[Senate Hearing 110-1179]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 110-1179

 
               PRIVACY IMPLICATIONS OF ONLINE ADVERTISING

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                              JULY 9, 2008

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation



                  U.S. GOVERNMENT PRINTING OFFICE
76-329                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  



       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                   DANIEL K. INOUYE, Hawaii, Chairman
JOHN D. ROCKEFELLER IV, West         TED STEVENS, Alaska, Vice Chairman
    Virginia                         JOHN McCAIN, Arizona
JOHN F. KERRY, Massachusetts         KAY BAILEY HUTCHISON, Texas
BYRON L. DORGAN, North Dakota        OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California            GORDON H. SMITH, Oregon
BILL NELSON, Florida                 JOHN ENSIGN, Nevada
MARIA CANTWELL, Washington           JOHN E. SUNUNU, New Hampshire
FRANK R. LAUTENBERG, New Jersey      JIM DeMINT, South Carolina
MARK PRYOR, Arkansas                 DAVID VITTER, Louisiana
THOMAS R. CARPER, Delaware           JOHN THUNE, South Dakota
CLAIRE McCASKILL, Missouri           ROGER F. WICKER, Mississippi
AMY KLOBUCHAR, Minnesota
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Lila Harper Helms, Democratic Deputy Staff Director and Policy Director
   Christine D. Kurth, Republican Staff Director and General Counsel
                  Paul Nagle, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 9, 2008.....................................     1
Statement of Senator Carper......................................    80
Statement of Senator DeMint......................................    71
Statement of Senator Dorgan......................................     1
    Prepared statement of Hon. Daniel K. Inouye..................     3
    Prepared statement by Hon. Ted Stevens.......................    68
Statement of Senator Klobuchar...................................    68
Statement of Senator Nelson......................................    75
Statement of Senator Thune.......................................    72
Statement of Senator Vitter......................................    66

                               Witnesses

Crews, Jr., Clyde Wayne, Vice President for Policy/Director of 
  Technology Studies, Competitive Enterprise Institute...........    47
    Prepared statement...........................................    48
Dykes, Robert R., CEO, NebuAd, Inc...............................    17
    Prepared statement...........................................    19
Harris, Leslie, President/CEO, Center for Democracy and 
  Technology.....................................................    22
    Prepared statement...........................................    24
Hintze, Michael D., Associate General Counsel, Microsoft 
  Corporation....................................................    55
    Prepared statement...........................................    57
Horvath, Jane, Senior Privacy Counsel, Google, Inc...............    11
    Prepared statement...........................................    12
Kelly, Chris, Chief Privacy Officer, Facebook, Inc...............    40
    Prepared statement...........................................    42
Parnes, Lydia B., Director, Bureau of Consumer Protection, 
  Federal Trade Commission.......................................     4
    Prepared statement...........................................     5

                                Appendix

Letter, dated July 9, 2008, to Hon. Daniel K. Inouye and Hon. Ted 
  Stevens from Hon. Richard Blumenthal, Attorney General, State 
  of Connecticut.................................................    87
Response to written questions submitted by Hon. Maria Cantwell 
  to:
    Robert R. Dykes..............................................    97
    Leslie Harris................................................    96
    Jane Horvath.................................................    93
    Chris Kelly..................................................    92
    Lydia B. Parnes..............................................    87
Response to written questions submitted by Hon. David Vitter to:
    Clyde Wayne Crews, Jr........................................   107
    Robert R. Dykes..............................................    98
    Leslie Harris................................................    97
    Michael D. Hintze............................................   108
    Jane Horvath.................................................    95
    Chris Kelly..................................................    93
    Lydia B. Parnes..............................................    90


               PRIVACY IMPLICATIONS OF ONLINE ADVERTISING

                              ----------                              


                        WEDNESDAY, JULY 9, 2008

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SR-253, Russell Senate Office Building, Hon. Byron L. Dorgan, 
presiding.

          OPENING STATEMENT OF HON. BYRON L. DORGAN, 
                 U.S. SENATOR FROM NORTH DAKOTA

    Senator Dorgan. We are going to begin the hearing this 
morning. This is a hearing of the Senate Commerce Committee. I 
am going to begin the hearing now. We will have other Senators 
join us, but at the moment there is scheduled a series of five 
votes beginning at 11:15. That may slip a bit. It may slip to 
11:30, which means that I would have until 11:45 to leave the 
room in order to still make the vote. That would give us an 
hour and 45 minutes. If we do not finish the hearing in an hour 
and 45 minutes, we will have to recess. The recess will last at 
least an hour to an hour and a half because five votes take 
that long.
    So my hope would be that we can finish this hearing in 
about an hour and 45 minutes. I do not want to shortchange the 
subject. This is a very important subject. We will be holding 
another hearing on this subject, but for now, as an opening, I 
want to at least give an opening statement, and then I am going 
to call on all of the witnesses to provide the testimony. And 
then we will have time for questions by Senators who come to 
the hearing.
    I want to thank all of you for joining us today to discuss 
an important topic of privacy in the context of marketing for 
online advertising. The Commerce Committee has always had an 
interest in this subject of protecting privacy and doing so in 
a way that is thoughtful and appropriate. And we need to take a 
closer look, I think, at Internet users' privacy as the field 
of online advertising develops.
    I understand, first of all, there are many, many benefits 
to online advertising. I understand that the free Internet and 
the open architecture of the Internet allows Internet service 
providers and Internet companies to provide services and 
products and information in a way that is almost breathtaking, 
and I understand the backbone of much of that is supported by 
advertising, by online Internet advertising.
    The questions that we discuss and raise today are not meant 
to suggest that advertising has no value as it relates to the 
Internet. Quite the contrary is the case. But I think there are 
issues that are developing that are important issues and those 
are issues about the invisibility of data collection, the 
collection of information about online users, the security of 
the information that has been collected, and the use of that 
information. I am concerned about the ability of users of the 
Internet to choose to allow others access to their data with an 
understanding of where it will be transferred and how it will 
be used. I am concerned about the users' ability to control 
this information.
    Most of the discussion about advertising on the Internet 
these days is about--not all of the discussion, but most of it 
is about behavioral advertising. The companies that have been 
gathering information about those who use the Internet are 
companies that wish to find ways to better target advertising.
    I was actually this morning visiting with my college-aged 
daughter about this subject, and she was asking about the 
hearing. And I said, well, think about going to a big shopping 
center and going to four stores, and you stop at the cosmetics 
section, you stop at the shoe section, you shop for a dress, 
and you go to CVS, and there is someone behind you with a 
notebook making notes about every place you are stopping and 
the products you are searching and looking at. That becomes 
part of a data bank they send to someone.
    Well, that is what happens in many cases now with respect 
to your use of the Internet. Someone is gathering information 
about where you traveled and what you viewed, and that goes 
into a data bank and it can be sold or resold and becomes the 
process by which companies will use the information in which to 
target advertising directly to you.
    I think that the issue here of privacy, who is collecting 
what kind of information, how does that information exist in 
what identifiable form or how might that be used, who is it 
sold to, does the consumer know, all of those issues I think 
are very, very important. And the issues that surround them I 
think need to be discussed by the Congress in the context of 
trying to decide are there protections, further protections, 
necessary, not only what protections now exist, but are further 
protections necessary.
    Companies believe that by gathering information about 
online users, they can serve more relevant advertisements to 
individuals and increase the amount that they can charge per 
ad. And I understand all that. And revenue is important to the 
operation of diverse websites, but it is also important for us 
to ask the questions about protection for users' privacy and 
whether they should have a choice about whether they want to 
have data shared about what they are doing on the Internet.
    There is some discussion about self-regulation, and the 
principles proposed by the Federal Trade Commission I think 
some would suggest are a good start. Some would suggest they 
are short of what is necessary. The FTC might need to go 
further and ensure the enforcement of any guidelines. Congress 
may need to address our patchwork of privacy laws because all 
of this is a developing area, and when you are talking about 
the individual's right to privacy, it is very, very important.
    I do want to mention additionally that I had invited the 
Internet service providers to testify today, and they declined 
the invitation. So I am going to do another hearing and that 
hearing will only be with the Internet service providers 
because I think they have to be a part of this discussion.
    I do appreciate all of those who have decided to come at 
our invitation and give us their perspective on these important 
issues. And we are going to begin today by hearing from Lydia 
Parnes, who is the Director of the Bureau of Consumer 
Protection at the Federal Trade Commission. Then I have asked 
the panelists to be seated at the table, and we are going to 
hear from all of those on panel two and then we will ask 
questions.
    I say to Senator Vitter I do not want to do opening 
statements. I will be happy to recognize you for a moment, but 
what I want to do--we have a vote starting at 11:15. What I 
would like to do--if that slips, we may be able to stay here 
until 11:45, but I want to get all the witnesses to testify and 
then have an opportunity for questions.
    Senator Vitter. All right.
    Senator Dorgan. All right.
    Ms. Parnes, you have testified before this Committee 
before. We appreciate your being here again. Let me ask 
consent, as I recognize you, for the statement by Senator 
Inouye to be made a part of the permanent record.
    [The prepared statement of Senator Inouye follows:]

 Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii

    In the United States of America, privacy is a treasured right, but 
it is also a right that seems to come under regular attack.
    Today, commercial entities using digital means can track nearly all 
of our marketplace moves. Websites and Internet service providers can 
watch where we go online, what we purchase over the web, and where we 
linger on the Internet.
    Too many consumers spend time on the Internet without knowledge or 
notice that they are under commercial surveillance. They assume they 
are in the privacy of their own home and that this privacy will be 
respected. Unfortunately, this is not always the case.
    I am troubled by the current state of affairs. I fear that our 
existing patchwork of sector-specific privacy laws provides American 
consumers with virtually no protection. At the same time consumers in 
other countries are treated with more respect and concern by the very 
same companies who so freely collect our most private information 
without warning.
    American consumers deserve better. With so much of our commerce and 
entertainment migrating to the Internet, consumers should not be asked 
to surrender their privacy each time they go online.
    Ensuring that every consumer's right to privacy is appropriately 
protected will require the Congress's continued attention. Today's 
hearing on privacy and online advertising represents merely a start, 
and I look forward to holding additional hearings on these matters 
later this year.

    Senator Dorgan. Ms. Parnes, you may proceed. We have asked 
all of you to take 5 minutes for your oral testimony, and the 
permanent record will include your full statements.

  STATEMENT OF LYDIA B. PARNES, DIRECTOR, BUREAU OF CONSUMER 
              PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Parnes. Thank you, Chairman Dorgan. I appreciate the 
opportunity to appear before you today to discuss the 
Commission's work on issues related to online behavioral 
advertising.
    Balancing consumers' online privacy interests against the 
development of successful online business models has been a top 
priority for the Commission over the past decade. Behavioral 
advertising, the use of tracking data to target advertisements 
to online consumers, is a challenging issue. It may provide 
benefits to consumers in the form of advertising that is more 
relevant to their interests, as well as a reduction in unwanted 
ads. It may also help support a diverse range of free online 
content that consumers would otherwise have to pay for, for 
example, blogging, search engines, social networking, and 
instant access to newspapers from around the world.
    At the same time, many consumers express discomfort about 
the privacy and data security implications of being tracked. 
Without adequate safeguards in place, consumer tracking data 
could fall into the wrong hands or be used for unanticipated 
purposes. These concerns are exacerbated when tracking 
involves, for example, sensitive information about children's 
health or a consumer's finances. Further, particular concerns 
have been raised about tracking done by network advertisers 
across many sites, and most recently we saw significant 
consumer concern when one ISP announced and then abandoned 
plans to track every move of its customers as they navigate 
online.
    The FTC has examined behavioral advertising for more than a 
decade, almost since the Internet transformed into a commercial 
medium. Our most recent efforts began in November of 2006 when 
we held 3 days of public hearings on technology issues likely 
to affect consumers in the next decade. Following these 
hearings, Commission staff held a series of meetings with 
stakeholders to learn more about behavioral advertising, and in 
November 2007, the Commission hosted a town hall devoted 
exclusively to behavioral advertising.
    Several key points emerged at the town hall.
    First, participants confirmed that online behavioral 
advertising may provide valuable benefits to consumers.
    Second, the invisibility of the practice to consumers 
raises privacy concerns, as does the risk that data collected 
for behavioral advertising could be misused.
    And third, business and consumer groups alike expressed 
support for transparency and consumer control in the online 
marketplace.
    In December 2007, following the town hall, Commission staff 
issued and requested comments on proposed principles for online 
behavioral advertising to spur continuing public dialogue and 
encourage meaningful self-regulation. In brief, the proposed 
principles identify four issues to consider in developing a 
self-regulatory scheme.
    First, companies that collect information for behavioral 
advertising should provide meaningful disclosures to consumers 
about the practice, as well as choice about whether their 
information is collected for this purpose.
    Second, companies should provide reasonable security for 
behavioral data so that it does not fall into the wrong hands 
and should retain data only as long as necessary to fulfill a 
legitimate business or law enforcement need.
    Third, before a company uses behavioral data in a manner 
that is materially different from promises made when the data 
was initially collected, it should obtain affirmative express 
consent from the consumer.
    Fourth, companies should obtain affirmative express consent 
before they use sensitive data for behavioral advertising.
    Commission staff received over 60 thoughtful, constructive, 
and diverse comments on the principles. The comment period has 
closed, and we are carefully evaluating the comments that we 
have received. Included in the comments were a number of 
specific proposals for how self-regulation could be 
implemented, as well as reports about steps taken to address 
privacy concerns since the town hall. Although there clearly is 
more work to be done, the Commission is cautiously optimistic 
that the privacy issues raised by online behavioral advertising 
can be effectively addressed through self-regulation. In such a 
dynamic and diverse environment, self-regulation may, indeed, 
be the best means to develop workable approaches to privacy.
    The Commission, of course, will continue to monitor the 
marketplace to keep pace with developments, gain a better 
understanding of the issues, and take appropriate action to 
protect consumers as circumstances warrant.
    Thank you for your attention, and I would, of course, be 
happy to answer any questions.
    [The prepared statement of Ms. Parnes follows:]

           Prepared Statement of Lydia B. Parnes, Director, 
        Bureau of Consumer Protection, Federal Trade Commission

I. Introduction
    Chairman Inouye, Vice Chairman Stevens, and Members of Committee, I 
am Lydia Parnes,\1\ Director of the Bureau of Consumer Protection at 
the Federal Trade Commission (the ``FTC'' or ``Commission''). I 
appreciate the opportunity to appear before you today to discuss the 
Commission's activities regarding online behavioral advertising, the 
practice of collecting information about an individual's online 
activities in order to serve advertisements that are tailored to that 
individual's interests. Over the past year or so, the Commission has 
undertaken a comprehensive effort to educate itself and the public 
about this practice and its implications for consumer privacy. This 
testimony will describe the Commission's efforts, which have included 
hosting a ``Town Hall'' meeting and issuing for public comment FTC 
staff's proposed online behavioral advertising principles.\2\
---------------------------------------------------------------------------
    \1\ The views expressed in this statement represent the views of 
the Commission. My oral presentation and responses to any questions are 
my own, however, and do not necessarily reflect the views of the 
Commission or any individual Commissioner.
    \2\ See Federal Trade Commission, ``Ehavioral Advertising: 
Tracking, Targeting, and Technology,'' available at http://www.ftc.gov/
bcp/workshops/ehavioral/index.shtml.
---------------------------------------------------------------------------
    The Commission's examination of behavioral advertising has shown 
that the issues surrounding this practice are complex, that the 
business models are diverse and constantly evolving, and that 
behavioral advertising may provide benefits to consumers even as it 
raises concerns about consumer privacy. At this time, the Commission is 
cautiously optimistic that the privacy concerns raised by behavioral 
advertising can be addressed effectively by industry self-
regulation.\3\
---------------------------------------------------------------------------
    \3\ Although FTC staff has proposed self-regulation to address the 
general privacy concerns raised by behavioral advertising, the 
Commission will of course continue to bring enforcement actions to 
challenge law violations in appropriate cases.
---------------------------------------------------------------------------
II. Behavioral Advertising
    Many businesses use online behavioral advertising in an attempt to 
increase the effectiveness of their advertising by targeting 
advertisements more closely to the interests of their audience. The 
practice generally involves the use of ``cookies'' to track consumers' 
activities online and associate those activities with a particular 
computer or device. In many cases, the information collected is not 
personally identifiable in the traditional sense--that is, the 
information does not include the consumer's name, physical address, or 
similar identifier that could be used to identify the consumer in the 
offline world. Many of the companies engaged in behavioral advertising 
are so-called ``network advertisers,'' companies that serve 
advertisements across the Internet at websites that participate in 
their networks.\4\
---------------------------------------------------------------------------
    \4\ The advertisements are typically based upon data collected 
about a given consumer as he or she travels across the different 
websites in the advertising network. A website may belong to multiple 
networks.
---------------------------------------------------------------------------
    An example of how behavioral advertising might work is as follows: 
a consumer visits a travel website and searches for airline flights to 
New York City. The consumer does not purchase any tickets, but later 
visits the website of a local newspaper to read about the Washington 
Nationals baseball team. While on the newspaper's website, the consumer 
receives an advertisement from an airline featuring flights to New York 
City.
    In this simple example, the travel website where the consumer 
conducted his research might have an arrangement with a network 
advertiser to provide advertising to its visitors. The network 
advertiser places on the consumer's computer a cookie, which stores 
non-personally identifiable information such as the web pages the 
consumer has visited, the advertisements that the consumer has been 
shown, and how frequently each advertisement has been shown. Because 
the newspaper's website is also part of the advertising network, when 
the consumer visits the newspaper website, the network advertiser 
recognizes the cookie from the travel website as its own and identifies 
the consumer as likely having an interest in traveling to New York. It 
then serves the corresponding advertisement for airline flights to New 
York.
    In a slightly more sophisticated example, the information about the 
content that the consumer had selected from the travel website could be 
combined with information about the consumer's activities on the 
newspaper's website. The advertisement served could then be tailored to 
the consumer's interest in, not just New York City, but also baseball 
(e.g., an advertisement referring to the New York Yankees).
    As these examples illustrate, behavioral advertising may provide 
benefits to consumers in the form of advertising that is more relevant 
to their interests. Consumer research has shown that many online 
consumers value more personalized ads, which may facilitate shopping 
for the specific products that consumers want.\5\ Further, by providing 
advertisements that are likely to be of interest to the consumer, 
behavioral advertising also may reduce the number of unwanted, and 
potentially unwelcome, advertisements consumers receive online.
---------------------------------------------------------------------------
    \5\ See Larry Ponemon, ``FTC Presentation on Cookies and Consumer 
Permissions,'' presented at the FTC's Town Hall ``Ehavioral 
Advertising: Tracking, Targeting, and Technology'' (Nov. 1, 2007), at 
7, available at http://www.ftc.gov/bcp/workshops/ehavioral/
presentations/31ponemon.pdf (survey found that 55 percent of 
respondents believed that an online ad that targeted their individual 
preferences or interests improved, to some degree, their online 
experience). See also TRUSTe/TNS Presentation, TRUSTe and TNS Global, 
``Consumer Attitudes about Behavioral Advertising'' at 10 (March 28, 
2008) (72 percent of respondents found online advertising annoying when 
it was not relevant to their interests or needs). But see infra note 13 
and accompanying text.
---------------------------------------------------------------------------
    More broadly, the revenue model for the Internet is, to a large 
extent, advertising-based, and using behavioral techniques can increase 
the cost-effectiveness of online advertising. Thus, behavioral 
advertising may help subsidize and support a diverse range of free 
online content and services that otherwise might not be available or 
that consumers would otherwise have to pay for--content and services 
such as blogging, search engines, social networking, and instant access 
to newspapers and information from around the world.
    At the same time, however, behavioral advertising raises consumer 
privacy concerns. As described below, many consumers express discomfort 
about the privacy implications of being tracked, as well as the 
specific harms that could result. In particular, without adequate 
safeguards in place, consumer tracking data may fall into the wrong 
hands or be used for unanticipated purposes.\6\ These concerns are 
exacerbated when the tracking involves sensitive information about, for 
example, children, health, or a consumer's finances.
---------------------------------------------------------------------------
    \6\ As a result of these concerns, a number of consumer groups and 
others have asked the Commission to take action in this area. See, 
e.g., Center for Digital Democracy and U.S. Public Interest Research 
Group Complaint and Request for Inquiry and Injunctive Relief 
Concerning Unfair and Deceptive Online Marketing Practices (Nov. 1, 
2006), available at http://www.democraticmedia.org/files/pdf/
FTCadprivacy.pdf; Ari Schwartz and Alissa Cooper, Center for Democracy 
and Technology, ``CDT Letter to Commissioner Rosch,'' (Jan. 19, 2007), 
available at http://www.cdt.org/privacy/20070119rosch-behavioral-
letter.pdf; Mindy Bockstein, ``Letter to Chairman Majoras Re: 
DoubleClick, Inc. and Google, Inc. Merger,'' New York State Consumer 
Protection Board (May 1, 2007), available at http://epic.org/privacy/
ftc/google/cpb.pdf.
---------------------------------------------------------------------------
    Recent high-profile incidents where tracking data has been released 
have magnified consumers' concerns. In August 2006, for example, an 
employee of Internet service provider and web services company AOL made 
public the search records of approximately 658,000 customers.\7\ The 
search records were not identified by name, and, in fact, the company 
had taken steps to anonymize the data. By combining the highly 
particularized and often personal searches, however, several 
newspapers, including the New York Times,\8\ and consumer groups were 
able to identify some individual AOL users and their queries, 
challenging traditional notions about what data is or is not personally 
identifiable.
---------------------------------------------------------------------------
    \7\ See, e.g., Jeremy Kirk, ``AOL Search Data Reportedly 
Released,'' Computerworld (Aug. 6, 2007), available at http://
computerworld.com/action/article.do?command=viewArticleBasic&
taxonomyName=privacy&articleId=9002234&taxonomyId=84.
    \8\ See Michael Barbaro and Tom Zeller, ``A Face Is Exposed for AOL 
Searcher No. 4417749,'' www.nytimes.com, Aug. 9, 2006, available at 
http://www.nytimes.com/2006/08/09/technology/09aol.html.
---------------------------------------------------------------------------
    Another incident involved the social networking site Facebook. In 
November 2007, Facebook released a program called Beacon, which allowed 
users to share information about their online activities, such as the 
purchases they had made or the videos they had viewed. The Beacon 
service tracked the activities of logged-in users on websites that had 
partnered with Facebook. If a user did not opt out of this tracking, 
Facebook's partner sites would send to Facebook information about the 
user's purchases at the partner sites. Facebook then published this 
information on the user's profile page and sent it to the user's 
Facebook ``friends.''
    The Beacon program raised significant concerns among Facebook 
users.\9\ Approximately 30 groups formed on Facebook to protest Beacon, 
with one of the groups representing over 4,700 members,\10\ and over 
50,000 Facebook users signed a petition objecting to the new 
program.\11\ Within a few weeks, Facebook changed its program by adding 
more user controls over what information is shared with ``friends'' and 
by improving notifications to users before sharing their information 
with others on Facebook.\12\
---------------------------------------------------------------------------
    \9\ In one now-famous example, a man had bought a ring for his wife 
as a surprise; the surprise was ruined when his wife read about his 
purchase on the man's user profile page. See, e.g., 
Ellen Nakashima, ``Feeling Betrayed, Facebook Users Force Site to Honor 
Privacy,'' Washingtonpost.com, (Nov. 30, 2007), available at http://
www.washingtonpost.com/wp-dyn/content/article/2007/11/29/
AR2007112902503_pf.html.
    \10\ See Facebook home page, http://www.facebook.com, viewed on 
March 21, 2008.
    \11\ MoveOn.org Civic ActionTM created an online 
petition for consumers to express their objection to Facebook's Beacon 
program. The petition stated, ``Sites like Facebook must respect my 
privacy. They should not tell my friends what I buy on other sites--or 
let companies use my name to endorse their products--without my 
explicit permission.'' MoveOn.org Civic Action Petition, available at 
http://www.civic.moveon.org/facebookprivacy/, viewed June 9, 2008.
    \12\ See Reuters News, ``Facebook Makes Tweak After Privacy 
Protest,'' RedHerring.com, Nov. 30, 2007, available at http://
www.redherring.com/Home/23224.
---------------------------------------------------------------------------
    Surveys confirm that consumers are concerned about the privacy of 
their activities as they navigate online. For example, in two recent 
surveys, a majority of consumers expressed some degree of discomfort 
with having information about their online activities collected and 
used to serve advertising.\13\ Similarly, only 20 percent of consumers 
in a third survey stated that they would allow a marketer to share 
information about them in order to track their purchasing behaviors and 
to help predict future purchasing decisions.\14\ Another survey found 
that 45 percent of consumers believe that online tracking should be 
banned, and another 47 percent would allow such tracking, but only with 
some form of consumer control.\15\ These surveys underscore the 
importance of online privacy to consumers and highlight the fundamental 
importance of maintaining trust in the online marketplace.
---------------------------------------------------------------------------
    \13\ See Alan Westin, ``Online Users, Behavioral Marketing and 
Privacy: Results of a National Harris/Westin Survey'' (March 2008) 
(almost 60 percent of respondents were ``not comfortable'' to some 
degree with online behavioral marketing); TRUSTe/TNS Presentation, 
``Behavioral Advertising: Privacy, Consumer Attitudes and Best 
Practices,'' at 10 (April 23, 2008) (57 percent of respondents were not 
comfortable with advertisers using browsing history to serve ads, even 
if the information is not connected to personally identifiable 
information).
    \14\ See Ponemon Presentation, supra note 5, at 11.
    \15\ See George R. Milne, ``Information Exchange Expectations of 
Consumers, Marketing Managers and Direct Marketers,'' University of 
Massachusetts Amherst (presented on Nov. 1, 2007), available at http://
www.ftc.gov/bcp/workshops/ehavioral/presentations/3gmilne.pdf.
---------------------------------------------------------------------------
III. FTC Initiatives Concerning Consumer Privacy and Behavioral 
        Advertising
    Since privacy first emerged as a significant consumer protection 
issue in the mid-1990s, it has been one of the Commission's highest 
priorities. The Commission has worked to address privacy issues through 
consumer and business education, law enforcement, and policy 
initiatives. For example, the FTC has promulgated and enforced the Do 
Not Call Rule to respond to consumer complaints about unsolicited and 
unwanted telemarketing; \16\ has waged a multi-faceted war on identity 
theft; \17\ has encouraged better data security practices by businesses 
through educational initiatives \18\ and a robust enforcement program; 
\19\ has brought numerous enforcement actions to reduce the incidence 
of spun and spyware; \20\ and has held numerous workshops to examine 
emerging technologies and business practices, and the privacy and other 
issues they raise for consumers.\21\ In early 2006, recognizing the 
ever-increasing importance of privacy to consumers and to a healthy 
marketplace, the Commission established the Division of Privacy and 
Identity Protection, a division devoted exclusively to privacy-related 
issues.
---------------------------------------------------------------------------
    \16\ Telemarketing Sales Rule: Final Rule, 16 C.F.R. Part 310 
(2003), available at http://www.ftc.gov/os/2003/01/tsrfrn.pdf.
    \17\ See, e.g., FTC ID theft website, available at www.ftc.gov/
idtheft. In one recent effort, the FTC coordinated with the U.S. Postal 
Service to send a letter to every American household containing 
information about how to protect against identity theft. See Press 
Release, ``Postmaster General Sends Advice to Prevent ID Theft,'' U.S. 
Postal Service (Feb. 19, 2008), available at http://www.usps.com/
connnunications/newsroom/2008/pr08_014.htm.
    \18\ See, e.g., Federal Trade Commission, ``Protecting Personal 
Information: A Guide for Business,'' available at http://www.ftc.gov/
infosecurity/; see also http://onguardonline.gov/index.html.
    \19\ Since 2001, the Commission has obtained twenty consent orders 
against companies that allegedly failed to provide reasonable 
protections for sensitive consumer information. See In the Matter of 
The TJX Companies, FTC File No. 072-3055 (Mar. 27, 2008, settlement 
accepted for public comment); In the Matter of Reed Elsevier Inc. and 
Seisint Inc., FTC File No. 052-3094 (Mar. 27, 2008, settlement accepted 
for public comment); United States v. ValueClick, Inc., No. CV08-01711 
(C.D. Cal. Mar. 13, 2008); In the Matter of Goal Financial, LLC, FTC 
Docket No. C-4216 (April 15, 2008); In the Matter of Life is Good, 
Inc., FTC Docket No. C-4218 (Apr. 18, 2008); United States v. American 
United Mortgage, No. CV07C 7064, (N.D. Ill. Dec. 18, 2007); In the 
Matter of Guidance Software, Inc., FTC Docket No. C-4187 (Apr. 3, 
2007); In the Matter of CardSystems Solutions, Inc., FTC Docket No. C-
4168 (Sept. 5, 2006); In the Matter of Nations Title Agency, Inc., FTC 
Docket No. C-4161 (June 19, 2006); In the Matter of DSW, Inc., FTC 
Docket No. C-4157 (Mar. 7, 2006); United States v. ChoicePoint, Inc., 
No. 106-CV-0198 (N.D. Ga. Feb. 15, 2006); In the Matter of Superior 
Mortgage Corp., FTC Docket No. C-4153 (Dec. 14, 2005); In the Matter of 
BJ's Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005); In 
the Matter of Nationwide Mortgage Group, Inc., FTC Docket No. 9319 
(Apr. 12, 2005); In the Matter of Petco Animal Supplies, Inc., FTC 
Docket No. C-4133 (Mar. 4, 2005); In the Matter of Sunbelt Lending 
Services, FTC Docket No. C-4129 (Jan. 3, 2005); In the Matter of MTS 
Inc., d/b/a Tower Records/Books/Video, FTC Docket No. C-4110 (May 28, 
2004); In the Matter of Guess?, Inc., FTC Docket No. C-4091 (July 30, 
2003); In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 
20, 2002); In the Matter of Eli Lilly & Co., FTC Docket No. C-4047 (May 
8, 2002).
    \20\ Since 2004, the Commission has initiated eleven spyware-
related law enforcement actions. Detailed information regarding each of 
these law enforcement actions is available at http://www.ftc.gov/bcp/
edu/microsites/spyware/law_enfor.htm. Since 1997, when the FTC brought 
its first enforcement action targeting unsolicited commercial e-mail, 
or ``spam,'' the FTC has brought 94 law enforcement actions. See 
generally Report on ``Spam Summit: The Next Generation of Threats and 
Solutions'' (Nov. 2007), available at http://www.ftc.gov/os/2007/12/
071220spamsummitreport.pdf.
    \21\ See discussion infra pp. 9-12.
---------------------------------------------------------------------------
    In developing and implementing its privacy program, the FTC has 
been mindful of the need for flexibility and balance--that is, the need 
to address consumer concerns and harms without stifling innovation or 
imposing needless costs on consumers and businesses.
A. 1999 Workshop on Online Profiling
    The Commission first examined the issue of behavioral advertising 
in 1999, when it held a joint public workshop with the Department of 
Commerce on the practice--then called ``online profiling.'' The 
workshop examined the practice of tracking consumers' activities 
online, as well as the role of self-regulation in this area.
    In response to the concerns highlighted at the workshop, industry 
members formed the Network Advertising Initiative (``NAI''), a self-
regulatory organization addressing behavioral advertising by network 
advertisers. Shortly thereafter, the NAI issued the NAI Self-Regulatory 
Principles (``NAI Principles'') governing collection of information for 
online advertising by network advertisers.\22\ In the early 2000s, 
however, with the ``burst'' of the dot com bubble, many network 
advertisers--including most of the NAI membership--went out of 
business.
---------------------------------------------------------------------------
    \22\ Briefly, the NAI Principles set forth guidelines for online 
network advertisers and provide a means by which consumers can opt out 
of behavioral advertising at a centralized website. For more 
information on the FTC workshop and NAI, see Online Profiling: A Report 
to Congress (June 2000) at 22 and Online Profiling: A Report Congress 
Part 2 Recommendations (July 2000), available at http://www.ftc.gov/os/
2000/06/onlineprofilingreportjune2000.pdf and http://
www.networkadvertising.org. As discussed further below, NAI recently 
proposed for public comment revised NAI Principles.
---------------------------------------------------------------------------
    Emblematic of the highly dynamic nature of the online environment, 
by the time the FTC held its public hearings on Protecting Consumers in 
the Next Tech-ade (``Tech-ade'') only a few years later,\23\ the issue 
of online tracking and advertising had reemerged. In the intervening 
years, behavioral advertising had become a highly successful business 
practice, and a number of Tech-ade participants raised concerns about 
its effects on consumer privacy.
---------------------------------------------------------------------------
    \23\ The purpose of the Tech-ade hearings, held in November 2006, 
was to examine the technological and consumer protection developments 
anticipated over the next decade. See generally http://www.ftc.gov/bcp/
workshops/techade/index.html.
---------------------------------------------------------------------------
B. The FTC Town Hall on Online Behavioral Advertising
    Beginning in Fall 2006, the Commission staff held a series of 
meetings with numerous industry representatives, technology experts, 
consumer and privacy advocates, and academics to learn more about the 
practice of behavioral advertising. The purpose of these meetings was 
to explore further the issues raised at Tech-ade, learn about 
developments since the FTC's 1999 Workshop, and examine concerns about 
behavioral advertising that had been raised by privacy advocates and 
others.\24\ Seeking a broader forum in which to examine and discuss 
these issues, and particularly the privacy issues raised by the 
practice, the FTC held a two-day Town Hall meeting on behavioral 
advertising in November 2007.
---------------------------------------------------------------------------
    \24\ See CDD et al., Complaint and Request for Inquiry and 
Injunctive Relief, supra note 6. Many of these concerns were amplified 
by the announcement of the proposed merger between Google and 
DoubleClick in April 2007. The Commission approved the merger on 
December 20, 2007, at the same time that it issued FTC staff's proposed 
self-regulatory guidelines. See ``Staff Proposes Online Behavioral 
Advertising Policy Principles,'' Federal Trade Commission (Dec. 20, 
2008), available at http://www.ftc.gov/opa/2007/12/principles.shtm. The 
Principles are discussed infra at 13.
---------------------------------------------------------------------------
    From the Town Hall, as well as the meetings preceding it, several 
key points emerged. First, as discussed above, online behavioral 
advertising may provide many valuable benefits to consumers in the form 
of free content, personalization that many consumers value, and a 
potential reduction in unwanted advertising. Second, the invisibility 
of the practice to consumers raises privacy concerns, as does the risk 
that data collected for behavioral advertising--including sensitive 
data about children, health, or finances--could be misused. Third, 
business and consumer groups alike expressed support for transparency 
and consumer control in the online marketplace.
    Many participants at the Town Hall also criticized the self-
regulatory efforts that had been implemented to date. In particular, 
these participants stated that the NAI Principles had not been 
sufficiently effective in addressing the privacy concerns raised by 
behavioral advertising because of the NAP s limited membership, the 
limited scope of the NAI Principles (which apply to network advertisers 
but not to other companies engaged in behavioral advertising), and the 
NAI Principles' lack of enforcement and cumbersome opt-out system.\25\ 
Further, while other industry associations had promulgated online self-
regulatory schemes to address privacy issues, these schemes had not 
generally focused on behavioral advertising.\26\
---------------------------------------------------------------------------
    \25\ According to critics, the NAI Principles' opt-out mechanism is 
difficult to locate and use because it is located on the NAI website, 
where consumers would be unlikely to find it. As noted above, in April 
of this year, the NAI issued a proposed revised set of self-regulatory 
principles designed to address criticisms of the original NAI 
Principles and to respond to the FTC staff's call for stronger self-
regulation. The NAI has sought comment on its proposed revised 
principles, and comments were due June 12, 2008. See ``Self-Regulatory 
Principles for Online Preference Marketing By Network Advertisers,'' 
Network Advertising Initiative (issued April 10, 2008), available at 
http://www.networkadvertising.org/pdfs/NAI_principles.pdf.
    \26\ Since the Town Hall, some of these industry groups, as well as 
several online companies and privacy groups, have sought to address the 
concerns raised about behavioral advertising. See, e.g., Interactive 
Advertising Bureau, ``Privacy Principles,'' (adopted Feb. 24, 2008), 
available at http://www.iab net/iab_products_and_industry_services/
1421/1443/1464; Comment ``Online Behavioral Advertising: Moving the 
Discussion Forward to Possible Self-Regulatory Principles,'' Microsoft 
Corp. (April 11, 2008), available at http://www.ftc.gov/os/comments/
behavioraladprinciples/080411microsoft.pdf; Comment ``FTC Staff 
Proposed Online Behavioral Advertising Principles: Comments of AOL, 
LLC,'' AOL, LLC (April 11, 2008), available at http://www.ftc.gov/os/
comments/behavioraladprinciples/080411aol.pdf; Ari Schwartz, Center for 
Democracy and Technology, et al., ``Consumer Rights and Protections in 
the Behavioral Advertising Sector,'' (Oct. 31, 2007) (proposing a ``Do 
Not Track List'' designed to increase consumers' control over tracking 
of their activities online), available at http://www.cdt.org/privacy/
20071031consumerprotectionsbehavioral.pdf.
---------------------------------------------------------------------------
C. The FTC's Proposed Self-Regulatory Principles
    In December 2007, in response to the issues discussed at the Town 
Hall and in public comments received in connection with that event, 
Commission staff issued and requested comment on a set of proposed 
principles titled, ``Behavioral Advertising: Moving the Discussion 
Forward to Possible Self-Regulatory Principles'' (the ``Principles''). 
The proposed Principles address the central concerns about online 
behavioral advertising expressed by interested parties; they also build 
upon existing ``best practices'' in the area of privacy, as well as (in 
some cases) previous FTC guidance and/or law enforcement actions. At 
the same time, the Principles reflect FTC staff's recognition of the 
potential benefits provided by online behavioral advertising and the 
need to maintain vigorous competition in this area.
    The purpose of the proposed Principles is to encourage more 
meaningful and enforceable self-regulation. At this time, the 
Commission believes that self-regulation may be the preferable approach 
for this dynamic marketplace because it affords the flexibility that is 
needed as business models continue to evolve.
    In brief, the staff proposal identifies four governing principles 
for behavioral advertising.\27\ The first is transparency and consumer 
control: companies that collect information for behavioral advertising 
should provide meaningful disclosures to consumers about the practices, 
as well as choice about whether their information is collected for this 
purpose.\28\ The second principle is reasonable security: companies 
should provide reasonable security for behavioral data so that it does 
not fall into the wrong hands, and should retain data only as long as 
necessary to fulfill a legitimate business or law enforcement need.\29\ 
The third principle governs material changes to privacy policies: 
before a company uses behavioral data in a manner that is materially 
different from promises made when the data was collected, it should 
obtain affirmative express consent from the consumer.\30\ This 
principle ensures that consumers can rely on promises made about how 
their information will be used, and can prevent contrary uses if they 
so choose. The fourth principle states that companies should obtain 
affirmative express consent before they use sensitive data--for 
example, data about children, health, or finances--for behavioral 
advertising.\31\
---------------------------------------------------------------------------
    \27\ Recent news reports have highlighted concerns about behavioral 
advertising involving Internet Service Providers (``ISPs''). The ISP-
based model for delivering behaviorally-targeted advertising may raise 
heightened privacy concerns because it could involve the tracking of 
subscribers wherever they go online and the accumulation of vast stores 
of data about their online activities. Further, information about the 
subscriber's activities potentially could be combined with the 
personally identifiable information that ISPs possess about their 
subscribers. In issuing the proposed Principles for public comment, FTC 
staff intended the Principles to apply to ISPs.
    \28\ For more information and guidance on the use of disclosures in 
online advertising, see Dot Com Disclosures, Information About Online 
Advertising, http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/
index.shtml (May 2000).
    \29\ The FTC has highlighted the need for reasonable security in 
numerous educational materials and enforcement actions to date. See 
supra notes 18-19.
    \30\ See, e.g., Gateway Learning Corp., Docket No. C-4120 (Sept. 
10, 2004), http://www.ftc.gov/opa/2004/07/gateway.shtm (company made 
material changes to its privacy policy and allegedly applied such 
changes to data collected under the old policy; opt-in consent required 
for future such changes).
    \31\ Commission staff also sought comment on the potential uses of 
tracking data beyond behavioral advertising.
---------------------------------------------------------------------------
IV. Next Steps
    In response to the request for public comment, Commission staff 
received over 60 comments on the Principles, representing many 
thoughtful and constructive views from diverse business sectors, 
industry self-regulatory bodies, privacy advocates, technologists, 
academics, and consumers. The comment period for the Principles has 
closed, and Commission staff is carefully evaluating the comments 
received.
    Included in the comments were a number of specific proposals for 
how self-regulation could be implemented, as well as reports regarding 
steps taken to address privacy concerns since the Town Hall. The FTC is 
encouraged by the efforts that have already been made by the NAI \32\ 
and some other organizations and companies \33\ and believes that the 
self-regulatory process that has been initiated is a promising one. 
Although there is more work to be done in this area, the Commission is 
cautiously optimistic that the privacy issues raised by online 
behavioral advertising can be effectively addressed through meaningful, 
enforceable self-regulation. The dynamic and diverse online environment 
demands workable and adaptable approaches to privacy that will be 
responsive to the evolving marketplace. Nevertheless, the Commission 
will continue to closely monitor the marketplace so that it can take 
appropriate action to protect consumers as the circumstances warrant.
---------------------------------------------------------------------------
    \32\ Current NAI members include DoubleClick, Yahoo! Inc., TACODA, 
Inc., Acerno, AlmondNet, BlueLithium, Mindset Media, Revenue Science, 
Inc., 24/7 Real Media Inc., and Undertone Networks.
    \33\ See supra note 26. Although many organizations and consumer 
groups have undertaken efforts to address FTC staff's proposed 
Principles, a few organizations have expressed concern that 
implementing the Principles would be too costly and would undermine 
continued development of the online marketplace. FTC staff is 
evaluating all of these comments as it considers next steps in this 
area.
---------------------------------------------------------------------------
V. Conclusion
    The Commission appreciates this opportunity to discuss its work on 
behavioral advertising. The Commission is committed to addressing new 
and emerging privacy issues such as online behavioral advertising and 
looks forward to working further with the Committee on this important 
consumer issue.

    Senator Dorgan. Ms. Parnes, thank you very much.
    Next we will hear from Ms. Jane Horvath, the Senior Privacy 
Counsel at Google, Incorporated. Ms. Horvath?

STATEMENT OF JANE HORVATH, SENIOR PRIVACY COUNSEL, GOOGLE, INC.

    Ms. Horvath. Senator Dorgan and Senator Vitter, the most 
important point I would like to make this morning is simple. 
Google makes privacy a priority because our business depends on 
it. If our users are uncomfortable with how we manage their 
personal information, they are only one click away from 
switching to a competitor's services.
    Putting our users first means that we are deeply committed 
to their privacy, and succeeding in online advertising and 
protecting our users' privacy are not mutually exclusive goals.
    This morning I will first discuss how online advertising 
benefits advertisers, website publishers, and Internet users. 
Second, I will discuss Google's approach to privacy. And 
finally, I will make recommendations for how government and 
industry can better protect Internet users' privacy.
    So let me first touch on the benefits of online 
advertising. Google's two primary advertising programs, AdWords 
and AdSense, provide users with highly relevant ads, match 
advertisers with users who are interested in their products, 
and provide revenue for website publishers who place our ads on 
their sites. For example, in Minneapolis, taxi driver Kenny 
Kormendy, built a website for out-of-state travelers called 
Gopher State Taxi and used Google's AdWords program to compete 
online with bigger taxi companies. Today Gopher State Taxi has 
grown to a network of over 36 cabs, and Mr. Kormendy credits 
Google with connecting 9 out of 10 of its customers.
    When someone clicks on one of our ads on a website, Google 
also shares revenue from that ad with the website owner. Last 
year we paid a total of $4.5 billion in ad revenue to website 
publishers across the United States.
    Next, let me talk about Google's approach to privacy. As I 
said earlier, Google makes privacy a priority because our 
business depends on it. We make sure that three design 
fundamentals are the bedrock of our privacy practices.
    First, transparency. We have been an industry leader in 
finding new ways to educate users about privacy such as through 
our Google Privacy Channel on YouTube where we feature videos 
that explain our privacy policies in plain language.
    Second, choice. We strive to design our products in a way 
that gives users meaningful choices about what information they 
provide to us. For example, our Google Talk instant messaging 
service includes an ``off the record'' feature that prevents 
either party from storing the chat.
    And third, security. We take seriously the protection of 
data that our users entrust with us. Google employs some of the 
world's best engineers in software and network security and has 
teams dedicated to developing information safeguards. Google's 
advertising products are primarily driven by context rather 
than behavior. Unlike other companies we have built our 
business on showing ads that are relevant to what a user is 
looking for, not by building detailed profiles based on a 
user's online behavior.
    As we continue to incorporate DoubleClick's display ad 
serving capabilities into our business, Google will continue to 
be a leader in offering products that respect privacy.
    Finally, let me turn to our efforts to innovate in the area 
of privacy protection. Feedback from our users and outside 
parties, as well as our own internal discussions, has led us to 
several privacy innovations, including our decision last year 
to anonymize our server logs after 18 months. In that spirit of 
innovation today, we offer the following recommendations for 
both government and the private sector.
    First, Google supports the passage of a comprehensive 
Federal privacy law that will establish a uniform framework for 
privacy and put penalties in place to punish and dissuade bad 
actors.
    Second, we support the Federal Trade Commission's efforts 
to develop principles relating to online privacy and behavioral 
advertising, and we hope that revised principles will be 
adopted widely by the online ad industry.
    And third, we believe that greater labeling of online 
display ads should be adopted as an industry standard.
    As I conclude my testimony this morning and welcome the 
Committee's questions, I would like to show a brief excerpt 
from one of the videos on our Google Privacy YouTube Channel. 
This video shows a user how to easily remove cookies from their 
web browsers. Thank you.
    [Video shown.]
    [The prepared statement of Ms. Horvath follows:]

  Prepared Statement of Jane Horvath, Senior Privacy Counsel, Google, 
 Inc. Chairman Inouye, Vice Chairman Stevens, Members of the Committee.

    I'm pleased to appear before you this morning to discuss online 
advertising and the ways that Google protects our users' privacy. My 
name is Jane Horvath, and I am Google's Senior Privacy Counsel. In that 
role I am responsible for working with our product teams and other 
privacy professionals at Google to ensure compliance with privacy laws 
and develop best practices for protecting our users' privacy.
    Google's mission is to organize the world's information and make it 
universally accessible and useful. The best known way that we do this 
today is through our search engine, which is available for free to 
Internet users throughout the world. The availability of Google search 
and our other products--and the improvements that we make to our 
products on a daily basis--is funded by online advertising, by far our 
primary source of revenue.
    Online advertising is relatively young and a very small piece of 
the advertising market as a whole. It is a dynamic business 
characterized by strong competition, significant innovation, and 
continuing growth. Online advertising has succeeded because it helps 
businesses find customers more efficiently and effectively than through 
other media. It has also helped to create entirely new and innovative 
small businesses that generate revenue through advertising, often in 
partnership with Google.
    At Google we believe that our online advertising business has 
succeeded because our most important advertising goal is to deliver ads 
that benefit our users. From its inception, Google has focused on 
providing the best user experience possible. We do this, for example, 
by ensuring that advertising on our site delivers relevant content that 
is not a distraction. In fact, our goal is to make our ads just as 
useful to Google's users as search results themselves.
    We've also made a commitment to never compromise the integrity of 
our search results, for example by manipulating rankings to place our 
partners higher in our search results. And advertising on Google is 
always clearly identified as a ``Sponsored Link'' to ensure that our 
users know the difference between our search results and any 
advertising that we provide.
    Putting our users first also means that we are deeply committed to 
their privacy, and our products and policies demonstrate that 
commitment. We believe that success in online advertising and 
protecting our users' privacy are not mutually exclusive goals. We work 
hard to provide advertising in a way that is transparent to users, 
provides them with appropriate choices, and protects any personal 
information that we collect from inappropriate access by third parties.
    In my testimony this morning, I would like to cover three key 
points:

        First, I'll explain Google's main advertising products and the 
        significant benefits that we at Google believe online 
        advertising brings to advertisers, online publishers, and 
        individual Internet users.

        Second, I'll discuss Google's approach to privacy, specific 
        steps that we take to protect our users' privacy, and privacy 
        issues involving our advertising business.

        And finally, I'll explore ideas and make recommendations for 
        how to better protect Internet users' privacy both with respect 
        to advertising as well as more generally as more and more 
        information moves to the Internet cloud.

