, 
but passed it off to their partners for analysis. According to these 
ISPs, they were assured that measures were in place to ensure that 
those partners did not retain medical information, personal data, e-
mails, or other types of especially sensitive data.\14\ Also, all of 
these ISPs stated that they and Knobbed did not tie the tracked 
Internet data to personal customer data already known to the ISP 
(billing information, etc.).\15\
---------------------------------------------------------------------------
    \13\ See, e.g., Response Letters of WOW!, Charter Communications, 
Knology, and CenturyTel.
    \14\ See Response Letter of Charter Communications 2.
    \15\ See Response Letter of Knology 1.
---------------------------------------------------------------------------
    However, as a technical matter, the personal data embedded in a 
user's Internet communications was handed off to the ISP's partners, 
when the ISP itself is actually responsible for safeguarding its users 
data. In some cases, the identity of the partner was not divulged to 
the user. These partners had no direct interactions with the user, 
meaning that final control of what data was used and how rested not 
with the user or even the ISP, but with this third party. To return to 
the postal service analogy, it is as if the ISPs photocopied users' 
letters and handed these copies to third parties, who agreed to only 
write down which commercial products were mentioned in the letters, and 
not anything else that someone might consider sensitive. However, the 
decision as to what, exactly, should be considered `sensitive,' is not 
made by the user but rather, by this third-party company.
    Customer notification and consent varied from ISP to ISP, but there 
were significant trends. ISPs generally posted modified terms of 
service and often updated the `Frequently Asked Questions' section on 
their websites, but usually declined to directly contact users or call 
attention to the significance of the new service. Knology, for 
instance, updated their Customer Service Agreement on their website, 
which is presented to new users, but apparently made no other attempt 
to draw attention to the change.\16\
---------------------------------------------------------------------------
    \16\ See Response Letter of Knology 2.
---------------------------------------------------------------------------
    The level of detail in the disclosures also fell far short of the 
minimum that is necessary for customers to make an informed decision. 
For example, CenturyTel sent an e-mail informing users only that it had 
``updated its Privacy Policy concerning Internet Access Services'' and 
provided a web link to the updated policy.\17\ The policy in question 
stated only:
---------------------------------------------------------------------------
    \17\ Response Letter of CenturyTel 3. 18 Id. 3 (emphasis added).

        Online Advertising and Third-party Ad Servers.
        CenturyTel partners with a third party to deliver or facilitate 
        delivery of advertisements to our users while they are surfing 
        the Web. This delivery of advertisements may be facilitated by 
        the serving of ad tags outside the publisher's existing HTML 
        code. These advertisements will be based on those users' 
        anonymous surfing behavior while they are online. This 
        anonymous information will not include those users' names, e-
        mail addresses, telephone number, or any other personally 
        identifiable information. By opting out, you will continue to 
        receive advertisements as normal; except these advertisements 
        will be less relevant and less useful to you. If you would like 
        to opt out, click here or visit http://www.nebuad.com/privacy/
        servicesPrivacy.php.\18\
---------------------------------------------------------------------------
    \18\ Id. 3.

---------------------------------------------------------------------------
    A later letter sent out by CenturyTel stated the following:

        CenturyTel continually looks for ways to improve your overall 
        online experience. In that regard, we have enhanced our High-
        Speed Internet service by working with partners to provide 
        targeted, online advertising for your convenience and benefit. 
        Targeted, online advertising minimizes irrelevant or unwanted 
        ads that clutter your web pages. If you do not wish to receive 
        targeted, online advertisements, or if you would simply like 
        more information about CenturyTel's use of online advertising, 
        third-party ad servers and the measures you can take to protect 
        your privacy, please review our Privacy Policy by visiting 
        http://www.centurytel.com/Pages/PrivacyPolicy/#adv.\19\
---------------------------------------------------------------------------
    \19\ Id. 3-4.

    No mention is made at all of providing actual user data (let alone 
all of a user's packets) to third parties. Only a single mention of ads 
being ``based on those users' anonymous surfing behavior'' is offered 
in the first notice, and the second presents the service only as 
enhanced, ``targeted advertising for your convenience and benefit'' 
without mention of the methods involved to deliver said advertisements. 
It's worth noting that these examples are not unique to CenturyTel or 
even unusual; rather, they are indicative of the level of detail 
provided in many ISP notices. Such notices do not make clear to the 
user what is actually being done with the data they send and receive 
over the Internet. None of the ISPs appears to have required that a 
user take any affirmative action at all before having their data handed 
wholesale to a third party. Inaction or failure to read the notice was 
simply treated as an `opt-in'.
    It is important to note that nearly every ISP that responded 
mentioned that they run their own websites, and use traditional 
tracking methods such as cookies to observe and record the behavior of 
their customers on their sites, much like Google, Yahoo, Microsoft, and 
many other web service providers do. Likewise, many ISPs also use what 
is called a ``DNS redirect,'' which, rather than returning an error to 
a user's web browser when he or she types in an incorrect web address, 
redirects the user to another web page which may have related 
suggestions, advertisements, or other information.
    These non-DPI practices have privacy implications that overlap with 
the ones being discussed today, but which are different in kind and 
scope. It is the difference between you writing down what I tell you on 
the phone and my phone company recording my conversation with you 
because unlike my phone company, you cannot record what I've said on my 
phone calls to other people. Nonetheless, the privacy practices of and 
personal information available to application providers raise their own 
serious questions of legal policy, and any regulatory regime we 
consider must be comprehensive and attempt to ensure the protection of 
Internet users against privacy invasions from all such sources.
