[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
COMMUNICATIONS NETWORKS AND CONSUMER PRIVACY: RECENT DEVELOPMENTS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
APRIL 23, 2009
__________
Serial No. 111-31
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
72-880 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON ENERGY AND COMMERCE
HENRY A. WAXMAN, California
Chairman
JOHN D. DINGELL, Michigan JOE BARTON, Texas
Chairman Emeritus Ranking Member
EDWARD J. MARKEY, Massachusetts RALPH M. HALL, Texas
RICK BOUCHER, Virginia FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey CLIFF STEARNS, Florida
BART GORDON, Tennessee NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois ED WHITFIELD, Kentucky
ANNA G. ESHOO, California JOHN SHIMKUS, Illinois
BART STUPAK, Michigan JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York ROY BLUNT, Missouri
GENE GREEN, Texas STEVE BUYER, Indiana
DIANA DeGETTE, Colorado GEORGE RADANOVICH, California
Vice Chairman JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania GREG WALDEN, Oregon
JANE HARMAN, California LEE TERRY, Nebraska
TOM ALLEN, Maine MIKE ROGERS, Michigan
JANICE D. SCHAKOWSKY, Illinois SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas TIM MURPHY, Pennsylvania
JAY INSLEE, Washington MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York STEVE SCALISE, Louisiana
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin
Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE BRALEY, Iowa
PETER WELCH, Vermont
Subcommittee on Communications, Technology, and the Internet
RICK BOUCHER, Virginia
Chairman
EDWARD J. MARKEY, Massachusetts FRED UPTON, Michigan
BART GORDON, Tennessee Ranking Member
BOBBY L. RUSH, Illinois J. DENNIS HASTERT, Illinois
ANNA G. ESHOO, California CLIFF STEARNS, Florida
BART STUPAK, Michigan NATHAN DEAL, Georgia
DIANA DeGETTE, Colorado BARBARA CUBIN, Wyoming
MICHAEL F. DOYLE, Pennsylvania JOHN SHIMKUS, Illinois
JAY INSLEE, Washington HEATHER WILSON, New Mexico
ANTHONY D. WEINER, New York CHARLES W. ``CHIP'' PICKERING,
G.K. BUTTERFIELD, North Carolina Mississippi
CHARLIE MELANCON, Louisiana VITO FOSELLA, New York
BARON P. HILL, Indiana GEORGE RADANOVICH, California
DORIS O. MATSUI, California MARY BONO MACK, California
DONNA M. CHRISTENSEN, Virgin GREG WALDEN, Oregon
Islands LEE TERRY, Nebraska
KATHY CASTOR, Florida MIKE FERGUSON, New Jersey
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex
officio)
C O N T E N T S
----------
Page
Hon. Rick Boucher, a Representative in Congress from the
Commonwealth of Virginia, opening statement....................
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement..................................
Hon. Anna G. Eshoo, a Representative in Congress from the State
of California, opening statement...............................
Hon. Mary Bono Mack, a Representative in Congress from the State
of California, opening statement...............................
Hon. George Radanovich, a Representative in Congress from the
State of California, opening statement.........................
Hon. Bart Stupak, a Representative in Congress from the State of
Michigan, opening statement....................................
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, opening statement..........................
Hon. Edward J. Markey, a Representative in Congress from the
Commonwealth of Massachusetts, prepared statement..............
Witnesses
Leslie Harris, President, Chief Executive Officer, Center for
Democracy And Technology.......................................
Prepared statement...........................................
Answers to submitted questions...............................
Kyle McSlarrow, President and CEO, National Cable and
Telecommunications Association.................................
Prepared statement...........................................
Answers to submitted questions...............................
Marc Rotenberg, President and Executive Director, Electronic
Privacy Information Center.....................................
Prepared statement...........................................
Answers to submitted questions...............................
Dorothy Attwood, Senior Vice President, Public Policy and Chief
Privacy Officer, AT&T Services, Inc............................
Prepared statement...........................................
Answers to submitted questions...............................
Ben Scott, Policy Director, Free Press...........................
Prepared statement...........................................
Answers to submitted questions...............................
Brian R. Knapp, Chief Operating Officer, Loopt, Inc..............
Prepared statement...........................................
Answers to submitted questions...............................
Richard Bennett, Publisher, Broadbandpolitics.com................