The Benefits of Online Advertising
    Google offers three main advertising products: AdWords, AdSense for 
Search, and AdSense for Content. Our AdWords product allows us to 
provide ads on Google.com in response to search queries entered by our 
users, as well as to provide ads on our AdSense for Content and AdSense 
for Search services. AdSense for Search allows us to provide ads in 
response to search queries entered by users of our partners' search 
engines, including AOL and Ask.com. AdSense for Content allows us to 
provide ads to visitors of our third-party publisher partners' 
websites. AdSense for Content ads are provided based on the content of 
the page that is being viewed by a user. The vast majority of the 
revenue that Google generates comes from these three products.
    All three advertising products are primarily easy-to-create text 
ads, which is one of the many reasons that hundreds of thousands of 
small businesses advertise with us. We also provide the capability to 
show display ads--ads that incorporate graphics in addition to text--
through AdSense for Content, and we plan to enhance our display ad 
serving capabilities with our recent acquisition of DoubleClick, a 
display ad serving technology company.
    Advertisers, online publishers, and consumers all benefit from our 
advertising network. I'll start with consumers--our users--on whom our 
business depends.
    In our experience, users value the advertisements that we deliver 
along with search results and other web content because the ads help 
connect them to the information, products, and services they seek. The 
ads we deliver to our users complement the natural search results that 
we provide because our users are often searching for products and 
services that our advertisers offer. Making this connection is 
critical, and we strive to deliver the ads that are the most relevant 
to our users, not just the ones that generate the most revenue for us. 
We do this through our innovative ad auction system, which gives weight 
to the relevancy--the usefulness--of the ad to our users based on their 
search queries or the content that they are viewing. And in our pay-
per-click pricing model we only generate revenue when a user is 
interested enough to click on an ad.
    The revenue that we generate from online advertising makes it 
possible for Google to offer dozens of free products to our users--
everything from search and e-mail to our word processing application, 
Google Docs. Each of these products underscores our commitment to 
improving our users' online experience. For example, Google Docs allows 
multiple users to edit a single document, presentation, or spreadsheet 
at the same time. And, despite the popularity of tools like Google 
Earth and YouTube, each of our products is free to individuals for 
personal use. Our online advertising business model subsidizes the 
creation, development, and ongoing improvements to and support for 
these and future products.
    And our ads aren't always commercial. We run a program called 
Google Grants that provides free advertising to not-for-profit 
organizations engaged in areas such as science and technology, 
education, global public health, the environment, youth advocacy, and 
the arts. For example, we have provided Google Grants to non-profits 
such as Room to Read (www.roomtoread.org), which educates children in 
Vietnam, Nepal, India, and Cambodia, and CoachArt (www.coachart.org), 
which provides therapeutic art and athletic lessons to underprivileged 
children with life-threatening illnesses. Since April 2003, our 
grantees have collectively received almost $300 million in free 
advertising.
    Our advertising network also enables small businesses to connect 
with consumers that they otherwise would not reach, and to do so 
affordably, efficiently, and effectively. The advertiser decides the 
maximum amount of money it wishes to spend on advertising and, as noted 
above, in the cost-per-click payment model the advertiser only pays 
Google when a user actually clicks on an ad.
    Here are just two of many stories of small businesses succeeding 
thanks to Google advertising. Suzanne Golter owns the Happy Hound dog 
daycare (www.happyhound.com) in Oakland, California. She estimates that 
90 percent of her business is generated through Google AdWords, which 
helps her bring in approximately 40 new clients per month. In 
Minneapolis, Minnesota, Kenny Kormendy, a then-struggling taxi driver 
built a site for out-of-state travelers called Gopher State Taxi 
(www.gopherstatetaxi.com) and utilized AdWords to compete online with 
bigger taxi companies. In under 3 years, Gopher State Taxi has grown to 
a network of over 36 cabs, and Mr. Kormendy credits AdWords with 
connecting nine out of ten customers that his company services.
    Online advertising also promotes freer, more robust, and more 
diverse speech. It's no coincidence that blogs have proliferated over 
the past few years. Our AdSense product enables bloggers and other 
publishers to generate revenue from ads that we place on their 
websites. Without online advertising, the individuals who run these 
sites would not be able to dedicate as much time and attention to their 
publications as they do today. In fact, we know that many website 
owners can afford to dedicate themselves to their sites full time 
because of online advertising.
    AdSense revenues support hundreds of thousands of diverse websites, 
and a significant percentage of the revenue we earn from advertising 
ends up in the hands of the bloggers and website operators who partner 
with us by featuring ads provided by Google. Last year we paid $4.5 
billion in advertising revenue from our AdSense program to our 
publishing partners. In Nevada, Arizona, Florida, and Washington alone 
over 100,000 of our publishing partners collectively generated nearly 
$100 million from AdSense in 2007.
    The vast majority of these AdSense partners are small businesses. 
For example, in Oregon, Hope Pryor, a grandmother of four, uses AdSense 
on her site--Cooksrecipes.com--to generate her primary source of 
income. And in Massachusetts, honey bee aficionado and retiree Albert 
Needham uses AdSense revenue generated from his Bees-online.com website 
to fund personal vacations. Similar small business success stories are 
found all across the United States.
    It's no mistake that I've focused mainly on individual users, small 
publishers, and small advertisers. Google's business model has 
concentrated on what's known as the ``long tail'' of the Internet--the 
millions of individuals and small businesses that cater to and need to 
connect with niche interests and markets. Google's advertising programs 
lower the barrier to entry for small publishers and advertisers alike, 
and connect them with users who are interested in what they have to say 
or sell. As our advertising business continues to grow and evolve, we 
will continue working hard to encourage the development of the long 
tail.

Google and Privacy
    We believe user trust is essential to building the best possible 
products. With every Google product, we work hard to earn and keep that 
trust with a long-standing commitment to protect the privacy of our 
users' personal information. We make privacy a priority because our 
business depends on it. In fact, if our users are uncomfortable with 
how we manage their personal information, they are only one click away 
from switching to a competitor's services.
    Because user trust is so critical to us, we've ensured that privacy 
considerations are deeply embedded in our culture. Though I am Google's 
Senior Privacy Counsel, I am just one of many individuals at Google who 
work on privacy. For example, we have product counsels who work with 
engineers and product managers from the beginning of product 
development to ensure that our products protect our users' privacy. We 
also have product managers dedicated to privacy and other trust and 
safety issues. And we have a Privacy Council, which is comprised of a 
cross-functional group of Google employees that convenes on a regular 
basis to help Google address privacy issues.
    Google's focus on user trust and privacy means that our product 
teams are thinking about user privacy by building privacy protections 
into our products from the ground up. For example, we have designed 
most of our products to allow people to use them anonymously, and to 
ensure that none of our products use any personally identifiable data 
unless that use is fully disclosed in our privacy policy.
    We have also made sure that three design fundamentals--all of them 
rooted in fair information principles--are at the bedrock of our 
privacy products and practices:

   Transparency: We believe in being upfront with our users 
        about what information we collect and how we use it so that 
        they can make informed choices about their personal 
        information. We have been an industry leader in finding new 
        ways to educate users about privacy, such as through our Google 
        Privacy Channel on YouTube (found at www.youtube.com/
        googleprivacy) where we feature privacy videos that explain our 
        privacy policies, practices, and product features in simple, 
        plain language.

   Choice: We strive to design our products in a way that gives 
        users meaningful choices about how they use our services and 
        what information they provide to us. Many of our products, 
        including our Search service, do not require users to provide 
        any personally identifying information at all. When we do ask 
        for personal information, we also endeavor to provide features 
        that give users control over that information. For example, our 
        Google Talk instant messaging service includes an ``off the 
        record'' feature that prevents either party from storing the 
        chat.

   Security: We take seriously the protection of data that our 
        users entrust with us. Google employs some of the world's best 
        engineers in software and network security and has teams 
        dedicated to developing and implementing policies, practices 
        and technologies to protect this information. More information 
        about our approach to security can be found in a recent post at 
        the Official Google Blog located at googleblog.blogspot.com/
        2008/03/how-google-keeps-your-information.html.

    One of our newest products is Google Health, which enables 
individuals to consolidate and store their medical records and personal 
health information online. Google Health demonstrates our commitment to 
all three design fundamentals. For example, we have provided 
significant transparency about Google Health's privacy features through 
blog posts and the product's easy-to-understand privacy policy and 
frequently asked questions. In addition, Google Health provides users 
choice by empowering them with the decision of what information to 
import, share, and delete, and easy tools for accomplishing each.
    The online advertising products that we offer today are also 
privacy-friendly because they are primarily contextual in nature. That 
is, we generally provide ads in response to what a user is searching 
for or viewing at the time, rather than based on who we believe the 
user may be or an extended history of the user's activities either 
online or off.
    To respond to our users' desire for more relevant advertising, and 
to advertisers' desire to provide more relevant advertising to Internet 
users, we are experimenting with some forms of online advertising that 
do involve more than the current search query to provide an ad. For 
example, we are currently experimenting in Google.com search with 
providing ads based on both the current query and a previous search. A 
user who types ``Italy vacation'' into the Google search box, for 
instance, might see ads about Tuscany or affordable flights to Rome. If 
the user were to subsequently search for ``weather,'' we might assume 
that there is a link between ``Italy vacation'' and ``weather'' and 
deliver ads regarding local weather conditions in Italy. However, 
Google does not build a profile of the user to serve these ads that is 
stored and used later to serve other ads to the user.
    As we continue to incorporate DoubleClick into our business, our 
focus on display advertising--ads that feature images in addition to 
text--will increase across our advertising product offerings, as will 
our ability to provide metrics and an improved user experience to our 
AdSense network. We believe that expanding into display advertising 
products is one way that we can compete effectively in the highly 
competitive online advertising environment. This transition will not 
undermine Google's focus on privacy or our commitment to the 
fundamental principles of transparency, choice, and security. As we 
move to offer more display advertising and other advertising products, 
Google intends to continue to be a leader in offering products that 
protect and respect the privacy of our users.

Google's Efforts to Continue Innovating in Privacy
    In our quickly evolving business environment, ensuring that we earn 
and keep our users' trust is an essential constant for building the 
best possible products. With every Google product, we work hard to earn 
and keep that trust with a long-standing commitment to protect the 
privacy of our users' personal information. As stated above, the 
bedrock of our privacy practices are three design fundamentals: 
transparency, choice, and security.
    Another constant that we have found in our business is that 
innovation is a critical part of our approach to privacy. To best 
innovate in privacy, we welcome the feedback of privacy advocates, 
government experts, our users, and other stakeholders. This feedback, 
and our own internal discussions about how to protect privacy, has led 
us to several privacy innovations including our decision last year to 
anonymize our server logs after 18 months.
    In the interest of continuing to protect individuals' privacy, we 
offer the following policy and technology recommendations--some of 
which can be accomplished by the private sector and some of which 
involve a government role--in the spirit of continuing the effort to 
innovate on consumer privacy. Our ideas and recommendations endorse a 
baseline and robust level of privacy protections for all individuals. 
On top of that baseline platform we believe that the private sector and 
government should cooperate to educate and inform consumers about 
privacy issues and to establish best practices that will help guide the 
development of the quickly evolving and innovative online advertising 
space. Finally, we believe that Google and others in the online 
advertising industry should work to provide tools to better protect 
individuals' privacy, and that government should encourage companies to 
experiment with new and innovative ways of protecting consumers' 
privacy.

Comprehensive Federal Privacy Law
    Google supports the passage of a comprehensive Federal privacy law 
that would accomplish several goals such as building consumer trust and 
protections; establishing a uniform framework for privacy, which would 
create consistent levels of privacy from one jurisdiction to another; 
and putting penalties in place to punish and dissuade bad actors. We 
believe that as information flows increase and more and more 
information is processed and stored in the Internet cloud--on remote 
servers rather than on users' home computers--there is a greater need 
for uniform data safeguarding standards, data breach notification 
procedures, and stronger procedural protections relating to government 
and third party litigant access to individuals' information.

Behavioral Advertising Principles
    We have participated actively in the Federal Trade Commission's 
efforts to develop privacy principles relating to online privacy and 
behavioral advertising. Our hope is that revised principles will be 
adopted widely by the online advertising industry and serve as a model 
for industry self-regulation in jurisdictions beyond the United States. 
In order for the principles to achieve such broad adoption, however, 
they need to be revised to ensure that they can be operationalized by 
industry and that they will give consumers appropriate transparency, 
choice, and security. In order for that to happen, the principles 
would, among other things, need to make a distinction between 
personally identifiable information (PII) and non-PII.

Consumer Education
    Transparency is one of Google's bedrock design principles because 
we believe that informed and knowledgeable users are best able to 
protect their privacy. We believe that both the private sector and the 
government, including agencies like the FTC, can and should provide 
more information about what kinds of personal information are collected 
by companies, how such data is used, and what steps consumers can take 
to better protect their privacy.
    At Google, for example, we take great pride in our effort to 
provide our users with a better understanding of how we collect, use, 
and protect their data through a series of short videos available at 
Google.com and on YouTube, as well as through blog posts. Too often, 
website operators view their online privacy policy--which is typically 
impenetrable to the average user--as the beginning and end of their 
privacy obligations. Web companies that interact with individuals need 
to do more than simply provide and link to privacy policies; we need to 
offer consumer-friendly materials in different media to better help 
their users understand how their information is collected and used, and 
what choices they have to protect their privacy.

Transparency and Choice in Display Advertising
    Google text ads are generally labeled ``Ads by Google'' or 
``Sponsored Links'' and are accompanied by an explanation of what they 
are so that users understand that they are advertisements and that they 
have been provided by Google. We believe that this kind of notice and 
explanation should be adopted by industry and applied not only to text 
ads but also to display ads. We also believe that industry should 
continue working together to provide, for example, effective mechanisms 
that empower consumers with the ability to opt out of behaviorally 
targeted advertising.

Development of Technology to Empower Users
    Products like Google Toolbar let a user choose to not have data 
collected, and that choice persists even if all cookies are cleared and 
until the user chooses to have data collected. Google also offers 
features like Web History, which allows users to view and search all 
search queries they have made on Google search while logged into 
Google. Web History also lets users delete and thus disassociate from 
their account information any searches that they conduct while they are 
logged in. Users can also pause Web History altogether if they do not 
want their searches to be associated with their account information--
and this choice persists until users choose to resume Web History. We 
believe that more can be done by industry to ensure the persistence of 
users' choices, and we look forward to exploring such tools with 
industry and other stakeholders.

Conclusion
    Chairman Inouye, Vice Chairman Stevens, and Members of the 
Committee, thank you for the opportunity to testify today. I appreciate 
the opportunity to explain the benefits of our advertising business to 
consumers, advertisers, and publishers, and the chance to explain how 
Google protects our users' privacy.
    I look forward to answering any questions you might have about our 
efforts, and Google looks forward to working with Members of the 
Committee and others in the development of better privacy protections 
for Internet users everywhere.
    Thank you.

    Senator Dorgan. Ms. Horvath, does that complete your 
testimony?
    Ms. Horvath. Yes. Thank you very much.
    Senator Dorgan. Ms. Horvath, thank you very much.
    Next we will hear from Mr. Robert Dykes, who is the 
Chairman and CEO of NebuAd, Incorporated. Mr. Dykes, welcome. 
You may proceed.

   STATEMENT OF ROBERT R. DYKES, FOUNDER, CHAIRMAN, AND CEO, 
                          NebuAd, INC.

    Mr. Dykes. Thank you, Chairman Dorgan and Senator Vitter. 
My name is Bob Dykes, CEO of NebuAd, Inc., a recent entrant 
into the online advertising industry that partners with 
Internet service providers, otherwise known as ISP's. I come 
from a security background, serving for many years as Executive 
Vice President of Symantec Corporation.
    When we launched NebuAd several years ago, it was at a time 
when many people had particularly heightened concerns about 
data security. As part of its mission, NebuAd sought to address 
these privacy and security concerns. As you will see, NebuAd 
systems are designed so that no one, not even the government, 
can determine the identity of our users.
    Currently online advertising solutions and data collection 
methods operate in many locations throughout the Internet 
ecosystem, from users' computers to individual websites, to 
networks of websites. The NebuAd service, in partnership with 
ISP's, provides consumers with significant benefits serving 
them with more relevant ads which they want, while ensuring 
that they have robust privacy protections and control over 
their online experience.
    NebuAd's ad network also is designed to benefit two groups 
that provide substantial benefit to the Internet: many smaller 
websites and general use sites that have difficulty maintaining 
free access to their content; the ISP's who need to upgrade 
their infrastructure to provide increased bandwidth for 
consumers who increasingly want access to Internet delivered 
videos. NebuAd creates these benefits by using a select set of 
a user's Internet activities to construct anonymous inferences 
about likely interests which are then used to select and serve 
the most relevant advertisements.
    The NebuAd service is architected and its operations are 
based on principles essential to strong privacy protection. We 
provide users with prior robust notice about the service and 
opportunity to express informed choice about whether to 
participate both before the service takes effect and 
persistently thereafter. We do not collect or use personally 
identifiable information, or PII. We do not store raw data 
linked to identifiable individuals, and we provide state-of-
the-art security for the limited amount of information we do 
store. In other words, allegations by others that we do not 
provide an opportunity to opt out in our robust notice to users 
or that we collect entire web traffic of users are simply not 
accurate.
    To repeat, NebuAd provides robust notice and the 
opportunity to express informed choice, and there is no 
collection or use of any personally identifiable information or 
even a significant portion of users' web traffic, nor any 
information from password-protected sites, web mail, e-mail, 
instant messages, or VoIP traffic.
    We understand that to gain the public's trust, we need to 
adopt strong privacy protections. Ours have been reviewed by 
such entities as the Ponemon Institute, and we are engaging a 
Big Four audit firm to conduct an audit to verify that we do 
what we say we do.
    This Committee has long been involved with the creation of 
privacy statutes covering the cable and telecommunications 
industries, as well as specific statutes addressing online 
privacy for children, telemarketing, and spam. Yet even though 
these and other privacy statutes have been developed one at a 
time, there are common threads running through them all. When 
more sensitive data is collected and when the collection and 
disclosure of the data could harm or embarrass a consumer, more 
rigorous disclosure and consent requirements tend to be 
imposed. When raw data linked to an identifiable individual is 
stored for longer periods, there is an emerging trend that more 
rigorous disclosure, consent, and security requirements should 
be imposed.
    NebuAd supports the privacy paradigm which provides users 
with consistent expectations and substantial protections. This 
paradigm also is technology- and business-neutral, and it is 
the basis upon which NebuAd built its technology and 
operations. NebuAd urges the Committee to maintain both the 
paradigm and the principle of technology and business 
neutrality.
    Thank you.
    [The prepared statement of Mr. Dykes follows:]

           Prepared Statement of Bob Dykes, CEO, NebuAd, Inc.

    Chairman Inouye, Ranking Member Stevens, and Members of the 
Committee, thank you for inviting me to appear today regarding the 
privacy implications of online advertising. My name is Bob Dykes, CEO 
of NebuAd, Inc., a recent entrant into the online advertising industry 
that partners with Internet Service Providers (ISPs). I have spent 
considerable time over the past year with Federal policymakers at the 
Federal Trade Commission (FTC), Federal Communications Commission, and 
in Congress--as well as with consumer and privacy advocates--discussing 
NebuAd's technology, operations, and privacy protections and welcome 
the opportunity to discuss all of this further with the Committee.
Introduction
    Online advertising is a phenomenon of the Internet age. It permits 
advertisers to provide more relevant messages to consumers and in turn 
fuels the development of website publishers, both large and small. In 
fact, advertising is the engine for the free Internet. The FTC has 
found online advertising benefits consumers by enabling ``access to 
newspapers and information around the world, provided free because it 
is subsidized by online advertising; tailored ads that facilitate 
comparison shopping for the specific products that consumers want; and, 
potentially, a reduction in ads that are irrelevant to consumers' 
interests and that may therefore be unwelcome.'' \1\
---------------------------------------------------------------------------
    \1\ It is an axiom that advertising has more value when the 
advertiser believes the user is more interested in the advertiser's 
product. Such interest is not obvious when a user visits general-
purpose news and information sites, which are some of the very ones 
noted by the FTC Staff as standing to benefit from online advertising. 
Accordingly, the online advertising industry is constantly seeking 
other ways to infer user interest and then bring that knowledge to bear 
on the placement of ads on these sites. That is, behavioral advertising 
drives value and supports those sites on the Internet that provide 
society with great value.
---------------------------------------------------------------------------
    Within this world of online advertising, NebuAd is a newcomer, just 
entering among industry giants like Google, Yahoo!, Microsoft, Amazon, 
and countless website publishers. That means we have a steep hill to 
climb, but it also means we have great opportunities. We are able to 
learn the lessons of the industry and construct state-of-the-art 
technology that delivers ads that are more relevant to users while 
providing them with robust and industry-leading privacy protections. 
Indeed, as I will discuss, these privacy protections are built into our 
technology and designed into our policies from the ground up.
    Let me explain our privacy motivation more fully. I come from a 
security background, serving for many years as Executive Vice President 
of Symantec Corporation, a global leader in providing security 
solutions for computers and computer networks. When we launched NebuAd 
several years ago, it was at a time when many people had particularly 
heightened concerns about data security. Hackers were piercing 
firewalls, seeking to capture seemingly random strands of data to find 
the identity of users. The government was ordering ISPs and other 
network providers to turn over data on their users. As part of its 
mission, NebuAd sought to address these privacy and security concerns.
    The NebuAd service is architected and its operations are based on 
principles essential to strong privacy protection:

   Provide users with prior, robust notice and the opportunity 
        to express informed choice about whether to participate, both 
        before the service takes effect and persistently thereafter;

   Do not collect or use personally-identifiable information 
        (``PII'');

   Do not store raw data linked to identifiable individuals; 
        and

   Provide state-of-the art security for any information 
        stored.

    As a result, NebuAd's service is designed so that no one--not even 
the government--can determine the identity of our users. That means our 
service for ISP users, including the ad optimization and serving 
system, does not collect or use any PII. In addition, NebuAd requires 
its Internet service provider (``ISP'') partners to provide robust, 
advance notice about our operations and our privacy protections to 
their subscribers, who at any time can exercise their choice not to 
participate. And, finally, we have located our servers in highly secure 
data centers.
The NebuAd Technology and its Advertising Operations
    Currently, online advertising solutions operate in many locations 
throughout the Internet ecosystem--from users' computers to individual 
websites to networks of websites. When an Internet user visits the 
sites of web publishers, like Yahoo! or Amazon, these sites typically 
collect information about the user's activities to target ads based on 
that information. When an Internet user conducts a search, the search 
company may collect information from the user's activity, which in turn 
may be used to improve the relevance of the ads shown. And when a user 
visits a website within an online advertising network, some of which 
include thousands of sites, the visits help the network advertising 
company categorize a user for targeted advertising. All of these 
activities are well-entrenched in the Internet and, given the enormous 
and growing use of the Internet, have proven to have mutual benefits 
for users, publishers--large and small--advertisers, and ad networks.
    NebuAd provides online advertising in partnership with ISPs. The 
NebuAd advertising service has been architected to use only a select 
set of a user's Internet activities (only a subset of HTTP traffic) to 
construct anonymous inferences about the user's level of qualification 
for a predefined set of market segment categories (``anonymous user 
profiles''), which are then used to select and serve the most relevant 
advertisements to that user. The NebuAd advertising service does not 
collect or use any information from password-protected sites (e.g., 
HTTPS traffic), web mail, e-mail, instant messages, or VoIP traffic. 
Using only non-PII, NebuAd constructs and continuously updates these 
unique and anonymous user profiles.\2\
---------------------------------------------------------------------------
    \2\ The anonymous user profiles do not contain any original raw 
data, such as URLs navigated, but only consist of a set of numbers that 
represent the anonymous inferences about the user's level of 
qualification for a predefined set of market segment categories.
---------------------------------------------------------------------------
    In the course of these business operations, NebuAd's ad 
optimization and serving system does not collect PII or use information 
deemed to be sensitive (e.g., information involving a user's financial, 
sensitive health, or medical matters).\3\ In addition, NebuAd requires 
its ISP partners to provide robust disclosure notices to users prior to 
initiating any service and permits them to opt-out of having their data 
collected and receiving targeted ads. Once a user opts-out, NebuAd 
deletes that user's anonymous user profile and will ignore the user's 
subsequent web navigation activity.\4\
---------------------------------------------------------------------------
    \3\ NebuAd understands that the definition of ``sensitive'' 
information will evolve. We stated in our comments to the FTC on the 
``Staff's Proposed Principles for the Self-Regulation of Behavioral 
Advertising'' that we would adopt the Staff's definition of 
``sensitive'' information, assuming it is not limitless. We also would 
consider additional reasonable limitations proposed by other 
stakeholders.
    \4\ NebuAd has enhanced the industry-standard opt-out ``cookie'' 
based system with the use of proprietary techniques. This enables the 
opt-out to be more persistent. NebuAd's entire enhanced opt-out system 
is linked to individual computers and browsers, and it informs users of 
this fact in assisting them in understanding the nature of their opt-
out choice.
---------------------------------------------------------------------------
    Finally, NebuAd's ad optimization and serving system operates 
similar to traditional ad networks. It makes standard use of cookies 
for accepted ad serving purposes. It makes standard use of pixel tags 
that operate only within the security framework of the browser to 
invoke the placement of ad network cookies and that contain no uniquely 
identifying number, subscriber identifier, or any other subscriber 
information. In sum, NebuAd's code used for standard ad serving 
purposes is both clean in its purpose and function.

The Privacy Paradigm in the United States and NebuAd's Privacy 
        Protections
    In contrast to the European Community, where omnibus privacy law 
covers all industries, in the United States, privacy statutes have been 
developed in a largely sector-specific fashion. This Committee has long 
been part of that trend, having overseen the creation of privacy 
statutes generally covering the cable and telecommunications 
industries, as well as specific statutes addressing online privacy for 
children, telemarketing, and spam. Yet, even though these and other 
privacy statutes have been developed one at a time, there are common 
threads running through them:

   When more sensitive data is collected, and when the 
        collection and disclosure of the data could harm or embarrass a 
        consumer, more rigorous disclosure and consent requirements 
        tend to be imposed.

   When raw data linked to an identifiable individual is stored 
        for longer periods, there is an emerging trend that more 
        rigorous disclosure, consent, and security requirements should 
        be imposed.

    NebuAd supports this privacy paradigm, which provides users with 
consistent expectations and substantial protections. This paradigm also 
is technology and business-neutral, and it is the basis upon which 
NebuAd built its technology and operations. NebuAd urges the Committee 
to maintain both the paradigm and the principle of technology and 
business-neutrality.
    In implementing this privacy paradigm, NebuAd not only relied on 
the expertise of its own personnel, it turned to leading privacy 
experts, including Fran Maier, Executive Director and President of 
TRUSTe, the consumer privacy organization, Dr. Larry Ponemon of the 
Ponemon Institute, and Alan Chapell of Chapell & Associates. These 
experts provided important input into NebuAd's initial privacy program. 
They were particularly stringent in recommending that NebuAd should not 
collect PH or sensitive information and that it provide consumers with 
robust notice and choice. NebuAd followed that guidance in developing 
our privacy program.\5\
---------------------------------------------------------------------------
    \5\ A just released survey of U.S. Internet users by TRUSTe showed 
that 71 percent of online consumers are aware their web-surfing 
information may be collected for the purpose of advertising and 91 
percent wanted to have the tools to assure they could protect their 
privacy. NebuAd has strived to provide users with this transparency by 
educating users about its activities and their choices regarding 
whether to participate in NebuAd's services.
---------------------------------------------------------------------------
    The following are the key privacy protections upon which NebuAd has 
architected into its technology and based its operations:

        1. NebuAd's service does not collect or use PII from ISP 
        subscribers. The entire ad optimization and serving system does 
        not collect or use any PII, nor does it collect any information 
        from password-protected sites, web mail, e-mail, instant 
        messages, or VoIP traffic.

        2. NebuAd stores only a set of numbers that represent the 
        user's level of qualification for a predefined set of market 
        segment categories (``anonymous user profiles''). NebuAd does 
        not store raw data such as URLs navigated or IP addresses 
        associated with an identifiable individual. Rather, the NebuAd 
        service constructs anonymous inferences about the user's level 
        of qualification for a predefined set of market segment 
        categories, and then discards the raw data that was used to 
        create or update a user's anonymous profile. This mechanism of 
        constructing anonymous inferences about the user's level of 
        qualification and not storing raw data provides a strong 
        additional layer of privacy protection that goes beyond the 
        standards used by many Internet companies today.

        3. NebuAd's ISP Partners are required to provide robust, direct 
        notice in advance of launch of the service. The notice 
        discloses to the user that the ISP is working to ensure that 
        advertisements shown will be more relevant advertisements, that 
        to deliver these ads its partner creates anonymous profiles 
        based on part of the user's web-surfing behavior, which does 
        not include the collection of PII, and that the user may opt-
        out of the service. For existing subscribers, the notice is 
        required to be delivered 30 days prior to the launch of the 
        service by postal mail, e-mail, or both.\6\ For new 
        subscribers, the notice is required to be placed clearly and 
        conspicuously in the new subscriber sign-up flow and outside 
        the privacy policy. All subscribers can opt-out at any time, 
        and ongoing disclosure and opportunity to opt-out is required 
        to be provided within the ISP's privacy policy.
---------------------------------------------------------------------------
    \6\ NebuAd seeks to ensure that users are fully informed of its 
activities and are given full opportunity to choose whether to 
participate. To that end, we are developing enhanced notification 
mechanisms.

        4. NebuAd and its ISP partners offer users advance and on-going 
        choice of opting-out of the service. Users are provided with a 
        clear statement of what opt-out means and the way it operates. 
        Once the opt-out option is chosen, NebuAd honors that choice 
        and ignores the user's subsequent web surfing activity and thus 
        does not serve the user with behaviorally targeted ads.\7\
---------------------------------------------------------------------------
    \7\ The user, of course, will continue to receive ads.

        5. NebuAd's service only creates anonymous user profiles, which 
        contain no PII and no raw data, and its placement of ads is 
        completely anonymous. NebuAd uses proprietary algorithms and 
        techniques, including one-way encryption of data, so that no 
        one--not even NebuAd's engineers who designed the system--can 
        reverse-engineer an anonymous identifier, or the anonymous user 
---------------------------------------------------------------------------
        profile associated with it, to an identifiable individual.

        6. NebuAd avoids any sensitive websites or product categories. 
        NebuAd does not track or serve ads based on visits related to 
        adult content, sensitive medical information, racial or ethnic 
        origins, religious beliefs or content of a sexual nature, and 
        does not have market segment categories for illegal products.

        7. NebuAd does not permit either complexity of data or 
        narrowness of data to be reverse-engineered into PII. This 
        protection is accomplished because anonymous user profiles are 
        constructed by anonymous inferences about the consumer's level 
        of qualification for a predefined set of market segment 
        categories. Raw data is simply not stored as part of the 
        anonymous user profile. In addition, the NebuAd service does 
        not have narrowly-defined segments. Finally, the anonymous 
        profile identifier is the result of multiple encryptions, and 
        based on multiple data elements including the hashed IP 
        address.

        8. There is no connection or link between the ISP's 
        registration data systems and NebuAd. That means that no user-
        specific data is exchanged between NebuAd and ISP data systems. 
        This boundary is preserved further and inadvertent disclosure 
        is prevented because NebuAd immediately performs a one-way 
        encryption of the IP address and other anonymous user 
        identifiers used within the NebuAd system.

        9. NebuAd installs no applications on users' computers, has no 
        access to users' hard drives, and has no access to secure 
        transactions. As such, NebuAd does not control a user's 
        computer or web-surfing activity in any way (e.g., by changing 
        computer settings or observing private or sensitive 
        information).

        10. NebuAd's Data Centers are professionally operated and 
        secured. NebuAd's servers are located at secure sites with 
        state-of-the-art protections against any intrusion, electronic 
        or physical.

    NebuAd is proud of these protections--all of which were adopted to 
comply with both the spirit and letter of the government's privacy 
paradigm--and, it continuously seeks to enhance them.

Conclusion
    As I stated at the outset, I have spent years seeking to ensure 
that users have robust and transparent privacy protections. In a very 
real sense, NebuAd is the product of that work--It has adopted and 
implemented state-of-the-art privacy protections, and, equally as 
important, it has established a process to continuously improve on 
them. The Internet is a highly dynamic environment, where new 
technologies are constantly developed to address new challenges, and we 
both want and need to take advantage of them. NebuAd takes its 
responsibilities to its users very seriously. It looks forward to 
continuing to work with government policymakers as they examine online 
advertising and privacy issues.

    Senator Dorgan. Mr. Dykes, thank you very much. We 
appreciate your being here.
    Next we will hear from Ms. Leslie Harris, who is the 
President and Chief Executive Officer of the Center for 
Democracy and Technology. Ms. Harris, you may proceed.

   STATEMENT OF LESLIE HARRIS, PRESIDENT AND CEO, CENTER FOR 
                    DEMOCRACY AND TECHNOLOGY

    Ms. Harris. Thank you. Chairman Dorgan, Members of the 
Committee, I thank you for the opportunity testify today.
    I want to make three points and offer several 
recommendations for the Committee.
    First, while behavioral advertising is growing, consumers 
are largely uncomfortable with the practice and they are ill-
equipped to take meaningful steps to protect their privacy. We 
do recognize that advertising is an important engine of 
Internet growth and that ad revenue supports a rich diversity 
of online content. However, massive increases in data 
processing and storage have allowed advertisers to track, 
collect, and aggregate information about consumers' web 
browsing across sites over time and to compile individual 
profiles, and while each piece of consumer information in a 
profile may itself not be personally identifiable, the 
aggregation of this information into rich profiles means it may 
be more readily tied to a person's identity.
    All this is happening in an environment where more data is 
being collected, retained for longer periods of time, often in 
a form where it can be re-identified. Existing privacy 
protections are outstripped by technology and there is a lack 
of transparency about behavioral advertising practices and an 
absence of meaningful controls to help consumers make informed 
decisions about the use of their data.
    When consumers do find out about behavioral advertising, 
they are uncomfortable. In a recent study, 59 percent of the 
respondents said they were not comfortable with online 
companies using their browsing behavior to target advertising 
to their interests even when they were told that advertising 
supports free services.
    Second, there is an emerging behavioral advertising model 
that partners ISPs with ad networks, and this does add new 
legal complexity and additional risks for privacy. While online 
websites and networks can track what you see on their sites or 
the sites associated with their networks, an ISP model may--and 
I do say ``may''--provide access to everything you do online. 
And that would include noncommercial sites that could reveal 
political preferences, charitable, religious associations, and 
the like.
    Consumers simply do not have an expectation that their web 
traffic is being intercepted by their ISP and shared with an 
unknown third party for profiling. And in our view, the law 
does not permit it. We read the Wiretap Act which prohibits 
interception and disclosure of electronic communications, 
including the content of Internet traffic, to require 
unavoidable notice and affirmative express consent for ISP-
based behavioral targeting. And many state communications laws 
require two-party consent, which further complicates the legal 
landscape. And of course, the Cable Communications Policy Act 
also prohibits the collection or disclosure of personal 
information without prior consent.
    The implementation that we have seen thus far completely 
fails to acknowledge, let alone comply with, these laws. No one 
has sought consent.
    Finally, self-regulation is not a full answer. CDT has 
always been supportive of self-regulation, but the Network 
Advertising Initiative that was launched 8 years ago has been 
largely a failure. The model fell short when it was announced. 
It has failed to evolve over time. And only now when the FTC 
has turned its attention to the issues has the Initiative 
proposed modest improvements.
    We acknowledge that there are a number of individual 
companies that have worked hard to educate and improve their 
users' privacy. We are prepared to continue to work with them 
and the NAI to continue to improve privacy protection.
    Self-regulation was never expected to be a full solution. 
And when the NAI was created, the FTC at that point noted that 
backstop legislation would still be required to ensure 
consumers' privacy is protected.
    We have made a number of recommendations for Committee 
action in our written testimony. Let me just briefly highlight 
a few.
    First, Senator Dorgan, we agree with you that more hearings 
are necessary on the ISP question and on other questions like 
sensitive information and secondary use.
    Second, we really urge this Committee to set a goal of 
enacting general privacy legislation in the next year based on 
well-established fair information practices. We have been 
advocating for this for years. We think it is time to act.
    Third, we do think the FTC should issue its guidelines. We 
think they need to be enforceable whether they are under 
current authority or under targeted legislation. We think the 
Committee should make that clear to the FTC.
    And finally, we think Congress should encourage the FTC to 
investigate how technological solutions, including perhaps a 
``Do Not Track'' regime--we were part of a group that proposed 
that--can give consumers better control over their online 
information.
    We do think Congress has a critical role to play in 
ensuring privacy protection in this increasingly complex online 
advertising environment, and I look forward to answering your 
questions.
    [The prepared statement of Ms. Harris follows:]

          Prepared Statement of Leslie Harris, President/CEO, 
                  Center for Democracy and Technology

    Chairman Inouye and Members of the Committee:

    On behalf of the Center for Democracy and Technology (``CDT''), I 
thank you for the opportunity to testify today. We applaud the 
Committee's leadership in examining the privacy impact of new online 
advertising models.

I. Summary
    CDT recognizes that advertising is an important engine of Internet 
growth. Consumers benefit from a rich diversity of content, services 
and applications that are provided without charge and supported by 
advertising revenue. However, as sophisticated new behavioral 
advertising models are deployed, it is vital that consumer privacy be 
protected. Massive increases in data processing and storage 
capabilities have allowed advertisers to track, collect and aggregate 
information about consumers' web browsing activities, compiling 
individual profiles used to match advertisements to consumers' 
interests. All of this is happening in the context of an online 
environment where more data is collected--and retained for longer 
periods--than ever before and existing privacy protections have been 
far outpaced by technological innovation.
    Behavioral advertising represents a small but rapidly growing part 
of the online advertising market. Market research firm eMarketer 
reported last year that spending on behaviorally targeted online 
advertising is expected to reach $1 billion this year and to quadruple 
by 2011.\1\ The recent spate of acquisitions of the online advertising 
industry's largest players by major Internet companies is powerful 
evidence that the online advertising marketplace is headed toward more 
data aggregation tied to a single profile--and one that may be more 
readily tied to a person's identity.\2\ And while we have yet to see 
evidence that this new advertising model will reap the promised 
rewards, it is already migrating from individual websites to the 
infrastructure of the Internet itself: In the last year, Internet 
Service Providers (``ISPs'') have begun to form partnerships with ad 
networks to mine information from individual web data streams for 
behavioral advertising. Ad networks that partner with ISPs could 
potentially collect and record every aspect of a consumer's web 
browsing, including every web page visited, the content of those pages, 
how long each page is viewed, and what links are clicked. E-mails, 
chats, file transfers and many other kinds of data could all be 
collected and recorded.
---------------------------------------------------------------------------
    \1\ ``Behavioral Advertising on Target . . . to Explode Online,'' 
eMarketer (Jun. 2007), http://www.emarketer.com/
Article.aspx?id=1004989.
    \2\ No fewer than five major mergers and acquisitions have been 
completed in the last 18 months: Google purchased online advertising 
company DoubleClick, Inc.; WPP Group, a large ad agency, acquired the 
online ad company 24/7 Real Media; Yahoo! acquired ad firm RightMedia; 
Microsoft acquired online ad service provider aQuantive; AOL purchased 
Tacoda, a pioneering firm in the area of behavioral advertising.
---------------------------------------------------------------------------
    The ISP model raises particularly serious questions. Thus far, 
implementations appear to defy reasonable consumer expectations, could 
interfere with Internet functionality, and may violate communications 
privacy laws.
    Notwithstanding the recent growth of behavioral advertising, most 
Internet users today do not know that their browsing information may be 
tracked, aggregated and sold. After almost a decade of self-regulation, 
there is still a profound lack of transparency associated with these 
practices and an absence of meaningful consumer controls.
    There are several efforts underway to respond to the new online 
advertising environment. First, the Federal Trade Commission staff 
recently released a draft of proposed principles for self-regulation, 
which represent a solid step forward. However, it is not clear whether 
the FTC will formally adopt the principles or put its enforcement power 
behind them.
    The Network Advertising Initiative (``NAI'') is also in the process 
of revising its guidelines. This is a welcome but long-overdue 
development. Unfortunately, self-regulation has not worked to date and, 
even if strengthened, will never by itself fully protect consumers' 
privacy interests.
    Congress needs to take a comprehensive look at the current and 
emerging practices associated with behavioral advertising and the risks 
those practices pose to consumer privacy and control. We recommend that 
Congress take the following steps to address the significant privacy 
concerns raised by behavioral advertising:

   The Committee should hold a series of hearings to examine 
        specific aspects of behavioral advertising, in particular the 
        growing involvement of ISPs, the use of sensitive information, 
        and secondary uses of behavioral profiles.

   The Committee should set a goal of enacting in the next year 
        a simple, flexible baseline consumer privacy law that would 
        protect consumers from inappropriate collection and misuse of 
        their personal information, both online and offline.

   The Committee should strongly urge the Federal Trade 
        Commission to exercise its full enforcement authority over 
        online advertising practices.

   Congress should examine and strengthen existing 
        communications privacy laws to cover new services, technologies 
        and business models with consistent rules. The Electronic 
        Communications Privacy Act (``ECPA'') is decades old, and its 
        application in today's online world is often unclear.

   Congress should encourage the FTC to investigate how 
        technology can be harnessed to give consumers better control 
        over their online information. Simple tools that put consumers 
        in controls of their information, such as a ``Do Not Track'' 
        list, deserve consideration.

II. Understanding Online Advertising Practices
    Commercial websites that supply content to consumers free of charge 
are often supported by online advertising. These sites--known as 
``publishers'' in the advertising world--make available certain 
portions of space on their pages to display ads. That space is sold to 
advertisers, ad agencies, or online ad intermediaries that find and 
place advertisements into the space. These intermediaries may also make 
arrangements to collect information about user visits to the publisher 
pages. Since very few publishers supply their own advertising, it is 
common that when a consumer visits a publisher site, the consumer's 
computer also connects to one or more advertisers, ad agencies, or ad 
intermediaries to send data about the consumer's visit to the site and 
receive the advertising on the site.
    One type of ad intermediary is known as an ``advertising network.'' 
At their most basic level, ad networks contract with many different 
publishers on one side and many different advertisers on the other. 
Armed with a pool of space in which to display ads on publisher sites, 
and a pool of ads to display, ad networks are in the business of 
matching up the two by using the data they collect about consumers' 
site visits.

A. Contextual Advertising
    There are many different ways for an ad network to determine which 
advertisement should be placed in which space. The two most often 
discussed are ``contextual'' advertising and ``behavioral'' 
advertising. Contextual advertising, which is often used to generate 
ads alongside search results, matches advertisements to the content of 
the page that a consumer is currently viewing--a consumer who visits a 
sports site may see advertisements for golf clubs or baseball tickets 
on that site.
    The privacy risks associated with contextual advertising vary. If 
the practice is transparent to the user and data collection and 
retention is minimal, the practice poses little risk. By contrast, 
privacy concerns are heightened if the user data is retained in an 
identifiable or pseudonymous form (i.e., linked to a user identifier) 
for long periods of time even if it is not immediately used to create 
advertising profiles.

B. Behavioral Advertising
    By contrast, behavioral advertising matches advertisements to the 
interests of the consumer as determined over time. If a consumer visits 
several different travel sites before viewing a news site, he or she 
might see a behaviorally targeted travel advertisement displayed on the 
news page, even if the news page contains no travel content. A 
traditional behavioral ad network builds up profiles of individual 
consumers by tracking their activities on publisher sites in the 
network (although this model is evolving, as we discuss below). When 
the consumer visits a site where the ad network has purchased ad space, 
the ad network collects data about that visit and serves an 
advertisement based on the consumer's profile. Diagrams illustrating 
this process are included in Appendix A.
    Consumers' behavioral advertising profiles may incorporate many 
different kinds of data that are in and of themselves not personally 
identifiable. Many networks avoid linking profiles to what has 
traditionally been considered ``personally identifiable information'' 
(``PII''): names, addresses, telephone numbers, e-mail addresses, and 
other identifiers. But as the comprehensiveness of consumer advertising 
profiles increases, the ability of marketers and others to link 
specific individuals to profiles is also growing. In 2006, for example, 
AOL released 3 months' worth of search queries generated by half a 
million users; in the interest of preserving users' anonymity, AOL 
replaced individuals' screen names with numbers. Based solely on search 
terms associated with one number, reporters at The New York Times were 
able to pinpoint the identity of the user who generated them.\3\ The 
risk of supposedly non-personally identifying data being used to 
identify individuals has spurred several ad networks to take extra 
steps to de-identify or remove personal information from their data 
storage.\4\
---------------------------------------------------------------------------
    \3\ Michael Barbaro and Tom Zeller, Jr., ``A Face Is Exposed for 
AOL Searcher No. 4417749,'' The New York Times (Aug. 2006), http://
www.nytimes.com/2006/08/09/technology/ 09aol.
html?_r=1&ex=1312776000&adxnnl=1&oref=slogin&adxnnlx=1215021816 
2Dj7kbrLxHU1hCdcMyNqHEbA.
    \4\ See, e.g., Microsoft, Privacy Protections in Microsoft's Ad 
Serving System and the Process of ``De-identification'' (Oct. 2007), 
http://download.microsoft.com/download/3/1/d/31df6942-ed99
-4024-a0e0-594b9d27a31a/
Privacy%20Protections%20in%20Microsoft%27s%20Ad%20serving%20
system%20 and%20the%20Process%20of%20De-Identification.pdf.
---------------------------------------------------------------------------
    Profiles may also be intentionally tied to PII. For example, data 
collected online by a merchant or by a service provider may permit an 
advertising profile to be tied to an individual's e-mail account. 
Offline data may also be merged with online profiles. For years, data 
service companies have maintained profiles about consumers based on 
information gleaned from public sources such as property and motor 
vehicle records, as well as records from sources like catalog sales and 
magazine subscriptions. These data companies are now also entering the 
online advertising business, potentially allowing the linking of online 
and offline profiles.\5\
---------------------------------------------------------------------------
    \5\ Acxiom runs Relevance-X, an online ad network. Last year 
Experian acquired the online data analysis company Hitwise. See Acxiom, 
Acxiom: Relevance-X (last visited Jul. 2008), 
http://www.acxiom.com/Relevance-X; Experian, ``Acquisition of Hitwise'' 
(Apr. 2007), http://www.experiangroup.com/corporate/ news/releases/
2007/2007-904-17b/.
---------------------------------------------------------------------------
C. The Evolution of Behavioral Advertising--More Data, More Data 
        Sources
    As noted above, recent market consolidation facilitates more 
comprehensive data collection. Companies that run consumers' favorite 
web-based services--web search, web mail, maps, calendars, office 
applications, and social networks--have all purchased behavioral 
advertising networks within the last year. In the past, major Internet 
companies could gather information about how an individual used its 
services and applications such as search, but did not have direct 
access to information about the user's other web browsing habits. With 
the acquisition of behavioral advertising networks, these companies 
could potentially marry the rich data about an individual's use of one 
site with a broad view of his or her activities across the web. The 
concerns about this aggregation of consumer data are heightened because 
many online companies retain data for months or years on end in 
identifiable or pseudonymous form, creating a host of privacy risks.
    Finally, ad networks are now turning to the most comprehensive and 
concentrated source of information about Internet use: the individual 
web data streams that flow through ISPs.\6\ In this emerging model, the 
ISP intercepts or allows an ad network to intercept the content of each 
individual's web data stream. The ad network then uses this traffic 
data for behavioral advertising, serving targeted ads to the ISP's 
customers on publisher sites as the customers surf the web. We address 
the unique issues posed by this advertising model in detail below.
---------------------------------------------------------------------------
    \6\ See, e.g., Peter Whoriskey, ``Every Click You Make,'' The 
Washington Post (Apr. 2008), http://www.washingtonpost.com/wp-dyn/
content/article/2008/04/03/AR2008040304052.html? nav=hcmodule; Saul 
Hansell, ``I.S.P. Tracking: The Mother of All Privacy Battles,'' The 
New York Times: Bits Blog (Mar. 2008) at http://bits.blogs.nytimes.com/
2008/03/20/isp-tracking-the-mother-of-all-privacy-battles/?scp =1-
b&sq=the+mother+of+all+privacy+battles&st=nyt.
---------------------------------------------------------------------------
III. The Privacy Risks of Behavioral Advertising
    Behavioral advertising poses a growing risk to consumer privacy; 
consumers are largely unaware of the practice and are thus ill equipped 
to take protective action. They have no expectation that their browsing 
information may be tracked and sold, and they are rarely provided 
sufficient information about the practices of advertisers or others in 
the advertising value chain to gauge the privacy risks and make 
meaningful decisions about whether and how their information may be 
used. In a recently released Harris Interactive/Alan F. Westin study, 
59 percent of respondents said they were not comfortable with online 
companies using their browsing behavior to tailor ads and content to 
their interests even when they were told that such advertising supports 
free services.\7\ A recent TRUSTe survey produced similar results.\8\ 
It is highly unlikely that these respondents understood that this type 
of ad targeting is already taking place online every day.
---------------------------------------------------------------------------
    \7\ Alan F. Westin, How Online Users Feel About Behavioral 
Marketing and How Adoption of Privacy and Security Policies Could 
Affect Their Feelings (Mar. 2008).
    \8\ TRUSTe, ``TRUSTe Report Reveals Consumer Awareness and 
Attitudes About Behavioral Targeting'' (Mar. 2008), http://
www.marketwire.com/mw/release.do?id=837437&sourceType=1 (``71 percent 
of online consumers are aware that their browsing information may be 
collected by a third party for advertising purposes. . . . 57 percent 
of respondents say they are not comfortable with advertisers using that 
browsing history to serve relevant ads, even when that information 
cannot be tied to their names or any other personal information.'').
---------------------------------------------------------------------------
    In most cases, data collection for behavioral advertising operates 
on an opt-out basis. Opt-out mechanisms for online advertising are 
often buried in fine print, difficult to understand, hard to execute 
and technically inadequate. Only the most sophisticated and technically 
savvy consumers are likely to be able to successfully negotiate such 
opt-out processes. Moreover, in most cases, opt-out mechanisms offered 
for behavioral advertising only opt the user out of receiving targeted 
ads, but do not opt the user out of data collection about his or her 
Internet usage.
    For behavioral advertising to operate in a truly privacy-protective 
way, data collection needs to be limited and data retention limits 
should be tied to the original purposes for collecting the data. 
Consumers need to be informed about what data is being collected about 
their Internet activities, how the information will be used, whether 
the information will be shared with others, and what measures are being 
taken to ensure that any transfer of data remains secure. They should 
be presented with this information in a manner that supports informed 
choice over their information and that choice should be honored 
persistently over time. Consumers must also have opportunities for 
legal redress for misuse of the data. As a recent D.C. District Court 
opinion established, data leakage and the concern for potential abuses 
of that data are recognizable harms standing alone, without any need to 
show misuse of the data.\9\ Consumers do not need to become victims of 
identity theft to suffer from an invasion of privacy.
---------------------------------------------------------------------------
    \9\ Am. Fed'n of Gov't Employees v. Hawley, D.D.C., No. 07-00855, 
3/31/08 (ruling, inter alia, that concerns about identity theft, 
embarrassment, inconvenience, and damage to financial suitability 
requirements after an apparent data breach constituted a recognizable 
``adverse effect'' under the Privacy Act, 5 U.S.C.  552(a) (citing 
Kreiger v. Dep't of Justice, 529 F.Supp.2d 29, 53 (D.D.C. 2008)).
---------------------------------------------------------------------------
    There is also a risk that profiles for behavioral advertising may 
be used for purposes other than advertising. For example, ad networks 
that focus on ``re-targeting'' ads may already be using profiles to 
help marketers engage in differential pricing.\10\ Behavioral profiles, 
particularly those that can be tied to an individual, may also be a 
tempting source of information in making decisions about credit, 
insurance, and employment. While the lack of transparency makes it 
almost impossible to know whether behavioral profiles are being used 
for other purposes, the lack of enforceable rules around the collection 
and use of most personal information leaves the door wide open for a 
myriad of secondary uses.
---------------------------------------------------------------------------
    \10\ See Louise Story, ``Online Pitches Made Just For You,'' The 
New York Times (Mar. 2008), http://www.nytimes.com/2008/03/06/business/
media/06adco.html.
---------------------------------------------------------------------------
    Finally, because the legal standards for government access to 
personal information held by third parties are extraordinarily low, 
these comprehensive consumer profiles are available to government 
officials by mere subpoena, without notice to the individual or an 
opportunity for the individual to object.\11\
---------------------------------------------------------------------------
    \11\ See Center for Democracy and Technology, Digital Search & 
Seizure: Updating Privacy Protections to Keep Pace with Technology 
(2006), http://www.cdt.org/publications/digital-search-and-seizure.pdf 
at 7-9; Deirdre K. Mulligan, ``Reasonable Expectations in Electronic 
Communications: A Critical Perspective on the Electronic Communications 
Privacy Act,'' 72 Geo. Wash. L. Rev. 1557 (Aug. 2004); Daniel J. 
Solove, ``Digital Dossiers and the Dissipation of Fourth Amendment 
Privacy,'' 75 S. Cal. L. Rev. 1083, 1135 (2002).
---------------------------------------------------------------------------
IV. The Use of Sensitive Information for Behavioral Advertising
    The concerns about behavioral advertising practices are heightened 
because of the increasingly sensitive nature of the information that 
consumers are providing online in order to take advantage of new 
services and applications. Two data types of particular concern are 
health information and location information.