V. Current Law
    Independent analysis by the Center for Democracy and Technology 
suggests that although it is far from clear, despite ISP claims,\20\ 
past experiments with DPI and behavioral advertising of the type 
engaged in by Knobbed may run afoul of existing law. Critically, 
however, some of the laws in question might not apply if the ISP 
engaged in this behavior internally, instead of delegating 
responsibility to a third party.\21\ Thus, an ISP might legally be able 
to read and analyze all of its customers' communications as long as it 
does so itself--hardly an improvement in privacy.
---------------------------------------------------------------------------
    \20\ See Center for Democracy and Technology, An Overview of the 
Federal Wiretap Act, Electronic Communications Privacy Act, and State 
Two-Party Consent Laws of Relevance to the Knobbed System and Other 
Uses of Internet Traffic Content from ISPs for Behavioral Advertising, 
(July 8, 2008), available at http://www.cdt.org/privacy/
20080708ISPtraffic.pdf [hereinafter CDT Behavioral Advertising 
Overview].
    \21\ See id. at 6-9.
---------------------------------------------------------------------------
    It is extremely important to note that without apparent exception, 
every ISP that responded to Chairman Markey's letter concluded that 
both the tracking and opt-out mechanism were legal, or at the very 
least, were ``not unlawful or impermissible.'' \22\ One ISP even went 
so far as to claim that it ``offered customers easy-to-use opt-out 
mechanisms as recommended by the FTC.'' \23\ However, even the ``opt-
out'' method was questionable, as the act of opting out did not stop 
the delivery to and monitoring by the third-party partner but only the 
presentation of targeted ads and stored profiles.\24\
---------------------------------------------------------------------------
    \22\ Response Letter of CenturyTel 2-3 (Aug. 7, 2008). Cable One 
does describe their disclosures in their Acceptable Use Policies as 
``opt-in'' because the user must check and acceptance box, but this 
does not qualify as either an affirmative step specific to monitoring 
or a meaningful opportunity to deny consent, because the alternative is 
no Internet service at all. See Response Letter of Cable One 3 (Aug. 8, 
2008).
    \23\ Response Letter of Charter Communications 2 (Aug. 8, 2008) 
(emphasis added).
    \24\ Ryan Singel, Congressmen Ask Charter to Freeze Web Profiling 
Plan, Threat Level from Wired.com (May 16, 2008). See also Ryan Singel, 
Can Charter Broadband Customers Really Opt-Out of Spying? Maybe Not, 
Wired (May 16, 2008).
---------------------------------------------------------------------------
    Yet to date, no enforcement actions have been taken against a 
practice that is of significant concern to citizens and lawmakers 
alike. Regardless of whether or not the actions taken by ISPs are 
technically legal, the existing legal regime is clearly not effective 
at preventing such privacy violations. And if ISPs believe they can 
legally and profitably engage in this behavior with only a minimal 
effort made to notify and protect users, they will continue to do so.
    To the credit of the ISPs here today, several providers have made 
commitments to ensuring that there is transparency, affirmative 
consent, and ongoing control by customers. For example, Time-Warner's 
testimony suggests control, transparency, disclosure, and safeguarding 
personal information as principles on which to base a privacy 
framework. AT&T states that the company will not engage in behavioral 
advertising without affirmative, advance action by the consumer that is 
based on a clear explanation of how that information will be used. But 
while these are laudable principles and we applaud the carriers here 
today for their stated commitment to customer privacy, promises by 
individual ISPs are not enough and do not obviate the need for a 
comprehensive governmental policy.
    Part of the reason for the current lack of enforcement can be 
traced to ambiguity in the FCC's authority to protect the privacy of 
Internet users, despite the FCC's time-honored role in protecting the 
privacy of communications as a whole. Congress has long recognized that 
providers of communications services occupy an especially sensitive 
position in society. As data conduits, communications services are 
uniquely positioned to track customers and collect information about 
their daily lives. The Communications Act, which created the FCC, 
contains provisions designed to protect the privacy of telephone and 
cable customers. But those same protections have yet to be 
unambiguously extended to Internet customers. As a result, customers 
cannot be confident that their sensitive information is protected from 
unwanted intrusion. In a society where Internet services are 
increasingly used to transmit personal and sensitive information, this 
is clearly problematic.
    Section 222 of the Communications Act applies to the privacy of 
customer information collected by common carriers.\25\ The statute 
recognizes that ``individually identifiable consumer proprietary 
network information'' is created by, and critical to the functioning 
of, telecommunications services.\26\ However, the statute strictly 
limits the use of that information to applications that handle tasks 
like billing and the maintenance of network integrity.\27\ Carriers are 
allowed to provide aggregate consumer information to third parties, but 
this information must have both ``individual customer identities and 
characteristics'' removed.\28\ Viewed holistically, this section 
manifests a Congressional understanding that common carriers have 
access to sensitive personal information, and that common carriers have 
legitimate reasons to use that data. However, this understanding is 
balanced by strict prohibitions against any non-essential use or the 
disclosure of sensitive data.
---------------------------------------------------------------------------
    \25\ 47 U.S.C.  222.
    \26\ See 47 U.S.C.  222(c)(1).
    \27\ See 47 U.S.C.  222(d).
    \28\ See 47 U.S.C.  222(c)(3), (h)(2).
---------------------------------------------------------------------------
    Although many common carriers provide Internet services to 
consumers,\29\ such Internet services are not covered under Section 
222.\30\ As a result, plain old telephone customers can be confident 
that sensitive information contained in their phone records will be 
kept confidential, but they cannot enjoy the same level of confidence 
when it comes to sensitive information that Verizon might compile using 
their DSL Internet activity.
---------------------------------------------------------------------------
    \29\ See, e.g., Verizon, http://www.verizon.com/.
    \30\ See National Cable & Telecommunications Assn. v. Brand X 
Internet Services, 545 U.S. 967 (2005).