Prepared statement...........................................
Answers to submitted questions...............................
Submitted Material
Statement of Scott Cleland, Precursor, LLC, submitted by Mr.
Stearns........................................................
COMMUNICATIONS NETWORKS AND CONSUMER PRIVACY: RECENT DEVELOPMENTS
----------
THURSDAY, APRIL 23, 2009
House of Representatives,
Subcommittee on Communications, Technology,
and the Internet,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:05 a.m., in
Room 2322 of the Rayburn House Office Building, Hon. Rick
Boucher (chairman) presiding.
Members present: Representatives Boucher, Rush, Eshoo,
Stupak, DeGette, Weiner, Christensen, Castor, Space, Stearns,
Shimkus, Buyer, Radanovich, Bono Mack, Terry, and Blackburn.
Staff present: Roger Sherman, Chief Counsel; Tim Powderly,
Counsel; Shawn Chang, Counsel; Greg Guice, Counsel; Amy Levine,
Counsel, Sarah Fisher, Special Assistant; Pat Delgado, Chief of
Staff Congressman Waxman; Neil Fried, Counsel; and Sam
Costello, Legislative Clerk.
OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF VIRGINIA
Mr. Boucher. The subcommittee will come to order. Broadband
networks are a primary driver of the national economy and it is
fundamentally in the Nation's interest to encourage their
expanded use. One clear way Congress can promote a greater use
of the Internet for a variety of purposes including access to
information, electronic commerce and entertainment is to assure
Internet users of a higher degree of privacy protection with
regard to data that is collected concerning their Internet
usage. It is my intention for the subcommittee this year to
develop on a bipartisan basis legislation extending to Internet
users that assurance that their online experience is more
secure. We see this measure as a driver of greater levels of
Internet uses such as electronic commerce. Not as a hindrance
to them.
Today's discussion is the first of two presently planned
hearings relating to consumer privacy on electronic networks.
Today we explore network-based privacy matters including the
growing deployment of deep packet inspection technologies and
location-based privacy enabled by specific technologies. There
are additional privacy related matters that we intend to
explore including targeted and behavioral advertising. And we
are now planning to conduct a joint hearing with the full
committee's Subcommittee on Commerce, Trade and Consumer
Protection during the early period of the summer in order to
examine online privacy including behavioral advertising at
which Internet-based companies will be invited to testify
before the subcommittee.
A range of concerns related to online advertising should be
vetted and just as there are concerns about the privacy
implications of the network-based technologies upon which we
are focusing this morning. Those online advertising concerns
will be thoroughly vetted at the joint hearing we will have
with the other subcommittee this summer. But today's focus is
on emerging network technologies that have significant privacy
implications and three of them will be highlighted by witnesses
testifying to us today.
Deep packet inspection enables the opening of the packets
which actually hold the content of Internet transported
communications. Through the use of DPI, the content can be
fully revealed and fully examined. It has generally been
accepted that there are beneficial uses for DPI, such as
enabling better control of networks and the blocking of
Internet viruses and worms.
DPI also enables better compliance by Internet service
providers with warrants authorizing electronic message
intercepts by law enforcement, but its privacy intrusion
potential is nothing short of frightening. The thought that a
network operator could track a users every move on the
Internet, record the details of every search and read every e-
mail or document attached to an e-mail message is alarming. And
while I am certain that no one appearing on the panel today
uses DPI in this manner, our discussion today of the
capabilities of the technology and the extent of its current
deployment, any projection that could be made about its
anticipated schedule and path of deployment and the uses to
which that technology is currently being put will give us as a
subcommittee a better understanding of where to draw the lines
between permissible and impermissible uses, or uses that might
justify opt-in as opposed to opt-out consent from Internet
users.
I look forward to hearing from our witnesses this morning
about how we can best balance the deployment of DPI with
adequate protection for consumers' privacy. For example, should
a network operator's use of DPI always require opt-in consent
or is opt-out sometimes appropriate and if so, under what
circumstances would opt-out be appropriate? What services that
consumers consider essential to the safe and effective
functioning of the Internet are advanced through deep packet
inspection?
Since the death of NebuAd, DPI-based behavioral advertising
service last year, do we now see other companies using DPI in
order to deliver behavioral advertising? What if any safeguards
are in place to ensure that consumers are giving meaningful
consent to the tracking of their activities on the Internet?