A. Personal Health Information--Increasingly Available Online
    Personal health data is migrating online through an ever-expanding 
array of health information and search sites, online support groups, 
and personal health record sites. Federal privacy rules under the 
Health Information Portability and Accountability Act (``HIPAA'') do 
not cover personal health information once it moves online and out of 
the control of HIPAA-covered entities. Once it is posted online, it may 
have no more legal protection than any other piece of consumer 
information. In addition, information provided by consumers that is not 
part of a ``medical record''--such as search terms--may nevertheless 
reveal highly sensitive information. We do not know the full extent to 
which personal health data is being collected for behavioral 
advertising. We do know that the limits placed on its collection by the 
industry are inadequate and that there is an urgent need to develop a 
definition for personal health information in the Internet context that 
is robust enough to protect privacy.

B. Location Information--Not Always Protected By Current Law
    As technologies converge and Internet services are provided over 
cellular phones and other mobile devices, the ability to physically 
locate consumers is spurring location-based advertising, targeted to 
where a user is at any given moment. Plans to incorporate location 
information into behavioral advertising are still in development. 
Although laws exist to protect location information collected by 
telecommunications carriers, applications providers are increasingly 
offering location-based services that fall completely out of that legal 
framework. Standards for government access to location information are 
also unclear, even as law enforcement has shown a greater interest in 
such information.\12\
---------------------------------------------------------------------------
    \12\ See Center for Democracy and Technology, Digital Search & 
Seizure: Updating Privacy Protections to Keep Pace with Technology 
(2006), http://www.cdt.org/publications/digital-search-and-seizure.pdf 
at 23-29.
---------------------------------------------------------------------------
V. The Emerging Use of ISP Data for Behavioral Advertising
    The use of ISP data for behavioral advertising is one area that 
requires close scrutiny from lawmakers. The interception and sharing of 
Internet traffic content for behavioral advertising defies reasonable 
user expectations, can be disruptive to Internet and Web functionality, 
and may run afoul of communications privacy laws.

A. How ISP Data is Used for Behavioral Advertising
    In this new model, an ad network strikes a deal with an ISP that 
allows the network to receive the contents of the individual web 
traffic streams of each of the ISP's customers. The ad network analyzes 
the content of the traffic in order to create a record of the 
individual's online behaviors and interests. As customers of the ISP 
surf the Web and visit sites where the ad network has purchased ad 
space, they see advertisements targeted based on their previous 
Internet behavior. While the model as it exists today involves an ISP 
contracting with a third party that operates such an ad network, it 
would also be possible for ISPs to do the traffic content inspection, 
categorization, and advertising delivery themselves.

B. Privacy Implications of the Use of ISP Data for Behavioral 
        Advertising
    The privacy implications of behavioral advertising at large are 
amplified in this ISP model. Ad networks that partner with ISPs may 
potentially gain access to all or substantially all of an individual's 
Web traffic as it traverses the ISP's infrastructure, including traffic 
to all political, religious, and other non-commercial sites. While 
traditional ad networks may be large, few if any provide the 
opportunity to collect information about an individual's online 
activities as comprehensively as in the ISP model, particularly with 
respect to activities involving non-commercial content. And although 
these ad networks currently inspect predominantly Web traffic, ISPs 
carry e-mails, chats, file transfers and many other kinds of data that 
they could decide to pass on to behavioral ad networks in the future.
    Moreover, the use of Internet traffic content for behavioral 
advertising defies user expectations about what happens when they surf 
the Web and communicate online. Absent unmistakable notice, consumers 
simply do not expect their ISP or its partners to be looking into the 
content of their Internet communications. Finding out that there is a 
middleman lurking between consumers and the websites they visit would 
come as a unwelcome surprise to most Internet users. ISPs are a 
critical part of the chain of trust that undergirds the Internet. 
Giving an unknown third party broad access to all or most consumer 
communications may undermine that trust.

C. Current Implementations May Interfere With Normal Internet Use
    Despite these concerns, several ad network companies are moving 
forward with plans to use ISP data for behavioral advertising. The two 
most prominent ad networks engaged in this practice are NebuAd in the 
United States and Phorm in the UK. Charter Communications, a cable 
broadband ISP, recently announced--and then delayed--a plan to conduct 
trials of the NebuAd behavioral advertising technology.\13\ Several 
other ISPs, such as Wide Open West (WOW!), CenturyTel, Embarq and 
Knology also announced plans with NebuAd to trial or deploy its 
behavioral advertising technology. Although a number of these ISPs have 
put their plans on hold in the wake of a firestorm of criticism, NebuAd 
continues to work with U.S. ISPs and seek new ISP partners. Phorm, 
which originally announced deals with three of the UK's largest ISPs 
and has sought partnerships with U.S. ISPs, is also now encountering 
hesitation from some of its partners.\14\
---------------------------------------------------------------------------
    \13\ Saul Hansell, ``Charter Suspends Plan to Sell Customer Data to 
Advertisers,'' The New York Times: Bits Blog (Jun. 2008), http://
bits.blogs.nytimes.com/2008/06/24/charter-suspends-plan-to-sell-
customer-data-to-advertisers/?scp=3-b&sq=charter+nebuad&st=nyt.
    \14\ Chris Williams, ``CPW builds wall between customers and 
Phorm,'' The Register (Mar. 2008), http://www.theregister.co.uk/2008/
03/11/ phorm_shares_plummet/.
---------------------------------------------------------------------------
    Independent analyses of both companies' systems have revealed that 
by virtue of their ability to intercept Internet traffic in the middle 
of the network--and based on their desire to track individual Internet 
users--they engage in an array of practices that are inconsistent with 
the usual flow of Internet traffic. NebuAd reportedly injects computer 
code into Web traffic streams that causes numerous cookies to be placed 
on users' computers for behavioral tracking, none of which are related 
to or sanctioned by the websites the users visit.\15\ When a user 
navigates to a particular website, Phorm reportedly pretends to be that 
website so that it can plant a behavioral tracking cookie linked to 
that site on the user's computer.\16\ In addition to the privacy 
implications of tracking all of an individual's Web activities, this 
kind of conduct has the potential to create serious security 
vulnerabilities in the network,\17\ hamper the speed of users' Internet 
connections, and interfere with ordinary Web functionality. At a time 
when many different kinds of companies are working to build a trusted 
computing platform for the Internet, having ISPs work with partners 
whose practices undermine trust raises future cyber-security concerns.
---------------------------------------------------------------------------
    \15\ Robert M. Topolski, NebuAd and Partner ISPs: Wiretapping, 
Forgery and Browser Hijacking, Free Press and Public Knowledge (Jun. 
2008), http://www.publicknowledge.org/ pdf/nebuad-report-20080618.pdf.
    \16\ Richard Clayton, The Phorm ``Webwise'' System (May 2008), 
http://www.cl.cam.ac.uk/rnc1/080518-phorm.pdf.
    \17\ These types of behaviors have much in common with well-
understood online security threats, and parts of the Internet security 
community are already investigating how to respond. See Anti-Spyware 
Coalition, ``Anti-Spyware Coalition Aims to Address Behavioral 
Targeting'' (Apr. 2008), http://antispywarecoalition.org/newsroom/
20080425press.htm.
---------------------------------------------------------------------------
D. Current Implementations May Violate Federal Law
    Depending on how this advertising model is implemented, it may also 
run afoul of existing communications privacy laws. The Federal Wiretap 
Act, as amended by the Electronic Communications Privacy Act 
(``ECPA''), prohibits the interception and disclosure of electronic 
communications--including Internet traffic content--without 
consent.\18\ Although exceptions to this rule permit interception and 
disclosure without consent, we seriously doubt that any of them apply 
to the interception or disclosure of Internet traffic content for 
behavioral advertising purposes. Accordingly, we believe that the 
Wiretap Act requires unavoidable notice and affirmative opt-in consent 
before Internet traffic content may be used from ISPs for behavioral 
advertising purposes. Certain state laws may take this one step 
further, requiring consent from both parties to the communication: the 
consumer and the website he or she is visiting. A detailed CDT legal 
memorandum on the application of the Wiretap Act, ECPA and relevant 
state wiretap laws to the use of ISP data for behavioral advertising is 
attached as Appendix B.
---------------------------------------------------------------------------
    \18\ 18 U.S.C.  2511.
---------------------------------------------------------------------------
    As several Members of Congress have noted, the Cable Communications 
Policy Act also applies here.\19\ The law prohibits cable operators 
from collecting or disclosing personally identifiable information 
without prior consent \20\ While the term ``personally identifiable 
information'' in the law is defined by what it does not include--``any 
record of aggregate data which does not identify particular persons'' 
\21\--we doubt that a user's entire Web traffic stream, unique to that 
individual, often containing both PII and non-PII, would be considered 
aggregate data as that term is commonly understood.
---------------------------------------------------------------------------
    \19\ House Representative Edward Markey and House Representative 
Joe Barton, Letter to Charter Communications CEO in Regards to the 
Charter-NebuAd Data Collection Scheme (May 2008) http://
markey.house.gov/docs/telecomm/ letter_charter_comm_privacy.pdf. A 1992 
amendment adding the phrase ``other services'' to the Cable Act's 
privacy provision made it clear that the law covers Internet services 
provided by cable operators.
    \20\ 47 U.S.C.  551(b)-(c).
    \21\ Id.  551(a)(2)(A).
---------------------------------------------------------------------------
    We do not believe that it is possible to shoehorn the collection 
and disclosure of a subscriber's entire browsing history for 
advertising purposes into the statute's exception for collection or 
disclosure of information that is necessary to render service.\22\ 
Thus, we conclude that cable-based ISPs that wish to disclose customer 
information to advertising networks would also have to meet the consent 
requirements of the Cable Communications Policy Act.
---------------------------------------------------------------------------
    \22\ Id.  551(a)(2)(B).
---------------------------------------------------------------------------
    The ISP models that have been deployed thus far have failed to 
obtain affirmative, express opt-in consent required by law. Several 
small U.S. ISPs, for example, have failed to meet this threshold 
requirement, burying vague information about their deals with NebuAd in 
the ISPs' terms of service.\23\ Charter Communications, the largest 
U.S. ISP that had planned to partner with NebuAd, notified its 
subscribers that they would be receiving more relevant ads, but did not 
explain its plans to intercept subscribers' traffic data, and did not 
provide a way for subscribers to give or withhold consent. Charter has 
since suspended its plans.
---------------------------------------------------------------------------
    \23\ See Mike Masnick, ``Where's The Line Between Personalized 
Advertising And Creeping People Out?,'' TechDirt (Mar. 2008), http://
www.techdirt.com/articles/ 20080311/121305499.shtml; Peter Whoriskey, 
``Every Click You Make,'' The Washington Post (Apr. 2008), http://
www.washingtonpost.com/wp-dyn/content/article/2008/04/03/
AR2008040304052.html?nav=hc
module.
---------------------------------------------------------------------------
    Designing a robust opt-in consent system for ISP-based behavioral 
advertising presents a formidable challenge. We are less than sanguine 
that such a system can be easily designed, particularly since it must 
not only provide a way for consumers to give affirmative consent, but 
it must also provide a method for them to revoke that consent. The 
burden is on those who wish to move forward with the model to 
demonstrate that an express notice and consent regime can work in this 
context.

VI. The Limits of Self-Regulation
    For almost a decade, the primary privacy framework for the 
behavioral advertising industry has been provided by the Network 
Advertising Initiative, a self-regulatory group of online advertising 
networks formed in response to pressure from the Federal Trade 
Commission and consumer advocates in the wake of privacy concerns over 
the merger of ad network DoubleClick and Abacus, an offline data 
broker. NAI members agree to provide consumers with notice and, at 
minimum, a method to opt out of behavioral advertising. They further 
pledged to use information collected only for marketing purposes. While 
at the time of their release CDT welcomed the NAI principles as an 
important first step, we also noted then that there were flaws in the 
approach that needed to be addressed and that self-regulation was not a 
complete solution. The FTC agreed, concluding in its July 2000 report 
to Congress that ``backstop legislation addressing online profiling is 
still required to fully ensure that consumers' privacy is protected 
online.'' \24\ That remains true today.
---------------------------------------------------------------------------
    \24\ Federal Trade Commission, Online Profiling: A Report to 
Congress (Jul. 2000), http://www.ftc.gov/os/2000/07/
onlineprofiling.htm.
---------------------------------------------------------------------------
    Eight years after the creation of the principles, few consumers are 
aware of behavioral advertising and fewer still have been able to 
successfully navigate the confusing and complex opt-out process.\25\ 
Although individual NAI companies have launched their own consumer 
awareness initiatives, more work remains to be done.\26\ For those 
consumers who successfully opt out, the NAI's reliance on flawed opt-
out cookies means that user preferences are often not persistently 
honored.
---------------------------------------------------------------------------
    \25\ The drawbacks of opt-out cookies have been well documented: 
they are confusing for the majority of consumers who do not understand 
the technology and counter-intuitive to those who are accustomed to 
deleting their cookies to protect their privacy. Cookies are 
susceptible to accidental deletion and file corruption. While the NAI 
is in the process of updating the principles, it has not proposed 
changes to the opt-out regime. See Center for Democracy and Technology, 
Applying the FTC's Spyware Principles to Behavioral Advertising: 
Comments of the Center for Democracy and Technology in regards to the 
FTC Town Hall, ``Ehavioral Advertising: Tracking, Targeting, and 
Technology'' (Oct. 2007), http://www.cdt.org/privacy/
20071019CDTcomments
.pdf at 8.
    \26\ See, e.g., AOL, Mr. Penguin (last visited Jul. 2008), http://
corp.aol.com/o/mr-penguin/; Yahoo!, Customized Advertising (last 
visited Jul. 2008), http://info.yahoo.com/relevantads/; Google, The 
Google Privacy Channel (last visited Jul. 2008), http://youtube.com/
user/googleprivacy.
---------------------------------------------------------------------------
    In addition, the NAI's guidelines for the use of sensitive 
information have never been adequate to guard consumer privacy. Until 
recently, the definition was limited to a narrowly defined set of PII. 
While the definition is being revised, it still falls far short of what 
is needed to address the increasingly sensitive nature of consumer 
information online.\27\
---------------------------------------------------------------------------
    \27\ Center for Democracy and Technology, Comments Regarding the 
NAI Principles 2008: The Network Advertising Initiative's Self-
Regulatory Code of Conduct for Online Behavioral Advertising (June 
2008), http://www.cdt.org/privacy/20080612_NAI_comments.pdf at 6-9.
---------------------------------------------------------------------------
    Finally, the NAI principles only apply to companies that 
voluntarily join the Initiative. The NAI has no way to force companies 
to join; the current membership is missing numerous behavioral 
advertising firms, including some key industry players. In addition, 
measures to ensure compliance and transparency have withered on the 
vine.\28\ The original NAI principles provided for independent audits 
and enforcement against noncompliant members, but the audit results 
were never made public, and reporting on compliance with the principles 
has been inconsistent.\29\
---------------------------------------------------------------------------
    \28\ CDT testing has revealed that only a tiny fraction of 
companies that collect data that could be used for behavioral 
advertising are NAI members. See Center for Democracy and Technology, 
Statement of The Center for Democracy and Technology before The 
Antitrust, Competition Policy and Consumer Rights Subcommittee of the 
Senate Committee on the Judiciary on ``An Examination of the Google-
DoubleClick Merger and the Online Advertising Industry: What Are the 
Risks for Competition and Privacy?'' (Sept. 2007), http://www.cdt.org/
privacy/20070927committee-statement.pdf.
    \29\ See Pam Dixon, The Network Advertising Initiative: Failing at 
Consumer Protection and at Self-Regulation (Nov. 2007), http://
www.worldprivacyforum.org/pdf/WPF_NAI_report_
Nov2_2007fs.pdf at 16-17.
---------------------------------------------------------------------------
    For all these reasons, while we encourage more robust self-
regulatory efforts, we continue to have doubts about the effectiveness 
of the self-regulatory framework. As online advertising becomes 
increasingly complex and data collection becomes more pervasive, 
Congress and the FTC must step in to ensure that consumer interests are 
fully protected.

VII. The Role of Congress
    Congress should take action to address the significant privacy 
concerns raised by behavioral advertising:

   As a first step, we urge the Committee to hold a series of 
        hearings to examine specific aspects of behavioral advertising. 
        In particular, we believe that further investigation of new 
        models of behavioral advertising using ISP data is warranted, 
        and that the Committee should explore how current laws such as 
        ECPA, the Wiretap Act and the Cable Communications Policy Act 
        apply. Secondary uses of behavioral advertising profiles for 
        purposes other than marketing also deserve additional 
        investigation and scrutiny, as does the use of sensitive 
        information.

   This Committee should set a goal of enacting in the next 
        year general privacy legislation covering both the online and 
        offline worlds. CDT has long argued for simple, flexible 
        baseline consumer privacy legislation that would protect 
        consumers from inappropriate collection and misuse of their 
        personal information while enabling legitimate business use to 
        promote economic and social value. In principle, such 
        legislation would codify the fundamentals of fair information 
        practices, requiring transparency and notice of data collection 
        practices, providing consumers with meaningful choice regarding 
        the use and disclosure of that information, allowing consumers 
        reasonable access to personal information they have provided, 
        providing remedies for misuse or unauthorized access, and 
        setting standards to limit data collection and ensure data 
        security.

   The Federal Trade Commission has played a helpful role in 
        consumer education efforts around behavioral advertising. But 
        it also must exercise its authority under its deception and 
        unfairness jurisdiction to issue enforceable guidelines for 
        behavioral advertising. We ask the Committee to strongly urge 
        the Commission to exercise the full measure of its enforcement 
        authority over online advertising practices.

   Congress should also examine and strengthen existing 
        communications privacy laws to cover new services, technologies 
        and business models with consistent rules. ECPA was passed more 
        than 20 years ago, long before there was a World Wide Web and 
        the Internet became integrated into Americans' daily lives. The 
        application of the law to common online activities including 
        Web search remains unclear and the legal protections it 
        provides for the enormous amounts of personal data stored 
        online are far too low.

   Finally, Congress should encourage the FTC to investigate 
        how technology can be harnessed to give consumers better 
        control over their online information. The lack of effective 
        controls and the difficulty that consumers have in exercising 
        choice about their participation in online tracking and 
        targeting was the motivation behind the ``Do Not Track'' list 
        idea proposed by CDT and nine other consumer and privacy 
        groups.\30\ Although the proposal has been controversial, the 
        idea behind Do Not Track is both simple and important: provide 
        consumers with an easy-to-use, technology-neutral, persistent 
        way to opt out of behavioral advertising. Congress should 
        promote further study of this idea and other innovative ways to 
        put consumers in control of their information.
---------------------------------------------------------------------------
    \30\ See Pam Dixon et al, Consumer Rights and Protections in the 
Behavioral Advertising Sector (Oct. 2007), http://www.cdt.org/privacy/
20071031consumerprotectionsbehavioral.pdf.
---------------------------------------------------------------------------
VIII. Conclusion
    I would like to thank the Committee again for holding this 
important hearing. We believe that Congress has a critical role to play 
in ensuring that privacy is protected in an increasingly complex online 
advertising environment. CDT looks forward to working with the 
Committee as it pursues these issues further.

                               Appendix A

Simplified Illustration of a Traditional Online Ad Network
    Figure 1 below shows a simplified version of a traditional online 
ad network. Ad networks contract with advertisers on one side and 
publishers on the other. They take the ads they receive from 
advertisers and match them to open ad spaces on publisher sites.



    Figure 1.
    Figure 2 shows how an ad network collects data about a consumer's 
web activities. When the consumer first visits a publisher site in the 
network (SF-hotel-review.com), the ad network places a cookie with a 
unique ID (12345) on the consumer's computer. When the user 
subsequently visits other publisher sites in the network (including 
dogzblogs.com and social-network.net), the cookie containing the ID is 
automatically transmitted to the ad network. This allows the ad network 
to keep track of what sites the consumer has visited and build a 
behavioral profile based on that information, linked to the cookie ID.



    Figure 2.
                               Appendix B

An Overview of the Federal Wiretap Act, Electronic Communications 
        Privacy Act, and State Two-Party Consent Laws of Relevance to 
        the NebuAd System and Other Uses of Internet Traffic Content 
        from ISPs for Behavioral Advertising--July 8, 2008
    Much of the content on the Internet (just like content in 
newspapers, broadcast TV, radio and cable) is supported in whole or 
part by advertising revenue. The Internet offers special opportunities 
to target ads based on the expressed or inferred interests of the 
individual user. There are various models for delivering targeted ads 
online. These range from the purely contextual (everyone who visits a 
travel site sees the same airline ad) to models that involve compiling 
information about the online behavior of individual Internet users, to 
be used in serving them advertisements. For years, websites have 
entered into agreements with advertising networks to use ``cookies'' to 
track individual users across websites in order to compile profiles. 
This approach has always been, and remains, a source of privacy 
concern, in part because the conduct usually occurs unbeknownst to most 
Internet users. Recent developments, including the mergers between 
online service providers and some of the largest online advertising 
networks, have heightened these concerns. The Center for Democracy and 
Technology has been conducting a major project on behavioral 
advertising, in which we have been researching behavioral advertising 
practices, consulting with Internet companies and privacy advocates, 
developing policy proposals, filing extensive comments at the FTC, and 
analyzing industry self-regulatory guidelines.
    This memo focuses on the implications of a specific approach to 
behavioral advertising being considered by Internet advertising 
networks and Internet Service Providers (ISPs). This new approach 
involves copying and inspecting the content of each individual's 
Internet activity with the cooperation of his or her ISP.\31\ Under 
this new model, an advertising network strikes a deal with an ISP, and 
the ISP allows the network to copy the contents of the individual Web 
traffic streams of each of the ISP's customers. The advertising network 
analyzes the content of these traffic streams in order to create a 
record of each individual's online behaviors and interests. Later, as 
customers of the ISP surf the Web and visit sites where the advertising 
network has purchased advertising space, they see ads targeted based on 
their previous Internet behavior.
---------------------------------------------------------------------------
    \31\ See, e.g., Peter Whoriskey, Every Click You Make, Wash. Post 
(Apr. 3, 2008), http://www.washingtonpost.com/wpdyn/content/article/
2008/04/03/AR2008040304052.html?nav=hc
module; Saul Hansell, I.S.P. Tracking: The Mother of All Privacy 
Battles, N.Y. Times: Bits Blog (Mar. 20, 2008), http://
bits.blogs.nytimes.com/2008/03/20/isp-tracking-the-mother-of-all-
privacy-battles/?scp=1-b&sq= the+mother+of+all+privacy+battles&st=nyt.
---------------------------------------------------------------------------
    NebuAd is one such advertising network company operating in the 
United States. In the past few months, it has come to light that NebuAd 
was planning to partner with Charter Communications, a cable broadband 
ISP, to conduct trials of the NebuAd behavioral advertising technology. 
Several other smaller ISPs, such as Wide Open West (WOW!), CenturyTel, 
Embarq, and Knology, have also announced plans with NebuAd to trial or 
deploy its behavioral advertising technology. In response to concerns 
raised by subscribers, privacy advocates, and policymakers, Charter, 
CenturyTel and Embarq have delayed these plans, but NebuAd and other 
similar companies are continuing to seek new ISP partners.
    The use of Internet traffic content from ISPs for behavioral 
advertising is different from the ``cookie''-based model in significant 
ways and raises unique concerns.\32\ Among other differences, it copies 
all or substantially all Web transactions, including visits to sites 
that do not use cookies. Thus, it may capture not only commercial 
activity, but also visits to political, advocacy, or religious sites or 
other non-commercial sites that do not use cookies.
---------------------------------------------------------------------------
    \32\ Privacy concerns also apply to advertising-based models that 
have been developed for services, such as e-mail, that ride over ISP 
networks. See CDT Policy Post 10.6, Google GMail Highlights General 
Privacy Concerns, (Apr. 12, 2004), http://www.cdt.org/publications/
policyposts/2004/6 (recommending express prior opt-in for advertising-
based e-mail service).
---------------------------------------------------------------------------
    In this memo, we conclude that the use of Internet traffic content 
from ISPs may run afoul of Federal wiretap laws unless the activity is 
conducted with the consent of the subscriber.\33\ To be effective, such 
consent should not be buried in terms of service and should not be 
inferred from a mailed notice. We recommend prior, express consent, but 
we do not offer here any detailed recommendations on how to obtain such 
consent in an ISP context. Also, we note that that the California law 
requiring consent of all the parties to a communication has been 
applied by the state Supreme Court to the monitoring of telephone calls 
when the monitoring is done at a facility outside California. The 
California law so far has not been applied to Internet communications 
and it is unclear whether it would apply specifically to the copying of 
communications as conducted for behavioral monitoring purposes, but if 
it or another state's all-party consent rule were applied to use of 
Internet traffic for behavioral profiling, it would seem to pose an 
insurmountable barrier to the practice.
---------------------------------------------------------------------------
    \33\ Additional questions have been raised under the Cable 
Communications Policy Act. See Rep. Edward Markey and Rep. Joe Barton, 
Letter to Charter Communications CEO in Regards to the Charter-NebuAd 
Data Collection Scheme (May 2008), http://markey.house.gov/docs/
telecomm/ letter_charter_comm_privacy.pdf. In this memo, we focus on 
issues arising under the Federal Wiretap Act, as amended by the 
Electronic Communications Privacy Act.
---------------------------------------------------------------------------
I. Wiretap Act
A. Service Providers Cannot ``Divulge'' The Contents of Subscriber 
        Communications, Except Pursuant to Limited Exceptions
    The Federal Wiretap Act, as amended by the Electronic 
Communications Privacy Act, protects the privacy of wire, oral, and 
electronic communications.\34\ ``[E]lectronic communication'' is 
defined as ``any transfer of signs, signals, writing, images, sounds, 
data, or intelligence of any nature transmitted in whole or in part by 
a wire, radio, electromagnetic, photoelectronic or photooptical system 
. . ..'' \35\ Web browsing and other Internet communications are 
clearly electronic communications protected by the Wiretap Act.
---------------------------------------------------------------------------
    \34\ 18 U.S.C.  2510-2522.
    \35\ Id.  2510(12).
---------------------------------------------------------------------------
    In language pertinent to the model under consideration,  2511(3) 
of the Act states that ``a person or entity providing an electronic 
communication service to the pubic shall not intentionally divulge the 
contents of any communications . . . while in transmission on that 
service to any person or entity other than an addressee or intended 
recipient. . . .'' \36\
---------------------------------------------------------------------------
    \36\ Id.  2511(3)(a). Lest there be any argument that the 
disclosure does not occur while the communications are ``in 
transmission,'' we note that the Stored Communications Act (SCA) states 
that ``a person or entity providing an electronic communication service 
to the public shall not knowingly divulge to any person or entity the 
contents of a communication while in electronic storage by that 
service.'' Id.  2702(a)(1). We do not comment further here on the SCA 
because, in our judgment, the approach that has been described so far 
clearly involves the divulging of communications ``while in 
transmission.''
---------------------------------------------------------------------------
    There are exceptions to this prohibition on disclosure, two of 
which may be relevant here. One exception specifies that ``[i]t shall 
not be unlawful under this chapter for an . . . electronic 
communication service, whose facilities are used in the transmission of 
a[n] . . . electronic communication, to intercept, disclose, or use 
that communication in the normal course of his employment while engaged 
in any activity which is a necessary incident to the rendition of his 
service or to the protection of the rights or property of the provider 
of that service.'' \37\ We will refer to this as the ``necessary 
incident'' exception. The second exception is for disclosures with the 
consent of one of the parties.\38\ We will discuss both exceptions 
below. We conclude that only the consent exception applies to the 
disclosure of subscriber content for behavioral advertising, and we 
will discuss preliminarily what ``consent'' would mean in this context.
---------------------------------------------------------------------------
    \37\ Id.  2511(2)(a)(i) (emphasis added). This analysis focuses on 
the capture of electronic communications and definitions are abridged 
accordingly.
    \38\ Id.  2511(3)(b)(ii).
---------------------------------------------------------------------------
B. With Limited Exceptions, Interception Is Also Prohibited
    The Wiretap Act regulates the ``interception'' of electronic 
communications. The Act defines ``intercept'' as the ``acquisition of 
the contents of any . . . electronic . . . communication through the 
use of any electronic, mechanical, or other device.'' \39\
---------------------------------------------------------------------------
    \39\ Id.  2510(4).
---------------------------------------------------------------------------
    The Wiretap Act broadly bars all intentional interception of 
electronic communications.\40\ The Act enumerates specific exceptions 
to this prohibition.\41\ Law enforcement officers, for example, are 
authorized to conduct interceptions pursuant to a court order. For ISPs 
and other service providers, there are three exceptions that might be 
relevant. Two we have mentioned already: the ``necessary incident'' 
exception and a consent exception.\42\
---------------------------------------------------------------------------
    \40\ Id.  2511(1).
    \41\ Id.  2511(2).
    \42\ Separate from the consent provision for disclosure, the 
consent exception for interception is set forth in 18 U.S.C.  
2511(2)(d): ``It shall not be unlawful under this chapter for a person 
not acting under color of law to intercept a[n] . . . electronic 
communication where such person is a party to the communication or 
where one of the parties to the communication has given prior consent 
to such interception. . . .''
---------------------------------------------------------------------------
    A third exception, applicable to interception but not to 
disclosure, arises from the definition of ``intercept,'' which is 
defined as acquisition by an ``electronic, mechanical, or other 
device,'' which in turn is defined as ``any device or apparatus which 
can be used to intercept a[n] . . . electronic communication other 
than--(a) any telephone or telegraph instrument, equipment or facility, 
or any component thereof . . . (ii) being used by a provider of . . . 
electronic communication service in the ordinary course of its 
business. . . .'' \43\ This provision thus serves to limit the 
definition of ``intercept,'' providing what is sometimes called the 
``telephone extension'' exception, but which we will call the 
``business use'' exception.
---------------------------------------------------------------------------
    \43\ Id.  2510(5) (emphasis added).
---------------------------------------------------------------------------
C. The Copying of Internet Content for Disclosure to Advertising 
        Networks Constitutes Interception
    When an ISP copies a customer's communications or allows them to be 
copied by an advertising network, those communications have undoubtedly 
been ``intercept[ed].'' \44\ Therefore, unless an exception applies, it 
seems likely that placing a device on an ISP's network and using it to 
copy communications for use in developing advertising profiles would 
constitute illegal interception under  2511(1)(a); similarly, the 
disclosure or use of the intercepted communications would run afoul of 
 2511(1)(c) or  2511(1)(d), respectively.
---------------------------------------------------------------------------
    \44\ See, e.g., United States v. Rodriguez, 968 F.2d 130, 136 (2d 
Cir. 1992) (holding in context of telephone communications that ``when 
the contents of a wire communication are captured or redirected in any 
way, an interception occurs at that time'' and that ``[r]edirection 
presupposes interception''); In re State Police Litig., 888 F. Supp. 
1235, 1267 (D. Conn. 1995) (stating in context of telephone 
communications that ``it is the act of diverting, and not the act of 
listening, that constitutes an `interception' '').
---------------------------------------------------------------------------
D. The ``Necessary Incident'' Exception Probably Does Not Permit the 
        Interception or Disclosure of Communications for Behavioral 
        Advertising Purposes
    The Wiretap Act permits interception of electronic communications 
when the activity takes place as ``a necessary incident to the 
rendition of [the ISP's] service or to the protection of the rights or 
property of the provider of that service.'' \45\ The latter prong 
covers anti-spam and anti-virus monitoring and filtering and various 
anti-fraud activities, but cannot be extended to advertising 
activities, which, while they may enhance the service provider's 
revenue, do not ``protect'' its rights. Courts have construed the 
``necessary incident'' prong quite strictly, requiring a service 
provider to show that it must engage in the activity in order to carry 
out its business.\46\ It is unlikely that the copying, diversion, or 
disclosure of Internet traffic content for behavioral advertising would 
be construed as a ``necessary incident'' to an ISP's business. 
Conceivably, an ISP could argue that its business included copying its 
subscribers communications and providing them to third parties for 
purposes of placing advertisements on websites unaffiliated with the 
ISP, but the ISP would probably have to state that that business 
existed and get the express agreement of its customers that they were 
subscribing to that business as well as the basic business of Internet 
access, which leads anyhow to the consent model that we conclude is 
necessary.
---------------------------------------------------------------------------
    \45\ 18 U.S.C.  2511(2)(a)(i).
    \46\ See United States v. Councilman, 418 F.3d 67, 82 (1st Cir. 
2005) (en banc) (holding that service provider's capture of e-mails to 
gain commercial advantage ``clearly'' was not within service provider 
exception); Berry v. Funk, 146 F.3d 1003, 1010 (D.C. Cir. 1998) 
(holding in context of telephone communications that switchboard 
operators' overhearing of a few moments of phone call to ensure call 
went through is a ``necessary incident,'' but anything more is outside 
service provider exception).
---------------------------------------------------------------------------
E. While It Is Unclear Whether the ``Business Use'' Exception Would 
        Apply to the Use of a Device Installed or Controlled by a Party 
        Other than the Service Provider, the Exception Does Not Apply 
        to the Prohibition Against Divulging a Subscriber's 
        Communications
    The ``business use'' exception,  2510(5)(a), constricts the 
definition of ``device'' and thereby narrows the definition of 
``intercept'' in the Wiretap Act. There are two questions involved in 
assessing applicability of this exception to the use of Internet 
traffic content for behavioral advertising: (1) whether the device that 
copies the content for delivery to the advertising network constitutes 
a ``telephone or telegraph instrument, equipment or facility, or any 
component thereof,'' and (2) whether an ISP's use of the device would 
be within the ``ordinary course of its business.''
    We will discuss the ``business use'' exception at some length, 
because there has been considerable discussion already about whether 
copying of an ISP subscriber's communications for behavioral 
advertising is an ``interception'' under  2511(1) of the Wiretap Act. 
However, even if the business use exception applied, an ISP would only 
avoid liability for the interception of electronic communications. It 
would still be prohibited from divulging the communications of its 
customers to an advertising network under the separate section of the 
Wiretap Act,  2511(3), which states that a service provider ``shall 
not intentionally divulge the contents of any communication . . . while 
in transmission on that service to any person or entity other than an 
addressee or intended recipient. . . .'' \47\ The business use 
exception does not apply to this prohibition against divulging.\48\
---------------------------------------------------------------------------
    \47\ 18 U.S.C.  2511(3)(a).
    \48\ By adopting two different exceptions--``necessary incident'' 
and ``ordinary course''--Congress apparently meant them to have 
different meanings. Based on our reading of the cases, the necessary 
incident exception is narrower than the ordinary course exception. It 
is significant that the ``necessary incident'' exception applies to 
both interception and disclosure while the ``ordinary course'' 
exception is applicable only to interception. This suggests that 
Congress meant to allow service providers broader latitude in examining 
(that is, ``intercepting'' or ``using'') subscriber communications so 
long as they did not disclose the communications to third parties. This 
permits providers to conduct a range of in-house maintenance and 
service quality functions that do not involve disclosing communications 
to third parties.
---------------------------------------------------------------------------
    At first glance, it would seem that the business use exception is 
inapplicable to the facilities of an ISP because the exception applies 
only to a ``telephone or telegraph instrument, equipment or facility, 
or any component thereof.'' However, the courts have recognized that 
ECPA was motivated in part by the ``dramatic changes in new computer 
and telecommunications technologies'' \49\ and therefore was intended 
to make the Wiretap Act largely neutral with respect to its treatment 
of various communications technologies. The Second Circuit, for 
example, concluded in a related context that the term ``telephone'' 
should broadly include the ``instruments, equipment and facilities that 
ISPs use to transmit e-mail.'' \50\ Therefore, as a general matter, it 
should be assumed that the business use exception is available to ISPs.
---------------------------------------------------------------------------
    \49\ S. Rep. No. 99-541, at 1 (1986), reprinted in 1986 
U.S.C.C.A.N. 3555.
    \50\ Hall v. Earthlink Network, Inc., 396 F.3d 500, 505 (2d Cir. 
2005) (quoting S. Rep. No. 99-541 at 8).
---------------------------------------------------------------------------
    However, it is not certain that the device used to copy and divert 
content for behavioral advertising would be considered to be a 
component of the service provider's equipment or facilities. In some of 
the behavioral advertising implementations that have been described, 
the monitoring device or process is not developed or controlled by the 
ISP but rather by the advertising network.
    The second question is whether an ISP's use of a device to copy 
traffic content for behavioral advertising falls within the ``ordinary 
course of its business.'' There are a number of cases interpreting this 
exception, but none of them clearly addresses a situation where a 
service provider is copying all of the communications of its customers. 
Many of the cases arise in situations where employers are monitoring 
the calls of their employees for purposes of supervision and quality 
assurance. ``These cases have narrowly construed the phrase `ordinary 
course of business.' '' \51\ Often such cases also involve notice to 
the employees and implied consent.\52\ One court has stated that, even 
if an entity could satisfy the business use exception, notice to one of 
the parties being monitored would be required.\53\ Other cases involve 
the monitoring of prisoners.
---------------------------------------------------------------------------
    \51\ United States v. Murdock, 63 F.3d 1391. 1396 (6th Cir 1995).
    \52\ E.g., James v. Newspaper Agency Corp., 591 F.2d 579 (10th Cir. 
1979).
    \53\ See, e.g., Adams v. City of Battle Creek, 250 F.3d 980, 984 
(6th Cir. 2001).
---------------------------------------------------------------------------
    Some cases have interpreted ``ordinary course'' to mean anything 
that is used in ``normal'' operations. The D.C. Circuit, for instance, 
has suggested that monitoring ``undertaken normally'' qualifies as 
being within the ``ordinary course of business.'' \54\ In the context 
of law enforcement taping of the phone calls of prisoners, the Ninth 
and Tenth Circuits have concluded that something is in the ``ordinary 
course'' if it is done routinely and consistently.\55\ It might be that 
courts would give equal or greater latitude to service providers in 
monitoring their networks than they would give to mere subscribers or 
users.
---------------------------------------------------------------------------
    \54\ Berry v. Funk, 146 F.3d 1003, 1009 (D.C. Cir. 1998) (workplace 
monitoring).
    \55\ See United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 
1996); United States v. Gangi, 57 Fed. Appx. 809, 814 (10th Cir. 2003).
---------------------------------------------------------------------------
    Other circuit courts have used a more limited interpretation, 
concluding that ``ordinary course'' only applies if the device is being 
used to intercept communications for ``legitimate business reasons.'' 
\56\ Although the courts have not been entirely clear as to what that 
means, some have suggested that it is much closer to necessity than to 
mere profit motive.\57\ One frequently-cited case explicitly holds that 
the business use exception does not broadly encompass a company's 
financial or other motivations: ``The phrase `in the ordinary course of 
business' cannot be expanded to mean anything that interests a 
company.'' \58\
---------------------------------------------------------------------------
    \56\ See Arias v. Mutual Central Alarm Serv., Inc., 202 F.3d 553, 
560 (2d Cir. 2000) (monitoring calls to an central alarm monitoring 
service).
    \57\ See id. (concluding that alarm company had legitimate reasons 
to tap all calls because such businesses ``are the repositories of 
extremely sensitive security information, including information that 
could facilitate access to their customers' premises''); see also First 
v. Stark County Board of Comm'rs, 234 F.3d 1268, at *4 (6th Cir. 2000) 
(table disposition).
    \58\ Watkins v. L.M. Berry & Co., 704 F.2d 577, 582 (11th Cir. 
1983). Watkins states: ``We hold that a personal call may not be 
intercepted in the ordinary course of business under the exemption in 
section 2510(5)(a)(i), except to the extent necessary to guard against 
unauthorized use of the telephone or to determine whether a call is 
personal or not. In other words, a personal call may be intercepted in 
the ordinary course of business to determine its nature but never its 
contents.'' 704 F.2d at 583. This language supports the conclusion that 
the business use exception could not cover wholesale interception of 
ISP traffic, no more than switchboard operators can perform wholesale 
monitoring of telephone traffic.
---------------------------------------------------------------------------
    Normal principles of statutory interpretation would require that 
some independent weight be given to the word ``ordinary,'' so that the 
exception does not encompass anything done for business purposes. It is 
unclear, however, how much weight courts would give to the word 
``ordinary'' in a rapidly changing market. It does not seem that the 
phrase ``ordinary course of business'' should preclude innovation, but 
courts might refer to past practices and normal expectations 
surrounding a line of business and specifically might look to what 
customers have come to expect.
    Viewed one way, it is hard to see how the copying of content for 
behavioral advertising is part of the ``ordinary course of business'' 
of an ISP. After all, the ISP is not the one that will be using the 
content to develop profiles of its customers; the profiling is done by 
the advertising network, which does not even disclose to the ISP the 
profiles of its own subscribers. (The profiles are proprietary to the 
advertising network and it is careful not to disclose them to anyone.) 
Very few (if any) of the ads that are placed using the profiles will be 
ads for the ISP's services; they will be ads for products and services 
completely unrelated to the ISP's ``ordinary course of business.'' 
Moreover, the ads will be placed on websites having no affiliation with 
the ISP. On the other hand, the ISP could argue that part of its 
business model--part of what keeps its rates low--is deriving revenue 
from its partnership with advertising networks.
    The legislative histories of the Wiretap Act and ECPA weigh against 
a broad reading of the business use exception. Through these laws, 
Congress intended to create a statutory regime generally affording 
strong protection to electronic communications. Congress included 
limited, specific and detailed exceptions for law enforcement access to 
communications, and other limited, specific and detailed exceptions to 
allow companies providing electronic communications service to conduct 
ordinary system maintenance and operational activities. Congress gave 
especially high protection to communications content. If the business 
use exception can apply any time an ISP identifies a new revenue stream 
that can be tapped though use of its customers' communications, this 
careful statutory scheme would be seriously undermined.