---------------------------------------------------------------------------
    Section 631 of the Communications Act also marks an attempt by 
Congress to protect the privacy of consumers, this time from cable 
system operators. Again, the statute recognizes the fact that operators 
will need to collect and use some personally identifiable information 
in order to operate their systems. However, these operators are 
required to obtain written permission from consumers in order to 
collect any personally identifiable information that is not crucial to 
the operation of the system.\31\ Additionally, operators are required 
to obtain prior written or electronic consent before disclosing any 
personally identifiable information.\32\ The statute does not impose 
these same protections on aggregate data that does not identify a 
particular customer,\33\ and allows an operator to disclose names and 
addresses of subscribers as long as that information is not tied to use 
or transactional information.\34\
---------------------------------------------------------------------------
    \31\ See 47 U.S.C.  551(b).
    \32\ See 47 U.S.C.  551(c)(1).
    \33\ See 47 U.S.C.  551(a)(2)(A).
    \34\ See 47 U.S.C.  551(c)(2).
---------------------------------------------------------------------------
    As with Section 222, Section 631 specifically protects sensitive 
information that network operators are uniquely positioned to collect. 
However, unlike Section 222, which applies to phone customers but not 
Internet service customers, Section 631 is written to apply to both 
cable television subscribers and cable Internet subscribers.\35\
---------------------------------------------------------------------------
    \35\ See 47 U.S.C.  551(a)(2)(C)(ii).
---------------------------------------------------------------------------
    Unfortunately, not all customers access the Internet by way of a 
cable system. In addition to unprotected DSL service, customers can 
access the Internet via a fiber optic network, a satellite based 
service, or by using one of many wireless Internet standards. Instead 
of relying on old categories that may protect some (but certainly not 
all) consumers, Congress must recognize that all Internet service 
providers share the same privileged position of access to their users' 
personal data. As a result, Congress should collectively protect 
customers with legislation that specifically addresses all Internet 
service providers, rather than legislation that effectively forces 
customers to access the Internet via a single, protected pathway.
    The time has come for a comprehensive regulatory structure that 
will ensure that the privacy rights of all Internet users are 
protected, and one that, like the Telecommunications Act of 1996, 
``expands very important privacy protections to individuals in their 
relationships with these very large companies.'' \36\
---------------------------------------------------------------------------
    \36\ Statement of Congressman Edward Markey, 142 Cong. Rec. H1145-
06 (Feb. 1, 1996).
---------------------------------------------------------------------------
VI. Fixing the Law
    Given the power of the technology and the scope of possible uses, 
it is critical that we establish industry guidelines and legal 
protections for users. And while the use of personal data by 
application providers is not the focus of our discussion today, as 
discussed above, any solution should strive to be comprehensive in 
scope and ensure that the basic principles of privacy protection are 
applied across the entire Internet ecosystem. These protections should 
meet three major goals that parallel the privacy inquiries described 
above:

   They must ensure that the purpose of the use of customer 
        data is one which can be consistent with consumers' privacy 
        expectations.

   They must ensure that the amount and type of data collected 
        is narrowly tailored to the proposed use, and that the data is 
        not kept or disseminated to third parties past what is 
        necessary to that use.

   They must ensure that customers have access to and actually 
        receive adequate information about the proposed use, and have 
        affirmatively and actively consented to any practices which 
        could violate customers' expectations of privacy.\37\
---------------------------------------------------------------------------
    \37\ The FCC has already presented us with an example of how 
Commission action and ISP disclosures can be used to help protect 
Internet users from privacy invasions and impermissible network 
management practices. In its order finding that Comcast's interference 
with customer traffic was not reasonable network management, the 
Commission ordered Comcast to fully disclose the details of its past 
and planned practices, including use of DPI. See Federal Communications 
Commission, Memorandum Opinion and Order  54-56 (August 1, 2008), 
available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-
183A1.pdf. Given the authority, the Commission could make this type of 
disclosure an industry-wide baseline to ensure that customer's 
decisions about granting consent are based on good, complete 
information backed the force of law.
---------------------------------------------------------------------------
    In order to achieve these goals, the Committee should seek to pass 
legislation to encapsulate these requirements and to make it clear that 
the FCC has the power to enforce them. As the Commission observed in 
1998, ``The [Communications Act] recognizes that customers must be able 
to control information they view as sensitive and personal from use, 
disclosure, and access by carriers.'' \38\ The Committee and Congress 
need only make it clear that Internet user privacy is another area of 
communications where the Commission is empowered to protect consumer 
privacy.
---------------------------------------------------------------------------
    \38\ Federal Communications Commission, Common Carrier News Release 
(Feb. 19, 1998), available at http://www.fcc.gov/Bureaus/
Common_Carrier/News_Releases/1998/nrcc8019.html (clarifying permissible 
uses of Customer Proprietary Network Information).
---------------------------------------------------------------------------
VII. Conclusion
    I would like to thank the Committee again for giving me the 
opportunity to testify today. Public Knowledge is eager to work with 
the Committee to craft comprehensive privacy legislation that will 
protect Internet users. I look forward to your questions.

    Senator Dorgan. Ms. Sohn, thank you for your testimony.
    Why do we not start with where you concluded on deep packet 
inspection? I know that our colleagues in the House had sent 
questionnaires to Internet service providers and have received 
some responses. How extensive do you think is this tactic of 
deep packet inspection?
    Ms. Sohn. Well, it was more extensive than it is now. 
Because of the scrutiny over on the House side and also over 
here, several of the ISPs that were using deep packet 
inspection have ceased using deep packet inspection. There was 
such an outcry. However, some are still using deep packet 
inspection.