These and other questions deserve our consideration this
morning.
I also look forward to learning about other emerging
network-based technologies such as Project Canoe on the cable
platform and Loopt and the wireless-base employing new uses of
cable set top boxes and GPS tracking capabilities on wireless
devices. What benefits do these services offer to consumers and
how should the network operator procure meaningful consent from
users for their use?
We are also interested in hearing a preview of what the
future of network-based technologies may hold. What new
services may they enable and how do we accommodate with regard
to them key privacy concerns? So I look forward to hearing from
our distinguished panel and I want to thank each of our
witnesses for appearing here this morning and sharing their
expertise and views with the subcommittee.
At this time, I am pleased to recognize the Ranking
Republican Member of the subcommittee, the gentleman from
Florida, Mr. Stearns.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Good morning and thank you, Mr. Chairman, and
I appreciate your opening statement and you are offering a
bipartisan tone to it, and your interest in having additional
hearings including with the Commerce, Consumer Protection Trade
which I chaired during Republican majority.
Our goal today should be to broadly examine how companies
are using consumer Internet behavior to tailor online
advertising, both the benefits to the consumers as well as any
potential concerns that have not already been addressed by
industry. Our focus should go beyond only broadband providers
and also look at the entire Internet universe, including search
engines and Internet advertising networks. We cannot have this
discussion without addressing them, as well.
Whatever the appropriate standards are, they should apply
to everyone. We need to be consistent. Consumers don't care if
you are a search engine or a broadband provider. They just want
to ensure that their privacy is protected.
I hope, Mr. Chairman, you will agree to hold more privacy
hearings on this subcommittee and I am glad to hear that you
will so that we hear from the network operators. That is the
only way members can be fully informed about these issues
before marking up any legislation.
As we move forward towards privacy legislation we must
empower consumers to make their own privacy-related decisions.
Only the consumer knows how he or she feels about the
information that is being collected, the parties doing the
collecting and the actual purpose for which the information
will ultimately be used. Congress cannot and should not make
that decision for them. We need to place the control over
consumer information with the consumer himself. This means
companies should be as transparent as possible about what
information they collect and how do they use this information,
that way consumers will be better able to make informed privacy
decisions.
We also need to examine the ways in which the use of
behavioral information for marketing has been shown to have
already harmed consumers. It is imperative that there be some
evidence of harm if we are going to regulate this practice or
we run the risk of prematurely restricting the latest
technological advancement related to online marketing.
Consumers' online activities provide advertisers with
valuable platforms upon which to market their products, their
services. Collecting this type of information for targeted
advertising is very important because it allows many of these
products and services to remain free to consumers. Without this
information, Web sites would either have to cut back on their
free information and services or would have to start charging a
fee to see to consumers. Neither result is good. Over-reaching
privacy regulations, particularly in the absence of consumer
harm, could have a significant negative economic impact at a
time while many businesses in our economy are struggling. So
let us look very closely at these issues before we leap to
legislative proposals.
We also need a consumer-based approach. Consumers are the
best judges. We will not truly address the privacy implications
of tailored Internet advertising unless we shift the discussion
towards consumer-centric approaches and away from the
characteristics of the companies, like the particular
technology they use or their corporate structure itself.
Whatever we do, we must apply the same standards of privacy to
companies collecting this type of information for the same type
of purposes, whether it is a phone company, a cable company or
companies like Google, Yahoo or Microsoft. Consumers don't care
how their privacy has been invaded. What they care about is
what the information is that is collected and how it is being
used.
Now, Mr. Chairman, as you have mentioned, I have had a
record of privacy when I was chairman of the trade and consumer
protection subcommittee. We held the most extensive hearings on
the topic of privacy and following these hearings I offered and
introduced the Consumer Privacy Protection Act, which I hope
will be used as a baseline for new legislation. This bill would
have required data-collectors to provide consumers with
information on the entity collecting the information and the
purposes for which the information was being collected.
Furthermore, in 2005 I held two hearings on identity theft
and security breaches involving personal information. These
hearings led me to introduce the Data Accountability and Trust
Act which would have required any entity that experiences a
breach of security such as a business to notify all those in
the United States whose information was acquired by an
unauthorized person as a result of that breach.