F. The Consent Exception: The Context Weighs Heavily in Favor of 
        Affirmative, Opt-In Consent from ISP Subscribers
    Consent is an explicit exception both to the prohibition against 
intercepting electronic communications under the Wiretap Act and to the 
Act's prohibition against disclosing subscriber communications. The key 
question is: How should consent be obtained for use of Internet traffic 
content for behavioral advertising? Courts have held in telephone 
monitoring cases under the Wiretap Act that consent can be implied, but 
there are relatively few cases specifically addressing consent and 
electronic communications. However, in cases involving telephone 
monitoring, one circuit court has stated that consent under the Wiretap 
Act ``is not to be cavalierly implied.'' \59\ Another circuit court has 
noted that consent ``should not casually be inferred'' \60\ and that 
consent must be ``actual,'' not ``constructive.'' \61\ Yet another 
circuit court has stated: ``Without actual notice, consent can only be 
implied when the surrounding circumstances convincingly show that the 
party knew about and consented to the interception.'' \62\ Furthermore, 
``knowledge of the capability of monitoring alone cannot be considered 
implied consent.'' \63\ The cases where consent has been implied 
involve very explicit notice; many of them involve the monitoring of 
prisoners' phone calls.\64\
---------------------------------------------------------------------------
    \59\ Watkins. 704 F.2d at 581 (``Consent under title III is not to 
be cavalierly implied. Title III expresses a strong purpose to protect 
individual privacy by strictly limiting the occasions on which 
interception may lawfully take place.'').
    \60\ Griggs-Ryan v. Smith, 904 F.2d 112, 117 (1st Cir. 1990).
    \61\ In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 20 (1st 
Cir. 2003); see also United States v. Corona-Chavez, 328 F.3d 974, 978 
(8th Cir. 2003).
    \62\ Berry v. Funk, 146 F.3d 1003, 1011 (D.C. Cir. 1998) (internal 
quotation omitted).
    \63\ Watkins, 704 F.2d at 581; see also Deal v. Spears, 980 F.2d 
1153, 1157 (8th Cir. 1992) (holding that consent not implied when 
individual is aware only that monitoring might occur, rather than 
knowing monitoring is occurring).
    \64\ ``The circumstances relevant to an implication of consent will 
vary from case to case, but the compendium will ordinarily include 
language or acts which tend to prove (or disprove) that a party knows 
of, or assents to, encroachments on the routine expectation that 
conversations are private. And the ultimate determination must proceed 
in light of the prophylactic purpose of Title III--a purpose which 
suggests that consent should not casually be inferred.'' Griggs-Ryan, 
904 F.2d at 117.
---------------------------------------------------------------------------
    Consent is context-based. It is one thing to imply consent in the 
context of a prison or a workplace, where notice may be presented as 
part of the daily log-in process. It is quite another to imply it in 
the context of ordinary Internet usage by residential subscribers, who, 
by definition, are using the service for personal and often highly 
sensitive communications. Continued use of a service after a mailed 
notice might not be enough to constitute consent. Certainly, mailing 
notification to the bill payer is probably insufficient to put all 
members of the household who share the Internet connection on notice.
    Thus, it seems that an assertion of implied consent, whether or not 
users are provided an opportunity to opt out of the system, would most 
likely not satisfy the consent exception for the type of interception 
or disclosure under consideration here. Express prior consent (opt-in 
consent) is clearly preferable and may be required. While meaningful 
opt-in consent would be sufficient, courts would likely be skeptical of 
an opt-in consisting merely of a click-through agreement--i.e., a set 
of terms that a user agrees to by clicking an on-screen button--if it 
displays characteristics typical of such agreements, such as a large 
amount of text displayed in a small box, no requirement that the user 
scroll through the entire agreement, or the opt-in provision buried 
among other terms of service.\65\
---------------------------------------------------------------------------
    \65\ See, e.g., Specht v. Netscape Commc'ns Corp., 306 F.3d 17 (2d 
Cir. 2002) (rejecting online arbitration agreement because, among other 
things, site permitted customer to download product without having 
scrolled down to arbitration clause and agreement button said only 
``Download''); United States v. Lanoue, 71 F.3d 966, 981 (1st Cir. 
1995) (``Deficient notice will almost always defeat a claim of implied 
consent.'').
---------------------------------------------------------------------------
    In regards to consent, the model under discussion here is 
distinguishable from the use of ``cookies,'' which were found to be 
permissible by a Federal district court in a 2001 case involving 
DoubleClick.\66\ In that case, the websites participating in the 
DoubleClick advertising network were found to be parties to the 
communications of the Internet users who visited those sites. As 
parties to the communications, the websites could consent to the use of 
the cookies to collect information about those communications. Here, of 
course, the ISPs are not parties to the communications being monitored 
and the interception or disclosure encompasses communications with 
sites that are not members of the advertising network. Therefore, the 
source of consent must be the IPS's individual subscribers, as it would 
be impossible to obtain consent from every single website that every 
subscriber may conceivably visit.
---------------------------------------------------------------------------
    \66\ In re DoubleClick Inc. Privacy Litig., 154 F.Supp.2d 497 
(S.D.N.Y. 2001).
---------------------------------------------------------------------------
II. State Laws Requiring Two-Party Consent to Interception

A. Summary
    In addition to the Federal Wiretap Act, a majority of states have 
their own wiretap laws, which can be more stringent than the Federal 
law. Most significantly, twelve states \67\ require all parties to 
consent to the interception or recording of certain types of 
communications when such interception is done by a private party not 
under the color of law.
---------------------------------------------------------------------------
    \67\ The twelve states are California, Connecticut, Florida, 
Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New 
Hampshire, Pennsylvania, and Washington.
---------------------------------------------------------------------------
    In several of these states--for example, Connecticut--the all-party 
consent requirement applies only to the recording of oral 
conversations. In others, the all-party consent rule extends to both 
voice and data communications. For example, Florida's Security of 
Communications Act makes it a felony for any individual to intercept, 
disclose, or use any wire, oral, or electronic communication, unless 
that person has obtained the prior consent of all parties \68\ 
Similarly, the Illinois statute on criminal eavesdropping prohibits a 
person from ``intercept[ing], retain[ing], or transcrib[ing an] 
electronic communication unless he does so . . . with the consent of 
all of the parties to such . . . electronic communication.'' \69\
---------------------------------------------------------------------------
    \68\ Fla. Stat.  934.03(1).
    \69\ Ill. Comp Stat. 5/14-1(a)(1).
---------------------------------------------------------------------------
    The most important all-party consent law may be California's, 
because the California Supreme Court held in 2006 that the law can be 
applied to activity occurring outside the state.

B. California
    The 1967 California Invasion of Privacy Act makes criminally liable 
any individual who ``intentionally taps, or makes any unauthorized 
connection . . . or who willfully and without the consent of all 
parties to the communication . . . reads, or attempts to read, or to 
learn the contents or meaning of any message . . . or communication 
while the same is in transit or passing over any wire, line, or cable, 
or is being sent from, or received at any place'' in California.\70\ It 
also establishes liability for any individual ``who uses, or attempts 
to use, in any manner . . . any information so obtained'' or who aids 
any person in doing the same.\71\ The law has a separate section 
creating liability for any person eavesdropping upon or recording a 
confidential communication ``intentionally and without the consent of 
all parties,'' whether the parties are present in the same location or 
communicating over telegraph, telephone, or other device (except a 
radio).\72\
---------------------------------------------------------------------------
    \70\ Cal. Pen. Code  631(a).
    \71\ Id.
    \72\ Id.  632(a). The statute explicitly excludes radio 
communications from the category of confidential communications.
---------------------------------------------------------------------------
    Consent can be implied only in very limited circumstances. The 
California State Court of Appeals held in People v. Garber that a 
subscriber to a telephone system is deemed to have consented to the 
telephone company's monitoring of his calls if he uses the system in a 
manner that reasonably justifies the company's belief that he is 
violating his subscription rights, and even then the company may only 
monitor his calls to the extent necessary for the investigation.\73\ An 
individual can maintain an objectively reasonable expectation of 
privacy by explicitly withholding consent for a tape recording, even if 
the other party has indicated an intention to record the 
communication.\74\
---------------------------------------------------------------------------
    \73\ 275 Cal. App. 2d 119 (Cal. App. 1st Dist. 1969).
    \74\ Nissan Motor Co. v. Nissan Computer Corp., 180 F. Supp. 2d 
1089 (C.D. Cal. 2002).
---------------------------------------------------------------------------
    In Kearney v. Salomon Smith Barney, Inc., the state Supreme Court 
addressed the conflict between the California all-party consent 
standard and Georgia's wiretap law, which is modeled after the Federal 
one-party standard.\75\ It held that, where a Georgia firm recorded 
calls made from its Georgia office to residents in California, the 
California law applied. The court said that it would be unfair to 
impose damages on the Georgia firm, but prospectively the case 
effectively required out-of-state firms having telephone communications 
with people in California to announce to all parties at the outset 
their intent to record a communication. Clear notice and implied 
consent are sufficient. ``If, after being so advised, another party 
does not wish to participate in the conversation, he or she simply may 
decline to continue the communication.'' \76\
---------------------------------------------------------------------------
    \75\ 39 Cal. 4th 95 (2006).
    \76\ Id. At 118.
---------------------------------------------------------------------------
C. The Implications of Kearney
    The Kearney case arose in the context of telephone monitoring, and 
there is a remarkable lack of case law addressing whether the 
California statute applies to Internet communications. If it does, or 
if there is one other state that applies its all-party consent rule to 
conduct affecting Internet communications across state lines, then no 
practical form of opt-in, no matter how robust, would save the practice 
of copying Internet content for behavioral advertising. That is, even 
if the ISP only copies the communications of those subscribers that 
consent, and the monitoring occurs only inside a one-party consent 
state, as soon as one of those customers has a communication with a 
non-consenting person (or website) in an all-party consent state that 
applies its rule to interceptions occurring outside the state, the ISP 
would seem to be in jeopardy. The ISP could not conceivably obtain 
consent from every person and website in the all-party consent state. 
Nor could it identify (for the purpose of obtaining consent) which 
people or websites its opted-in subscribers would want to communicate 
with in advance of those communications occurring.
    A countervailing argument could be made that an all-party consent 
rule is not applicable to the behavioral advertising model, since the 
process only copies or divulges one half of the communication, namely 
the half from the consenting subscriber.

III. Conclusion
    The practice that has been described to us, whereby an ISP may 
enter into an agreement with an advertising network to copy and analyze 
the traffic content of the ISP's customers, poses serious questions 
under the Federal Wiretap Act. It seems that the disclosure of a 
subscriber's communications is prohibited without consent. In addition, 
especially where the copying is achieved by a device owned or 
controlled by the advertising network, the copying of the contents of 
subscriber communications seems to be, in the absence of consent, a 
prohibited interception. Affirmative express consent, and a cessation 
of copying upon withdrawal of consent, would probably save such 
practices under Federal law, but there may be state laws requiring all-
party consent that would be more difficult to satisfy.

    Senator Dorgan. Ms. Harris, thank you very much. We 
appreciate your testimony.
    Mr. Chris Kelly is the Chief Privacy Officer for Facebook 
Incorporated. Mr. Kelly, you may proceed.

STATEMENT OF CHRIS KELLY, CHIEF PRIVACY OFFICER, FACEBOOK, INC.

    Mr. Kelly. Thank you very much, Chairman Dorgan and Members 
of the Committee, for the opportunity to address the Committee 
about the important privacy matters facing the online 
advertising industry.
    I am Chris Kelly, the Chief Privacy Officer of Facebook, a 
social service on the Internet that serves more than 80 million 
active users, about 30 million of whom are in the United 
States.
    Facebook aims to create social value by empowering people 
to share their lives and experiences with the people they care 
about. From the founding of the company in a dorm room in 2004 
until today, Facebook's privacy settings have given users 
control over who has access to their personal information by 
allowing them to choose the friends they accept and the 
networks they join.
    We are dedicated to developing advertising that is relevant 
and personal and to transparency with our users about how we 
use their information in the advertising context. We are 
pleased to discuss both Facebook's general approach to privacy 
and how these principles have been implemented in advertising 
provided by Facebook.
    With many mainstream media reports focusing on privacy 
concerns about social networking sites, we first want to 
clarify how our site differs from most. Though we will not 
always address user concerns perfectly--no site can--Facebook 
is committed to empowering users to make their own choices 
about what information they share and with whom they share it.
    The statement that opens our privacy policy, a short, plain 
English introduction, is the best place to start this 
discussion. It reads: ``We built Facebook to make it easy to 
share information with your friends and people around you. We 
understand you may not want everyone in the world to have the 
information you share on Facebook; that is why we give you 
control of your information. Our default privacy settings limit 
the information displayed in your profile to your networks and 
other reasonable community limitations we tell you about.''
    Facebook follows two core principles:
    First, you should have control over your personal 
information. Facebook helps you share information with your 
friends and people around you. You choose what information you 
put in your profile, including contact and personal 
information, pictures, interests and groups that you join. And 
you control the users with whom you share that information 
through the privacy settings on the Privacy page.
    Two, you should have access to the information that others 
want to share. There is an increasing amount of information 
available out there, and you may want to know what relates to 
you, your friends, and people around you. We want to help you 
easily get that information.
    Sharing information should be easy. And we want to provide 
you with the privacy tools necessary to control how and with 
whom you share that information. If you have any questions or 
ideas, please send them to [email protected], the e-mail 
address that we regularly monitor.
    We implement these principles through our friend and 
network architectures and through controls that are built into 
every one of our innovative products. Contrary to common public 
reports, full profile data on Facebook is not even available to 
most users on Facebook, let alone all users of the Internet. 
Users have extensive and precise controls available to choose 
who sees what among their networks and friends, as well as 
tools that give them the choice to make a limited set of 
information available to search engines and other outside 
entities.
    The privacy link that appears in the upper right-hand 
corner of every Facebook page allows users to make these 
choices whenever they are using the site, and everyday use of 
the site educates users as to the meaning of privacy controls. 
For instance, a user will see regularly that they have access 
to the profiles of their friends and those who share a network 
with them, but not to profiles of those who are neither friends 
nor network members.
    In February 2008, Facebook simplified and streamlined its 
presentation of privacy settings to users, adopting a common 
lock icon throughout the site to denote the presence of a user-
configurable privacy setting. We also introduced the concept of 
``Friends Lists'' which, when paired with privacy settings, 
allow users to easily configure subsets of their confirmed 
friends who may see certain content. We are constantly looking 
for means to give users more effective control over their 
information and to improve communications with users and the 
general public about our privacy architecture so that they can 
make their own choices about what they want to reveal.
    I want to say a few words about privacy and advertising on 
Facebook. It is important to stress in the first instance that 
targeting of advertising generally benefits users. But we have 
revealed in our privacy policy for nearly 3 years the 
following. We have had the following statement present. 
``Facebook may use information in your profile without 
identifying you as an individual to third parties. We do this 
for purposes such as aggregating how many people in a network 
like a band or a movie and personalizing advertisements and 
promotions so that we can provide you Facebook. We believe this 
benefits you. You can know more about the world around you and, 
where there are advertisements, they are more likely to be 
interesting to you. For example, if you put a favorite movie in 
your profile, we might serve you an advertisement highlighting 
a screening of a similar one in your town. But we don't tell 
the movie company who you are.''
    This critical distinction that we embrace in our policies 
and practices and that we want users to understand is between 
the use of personal information for advertisements in 
personally identifiable form and the use, dissemination, or 
sharing of information with advertisers in non-personally 
identifiable form. Ad targeting that shares or sells personally 
identifiable information to advertisers without user control is 
fundamentally different from targeting that only gives 
advertisers the ability to present their ads based on aggregate 
data.
    And with that, I see that my time is up. So I look forward 
to answering your questions. Thank you.
    [The prepared statement of Mr. Kelly follows:]

  Prepared Statement of Chris Kelly, Chief Privacy Officer, Facebook, 
                                  Inc.

    Thank you, Mr. Chairman, for the opportunity to address the 
Committee about the important privacy matters facing the online 
advertising industry.
    I am Chris Kelly, the Chief Privacy Officer of Facebook, a social 
service on the Internet that serves more than 80 million active users, 
roughly 30 million of whom are in the United States.
    Facebook aims to create social value by empowering people to share 
their lives and experiences with the people they care about. From the 
founding of the company in a dorm room in 2004 to today, Facebook's 
privacy settings have given users control over who has access to their 
personal information by allowing them to choose the friends they accept 
and networks they join.
    We are dedicated to developing advertising that is relevant and 
personal, and to transparency with our users about how we use their 
information in the advertising context. We are pleased to discuss both 
Facebook's general approach to privacy and how these principles have 
been implemented in advertising provided by Facebook.
    With many mainstream media reports focusing on privacy concerns 
about ``social networking sites,'' we first want to clarify how our 
site differs from most. Though we will not always address user concerns 
perfectly--no site can--Facebook is committed to empowering users to 
make their own choices about what information they share, and with whom 
they share it.

I. Facebook and Privacy
    The statement that opens our privacy policy, a short plain-English 
introduction, is the best place to start this discussion. It reads:

        We built Facebook to make it easy to share information with 
        your friends and people around you. We understand you may not 
        want everyone in the world to have the information you share on 
        Facebook; that is why we give you control of your information. 
        Our default privacy settings limit the information displayed in 
        your profile to your networks and other reasonable community 
        limitations that we tell you about.

    Facebook follows two core principles:

        1. You should have control over your personal information.
        Facebook helps you share information with your friends and 
        people around you. You choose what information you put in your 
        profile, including contact and personal information, pictures, 
        interests and groups you join. And you control the users with 
        whom you share that information through the privacy settings on 
        the Privacy page.

        2. You should have access to the information others want to 
        share.
        There is an increasing amount of information available out 
        there, and you may want to know what relates to you, your 
        friends, and people around you. We want to help you easily get 
        that information.

        Sharing information should be easy. And we want to provide you 
        with the privacy tools necessary to control how and with whom 
        you share that information. If you have questions or ideas, 
        please send them to [email protected].

    We implement these principles through our friend and network 
architectures, and through controls that are built into every one of 
our innovative products. Contrary to common public reports, full 
profile data on Facebook isn't even available to most users on 
Facebook, let alone all users of the Internet. Users have extensive and 
precise controls available to choose who sees what among their networks 
and friends, as well as tools that give them the choice to make a 
limited set of information available to search engines and other 
outside entities.
    The ``privacy'' link that appears in the upper-right hand corner of 
every Facebook page allows users to make these choices whenever they 
are using the site, and everyday use of the site educates users as to 
the meanings of privacy controls. For instance, a user will see 
regularly that they have access to the profiles of their friends and 
those who share a network, but not to the profiles of those who are 
neither friends nor network members.
    In February 2008, Facebook simplified and streamlined its 
presentation of privacy settings to users, adopting a common lock icon 
throughout the site to denote the presence of a user-configurable 
privacy setting. We also introduced the concept of ``Friends Lists,'' 
which, when paired with privacy settings, allow users to easily 
configure a subset of their confirmed friends who may see certain 
content. We are constantly looking for means to give users more 
effective control over their information and to improve communications 
with users and the general public about our privacy architecture so 
they can make their own choices about what they want to reveal.
    For instance, we participated in the Federal Trade Commission's 
workshop on new advertising technologies, and have been working with 
government officials and nongovernmental organizations throughout the 
globe. Facebook has also worked productively with state and Federal 
officials, as well as law enforcement, to explain our longstanding 
strategy to make the Internet safer by promoting responsibility and 
identity online, and is currently participating in the state Attorneys 
General Internet Safety Technical Task Force.

II. Privacy and Advertising on Facebook

A. Personally Identifiable and Non-Personally Identifiable Information
    It is important to stress here in the first instance that targeting 
of advertising generally benefits users. Receiving information that is 
likely to be relevant, whether paid for by an advertiser or not, leads 
to a better online experience. Facebook aims to be transparent with our 
users about the fact that advertising is an important source of our 
revenue and to explain to them fully the uses of their personal data 
they are authorizing by using Facebook. For instance, the following 
explanation of how we use information for advertising has been a 
prominent part of our privacy policy for nearly 3 years:

        Facebook may use information in your profile without 
        identifying you as an individual to third parties. We do this 
        for purposes such as aggregating how many people in a network 
        like a band or movie and personalizing advertisements and 
        promotions so that we can provide you Facebook. We believe this 
        benefits you. You can know more about the world around you and, 
        where there are advertisements, they're more likely to be 
        interesting to you. For example, if you put a favorite movie in 
        your profile, we might serve you an advertisement highlighting 
        a screening of a similar one in your town. But we don't tell 
        the movie company who you are.

    The critical distinction that we embrace in our policies and 
practices, and that we want users to understand, is between the use of 
personal information for advertisements in personally-identifiable 
form, and the use, dissemination, or sharing of information with 
advertisers in non-personally-identifiable form. Ad targeting that 
shares or sells personal information to advertisers (name, e-mail, 
other contact oriented information) without user control is 
fundamentally different from targeting that only gives advertisers the 
ability to present their ads based on aggregate data. Most Facebook 
data is collected transparently in personally identifiable form--users 
know they are providing the data about themselves and are not forced to 
provide particular information.\1\ Sharing information on the site is 
limited by user-established friend relationships and user-selected 
networks that determine who has access to that personal information. 
Users can see how their data is used given the reactions of their 
friends when they update their profiles, upload new photos or videos, 
or update their current status.
---------------------------------------------------------------------------
    \1\ Currently, only four pieces of data are required to establish 
and maintain a Facebook account--e-mail address to provide a unique 
login identifier, birthdate to calculate age, name to provide a 
standard identifier (our Terms of Use require real name), and gender to 
promote the accuracy of grammar through the site infrastructure.
---------------------------------------------------------------------------
    On Facebook, then, a feedback loop is established where people know 
what they are uploading and receive timely reactions from their 
friends, reinforcing the fact they have uploaded identifiable 
information. The privacy policy and the users' experiences inform them 
of how advertising on the service works--advertising that enables us to 
provide the service for free to users is targeted to the expressed 
attributes of a profile and presented in the space on the page 
allocated for advertising, without granting an advertiser access to any 
individual user's profile.
    Furthermore, advertising on Facebook is subject to guidelines 
designed to avoid deceptive practices, and with special restrictions 
and review with respect to any advertising targeted at minors.
    I cannot stress strongly enough that Facebook does not authorize 
access by the Internet population at large, including advertisers, to 
the personally identifiable information that a user willingly uploads 
to Facebook. Facebook profiles have extensive user-configurable rules 
limiting access to information contained in them. Unless a user decides 
otherwise by willingly sharing information with an advertiser--for 
instance, through a contest--advertisers may only target advertisements 
against non-personally identifiable attributes about a user of Facebook 
derived from profile data.
    We recognize that other Internet services may take a different 
approach to advertisers and the information available to them. 
Advertising products that sell personally identifiable information to 
advertisers without user permission, that rely on transforming non-
personally identifiable information into personally identifiable 
information without robust notice and choice to users, or that rely on 
data collection that a user has scant notice of and no control over, 
raise fundamentally different privacy concerns. Facebook does not offer 
such products today and has no intention of doing so. Advertising 
products founded on the principles of transparency and user control, 
where data is collected directly from users in personally identifiable 
space and targeting is done based on aggregate or characteristic data 
in non-personally identifiable space, respect the principle that sits 
at the heart of privacy concerns.

B. History of Facebook Ads and Beacon
    Perhaps because our site has developed so quickly, we have 
sometimes been inartful in communicating with our users and the general 
public about our advertising products. It therefore may be fruitful to 
provide a brief history of the current Facebook advertising offerings, 
including Facebook Ads and Social Ads, as well as the Beacon product 
that garnered significant public attention late last year.
    In November 2007, Facebook introduced Facebook Ads, which consisted 
of both a basic self-service targeting infrastructure based on the non-
personally identifiable use of keywords derived from profile data, and 
Social Ads, which allow for the paid promotion of certain interactions 
users take online to those users' friends in conjunction with an 
advertiser message. The basic targeting infrastructure of Facebook Ads 
is quite similar to many other Internet advertising systems, where 
media buyers and agencies can purchase guarantees that their 
advertisements will run to people who have certain characteristics, 
often expressed (as they are in Facebook Ads) in ``keywords,'' or in 
demographic categories such as men between 29 and 34.
    Social Ads are an innovation in that they allow advertisers to pay 
for promotion of certain interactions users take online to those users' 
friends. For example, if I become a supporter of a particular political 
figure on Facebook, their campaign could pay to promote that fact to 
more of my friends than would have been informed of it otherwise 
through the Facebook News Feed, and potentially pair a message from the 
campaign with it. It is notable first that only my action can trigger a 
Social Ad and that Social Ads are only presented to confirmed friends 
as opposed to the world at large; there will be no Social Ad generated 
noting my action to anyone but a confirmed friend. It is also notable 
that in this paid promotion context through Social Ads, an advertiser 
is not purchasing and does not have access to users' personal data--
they are only told that a certain number of users have taken relevant 
actions and the number of ads generated by those actions.
    We introduced at the same time as Facebook Ads a product called 
Beacon to allow users to bring actions they take on third-party sites 
into Facebook. Our introduction of this product with advertising 
technology led many to believe that Beacon was an ad product when it 
really was not. Participating third party sites do not pay Facebook to 
offer Beacon, nor must a third party site that wants to use Beacon 
purchase Facebook Ads. No Facebook user data is sold to or shared with 
these third party sites. In most cases, Beacon pertains to non-
commercial actions like the playing of a game or the adding of a recipe 
to an online recipe box. In other cases, we and the participating third 
party sites experimented with capturing purchases for sharing within a 
user's Facebook friend network, obviously a more commercial enterprise. 
In both the non-commercial and commercial contexts, we discovered in 
the weeks after launch that users felt they did not have adequate 
control over the information and how it was being shared with their 
friends.
    We quickly reached the conclusion that Beacon had inadequate built-
in controls driving user complaints, helped along by an organized 
campaign by MoveOn.org to get us to alter the product. We made 
significant changes within weeks after its launch to make it a fully 
opt-in system. We remain convinced that the goal of helping users share 
information about their activities on the web with their friends is 
desirable and appreciated. Indeed, a number of services now exist which 
attempt to help users in this way. While Beacon was cast in the 
mainstream press as an advertising product, it operates fundamentally 
as a means to connect, with a user's permission and control, actions 
elsewhere on the web with a user's Facebook friend network.
    We are currently working on the next generation of Facebook's 
interactions with third party websites, called Facebook Connect, to 
empower users further to share content and actions with their friends 
using the Facebook infrastructure, and are focused on assuring that 
proper controls are built into this system.

III. FTC Principles on Behavioral Targeting
    Finally, we would like to reinforce our earlier positive public 
comments about the Federal Trade Commission's leadership in addressing 
privacy concerns about how data is collected and shared online.
    As explained above, Facebook Ads are materially different from 
behavioral targeting as it is usually discussed, but given our goals of 
transparency and user control, the important corollary of ensuring 
appropriate security and the goal of providing users notice and choice 
with respect to service changes, we applaud the FTC's desire to 
establish principles in the online advertising area. We believe the FTC 
should expand and enhance the discussion in the principles about the 
distinction between personally and non-personally identifiable 
information to clarify the need for different treatment of advertising 
based on those different types of information. We will continue our 
participation in discussion of the principles as they evolve.
    Thank you again, Mr. Chairman, for the opportunity to share our 
views, and I am happy to answer any questions you may have.

                               Attachment
         Microsoft's Leadership on Consumer Privacy--July 2008

    Microsoft has a long-standing commitment to consumer privacy and we 
have put that commitment into action. Here are some examples:

    Broad Self-regulatory Approach for Online Advertising. Microsoft 
recently filed comments with the Federal Trade Commission explaining 
the need for a broad self-regulatory privacy approach to online 
advertising, noting that all online advertising activities involve data 
collection from users and therefore have privacy implications.
    Meaningful Online Advertising Principles. In July 2007, Microsoft 
announced five fundamental privacy principles for online search and ad 
targeting. These principles include commitments to user notice, user 
control, search data anonymization, security, and best practices.
    Clear and Upfront User Notice. Microsoft was one of the first 
companies to develop so-called ``layered'' privacy notices that give 
clear and concise bullet-point summaries of our practices and direct 
users to a place where they can find more information. We post a link 
to this user-friendly privacy notice on every one of our web pages.
    Robust User Control. Microsoft has recently deployed a robust 
method to enable users to opt out of behavioral advertising. 
Specifically, users can now tie their opt-out choice to their Windows 
Live ID so their choice can work across multiple computers and be more 
persistent (for example, deleting cookies will not erase their opt-out 
selection). We also highlight the availability of this opt-out choice 
on the first layer of our privacy notice.
    Unique Steps To De-Identify Data. Microsoft is unique in our use of 
a technical method (known as a one-way cryptographic hash) to separate 
search terms from account holders' personal information, such as name, 
e-mail address, and phone number, and to keep them separated in a way 
that prevents them from being easily recombined. We have also relied on 
this method to ensure that we use only data that does not personally 
identify individual consumers to serve ads online.
    Strict Search Data Anonymization. Microsoft will anonymize all 
search data after 18 months, which we believe is an appropriate time-
frame in our circumstances to enable us to maintain and improve the 
security, integrity and quality of our services. In addition, unlike 
other companies, we will irreversibly remove the entire IP address and 
other cross-session identifiers, such as cookies and other machine 
identifiers, from search terms after 18 months.
    Support for Federal and State Privacy Legislation. Microsoft has 
actively supported state legislation that would impose baseline notice, 
choice, and security requirements on entities that collect data to 
serve online ads. We also were one of the first companies to advocate 
for comprehensive Federal privacy legislation in the United States.
    Dedicated Privacy Personnel and Processes. Microsoft was one of the 
first companies to appoint a chief privacy officer, an action we took 
nearly a decade ago, and we currently employ over 40 employees who 
focus on privacy full-time, and another 400 who focus on it as part of 
their jobs. We have made significant investments in privacy in terms of 
dedicated personnel and training and by building robust privacy 
standards into our product development and other business processes.
    Guidelines for Third Parties. Microsoft is committed to helping 
others in industry protect consumers' privacy interests. For example, 
we have released a set of privacy guidelines designed to help 
developers build meaningful privacy protections into their software 
programs and online services.
    Consumer Education and Private-Public Sector Partnerships. 
Microsoft has taken steps to educate consumers about ways to protect 
themselves while online, and we have worked closely with industry 
members and law enforcement around the world to identify security 
threats, share best practices, and improve our coordinated response to 
privacy, security and other Internet safety issues.

    Senator Dorgan. Mr. Kelly, thank you very much. We 
appreciate your testimony.
    We will now hear from Mr. Clyde Wayne Crews, Jr., Vice 
President for Policy, Director of Technology Studies at the 
Competitive Enterprise Institute. Mr. Crews, welcome.

      STATEMENT OF CLYDE WAYNE CREWS, JR., VICE PRESIDENT

           FOR POLICY/DIRECTOR OF TECHNOLOGY STUDIES,

                COMPETITIVE ENTERPRISE INSTITUTE

    Mr. Crews. Thank you very much. Good morning, Mr. Chairman. 
I appreciate the opportunity to appear.
    Online behavioral marketing is not the devil, but with 
emergent technologies like biometrics on the horizon, data 
privacy debates like the ones we are facing today are only 
going to intensify. Targeted advertising helps fuel today's 
flood of information, frictionless e-commerce, and the global 
blogger soapbox. It has become cliche to note that the Internet 
is one of the most important wealth-creating and democratizing 
technologies ever known.
    But behavioral marketing stokes privacy fears. Is my data 
personally identifiable? Can it become so? Will my identity be 
stolen, and if a breach occurs, who is punished?
    Note that we were all angry when ads were untargeted spam. 
Now that ads are relevant, well, we are still not satisfied.
    Behavioral advertising employs heretofore unexploited 
capabilities of the Internet, reinforcing the reality that 
there is much more to the Internet than the web at any one 
juncture. It is only 2008.
    User preferences preclude one-size-fits-all privacy policy. 
Online some hide behind digital gated communities. Others 
parade in front of personal webcams. Privacy is not a thing to 
legislate. It is a relationship expressed in countless ways. 
Legislation would be complex. If online privacy is regulated, 
what about offline? Should the standard be opt-in or opt-out? 
Who defines behavioral or sensitive? Should state laws be 
preempted? What about noncommercial information collection?
    Industry already follows principles like the FTC's proposed 
opt-out for sensitive information even when the information is 
not personally identifiable, but the rise of the information 
society amid a homeland security culture is an unfortunate 
coincidence. Blurring of public and private databases 
complicates things. Programs like Total Information Awareness, 
CAPPSII, and a national ID undermine privacy when data cannot 
be confined to an agreed-upon business purpose.
    Government often does not need to protect privacy but to 
allow it in the first place. One is reminded of the old Peanuts 
cartoon of Snoopy sitting on top of the doghouse typing ``Dear 
IRS, please remove my name from your mailing list.''
    Another old joke goes that if McDonald's were giving away 
free Big Macs in exchange for a DNA sample, there would be 
lines around the block.
    But consumers do care. The Net itself enables collective 
consumer discontent, such as blog backlashes we have seen 
against companies. The result: firms alter their information 
handling procedures without law. Consumers can also avoid 
certain sites or use Anonymizer or Scroogle or TrackMeNot or a 
virtual private network. Choice mandates are not persuasive 
when choice is increasingly the default.
    This debate's fury implies that real market opportunities 
exist in providing online anonymity. A marketer does not 
necessarily want to know who you are but how somebody like you 
acts. No one in a free market is really lucky enough to self-
regulate as FTC puts it. Firms are regulated by consumer fury, 
rivals, by Wall Street, by intolerant investors. There is no 
such thing as no regulation. The choice we face is between 
political discipline or competitive discipline in an impatient 
market. Even companies on the frontier of behavioral 
advertising like Phorm and NebuAd face discipline. One's 
sympathies there are going to depend upon the ownership status 
one accords to a web page. But today's web page is not what 
tomorrow's web page is going to be with information and ads 
coming into the page from numerous sources.
    Privacy standards best thrive as a war between computer 
scientists. Marketing to an unidentified customer is today's 
happy goal, but at the very same time, there is great value in 
technologies that prevent others from posing as us. That is one 
reason the use of personally identifiable data should not be 
ruled out altogether.
    Meanwhile, we need improved cyberinsurance products and 
enhanced liability products to evolve online. Regulating can 
short-circuit such market innovations. The private sector needs 
practice for the really difficult cases like the emergence of 
biometrics.
    Privacy policies are already legally binding. Thus, a more 
fitting Federal agenda would target identity theft and computer 
crime and enforce privacy policies and stay neutral on computer 
science, keep compulsory databases separate from private ones, 
stabilize Government's own insecure networks, and avoid 
interventions like data retention that undermine security 
guarantees.
    To protect consumers online, we must consciously avoid 
entrenching regulations such that effective private 
alternatives and institutions, however warranted, simply cannot 
emerge. Online marketers are today's battered business bureau, 
but they need battering by competitive discipline, not just 
legislation.
    Thank you very much.
    [The prepared statement of Mr. Crews follows:]

   Prepared Statement of Clyde Wayne Crews, Jr., Vice President for 
Policy/Director of Technology Studies, Competitive Enterprise Institute

    The Competitive Enterprise Institute (CEI) is a non-profit public 
policy research foundation dedicated to individual liberty, limited 
government, and markets. We appreciate the opportunity to discuss 
policy issues surrounding online advertising.
    Privacy dilemmas are inevitable on the frontiers of an evolving 
information era, but CEI maintains that competitive approaches to 
online privacy and security will be more nimble and effective than 
rigid political mandates at safeguarding and enhancing consumer well-
being, facilitating commerce and wealth creation, and even contributing 
to the rise of the anonymous approaches to commerce we'd like to see.

The Rise of Privacy and Cybersecurity as Public Policy Issues
    The marvelous thing about the Internet is that one can contact and 
learn about anyone and anything. The downside is that the reverse is 
often true. The digital information age--against a backdrop of rising 
globalization--offers consumers unprecedented access to news, 
information, democratized credit and much more. Anyone may collect and 
share information on any subject, corporation, government--or in many 
cases, other individuals.
    Companies from retailers to search engines to software makers all 
collect consumer data--enough to fill vast server warehouses. Of 
course, websites have long collected and marketed information about 
visitors. The latest twist is that behavioral marketing firms ``watch'' 
our clickstreams to develop profiles or inform categories to better 
target future advertisements. Unarguably beneficial, the process stokes 
privacy concerns. Fears abound over the data's security; is any of it 
personally identifiable? If not, can it conceivably become so? Will 
personal information fall into the wrong hands? Will it become public? 
And if a breach occurs, who's punished? While Capitol Hill, beltway 
regulators or state governments are seen often as the first line of 
defense, regulatory and legislative proposals, much like the anti-spam 
law, can fall short of success. Aspirations can exceed actual 
legislative capability.
    Clearly, as a technological phenomenon, mass transactional data 
tracking and collection are here to stay; and with nascent technologies 
like biometrics that could fully authenticate users on the horizon, the 
debates will only intensify.
    Along with behavioral advertising, new data-mining and biometrics 
technologies promise higher levels of convenience and, ultimately, more 
secure commerce online. Beyond the ``merely'' commercial, the 
technologies also hint at greater physical security in the ``homeland'' 
and in our workplaces via authentication.
    On the upside, online advertising enables today's familiar 
subscription-fee-free cornucopia of news and information, and the free 
soapbox enjoyed by bloggers worldwide. It's become cliche to note the 
commercialized Internet is one of the most important wealth-creating 
sectors and democratizing technologies ever known. Benefits to society 
range from frictionless e-commerce, to the democratization of 
privileges once available only to the rich, to a megaphone for all.
    This online bounty has also brought real and imagined privacy 
vulnerabilities to the forefront, ranging from personal identity theft 
to exposure of private thoughts and behavior online. Once, we could 
contend merely with nuisances like spam, cookie-collection practices 
and the occasional spyware eruption. Since policies today are being 
formulated in the context of a post-Sept. 11 world, cybersecurity and 
computerized infrastructure access and security join routine privacy as 
prime policy issues. Adding complexity is the noted emergence of 
biometric technologies and highly engineered data mining that could 
alter the future of behavioral marketing. Thus we must contend not just 
with run of the mill commercial aspects of privacy policies, but with 
national security themes and what some consider a dangerous new 
surveillance state.
    The question is, do newfangled data collection techniques threaten 
fundamental expectations of privacy, and in the case of government data 
collection, even liberty itself?
    What principles distinguish between proper and improper uses of 
personal information, and what policies maximize beneficial e-commerce 
and consumer welfare? Business use of behavioral advertising can be 
irritating, but many have made peace with advertisers' using personal 
information. One-size-fits-all privacy mandates will undermine e-
commerce and the consumer benefits we take for granted. Sweeping 
regulations can especially harm start-ups that lack the vast data 
repositories already amassed by their larger competitors. Our policies 
should be consistent with tomorrow's entrepreneurs (and consumers) 
starting businesses of their own to compete with the giants of today.
    Thus, privacy policies need to be filtered through the lens of the 
entire society's needs. We must consider the impact on: (1) consumers, 
(2) e-commerce and commerce generally, (3) broader security, 
cybersecurity, homeland security and critical infrastructure issues, 
and finally (4) citizen's 4th amendment protections.
    Happily the prospect of billions in economic losses from mistakes 
incentivize the market's efforts to please consumers and safeguard 
information and networks.

Web Functionality Continues to Unfold
    The recent emergence of behavioral advertising reinforces the 
easily forgotten reality that there's more to the Internet than the 
``Web'' at any given juncture; it's only 2008, and there are doubtless 
more commercially valuable avenues for marketing yet to be discovered 
in the decades ahead. Targeted, behavioral and contextual advertising 
make use of heretofore unexploited underlying capabilities of the 
Internet, possibilities that hadn't yet occurred to anyone else, just 
as the original banner ad trailblazers first did years ago--and, yes, 
just as the spammers did.

At the Outset: Policy Must Distinguish Between Public and Private Data
    Parameters are needed to talk coherently about the treatment of 
individual's data. Information acquired through the commercial process 
must be kept separate from that extracted through government mandates. 
Similarly, private companies generally should not have access to 
information that government has forced individuals to relinquish (what 
one might call the ``Social Security'' problem). Private industry 
should generate its own marketing-related information (whether 
``personally identifiable'' or not), for purposes limited by consumer 
acceptance or rejection, rather than piggyback on government IDs. 
Confidentiality is a value, and should be a competitive feature.
    Conversely, for any debate over behavioral advertising to make 
sense, corporate America needs to be able to make credible privacy 
assurances to the public. People need to know that the data they 
relinquish is confined to an agreed-upon business, transactional or 
record-keeping purpose, not incorporated in a government database. If 
regulators end up routinely requiring banks, airlines, hotels, search 
engines, software companies, Internet service providers and other 
businesses to hand over private information (in potentially vulnerable 
formats), they will not only undermine evolving commercial privacy 
standards, including behavioral, but make them impossible. Government's 
own information security practices is the elephant in the room when it 
comes to contemplating e-commerce sector's stance with respect to 
privacy. It's all too easy to give the online marketing industries a 
black eye and risk turning society against the technologies, and ensure 
regulation and politicization. Private data and public data policies 
are potentially on a collision course, but need not be.
    The benefits that personalization brings, like easier, faster 
shopping experiences, are in their infancy. Sensible data collection 
improves search, communication, ability to innovate, U.S. 
competitiveness--all the things we associate with a well-functioning 
economy and evolution in healthy consumer convenience and power.

Privacy Legislation: Premature and Overly Complex
    In contemplating government's role with respect to privacy and 
information security, we must recognize the realities of differing user 
preferences that preclude one-size-fits-all privacy and security 
policy. Online, there are exhibitionists and hermits. Some hide behind 
the equivalent of gated communities; others parade less-than-fully 
clothed before personal webcams.
    Note how we work ourselves up into a lather: policymakers were 
concerned about privacy when ads were untargeted and irrelevant (spam); 
now a solution--behavioral and contextual marketing--makes ads 
relevant, and we're hand-wringing about privacy there too. 
Incidentally, spam was framed as a privacy problem, but in reality the 
spammer didn't typically know who you were. Likewise, a positive early 
development in behavioral advertising is that personally identifiable 
information is not always crucial to the marketer (although sensible 
uses of personally identifiable information should not be thwarted). 
Too often, the complaint seems to be commerce as such. For example, the 
Federal Communications Commission recently decided to investigate the 
``problem'' with embedded ads in TV programming.\1\
---------------------------------------------------------------------------
    \1\ Associated Press, ``FCC to look into embedded advertising on 
TV,'' MSNBC.com. June 26, 2008. http://www.msnbc.msn.com/id/25401193/.
---------------------------------------------------------------------------
    Policy should recognize privacy is not a single ``thing'' for 
government to protect; it is a relationship expressed in countless 
ways. That relationship is best facilitated by emergent standards and 
contracts--like the Network Advertising Initiative's behavioral 
advertising principles \2\ that predate the Federal Trade Commission's 
late 2007 principles \3\--and in emergent market institutions like 
identity theft insurance. Apart from varied privacy preferences, any 
legislative effort to regulate behavioral advertising gets exceedingly 
complex:
---------------------------------------------------------------------------
    \2\ http://www.networkadvertising.org/networks/
principles_comments.asp.
    \3\ Federal Trade Commission, ``Behavioral Advertising, Moving the 
Discussion Forward to Possible Self-Regulatory Principles,'' December 
20, 2007. http://www.ftc.gov/os/2007/12/P859900stmt.pdf.

---------------------------------------------------------------------------
   If online privacy is regulated, what about offline?

   Should behavioral advertising be opt-in or opt-out? (Why and 
        when?)

   Who defines which advertising is ``behavioral''?

   What is the legislative line between sensitive, and non-
        sensitive, personally identifiable information?

   Should the Federal Government pre-empt state privacy laws?

   Will the privacy rules apply to government?

   Will government abstain from accessing or seizing private 
        databases?

   What about non-commercial information collection? (Will the 
        rules apply to bloggers? Or to Facebook activism?)

   What about consumer harm caused by privacy legislation 
        (Given that in the business world, most transactions occur 
        between strangers.)

   What of practical problems of written privacy notices? 
        (Especially given the declining importance of the desktop, the 
        emergent web-like multi-sourced nature of web-pages themselves, 
        smaller wireless-device screens, and the ``thing-to-thing'' Net 
        that bypasses humans altogether.)

   Could disclosure and reporting mandates create a burdensome 
        paperwork requirements detrimental to small businesses? (A 
        privacy ``Sarbanes-Oxley'')

   What about the right to remain anonymous; Behavioral 
        marketing appears to be on course to facilitate anonymous 
        transactions; will government permit it? How should tolerance 
        of anonymity differ in commercial and political contexts?

    The Internet was designed as an open, non-secure network of semi-
trusted users. Thus one interpretation of the nature of the cyberspace 
is that advertisers may legitimately assemble information on what is 
clearly a very public network that never offered any real pretense of 
security. But even assuming one's online pursuits can be tracked, 
privacy tools nonetheless are emerging, and vendors must be held to 
commitments. Given legislation's complications and the Internet's 
inherent security limitations, a rational policy prescription should be 
more limited: Hold the private sector accountable to the contracts and 
guarantees it makes, and target identity theft and the criminals who 
perpetrate it. If legislation merely does such things as send bad 
actors overseas, we merely create regulatory hassles for mainstream 
companies that already follow ``best practices,'' and for small 
businesses trying to make a go of legitimate e-commerce.
    As in spam debate, we face less a legislative problem than a 
technological one. It's true that social norms and expectations have 
yet to gel--but those are as varied as individuals are.

Marketing Is Not Today's Dominant Information Collection Threat
    The emphasis on online privacy legislation could represent a case 
of misdirected energy. The most important information collection issues 
of the day are not related to mere marketing; rather, criminals who 
ignore already existing laws and will ignore any new law, are the ones 
creating mischief online, abusing the trust we have or would like to 
have in vendors. Meanwhile, government surveillance and information 
collection threaten liberties and genuine privacy--and one cannot ``opt 
out.'' (One is reminded of the Peanuts cartoon of Snoopy sitting on his 
doghouse typing, ``Dear IRS . . . Please remove my name from your 
mailing list.'') \4\
---------------------------------------------------------------------------
    \4\ http://www.freerepublic.com/focus/f-news/1384722/posts.
---------------------------------------------------------------------------
    The stringent opt-in standard some seek in the behavioral marketing 
debate is not one government tolerates for itself. The post-Sept. 11 
push for compulsory national ID cards, warrant-less wiretapping and 
escalating data retention mandates signify a government more inclined 
toward infringing privacy than acting as guarantor.
    The rise of the information society amid a ``homeland security 
culture'' is an unfortunate coincidence, an accident, but one that 
colors debates over marketing that would otherwise be more pedestrian. 
The tendency of government to interfere with privacy practices is 
undeniable: Total Information Awareness, CAPPSII, and a national ID are 
examples of expansive government efforts that would undermine the 
private sector's freedom and ability to make privacy assurances in the 
first place.
    Worse, when technology companies contract with government for 
information services, they would very likely request immunity for data 
breaches by extension of the Homeland Security Act that grants similar 
immunities for failed security technologies; so if markets are tempted 
to repudiate self-regulation and liability for privacy standards, 
government oversight becomes the default. The ``homeland security 
culture'' can undermine the market's entrepreneurial tendency to 
resolve the dilemmas created by information sharing.
    Deliberations over privacy and online security should start with 
the recognition that government often doesn't need to protect our 
privacy, it needs to allow it in the first place. Business, whatever 
missteps happen in behavioral marketing, can deliver. As it stands, 
nobody's in any position to make ironclad security guarantees given the 
open nature of the Internet, but the Web is a giant research 
experiment, and techniques will improve. In fact, as behavioral 
tracking does begin to employ personally identifiable information, 
security benefits in ways that people will approve. The Net's 
governmental origins have left privacy expectations and rights somewhat 
ill-defined in many online contexts. But we all at times need to 
identify ourselves and validate the identity of others.

Consumers are Not Powerless: The Redundancy of FTC Standards
    In spite the Net's vulnerabilities, consider how legislation pales 
compared to unforgiving competitive discipline. An old joke holds that 
if McDonald's was giving away free Big Macs in exchange for a DNA 
sample, there would be lines around the block. But consumers do care; 
and thanks to the Internet itself, they are hardly a voiceless mass.
    Every few weeks brings new headlines about government data-handling 
debacles, such as governmental bodies forcing employees to carry Social 
Security cards on their person, or the IRS requirement that payment 
checks feature the SSN.\5\ Confidence isn't inspired when the 
government's information practices lag the private sector's.
---------------------------------------------------------------------------
    \5\ Associated Press, ``U.S. Contradicts Itself Over Its Own ID 
Protection Advice,'' SiliconValley.com, July 2, 2008. http://
www.siliconvalley.com/news/ci_9762027?nclick
_check=1.
---------------------------------------------------------------------------
    Contrast that with what happens to a careless private firm. Google 
and its recent mergers and alliances put it under scrutiny, but why? 
(Recall it was Google that in 2006 refused to hand over user search 
data to the Justice Department; and Google's YouTube division is now 
being forced by a New York district court to hand over user viewing 
records in a video piracy case. Google not unsurprisingly objects.) But 
imagine if Google suffered a serious data breach. Consumers would lose 
trust, and Google could lose millions. Examples abound of consumer 
sovereignty, such as the backlash against Facebook's Beacon that cross-
posted users shopping activities on friends' sites,\6\ and Comcast's 
de-prioritizing of certain file sharing transfers. Today's Internet 
users are empowered to educate the world about business practices of 
which they disapprove. The blogosphere transforms Web users into 
citizen-journalists, harnessing the power of collective discontent. The 
result: Companies routinely change and improve their information 
handling procedures without law.
---------------------------------------------------------------------------
    \6\ Caroline McCarthy, ``MoveOn.org takes on Facebook's `Beacon' 
ads,'' CNet News.com. November 20, 2007. http://news.cnet.com/8301-
13577_3-9821170-36.html.
---------------------------------------------------------------------------
    Policies proposed in the name of what consumers want or should want 
are all too common, as if the ideas hadn't occurred to anyone in the 
competitive marketplace already, or as if the markets hadn't been 
forced to adapt already, or as if issues weren't more complicated than 
the regulators suppose.
    For example, the November 2007 FTC proposal on behavioral 
advertising offers pedestrian principles that have long been in play: 
\7\ Paraphrasing, sites should declare that info is being collected and 
used and users can opt out; data should be ``reasonably secured,'' and 
retained only as long as necessary; affirmative consent be given for 
privacy policy changes; and sensitive information should not be 
collected at all, or only with affirmative opt-in.
---------------------------------------------------------------------------
    \7\ Federal Trade Commission, 2007.
---------------------------------------------------------------------------
    Where do the real incentives lie? Industry looks at what consumers 
actually want; industry often already embraces opt-in for sensitive 
information categories, even when the information is not personally 
identifiable. And if not so empowered by a benevolent vendor, users can 
already exercise the choice allegedly sought in privacy legislation; 
they can simply choose not to disclose sensitive information on certain 
sites, or employ privacy software that can thwart unwanted data 
collection and allow anonymous Web browsing. ``Anonymizer'' is still 
out there for encrypted, anonymous surfing. People can switch to 
``Scroogle'' to disguise their Google searches; A consumer can use a 
dedicated tool to nullify his identity prior to a sensitive search like 
``HIV''; TrackMeNot can send out ``white noise'' search queries to 
disguise the real one. No mandates for choice are needed; choice is the 
default, whether vendors prefer it or not.
    In terms of competitive enterprise, the divisiveness of a debate 
like behavioral marketing implies that real market opportunities exist 
in providing online anonymity. After all, despite all the hand-wringing 
over personally identifiable information, any given marketer doesn't 
necessarily need to know who you are, but how somebody like you acts. 
(Much like a politician seeking a vote, incidentally.) Again, the worry 
is less that the market is invading our privacy and more whether that 
anonymity will be permitted politically when it finally is available to 
us commercially.