    And as I said before, a number of those--actually all of 
the providers that were using deep packet inspection who 
responded to the House said that they believed that they were 
fully acting within the law and that what they did to protect 
consumers was adequate. And speaking to some of the folks--I 
will let them speak for themselves--on my right, I know some of 
them are considering using DPI as well, albeit with the 
protections that they have outlined today.
    Senator Dorgan. Is there a beneficial use of deep packet 
inspection, for example, attempting to determine who is out 
there that is providing viruses? So is deep packet inspection a 
process that in some cases can be beneficial?
    Ms. Sohn. Absolutely. Public Knowledge has been saying in 
the 7 years of its existence, that you do not outlaw 
technology. You outlaw bad uses of technology, and DPI, as you 
stated, can be used for lawful and very beneficial purposes.
    Senator Dorgan. But the testimony and knowledge we have, 
for example, of NebuAd and others says that the purpose of deep 
packet inspection is to track people's behavior in a wide range 
of areas and then profile and do targeted advertising to that 
profile, which is done, I assume, largely without the knowledge 
of the user, which is very troublesome.
    Ms. Attwood, you indicated to me that the fact that the 
Senate and the House are beginning to evaluate these things was 
helpful to your company because these are relatively new issues 
and it really caused your company to be thinking what kind of 
policies do we employ, how do we go through this and develop 
policies internally. And I think that is commendable.
    The question I think for the three providers here is what 
kind of information do you collect at this point. What kind of 
movements do you track and for what purpose?
    Ms. Attwood. Well, it is a great question. I guess I would 
elaborate. Here we are talking about behavioral advertising.
    Senator Dorgan. Right.
    Ms. Attwood. And in that context, we are not engaged in 
that practice today. And we commend you and this Committee and 
the attention and the effort to look at the way in which 
collection of material has affected or prompted our consumers 
to identify what they are concerned about.
    That allows us to actually look as we enter into these 
phases to say can we use privacy as a design element. Rather 
than as a regulatory requirement or as something after the fact 
that we have to look at, let us look and say our products and 
services--privacy will be by design. And that is what this 
dialogue allows us to do. It allows us to as an industry 
galvanize around how we can construct the right framework so 
that we can bring the benefits of both the advantages of an 
advertising-supported model, which is really an innovation in 
the Internet area, as well as the capabilities of protecting 
the privacy of our customers.
    So we have millions of customers, and therefore we have 
lots of information that we use to improve the services and 
products of our customers. There is a lot of value that can be 
created and innovation that can be created in offering 
additional targeted advertising, as well as additional value 
propositions to the customer. We think that is something today 
that has proved itself, whether it is affinity cards or whether 
it is in some things that you already see. Those are areas 
where we are hopeful we can help innovate, as long as we 
consider privacy by design.
    Senator Dorgan. As a consumer and an Internet user, I see 
the value of targeted advertising because if I am on the 
Internet wanting perhaps buy a pair of shoes and then I see 
targeted advertising coming at me advertising certain kinds of 
shoes, perhaps even that same brand, I understand that someone 
saw I was looking at shoes, and so they were trying to provide 
additional advertising about shoes. In many ways that is 
useful, perhaps in some cases annoying, but in many other cases 
useful.
    But the other side of this is that an Internet service 
provider would have a substantial body of knowledge. Let us 
assume that my two colleagues, Senator Klobuchar and Senator 
Thune, are customers of the same provider. You would have a 
substantial amount of information about each of them, what they 
have done, what their travels have been on the Internet, where 
they have visited, and so on. And that could have enormous 
financial value to a company. And someone comes to your company 
and says, you know what? That information you are sitting on 
has great, great value. We will pay a lot of money for it. So 
that is where the advertising model on the Internet confronts 
the issue of privacy that is very, very important.
    So I appreciate the testimony today. I think all three of 
you have said that your companies have had to sink their teeth 
into this question of how do you deal with the privacy issue. 
You have all talked, I think, about the opt-in strategy doing 
so in a manner that has a customer that is fully informed.
    I have seen a number of opt-in strategies that I think, Mr. 
Tauke, you mentioned. People do not have the foggiest idea 
whether they have opted in or opted out. They have simply 
pushed the ``OK'' button with the cursor, and so there they 
are.
    This is a really interesting set of issues. I did indicate 
that if somebody followed you into a mall with a clipboard and 
traced everything you not just bought or store you visited, but 
every single item you looked at, you have great angst about 
that. Who on earth is doing this? And yet, that potential 
exists. And so that is why we have to try to deal with this 
tension between constructive advertising models on the Internet 
and the right to privacy.
    Senator Klobuchar is next.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Chairman Dorgan. 
Thank you for having this hearing. Thank you to our witnesses.
    At the last hearing on this, I expressed my views that 
Americans have a love-hate relationship with advertising on the 
Internet. We want to see some of it, and then some of it we do 
not want.
    I made the mistake, Mr. Chair, of using the example at the 
last hearing of how I liked to see ads pop up for deals on 
clothes, but I do not like it when my daughter who is 13 sees 
ads for American Girls. And as a result, I would just like the 
record to reflect, I got several letters from defenders of 
American Girl dolls. It was in the Los Angeles Times--my quote. 
And I just want the record to reflect that I have nothing 
against the American Girl dolls, including Kirsten, Molly, 
Kaya, and Kit Kittredge, which movie I just saw. So if you 
could just make that clear.
    Senator Dorgan. Well, the permanent record will reflect----
    [Laughter.]
    Senator Klobuchar. Thank you very much.
    I actually just had some questions looking at your 
testimony and thinking about what we talked about last time. 
You know how when you have your credit record, you are able to 
go back and clear it up and see what information is on there. 