So, Mr. Chairman, I look forward to our hearings.
Protecting consumers' privacy is a very serious issue and one
that needs to be fully examined and I think your leadership on
this is to be commended and I look forward to continuing our
work together.
Mr. Boucher. Well, thank you very much, Mr. Stearns, and
let me simply briefly respond by saying that I appreciate and
agree with your suggestions for the focus of our future hearing
or hearings on this very important set of privacy concerns. And
I want to acknowledge the gentleman's leadership in sponsoring
comprehensive and thoughtful legislation in previous Congresses
relating to privacy. I was pleased at that time to be the lead
Democratic cosponsor of the gentleman's bill. And will be,
well, I couldn't resist noting that, and we will be relying on
the gentleman's experience and expertise on this subject as we
construct bipartisan privacy legislation in this Congress.
The gentlelady from California, Ms. Eshoo, is recognized
for 2 minutes.
OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Eshoo. Thank you, Mr. Chairman, for holding this
hearing on network privacy.
As a member of the House Intelligence Committee, I
understand that the most valuable intelligence is to know how
someone thinks because that enables one to predict what they
might or will do in the future. Network operators want to
monetize this predictability and profit from it. On its face,
this is not an insidious practice. What is concerning is that
the market is largely unregulated.
In the digital age was can aggregate enormous amounts of
data, including what Web sites are viewed, search terms
entered, programs viewed, items bought and sold, web
applications utilized and other forms of data most of us don't
even realize is being collected. With this information, a
powerful profile can be created which can be used to target
specific advertisements that are more relevant to the user.
We are here today to examine once again this growing issue.
How do we regulate personal data collected by web companies and
by network operators? Should we? And today we are obviously
focusing on the network operators.
There is a growing tide of critics in this debate that I
believe fundamentally do not understand the purpose of our
privacy laws. These voices, some of them testifying today,
believe that web-based services and telecommunications carriers
should be subject to the same privacy regulations. I don't
think this is practical or prudent. There is a fundamental
difference between offering up free web-based advertiser
supported applications and services, and a common carrier
offering voice and broadband services. These separate and
distinct services should each be governed fairly. That doesn't
mean within the same regulatory structure. A healthcare
provider and a stock broker shouldn't be regulated, in my view,
under the same structure. Each should have its own. A
consumer's relationship with their phone or broadband provider
is not the same relationship they have with a search engine or
an online vendor.
I am eager to hear from all of our witnesses. I am glad
that you are all here today to hear about your practices and
how you would envision privacy regulations. This is a very
important debate and I hope that the final result will be a
very sound and prudent bill that can be taken to the floor of
the House.
So thank you, Mr. Chairman, for kicking off this series of
hearings.
Mr. Boucher. Thank you very much, Ms. Eshoo.
The gentlelady from California, Ms. Bono Mack, is
recognized for 2 minutes.
OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Bono Mack. Good morning, Chairman Boucher, Ranking
Member Stearns and distinguished panel. Thank you for holding a
hearing on the important issue of consumer privacy and
broadband networks.
When a consumer makes a telephone call, purchases a good
online, visits a Web site or watches a TV program on his couch,
there is a built-in expectation of privacy associated with each
activity. It is understood that our personal privacy is
something of value. We have laws which protect privacy and the
assurance of privacy is a marketable quality.
It is also important to note that cost of certain
commercial activity on broadband networks is deflected away
from the consumer because of advertising. As many of you know,
I have a long history of working to protect consumers in the
online space. In past Congresses I authored anti-spyware
legislation and this is the second consecutive Congress I have
introduced the Informed P2P User Act, therefore my legislative
history speaks for itself. Additionally, I also have a history
of fighting to prevent piracy online so I am willing to listen
to efforts that reduce the impact piracy has on our national
economy, as well.
As we begin the process of balancing consumer privacy and
commercial activities online, I would like to listen to all
sides of the debate and all parties involved in the online
space. This includes consumers, law enforcement, ISPs, tech
companies, search engines, advertisers, as well as content
creators. It is my belief that both the privacy expectations
and commercial activity need to be measured before we act. The
committee would be wise to begin with the American consumers'
privacy expectations in mind. I do not look at this issue as a
partisan matter and I don't think we should be out to get one
particular company or favor one particular industry. With that
said, I do admit that sometimes a one size fits all approach is
not possible in achieving certain goals. As such, I will be
paying close attention to the debate and I look forward to
working on this important issue.