``Self-Regulation'' Is a Misnomer
    Privacy and security need to be competitive features. We need to 
foster competition in reputations. And we need flexibility when the 
inevitable mistakes are made.
    Businesses compete; and one area in which they can compete is in 
the development of technologies that enhance security. Washington's 
inclination toward regulating online consumer relationships threatens 
to undermine the market's catering to diverse individual privacy 
preferences, and hinder the evolution of competitive research and 
innovation in secure applications. Privacy encompasses innumerable 
relationships between consumers and businesses, and no single set of 
privacy safeguards is appropriate. While government demands information 
disclosure, profit-driven firms compete to offer robust privacy 
assurances. As businesses respond to evolving consumer preferences, 
stronger privacy policies will emerge.
    Businesses are disciplined by responses of their competitors. 
Political regulation is pre-mature; but ``self-regulation'' like that 
described in the FTC principles is a misnomer; it is competitive 
discipline that market processes impose on vendors. Nobody in a free 
market is so fortunate as to be able to ``self regulate.'' Apart from 
the consumer rejection just noted, firms are regulated by the 
competitive threats posed by rivals, by Wall Street and intolerant 
investors, indeed by computer science itself.
    Neither the government nor private sector has a spotless ``self-
regulatory'' record, but FTC seems unconcerned about the former. Data 
breaches at businesses, governments and universities rose 69 percent in 
2008.\8\ Government can contribute to data security by ensuring that 
its own policies--like data sharing or data retention mandates, or 
sweeping subpoenas--do not interfere with competitive discipline.
---------------------------------------------------------------------------
    \8\ Brian Krebs, ``Data Breaches Are Up 69% This Year, Nonprofit 
Says,'' Washington Post. July 1, 2008. p. D3. http://
www.washingtonpost.com/wp-dyn/content/article/2008/06/30/
AR2008063002123.html.
---------------------------------------------------------------------------
    Even governmental calls for self-regulation seem lukewarm. Along 
with the Federal Trade Commission's Principles on what personally 
identifiable information firms may collect, a bill in the New York 
state legislature would impose drastic opt-in standards, preventing 
companies from gathering personalized information without explicit user 
permission. When Microsoft bid for Yahoo! this year, the Justice 
Department almost immediately wondered whether the combined firm would 
possess ``too much'' consumer data. Canada recently announced an 
investigation into Facebook's privacy protections. Now the Department 
of Justice is investigating the Google-Yahoo deal.\9\
---------------------------------------------------------------------------
    \9\ Peter Whoriskey, ``Google Ad Deal Is Under Scrutiny,'' 
Washington Post, July 2, 2008. 
Page D1. http://www.washingtonpost.com/wp-dyn/content/article/2008/07/
01/AR200807010
2622.html.
---------------------------------------------------------------------------
    Everybody's heard of Google and Microsoft, but fewer have heard of 
companies like Phorm and NebuAd, which present the more pertinent 
behavioral marketing issues; their new techniques give ISPs a dog in 
the fight, since online advertising is a commercial opportunity 
impossible for ISPs to ignore. ISPs see Google and Microsoft and they 
want a piece of the online advertising action too. These companies' 
techniques have been called spyware, but again, they incorporate the 
Net's underlying capabilities in novel ways, and they too are subject 
to competitive discipline. One's sympathies will depend upon the 
``ownership'' status one accords to Web pages, and what one regards as 
online ``trespass.'' The only certainty is a Web page today is not what 
a Web page tomorrow will be. Was there ever a real reason for 
publishers and advertisers to think they could control everything a 
user saw, given the open-ended potential of software's obvious ability 
to route content to browsers in novel ways? At many sites, like 
Facebook, each page is a ``Web'' in its own right, containing widgets 
drawing information and ads from numerous sources. The debate has 
really only just begun, and online marketing trade groups are truly the 
``Battered Business Bureau.'' But they're battered by competitive 
discipline, not merely regulators.
Lessons from Personally Identifiable Data Use Can Inform Future Online 
        Security Practices
    A frontier industry requires the flexibility to learn from 
mistakes. We must distinguish between proper and improper uses of 
surveillance by both the private and public sectors. Not many want to 
be tracked by the authorities, or treated like human bar code. Myriad 
benefits will accrue from the further deployment of identification 
techniques--even personally identifiable--into various facets of daily 
life. But where is the line crossed, and who is capable of crossing it?
    In private hands, techniques like behavioral marketing, biometric 
and data-mining technologies enlarge our horizons. They expand the 
possibilities of a market economy by bolstering security in private 
transactions ranging from face-to-face authentication to long-distance 
commerce. The best, most secure technologies are those that prevent 
others from posing as us--that's why the value of personally 
identifiable data cannot be ruled out. The Web is desperately short of 
that kind of clarity and authentication, in a world of cyber-risks, 
identity theft, and the need to conduct ever more sensitive 
transactions. But nothing is automatic. The marketplace imperative 
requires private sector experimentation in privacy: It's messy, but 
necessary.
    On the one hand, policy should not create situations where 
companies are required to ask for personal info that otherwise wouldn't 
be needed. (Google declares in its comments on the FTC advertising 
principles that obeying certain rules would require it to collect 
information it otherwise would not need.) On the other hand, certain 
forms of identifiable behavioral tracking may prove important in 
specific contexts and shouldn't be prohibited.
    Disallowing personally identifiable information is the wrong thing 
to do. We often need to identify those we're dealing with on line, and 
for them to be able to identify us; such instruments will be governed 
by heretofore unknown contracts and privacy polices. It's not ``self-
regulation,'' but the needs of the world at large driving this 
evolution. Rather than legislating, it's likely better to keep this a 
war between computer scientists; between those working on behavioral 
advertising with personal information and/or authentication, and those 
working on behavioral without authentication. Being able to sell to a 
customer but not have that customer identified is a key research area 
in computer science. The consumer-control ethos--the notion that we 
don't have to be tracked--puts consumers, not advertisers, in the 
drivers' seat Let the computer scientists duke it out.
    In many transactions and contexts, the Web needs better 
authentication, not the abandonment of personally identifiable 
information. The private sector should experiment with generating such 
data in ways that consumers can accept. Some say we must regulate 
because online risks exist; this report argues for not regulating 
because there are online risks. The firms that reduce risks in ways 
palatable to consumers offer a great service. New products and 
institutions still need to emerge around online commerce.

Expanding the Marketplace for Liability and Private Security Insurance
    Privacy is one subset of the much broader issues of online security 
and cybersecurity. It's been noted that a basic problem today is that 
no one stands in any position to make guarantees to anybody about 
anything. That doesn't mean improved insurance products and enhanced 
liability contracts won't develop online, however. Lessons learned from 
spam, privacy, and preventing piracy of intellectual property will 
carry over to the security issues of tomorrow.
    Government shouldn't grant immunity to software companies for 
breaches, but at the same time it should not impose liability on them 
either. It's not so clear whom to sue on an Internet not amenable to 
authentication, but standards will emerge. Government interference can 
impede private cyber-insurance innovations.
    Certain innovations can be sacrificed by regulating. The private 
sector needs to ``practice'' now for the really difficult cases like 
the integration of biometrics into the online world; meanwhile the 
Federal Government needs to focus on cyber-crime.

A Positive Agenda for the Federal Government
    Policymakers should appreciate the government's inherent 
limitations as well as the vulnerabilities that can be created by 
Federal policies and procedures.
    From lost laptops to hacks into the Pentagon e-mail system, to 
``D'' grades for the Department of Homeland Security's own information 
security practices, regulators' ability to rationally guide others on 
privacy is questionable. In many areas it makes sense to circumscribe 
regulators' sphere of influence, while increasing that of the market.
    Recognizing that governments can fail just as markets can, there 
are numerous ways government within its limitations can properly foster 
private sector innovation in security:

   Foster competitive discipline.

   Emphasize protecting government's own insecure networks, not 
        regulating markets. This means many things, including: removing 
        sensitive information from government websites; limit the size 
        and scope of government databases to ensure government doesn't 
        create artificial cybersecurity risks; avoiding data retention 
        mandates and other interventions that undermine private-sector 
        security guarantees.

   Focus on computer criminals, not cyber-regulations.

   Assess areas where it's best to liberalize private sector 
        data-sharing rules. For example, facilitating private sector 
        medical data sharing could deliver benefits to suffering 
        patients. More broadly, some firms cannot share data among 
        their own divisions because of antitrust and privacy 
        strictures. Enhancing cross-firm coordination can improve 
        reliability and security.

   Recognize that commercial anonymity and political anonymity 
        differ; we may need ``less'' of the former, even as we expand 
        the latter. Research should continue on the seemingly opposed 
        agendas of authentication of users on the one hand, and 
        anonymizing technologies on the other.
Conclusion: Affirming Private Sector Primacy Over Information Practices
    Our greatest privacy concern should be government collection of our 
information, not the emergence of targeted marketing.
    In the changing world of e-commerce, the role of government is not 
to predetermine commercial privacy arrangements, but to enforce 
information-sharing contracts that companies make between themselves or 
with individuals. Privacy policies are legally binding. Government's 
role is not to dictate the structure of privacy contracts through such 
means as opt-in or opt-out policies; it is to halt deceptive practices 
and hold private firms accountable to the guarantees they make. 
Government's other role is to protect citizens from identity theft, 
which is not a commercial enterprise, but a criminal one.
    If anonymity and the inability to exclude bad actors are at the 
root of genuine online security problems, legislation doesn't make them 
go away. When contemplating centralized government vs. decentralized 
market approaches to protection consumers online, we must strive, 
before regulating, to follow the ``cybersecurity commandment'': Don't 
entrench regulation to such a degree that effective private 
alternatives and institutions, however warranted as conditions change, 
simply cannot emerge.

Related Reading
    Wayne Crews and Ryan Radia, ``Rigid Federal Mandates Hinder Privacy 
Technologies,'' San Jose Mercury News, June 15, 2008, http://
www.mercurynews.com/opinion/ci_9593341.
    Wayne Crews, ``Cybersecurity Finger-pointing: Regulation vs. 
Markets for Software Liability, Information Security, and Insurance,'' 
CEI Issue Analysis 2005 No. 7, May 31, 2005, 
http://cei.org/pdf/4569.pdf.
    Wayne Crews, ``Cybersecurity and Authentication: The Marketplace 
Role in Rethinking Anonymity--Before Regulators Intervene,'' CEI Issue 
Analysis 2004 No. 2, November 8, 2004, http://cei.org/pdf/4281.pdf.
    Wayne Crews, Comments to the FTC on e-mail authentication themes, 
September 30, 2004, http://www.cei.org/pdf/4229.pdf.
    Alberto Mingardi and Wayne Crews, EU takes a Swipe at Google, 
International Herald Tribune, March 9, 2007, http://www.iht.com/
articles/2007/03/09/opinion/edmingardi.php.
    Wayne Crews and Brooke Oberwetter, ``Preventing Identity Theft and 
Data Security Breaches: The Problem With Regulation,'' CEI Issue 
Analysis 2006 No. 2, May 9, 2006, http://cei.org/pdf/5316.pdf.
    Wayne Crews ``Giving Chase in Cyberspace: Does Vigilantism Against 
Hackers and File-sharers Make Sense?'' CEI OnPoint No. 109, October 2, 
2006. http://cei.org/pdf/5569.pdf.
    Wayne Crews, ``Trespass in Cyberspace: Whose Ether Is It Anyway?'' 
TechKnowledge #19, Cato Institute, September 10, 2001, http://
www.cato.org/tech/tk/010910-tk.html.
    Wayne Crews, ``Human Bar Code: Monitoring Biometrics Technologies 
In a Free Society,'' Cato Institute Policy Analysis No. 452, September 
17, 2002, http://www.cato.org/pubs/pas/pa452.pdf.

    Senator Dorgan. Mr. Crews, thank you very much.
    Finally, we will hear from Mr. Mike Hintze.
    Mr. Hintze. Hintze.
    Senator Dorgan. Mr. Mike Hintze. I am sorry. Mike Hintze is 
the Associate General Counsel at Microsoft Corporation. Mr. 
Hintze, you may proceed.

  STATEMENT OF MICHAEL D. HINTZE, ASSOCIATE GENERAL COUNSEL, 
                     MICROSOFT CORPORATION

    Mr. Hintze. Thank you, Mr. Chairman, for inviting me to 
testify today about the privacy implications of online 
advertising. This is a critically important topic that 
Microsoft takes very seriously, and we applaud the Committee 
for its leadership in this area.
    Online advertising, as you acknowledged, has become the 
engine that drives the Internet economy. Millions of websites 
are able to offer content and services for free to consumers 
because of the revenue they derive from advertising online. In 
the United States, the amount spent on online advertising 
already exceeds spending for advertising through radio, 
magazines, and cable television. It accounted for $21 billion 
in 2007 and is expected to grow to $50 billion in the next 3 
years.
    Online advertising has been so successful because it is 
interactive and can be targeted to users' online activities and 
other characteristics. This targeting benefits users not only 
because it enables free services and content they enjoy, but 
also because they are likely to see more relevant ads. And it 
benefits advertisers because they can reach users who are more 
likely to respond to their ads.
    Each search, click, and other user action online reveals 
valuable information about the user's likely interests, and 
online ads can be automatically tailored to those interests. In 
general, most data collection online happens in conjunction 
with a display of ads. This means the entity with the greatest 
market share and therefore who serves the most ads online will 
collect the most data about users.
    As this Committee recognizes, the collection of user data 
to serve ads on the Internet has important privacy 
implications. Microsoft is here today because we have a deep 
commitment to consumer privacy. We were one of the first 
companies to appoint a chief privacy officer, an action we took 
nearly a decade ago, and we currently have over 40 employees 
who focus on privacy full-time and another 400 throughout the 
business who focus on privacy as part of their jobs. We have a 
robust set of internal privacy policies and standards that 
guide how we do business and how we design our products and 
services in a way that protects consumer privacy.
    With respect to online advertising, we have taken more 
concrete steps to protect privacy than any of our competitors. 
Last July, we released Microsoft's Privacy Principles for Live 
Search and Online Ad Targeting. We are committed to these 
principles which focus on three core themes: transparency, 
control, and security. Let me explain how we have put each of 
these principles into action in ways that go beyond others in 
the industry.
    The first principle is transparency. We post a clear link 
to our privacy notice on every page of our websites, including 
the home page, and we have for several years. We also were one 
of the first companies to develop so-called layered privacy 
notice, which gives concise and easy-to-understand bullet-point 
summaries of our practices with links to more detailed 
information. And our privacy statement is clear about the data 
we collect and use for online advertising.
    The second principle is control. Microsoft enables users to 
opt out of behavioral ad targeting, but we also give consumers 
the option to tie their opt-out choice to their Windows online 
account. Unlike methods used by other companies, this means 
that even if they delete cookies on their machine, when they 
sign back in, their opt-out selection will persist. It also 
means that a single choice can apply across multiple computers 
they use.
    The third principle is security. For Microsoft, this means 
not only protecting data from unauthorized access, but also 
designing our systems and processes in ways that minimize their 
privacy impact from the outset. We create an anonymized 
identifier for each of our registered users. Search query data 
and web surfing behavior used for ad targeting is associated 
with this anonymized identifier. We also irreversibly and 
completely remove the IP addresses and other identifiers from 
search queries after 18 months.
    We believe that our commitment to these three principles, 
transparency, control, and security, and more importantly, the 
steps we have taken to implement them make us the industry 
leader in online privacy.
    These principles also form the basis for our support for 
comprehensive baseline privacy legislation, supplemented by 
robust self-regulation. For example, we have advocated a 
broader self-regulatory framework than that proposed by the 
FTC, one that is tailored to account for the type of 
information collected and how it is used. We have also long 
supported meaningful privacy legislation which, as CDT 
appropriately notes, can protect consumers without hampering 
business.
    We view these efforts as part of our multi-faceted approach 
to protecting consumer privacy, which also includes developing 
technical solutions and educating consumers about how to 
protect themselves online. In short, at Microsoft, we are 
prepared to work collaboratively on all these fronts to protect 
consumer privacy.
    Thank you for giving us the opportunity to testify today, 
and I look forward to answering any questions you may have.
    [The prepared statement of Mr. Hintze follows:]

  Prepared Statement of Michael D. Hintze, Associate General Counsel, 
                         Microsoft Corporation

    Chairman Inouye, Vice Chairman Stevens, and honorable Members of 
the Committee, my name is Michael Hintze, and I am an Associate General 
Counsel of Microsoft Corporation. Thank you for the opportunity to 
share Microsoft's views on the important privacy issues presented by 
advertising on the Internet. We appreciate the initiative that this 
Committee has taken in holding this hearing, and we are committed to 
working collaboratively with you, the Federal Trade Commission, 
consumer groups, and other stakeholders to protect consumers' privacy 
interests online.
    Much is at stake with respect to the issues we will be considering 
today. Online advertising has become the very fuel that powers the 
Internet and drives the digital economy. It supports the ability of 
websites to offer their content and services online; it has created new 
opportunities for businesses to inform consumers about their products 
and services; and it allows consumers to receive ads they are more 
likely to find relevant. Simply stated, the Internet would not be the 
diverse and useful medium it has become without online advertising.
    At the same time, online advertising is unique because it can be 
tailored automatically to a computer user's online activities and 
interests. An online ad can be served based on the website a user is 
visiting, the searches a user is conducting, or a user's past Internet 
browsing behavior, among other things. In each instance, serving the 
online advertisement involves the collection of information about 
consumers' Internet interactions. And this data collection has 
implications for consumer privacy.
    The objective we face is to maintain the growth of online 
advertising while protecting consumer privacy. This is a commitment 
Microsoft embraces. We recognize that consumers have high expectations 
about how we and other Internet companies collect, use, and store their 
information. Consumers must trust that their privacy will be protected. 
If the Internet industry fails to meet that standard, consumers will 
make less use of online technologies, which will hurt them and industry 
alike.
    It also could hurt the U.S. economy. E-commerce sales reached 
$136.4 billion in 2007, an increase of 19 percent from 2006, according 
to the U.S. Census Bureau.\1\ In comparison, total retail sales in 2007 
increased only 4 percent from 2006. If consumers feel that Internet 
companies are not protecting their privacy, the Internet's ability to 
serve as an engine of economic growth will be threatened. This means 
that Microsoft, and all companies operating online, must adopt robust 
privacy practices that build trust with consumers.
---------------------------------------------------------------------------
    \1\ U.S. Census Bureau, Quarterly Retail E-Commerce Sales: 4th 
Quarter 2007, Feb. 15, 2008, available at http://www.census.gov/mrts/
www/data/html/07Q4.html.
---------------------------------------------------------------------------
    Microsoft has a deep and long-standing commitment to consumer 
privacy. Microsoft was one of the first companies to appoint a chief 
privacy officer, an action we took nearly a decade ago, and we 
currently employ over 40 employees who focus on privacy full-time, and 
another 400 who focus on it as part of their jobs. We have a robust set 
of internal policies and standards that guide how we do business and 
how we design our products and services in a way that respects and 
protects user privacy.\2\ And we have made significant investments in 
privacy in terms of training and by building our privacy standards into 
our product development and other business processes.
---------------------------------------------------------------------------
    \2\ Some of these standards are set forth in Microsoft's Privacy 
Principles for Live Search and Online Ad Targeting, attached as 
Appendix 1.* This document is also available at http://
www.microsoft.com/privacy. Additionally, Microsoft's Privacy Guidelines 
for Developing Software Products and Services, which are based on our 
internal privacy standards, are available at http://www.microsoft.com/
privacy.
---------------------------------------------------------------------------
    In general, three key principles have guided our approach to 
privacy issues:

   Transparency. We believe consumers should be able to easily 
        understand what information will be collected about them and 
        when. They also should know how such information will be used 
        and whether it will be combined with other information 
        collected from or about them.

   Control. We believe consumers should be able to control 
        whether their personal information is made available to others 
        and should have a choice about whether information about their 
        online activities is used to create profiles for targeted 
        advertising.

   Security. Consumers and their information should be 
        protected against outside threats and from unwanted disclosure. 
        Data that directly identifies individual consumers, such as 
        name and e-mail address, should not be stored in direct 
        association with search terms or data about Web surfing 
        behavior used to deliver ads online. And strict data retention 
        policies should apply to search data.

    Today, I will discuss why we believe these principles are 
important, how we have put each of these principles into action, and 
how they underlie Microsoft's approach to privacy in online 
advertising. But first I would like to provide an overview of how 
online advertising works, the role that consumer data plays in serving 
online ads, and the online advertising market.

I. Online Advertising and the Role of User Data
    Consumers today are able to access a wealth of information and a 
growing array of services online for free. Websites can offer this 
content and these services for free because of the income they receive 
from advertising.\3\ Just as newspapers and TV news programs rely on 
traditional advertising, online news sites and other commercial 
websites rely on online advertising for their economic survival. Online 
advertising is particularly critical for the thousands of smaller 
websites that do not publish through offline channels and thus depend 
entirely on the revenue they receive from selling space on their 
websites to serve ads online. It is also critical for smaller 
businesses that serve niche markets (e.g., out-of-print books on 
European history) who rely on online advertising to reach those niche 
audiences cost-effectively; indeed, many of these businesses could not 
survive without it.
---------------------------------------------------------------------------
    \3\ It has become a standard approach to the online economy that 
there is a value exchange in which companies provide online content and 
services to consumers without charging a fee and, in return, consumers 
see advertisements that may be targeted.
---------------------------------------------------------------------------
    The importance of online advertising is evident from its growing 
share of the overall advertising market. It accounted for $21 billion 
of the market in 2007 and is expected to grow to $50 billion in the 
next 3 years.\4\ In the United States, online advertising spending 
already exceeds spending for advertising through radio, magazines, and 
cable television.\5\
---------------------------------------------------------------------------
    \4\ See Interactive Advertising Bureau, IAB Internet Advertising 
Revenue Report, 7, May 2008, available at http://www.iab.net/media/
file/IAB_PwC_2007_full_year.pdf; Yankee Group, Yankee Group Forecasts 
U.S. Online Advertising Market to Reach $50 Billion By 2011, Jan. 18, 
2008, available at http://www.yankeegroup.com/
pressReleaseDetail.do?actionType=getDetail
PressRelease&ID=1805.
    \5\ See Brian Morrissey, IAB: Web Ad Spend Tops Cable, Radio, 
Adweek, May 15, 2008, available at http://www.adweek.com/aw/
content_display/news/digital/e3ibcf6d45fc7a036dff28457
a85c838ff1.
---------------------------------------------------------------------------
    One reason for this rapid growth is the ability to target online 
ads to Internet users. Newspaper, magazine, and television 
advertisements can, of course, be targeted based on the broad 
demographics of readers or viewers. But the Internet is interactive, 
and this interaction yields a wealth of data about users' activities 
and preferences. Each search, click, and other user action reveals 
valuable information about that user's likely interests. The more 
information an entity collects, the greater that entity's ability to 
serve an advertisement that is targeted to the user's interests. This 
targeting benefits users, not only because it enables the free services 
and content they enjoy, but also because the ads they see are more 
likely to be relevant. And it benefits advertisers because users are 
more likely to respond to their ads.\6\
---------------------------------------------------------------------------
    \6\ It is for this reason advertisers are willing to pay more for 
targeted ads. For example, although Merrill Lynch has reported that the 
average cost per 1,000 impressions (``CPM'') is $2.50, entities engaged 
in behavioral targeting have reported average CPMs as high as $10. See 
Brian Morrissey, Aim High: Ad Targeting Moves to the Next Level, 
Adweek, Jan. 21, 2008, available at http://www.adweek.com/aw/magazine/
article_display.jsp?vnu_content_id=1003695822. Data also shows that 57 
percent of 867 search engine advertisers and search engine marketing 
agencies polled ``were willing to spend more on demographic targeting, 
such as age and gender.'' Search Engine Marketing Professional 
Organization, Online Advertisers Are Bullish on Behavioral Targeting, 
May 15, 2008, available at http://www.sempo.org/news/releases/05-15-08.
---------------------------------------------------------------------------
    There are a variety of ways in which data can be collected about 
users to serve targeted ads on the Internet. Users reveal information 
about what they are looking for when they search online, and ads can be 
targeted to their search queries.\7\ Advertising networks enter into 
agreements with websites that allow them to display ads; to deliver and 
target those ads, data is gathered about the pages users view and the 
links users click on within those sites.\8\ And new business models are 
emerging where data about users' online activities can be collected 
through a user's Internet service provider, and ads can be served based 
on that information. In general, most data collection happens in 
connection with the display of ads. This means the entity that serves 
the most ads (search and/or non-search ads) will also collect the most 
data about users.
---------------------------------------------------------------------------
    \7\ Search ads are selected based on the search term entered by a 
user and sometimes on data that has been collected about the user, such 
as the user's history of prior searches. Search ads generally appear 
either at the top of the search results or along the right-hand side of 
the page. They often are displayed as text, but they may include 
graphics as well. Advertisers bid against each other for the right to 
have their ads appear when a specific search term is entered (known as 
a ``keyword'').
    \8\ These non-search ads are what users see when they visit 
virtually any site on the Internet other than a search engine site. 
They can be based on the content of the page the user is viewing 
(typically referred to as ``contextual'' ads) or on a profile of a 
user's activities that has been collected over time (referred to as 
``behavioral'' ads). But in either case, the company serving the ad 
would log the pages users view--typically in association with a cookie 
ID from the user's computer and/or an IP address.
---------------------------------------------------------------------------
II. The Online Advertising Environment
    The online advertising ecosystem has undergone significant changes 
in the past few years. There continue to be millions of websites that 
display online ads and thousands of advertisers who use online 
advertising. However, there is a relatively small number of so-called 
advertising networks, or ``middlemen,'' to bring advertisers and 
websites together to buy and sell online ad space. And the number of 
companies playing this intermediary role has decreased significantly in 
recent months as a result of consolidation in the industry.\9\
---------------------------------------------------------------------------
    \9\ Three examples of this are Microsoft's acquisition of 
aQuantive, Yahoo!'s acquisition of RightMedia and Google's acquisition 
of DoubleClick. For more information about the key players in the 
advertising market and the impact of consolidation in the market, see 
the testimony of Microsoft General Counsel Brad Smith before the Senate 
Judiciary Committee, available at http://www.microsoft.com/presspass/
exec/bradsmith/09-27googledoubleclick.mspx.
---------------------------------------------------------------------------
    This market consolidation impacts the privacy issues we are 
discussing today in several ways. First, it is important to recognize 
that in the past, advertising networks typically did not have direct 
relationships with consumers. Today, however, the major ad networks are 
owned by entities--such as Microsoft, Google, and Yahoo!--that provide 
a wide array of Web-based services and, therefore, often have direct 
relationships with consumers. This increases the potential that data 
collected through online advertising will be combined with personally 
identifiable information. While Microsoft has designed its online 
advertising system to address this concern,\10\ no ad network is 
required to do so.
---------------------------------------------------------------------------
    \10\ See section III.C below.
---------------------------------------------------------------------------
    Further, as noted above, there is a direct connection between the 
market share of an advertising network or an online search provider and 
the amount of data collected about a user's online activity. For 
example, the larger the share of search ads a company delivers, the 
larger number of users' online search queries it collects and stores. 
Similarly, the larger the share of non-search ads an advertising 
network delivers across the Web, the larger number of users' page views 
it collects and stores, and the more complete picture of individuals' 
online surfing behavior it is able to amass. Today, Google AdWords is 
the leading seller of search advertising.\11\ Google also has the 
leading non-search ad network, AdSense. Google recently expanded its 
reach into non-search by acquiring DoubleClick.\12\ By comparison, 
Microsoft is a relatively small player in search ads, and its reach in 
non-search advertising is also smaller than Google's.\13\ Google's 
growing dominance in serving online ads means it has access to and 
collects an unparalleled amount of data about people's online 
behavior.\14\
---------------------------------------------------------------------------
    \11\Based on comScore's Core Search Report, in May of this year, 62 
percent of searches were performed in the U.S. on Google, amounting to 
roughly 6.7 billion searches. comScore, comScore Releases May 2008 U.S. 
Search Engine Rankings, June 19, 2008, available at http://
www.comscore.com/press/release.asp?press=2275. Google also has 
strategic agreements with AOL and Ask that allow Google to serve ads to 
those companies' search engine sites. Adding AOL's (4.5 percent) and 
Ask.com's (4.5 percent) share of the search queries, Google's share 
rises to 71 percent. See id.
    \12\ Following its acquisition of DoubleClick, Google now serves in 
the range of 70 percent of all non-search advertisements. See, e.g., 
Lots of Reach in Ad . . ., April 1, 2008, available at http://
battellemedia.com/archives/004356.php.
    \13\ Microsoft's Live Search has approximately 8.5 percent of Core 
Search queries in the United States. comScore, comScore Releases May 
2008 U.S. Search Engine Rankings, June 19, 2008, available at http://
www.comscore.com/press/release.asp?press=2275.
    \14\ Concerns have been raised about this dominance as well as the 
privacy protections surrounding the enormous amount of information 
about users' online behavior that this dominance enables. See, e.g., 
Electronic Privacy Information Center, Supplemental Materials in 
Support of Pending Complaint and Request for Injunction, Request for 
Investigation and for Other Relief, June 6, 2007, available at http://
epic.org/privacy/ftc/google/supp_060607.pdf (``The combination of 
Google (the world's largest Internet search engine) with DoubleClick 
(the world's largest Internet advertising technology firm) would allow 
the combined company to become the gatekeeper for Internet content. . . 
. The detailed profiling of Internet users raises profound issues that 
concern the right of privacy. . . .''); see also, Jaikumar Vijayan, 
Google Asked to Add Home Page Link to Privacy Policies, Computerworld, 
June 3, 2008, available at http://www.computerworld.com/action/
article.do?command=viewArticleBasic&articleId=9092838; Privacy 
International, A Race to the Bottom: Privacy Ranking of Internet 
Service Companies, Sept. 6, 2007, available at http://
www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-553961 
(We ``witnessed an attitude to privacy within Google that at its most 
blatant is hostile, and at its most benign is ambivalent.'').
---------------------------------------------------------------------------
    There also is a critical relationship between competition and 
privacy that must not be overlooked in this discussion. Competition 
ensures companies have an incentive to compete on the basis of the 
privacy protections they offer. On the other hand, a dominant player 
who is insulated from competitive pressure has little reason to heed 
consumer demand for stronger privacy protections and faces no 
significant competitive pressure from other firms offering superior 
privacy practices. Indeed, if a dominant player could generate 
additional profits by diluting its privacy practices, there is a 
significant risk it may do so. This could bring about a ``race to the 
bottom'' on privacy as other companies weaken their privacy practices 
in an effort to catch up to the market leader.
    Yahoo! and Google's recently announced agreement raises important 
questions in this regard. Under the agreement, Yahoo! will outsource to 
Google the delivery of ads appearing alongside Yahoo!'s search engine 
results.\15\ This has the potential to give Google, the market leader, 
further control over the sites and services where ads are served, 
enabling Google to collect even more data about computer users and 
potentially to combine that data with the personal information it has 
on those users.\16\ It also will reduce competition in the search 
advertising market, and thereby weaken Google's incentives to compete 
on the quality of its privacy practices. Both of these outcomes have 
implications for consumer privacy.\17\
---------------------------------------------------------------------------
    \15\ See http://www.google.com/intl/en/press/pressrel/
20080612_yahoo.html.
    \16\ With Google's 71 percent search query share in the U.S. based 
on its relationship with AOL and Ask.com (see supra fn. 11), in 
combination with Yahoo's 20.6 percent share of the core search query 
market, Google will be able to gather information on up to 92 percent 
of online searches. See comScore, comScore Releases May 2008 U.S. 
Search Engine Rankings, June 19, 2008, available at http://
www.comscore.com/press/release.asp?press=2275.
    \17\ See Jeff Chester, A Yahoo! & Google Deal Is Anti-Competitive, 
Raises Privacy Concerns, May 22, 2008, available at http://
www.democraticmedia.org/jcblog/?p=596.
---------------------------------------------------------------------------
III. Microsoft's Commitment to Privacy in Online Advertising
    Microsoft recognizes the role that data plays in online advertising 
and the corresponding importance of protecting consumer privacy. To 
guide our approach to data collection for online advertising, we 
released Microsoft's Privacy Principles for Live Search and Online Ad 
Targeting last July.\18\ We are deeply committed to these principles, 
which focus on bringing the benefits of transparency, control and 
security to the protection of consumers' data and privacy online.
---------------------------------------------------------------------------
    \18\ See Appendix 1. Microsoft's Privacy Principles for Live Search 
and Online Ad Targeting are also available at http://www.microsoft.com/
privacy.
---------------------------------------------------------------------------
A. Transparency
    I want to first touch upon the importance of transparency. 
Transparency is significant because it provides consumers with an 
informed understanding of a company's data collection practices, of how 
their data might be used, and the privacy controls available to users. 
Without transparency, consumers are unable to evaluate a company's 
services, to compare the privacy practices of different entities to 
determine which online products and services they should use, or to 
exercise the privacy controls that may be available to them. 
Transparency also helps ensure that when consumers are dealing with a 
company that has adopted responsible privacy practices, they do not 
needlessly worry about unfounded privacy concerns, which could prevent 
them from taking advantage of new technologies.
    Transparency is also essential to ensure accountability. 
Regulators, advocates, journalists and others have an important role in 
helping to ensure that appropriate privacy practices are being 
followed. But they can only examine, evaluate and compare practices 
across the industry if companies are transparent about the data they 
collect and how they use and protect it.
    Transparency is especially important with respect to online 
advertising. This is because consumers may not understand the types of 
information that entities collect or log in providing advertisements 
online. For example, many consumers may not realize that information 
about the pages they are viewing, the searches they are conducting, or 
the services they are using may be collected and used to deliver online 
ads.
    For this reason, Microsoft believes that any entity that collects 
or logs any information about an individual or computer for the purpose 
of delivering advertisements online should provide clear notice about 
its advertising practices. This means posting a conspicuous link on the 
home page of its website to a privacy statement that sets forth its 
data collection and use practices related to online advertising. 
Consumers should not be required to search for a privacy notice; it 
should be readily available when they visit a website. This obligation 
should apply to entities that act as ad networks, as well as to 
websites on which ads appear--whether they display ads on their own or 
rely on third parties to deliver online advertising.
    In addition to being easy to find, the privacy notice must be easy 
to understand. While many websites have publicly posted a privacy 
notice, this alone is not enough. Too often, the posted privacy notice 
is complex, ambiguous and/or full of legalese. These notices make 
privacy practices more opaque, not more transparent. Instead, short and 
simple highlights are essential if consumers are to easily understand a 
company's information practices. It helps avoid the problem of 
information overload, while enabling consumer awareness.
    Finally, to ensure that the consumer can be fully informed, the 
privacy notice should also describe the website's data collection and 
use activities in detail. This includes, at a minimum, descriptions of 
the types of information collected for online advertising; whether this 
information will be combined with other information collected from or 
about consumers; and the ways in which such information may be used, 
including whether any non-aggregate information may be shared with a 
third party.
    Microsoft has embraced these obligations. We post a link to our 
privacy notice on every page of our websites, including the home page. 
We also were one of the first companies to develop so-called 
``layered'' privacy notices that give clear and concise bullet-point 
summaries of our practices in a short notice, with links to the full 
privacy statement for consumers and others who are interested in more 
detailed information. And our privacy statement is clear about the data 
we collect and use for online advertising. Further, we have released 
more detailed information about our practices, such as a white paper 
that describes the methods we use to ``de-identify'' data used for ad 
targeting.\19\ To illustrate our efforts to be transparent about our 
practices, we have included in Appendix 2* screen shots of 
the privacy link available on the home page of our Windows Live search 
service and of our layered privacy notice, including both the short 
notice and our full online privacy statement.
---------------------------------------------------------------------------
    \19\ See section III.C below.
---------------------------------------------------------------------------
B. Control
    The second core principle Microsoft looks to in protecting our 
customers' privacy is user control. Consumers should have a choice 
about how information about their online activities is used, especially 
when that information can be aggregated across multiple websites or 
combined with personal information. Microsoft has made consumer control 
a key component of our practices online.
    As an example, Microsoft has recently deployed a robust method to 
enable users to opt out of behavioral ad targeting. As background, most 
industry players that offer consumers a choice about having information 
about their online activities used to serve behaviorally targeted ads 
do so by offering consumers the ability to place an ``opt-out'' cookie 
on their machines. In general, this process works well, but it does 
have some inherent limitations. For example, opt-out cookies are 
computer-specific--if a consumer switches computers, he or she will 
need to specify any opt-out preferences again. Further, if cookies are 
deleted from the user's PC, that user's opt-out choice is no longer in 
effect. To address these limitations, Microsoft now gives consumers the 
option to tie their opt-out choice to their Windows Live ID. This means 
that even if they delete cookies on their machine, when they sign back 
in their opt-out selection will persist. It also means that a single 
choice can apply across multiple computers that they use. This will 
help ensure that consumers' choices are respected.\20\
---------------------------------------------------------------------------
    \20\ Microsoft's personalized advertising opt-out page is available 
at https://choice.live.com/advertisementchoice/Default.aspx.
---------------------------------------------------------------------------
    Microsoft also has committed to respecting consumers' opt-out 
choice on all sites where it engages in behavioral advertising. This 
means that consumers are offered a choice about receiving behaviorally 
targeted ads across both third-party websites on which Microsoft 
delivers behaviorally targeted ads, as well as Microsoft's own 
websites. This is important because consumers reasonably expect that 
the opt-out choice offered by a company would apply on all websites 
where that company engages in behavioral advertising practices. This is 
another example of where we have committed to going beyond standard 
industry practice to better protect the interests of consumers.
    We also recognize it is appropriate that the level of consumer 
control may vary depending on the data that will be used to serve an 
online ad. For example, many consumers have serious reservations about 
the receipt of targeted advertising based on the use of certain 
categories of personally identifiable information, particularly those 
that may be considered especially sensitive. Thus, we have proposed 
that companies should obtain additional levels of consent for the use 
of such information for behavioral advertising--including affirmative 
opt-in consent for the use of sensitive personally identifiable 
information.\21\
---------------------------------------------------------------------------
    \21\ See, for example, Microsoft's comments to the Federal Trade 
Commission's proposed self-regulatory framework for online advertising, 
included as Appendix 4* and available at http://www.ftc.gov/
os/comments/behavioraladprinciples/080411microsoft.pdf.
---------------------------------------------------------------------------
C. Security
    The third principle we look to in protecting consumers' privacy is 
that strong, simple, and effective security is needed to strengthen 
consumers' trust in our products, the Internet, and all information 
technologies. Security has been fundamental at Microsoft for many years 
as part of our Trustworthy Computing initiative. And it plays a key 
role with respect to our online advertising practices.
    We have taken a broad approach to protecting the security of 
computer users with respect to serving ads online. This approach 
includes implementing technological and procedural protections to help 
guard the information we maintain. We also have taken steps to educate 
consumers about ways to protect themselves while online, and we have 
worked closely with industry members and law enforcement around the 
world to identify security threats, share best practices, and improve 
our coordinated response to security issues.
    In addition, we have designed our systems and processes in ways 
that minimize their privacy impact from the outset while simultaneously 
promoting security. For example, we use a technical method (known as a 
one-way cryptographic hash) to separate search terms from account 
holders' personal information, such as name, e-mail address, and phone 
number, and to keep them separated in a way that prevents them from 
being easily recombined. We have also relied on this method to ensure 
that we use only data that does not personally identify individual 
consumers to serve ads online. As a result of this ``de-
identification'' process, search query data and data about Web surfing 
behavior used for ad targeting is associated with an anonymized 
identifier rather than an account identifier that could be used to 
personally and directly identify a consumer.\22\
---------------------------------------------------------------------------
    \22\ A white paper describing Microsoft's ``de-identification'' 
process is attached to these comments as Appendix 3.* It is 
also available at http://www.microsoft.com/privacy.
---------------------------------------------------------------------------
    Finally, we have implemented strict retention policies with respect 
to search query data. Our policy is to anonymize all such data after 18 
months, which we believe is an appropriate time-frame in our 
circumstances to enable us to maintain and improve the security, 
integrity and quality of our services. We intend to continue to look 
for ways to reduce this time-frame while addressing security, integrity 
and quality concerns. In addition, unlike other companies, our 
anonymization method involves irreversibly removing the entire IP 
address and other cross-session identifiers, such as cookies and other 
machine identifiers, from search terms. Some companies remove only the 
last few digits of a consumer's IP address, which means that an 
individual search query may still be narrowed down to a small number of 
computers on a network. We think that such partial methods do not fully 
protect consumer privacy, so we have chosen an approach that renders 
search terms truly and irreversibly anonymous.

IV. Microsoft's Support for Self-regulation and Privacy Legislation
    Microsoft believes that these core principles of transparency, 
control, and security are critical to protecting consumers' privacy 
interests online. These principles form the basis for our support of 
robust self-regulation in the online advertising market and for 
baseline privacy legislation.
    We have been an active participant in self-regulatory efforts. 
Microsoft has been engaging with the Network Advertising Initiative 
(``NAI''), a cooperative of online marketing and advertising companies 
that addresses important privacy and consumer protection issues in 
emerging media.\23\ The NAI is currently in the process of revising its 
guidelines to address changes in the online advertising industry. The 
NAI's efforts have been critical to understanding the privacy issues 
associated with online advertising, and we will continue to work with 
them as they finalize their draft proposal.
---------------------------------------------------------------------------
    \23\ Atlas, which was part of Microsoft's recent acquisition of 
aQuantive, was a founding member of NAI.
---------------------------------------------------------------------------
    We also filed comments responding to the Federal Trade Commission's 
request for input on a proposed self-regulatory framework for online 
advertising. In our comments, we explained the need for a broad self-
regulatory approach since all online advertising activities have 
potential privacy implications and some may be contrary to consumers' 
expectations. To this end, we proposed a tiered approach to self 
regulation that is appropriately tailored to account for the types of 
information being collected and how that information will be used. It 
would set a baseline set of privacy protections applicable to all 
online advertising activity and would establish additional obligations 
for those companies that engage in practices that raise additional 
privacy concerns. We are attaching a copy of our comments to the FTC 
for your convenience.\24\
---------------------------------------------------------------------------
    \24\ See Appendix 4. Our comments are also available at http://
www.ftc.gov/os/comments/behavioraladprinciples/080411 microsoft.pdf.
---------------------------------------------------------------------------
    In addition to supporting self-regulatory efforts, we have long 
advocated for legislation as a component of effective privacy 
protections. We were one of the first companies to actively call for 
comprehensive Federal privacy legislation.\25\ More recently, we have 
supported balanced and well-crafted state legislation on privacy in 
online advertising that would follow the general structure proposed in 
our FTC comments.\26\ And we would be glad to work with the Committee 
on similar national privacy standards that would protect both privacy 
and opportunities for innovation in the online advertising industry.
---------------------------------------------------------------------------
    \25\ See http://www.microsoft.com/presspass/download/features/2005/
PrivacyLegislationCall
WP.doc.
    \26\ A. 9275-C, 2007-2008 Reg. Sess. (N.Y. 2008), available at 
http://assembly.state.ny.us/leg/?bn=A09275&sh=t (imposing minimum 
notice and choice obligations on certain website publishers and 
advertising networks); S. 6441-B, 2007-2008 Reg. Sess. (N.Y. 2008), 
available at http://assembly.state.ny.us/leg/?bn=S06441&sh=t (imposing 
baseline notice, choice, security, and consumer access obligations on 
certain third-party advertising networks); H.B. 5765, 2008 Gen. Assem., 
Feb. Sess. (Conn. 2008), available at http://www.cga.ct.gov/2008/FC/
2008HB-05765-R000148-FC.htm (imposing minimum notice, choice, security, 
and use limitations on third-party advertising networks).
---------------------------------------------------------------------------
    Our support of self regulation in the online advertising market and 
prudent privacy legislation is only a part of our comprehensive 
approach to protecting consumer privacy. We will continue to support 
consumer education efforts to inform users of how to best protect 
themselves and their information online. And we will persist in our 
efforts to develop technology tools that promote the principles of 
transparency, control, and security. In short, we are prepared to work 
collaboratively on all fronts to maintain the growth of online 
advertising while fostering consumer trust online.

V. Conclusion
    Microsoft recognizes that the protection of consumer privacy is a 
continuous journey, not a single destination. We can and will continue 
to develop and implement new privacy practices and protections to bring 
the benefits of transparency, choice, and security to consumers. Thank 
you for giving us the opportunity to testify today. We look forward to 
working with you to ensure consumers' privacy interests are protected 
as they continue to enjoy the proliferation of free services and 
information that online advertising supports.
    * The information referred to has been retained in 
Committee files.

    Senator Dorgan. Mr. Hintze, thank you very much. I 
appreciate your testimony.
    To my colleagues, I would say time is not our friend this 
morning. The vote is supposed to start at 11:15, although I am 
told it may slip. We will probably know shortly. If it starts 
at 11:30, that means that we would have perhaps until 11:45 
before we would have to depart this room.
    I will do 5-minute rounds here, and if we finish at 11:45, 
we will not have to come back. We have five votes in 
succession, which means we probably would not be able to come 
back until 1 o'clock. So my hope would be that for the next 45 
minutes to an hour, we will all be able to have an opportunity 
to ask relevant questions.
    And I thank very much the witnesses for being here.
    I have 100 questions, regrettably. Let me take just 4 and a 
half or 5 minutes and then call on my colleagues.
    First of all, online advertising is helpful and useful in 
my judgment. I understand that. It helps support the Internet 
itself, which has some wonderful companies and sites providing 
useful information services, entertainment. I understand all of 
that.
    The question today is not, as Mr. Crews indicated, are 
certain kinds of advertising the devil. I think advertising is 
a necessary component of the Internet and is helpful to 
consumers. The question is about the collection of information 
about consumers as they travel the Internet.
    And Mr. Dykes, I will ask you the first question. The 
stories that I have seen about maybe an Internet service 
provider deciding we are going to allow NebuAd to come in, and 
whenever anybody does anything on our system, as someone who 
has signed up for our Internet service provider service, we are 
going to essentially shovel all that information over to you as 
it is being done. I mean, what is the difference between that 
and tapping into somebody's wire, using the pejorative term 
``wiretapping''? Is that not just wiretapping?
    Mr. Dykes. No, sir. We believe that we are not violating 
the wiretap law. I am not a lawyer, but my lawyers have told me 
we are in compliance with the law, and they have prepared a 
memo on the subject and I would be prepared to submit that for 
the record. [The information requested is published on pp. 101-
107 of this transcript.]
    But it is important to note that the information that we 
are looking at as people surf the web does not involve any 
personally identifiable information. All we are doing is taking 
an anonymous identifier. We are taking their IP address, for 
example, and transforming that into an anonymous number with a 
one-way hash. And against that anonymous identifier all we are 
examining is qualification for market segments. So we are not 
keeping the raw data. It is just qualification for market 
segments against an anonymous identifier.
    Senator Dorgan. But your approach and the approach of the 
Internet service provider would not be an opt-in approach. It 
would be an opt-out approach. I would think if my Internet 
service provider said to me, you know what, Mr. Dorgan? We have 
a proposition. Is it OK if we give everything you do to another 
company? I would say, of course, it is not OK. You kidding me? 
The answer is no, capital N-O. So from an opt-in standpoint, I 
am guessing that this would not be a workable model. It only 
works if you require people to opt-out. I mean, I think that is 
the difficulty.
    Ms. Harris, do you want to comment on that?
    Ms. Harris. Yes, I do. I think, first of all, it is 
important to understand that our wiretap laws do not care if 
the information is personally identifiable or not personally 
identifiable. The laws are agnostic on that point. It is 
important to understand that.
    Second, they may not be using all the information, but they 
are mirroring. They are capturing the data stream and then 
somehow mirroring or copying it. So the ISPs are providing that 
information to an unknown third party, a man in the middle. I 
take Mr. Dykes' word that they are then not using all of that 
information, but you have to have a way to separate out the 
information you are using from the information you are not 
using. I do not think you can pretend----
    Senator Dorgan. Mr. Dykes, do you wish to respond to that?
    Mr. Dykes. Yes, I would, Mr. Chairman. So although the 
information flows through our system, information that does not 
conform to one of the market segments we are looking at is 
simply ignored and flushed permanently. And so we are only 
looking at these select innocuous market segments.
    I would also point out that we do provide very robust 
notice to the user and an opportunity to opt out. These notices 
are sufficiently robust that people do opt out. So it is not 
like people are ignoring them. They are informed, and as I 
said, we are confident that we do not break the law and we have 
a memo on the subject that we would submit.
    Senator Dorgan. Mr. Kelly, on Facebook, I do not know 
whether this has changed, but my understanding is that when 
someone would order an application, which they could on 
Facebook, called Dogbook or Scrabble, that that application 
then would allow the person selling the application access to 
all that which exists in Facebook. Was that the case?
    Mr. Kelly. So, first of all, a user has to affirmatively 
add an application to a profile and----
    Senator Dorgan. I understand, but when they do that----
    Mr. Kelly.--box that informs them that they are adding this 
application and sharing information with the third party in 
that case. At that point, the application has the ability to 
request certain data. We do not hand over all the data at that 
point. They have the ability to request it in a session basis 
and limit it to the data that the user who has installed the 
application can see on Facebook. So the privacy settings 
persist.
    That application is allowed to, for caching purposes, 
retain the information they have requested for only 24 hours, 
and if they exceed that amount, we have a policy enforcement 
team which will take action, including potentially shutting 
down the application. And in the last few weeks, we have shut 
down a number of applications over violations until they come 
into compliance.
    Senator Dorgan. I have just received some good news. The 
U.S. Senate was not constructed to ever be accused of speeding, 
and all of us who serve here know that. It actually has 
exhibited that this morning. We have actually an 11:45 start 
time, which means we have a full hour for questions. The 11:45 
start time will be the first vote. So that is good news.
    Let me call on Senator Vitter.