Do you think you should have the same ability to do that as a 
consumer with any information that might be on there on your 
shopping record or the information on you on the Internet? I do 
not know who wants to take that.
    Ms. Attwood. I am happy to address that. I think that is 
one of the issues that would be interesting to develop, the 
question of whether the customer not only can control the 
information that is collected, but also can identify and see 
what they look like online. And even more to your point--and I 
do not want letters either, although I do not think I would get 
them from American Girl.
    Senator Klobuchar. These were just consumers for American 
Girl, not the company.
    Ms. Attwood. Maybe ultimately down the line you would be 
able to have some flexibility in identifying what 
advertisements you want to see and what you do not want to see. 
So those could be age-specific. Those could be related to your 
household, a particular interest in your household.
    So the concept of customer control, the concept of using 
the capabilities and enhancements of the technology to help 
customize that experience is something of an exciting prospect 
so long as we protect and really embrace the notion of privacy.
    Senator Klobuchar. Mr. Stern?
    Mr. Stern. Thank you, Senator.
    If I may just add, not only does customer consent allow the 
consumer to opt in, if they want to have online advertising be 
targeted, but they can also opt out. And that gives them a 
unique ability to do something that they cannot do with their 
credit report, which is to wipe the slate clean. And so we 
think that that is actually an important part of this, giving 
customers the ability to make a decision and later change their 
mind.
    Senator Klobuchar. Very good. And the technology is 
available to do that?
    Mr. Stern. Yes, it is.
    Senator Klobuchar. If we were to put together some 
legislation at some point--and I know all three of you would 
rather have it be self-regulating, but if Federal privacy 
regulation is considered in Congress, what would you think the 
key would be to this potential legislation? What do you think 
should be in that? Are there any models you would look at like 
the European data privacy law, or what would you look at to do 
that? Mr. Tauke?
    Mr. Tauke. Well, Senator, first of all, you are right. At 
this juncture, we are not prepared to embrace legislation. We 
actually think that there are some models on the books already 
that could be useful. I mentioned in my testimony the 
advertising industry's model where the FTC is the enforcing 
agency.
    One of the reasons why we are a little unsure about 
legislation at this juncture is because this technology is 
developing so rapidly, and there are different technologies 
that are being used to do different things. As I think all of 
us have alluded to in one way or another, the technology is not 
in and of itself bad. The technology can do terrific things in 
order to enhance online experiences. It is how it is handled 
and what the consumer role is.
    So having said that, with legislation I believe the notion 
of meaningful consent and the consumer in charge of their 
online experience are the two key elements. Exactly how that 
translates into the technology of today and the technology and 
practices of tomorrow is a little uncertain yet. That is why I 
think if the industry could, in a sense, help establish some 
best practices ourselves, try to keep up to date with that 
stuff, get all the players involved, because the consumer does 
not care who is tracking--you know, it is the same impact no 
matter who is doing it--if we could do that and then that might 
inform the Committee too of what we are doing and where gaps 
may be and if you should step forward with some additional 
legislation.
    Senator Klobuchar. Do you think competition could push, 
though, some of your fellow competitors not to keep up with 
those regulations?
    Mr. Tauke. Competition works both ways on this issue, 
Senator. I mean, I think what we have found in our history on 
some of these issues is being on the side of the consumer and 
privacy is not a bad deal. We have had some fairly highly 
publicized lawsuits over the last few years trying to protect 
our consumers' privacy, and we think that benefited us in the 
marketplace.
    When we have dealt with issues like--I remember a couple 
decades ago now, I guess, when we were dealing with caller ID. 
In other words, there were a lot of fits and starts with caller 
ID. Initially it was thought to be a great privacy protector 
because you could see who is calling you. Then, of course, 
there was concern that, oh, now the estranged husband knows 
something about who is calling the wife and various other 
things that happened. And so there was concern from a domestic 
violence perspective and so on. Then we had blocking that came 
into play and various other things happened with the 
technology.
    So we evolved to the place today I think where most 
consumers really like the technology, the information it 
provides. They know how to protect themselves if they do not 
want their number following their call.
    So I think it is the same thing here. We have to, over 
time, figure out how to do this the right way.
    But I think it is in our company's interest to be on the 
side of privacy. I think that is a marketing advantage. I think 
that for the industry as a whole, it is essential that we get 
there. The worst thing for our industry is the consumers are 
afraid to use the Internet.
    Senator Klobuchar. And I would agree with you, especially 
from larger, mainstream companies that do not want to be tarred 
with having not protected privacy rights. But not all the 
companies in the game might care about that as much. And that 
is why I am looking at some rules that could maybe protect your 
own industry if you had some rules that you already believe are 
in your best interest that could protect the consumers from 
other companies which might not share your interests in 
protecting privacy as a marketing and as a good thing to do as 
a company.
    Ms. Attwood. Yes. I would like to underscore that because 
not all folks in this space have consumers that they answer to. 
We fully agree with Verizon's position about this being a 
marketing advantage. AT&T views that absolutely as a great 
opportunity here. But right now there is behavioral targeting 
in the online environment, and it is by web actors who do not 
have direct customers to answer to.
    The beauty of an advertising-supported model is that it is 
free. The disadvantage is that your customer is your 
advertising industry. It is not retail. It is not our 
customers. So while I think that there is a direct advantage 
that we have to our customers, I think we would, at AT&T, say 
another key element to any legislative proposal would be that 
it apply to all actors because that is really the only way. I 
mean, we talk a lot about from a competitive point of view, and 
clearly that is of interest to AT&T.
    But I would say from a customer confusion question, without 
really addressing this issue holistically, when the customer 
turns on the computer and goes to a web page and on that web 
page there is advertising and on that advertising, that 
customer has indicated to AT&T that they do not want to be 
tracked, I cannot do anything to protect that customer from 
being tracked by other entities that are, in fact, appearing in 
that advertising space.