                STATEMENT OF HON. DAVID VITTER, 
                  U.S. SENATOR FROM LOUISIANA

    Senator Vitter. Thank you, Mr. Chairman. I have some 
general questions and I would invite very concise responses 
from anyone who has a response.
    What is the best estimate available regarding the use of 
this type of information not for behavioral advertising--put 
that on the side--but for other purposes that all of us would 
consider an abuse, identity theft or other abusive uses, not 
behavioral advertising? Does anyone have a sense of the size of 
that problem?
    Ms. Harris. Mr. Vitter, I think that the answer is nobody 
knows and there are no rules in place that would prevent any of 
that. And so the question is, and I will say that for members 
of the Network Advertising Initiative that they have made a 
commitment not to do that, but it is a big Internet. And we do 
not know what everybody is doing. But basic fair information 
practices say that if you collect information for a purpose, 
you should use it for that purpose, and not use it for another 
purpose. We have no legal way of enforcing that.
    Senator Vitter. Does anyone else have a sense of the size 
of that problem?
    Mr. Dykes. Well, I would point out that when NebuAd was 
being founded back in 2006, it was when AOL search data became 
public and people determined that a large amount of raw search 
data could represent personally identifiable information. We 
also had the Government asking Verizon and AT&T to provide 
click stream data.
    And it was for those reasons that when NebuAd was founded, 
we resolved never to be in a position to have such data that, 
which if found by others, could ever have a problem. That is 
why we do not keep the raw data mapped against a user ID. We 
only keep this qualification for market segments and all our 
user ID's are anonymized. So we keep very limited data to avoid 
any of those risks.
    Senator Vitter. I understand.
    Does anyone else have a sense of the global size of that 
problem? OK.
    Now, with regard to that problem--again, put behavioral 
advertising on the side. With regard to that problem, would 
ensuring that all of this collection of data is made anonymous 
in the ways that several of you do presumably already solve 
that problem or not?
    Ms. Harris. I do not think you can do that. The industry 
wants us to believe that this information is anonymous. I think 
at best it is pseudo-anonymous. They are building profiles. And 
I think a couple of years ago when AOL released search data for 
a good purpose, for research purposes, it took very little time 
for people to take a single set of search data and identify 
somebody. So that we are moving to a point where there is 
enough information----
    Senator Vitter. Can I interrupt for a second?
    Ms. Harris. Yes.
    Senator Vitter. Explain that to me as a layperson because 
my reaction to that is there are a gazillion people on the 
Internet. How do you possibly take that anonymous information 
and come up with an individual?
    Ms. Harris. Well, it cannot be entirely anonymous because 
you are trying to put--I mean, even for NebuAd--and we can talk 
about this--they keep refreshing the information about an 
individual. You have to. Right?
    Mr. Dykes. We only keep information in market segments. The 
way AOL's data became identifiable is that people did numerous 
searches on houses in their neighborhood, and soon it was 
fairly clear who the person was who was doing the search 
because there was just so much data centered on a particular 
name and address and things like that.
    Ms. Harris. But profiles can include that. Profiles can 
include that you have been on a particular website looking at a 
particular thing, that you have searched for your own name, 
that you--it depends what is in the profile.
    Mr. Dykes. Exactly. If the profiles had that information, 
that is when it becomes pseudo-anonymous, and therefore, you 
can derive PII.
    Senator Vitter. Let me reask the question. Could there be a 
regime ensuring true anonymity in terms of the collection, 
number one? Is that possible?
    Mr. Dykes. I believe so.
    Senator Vitter. And number two, is any legitimate purpose 
that is of any arguable benefit to consumers sacrificed through 
that regime?
    Mr. Dykes. Well, the effectiveness does decline as you move 
toward eliminating pseudo-anonymous data. But we have chosen to 
make that choice. We do not have very sensitive ads. We have 
chosen not to take very sensitive ads from big pharmaceutical 
companies, for example. There are a lot of choices we have made 
to protect consumer choices that do reduce the economic value, 
but these I think are important choices.
    Senator Vitter. Does anyone else have a reaction to that 
idea of what most folks would regard as true anonymity? Number 
one, how possible it is; number two, what if anything would be 
sacrificed.
    Mr. Crews. I think you are always taking a risk when you 
think that the Internet, with the kind of network that it is--
if pure privacy is what you want, the Internet is probably the 
wrong network for you because everybody here has a business 
card, and the people that we talk about with most of these new 
technologies--and I talked about warring computer scientists. 
Some are trying to offer anonymity.
    But on the other hand, there are going to be cases where 
you do not want somebody to pose as you and you are going to 
want to use personally identifiable information. The 
technologies are going to change as biometrics get integrated 
into commerce and things like that. So we are not going to want 
anonymity ultimately in some respects, if we are dealing with 
our insurance company, dealing with a finance company.
    Senator Vitter. Let me back up. I am not talking about 
anonymity dealing with your insurance company. I am talking 
about anonymity in terms of the collection of data for the 
purposes that we are talking about.
    Mr. Crews. I do not think so because of the openness of the 
Internet and the criminal element that is always going to be 
there. You know, anybody can go into Starbucks and the library 
and get on the Net. It is always going to be an open network 
that nobody has a proprietary stake and can offer that kind of 
a guarantee. We are going to have to have activities on the 
consumer side and institutions like identity theft insurance 
and all those sorts of things too. We can try our best, and I 
think that is what scientists are trying to do. But the 
Internet is not the network for privacy in a sense.
    Senator Vitter. Thank you.
    Senator Dorgan. Senator Stevens was here and he had to go 
to an Appropriations Committee markup, and he asked that we put 
his statement in the record. We will do that by unanimous 
consent.
    [The prepared statement of Senator Stevens follows:]

    Prepared Statement of Hon. Ted Stevens, U.S. Senator from Alaska
    Mr. Chairman, thank you for scheduling this hearing.
    As we recently learned in last month's hearing on spyware, we must 
be increasingly vigilant in ensuring that Americans' personally 
identifiable information is protected. On one hand, legitimate online 
advertising provides many benefits to our economy--for example in 
Alaska it helps our newspapers, radio stations and television stations 
to provide free online news. But, on the other hand there are concerns 
about protecting individuals' privacy and preventing against identity 
theft.
    For the Internet economy to continue to grow, Americans need to 
have confidence that their personal identifiable information is safe 
when they enter their data online. Moreover, consumers should be fully 
informed about what information is being collected online, who is 
collecting the data, and what options consumers have to protect 
themselves.
    At this hearing, it will be important that the Committee gets a 
sense of how online behavioral advertising works, and how consumers can 
guard their personally identifiable information. I also anticipate that 
today's hearing will help us better understand what roles the Federal 
Trade Commission and the industry should play in educating consumers on 
how information is collected online and how to protect themselves.
    I thank the witnesses for participating today and look forward to 
hearing their testimony.

    Senator Dorgan. Senator Klobuchar?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Senator Dorgan, for 
holding this hearing, and thank you to our witnesses. I was 
thinking, as I listened, how everyone sort of has a love-hate 
relationship with advertising on the Internet. I love it when 
it is something for a discount on clothes, and I hate it when 
my daughter sees the American Girl things put on the screen. 
But I think everyone feels like that.
    And I think we also know that advertising plays an 
important role in enhancing a consumer's online experience. It 
is revenue, and it also promotes the development of online 
news. So like Senator Dorgan, I would agree that we are not 
against advertising on the Internet, but the issue is, as it 
becomes more sophisticated, do we have a role here to play in 
making sure that consumers' privacy is protected as companies 
develop more technology and are able to dig deeper into that 
information, that we keep it anonymous.
    I guess my first questions are of you, Ms. Parnes. I know 
Mr. Kelly and Mr. Hintze were talking about how the FTC could 
go farther in terms of differentiating between the kind of 
information, whether it is anonymous information, whether it 
is--I think they were differentiating between the way you get 
the information based on personally identifiable information or 
advertising based on non-personally identifiable information. 
Could you do that as part of your rules?
    Ms. Parnes. Well, Senator, I think we could make those 
distinctions. In the first instance, let me just clarify that 
what the Commission put out was a set of proposed principles 
that would guide----
    Senator Klobuchar. Self-regulation.
    Ms. Parnes.--a self-regulatory scheme.
    Senator Klobuchar. Right. They were not rules.
    Ms. Parnes. Not Commission rules.
    But within the the principles, I think our proposal 
reflects some differences. For example, the proposal calls for 
express affirmative consent before an entity can collect 
sensitive personal information from a consumer for use in 
behavioral advertising. So we acknowledge that there are some 
areas that are more sensitive and that require a certain level 
of heightened transparency and control and choice for 
consumers. I think that as we are looking at all the comments 
that we received, that is certainly something that we will 
consider, whether we should provide a sliding scale type of 
scheme.
    Senator Klobuchar. The other thing is I know you have had 
60 comments, and I am sure a lot of them have been industry 
groups and privacy groups. But again, as Senator Dorgan was 
mentioning, I am not sure individuals out there even understand 
what is going on.
    I was reading about the European Union has some guidelines 
where you have to be able to access what people have on you and 
then correct it if it is false. Have you looked at that at all?
    Ms. Parnes. In these sets of principles, we have not looked 
at access to the information. I think what we have been more 
concerned about is the issue of transparency, consumers really 
understanding what is going on in behavioral advertising.
    I frankly was surprised that among the over 60 comments we 
received, we did get some comments from individual consumers, 
but I think that you are absolutely right. For the most part, 
consumers do not understand what is happening behind the 
screen, as it were.
    Senator Klobuchar. Mr. Hintze, you talked about the need 
for a Federal law, and I think Ms. Harris talked about updating 
Federal laws. What ideas do you have for changing Federal law 
that we could look at?
    Mr. Hintze. Well, going back a couple of years to 2005, we 
came out in support of a comprehensive Federal privacy 
legislation. We think that establishing a baseline at the 
Federal level across industries makes a lot of sense. It would 
require certain basic requirements that are consistent with 
good industry practices and self-regulation that exists today 
around user notice and security and user consent and even 
access, as you have mentioned. There are some very difficult 
issues there. We have some ideas of what a good Federal law 
might look like.
    We have also been supportive of State legislation in some 
cases where it was balanced and provided appropriate guidelines 
for the online advertising space. We have also been very 
supportive of the security breach notification laws and others.
    But I think that overall, legislation does play an 
appropriate part of the mix of protecting consumer privacy 
along with self-regulation and consumer education and 
technology tools.
    Senator Klobuchar. So the idea would be to take some of the 
things that Ms. Horvath has been talking about, some of these 
other things and actually put them into law. How would it work 
with the self-regulation?
    Mr. Hintze. Well, the Federal law would presumably provide 
a baseline common set of requirements, and then for particular 
industries, for example, there may be additional very specific 
self-regulatory additions that could go on top of that. I think 
online advertising is a perfect example of that where there are 
some specific aspects of online advertising around behavioral 
targeting and what consent looks like in those cases. That may 
be more appropriate for self-regulation, but could certainly 
build on top of the baseline requirement that is based in law.
    Senator Klobuchar. Mr. Kelly, did you want to add, since 
you raised that issue of different ways that we could 
differentiate between information? Are you in favor of some 
kind of Federal law?
    Mr. Kelly. We have not taken a position on a formal Federal 
law around that. We have been focused on creating innovative 
privacy technology to allow users to control the collection and 
use of data. An instructive example here would be that, for 
instance, in a classic behavioral targeting situation, an ad 
network would see that you visited five auto sites and 
determine from that that you might be interested in buying a 
car. Whereas, the Facebook approach has been, let us say, if we 
were, for instance, partnered with an auto site, the auto site 
would allow you to say--you know, give you a little pop-up that 
said, do you want to share the fact that you purchased a Chevy 
with your Facebook friends, and give you a real-time choice 
around that. So we are focusing on technology as a solution.
    Senator Klobuchar. Thank you very much.
    Senator Dorgan. Senator Klobuchar, thank you very much.
    Senator DeMint?

                 STATEMENT OF HON. JIM DeMINT, 
                U.S. SENATOR FROM SOUTH CAROLINA

    Senator DeMint. Thank you, Mr. Chairman. Thank you for 
holding the hearing. I appreciate your comments on the 
importance of advertising. I think we all agree that the 
ability to get all the free things we get on the Internet are 
important, and they do relate directly to advertising. And I 
think probably most of us would agree that the ability of 
advertisers to target their markets are important to continue 
to attract advertising revenue to the Internet, and I think we 
have heard a lot about how the industry has progressed.
    Just a couple of questions here. Mr. Dykes, just as a for 
instance so I can kind of get it, this anonymous versus not 
anonymous question, if the Department of Justice were to issue 
you a subpoena asking you for names of people who have searched 
for information about explosives, would you be able to provide 
the names or locations of individuals who had done that?
    Mr. Dykes. No, sir, we would not be able to provide names, 
nor even their IP addresses. We have no personally identifiable 
information in our system, and it would just simply not be 
possible to get back to an individual from any information we 
have in our system.
    Furthermore, we do not have advertisements and categories 
on bomb-making, for example, and therefore, that information is 
not even in our system either.
    Senator DeMint. So it appears that the technology has been 
developed and is being developed and improved that would allow 
increasing privacy and anonymity on the Internet, which is I 
think impressive, given the fact that this is all being done 
voluntarily.
    It would be my assumption that the incentives for--the 
businesses represented at the table have a lot of incentives to 
compete for the best privacy policies, that they would disclose 
their privacy policies to encourage users to use their 
particular service because of their ability to protect. I think 
the private market has a lot of incentives.
    Let me just direct a few questions at Ms. Parnes. How long 
do you think the rulemaking or even the development of these 
principles might take?
    Ms. Parnes. Well, I am reluctant to give a specific time-
frame, but we are moving quickly on this. As we noted, we 
received a lot of comments, and this is a challenging issue. We 
want to drill down, figure out what information we have, if we 
need additional information, and then move forward, as I said, 
very quickly.
    Senator DeMint. Do you think at least a year or 2?
    Ms. Parnes. I would doubt that.
    Senator DeMint. Do you think it is the responsibility of 
the FTC to regulate advertising on the Internet?
    Ms. Parnes. Well, in some ways we do regulate advertising 
on the Internet. The question about behavioral advertising--I 
think some of our principles are grounded in section 5, and we 
do have principles that govern behavioral advertising, as well 
as all other advertising.
    Senator DeMint. It would be my hope that you continue to 
see your responsibility as protecting consumers and not 
necessarily attempting to manage or regulate different aspects 
of our economy.
    I think in some ways we have got a solution in search of a 
problem, as the industry moves very quickly to try to cut these 
problems off before they occur. It is very likely that if 
rulemaking or even principle-making is going to take a year or 
2--and obviously, the FTC needs to look at it--that the 
technology that is being talked about today will advance--will 
make great strides over the next months and years. And it is 
very likely that by the time the FTC acts, that the industry 
will be far ahead of where you are.
    My concern is this. The Government's attempt at privacy 
certainly is well motivated, but rules, for instance, in the 
health care industry where, when I was with a family member 
having surgery, the physician was not able to give me 
information about actually what took place or I could not call 
a doctor's office and get information about my own daughter's 
bill. And you hear doctors talk about the inefficiencies that 
are created because of this well intended policy. I just have 
great concerns that if the Federal Government attempts to jump 
in in the middle of a situation where a problem has not yet 
exhibited itself, that we are likely to inhibit one of the 
showcases of free enterprise in America today.
    Ms. Parnes. Senator, I would just say that that is 
precisely why the Commission is encouraging self-regulation in 
this area. The principles that we have proposed are principles 
that would govern a self-regulatory scheme that industry itself 
adopts, and we think that self-regulation, at least at this 
point, is more appropriate in this kind of environment where, 
as you note, technology is changing so quickly.
    Senator DeMint. Well, that is a good philosophy, and I 
appreciate hearing it this morning. And I thank all the 
panelists.
    Mr. Chairman, I yield back.
    Senator Dorgan. Senator DeMint, thank you very much.
    Senator Thune?

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. Thank you, Mr. Chairman. I too want to thank 
you for holding the hearing. I think this is an issue that is 
very important. It is being talked about, getting a lot of 
attention. It is going to get more attention, I think, in the 
future. I do believe that it is critical that consumers have 
knowledge of whom or what is tracking their online activity and 
additionally that they have every opportunity to learn more 
about the uses of their personal information.
    In that light, I have a question for Ms. Parnes, and that 
has to do with sensitive information which certainly, I 
believe, would deserve a greater degree of protection than just 
regular online uses. What do you consider to be sensitive 
personal information? Is that a health record, a credit card 
history, those sorts of things?
    Ms. Parnes. In our proposal, we identified several 
examples: medical information, financial information, and any 
information about children. It is not intended to be an 
exclusive list, though.
    Senator Thune. What is the relationship between market 
share in the search advertising business and the ability to 
attract advertisers and web publishers? And is there a tipping 
point where a company, for example, say a Google, could become 
so dominant in the market that advertisers and web publishers 
have no choice but to contract with the company?
    Ms. Parnes. I am afraid that----
    Senator Thune. Of venturing into that?
    Ms. Parnes.--I do not think I really have the information. 
Yes. It would be difficult to venture a guess on that. Perhaps 
one of the people here might want to.
    Senator Thune. All right. We will let you off the hook, but 
if anybody else would care to take a stab at that.
    Mr. Crews. Well, I do not think you have to worry so much 
about tipping points in the online world for a lot of reasons, 
but in particular, as long as people have the ability to click 
that button and there is no censorship online--you know, 
Government does not dictate where we go or anything like that--
no one can attain that kind of monopoly power because nobody 
operates in a vacuum.
    The joke way I put it when debating media ownership is that 
even if the biggest companies merge with others across other 
avenues, what happens? They could get together and try to abuse 
the trust or what have you. But what happens? Advertisers flee. 
Wall Street flees. Customers flee. The employees flee. The 
people who work in that business who know the technology and 
the science move and start another company.
    So all of the impulses in a market economy, especially in 
one where barriers to entry are so low, like in Internet 
businesses, there is not that kind of threat of monopoly power. 
It was not that long ago that all of us were using Yahoo! to 
search or Alta Vista to search, and then Google came along with 
another technology. It is one algorithm, but you can go on the 
search engine Colossus I believe. There are hundreds of search 
engines out there. Just a thought.
    Senator Thune. If Congress were to establish regulatory 
guidelines or core principles for online advertising privacy, 
what would those principles entail, and how would those align 
with some of the principles that the FTC is adopting? Does 
anybody want to venture----
    Ms. Harris. Yes. Mr. Thune, I think it is important to note 
CDT's position in support of a baseline privacy law is not 
about advertising. It is a step down. It is for all data 
collection and use practices. So those of us who are advocating 
adoption, I think you are looking at fair information 
practices. You collect for a particular use. You hold it only 
for the time that use exists. You do not hold data forever. 
People have a right to know what people are holding about them. 
They have a right to opt out or opt in, depending on the 
sensitivity of the data. The the devil here is in the details, 
but I do not think that the framework--you know, fair 
information practices is sort of infused throughout our legal 
system and certainly in terms of Government information, 
although somewhat outdated.
    Let me just add one thing. We do understand and have no 
interest in slowing down the technological innovation in terms 
of privacy-enhancing technologies. We do think that that is an 
important part of this, and we would not want to see any law 
that froze the Internet in a way that would make that 
impossible. So everything is a balance here.
    Mr. Hintze. I think that is right. We generally agree, and 
one of the reasons that we came out in favor of comprehensive 
Federal privacy legislation in 2005, which was before we were 
significantly involved in the online advertising space at all, 
is that there is just this emerging patchwork of Federal and 
State privacy laws with different standards depending on the 
industry, depending on the particular issue. And it just made a 
lot of sense to harmonize that, both from a compliance 
standpoint from a company's point of view and from a consumer 
standpoint so they can know that they have a common baseline 
protection across the board, regardless of the kind of industry 
that they are dealing with.
    As we get into online advertising, that kind of baseline 
Federal privacy standard could certainly help here. It does not 
answer all the questions, and that is why we need to supplement 
it with self-regulation and other practices. But I think the 
need for a Federal law is not specific to online advertising 
but is more general.
    And I would just like to make one other point about your 
other question earlier about the competition and dominance in 
this space. I think for the purposes of this hearing, we 
definitely see a nexus between competition and privacy in that 
if there does become a dominant player in the online 
advertising space, that means that there is a single company 
that is collecting more data. The more ads you serve, the more 
data you are collecting. And it could become the case where a 
single company has a nearly complete picture of people's online 
behavior.
    Beyond that, we also think that the need for competition in 
the space fosters competition in privacy. If there is a 
dominant player, there is little or no incentive to adopt 
better privacy practices because they are not facing 
competitive pressure from other companies that may be adopting 
superior privacy practices.
    Mr. Dykes. Senator, I would like to agree with both of the 
prior speakers. I think the law should be focused on privacy 
and what types of information are being collected. And they 
should be technology-neutral and business process-neutral and 
not necessarily advertising-focused either. It should really be 
focused on privacy.
    But I also think that the Government needs to be very 
careful in making policy to ensure that it does not stifle 
competition for the very reasons we just noted because there 
are new competitors springing up all the time. When we think we 
have one dominant competitor, past history has shown that there 
are other ones in the wings springing to life, and we would not 
want the Government to stifle that. So there is a role here for 
self-regulation as well to allow for flexibility as technology 
develops.
    Ms. Harris. Can I just make one brief point on this notion 
of technology neutrality in the law? We do have neutrality 
under ECPA. If you are acting as a conduit, you are treated one 
way. If you are not you are treated the other. And I think we 
have to be careful. We have wiretap laws. We have other 
communications laws that apply to the institutions that stand 
between the user and the ends of the network. I think we can 
sort of use this neutrality--everybody should be treated the 
same at all times--as a mantra and lose, I think, track of the 
fact that companies stand in different positions to a consumer, 
and we have to take that into account.
    Senator Thune. Thank you all for your testimony.
    Thank you, Mr. Chairman.
    Senator Dorgan. Senator Thune, thank you.
    Senator Nelson?

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Mr. Chairman, I think the timing of this 
hearing is uncanny because we have on the floor right now the 
FISA bill which the whole question in FISA is about the 
protection of the rights of privacy and the civil liberty of 
Americans. I can tell you all that as a member of the 
Intelligence Committee, we have been struggling with this FISA 
issue for the last year and a half. We have come up with a 
compromise and a resolution of how you can allow our 
intelligence agencies to seek the information of a terrorist 
but at the same time protect the civil liberties of American 
persons, which is defined as an American citizen and a person 
not an American citizen who is legally within the United 
States.
    What I am struck with is that we have a similar issue here. 
Take, for example, I use the Internet to go online to read the 
newspapers back home in Florida. Now, if suddenly the kinds of 
articles that I am reading are going to be determined, the 
content of what I am reading is going to be identified with me 
so someone can target advertising, I want to question the 
underlying basis of this.
    In our discussion of snooping of terrorists before, we have 
carved out an exception that we do not want the Government--
now, here we are talking about the private sector, but we do 
not want the Government sector to go and examine what books 
that we are reading at the local libraries. Well, right here we 
have the question of whether or not we are going to let other 
private people within the private sector examine the same thing 
and then use it for a commercial advantage.
    Now, I am not naive enough not to understand that this is 
already happening. So the question is, how do we rein this in 
so that as this Internet continues to explode into something 
years down the road that we cannot even conceive now that will 
be totally ubiquitous, how do we support our Constitution and 
protect our civil rights?
    So let me just ask, is there a way that we can approach 
this where we would govern the type of Internet connection used 
instead of the content or the information collected? What do 
you think about that, Ms. Harris?
    Ms. Harris. Well, I think I am not entirely sure of what 
you are suggesting, Senator.
    Senator Nelson. Nor am I.
    [Laughter.]
    Ms. Harris. Well, I am not sure that that is really the 
answer.
    I will say this, that you are, I think, very prescient to 
connect what appears to be a totally unrelated matter of FISA 
with what is going on here. And the reason is that when we 
operate in an Internet regime where we have no limits on how 
long a company can collect data, where we have these other sets 
of laws, you know, the Electronic Communications Privacy Act, 
et cetera, that are 20 years old and did not anticipate the 
Internet. Whatever we are building here and whatever is being 
collected, to the extent that it can be pseudo-anonymously 
connected through user logs, et cetera, it is also available to 
the Government. So I do not think we can view these things as 
there is a consumer stream that is being collected out here and 
there is a Government stream.
    If you look at e-mail, for example, we have very little 
protection in this country for stored e-mail because we did not 
anticipate 20 years ago that it was going to be stored online. 
That information has very little legal protection. So we are in 
a perfect storm----
    Senator Nelson. Yes, we are.
    Ms. Harris.--between the commercial activity and national 
security----
    Senator Nelson. Yes, just like--you know, we hold it very 
dear in this country that we do not like other private citizens 
reading our personal mail, but in effect, what we have is the 
ability to read our personal communications here by other 
private individuals separating the issue from Big Brother and 
the Government.
    Ms. Harris. I do not think you can.
    Senator Nelson. Well, let me ask you this, Ms. Harris.
    Ms. Harris. That is not to suggest that they are acting as 
agents for the Government. I want to be really clear here. It 
is just that the laws we have, once we collect this data----
    Senator Nelson. But they could act--that information could, 
but I do not want to get off on that tangent.
    Let me ask you this, Ms. Harris. Do you believe consumers 
are entitled to an opt-in arrangement rather than the opt-out?
    Ms. Harris. I think it depends on the data and I think it 
depends on the context.
    Senator Nelson. Give me an example.
    Ms. Harris. Well, I think that we think that when you are 
operating in an environment where you are the ISP and you are 
standing between the ends of the network, that we already have 
law, the Electronic Communications Privacy law, Cable Act, and 
a myriad of State laws, that require an opt-in. The ISP stands 
as sort of the center of Internet chain of trust between the 
two ends.
    And so online in the advertising context, if we could 
figure out a robust way to do opt-in, but then where we have 
difficulty is separating PII and non-PII, personal information 
is starting to merge. It is much harder to separate them. We 
have profiles of what seemingly each piece looks like, you 
know, an innocuous piece of information, and they are tied to 
some kind of ID so they can be refreshed, and that ID can be 
tied to your Internet address. It is a very complicated area.
    That is why I am really pleased to hear Senator Dorgan talk 
about more hearings. I think we have to get a baseline privacy 
bill, but we are going to have to do a lot of work to go 
through----
    Senator Nelson. I want to commend Senator Dorgan for doing 
this, and this is the beginning of a long road as we try to 
grapple with this issue.
    May I ask one more question?
    Senator Dorgan. Yes. Your time is expired but we will 
recognize you for one more question. We are going to have a 
second round because we have until 11:45. So you may proceed.
    Senator Nelson. Right now we have got the Commission doing 
this self-regulatory principle and it deals with the internal 
information security, but it may not address the security of 
these third parties. I wanted to ask you, Ms. Parnes, has the 
Commission studied the types of data security or encryption 
associated with these activities?
    Ms. Parnes. The Commission has not specifically studied 
whether all of this information that is being collected is 
encrypted, but one of the principles that we have announced 
calls for data security so that the information that is 
collected is held in a secure way. And we have also called for 
information to be held only as long as it is needed for some 
legitimate business or law enforcement purpose. We do not focus 
particularly on encryption or any other type of technology in 
looking at data security. It is reasonable security measures in 
light of the nature of the information that is held.
    Senator Nelson. Thank you.
    Senator Dorgan. Senator Nelson, thank you very much.
    Let me make a couple of comments then ask some additional 
questions. To give you an example of, as a consumer, things 
that I think are beneficial in terms of online collection of 
information, I go to--maybe I should not use the site name--
Amazon as an example and am searching for a book or a couple 
books. And Amazon comes back to me and says here is what you 
searched for previously. So all of a sudden, I know they have 
kept information about me. Correct? And then they also come 
back and they say, and by the way, here are other books that 
people are looking at when they look at the book you are--so 
they are obviously collecting information about what other 
people have done. Very beneficial and very interesting to me to 
take a look at that. I do not walk away from that computer 
thinking, you know, that is a real serious problem. I think 
that is an advantage.
    But then there are other questions. For example, Ms. 
Horvath, Google. I use Google as a verb because I just google 
it. I am always googling something. Right? And so is Senator 
DeMint I will bet. And I also use MSN. So the two of you, 
Google and MSN, likely have information about where I have been 
traveling. Right?
    I did not do this. So I go to--well, I may not google this, 
but I may. I decide I am going to get to WebMD somehow or 
another and I am going to take a look at gout, dementia, and 
postnasal drip. Right? Now, I do not want the whole room to 
know that, not that I would do that.
    [Laughter.]
    Senator Dorgan. But that may apply to some others, but I 
disavow it.
    But my point is I do that and then I say, I want to find a 
flight to San Francisco. I want to go to the St. Francis Hotel, 
and then I want to go to a Flying Other Brothers concert. So I 
am doing all that.
    So now both of you perhaps know all of that about me or 
maybe that was all Senator DeMint that did that. So let me ask 
you a question. Do you know that about me?
    Ms. Horvath. Actually we do not. It would really depend on 
how you are using our service.
    Senator Dorgan. Well, let us say I use it so that you know 
it.
    Ms. Horvath. If you are signed-on account holder, if you 
are signed in, then we would know what you are searching for, 
but we know what you are doing only on the Google.com site. 
Once you leave the Google.com site, the connection is gone. We 
are not collecting----
    Senator Dorgan. If I am on MSN and pull up Goggle on MSN 
and use Google to go find something, you are saying that you do 
not keep a record of that?
    Ms. Horvath. We would know what your search query was.
    Senator Dorgan. Right.
    Ms. Horvath. If you came onto our service to Goggle.com and 
you were not logged in, what we would collect would be your IP 
address, the operating system that you are using, the browser 
type that you are using, the query that you have requested, and 
we would, if you do not have a correct cookie already----
    Senator Dorgan. That was my point.
    Ms. Horvath.--we would have a cookie.
    Senator Dorgan. That was my point.
    Ms. Horvath. And that is all we would collect.
    Senator Dorgan. Well, that is a lot.
    Ms. Horvath. If you went out to the airline site----
    Senator Dorgan. You know about postnasal drip then. Right?
    Ms. Horvath. No.
    Senator Dorgan. You do not know that is where I went?
    Ms. Horvath. But if you were searching on Google for 
postnasal drip, we would know that you were searching for that, 
but once you went off----
    Senator Dorgan. Right. That is my point.
    Ms. Horvath.--to WebMD, we would not know that you were 
searching for gout or----
    Senator Dorgan. So how long do you keep the postnasal drip 
inquiry?
    Ms. Horvath. Well, it is only connected to your IP address. 
There is an argument as to whether IP addresses are personally 
identifiable information because of the nonstatic nature. When 
you are assigned an IP address, it does not mean that you are 
going to have it 3 days from now, the same IP address. So it 
would be stored in our logs iteratively. So it would not be 
saying Senator Dorgan was looking for postnasal drip in our 
logs. No, we would not know that.
    Senator Dorgan. I am using a silly example, obviously.
    Ms. Horvath. No, I understand.
    Senator Dorgan. But if I am on MSN, as an example, and I am 
moving around, and then I go to Google and type in dementia, 
MSN has a record of what I am doing, I assume, and you have a 
record of what I am doing at Google. My question is, how long 
do you keep those records?
    Ms. Horvath. We store our search logs for 18 months, and 
after 18 months, we anonymize them by deleting what would be 
your cookie ID and also by redacting the IP address so it could 
no longer be connected to a computer that you used.
    Senator Dorgan. And how long do you store this information?
    Mr. Hintze. Ours is 18 months as well and our anonymization 
process goes a little bit further. We delete the entirety of 
the IP address and all cookie ID's.
    Senator Dorgan. And if you are a Gmail user and log in, 
then what?
    Ms. Horvath. Then the logs are exactly the same. It is 18 
months and then it is deleted after that.
    Senator Dorgan. And if Mr. Dykes comes to you at Google or 
MSN some day and says, I want to contract with you all, or goes 
to Verizon or whomever, a service provider or an online 
company, and says, I would like to contract, I would like to 
get everything that you have got, just stream it over to me, 
because he is an advertising agency and he is going to frame up 
advertising in the future that will have beneficial content for 
somebody, your reaction to that? He says, I can actually pay 
you some pretty big money if you just stream all your stuff to 
me at the same time you are collecting it.
    Mr. Hintze. It is a hypothetical. We would, obviously, look 
at all the privacy implications of any deal we would do. 
Currently we are not sharing that data with anybody. It is all 
used for our own internal operations. As far as I am aware, 
that is our plan going forward.
    Senator Dorgan. Yes, Mr. Dykes?
    Mr. Dykes. I would point out that if we were involved in 
that type of transaction, we would not be storing the sensitive 
medical information that you just cited, and we would not have 
the IP address because we do a one-way hash on that. So we 
would just keep it against an anonymous identifier the 
innocuous commercial categories that occurred there.
    Senator Dorgan. I understand.
    Ms. Harris, Senator DeMint, my colleague, indicated--and I 
think Mr. Crews also--that this is probably a solution in 
search of a problem, this discussion. And Mr. Crews' point, I 
think is that if somebody is doing something you do not like, 
you are going to go someplace else. If you back all the way up 
from that, that is like you do not need FDA inspecting food 
plants because if somebody is producing food that makes you 
sick, they will be out of business soon. But I mean, some make 
that point that are really against all regulation. But is this 
a solution in search of a problem?
    Ms. Harris. No, I do not think it is. You would have to 
have a level of transparency. And believe me, we encourage 
every day our colleagues at this table and some who are not and 
industry to compete with each other on privacy. But I do not 
think consumers understand at a level of granularity about the 
differences in policies. And I can say you are still keeping 
information far too long. We still have information tied to IP 
logs. I mean, this question about everything being anonymous, 
everything is not anonymous. At a minimum, we have got pseudo-
anonymous logs. We have got one-way hashes. Those identifiers 
can be linked back by somebody to the IP address because we are 
updating the profiles. So it is just not that simple.
    Senator Dorgan. One further point and then I will call on 
my colleague.
    Mr. Dykes. Could I interject to say that clearly represents 
a misunderstanding of how we operate? And I will take time to 
talk to Ms. Harris some more.
    Senator Dorgan. If we have time, we will come to that at 
the end.
    One final point. This Committee did, on behalf of 
consumers, a Do-Not-Call List, obviously having to do with 
telephone solicitation. I am assuming that there are technical 
difficulties with a Do Not Track List. I have just described, 
when I started my questioning, why tracking with respect to my 
search for a book on a site really is probably beneficial to 
me, but I do not know what is being tracked of Senator DeMint's 
or my or Senator Carper's activities on the web. I do not have 
the foggiest idea who is tracking it, how they are tracking it, 
how they might use it, whether that company has some scruples 
and might be very careful about how it handles it or whether it 
is somebody else that grabs a hold of it and says, you know 
what, Katie, bar the door, I will sell it to anybody.
    So that is the only question in my mind, that there are so 
many unanswered questions about information, how people 
navigate this web. The purpose of hearings, of course, is to 
try to inform and to understand, and that is the purpose of 
this hearing.
    Let me call on Senator Carper who has not yet had an 
opportunity, and then I will call on Senator DeMint.

              STATEMENT OF HON. THOMAS R. CARPER, 
                   U.S. SENATOR FROM DELAWARE

    Senator Carper. I apologize for missing your presentations. 
As you know, we have a number of Subcommittees we serve on, and 
I have been detained at another hearing trying to figure out 
how to save the Medicare Trust Fund a couple hundred millions 
of dollars before it goes defunct.
    And we are going to start voting I think in about 10 
minutes.
    Let me just use this as an opportunity to ask each of our 
witnesses to give me--maybe a minute apiece--a take-away. If we 
cannot remember everything you say--I would not pretend to. But 
each of you, give us a take-away. When we leave here, what 
would you have us keep in mind? Ms. Harris, why do we not start 
with you? Then we will just go to Mr. Kelly and Mr. Crews.
    Ms. Harris. I mean, I think the key take-away is that we 
are in a very robust online environment where we get great 
benefit from the advertising, but we are collecting more and 
more information about consumers at the time that the 
information that consumers are putting online is increasingly 
personal and sensitive, health data, location data. Self-
regulation is a piece, but self-regulation alone is not enough 
to protect privacy. And we need to have some baseline rules in 
place.
    We have hearings and we bring in the companies who are good 
actors, who are at least willing to talk to privacy groups. It 
is a very big Internet, and we have to have some baseline for 
everybody.
    Senator Carper. And who should provide the baseline 
guidance? Should the industry police itself?
    Ms. Harris. Well, I am saying self-regulation plays a key. 
It forces the boats up, but it is not in and of itself a 
solution and we think that Congress has to pass a baseline 
privacy law. We have been advocating for years for that.
    Senator Carper. All right. Thank you.
    Mr. Kelly?
    Mr. Kelly. Facebook has been focused on transparency in the 
collection of information about what people do online. Senator 
Nelson offered an excellent example earlier. If he was reading 
an article--let us say it was in the Miami Herald online, the 
only way that Facebook would know that he is reading that 
article is if he hits the share button on his browser and it 
says, you know, share it with my Facebook friends. And at that 
point, the information would be collected. There is real-time 
notice. It would show up in his mini-feed of activity on the 
site and be presented to him.
    And we are also committed to--if somebody wanted to target 
any advertising against that, if he wanted to become a fan of 
the Miami Herald on Facebook, that would be done in an 
anonymous space. The advertiser would not find out that Senator 
Nelson was a fan of the Miami Herald. They would just be able 
to target advertising toward fans of the Miami Herald on 
Facebook.
    Senator Carper. All right. Thank you.
    Mr. Crews?
    Mr. Dykes. So----
    Senator Carper. Go ahead, Mr. Dykes. You had a point on 
this?
    Mr. Dykes. Yes. I was going to say NebuAd would welcome 
regulation in this area that was technology- and business 
process-neutral and focused on the privacy elements. Obviously, 
there should be strong controls, for more sensitive information 
and more personal information, including pseudo-anonymous 
information as Ms. Harris mentioned. I think that would be the 
criteria on which rules should be established. But room should 
be left for innovation because we just do not know how the 
Internet is going to evolve in the future, and so there is 
definitely a role for self-regulation by industry groups in 
this sphere as well.
    Senator Carper. Does anybody on our panel agree with 
anything that Mr. Dykes just said? I saw some nodding.
    Ms. Harris. I came close.
    [Laughter.]
    Senator Carper. I think, Mr. Crews, it is your turn.
    Mr. Crews. I was just going to mention that if the kind of 
profiling that we are all worried about here today is an 
inherent feature of the Internet, one of the things we have to 
worry about is what criminal elements are doing. In this 
debate, it is not just self-regulation or no regulation. There 
is a lot of competitive discipline that has to take place and 
will take place here.
    But because of new technologies--as I said, it is only 
2008. There are a lot more technologies that are going to come 
to fruition, including biometrics, including the face scanners 
and that data getting incorporated. There are a lot of 
institutions that have to evolve. I mean, markets do not pop 
into being, but the institutions that surround them to 
legitimize what industries do and to legitimize and establish a 
set of business practices that make sense that consumers live 
with have to evolve along with those new technologies. You do 
not want regulations that impede that.
    I mean, take a look at the things that do work. Look at 
where opt-out is working. Look at where companies are already 
adopting opt-in procedures for certain kinds of information, 
and pay close attention to how important that is that those 
kinds of evolutions happen. Do not do something that thwarts 
them because there could be political failures just as there 
are market failures.
    One of the inherent problems here too is that compulsory 
databases that Government mandates of all sorts can get blurred 
with private databases, and then that creates a problem. I call 
it the Social Security problem sometimes. You know, one of the 
trickiest personally identifiable indicators is the Social 
Security number. Well, here we are with an Internet that has 
come out. We cannot pull the rug out from under commerce and 
ban the use of the Social Security number, but we can move 
toward a future where business generates its own identifiers 
apart from that.
    So those kinds of evolutions have to occur and we do not 
want to do specific regulations that might impede that because 
it is not a matter of self-regulation or no regulation. It is 
competitive discipline or----
    Senator Carper. Thank you.
    Is it Mr. Hintze or Mr. Hintze?
    Mr. Hintze. Hintze.
    Senator Carper. Hintze. OK. I was wrong on both counts. Mr. 
Hintze.
    Mr. Hintze. I think there are a couple of take-aways from 
today.
    One, we believe that protecting consumer privacy is not 
only compatible with the business of online advertising, it is 
essential to the success of the online advertising business. If 
consumers lose trust in this, if lawmakers are uncomfortable 
with how it is operating, the reaction could ultimately 
undermine this very important business model.
    Microsoft itself has taken a number of concrete steps to 
protect consumer privacy that we think show our leadership in 
this space, but we are a relatively small player in the online 
advertising space. So we believe that also baseline privacy 
legislation is appropriate, supplemented by robust self-
regulation, supplemented by technology tools, and supplemented 
by consumer education. They all need to work together to 
protect consumer privacy in the space.
    Senator Carper. Thank you.
    And Ms. Horvath?
    Ms. Horvath. I would agree with what the other panelists 
have said. I guess our key take-away would be the need for a 
baseline Federal privacy statute which would be based upon the 
fair information practices that have been around for 20 years 
and would give consumers some feeling of accountability, that 
the companies have accountability to them for what they say 
they are doing with their information.
    We would also support self-regulatory standards for the 
advertising sector. We also are already supportive of the NAI 
which has the first set of self-regulatory standards that are 
actually in effect right now.
    Senator Carper. Thank you.
    Ms. Parnes, you are here, but I believe----
    Senator Dorgan. Your time has expired.
    Senator Carper. OK, thank you very much.
    Senator Dorgan. Senator DeMint?
    Senator DeMint. Thank you, Mr. Chairman. I know we are out 
of time.
    A last comment. I spent all my career in advertising. So I 
know for many, many years we have been able to buy mailing 
lists that reflect behaviors. If someone subscribes to an 
outdoor magazine, you know they are likely to buy other things.
    One of the exciting things about the Internet is, 
recognizing that most of the jobs in our country are created 
and maintained by small businesses, the Internet gives small 
companies the opportunity to invest advertising in a very 
targeted way. And the ability to use behavioral data to create 
market baskets that would allow smaller companies to focus 
their ad dollars on people who are most likely to buy their 
products is very, very important. And it is important that we 
maintain this. And I think it is very important that our 
Government look at creating laws and not try to manage the 
business, which is a very difficult line for us to draw.
    My hope would be that the industry would recognize that 
consumers need to know what data about them is being collected 
and held, and that needs to be disclosed and very transparent 
so that the consumers become the regulators of the Internet. If 
they know, they will be able to switch to different content 
providers, different servers that are doing it better and 
better.
    So my encouragement to the panel, those of you who are 
involved in the industry, is not to ask the Federal Government 
to come in at this point and to attempt to regulate because 
that is much different than a law that says how you can use 
data. I think as you continue to develop your technology, the 
disclosure and transparency to consumers is the best way to 
make sure that we end up with a vehicle that not only benefits 
consumers but is great for our economy.
    So, again, Mr. Chairman, I thank you and I think this has 
been very eye-opening and enlightening. And I yield back.
    Senator Dorgan. Senator DeMint, thank you very much.
    Senator Carper, did you wish to ask additional questions?
    Senator Carper. On a lighter note, I have just come from a 
hearing where everyone spoke and testified to us using 
acronyms. And one guy used five acronyms in one sentence, and I 
had no idea what he said. I have no idea what he said.
    [Laughter.]
    Senator Carper. I walk in here and people are talking about 
one-way hashes and cookies. I think the Chairman threw in 
something I think called the Flying Other Brothers. I am pretty 
good on music, but that is a new one to me. I was not here 
long, but it certainly has been illuminating. I obviously have 
to update my dictionary.
    Thank you.
    Senator Dorgan. Did you understand dementia and postnasal 
drip?
    [Laughter.]
    Senator Carper. All too well.
    [Laughter.]
    Senator Dorgan. The Flying Other Brothers is actually a 
band that includes one of the Grateful Dead members, and they 
just have very bright tie-dyed T-shirts.
    [Laughter.]
    Senator Dorgan. Let me thank all of the witnesses for being 
here. I intend to have a hearing asking a number of the 
Internet service providers to come and visit with us. I think 
one of the most important elements coming from this hearing is 
how little we do understand. I think knowledge is important 
here. So I think most of us would like to understand what we 
can about what is happening, what kind of information is 
collected about our habits, about our movements, about our 
travels on the Internet. The Internet is really a wonderful 
thing. It brings the world to your fingertips.
    Because I come from a town of 250 or 280 people, in my high 
school we had a coat closet-sized library. I mean, literally a 
coat closet that they turned into a library, just a few books. 
I do not need someone suggesting that is obvious.
    [Laughter.]
    Senator Dorgan. But I do think now in those little schools, 
the libraries are accessible by the Internet, the best 
libraries in the world. It really brings the world to our 
fingertips.
    But there are legitimate questions raised about our 
traveling over the Internet and who watches us and how that 
information is used. I think we need to understand much more 
about it. There are those who raise questions about the use of 
information. I think those are very important questions. The 
reason that the Federal Trade Commission has developed a set of 
guidelines, self-regulatory guidelines, is because I think you 
understand the potential exists for abuse.
    And I think the last thing that Senator DeMint described is 
something I certainly agree with. I would hope that every 
consumer has an opportunity, when traveling on the Internet, to 
understand what kind of information trail they leave and who 
might want to use that, or who is using it, or how is 
information about what is happening or what they are doing on 
the Internet going to be used. Information will give people an 
opportunity to decide, do they like the policies of this 
particular site or that particular provider, or do they wish to 
move elsewhere where policies are, they feel, more beneficial 
to their privacy.
    So I think that this hearing has been instructive for us, 
and we will be announcing another hearing in which we will 
discuss this with the Internet service providers.
    Senator Carper. Mr. Chairman, would you yield for just a 
moment?
    Senator Dorgan. Senator Carper?
    Senator Carper. In terms of the consumers being empowered 
to shop and to use the knowledge and understanding of these 
policies, probably every week we receive in our mail policy 
disclosures from a financial services company that we deal 
with. And my guess is that most of us do not take the time to 
look at it, and if we did, a lot of us would not understand it. 
So it is important if we are going to really enable the 
marketplace to work and to harness market forces effectively, 
the information has to come in ways that consumers can actually 
internalize it, understand it, and find useful.
    So thank you.
    Senator Dorgan. I was just thinking that I frequently--and 
you perhaps do--get a letter in the mail from the North Dakota 
Drivers License Bureau saying someone made an inquiry about my 
driver's license and any potential infractions. I guess that is 
part of being in politics. Fortunately, it is clean and has 
nothing attached to the license. But that happens frequently. I 
assume there are a lot of people out there wondering about my 
driver's license. But at least we are notified. You are 
notified. I am notified when someone makes an inquiry and 
wishes to get that information.
    And so that represents kind of the overhanging question 
here about who wants information, how do they use that 
information that represents personal information or other 
information about your travels on the Internet.
    Let me thank the witnesses again. I appreciate your 
patience. And it works out that the vote, I believe, has just 
started.
    This hearing is adjourned.
    [Whereupon, at 11:48 a.m., the hearing was adjourned.]