    So until we address this holistically, even efforts from 
companies such as ours suggesting that there ought to be 
control and ought to be affirmative selection by the customer 
cannot be implemented fully, and the customer can be confused.
    Senator Klobuchar. Thank you.
    Senator Dorgan. We had other companies testifying at the 
first hearing, and at that point we did not have the Internet 
service providers, which is why we wanted to have Internet 
service providers at this hearing. I understand the point you 
are making.
    Senator Thune?

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. Thank you, Mr. Chairman.
    And that was an interesting hearing, and this is an issue 
that is getting a lot of attention, as you would expect. And I 
do not think there is any question that online advertising is 
the fuel for this economic engine that is really driving the 
world right now. It has resulted in substantial access to free 
content for people on the worldwide Web.
    But I do want to pick up on the previous discussion here 
because I think, Mr. Tauke, you had mentioned in your remarks 
that the industry is working to develop self-regulating privacy 
standards for online advertising. And to get back to Ms. 
Attwood's point, one entity cannot do this. There has got to be 
some sort of an agreement, I think, within the industry.
    So I guess my question is, what is the time line for those 
standards? Who is participating in developing those standards? 
What are those standards going to look like? And will you keep 
us updated as you progress down that road?
    Mr. Tauke. First, we have signed some nondisclosure 
agreements with some other companies that would not permit me 
to today publicly disclose who all the players are. But I think 
it is fair to say that there are ISPs, there are 
representatives of other online types of activities. So I think 
we are seeing people from all parts of the online sector, the 
search engines, the browsers, and so on, who are interested in 
participating in this kind of thing.
    We also have talked to and engaged with some in the 
advertising industry who also have an interest.
    I cannot tell you we will get there, but I am encouraged by 
the progress so far. And I think it is feasible that in over a 
matter of a few months we would be able to get a pretty strong 
group of players in the industry to move forward with best 
practices.
    Then the question becomes how do you enforce those. First, 
there is a lot to be said for shining the light of day on a lot 
of practices, and if industry is focused on doing that, it is 
able to do that, and force change. That happened with this 
Committee. This Committee held a hearing, and as the witnesses 
have pointed out, people stopped their behavior because the 
light of day was shined upon it. That is what an industry group 
can do.
    Second, as we have alluded to earlier, the Federal Trade 
Commission also has jurisdiction in this area, has indicated it 
intends to assert jurisdiction, and if informed by good 
industry practices and standards, then I think the FTC would 
have greater ability to act appropriately.
    Senator Thune. Do you have a time line for when all this 
might----
    Mr. Tauke. What I would like to say to you is it will all 
happen in 2 months. I do not know that I can say that. I think 
this is a process. You are familiar with that, of course, in 
the Senate. It is a process. I think we have made good 
progress. I think as you have heard this morning, several 
companies are endorsing very similar principles here. So I 
think that there is a consensus developing. And I hope by the 
end of the year, certainly by the time you come back, that we 
can report back to you and give you progress on where we are. I 
think we will have something fairly good to say.
    Senator Thune. That would be really helpful because I think 
that that is a preferable solution to having us try and 
legislate something in this area. But it has to be at least, I 
think, somewhat comprehensive in terms of the scope of those 
from industry who are participating in order to make it 
effective. So I would encourage you as you continue down that 
track.
    And I would direct this, I guess, to any of our panelists. 
But you talk about sensitive information deserving a greater 
degree of protection than regular online uses. And I guess the 
question would be, what is considered sensitive personal 
information? Is that a health record? Is that a credit card 
history, e-mails? What qualifies in your judgment in that 
category of sensitive information?
    Mr. Stern. Senator, all of those could count as sensitive 
information. Certainly medical information is sensitive. And we 
believe that this opt-in framework ensures that we will protect 
those forms of sensitive information.
    We also think that there are certain types of information--
and medical information may be one of those--that merits a 
dialogue between policymakers and participants in industry that 
would put even more stringent controls around certain types of 
information, including making it possibly entirely off limits 
for activities like targeted online advertising.
    Ms. Sohn. I think it is critical that it is the Internet 
user who makes that choice as to what is sensitive. Right now 
with deep packet inspection, sometimes it is a third party or 
the NebuAd that is deciding what is sensitive and not. As you 
point out, there is not a commonly understood definition of 
what sensitive is. So that is, to me, a critical part of 
putting control back in the Internet users' hands. They decide 
what is sensitive as opposed to a third party with whom they 
are not even contracting.
    Mr. Tauke. Let me just say first this is a tough area. It 
is hard to define exactly what the sensitive information is and 
precisely how you handle it.
    So, for example, we all agree, I think, that medical 
records would be sensitive information. Yet, I get my 
prescriptions online. I do not know about the rest of you. And 
I want my online pharmacist to keep track of what I have. I am 
happy when they send me a notice saying, you know, it is time 
to renew your prescription. If I would get another prescription 
that interacted inappropriately with what I have today, I would 
hope that they would notify me and tell me that. So that means 
we are asking them, on the one hand, to keep track of some of 
these things. On the other hand, this is certainly information 
that most of us would say should not be tracked.
    So there are some fine lines here to draw. It is tough, but 
I think that this is part of what we hope we can make progress 
on in an industry process.
    Ms. Attwood. I would also underscore what Gigi said, which 
is absolutely creating tools to enable our users to be able to 
individually assess what is sensitive will be a critical thing, 
again, another potentially wonderful advance that we could use 
the technology to actually empower the customer to orient 
themselves around what is sensitive.