                            A P P E N D I X

                                       State of Connecticut
                                         Hartford, CT, July 9, 2008
Hon. Daniel K. Inouye,
Chairman,

Hon. Ted Stevens,
Vice-Chairman,

Senate Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Senators Inouye and Stevens:

    I appreciate the Senate Committee on Commerce, Science, and 
Transportation holding a hearing on the critically important issue of 
tracking consumer Internet use for marketing purposes. I urge 
expeditious Federal action to stop Internet service provider and third 
party marketer tracking of consumer Internet use for marketing purposes 
without prior and explicit consumer approval.
    Monitoring consumer Internet browsing is a gross invasion of 
privacy for the sake of profit. It threatens to make every consumer's 
life an open book. Widely strewn to unknown websites and marketers 
would be highly sensitive and personal information such as medical 
conditions or family problems and financial interests.
    In this brave new world, every movement or activity by consumers on 
the Internet will be recorded, collected and compiled into huge 
databases and then sold to marketers. Consumers will be bombarded with 
relentless and repeated advertising. Their personal activities and 
interests will be exposed to potential security breaches, just as 
countless breaches nationwide have opened private confidential 
financial information to potential misuse and identity theft.
    This problem is neither speculative nor specious, It is very real 
and it is imminent. We are on the cusp of a new deep, enduring 
paradigm, fraught with perils to privacy.
    Charter Communications, a cable and Internet service provider with 
customers in Connecticut and throughout the nation, recently announced 
a pilot program to give consumers ``an enhanced Internet experience.'' 
These so-called enhanced services amounted to nothing more than spying 
on consumer web browsing by NebuAd. After I called on Charter to stop 
this initiative, it announced that it was canceling the pilot testing 
program. Charter has failed to disavow or deny future plans to track 
consumer Internet activities. Two phone companies--Embarq Corp. and 
CenturyTel--have completed trial tracking programs. Besides NebuAd, 
other tracking marketers are seeking targets of opportunity.
    While Congress has sought to protect consumer privacy by enacting 
legislation such as the Cable Communications Policy Act, 47 U.S.C. 551 
et seq., and the Electronic Communications Privacy Act, 18 U.S.C. 2510 
et seq., both laws must be strengthened to emphatically and effectively 
ban tracking by Internet service providers and third party marketers. 
Congress should act promptly to address this new Internet menace.
    I urge your quick and decisive action. I hope to be of assistance 
to the Committee in its work on this important initiative. Thank you.
            Very truly yours,
                                        Richard Blumenthal,
                                                  Attorney General.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                            Lydia B. Parnes

    Question 1. Ms. Parnes, do you believe consumers read online 
privacy policies?
    Answer. Available research suggests that some consumers read online 
privacy policies, but many do not. Moreover, those that do read online 
privacy policies may not do so consistently, and they typically do not 
review policies for changes after the initial read. For example, in a 
2006 survey, only 20 percent of consumers said that they read the 
privacy policy when first providing information to a website ``most of 
the time,'' although 43 percent said they had read an online privacy 
policy. Only 5 percent of consumers reported that they frequently check 
to see if privacy statements have been updated or revised.\1\
---------------------------------------------------------------------------
    \1\See TRUSTe/TNS Survey (December 2006), available at https://
www.truste.org/about/press_release/12_06_06.php.
---------------------------------------------------------------------------
    Although the reasons that consumers do not read online privacy 
policies may vary, we believe one key reason is that privacy policies 
are often too difficult to understand and/or too long. Research 
confirms this. For example, in a 2008 survey, the main reasons 
consumers reported for not reading privacy policies were because the 
polices contain too much legalese or jargon (57 percent) and that they 
take too long to read (58 percent).\2\ Another study found that typical 
privacy policies require college-level reading skills to understand.\3\ 
In addition, several studies show that significant numbers of consumers 
believe that the mere presence of a privacy policy on a website 
indicates some level of substantive privacy protection for their 
personal information.\4\ As a result, once these consumers see that a 
privacy policy exists, they may believe it unnecessary to read the 
policy.\5\
---------------------------------------------------------------------------
    \2\ See AOL/DMS, ``2008 AOL Consumer Survey on Behavioral 
Advertising'' (February 2008).
    \3\ Irene Pollach, ``What's Wrong with Online Privacy Policies?,'' 
Communications of the ACM, 50(9), 103-108 (2007).
    \4\ See, e.g., 2007 Golden Bear Omnibus Survey (47.8 percent of 
consumers surveyed believe that, if a website has a privacy policy, it 
cannot share information with affiliate companies, and 55.4 percent 
believe that it could not sell information to other companies); Joseph 
Turow, Lauren Feldman, and Kimberly Meltzer, ``Open to Exploitation: 
American Shoppers Online and Offline,'' Annenburg Public Policy Center, 
University of Pennsylvania (June 2000) (59 percent of consumers 
surveyed believe that a privacy policy on a website means that the site 
will not share consumer information with other websites or companies).
    \5\ See, e.g., Joseph Turow and Chris Jay Hoofnagle, ``The FTC and 
Consumer Privacy In the Coming Decade,'' at 17, presented at 
``Protecting Consumers in the Next Tech-Ade'' (Nov. 8, 2006), available 
at http://works.bepress.com/chris_hoofnagle/4/.
---------------------------------------------------------------------------
    The FTC staff recognized the concerns about online privacy policies 
when it issued its Proposed Self-Regulatory Principles. Because online 
behavioral advertising is largely invisible and unknown to consumers, 
the principles recommend that companies provide greater transparency 
about the practice through a ``clear, concise, consumer-friendly and 
prominent'' disclosure--that is, not through a disclosure cloaked in 
legalese and buried in a privacy policy. We are encouraging companies 
to develop creative ways to provide this disclosure, including by 
placing it outside of the privacy policy.

    Question 2. Ms. Parnes, does the Commission view an End User 
Licensing Agreement as a contract between the online consumer and the 
website visited?
    Answer. An ``End User License Agreement,'' ``Terms and Conditions'' 
page, or similar document available on a website may be an enforceable 
contract between the online consumer and the website visited, depending 
on the particular circumstances and applicable state contract law. 
Courts have frequently held that when consumers click an ``I Agree'' 
icon in an online transaction (a.k.a., ``clickwrap agreements''), and 
the terms and conditions to which they agree are readily available for 
review in advance via a hyperlink or in a scrollable window, those 
consumers are bound by those terms and conditions.\6\ It is less clear 
whether courts would hold that an ordinary consumer would be bound by 
an agreement or other document where the consumer uses the website 
without actual knowledge of the terms and conditions posted there.\7\
---------------------------------------------------------------------------
    \6\ See, e.g., Novak v. Overture Services, Inc., 309 F. Supp.2d 
446, 450-51 (E.D.N.Y. 2004) (court holds that plaintiff, by clicking an 
``I accept'' icon agreeing online to be bound by the ``Terms of 
Service'' governing use of an online discussion group set forth in a 
scrollable window, viewable ten lines at a time, was bound by the forum 
selection contained therein).
    \7\ See, e.g., Specht v. Netscape Commc'ns Corp., 306 F.3d 17, 23-
24, 35-38 (2d Cir. 2002) (refusing to enforce agreement against 
consumers); see also Douglas v. Talk America Inc., 495 F.3d 1062, 1066 
(9th Cir. 2007) (per curiam) (customer of long-distance service 
provider not bound by new contractual terms requiring arbitration of 
dispute when service provider merely posted them on its website and 
gave no notice to customer); Waters v. Earthlink, Inc., 91 F.App'x 697, 
698 (1st Cir. 2003) (refusing to enforce an arbitration clause posted 
on a website in the absence of proof the consumer had seen the clause).
---------------------------------------------------------------------------
    However, in enforcing Section 5 of the FTC Act, it is generally 
unnecessary for the Commission to determine whether a EULA is, or is 
not, a contract. Under core FTC deception principles, disclosures 
buried in a EULA cannot be used to contradict a company's other 
representations, nor are they adequate to correct misimpressions that 
the company's representations would otherwise leave.\8\ The Commission 
analyzes EULA-only disclosures on a case-by-case basis, weighing what 
information is material to consumers and the overall, net impression of 
the transaction.\9\
---------------------------------------------------------------------------
    \8\ See, e.g., Zango, Inc., FTC Docket No. C-4186 (2007) (complaint 
alleged that adware distributor represented that consumers could 
download free software and games and failed to disclose adequately that 
adware was bundled in the download; adware was often disclosed only in 
lengthy terms and conditions or through inconspicuous hyperlinks); FTC 
v. Odysseus Marketing, Inc., No. 1:05-CV-00330-SM (D. N.H. 2006) 
(complaint alleged that defendants deceptively failed to disclose 
adequately that their software would collect consumers' personal 
information and substantially alter behavior of computers where those 
functions were disclosed only in EULA accessible via inconspicuous 
hyperlink).
    \9\ See Sony BMG Music Entertainment, FTC Docket No. C-4195, Letter 
responding to comment from Jerry Berman, Center for Democracy and 
Technology (June 28, 2007); Zango, Inc., FTC Docket No. C-4186, Letter 
responding to comment from Mark Bohannon, Software & Information 
Industry Ass'n (Mar. 7, 2007).

    Question 3. Ms. Parnes, the FTC focuses on consumer harms. Can you 
give me a couple of examples of the types of potential consumer harms 
from online behavioral advertising? Does the Commission view a loss of 
any degree of personal privacy as being ``a harm?''
    Answer. The greatest risk of harm arises when information collected 
about a consumer's online activity is retained but not properly 
protected. Here, the Commission's work on data security informs our 
concern that information is sometimes retained beyond the point when it 
is needed, or without being well-protected. One possible harm from the 
collection of information for behavioral advertising is that it could 
be hacked or otherwise obtained and used for unauthorized purposes. 
Second, online behavioral advertising can lead to advertising and other 
communication with a consumer that reveals highly personal information 
and that can be unwelcome if it relates to sensitive issues, such as 
health or children, or is delivered in a shared computer environment. 
For example, in a situation where multiple users share the same 
computer, the delivery of behaviorally-targeted advertising might 
reveal the fact that a user conducted searches relating to AIDS, 
domestic abuse, or sexual preference.
    As to whether a loss of personal privacy constitutes a ``harm,'' it 
depends on the consumer. Different consumers may have different 
expectations about how their information is collected and used in this 
context, as well as different views about the information that they are 
willing to provide to obtain certain benefits--for example, coupons or 
free services. Indeed, in a survey conducted by Alan Westin,\10\ 59 
percent of the respondents were not comfortable with online tracking, 
yet 41 percent were ``very'' or ``somewhat'' comfortable.'' This is the 
main reason that Commission staff has proposed that companies provide 
consumers with choice concerning the collection of their data for the 
purpose of delivering behavioral advertising. Consumers who are 
comfortable with the practice can allow it, and consumers who are not 
comfortable can decline.
---------------------------------------------------------------------------
    \10\ See Alan Westin, ``How Online Users Feel About Behavioral 
Marketing and How Adoption of Privacy and Security Policies Could 
Affect Their Feelings,'' at 3 (March 2008).

    Question 4. Ms. Parnes, does the ability for advertisers to be able 
to link through a common field online, anonymous, behavioral marketing 
data and personally identifiable data typically used by marketers in 
the brick and mortar world provide any specific challenges to the 
Commission as it looks toward finalizing its principles on online 
behavioral advertising?
    Answer. The ability to link non-personally identifiable information 
with personally identifiable information, and the debate concerning 
what online information is personally identifiable and what is not, 
have been among the central issues discussed in this area and in the 
comments to our proposed principles. Especially as technology advances, 
the line between the two categories of information becomes less and 
less clear. To the extent that non-personally identifiable information 
can become personally identifiable through reasonable technological 
efforts or linkages with other data, we believe it raises a concern. We 
are considering this issue carefully as we analyze the comments to our 
proposed principles and consider next steps.

    Question 5. Ms. Parnes, I realize the Commission's principles on 
online behavioral advertising are just in a draft stage. In general, 
does the Commission have the authority to enforce any principle for 
self-regulation it may develop? If it does have this authority, how 
does the Commission intend to enforce the self regulatory principles on 
online behavioral advertising once they are finalized?
    Answer. Several of the proposed self-regulatory principles reflect 
requirements of existing law and the Commission has made enforcing 
these principles a high priority. The agency will continue to enforce 
laws within our jurisdiction as necessary to protect consumers. For 
example, the principles maintain that companies should provide 
reasonable security for behavioral data so that it does not fall into 
the wrong hands. The Commission has brought numerous enforcement 
actions focusing on the obligation of companies that collect or store 
consumer data to provide reasonable security for that data.\11\ In 
addition, the principles provide that before a company uses behavioral 
data in a manner that is materially different from promises made when 
the data was collected, it should obtain affirmative express consent 
from the consumer. The Commission has brought high-profile law 
enforcement actions against companies that violated this principle by 
using data in a manner materially different from promises the company 
made at the time of collection.\12\ In addition, if a company made 
material misrepresentations about the collection or use of behavioral 
advertising data, such misrepresentations would constitute a deceptive 
practice, in violation of Section 5 of the FTC Act.
---------------------------------------------------------------------------
    \11\ Since 2001, the Commission has obtained twenty consent orders 
against companies that allegedly failed to provide reasonable 
protections for sensitive consumer information. See In the Matter of 
The TJX Companies, FTC File No. 072-3055 (Mar. 27, 2008, settlement 
accepted for public comment); In the Matter of Reed Elsevier Inc. and 
Seisint Inc., FTC File No. 052-3094 (Mar. 27, 2008, settlement accepted 
for public comment); United States v. ValueClick Inc., No. CV08-01711 
(C.D. Cal. Mar. 13, 2008); In the Matter of Goal Financial, LLC, FTC 
Docket No. C-4216 (April 15, 2008); In the Matter of Life is Good, 
Inc., FTC Docket No. C-4218 (Apr. 18, 2008); United States v. American 
United Mortgage, No. CV07C 7064, (N.D. Ill. Dec. 18, 2007); In the 
Matter of Guidance Software, Inc., FTC Docket No. C-4187 (Apr. 3, 
2007); In the Matter of CardSystems Solutions, Inc., FTC Docket No. C-
4168 (Sept. 5, 2006); In the Matter of Nations Title Agency, Inc., FTC 
Docket No. C-4161 (June 19, 2006); In the Matter of DSW, Inc., FTC 
Docket No. C-4157 (Mar. 7, 2006); United States v. ChoicePoint, Inc., 
No: 106-CV-0198 (N.D. Ga. Feb. 15, 2006); In the Matter of Superior 
Mortgage Corp., FTC Docket No. C-4153 (Dec. 14, 2005); In the Matter of 
BJ's Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005); In 
the Matter of Nationwide Mortgage Group, Inc., FTC Docket No. 9319 
(Apr. 12, 2005); In the Matter of Petco Animal Supplies, Inc., FTC 
Docket No. C-4133 (Mar. 4, 2005); In the Matter of Sunbelt Lending 
Services, FTC Docket No. C-4129 (Jan. 3, 2005); In the Matter of MTS 
Inc., d/b/a Tower Records/Books/Video, FTC Docket No. C-4110 (May 28, 
2004); In the Matter of Guess?, Inc., FTC Docket No. C-4091 (July 30, 
2003); In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 
20, 2002); In the Matter of Eli Lilly & Co., FTC Docket No. C-4047 (May 
8, 2002).
    \12\ See, e.g., Gateway Learning Corp., Docket No. C-4120 (Sept. 
10, 2004), http://www.ftc.gov/opa/2004/07/gateway.shtm.
---------------------------------------------------------------------------
    The purpose of the FTC staff's proposed principles is to encourage 
more meaningful and enforceable self-regulation. Because strong 
enforcement mechanisms are necessary to ensure effective self-
regulation, it is our expectation that the organizations developing 
self-regulation will include in their regimes mechanisms for meaningful 
enforcement.

    Question 6. Ms. Parnes, as you know, in recent months, there have 
been deals announced between online search engines with strong online 
advertising market shares. Considering the implications these proposals 
have for market consolidation, is the Commission worried about the 
prospect of the vast majority of behavioral online information being in 
the hands of one company?
    Answer. Market consolidation that results in the creation of 
vaster, more detailed databases of online consumer data may raise 
concerns. Although companies with large stores of data can be just as 
privacy-protective as those with small ones, the risks associated with 
data collection and storage, such as the risk that data could fall into 
the wrong hands, may be heightened where one company maintains large 
quantities of rich data. Further, competition ensures that companies 
have incentives to protect customer privacy, and market consolidation 
could undermine competition in this area.
    However, whether there is cause for concern must be evaluated on a 
case-by-case basis. A given deal between online advertising companies 
may not involve the transfer or sharing of any data, or may not result 
in a more detailed database of consumer information than those already 
possessed by other companies in the online marketplace. The Commission 
can evaluate whether a proposed transaction would adversely affect non-
price attributes of competition, such as consumer privacy, and will 
continue to do so as appropriate.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. David Vitter to 
                            Lydia B. Parnes

    Question 1. Do you believe legislation mandating the FTC's pending 
self-regulatory principles is necessary at this time?
    Answer. I do not believe that legislation regarding online 
behavioral advertising is necessary at this time. As stated in the 
written testimony presented to the Committee on July 9, 2008,\1\ the 
Commission is cautiously optimistic that the privacy issues raised by 
online behavioral advertising can be addressed effectively through 
self-regulation.
---------------------------------------------------------------------------
    \1\ See Privacy Implications of Online Advertising: Hearing Before 
the S. Comm. on Commerce, Science, and Transportation, 110th Cong. 
(2008) (statement of the Federal Trade Commission), at 14.
---------------------------------------------------------------------------
    The online marketplace is undergoing rapid change. Many different 
types of businesses are entering the advertising market and the 
technologies utilized by these businesses are constantly evolving. At 
the same time, the costs and benefits of various types of behavioral 
advertising may be difficult to weigh. Although online behavioral 
advertising raises legitimate privacy concerns, it may provide benefits 
to consumers in the form of more personalized and relevant 
advertisements, as well as the free content that Internet users have 
come to expect. In this environment, industry self-regulation, which 
may afford the flexibility needed as online business models and 
technologies evolve, may be the preferred approach. Although there is 
much work to be done in this area, I believe that the self-regulatory 
processes that have been initiated by the Network Advertising 
Initiative (NAI) and other organizations should be given an opportunity 
to develop.

    Question 2. Do you believe the same principles about transparency 
and choice would be necessary for behavioral advertising based on 
``anonymous'' or non-personally-identifiable information?
    Answer. The FTC received considerable comment on this issue in 
response to the staff's proposed self-regulatory principles. Many 
commenters stated, for example, that the collection of data that is not 
personally identifiable is unlikely to cause consumer harm and 
therefore should not be subject to the notice and choice requirements 
in the staffs proposed principles. Other commenters stated that, even 
when information collected is not personally identifiable, its use can 
lead to advertising or other contacts with a consumer that can be 
unwelcome or embarrassing, especially if they relate to sensitive 
issues, such as health, children, or a consumer's finances, or are 
delivered in a shared computer environment.
    The comments also highlight the considerable debate that remains 
concerning what online information is personally identifiable and what 
is not, and the effect that advances in technology may have on the 
distinction. Further, incidents such as the AOL breach demonstrate that 
items of information that are considered anonymous standing alone may 
become personally identifiable when combined, challenging traditional 
notions about what data is or is not personally identifiable.\2\
---------------------------------------------------------------------------
    \2\ Although AOL took steps to anonymize the search records of its 
subscribers that were made public in 2006, several newspapers and 
consumer groups were able, to identify some individual AOL users and 
their queries by combining the data.
---------------------------------------------------------------------------
    FTC staff continues to carefully review the comments received on 
this issue, and we intend to address it as we develop our next steps in 
this area.

    Question 3. Based on your experience, how is online behavioral 
advertising different from offline direct marketing? Also, what would 
be the justification for regulating online advertising differently than 
offline advertising?
    Answer. Targeted marketing also exists in the offline environment. 
However, rapidly evolving Internet technologies permit online marketing 
companies to collect, store, and analyze significantly greater amounts 
of data than offline companies, and to do so through practices that are 
often invisible to consumers. Offline marketing generally involves the 
collection of a smaller quantity of less detailed behavioral 
information than is gathered online, and that collection is likely to 
be more consistent with consumer expectations.
    For example, brick-and-mortar stores often record a consumer's 
purchase history and use it to market to the consumer. They typically 
do not, however, follow individual consumers around their stores and 
collect detailed information about the other products the consumer 
might have looked at, nor do they share purchase or behavioral 
information with third parties. Similarly, consumers know that 
subscribing to a newspaper involves the sharing of personal information 
so that the newspaper can be delivered to their homes; however, they 
generally would not expect every article read in a newspaper to be 
tracked and recorded by multiple parties. Given the amount and type of 
data that is collected and stored in connection with online behavioral 
advertising, and the invisibility and typically unexpected nature of 
such practices, it may be appropriate to take different approaches to 
protecting consumer privacy between online behavioral advertising and 
offline marketing.

    Question 4. Based on your experience, has the FTC identified any 
specific harm to consumers that has resulted from the information used 
for online behavioral targeting?
    Answer. At this time, the FTC is unaware of any specific incidents 
in which a company's online behavioral advertising practices have led 
to such consumer harms as identity theft, financial fraud, or physical 
harm. Behavioral advertising, however, does raise unique concerns 
because of the amount, richness, and sensitivity of the consumer 
information that may be collected, used, and shared with third parties. 
For example, in a situation where multiple users share the same 
computer, the delivery of behaviorally-targeted advertising might 
reveal the fact that a user conducted searches relating to highly 
personal and sensitive topics, such as AIDS, domestic abuse, or sexual 
orientation. To the extent that the information collected is or could 
later become personally identifiable, the risk of harm may be greater.
    Many consumers express concern about the privacy and data security 
implications of behavioral tracking. For example, a 2008 survey showed 
that 59 percent of those surveyed are ``not very comfortable'' (34 
percent) or ``not comfortable at all'' (25 percent) with websites using 
online activity data to tailor advertisements or content to their 
hobbies and interests, whereas 41 percent were ``comfortable'' or 
``somewhat comfortable.'' \3\ As this survey indicates, consumers 
differ in their level of concern about this practice and in how they 
weigh the benefits of more relevant ads against the privacy 
implications. For this reason, the Commission staff's proposed 
principles would require that companies provide consumers with choice 
concerning the collection of their data for the purpose of delivering 
behavioral advertising.
---------------------------------------------------------------------------
    \3\ See Alan Westin, ``How Online Users Feel About Behavioral 
Marketing and How Adoption of Privacy and Security Policies Could 
Affect Their Feelings,'' at 3 (March 2008).
---------------------------------------------------------------------------
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                              Chris Kelly

    Question 1. Mr. Kelly, as you mentioned in your written statement, 
Facebook's privacy policy states clearly that you believe all of your 
users ``should have control over [their] personal information.'' 
However, as I understand it from my staff, many of whom have Facebook 
accounts, when members of Facebook wish to terminate the service, they 
are only allowed to ``deactivate.'' Do you currently offer your members 
an opportunity to control their personal information by completely 
terminating their account and allowing Facebook to then delete their 
personal information? If not, why hold onto their information?
    Answer. At Facebook, we reflect our desire to give users control 
over their information by providing them two options if they wish to 
suspend or terminate their relationship with us.
    Facebook users can make either a temporary or permanent decision to 
shut down their account--the former is called deactivation, and the 
latter deletion. Users choose to deactivate their accounts for a 
variety of reasons. Given Facebook's roots as a college site, one 
original driver for introducing the deactivation feature was user 
desire to ``disappear'' during their exams and then resume the service 
with their friend connections and network membership intact. More than 
50 percent of the users who deactivate their Facebook accounts return 
to reactivate them within weeks.
    Deletion is a fuller option that erases the personally identifiable 
information such as name, e-mail address, IM handle and other core 
information from a Facebook account. While we cannot certify that every 
single piece of data a user has ever given us is irretrievable after 
the deletion process is done--the distributed nature of databases and 
Internet site operations, especially for a longstanding user, makes 
that certification practically impossible--we have scrubbed our active 
databases of all contact information for a particular account. A 
deleted account cannot be reconstructed; a user who wants to come back 
to use the Facebook service after undergoing the deletion process must 
start over with regard to setting up their friends and networks. I am 
unaware of a similar deletion option offered by any other major 
Internet company.

    Question 2. Mr. Kelly, according to a Washington Post article from 
last month, Facebook requires 95 percent of its members that use one of 
the social network's 24,000 applications to give the applications' 
developers access to their personal online profile, except contact 
information, and their friends' profiles as well. While I understand 
these developers are not allowed to share with advertisers, this still 
leaves the 400,000 developers with access to personal information that 
is out of Facebook's control. A recent study at the University of 
Virginia found that about 90 percent of the most popular Facebook 
applications have unnecessary access to private data. So my question 
is, why does a Sudoku puzzle have to know that someone has two kids? 
And why does a book-sharing program need to know my birthday?
    Answer. Facebook's developer terms of use do not just forbid 
sharing with advertisers of the information that applications request. 
They only allow retention of most data called from the Facebook service 
for 24 hours in order to facilitate the more rapid operation of the 
application. Retention for a period beyond that is forbidden. Requests 
for data through the Facebook API are logged, and the platform policy 
enforcement team conducts investigations as necessary to discover 
potential violations. They then take action up to and including barring 
an application or a developer from further use of the service where 
violations are discovered.
    Users of course may choose to establish a deeper relationship with 
an application by providing more personal information directly, but 
Facebook's terms and policies work together to encourage strongly 
clarity with users about access to their data.
    In addition to the technical and policy enforcement measures 
outlined here, Facebook is always looking for means to enhance 
transparency to users with regard to data collection and use. We are 
currently exploring efficient and effective means to give users greater 
knowledge of and control over data requests by applications so that a 
user will know if an application is seeking more data than the user 
believes is necessary. At that point, the user could then choose to 
remove the application from their profile, or to use the ``block'' 
feature that has been present since the introduction of the Facebook 
platform in 2007 that prevents any data from flowing to that 
application.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. David Vitter to 
                              Chris Kelly

    Question 1. Does your company's business model already accommodate 
the FTC's proposed principles for industry self-regulation? If so, 
please explain how.
    Answer. In putting in place baseline privacy controls that users 
can adjust to their liking and allowing users to make their own choices 
about the sharing of personal information with advertisers, we 
generally reflect the FTC self-regulatory principles. Our commentary on 
the principles has suggested that the FTC offer greater clarity in 
distinguishing between how personally and non-personally identifiable 
information should be addressed by the principles, which we believe 
will lead to greater consumer understanding and confidence.

    Question 2. Does your system accommodate for a consumer's choice 
not to receive behavioral advertising, and in your systems, is that 
request honored permanently? If so, please explain how.
    Answer. While Facebook does not currently engage in many of the 
behavioral targeting practices that have been the main focus of the 
Committee's attention, it bears noting at the outset that Facebook is 
an opt-in system at its core. If a user does not sign up for and use 
Facebook, they will not receive advertising through our service.
    In addition to this fundamental user choice, we offer opt-outs for 
many of our advertising products within the Facebook ecosystem. For 
instance, those users who do not wish to participate in our Social Ads 
product have an easily available option to turn it off.
    User control is a critical part of Facebook's philosophy and our 
offerings in the product and advertising area will continue to reflect 
that principle.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                              Jane Horvath

    Question 1. Ms. Horvath, just a few months ago, in Google's 
comments to the FTC on self-regulatory principles for online 
advertising, the company said that ``contextual advertising . . . is 
not the type of advertising that ought to be the focus of the FTC's 
efforts to develop effective self regulatory principles.'' I understand 
that contextual advertising is less invasive than behavioral 
advertising. However, I am interested to hear the rationale behind 
Google's belief that it should be exempt from the FTC's self-regulatory 
principle.
    Answer. Google has not suggested that it or any other online 
advertiser be exempted from self-regulation with respect to behavioral 
advertising. We have said and continue to believe that further thought 
must be given to the definition of behavioral advertising in the 
Federal Trade Commission staff's draft self-regulatory principles. As 
currently written, the draft principles define ``behavioral 
advertising'' so broadly as to encompass virtually any collection and 
use of information about a user's online activities, including the 
collection and use of information to provide contextual advertising.
    AOL, Google, Microsoft, Yahoo!, and many other companies provide 
contextual advertising solutions, which, as you point out, are 
different from behaviorally targeted ads because they provide relevant 
advertising based on what an Internet user is searching for as well as 
relevant ads based on a page that a user is viewing. Though it is not 
the focus of our business today, Google believes that behavioral 
advertising can be done in ways that are responsible and protective of 
consumer privacy and the security of consumers' information.
    To ensure the continuation and proliferation of responsible 
behavioral advertising practices, we are supportive of efforts to 
establish strong self-regulatory principles for online advertising that 
involves the collection of user data for the purpose of creating 
behavioral and demographic profiles. For example, we believe that the 
FTC's efforts to address this type of advertising through self-
regulatory principles are appropriate and helpful. Likewise, we support 
the Network Advertising Initiative's recently-announced draft Self-
Regulatory Code of Conduct for Online Behavioral Advertising, which 
includes limitation on the use of sensitive information to create 
profiles of individuals for purposes of third-party advertising.
    For both the FTC's draft principles and the NAI's draft code of 
conduct, we believe that the focus on data collected across multiple 
web domains owned or operated by different entities to categorize 
likely consumer interest segments for use in online advertising is 
appropriate. We also believe that a strong and easy-to-find mechanism 
to permit consumers to opt out of this type of data collection is a 
goal that all companies should aspire to achieve. Finally, we believe 
that special attention should be given to rules around the creation of 
profiles based on sensitive information such as health status.

    Question 2. Ms. Horvath, one of the central issues in the Internet 
privacy debate is the protection, or lack thereof, of personally 
identifiable information. I'm interested to know, what measures Google 
is taking to ensure that the data it uses for ad targeting is not 
connected to personally identifiable information? What opt-out 
mechanisms do you currently offer your customers? How robust are these 
opt-out mechanisms and how easy are these mechanisms for consumers to 
use?
    Answer. Google protects its users' personally identifiable 
information--PII--in many ways. For example, we do not use PII to serve 
ads in connection with our AdWords and AdSense products. We also have 
strict policies and procedures in place to ensure that personal 
information is used only in accordance with our privacy policy, which 
is located at www.google.com/privacy.html, and that our users' personal 
information is secure.
    We collect non-PII through the DoubleClick cookie in order to 
enable enhanced functionality to advertisers that use DoubleClick and 
advertisers that advertise on the Google content network through our 
AdSense for Publishers product. For example, this data collection will 
enable advertisers that advertise through AdSense for Publishers to 
limit the number of times a user sees an ad through frequency capping. 
Users will have a better experience on Google content network sites 
because they will no longer see the same ad over and over again.
    Users are able to opt out of data collection through our 
DoubleClick ad serving cookie in several ways. For example, users can 
opt out by visiting the DoubleClick opt out page located at 
www.doubleclick.com/privacy. In addition, our ads privacy microsite has 
an above-the-fold opt out button located at www.google.com/
privacy_ads.html. Users are also able to opt out of the DoubleClick 
cookie's data collection through the Network Advertising Initiative's 
opt out page located at www.networkadvertising.org/managing/
opt_out.asp. This single opt-out is honored both in the DoubleClick 
network and in the Google content network.

    Question 3. Ms. Horvath, in your written testimony, you indicate 
Google is currently experimenting to deliver search results based on 
prior searches. Isn't this behavioral advertising by any other name? Is 
this consistent with Google's privacy policy regarding behavioral 
advertising?
    Answer. We are currently experimenting with providing ads on Google 
search based on both a user's current query and his or her recent prior 
queries. For example, a user who types ``Italy vacation'' into the 
Google search box might see ads about Tuscany or affordable flights to 
Rome. If the user were to subsequently search for ``weather,'' we might 
assume that there is a link between ``Italy vacation'' and ``weather'' 
and deliver ads regarding local weather conditions in Italy. In the 
above example, we are serving an ad based on a user's activity on our 
site, and not the sites of other parties. This is an example of the 
kind of first-party advertising that users expect to see in response to 
the search terms they enter into the Google search box. While we may 
use recent queries to better respond to the user's specific interests, 
this is done on the fly, and we are not building profiles based on a 
users' search activities.
    Google's privacy policy, which is located at www.google.com/
privacy.html, states clearly that we use this information to provide 
our services to users, including the display of customized content and 
advertising. We also provide plain English explanation of our 
advertising and privacy practices on our ads privacy microsite located 
at www.google.com/privacy_ads.html.

    Question 4. Ms. Horvath, with regard to Google's recently announced 
marketing deal with Yahoo!, are you able to tell us what information 
Yahoo! will share with Google? Will it include IP addresses? If so, has 
Google done its due diligence to ensure that the transfer of data from 
Yahoo won't violate Yahoo!'s privacy policy? As you know, Yahoo! has 
publicly announced it will retain information about consumer search 
queries for 13 months. I believe your company retains such information 
for 18 months. Does Google intend to conform to Yahoo!'s retention 
policy or is Yahoo! expected to conform to Google's?
    Answer. Under our advertising agreement with Yahoo!, there is no 
PII passed between Yahoo! and Google. In fact, for ads appearing 
(impressions) on Yahoo! Search, Yahoo! will remove the last octet of 
the IP address before sending us search queries, so Yahoo will never 
send the full IP address to Google. Moreover, in the search advertising 
context Google will set a cookie only if a user clicks on an ad 
delivered by Google.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. David Vitter to 
                              Jane Horvath

    Question 1. Does your company's business model already accommodate 
the FTC's proposed principles for industry self-regulation? If so, 
please explain how.
    Answer. We have participated actively in the Federal Trade 
Commission's efforts to develop privacy principles relating to online 
privacy and behavioral advertising. Our hope is that the FTC's privacy 
principles--once finalized and written to ensure that they can be 
realized by industry and will provide consumers with appropriate levels 
of transparency, choice, and security--will be adopted widely by the 
online advertising industry and will serve as a model for industry 
self-regulation in jurisdictions beyond the United States.
    Our comments on the FTC's principles are available at 
googlepublicpolicy.
blogspot.com/2008/04/our-comments-on-ftcs-behavioral.html. In addition, 
through DoubleClick we are members of and serve on the Board of 
Directors of the Network Advertising Initiative and abide by the NAI 
Self-Regulatory Principles.

    Question 2. Does your system accommodate for a consumer's choice 
not to receive behavioral advertising, and in your systems, is that 
request honored permanently? If so, please explain how.
    Answer. Though our business is focused on contextual advertising, 
we collect non-personally identifiable information through our 
DoubleClick ad serving cookie in order to enable enhanced functionality 
to advertisers that use DoubleClick and advertisers that advertise on 
the Google content network through our AdSense for Publishers product. 
For example, this data collection will enable advertisers that 
advertise through AdSense for Publishers to limit the number of times a 
user sees an ad through frequency capping. Users will have a better 
experience on Google content network sites because they will no longer 
see the same ad over and over again.
    Users are able to opt out of data collection through our 
DoubleClick ad serving cookie in several ways. For example, users can 
opt out by visiting the DoubleClick opt out page located at 
www.doubleclick.com/privacy. In addition, our ads privacy microsite has 
an above-the-fold opt out button located at www.google.com/
privacy_ads.html. Users are also able to opt out of the DoubleClick 
cookie's data collection through the Network Advertising Initiative's 
opt out page located at www.networkadvertising.org/managing/
opt_out.asp. This single opt-out is honored both in the DoubleClick 
network and in the Google content network.
    We believe that a strong and easy-to-find mechanism to permit 
consumers to opt out of this type of data collection is a goal that all 
companies should aspire to achieve.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                             Leslie Harris

    Question 1. Ms. Harris, do you believe consumers read online 
privacy policies?
    Answer. There is ample evidence that consumers do not read privacy 
policies and to the extent that they do, they do not understand them. 
Indeed, a recent study found that over half of respondents believed 
that the presence of a privacy policy on a website meant that the site 
did not share or sell personal information. Moreover, privacy policies 
often are in practice disclosure policies, making no promises to 
protect customer information and instead stating all the ways the site 
intends to use and disclose data. Consumers need clear, conspicuous and 
understandable notice of collection and disclosure practices.

    Question 2. Ms. Harris, do you view an End User Licensing Agreement 
as a contract between the online consumer and the website visited?
    Answer. End User Licensing Agreements are typically included when 
consumers purchase or download software. Courts generally have held 
that these EULAs do constitute contracts between consumers and the 
companies distributing the software, though it may depend on factors 
such as the prominence of the EULA and whether consumers affirmatively 
express agreement (by clicking an ``I Agree'' button, for example). As 
a practical matter, as we have seen in the case of malicious 
``spyware'' and as the FTC has recognized in its settlement agreements 
with spyware purveyors, long, complicated EULAs are wholly inadequate 
to inform consumers about the material effects that a particular piece 
of software will have on their computers. The FTC has set the right 
precedent in requiring simple explanations of such key information 
outside of any software EULA. Outside the software context, it is less 
clear that merely visiting a website would be sufficient to 
contractually bind a consumer to a Terms of Service agreement, 
particularly in the absence of some express indication of consumer 
acceptance. The FTC has made, clear, however, that websites must adhere 
to their publicly stated policies on matters such as privacy, or risk 
possible charges of deception.

    Question 3. Ms. Harris, as you know the FTC focuses on consumer 
harms. Do you believe that some of the issues surrounding online 
behavioral advertising go beyond what the Commission has traditional 
viewed as consumer harm?
    Answer. The FTC has traditionally focused on tangible harms such as 
practices which result in a financial loss or which induce a consumer 
to engage in a transaction through deceptive practices. We do not 
believe that the privacy concerns raised by behavioral advertising are 
limited to those which result in an adverse action against a consumer. 
The right of privacy is harmed when consumers have no reasonable 
expectation that information about them is being collected, they are 
not provided meaningful notice that would allow them to gauge the 
privacy risks, and they have no way to make meaningful decisions about 
whether and how their information may be used.

    Question 4. Ms. Harris, should online contextual advertising be 
exempt from any self regulatory framework or does the Commission only 
need to look at behavioral advertising?
    Answer. Contextual advertising, which is often used to generate ads 
alongside search results, matches advertisements to the content of the 
page that a consumer is currently viewing. The privacy risks associated 
with contextual advertising vary. If the practice is transparent to the 
user and data collection and retention is minimal, the practice poses 
little risk to the consumer. For example, if a site only looks at the 
consumer's activity and only serves ads based on that activity 
contemporaneously , i.e., at the moment the consumer is engaging in the 
activity and does not collect and save the consumer data, the privacy 
concern is low. But the privacy concerns are heightened if the user 
data is retained in an identifiable or pseudonymous form (i.e., linked 
to a user identifier) for long periods of time even if it is not 
immediately used to create advertising profiles.
    CDT has long advocated for a baseline privacy bill that would cover 
all collection and use of consumer data and require the full range of 
fair information practices, which include but are not limited to robust 
notice and consumer choice but also provide penalties for noncompliance 
and remedies for consumers. Self regulation is not enough. To the 
extent that self-regulation remains as one component of privacy 
protection in this area, consumers will certainly benefit from a self-
regulatory scheme that covers both contextual and behavioral 
advertising, with escalating protections for models with increased data 
collection, retention, use, and identifiability.

    Question 5. Ms. Harris, are you concerned with the recently 
announced marketing deal between Google and Yahoo! that one company 
will have under its control the vast majority of consumers' online 
behavioral information?
    Answer. The Google/Yahoo! marketing deal does have the potential to 
consolidate more data about search and search advertising under one 
roof. While this data is certainly one component of behavioral 
information, Google does not currently use search data to create 
behavioral profiles. Thus, the more relevant question is whether the 
consolidation of search information--not necessarily behavioral 
information--is of concern.
    This deal follows in the footsteps of a series of major mergers and 
acquisitions in the online advertising space over the past 18 months. 
All of this market consolidation means that more and more data about 
what consumers do online is housed by fewer companies, exacerbating 
existing privacy concerns about how such data is collected, used, 
safeguarded, and shared. We believe that recent market dynamics are 
even further evidence of the need for a general privacy law to protect 
consumer data at large.
                                 ______
                                 
           Question for the Record from Hon. David Vitter to 
                             Leslie Harris

    Question. As our committee continues to examine the issue of online 
privacy, should we focus on the variations in different technologies 
used to provide what appears to be essentially similar marketing 
services? Or, should we instead focus on the use of the information 
collected--by whatever method it is collected--to ensure that data is 
used for legitimate marketing purposes, that privacy is protected, and 
that we can go after those who misuse any data they collect?
    [The witness did not respond.]
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                            Robert R. Dykes

    Question 1. Mr. Dykes, over the last few weeks numerous Internet 
service providers, including CenturyTel, Charter and Wide Open West 
have either ceased using your service or shelved any plans they had to 
do so. What does this tell you about your proposed business model and 
consumer reaction to it?
    Answer. NebuAd and its Internet service provider (``ISP'') partners 
have always been and continue to be committed to the core privacy 
principles of transparency and consumer control regarding NebuAd's 
services. We support our ISP partners' decisions to delay their 
implementation plans so they can ensure that in deploying NebuAd's 
services, customers receive clear, direct, and prior notice that 
NebuAd's services will take effect, thereby allowing subscribers to 
make an informed choice regarding whether to participate.
    NebuAd plans to continue to explain our existing business model and 
better educate the public about the state-of-the-art privacy 
protections that have been built-in to NebuAd's services, and, equally 
as important, the process that we have established to continuously 
improve on them. In support of this process to continuously advance 
privacy protections beyond industry standards, NebuAd looks forward to 
a continued open dialogue with legislators, regulators, and the 
advocacy community.
    NebuAd remains committed to delivering strong value to advertisers, 
publishers, and ISPs while setting the gold standard for privacy in 
online advertising and delivering the best Internet experience possible 
to consumers.

    Question la. Do you believe that consumers have the perception that 
your technology will allow ISPs to watch over every move they make on 
the Internet?
    Answer. A close examination of NebuAd's technology, operations, and 
privacy protections demonstrates that it is a responsible, privacy 
conscious business. Unfortunately, some recent public statements from 
various sources have presented inaccuracies, distortions, and 
misrepresentations of our technology and business model. While some 
consumers may have formed mistaken perceptions based on these erroneous 
statements about the NebuAd technology, the privacy controls in place, 
and the business model in conjunction with our ISP partners, we believe 
that consumer education is a key component of our continued effort to 
set the gold standard for privacy in online advertising.
    Finally, as a point of clarification, NebuAd does not watch every 
move consumers make on the Internet. The NebuAd system only uses a 
select set of a consumer's Internet activities (that is, only a subset 
of HTTP traffic) to construct anonymous inferences about the consumer's 
level of qualification for a predefined set of market segment 
categories, which are then used to select and serve the most relevant 
advertisements to that consumer. The NebuAd system does not collect or 
use any information from password-protected sites (e.g., HTTPS 
traffic), web mail, e-mail, instant messages, or VoIP traffic, and the 
system does not make use of any market segments that are deemed to be 
sensitive.

    Question 2. Mr. Dykes, in your written testimony you praise online 
advertising, especially NebuAd's approach, for enhancing consumers' 
Internet experience. As you know, the most important quality to 
Internet users is the speed of their Internet connection. How does the 
NebuAd's approach to behavioral monitoring--deep packet inspection--
affect the speed of a consumer's connection, including uploads and 
downloads?
    Answer. NebuAd's service does not adversely affect either upload or 
download performance. The NebuAd Ultra Transparent Appliance (``UTA'') 
is transparent when it comes to performance impact. Lab-tests of the 
NebuAd UTA and have found the performance of the NebuAd UTA matched or 
exceeded standard performance metrics expected from any network device 
such as a switch and/or a router. In addition, NebuAd has sophisticated 
monitoring capabilities to ensure performance expectations are 
maintained.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. David Vitter to 
                            Robert R. Dykes

    Question 1. Does your company's business model already accommodate 
the FTC's proposed principles for industry self-regulation? If so, 
please explain how.
    Answer. NebuAd participated in the FTC's proceeding by submitting 
written comments on the proposed principles. A copy of NebuAd's 
comments is available at http://www.ftc.gov/os/comments/
behavioraladprinciples/080411nebuad.pdf (``NebuAd Comments''). In its 
written comments, NebuAd agreed with the FTC Staff that the ``self-
regulatory principles that emerge from this process must rest within an 
overall framework that promotes transparency, consumer control, limited 
use of sensitive information, limited data storage, and strong 
security.''
    NebuAd's comments focused on a central theme: any set of final 
proposals for self-regulation should focus on the ultimate goal--
preventing consumer harm--and not on regulating different behavioral 
advertising technologies and companies in different ways based simply 
on the underlying technology used or individual entities involved. In 
other words, NebuAd believes that the final self-regulatory principles 
that emerge from the FTC proceeding must be consistent with the twin 
objectives of technology-neutrality and provider and publisher-
neutrality. This will allow for innovation within a flexible self-
regulatory framework while preventing an unintended consequence of 
inadvertently picking winners and losers in the emerging behavioral 
advertising marketplace, based solely on technology or business model.
    NebuAd looks forward to the Commission Staff's release of its final 
principles. Like the Federal Trade Commission, NebuAd is ``cautiously 
optimistic'' that industry self-regulation will work to protect 
consumers. See Prepared Statement of the Federal Trade Commission on 
Behavioral Advertising, Before the Senate Committee on Commerce, 
Science, and Transportation (July 9, 2008) at 1, available at http://
www.ftc.gov/os/2008/07/P085400behavioralad.pdf. Moreover, NebuAd has 
joined a chorus of other companies in calling for baseline privacy 
legislation. See oral testimony of Mr. Robert R. Dykes, Chairman and 
CEO, NebuAd, Inc, in hearing before the Subcommittee on 
Telecommunications and the Internet: What Your Broadband Provider Knows 
About Your Web Use: Deep Packet Inspection and Communications Laws and 
Policies, July 17, 2008.
    NebuAd's specific response to this question is as follows. (The 
FTC's Proposed Principles for the Self-Regulation of Behavioral 
Advertising are available at http://www.ftc.gov/os/2007/12/
P859900stmt.pdf).

    Principle 1: To address the need for greater transparency and 
consumer control regarding privacy issues raised by behavioral 
advertising, the FTC staff proposes:

   Every website where data is collected for behavioral 
        advertising should provide a clear, consumer-friendly, and 
        prominent statement that data is being collected to provide ads 
        targeted to the consumer and give consumers the ability to 
        choose whether or not to have their information collected for 
        such purpose.

    NebuAd Response: NebuAd supports the underlying goal of this 
proposal, which is to ensure that consumers are provided with ample 
opportunity to understand what information is collected, by whom, for 
what purpose, and to provide consumers with control over their online 
experience. Unfortunately, the proposal, as written, is problematic for 
NebuAd for reasons that are business-model specific, and having nothing 
to do with providing consumers with meaningful transparency and 
consumer control. As we noted in our comments to the FTC,

        ``[t]his proposal is apparently addressed to behavioral 
        advertising companies that, unlike NebuAd, have direct 
        relationships with those websites, typically as part of a 
        network. Because NebuAd works through ISPs and other ad 
        networks and does not necessarily have direct relationships 
        with the websites consumers visit, it has no way to require 
        them to post the proposed notice. For this reason, NebuAd 
        respectfully asks the Commission Staff to consider alternative 
        methods of notice, such as direct notice provided by ISPs to 
        their subscribers, together with an opportunity to opt-out, as 
        an appropriate means of meeting the Staff's proposed 
        transparency principle.''

    See NebuAd comments at p. 4. In other words, NebuAd is in full 
agreement with the policy of this principle, but must meet it in an 
alternative way. Indeed, that alternative way--direct notice to 
consumers, prior to the NebuAd service taking effect, with an 
opportunity to opt out then and persistently thereafter--may be more 
transparent than the Commission's proposed transparency principle.