    The last thing that the provider wants to do is make that 
judgment. I can tell you whether Government makes it or the 
user makes it, the last thing that we want to do is try to make 
some judgment as to what is important to our customers when it 
comes to sensitive information.
    Senator Thune. Mr. Chairman, I have one more question. My 
time is expired.
    Senator Dorgan. Why don't you proceed?
    Senator Thune. OK. I would like to have you describe--Mr. 
Stern, you mentioned the difference between relevant online 
advertising and targeted online advertising. Could you 
elaborate on the difference between those two, and from your 
perspective, are those different types of targeted online 
advertising that are more problematic for consumer privacy?
    Mr. Stern. Ads can be relevant for a number of reasons, 
Senator. For example, when customers come to a Website and they 
go to the sports page of that Website and then they see 
advertisements for team memorabilia, that context was used in 
order to make the ad relevant. However, if the relevance is 
based on the customer's behavior on other unrelated Websites, 
then we would consider that targeted online advertising, the 
type of advertising that should be governed under the four 
principles that we talked about earlier, informed consent, plus 
safeguarding consumer privacy, and value.
    Senator Thune. Thanks, Mr. Chairman. Thank you all very 
much for your testimony.
    Senator Dorgan. Senator Wicker?

              STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Thank you, Chairman Dorgan, for having this 
follow up hearing.
    You know, I was sitting here thinking John Thune came to 
the House of Representatives in 1996. I got here in 1994. We 
were talking about this thing called the worldwide Web. If we 
had a little time during the orientation, we could go to a room 
and surf the worldwide Web. And to think how far this industry 
has come in 12 or 14 short years is just breathtaking.
    I pay my bills. I check my balance. I make purchases. And 
it is the engine that is largely driving the international 
economy, and we want to be able to facilitate that for the 
economy and for job creation and for consumers' convenience.
    So I appreciate the fact that there seems to be a feeling 
that the Congress should defer perhaps and see if these issues 
of privacy and behavioral advertising can be worked out among 
the participants rather than as a result of legislation.
    I will begin with Mr. Tauke. Maybe within 2 months, we 
might have an agreement announced among the providers. How will 
they compare to the proposed behavioral advertising guidelines 
of the FTC?
    Mr. Tauke. I think all of the companies that are engaged in 
discussion on this issue are well aware of the FTC's 
principles. And of course, you never know the outcome of a 
discussion until it is completed. But I think what the FTC laid 
out has been very helpful and informative, and in turn, we 
would hope what the industry could come up with would also be 
helpful and informative to the FTC.
    Senator Wicker. OK. Other panelists?
    Mr. Stern. Senator, we think the principles that we have 
proposed are very similar to what was laid out by the FTC, but 
they actually go one step further in protecting consumer 
privacy. And that is that we are seeking affirmative customer 
consent for the use of any type of information for the purposes 
of targeted online advertising, not just personally 
identifiable information.
    Senator Wicker. And would you explain what you mean by that 
to a layman?
    Mr. Stern. Absolutely. When you held your testimony in July 
and met with NebuAd, they talked about the ability that they 
had with their technology to anonymize the data that they 
received so that they would track the customer's behavior, but 
it could not be attributed to any individual. It would be used 
to deliver relevant ads to that individual while they browsed, 
but they could not tie it back to a person. They could not tell 
that that browsing behavior was your browsing behavior, 
although they could change your browsing experience based on 
the information.
    What we are proposing is that we would not even do what 
NebuAd talked about, absent affirmative customer consent. In 
other words, we would not use your information whether or not 
we could attribute it to you personally to deliver targeted 
online advertising to you.
    Senator Wicker. I see.
    Other members of the panel?
    Ms. Attwood. Well, I would just say I think that the FTC 
process has greatly informed our industry discussions. They 
were able to, along with great work that has been done in the 
privacy consumer community by Ms. Sohn's group, by CDT, others 
that have helped shed light on the issue, helped identify the 
practices that are most concerning to consumers, and have 
through the imprimatur of the FTC and its process created 
importance, as has this Committee, creating the incentive for 
the industry to come together to talk, to make sure that we 
understand how we can, in fact, achieve ultimately a greater 
sense of privacy assurance for consumers so that they use our 
services and use the Internet even more. I think that there is 
no question that the FTC process has been quite involved in the 
development of that.
    Ms. Sohn. Can I be the skunk at the self-regulatory party? 
Because----
    Senator Wicker. That would be a lot of fun.
    Ms. Sohn. I want to make two points.
    Number one is to address something that Senator Klobuchar 
said about competition. The problem is that, at least in 
broadband, there is not that much competition. This is 
something my organization has talked about for a long, long 
time. And a lot of the ISPs that were using deep packet 
inspection and NebuAd were not subject to great competition. A 
lot of them were rural ISPs. So the notion that there is going 
to be this competitive pressure, I'm dubious.
    The second thing--and this is the point that I discussed in 
my oral testimony but discuss in more detail in my written 
testimony--is that the Communications Act already does cover 
some ISPs. There is a lot of talk about a level playing field, 
but right now cable Internet services are covered by stricter 
privacy regulation than broadband telephone information ISP 
services. So there is already in the law gaps where Mr. Tauke's 
company is being treated differently than a Comcast. So I do 
think that at a minimum you need to amend the Communications 
Act to fix those gaps because right now you do not have a level 
playing field between broadband ISPs.
    Senator Wicker. Response?
    Mr. Tauke. Part of that highlights the point. Yes, there 
are all kinds of rules that apply to all different companies 
differently. If you guys could take on the Communications Act 
and level the playing field, most of us would applaud heartily. 
But rewriting that act--it has been a long process and it is 
very hard to get anything to fruition when you take on that 
major a task.