    Principle 2: To address the concern that data collected for 
behavioral advertising may find its way into the hands of criminals or 
other wrongdoers, and concerns about the length of time companies are 
retaining consumer data, the FTC staff proposes:

   Any company that collects or stores consumer data for 
        behavioral advertising should provide reasonable security for 
        that data and should retain data only as long as is necessary 
        to fulfill a legitimate business or law enforcement need.

    NebuAd Response: NebuAd is in complete agreement with this 
principle. While NebuAd does not collect personally-identifiable 
information and does not store raw data associated with individual 
users, NebuAd nevertheless provides state-of-the-art security for the 
data it does collect and store: commercial categories mapped against 
anonymous identifiers and some aggregate data used for analytics. 
Moreover, unlike some search some companies, NebuAd retains the data 
used for behavioral advertising purposes only for as long as it is 
useful for that purpose--generally from a few days to a couple of 
months.

    Principle 3: To address the concern that companies may not keep 
their privacy promises when they change their privacy policies, FTC 
staff proposes:

   Companies should obtain affirmative express consent from 
        affected consumers before using data in a manner materially 
        different from promises the company made when it collected the 
        data.

    NebuAd Response: NebuAd requires by contract that its ISP partners 
not only change their privacy policies to address NebuAd's service, but 
also to provide direct notice to subscribers at least 30 days prior to 
the service taking effect, with an opportunity to opt-out. This allows 
for subscribers to exercise informed choice prior to the service taking 
effect. It is important to note that opting out does not mean that the 
subscriber must find a new ISP; rather, the subscriber may stay with 
the same ISP, without the NebuAd behavioral advertising service 
offering more relevant ads than those the subscriber would otherwise 
receive.

    Principle 4: To address the concern that sensitive data--medical 
information or children's activities online, for example--may be used 
in behavioral advertising, FTC staff proposes:

   Companies should only collect sensitive data for behavioral 
        advertising if they obtain affirmative express consent from the 
        consumer to receive such advertising.

    NebuAd Response: The NebuAd system does not make use of any market 
segments that are deemed to be sensitive. Specifically, NebuAd does not 
track or serve ads based on visits related to adult content, sensitive 
medical information, racial or ethnic origins, religious beliefs or 
content of a sexual nature, and does not have market segment categories 
for illegal products. Accordingly, the NebuAd system does not have nor 
does the system ever attempt to detect keyword patterns related to such 
subjects. NebuAd therefore looks forward to the final set of the FTC 
Staff's ``sensitive'' categories, which NebuAd assumes will be 
carefully tailored to prevent consumer harm, and, assuming so, will 
exclude those categories from the data used for behavioral advertising 
purposes or require an affirmative opt-in for them.

    Question 2. Does your system accommodate for a consumer's choice 
not to receive behavioral advertising, and in your systems, is that 
request honored permanently? If so, please explain how.
    Answer. Yes. NebuAd's service and policies were designed to provide 
consumers with prior, robust notice and the opportunity to express 
informed choice about whether to participate, both before the service 
takes effect and persistently thereafter.
    If a consumer should exercise his/her choice to not receive 
behavioral advertising, the consumer's choice is honored in the same 
manner as all other typical ad networks that provide ``cookie-based 
opt-out mechanisms'' and consistent with the self-regulatory guidelines 
of the Network Advertising Initiative (``NAI'').
    In addition, as stated on the opt-out page displayed to the 
consumer (either on the NebuAd website or on our partner ISP website), 
we inform that consumer that if he/she should delete the NebuAd cookie 
or if he/she should change computers or web browsers, then the consumer 
would need to opt-out again. This is similar to the statement that the 
members of the NAI make to consumers (http://
lwww.networkadvertising.org/managing/opt out.asp).
    NebuAd's current opt-out system is a more robust mechanism than 
traditional ``cookie-based opt-out'' systems and goes beyond the system 
offered by typical ad networks in the following situation. If a 
consumer's web browser blocks cookies, the NebuAd system will consider 
the consumer to be an opted-out user and will exclude that consumer 
from NebuAd's information collection and targeted ads.
    Finally, NebuAd recently announced that it is developing a network-
based opt-out mechanism that is not reliant on web browser cookies. 
Leveraging this advanced technology, ISP partners will be empowered to 
offer this enhanced mechanism to their subscribers in order to honor 
their opt-out choices more persistently than current systems widely 
used today.

    Question 3. Can you expand on how NebuAd's model collects 
information for marketing, depersonalizes that information into market 
segments, and keeps it depersonalized? To be clear, I am not asking 
that you reveal any of your company's proprietary information, only a 
general overview of how this is done and how consumers' information is 
protected in your system.
    Answer. The NebuAd system only uses a select set of a consumer's 
Internet activities (that is, only a subset of HTTP traffic) to 
construct anonymous inferences about the consumer's level of 
qualification for a predefined set of market segment categories 
(``anonymous user profiles''), which are then used to select and serve 
the most relevant advertisements to that consumer.
Depersonalization into Market Segments
    An anonymous user profile is a set of numbers that represent the 
consumer's level of qualification for a predefined set of NebuAd 
supported market segments (e.g., Las Vegas travel or domestic SUVs). 
NebuAd develops a set of keyword patterns associated with each specific 
market segment.
    As HTTP traffic flows through, the NebuAd system looks for 
appearances of these keyword patterns. A consumer's level of 
qualification for each particular market segment increases for each 
detected keyword pattern appearance. None of a consumer's HTTP traffic 
or the keyword patterns themselves is ever stored within an anonymous 
user profile. Only the set of numbers that represent the consumer's 
level of qualification, at a given point in time, for a limited number 
of broad market segments is maintained within an anonymous user 
profile. This mechanism of constructing anonymous inferences about a 
consumer's level of qualification and not storing the raw data that was 
used to create or update a user's anonymous profile provides a strong 
additional layer of privacy protection that goes beyond the standards 
used by many Internet companies today.
    In addition, each market segment has a predefined lifespan 
associated with it so if no keyword pattern for that market segment is 
detected for some time, the consumer's level of qualification will age 
fairly quickly--generally from a few days to a couple of months.
    Specifically, this means that a consumer's anonymous user profile 
represents just his/her current qualification levels and does not 
retain a long-standing history of qualifications levels.
Additional Protections
    The NebuAd system has also built-in multiple additional privacy 
protections from the ground up to ensure a consumer's anonymity 
including:

   The NebuAd system does not collect or use any information 
        from password-protected sites (e.g., HTTPS traffic), web mail, 
        e-mail, instant messages, or VoIP traffic.

   As noted above, the NebuAd system does not make use of any 
        market segments that are deemed to be sensitive. Specifically, 
        NebuAd does not track or serve ads based on visits related to 
        adult content, sensitive medical information, racial or ethnic 
        origins, religious beliefs or content of a sexual nature, and 
        does not have market segment categories for illegal products. 
        Accordingly, the NebuAd system does not have nor does the 
        system ever attempt to detect keyword patterns related to such 
        subjects.

   Finally, by design, the NebuAd system's set of keyword 
        patterns do not contain any personally identifiable information 
        about Internet consumers, and it ensures the anonymous 
        information that its systems infer cannot be used to identify 
        any individual. None of the anonymous information NebuAd uses 
        can be compiled together and somehow reverse engineered to 
        identify any individual. In other words, the information is not 
        ``pseudo-anonymous."
                                 ______
                                 
                               Memorandum
                                                       July 8, 2008
From: Nebuad, Inc.
Re: Legal and Policy Issues Supporting Nebuad's Services
I. Introduction to NebuAd
    NebuAd is an online media company founded by Internet security 
experts in 2006. It provides online advertising in partnership with 
ISPs, using a select set of a user's Internet activities (only a subset 
of HTTP traffic) to construct anonymous inferences about the user's 
level of qualification with respect to a predefined set of market 
segment categories (``anonymous user profiles''), which are then used 
to select and serve the most relevant advertisements to that user.
    NebuAd is a newcomer to the world of online advertising. This world 
of Internet companies includes several industry giants, behavioral 
advertising networks, and countless website publishers. Currently, 
online advertising solutions operate in many locations throughout the 
Internet ecosystem--from users' computers to individual websites to 
networks of websites. When an Internet user visits the sites of web 
publishers, like Yahoo! or Amazon, these sites typically collect 
information about the user's activities to target ads based on that 
information. When an Internet user conducts a search, the search 
company may collect information from the user's activity, which in turn 
may be used to improve the relevance of the sponsored search results 
and ads shown. When a user visits websites within an online advertising 
network, some of which include thousands of sites, the visits help the 
advertising network track the user for the purpose of serving higher-
value targeted advertising. All of these activities are well-entrenched 
in the Internet and have become fundamental to the economic model that 
underpins the wide availability of content and services on the Internet 
today. These advertising capabilities, have proven to have mutual 
benefits for users, publishers--both large and small--and advertisers.
    NebuAd offers a unique business model that allows ISPs to 
participate in the online advertising ecosystem, while not only 
adhering to industry-standard privacy policies but also establishing 
new state-of-the-art privacy protections and user choice policies that 
go far and beyond those used on the Internet today.
    Given the background of its founders, NebuAd architected its 
service and its policies to adhere to very strict privacy principles. 
These include:

        1. NebuAd's service does not collect or use PII from ISP 
        subscribers. The entire ad optimization and serving system does 
        not collect or use any Personally Identifiable Information 
        (PII), nor does it collect any information from password-
        protected sites, web mail, e-mail, instant messages, or VOIP 
        traffic.

        2. NebuAd stores only a set of numbers that represent the 
        user's level of qualification for a predefined set of market 
        segment categories (``anonymous user profiles''). NebuAd does 
        not store raw data such as URLs navigated or IP addresses 
        associated with an identifiable individual.
        Rather, the NebuAd service constructs anonymous inferences 
        about the user's level of qualification for a predefined set of 
        market segment categories, and then discards the raw data that 
        was used to create or update a user's anonymous profile. This 
        mechanism of constructing anonymous inferences about the user's 
        level of qualification and not storing raw data provides a 
        strong additional layer of privacy protection that goes beyond 
        the standards used by many Internet companies today.

        3. NebuAd's ISP Partners are required to provide notice to 
        users in advance of launch of the service. The notice, which 
        must be direct and robust, discloses to the user that the ISP 
        is working to ensure that advertisements shown will be more 
        relevant advertisements, that to deliver these ads its partner 
        creates anonymous profiles based on part of the user's web 
        surfing behavior, which does not include the collection of PII, 
        and that the user may opt-out of the service. For existing 
        subscribers, the notice is required to be delivered 30 days 
        prior to the launch of the service by postal mail, e-mail, or 
        both. For new subscribers, the notice is required to be placed 
        clearly and conspicuously in the new subscriber sign-up flow 
        and outside the privacy policy. All subscribers can opt-out at 
        any time, and on-going disclosure and opportunity to opt-out is 
        required to be provided within the ISP's privacy policy.

        4. NebuAd and its ISP partners offer users advance and on-going 
        choice of opting-out of the service. Users are provided with a 
        clear statement of what the opt-out means and the way it 
        operates. Once the opt-out option is chosen, NebuAd honors that 
        choice and ignores the user's subsequent web surfing activity 
        and thus does not serve the user with behaviorally targeted 
        ads.\1\
---------------------------------------------------------------------------
    \1\ The user, of course, will continue to receive ads.

        5. NebuAd's service only creates anonymous user profiles, which 
        contain no PII and no raw data, and its placement of ads is 
        completely anonymous. NebuAd uses proprietary algorithms and 
        techniques, including one-way encryption of data, so that no 
        one--not even NebuAd's engineers who designed the system--can 
        reverse-engineer an anonymous identifier, or the anonymous user 
---------------------------------------------------------------------------
        profile associated with it, to an identifiable individual.

        6. NebuAd avoids any sensitive websites or product categories. 
        NebuAd does not track or serve ads based on visits related to 
        adult content, sensitive medical information, racial or ethnic 
        origins, religious beliefs or content of a sexual nature, and 
        does not have market segment categories for illegal products.

        7. NebuAd does not permit either complexity of data or 
        narrowness of data to be reverse-engineered into PII. This 
        protection is accomplished because anonymous user profiles are 
        constructed by anonymous inferences about the user's level of 
        qualification for a predefined set of market segment 
        categories. Raw data is simply not stored as part of the 
        anonymous user profile. In addition, the NebuAd service does 
        not have narrowly-defined segments. Finally, the anonymous 
        profile identifier is the result of multiple encryptions, and 
        based on multiple data elements including the hashed IP 
        address.

        8. There is no connection or link between the ISP's 
        registration data systems and NebuAd. That means that no user-
        specific data is exchanged between NebuAd and ISP data systems. 
        This boundary is preserved further, and inadvertent disclosure 
        is prevented, because NebuAd immediately performs a one-way 
        encryption of the IP address and other anonymous user 
        identifiers used within the NebuAd system.

        9. NebuAd installs no applications of any type on users' 
        computers, has no access to users' hard drives, and has no 
        access to secure transactions. As such, NebuAd does not control 
        a user's computer or web-surfing activity in any way, e.g., by 
        changing computer settings or observing private or sensitive 
        information.

        10. NebuAd's Data Centers are professionally operated and 
        secured. NebuAd's servers are located at secure sites with 
        state-of-the-art protections against any intrusion, electronic 
        or physical.

II. The Federal Wiretap Act
    As a threshold matter, it is important to note that the Federal 
Wiretap Act \2\ was last amended in 1986 before the widespread adoption 
of personal computing and online communications.\3\ When the Wiretap 
Act was enacted, and amended, the focus was on telephone communication 
and other similar technology. Case law is rich with examples of claims 
involving a tapped phone line.\4\ Notably, these cases primarily 
involve direct, one-on-one communication between the parties. The 
content is personal to the speakers, such that if one of the parties 
was replaced, the communication would not contain the same content. 
Although secrecy or confidentiality was not expressly built into the 
Wiretap Act, the Act was enacted at a time when the focus was on 
individual communications--likely as a result of the limitations of 
then-existing technology.
---------------------------------------------------------------------------
    \2\ 18 U.S.C.  2510 et seq.
    \3\ The Wiretap Act was amended by the Electronic Communications 
Privacy Act of 1986 (``ECPA''), Pub. L. 99-508, 100 Stat. 1848 (1986). 
While the Wiretap Act is Title I of the ECPA, it was first passed as 
Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and 
is generally known as ``Title III.''
    \4\ See, e.g., United States v. Foster, 580 F.2d 388 (10th Cir. 
1978) (telephone company taps phone line of user suspected of 
defrauding the telephone company out of long-distance charges); United 
States v. Harvey, 540 F.2d 1345 (8th Cir. 1976) (same); United States 
v. Auler, 539 F.2d 642 (7th Cir. 1976) (same).
---------------------------------------------------------------------------
    The environment that has since evolved for online communications is 
markedly different. While online communications are still carried by 
wire, there are important policy distinctions between the types of 
communications that the Wiretap Act was enacted to address, and the 
types of communications present in the online environment today. 
Internet users are not engaged in a personal, direct conversation with 
non-secure website publishers.\5\ Such publishers provide online 
content indiscriminately to all users. As stated below, even under the 
Wiretap Act, courts look to the circumstances surrounding a 
communication.\6\ Yet, the evaluation of circumstances that surround a 
telephone communication between two parties is not analogous to an 
online communication between a party and a website. To date, there are 
no litigated decisions directly addressing the application of the 
Wiretap Act to a URL provided as part of a consumer's online 
navigations or provided via publicly available search request and 
response. Therefore, it is still an open question as to whether these 
types of communications are even covered by the Wiretap Act.\7\
---------------------------------------------------------------------------
    \5\ There are always exceptions to this statement, such as online 
purchases, encrypted communication, and other secured data 
transactions, but notably, these private communications are the exact 
types of information that NebuAd's services do not collect. NebuAd's 
services personalize generic content rather than intruding upon private 
communications.
    \6\ See United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987).
    \7\ See Patricia L. Bellia, Spyware: The Latest Cyber-Regulatory 
Challenge, 20 Berkeley Tech. L.J. 1283, 1296, 1311-12 (2005). Another 
law review article described the question as to whether URLs contain 
contents as ``surprisingly difficult'' and ``quite murky.'' Orin S. 
Kerr, Internet Surveillance Law After the USA Patriot Act: The Big 
Brother That Isn't, 97 Nw. U.L. Rev. 607, 645-46 (2003).
---------------------------------------------------------------------------
    Assuming, for the purposes of this memorandum, that the Wiretap Act 
applies to NebuAd's services, the Act expressly prohibits the 
intentional interception of an electronic communication \8\ unless 
``one of the parties to the communication has given prior consent to 
such interception.'' \9\ The legislative history of the Wiretap Act 
clearly indicates ``that Congress intended the consent requirement to 
be construed broadly.'' \10\ As a result, ``courts have resoundingly 
recognized the doctrine of implied consent.'' \11\ The Court of Appeals 
for the Second Circuit stated that the Wiretap Act ``affords safe 
harbor not only for persons who intercept calls with the explicit 
consent of a conversant but also for those who do so after receiving 
implied consent.'' \12\
---------------------------------------------------------------------------
    \8\ 18 U.S.C.  2511(1)(a).
    \9\Id.  2511(2)(d).
    \10\ United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987) (`` 
`Consent may be expressed or implied. Surveillance devices in banks or 
apartment houses for institutional or personal protection would be 
impliedly consented to.' '' (quoting S. Rep. No. 1097, 90th Cong. 2d 
Sess., reprinted in 1968 U.S.C.C.A.N. 2112, 2182)).
    \11\ George v. Carusone, 849 F. Supp. 159, 164 (D. Conn. 1994); see 
United States v. Faulkner, 439 F.3d 1221, 1224-25 (10th Cir. 2006) 
(``We are not persuaded to depart from the unanimous view of the 
holdings by our fellow circuit courts.''); Griggs-Ryan v. Smith, 904 
F.2d 112, 118; United States v. Corona-Chavez, 328 F.3d 974, 978-79 
(8th Cir. 2003); Amen, 831 F.2d at 378; United States v. Willoughby, 
860 F.2d 15, 19-20; United States v. Tzakis, 736 F.2d 867, 870, 872 (2d 
Cir. 1984); Borninski v. Williamson, No. Civ. A. 3:02CV1014-L, 2005 WL 
1206872, at *13 (N.D. Tex. May 17, 2005); United States v. Rittweger, 
258 F. Supp. 2d 345, 354 (S.D.N.Y. 2003); Chance v. Avenue A, Inc., 165 
F. Supp. 2d 1153, 1162 (W.D. Wash. 2001); In re DoubleClick Inc. 
Privacy Litig., 154 F. Supp. 2d 497, 514 (S.D.N.Y. 2001).
    \12\ Griggs-Ryan, 904 F.2d at 116.
---------------------------------------------------------------------------
    To determine whether a party has impliedly consented to an 
interception under the Wiretap Act, courts examine the totality of the 
circumstances and ``imply consent in fact from surrounding 
circumstances indicating that the [party] knowingly agreed to the 
surveillance.'' \13\ In such evaluations, courts have found that 
parties impliedly consented to an interception in various fact 
patterns. The Federal district court for the Southern District of New 
York found implied consent when an employer circulated memoranda 
regarding telephone monitoring and recording. Although the party denied 
receiving the notice, and evidence proving such receipt was destroyed, 
the court determined that the party had knowledge of the monitoring and 
recording and impliedly consented to such monitoring and recording by 
continuing to use the monitored telephone lines.\14\
---------------------------------------------------------------------------
    \13\ Amen, 831 F.2d at 378.
    \14\ Rittweger, 258 F. Supp. 2d at 354.
---------------------------------------------------------------------------
    Similarly, a Connecticut Federal district court found that 
employees had given their implied consented to the recording of 
conversations on work telephones, as many of the telephones displayed 
warning labels, memoranda were circulated to all employees regarding 
the recordingof incoming and outgoing telephone calls.\15\ The court 
stated that employees' ``knowledge of the system and subsequent use of 
the phones is tantamount to implied consent to the interception of 
their conversations.'' \16\ The Court of Appeals for the First Circuit 
held that repeated oral statements that all incoming telephone calls 
would be monitored was sufficient notice, and that the party's taking 
an incoming phone call was implied consent to the interception.\17\ 
Additionally, a Texas Federal district court found that an employee 
consented to monitoring of Internet communications at work because the 
employee had signed a form stating that ``Internet access should be 
limited to `business use only,' and that the company `logs and archives 
all incoming and outgoing data communications through its gateway 
system. Use of the gateway implies consent to such monitoring.' '' \18\
---------------------------------------------------------------------------
    \15\ George, 849 F. Supp. at 164.
    \16\ Id.
    \17\ Griggs-Ryan, 904 F.2d at 117-19.
    \18\ Borninski v. Williamson, No. Civ. A. 3:02CV1014-L, 2005 WL 
1206872, at *13 (N.D. Tex. May 17, 2005).
---------------------------------------------------------------------------
    Using the framework established by the courts, NebuAd satisfies the 
implied consent exception to liability for interception under the 
Federal Wiretap Act.\19\ NebuAd requires, by contract, that all of its 
ISP partners give subscribers notice of NebuAd's services, including 
the collection of anonymous information regarding subscribers' online 
activities, for use in advertising. This notice must be given directly, 
and prior to the initiation of the ISP's use of NebuAd's services. The 
ISP partners are also required, by contract, to alter their privacy 
policies accordingly. NebuAd further requires that all ISP partners 
provide users with an option to opt-out of NebuAd's services, initially 
upon receipt of the direct notice, and in an ongoing manner through the 
ISP's privacy policy.
---------------------------------------------------------------------------
    \19\ Website publishers may also consent to an interception, as 
website publishers make web content available for any user. Such 
posting does not constitute an exclusive communication between the 
website publisher and the user, but rather it is public communication 
that is intended to be viewed by any number of simultaneous users. As a 
result, website publishers have no reasonable expectation that the 
communication between it and any consumer will remain private or 
confidential, and thus impliedly consent to the interception by a third 
party.
---------------------------------------------------------------------------
III. The Cable Act
    The Cable Act \20\ was enacted to protect cable subscribers' 
personal information. Among other things, it requires cable operators 
to obtain written or electronic consent from a subscriber prior to 
collecting any PII concerning the subscriber.\21\ In addition to the 
limitations on the collection of subscriber PII, the Cable Act limits 
the disclosure of subscriber PII by cable operators.\22\ The Cable Act 
sets out multiple standards that a cable operator must satisfy in order 
to disclose subscriber PII. If the disclosure is necessary for a 
legitimate business activity, a cable operator is not required to 
provide the subscriber with any notice.\23\ A cable operator may 
disclose the name and mailing addresses of subscribers if it provides 
subscribers with the opportunity to opt out of such disclosure.\24\ For 
all other disclosures of subscriber PII, a cable operator must obtain 
``the prior written or electronic consent of the subscriber''--
essentially an opt-in standard.\25\
---------------------------------------------------------------------------
    \20\ Cable Communications Policy Act (1984), 47 U.S.C.  551 et 
seq.
    \21\ Id.  551(b)(1).
    \22\ Id.  551(c).
    \23\ Id.  551(c)(2)(A).
    \24\ Id.  551(c)(2)(C)(i).
    \25\ Id.  551(c)(1).
---------------------------------------------------------------------------
    Notably, under the Cable Act, PII ``does not include any record of 
aggregate data which does not identify particular persons.'' \26\ 
NebuAd's service specifically complies with the Cable Act because 
NebuAd's service does not collect PII. Instead, using only non-
personally identifiable information, NebuAd uses a select set of a 
user's Internet activities (a subset of HTTP traffic) to construct 
anonymous inferences about the user's level of qualification for a 
predefined set of market segment categories, which are then used to 
select and serve the most relevant advertisements to that user. The use 
of NebuAd's services certainly does not require a subscriber to opt 
in--the strictest notice and consent requirement. Although not an 
activity conducted by NebuAd, even the disclosure of a subscriber's 
mailing address, widely recognized as PII, only requires that the 
subscriber have an opportunity to opt out. NebuAd's service, on the 
other hand, does not even collect subscriber PII. Because NebuAd's 
service does not collect subscriber PII, there is no violation of the 
Cable Act.
---------------------------------------------------------------------------
    \26\ Id.  551(a)(2)(A).
---------------------------------------------------------------------------
    Additionally, a 2002 FCC ruling concluded that ``cable modem 
service, as it is currently offered, is properly classified as an 
interstate information service, not as a cable service, and that there 
is no separate offering of a telecommunications service.'' \27\ This 
determination that cable Internet services are not classified as 
telecommunications services was upheld by the Supreme Court as a lawful 
interpretation of the Communications Act.\28\ A recent decision by the 
Court of Appeals for the Sixth Circuit upheld this distinction and 
stated that the plain language of the Cable Act precludes its 
application to broadband Internet services, even those provided by a 
cable operator.\29\ Examining the application of the Cable Act, the 
court emphasized that as the cable provider was providing broadband 
Internet access and not cable service, the Cable Act was inapplicable.
---------------------------------------------------------------------------
    \27\ In re Inquiry Concerning High-Speed Access to the Internet 
Over Cable and Other Facilities, 17 FCCR 4798, 4802 (2002).
    \28\ Nat'l Cable and Telecomms. Ass'n v. Brand X Internet Servs., 
545 U.S. 967 (2005).
    \29\ Klimas v. Comcast Cable Commc'ns, Inc., 465 F.3d 271 (6th Cir. 
2007), reh'g en banc denied Klimas v. Comcast Cable Commc'ns, Inc., 
2007 U.S. App. LEXIS 13658 (6th Cir. May 1, 2007).
---------------------------------------------------------------------------
IV. Policy Implications
    NebuAd provides users with a great amount of privacy protection. 
Unlike many online advertising models today, NebuAd's service does not 
collect or use any PII. In addition, NebuAd's anonymous user profiles 
do not contain any original raw data, such as URLs navigated, but only 
consist of a set of numbers that represent anonymous inferences about 
the user's level of qualification for a predefined set of market 
segment categories. (NebuAd does retain some anonymous data for 
analysis and reporting.) Additionally, NebuAd is one of the only 
models--if not the only model--that provides users with advance notice 
of the nature of its services and an opportunity to opt-out before the 
service takes effect. NebuAd's service also complies with the 
government's consent policy on privacy as NebuAd's service does not 
collect any PII, and provides users with the opportunity to opt-
out.\30\ Finally, NebuAd's service does not observe encrypted traffic, 
does not observe VoIP sessions, does not store raw search queries 
linked to an identifiable user, and does not track users' IP addresses, 
thus providing an excellent set of privacy protections. Because of the 
privacy protections that NebuAd has incorporated into the architecture 
of its service, it is able to provide users with relevant advertising 
messages in a safe, secure, and privacy-respecting manner.
---------------------------------------------------------------------------
    \30\ Use of a consumer opt out is consistent with other consumer 
information protection statutes such as the Gramm-Leach-Bliley Act 
(financial data), the Health Insurance Portability And Accountability 
Act (health data), the Fair Credit Reporting Act (consumer reports), 
the Telemarketing and Consumer Fraud and Abuse Prevention Act 
(telemarketing), and the CAN-SPAM Act (e-mail marketing).
---------------------------------------------------------------------------
                                 ______
                                 
                          Memorandum Addendum
                                                       July 8, 2008
From: Nebuad, Inc.
Re: Legal and Policy Issues Supporting Nebuad's Services

I. The Memorandum on Behavioral Advertising \1\ by the Center For 
        Democracy and Technology Is Based on a Misunderstanding of 
        Nebuad's Services
---------------------------------------------------------------------------
    \1\ Center for Democracy and Technology, Privacy Implications of 
Online Advertising (July 9, 2008) [hereinafter ``CDT Memorandum''].
---------------------------------------------------------------------------
    NebuAd's service was architected to comply with very strict privacy 
principles. The Center for Democracy and Technology (``CDT'') 
misunderstands how NebuAd's service operates. First, the service does 
not ``cop[y] all or substantially all Web transactions.'' \2\ NebuAd's 
service uses only a subset of HTTP traffic to construct anonymous 
inferences about the user's level of qualification with respect to a 
predefined set of market segment categories. NebuAd's service only 
stores a one-way encrypted anonymous user identifier, which is used to 
represent an anonymous user, and a set of numbers which represent the 
user's level of qualification with respect to a predefined set of 
market segment categories. NebuAd does not store raw data such as URLs 
navigated or IP addresses associated with an identifiable individual. 
Second, to provide additional privacy protection, NebuAd's service does 
not track or serve ads based on visits to sensitive websites or product 
categories. CDT also unfortunately erroneously stated in its Memorandum 
that a NebuAd ISP implementation ``did not provide a way for 
subscribers to give or withhold consent.'' \3\ This is not so. NebuAd 
requires its ISP partners, by contract, to give their ISP subscribers 
prior, direct notice about NebuAd's service and an opportunity to 
withhold consent or to express their informed choice before the service 
takes effect.
---------------------------------------------------------------------------
    \2\ CDT Memorandum at 23.
    \3\ Id. at 15.
---------------------------------------------------------------------------
II. The CDT's Evaluation Is Largely a Policy Argument on How the 
        Existing Law Ought to Apply in the Internet Context
A. Federal Wiretap Act
    While citing a number of cases and policy arguments, the CDT 
acknowledges that exceptions to the Federal Wiretap Act may apply. The 
CDT Memorandum contains hedging language that an exception ``probably 
does not permit'' NebuAd's service,\4\ that it is ``unlikely'' that the 
``necessary incident'' exception would apply,\5\ and citing no cases on 
point, that it is ``unclear'' whether the ``business use'' exception 
would apply.\6\ It is therefore unclear from the CDT's own Memorandum 
whether NebuAd's service qualifies for either of these exceptions.
---------------------------------------------------------------------------
    \4\ Id. at 26.
    \5\ Id. at 26.
    \6\ Id. at 27.
---------------------------------------------------------------------------
    The CDT also does not deny that implied consent, where a consumer 
receives notice, prior to the service taking effect, has the 
opportunity to opt-out, and continues to use the service, can and often 
amounts to implied consent under the Wiretap Act, which has been well-
recognized by the Federal courts. The CDT Memorandum equivocates on 
NebuAd's service in particular, stating that prior notice of NebuAd's 
service ``might not be enough,'' \7\ to meet the implied consent 
standard, and that the courts would be skeptical ``if'' the notice to 
consumers did not provide sufficient notice of the services.\8\
---------------------------------------------------------------------------
    \7\ Id. at 30-31.
    \8\ Id. at 31.
---------------------------------------------------------------------------
    The CDT's Memorandum does not give a full picture of the implied 
consent standard. While courts have stated ``that consent under the 
Wiretap Act `is not to be cavalierly implied,' '' \9\ courts have 
equally stated that ``Congress intended the consent requirement to be 
construed broadly.'' \10\ These statements are not mutually exclusive, 
and courts have made both statements in the same case.\11\
---------------------------------------------------------------------------
    \9\ Id. At 30 (quoting Watkins v. L.M. Berry & Co., 704 F.2d 577, 
579 (11th Cir. 1983).
    \10\ Griggs-Ryan v. Smith, 904 F.2d 112, 116 (1st Cir. 1990); see, 
e.g., United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987); United 
States v. Faulkner, 439 F.3d 1221, 1224 (10th Cir. 2006); George v. 
Carusone, 849 F. Supp. 159, 164 (D. Conn. 1994).
    \11\ See, e.g., Griggs-Ryan v. Smith, 904 F.2d at 116-17.
---------------------------------------------------------------------------
    Moreover, none of the cases the CDT relies on for its policy 
argument that opt-in should be required is on point, and some contain 
language affirming the use of implied consent. For example, reliance on 
Watkins \12\ for the proposition that implied consent is insufficient 
is misplaced, as Watkins involves an employee that had consented to 
limited monitoring practices by an employer, and the employer 
subsequently exceeded the authorized monitoring. Thus, Watkins does not 
state that implied consent is invalid, but rather that consent may be 
limited.\13\ Similarly, the CDT cites to Griggs-Ryan v. Smith \14\ for 
the proposition that ``consent should not casually be inferred.'' The 
context surrounding this statement is important in order to gauge the 
statement's full meaning. In the preceding paragraphs of the same case, 
the court described how ``Congress intended the consent requirement to 
be construed broadly,'' and ``that Title III affords safe harbor not 
only for persons who intercept calls with the explicit consent of a 
conversant but also for those who do so after receiving implied 
consent.'' \15\ The Griggs-Ryan court found implied consent based on 
repeated oral statements that all incoming calls would be monitored. 
The other cases CDT cites on implied consent are either distinguishable 
or don't apply here.\16\
---------------------------------------------------------------------------
    \12\ Watkins v. L.M. Berry & Co., 704 F.2d 577 (11th Cir. 1983).
    \13\ See also Griggs-Ryan, 904 F.2d at 119 (finding the plaintiff's 
heavy reliance on Watkins to be mislaid because of the limited consent 
in that case).
    \14\ Griggs-Ryan, 904 F.2d 112 (1st Cir. 1990).
    \15\ Id. at 116.
    \16\ See Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 19-20 (1st 
Cir. 2003) (The court found that ``consent must be actual, not 
constructive.'' The court in Pharmatrak indeed made this point but only 
insofar as to cite to the decision from which it originated, namely, 
Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993).); United States v. 
Corona-Chavez, 328 F.3d 974, 978 (8th Cir. 2003) (The court held that 
there must be actual consent to meet the consent exception under the 
Wiretap Act. The court provides the example that ``when someone 
voluntarily participates in a telephone conversation knowing that the 
call is being intercepted, this conduct supports a finding of implied 
consent to the interception.''); Berry v. Funk, 146 F.3d 1003, 1011 
(D.C. Cir. 1998) (The court found that ``[w]ithout actual notice, 
consent can only be implied when the surrounding circumstances 
convincingly show that the party knew about and consented to the 
interception.'' In this case, the government tried to show implied 
consent by arguing that any reasonable person would assume that an 
operator stayed on the line if not told otherwise. In dismissing this 
argument, the court found that ``[t]he key question in such an inquiry 
obviously is whether parties are given sufficient notice.''); Deal v. 
Spears, 980 F.2d 1153 (8th Cir. 1992) (holding that a warning about the 
possibility, rather than actual notice, of monitoring did not 
constitute sufficient notice for implied consent); Specht v. Netscape 
Commc'ns Corp., 306 F.3d 17 (2d Cir. 2002) (evaluating claims outside 
the Wiretap Act and considering the sufficiency of notice provided by 
an inconspicuous software download license agreement); United States v. 
Lanoue, 71 F.3d 966, 981 (1st Cir. 1995) (standing for the general 
proposition that ``[d]eficient notice will almost always defeat a claim 
of implied consent,'' this acknowledges that sufficient notice will 
support a finding of implied consent).
---------------------------------------------------------------------------
B. State Wiretap Statutes
    In addition to noting various all-party consent states, the CDT has 
focused on California. First, the CDT Memorandum contains hedging 
language regarding the application of various exceptions, such that if 
such an exception were met, the issue of all-party consent would not be 
reached as NebuAd's service would be exempted from liability under 
alternative grounds.\17\ Additionally, the CDT notes the lack of 
developed case law on the extension of the California wiretap statute 
to Internet communications.\18\ The CDT points to the extraterritorial 
application of the California wiretap statute involving telephone 
communications--notably after recognizing that such statute may be 
inapplicable to NebuAd's service--but then offers a countervailing 
argument that California's consent requirement may be inapplicable to 
behavioral advertising altogether.\19\ While focusing on the California 
wiretap statute as a roadblock to NebuAd's service, the CDT Memorandum 
itself recognizes that the statute may exempt NebuAd's service or may 
be inapplicable to the industry altogether.
---------------------------------------------------------------------------
    \17\ See supra notes 4-8 and accompanying text.
    \18\ CDT Memorandum at 33.
    \19\ Id.
---------------------------------------------------------------------------
                                 ______
                                 
    Response to Written Question Submitted by Hon. David Vitter to 
                         Clyde Wayne Crews, Jr.

    Question. As our Committee continues to examine the issue of online 
privacy, should we focus on the variations in different technologies 
used to provide what appears to be essentially similar marketing 
services? Or, should we instead focus on the use of the information 
collected--by whatever method it is collected--to ensure that data is 
used for legitimate marketing purposes, that privacy is protected, and 
that we can go after those who misuse any data they collect?
    Answer. Targeted marketing encompasses a diverse array of 
relationships between users, marketers, and websites. While all types 
of behavioral advertising techniques are often lumped together, there 
is in fact a great deal of variety among online marketing business 
models.
    Even across search engines, there is no uniform method of dealing 
with user data from search queries. Google, for example, to improve 
search accuracy by recording every search query along with the user's 
IP address and the time the search was conducted. Yet, Google does not 
utilize this data to create user profiles. Another search provider, the 
recently launched Cuil, does not retain any personal data. Microsoft 
recently unveiled plans to deliver search results that take into 
consideration each user's individual browsing habits, arguing that 
Microsoft's Live Search engine will be better equipped to compete 
against Google if it can analyze the intent of each user.
    The misuse of sensitive information is an important concern for 
policymakers evaluating online privacy issues. However, misuse can only 
be defined on a case-by-case basis. This cannot be accomplished by 
prescriptive legislation--especially in frontier sectors like the 
Internet. The danger of stifling nascent markets is far greater than 
any potential benefits of legislation which privacy mandates could 
bring.
    Controversial practices like the use of deep-packet inspection by 
Internet Service Providers may offer commercial opportunities with 
benefits to consumers. Lower broadband bills are just one possible 
benefit from the delivery of personalized ads to subscribers. Of 
course, for many users, privacy concerns trump potential benefits. In 
some instances, firms may inaccurately assess consumer preferences, 
resulting in mistakes like the NebuAd scuffle. Such mistakes, however 
disturbing, will be resolved by market forces as competing firms 
respond to consumer concerns by revising data collection practices as 
needed.
    Consider two users with different levels of concern regarding 
personal privacy. One user lists his hobbies, friends, and demographic 
details on a public social networking profile and does not expect that 
data to remain private. On the other hand, another user whose Gmail 
inbox contains sensitive personal correspondence assumes the data will 
not be made public. In the current environment--where government 
enforces voluntary privacy arrangements, but does not dictate them--
both users can be satisfied. Thanks to Gmail's robust privacy policy, 
the concerned user can rest assured that her e-mails will be safe from 
outside prying. And the user of the social networking site can enjoy 
the services and content sustained by marketing income without 
undesired rules preventing the use of data that is clearly in the 
public sphere.
    The technologies that drive online advertising are incredibly 
complex, and new ways of analyzing data are constantly being developed. 
Therefore, the fundamental question in the online privacy debate is how 
we arrange for our data to be used once it has been transferred to a 
third party. Calls for Congress to build walls around personal 
information would preclude these arrangements, giving us too little 
privacy in some cases and too much in others. A set of guidelines that 
seems reasonable when applied to ISP deep-packet inspection might 
eliminate other, more innocuous business models that rely on targeted 
marketing.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. David Vitter to 
                           Michael D. Hintze

    Thank you again for your interest in the important privacy 
implications of online advertising. Microsoft has a deep and 
longstanding commitment to consumer privacy issues, and we welcomed the 
opportunity to testify before the Senate Commerce Committee about the 
concrete steps we are taking to protect consumers' privacy online. As 
we indicated in our testimony, Microsoft believes that strong privacy 
protections are not only compatible with bringing the benefits of 
online advertising to consumers, advertisers and publishers, but are 
essential to ensuring the success of this important business model. 
This means that Microsoft, and all companies operating online, must 
adopt meaningful privacy practices that build trust with consumers. We 
believe our responses to your important follow-up questions demonstrate 
that Microsoft takes this responsibility seriously.

    Question 1. Does your company's business model already accommodate 
the FTC's proposed principles for industry self-regulation? If so, 
please explain how.
    Answer. Yes, Microsoft's business model accommodates and even 
exceeds the Federal Trade Commission's proposed principles for self 
regulation. In our comments to the FTC, we urged the Commission to 
focus on a broad array of online advertising activities (not simply 
behavioral advertising) because all online advertising involves the 
collection of data about computer users and may be contrary to 
consumers' expectations.\1\ To this end, Microsoft specifically 
advocated for a tiered approach to self regulation that is 
appropriately tailored to account for the types of information being 
collected and how that information will be used. Our proposal would 
establish a baseline set of privacy protections applicable to all 
online advertising activities and additional obligations for those 
companies that engage in practices that raise additional privacy 
concerns.
---------------------------------------------------------------------------
    \1\ See http://www.ftc.gov/os/comments/behavioraladprinciples/
080411microsoft.pdf.
---------------------------------------------------------------------------
    Microsoft's broad approach to self regulation is based on the 
comprehensive privacy principles for online search and ad targeting we 
announced in July 2007.\2\ These principles include commitments to user 
notice, user controls, anonymization, security, and best practices. 
Microsoft has embraced these privacy principles, and they will shape 
the development of our new product offerings. We also have released a 
set of privacy guidelines designed to help developers build meaningful 
privacy protections into their software programs and online 
services.\3\ The following paragraphs highlight the ways in which we 
have implemented our own privacy principles into practice and, by doing 
so, have also accommodated the FTC's proposed principles for industry 
self-regulation.
---------------------------------------------------------------------------
    \2\ Microsoft's Privacy Principles for Live Search and Online Ad 
Targeting are available at http://www.microsoft.com/mscorp/twc/privacy/
default.mspx.
    \3\ Microsoft's Privacy Guidelines for Developing Software Products 
and Services are available at http://www.microsoft.com/privacy.
---------------------------------------------------------------------------
    A. Transparency. Microsoft agrees with the FTC that transparency is 
critical to enable consumers to make informed choices. To this end, 
Microsoft's Online Privacy Statement is readily accessible from every 
page of our websites, including the home page. It also is written in 
clear language and offered in a ``layered'' format that provides 
consumers with the most important information about our privacy 
practices upfront, followed by additional layers of notice that provide 
a more comprehensive examination of our general privacy practices.\4\ 
With respect to the delivery of advertisements online, the Microsoft 
Online Privacy Notice Highlights clearly informs users about 
Microsoft's online advertising practices, noting that Microsoft 
``use[s] cookies and other technologies to keep track of your 
interactions with our sites and services to offer a personalized 
experience'' and that Microsoft's services ``may include the display of 
personalized content and advertising.'' In addition, our full privacy 
statement includes complete descriptions of the types of information 
collected for online advertising and the ways in which such information 
may be used. We believe our upfront and more detailed privacy 
statements help ensure consumers are fully informed of our data 
collection and usage practices.
---------------------------------------------------------------------------
    \4\ Microsoft's Online Privacy Statement can be found at http://
go.microsoft.com/fwlink/?LinkId=74170.
---------------------------------------------------------------------------
    B. Consumer Control. Microsoft also agrees with the FTC that the 
collection of information about consumers to generate a profile of 
their behavior upon which ads can be targeted raises heightened 
concerns that warrant additional levels of user control. For this 
reason, Microsoft has taken the following steps:

   Microsoft was the first major online advertising provider to 
        announce it would give customers the opportunity to opt out of 
        receiving targeted advertising on all of the websites where 
        Microsoft provided advertising, including both Microsoft sites 
        and third-party partner websites.

   Microsoft prominently provides information and links to our 
        opt-out mechanism in the top-layer of our privacy statement and 
        in our full privacy statement.

   Microsoft allows users to tie their opt-out choice to their 
        Windows Live ID so their choice will be effective across 
        multiple computers without any additional effort on the user's 
        part.

   Microsoft's opt-out method is more persistent than others--
        for example, deleting cookies will not erase consumer's opt-out 
        selection; rather, their opt-out choice will be reset when they 
        sign in with their Windows Live ID.

    We also recently announced three features of our new Internet 
Explorer product that will improve consumer control. First, users may 
choose to activate InPrivate browsing so their web surfing history, 
temporary Internet files, and cookies are not recorded on their 
computer after browsing. Second, users are given notice and a choice 
about whether they want to block content coming from third parties that 
may track and aggregate their online behavior by using the InPrivate 
Blocking feature. Third, users have the choice to clear all or some of 
their browsing history by using the enhanced Delete Browsing History 
feature.
    C. Security. Microsoft is committed to the FTC's principles around 
data security. We have adopted strong data security practices, 
implemented meaningful data protection and security plans, and 
undertaken detailed third-party audits. We also have taken steps to 
educate consumers about ways to protect themselves while online, and we 
have worked closely with industry members and law enforcement around 
the world to identify security threats, share best practices, and 
improve our coordinated response to security issues.
    D. Data Retention. Microsoft supports the FTC's principle that 
entities that collect data through online advertising ``should retain 
data only as long as is necessary to fulfill a legitimate business or 
law enforcement need.'' As the Commission notes, there are often sound 
and legitimate business reasons for retaining data collected from 
users. These reasons include enhancing fraud detection efforts, helping 
guard consumers against security threats, understanding website usage, 
improving the content of online services, and tailoring features to 
consumer demands.
    Microsoft's policy around retaining search query data provides a 
good example of the careful balance of interests that must be taken 
into account when analyzing retention periods. Specifically, Microsoft 
has committed to make search query data anonymous after 18 months by 
permanently removing cookies, the entire IP address, and other 
identifiers from search logs, unless the user has provided consent for 
us to retain data for a longer period of time. Unlike other companies, 
our anonymization method involves irreversibly removing the entire IP 
address and other cross-session identifiers, such as cookies and other 
machine identifiers, from search terms. Some companies remove only the 
last few digits of a consumer's IP address, which means that an 
individual search query may still be narrowed down to a small number of 
computers on a network. We think that such partial methods do not fully 
protect consumer privacy, so we have chosen an approach that renders 
search terms truly and irreversibly anonymous.

    E. Use of Personal Information for Online Advertising. Microsoft 
agrees with the FTC that the merger of personally identifiable 
information with other information collected about consumers through 
behavioral advertising for the purposes of ad targeting presents 
further privacy risks. This is because consumers are unlikely to expect 
that a third party may combine such pieces of information and use it to 
deliver ads (whether online or offline). For this reason, Microsoft has 
developed its online ad targeting platform to select appropriate ads 
based only on data that does not personally and directly identify 
individual users, and we take steps to separate the data used for ad 
targeting from any personally identifiable information before using it 
to serve ads--a process we refer to as ``deidentification.'' \5\ 
Specifically, for users who have created Windows Live accounts, rather 
than using the account ID as the basis for our ad systems, we use a 
one-way cryptographic hash to create a new anonymized identifier. We 
then use that identifier, along with the non-identifiable demographic 
data, to serve ads online. Search query data and web surfing behavior 
used for ad targeting is associated with this anonymized identifier 
rather than an account identifier that could be used to personally and 
directly identify a user.
---------------------------------------------------------------------------
    \5\ Microsoft's ``de-identification'' white paper is available at 
http://www.microsoft.com/privacy.

    Question 2. Does your system accommodate for a consumer's choice 
not to receive behavioral advertising, and in your systems, is that 
request honored permanently? If so, please explain how.
    Answer. Yes, Microsoft's system does accommodate for a consumer's 
choice not to receive behavioral advertising. In July 2007, Microsoft 
was the first major online advertising provider to announce it would 
give customers the opportunity to opt out of receiving targeted 
advertising on all of the websites where Microsoft provides 
advertising, including both Microsoft sites and third-party partner 
websites. This opt-out option became available in the Spring of 2008. 
We prominently provide information and links to our opt-out mechanism 
in the top-layer of our privacy statement and in our full privacy 
statement.
    Microsoft's opt-out choice is also unique from any other offered in 
industry today because it is more persistent and applies across 
multiple computers. As background, the industry-standard approach for 
offering an opt-out choice is merely to place an ``opt-out'' cookie on 
their machines. While this process generally works well, it does have 
some inherent limitations. For example, opt-out cookies are computer-
specific--if a consumer switches computers, he or she will need to 
specify any opt-out preferences again. Similarly, if cookies are 
deleted, that user's opt-out choice is no longer in effect. To address 
these limitations, the mechanism Microsoft offers gives consumers the 
option to associate their opt-out choice to their Windows Live ID. This 
means that even if they delete cookies on their machine, when they sign 
back in their opt-out choice will persist. It also means that a single 
choice can apply across multiple computers that they use. This will 
help ensure that consumers' choices are respected without requiring 
undue effort on their part.\6\
---------------------------------------------------------------------------
    \6\ Microsoft's opt-out page is available at https://
choice.live.com/advertisementchoice/
Default.aspx.
---------------------------------------------------------------------------
    Microsoft appreciates the opportunity to provide more information 
about our privacy practices. We look forward to continuing to work with 
you and all stakeholders to ensure consumers' privacy is protected 
online.

                                  