    So we are not saying that we are opposed to the Committee 
addressing the issue, but what you are doing here, having a 
hearing, forcing industry to address the issue is helpful. We 
have the FTC that has some authority already. We have an 
industry that I think wants to get its act together. It is in 
our own interest to clean up the act. Right? So I think that 
can help.
    If all that should happen, if the Senate--God bless you if 
you go forward and do your thing. That is terrific. But in the 
meanwhile, I think there is a need for this other activity to 
go on. That will inform what you do. It may turn out this is 
not such a big issue, or it may turn out there are other 
problems that arise as this goes on. But we ought to go forward 
with the self-regulatory approach, try to use what is there, 
and that will help inform you, I think, what the challenges are 
and where we may need additional legislation.
    Senator Wicker. Thank you.
    Senator Dorgan. Senator Wicker, thank you.
    This issue of self-regulation--I think the process that is 
ongoing is very valuable. But in the ultimate, self-regulation 
works if there is, number one, adequate criteria established, 
and number two, if it is enforceable. And one of my concerns is 
that what is happening now and what will happen in the future 
with respect to Internet advertising is various entities, 
content providers, Internet service providers, and others, have 
information that is going to become increasingly valuable, and 
it is tempting product to sell to someone who would like to 
purchase it. And so the question is under what conditions does 
that happen.
    I want to come back to this question. Mr. Stern, you talked 
about when NebuAd appeared before this Committee and the 
anonymizing of information. It seems to me, however, that if 
NebuAd gathers all of this information and develops the 
strategies for targeted advertising and profiling, that if they 
are able to deliver that advertisement back to the Internet 
address, it is really not anonymous, is it?
    Mr. Stern. Senator, there is a separation between the 
information that NebuAd has, which is a profile attached to an 
anonymous identifier, and the information that the ISP has, 
which is the connection between that anonymous identifier and 
the individual. As a consequence, there is--and I am not an 
expert on NebuAd's technology, given that we have not engaged 
in targeted online advertising and we have not done any sort of 
a deal with NebuAd or anyone like that--but there is, in fact, 
a set of technologies that are used in that approach to protect 
the customer's identity and anonymity.
    Senator Dorgan. But there has to be a string somewhere from 
the information gathered and then ultimately delivered to the 
Internet address of the person whose tendencies on the Internet 
have been profiled. I mean, this reminds me of the discussion I 
sat in last night for 2 hours on the financial rescue issue, 
the discussion about firewalls that exist. It turns out the 
firewalls were not so fireproof.
    Mr. Stern. That is correct, Senator. There is no perfect 
technology here.
    But the principles that we have outlined ensure that 
targeted online advertising would only take place if consumers 
affirmatively consent after being informed of how their 
information will be used. As a consequence, we think that the 
harm that you have raised is one that customers will be able to 
evaluate and weigh against the benefits that they will enjoy by 
being able to see more relevant ads.
    Senator Dorgan. It is interesting. I was just looking at a 
report that was released this morning. The information was 
provided me last evening of what was to be released this 
morning. It is a poll released today by Consumer Reports' 
National Research Center, and it has a lot of interesting 
information in it. There is a lot of misinformation out there 
and a great deal of lack of information.
    Consumers are aware that information about their surfing 
habits, that is, movements on the Web, is being collected 
online. And here is what they believe.
    Sixty-one percent of consumers are confident that what they 
do online is private and not shared without their permission. 
That is what people now believe.
    Fifty-seven percent believe that companies must identify 
themselves and indicate why they are collecting data and 
whether they intend to share it with other organizations.
    Forty-eight percent believe that their consent is now 
required for companies to use personal information they collect 
from online activities.
    Forty-three percent believe a court order is now required 
to monitor activities online.
    I only describe that to you because this is just released 
this morning. What it does show is while people, I think almost 
all of us would understand, are very concerned about privacy, 
they have very little understanding about what exists or what 
might not exist to create fences or gates or protections for 
their online privacy.
    I think that the work that our colleagues in the House have 
done with their data gathering and hearings, the work that we 
have done, and the work that the FTC is now doing and the 
efforts by people in your industry to come together and develop 
approaches--again, I think in many ways these hearings kind of 
provoke and require people to be thinking what are we doing and 
how does it relate to what our responsibilities are and what 
the law is. I think all of this is constructive for us, as we 
move down the road here, to understand what is necessary. Is 
this something that can be self-regulated with enforcement 
capabilities, or will there need to be, both at the FTC and 
also will there need to be here in the Congress, some 
legislative guidelines developed that will inform us as we move 
forward.
    I do not think any of us fully know the answer to that, but 
we are now learning a great deal more than we knew, which I 
think is progress.
    I want to thank the three Internet service providers for 
making themselves available for this hearing. Your testimony, I 
think, is instructive for us.
    Ms. Sohn, the title of your organization is Public 
Knowledge, which is pretty all-encompassing I was thinking, as 
I read that last evening. So we thank you for providing public 
knowledge about these issues from your perspective, which I 
think is also very valuable to this Committee.
    This hearing is adjourned.
    [Whereupon, at 11:10 a.m., the hearing was adjourned.]
                            A P P E N D I X

 Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
    For the American people, privacy is a treasured right, but it is 
also a right under regular attack. In this digital age, commercial 
forces can amass treasure troves of data about each and every one of 
us. This is especially true when it comes to where we go and what we do 
on the Internet.
    Today we focus on the on-ramps to the Internet, and explore in 
greater depth the consumer privacy policies of our Nation's largest 
broadband providers. We will consider the abilities these providers 
have to view our online behavior and discuss what notice they should 
provide to consumers when they seek to do so. Further, we must examine 
whether our communications laws governing consumer privacy have kept up 
with rapidly changing technology or require adjustment.
    I look forward to hearing from our witnesses.

                                  