Thank you, Mr. Chairman. I yield back.
Mr. Boucher. Thank you very much, Ms. Bono Mack.
The gentlelady from Colorado, Ms. DeGette, is recognized
for 2 minutes.
Ms. DeGette. Thank you very much, Mr. Chairman. I want to
thank you for having this important hearing today.
As technology changes and as consumer habits change, so do
the privacy concerns that we are faced with and so I am looking
forward to hearing from all of the witnesses today as we
continue in our evolving discussion of privacy.
And with that, I will yield back.
Mr. Boucher. Thank you very much, Ms. DeGette. We will add
2 minutes to your time to question the panel of witnesses based
upon that waiver.
The gentleman from California, Mr. Radanovich, is
recognized for 2 minutes.
OPENING STATEMENT OF HON. GEORGE RADANOVICH, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF CALIFORNIA
Mr. Radanovich. Thank you, Chairman Boucher. I want to
thank you and Mr. Stearns for holding this consumer privacy
meeting and I do want to thank you, Mr. Chairman, I am pleased
to hear that we will have a joint hearing on online
advertising. It will be important for us to hear from the full
technology landscape that utilizes private user information
before we can move forward with any comprehensive effort to
address this issue. I look forward to working with you on that
hearing, as well.
One of the primary issues that has developed with
communications and the Internet is the collection of consumer
data. As technology advances and becomes more complex,
consumers are rightfully concerned about their personal
information. What we should focus on when it comes to consumer
data is the consumers and what they care about and I believe
that we should invoke looking at what data is collected, why it
is collected and what is done with it. This information will
help us all work together with the industry to achieve our goal
of meeting the consumer needs by preventing the misuse of their
information.
What I think that we should be looking at for most is the
most effective way to protect our constituents' information in
a manner that recognizes there are beneficial users for many of
these new technologies and continues to allow for innovation
that can make the communications experience more enjoyable,
more productive and safer for us all.
I want to thank all of our witnesses for being here today
and to discuss a wide variety of networks and their
relationship to privacy. Your experience will certainly help us
as we continue and I look forward to a productive hearing.
Thank you, Mr. Chairman.
Mr. Boucher. Thank you, Mr. Radanovich.
The gentleman from Michigan, Mr. Stupak, is recognized for
2 minutes.
OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Stupak. Thank you, Mr. Chairman, and thank you for
holding this hearing.
It is time we modernized our telecommunications policies in
regard to privacy. An individual's right to privacy has been
under increasing assault as more Americans are using the
Internet for more and more of their daily activities. Consumers
do not have a clear picture of what occurs with their
information without their consent and what needs to be done.
Last year this subcommittee held a hearing on a new type of
data gathering for the purpose of behavioral advertising. This
new method uses network technology known as deep pack
inspection to read 100 percent of a web user's activities to
create a profile for purposes of reselling it to advertisers.
Companies that wish to utilize this technology have claimed
that personally identifiable information is protected but I
have my doubts and concerns.
As it stands right now, The Communication Act gives no
clear definition of when affirmative consent or opt-in is
required in the handling of a consumer's personal identifiable
information. Without clear direction from Congress on this
matter, technology will continue to outpace our privacy laws
and consumer personal information will continue to go
unprotected. Any method of collecting personally identifiable
information from an Internet user's online activity for the
purpose of reselling that information must require an opt-in
from that user. In addition, that user should also be provided
with the information on how and what is happening with their
data, how it is collected and who is receiving it.
I look forward to hearing from our witnesses today on how
we can modernize our privacy laws to protect, inform and
empower consumers.
Thank you, Mr. Chairman, again for holding this hearing. I
look forward to working with you and our colleagues to move
legislation on this subject.
Mr. Boucher. Thank you very much, Mr. Stupak.
The gentlelady from Tennessee, Ms. Blackburn, is recognized
for 2 minutes.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Ms. Blackburn. Thank you, Mr. Chairman. I want to thank you
for holding the hearing today. And I want to welcome all of our
witnesses and thank you for being here with us today.
Consumer privacy as you have heard from everyone who has
spoken is a key element in the unspoken contract between the
end user and the ISP and the merchants who make their living
providing goods and services online. When any link in that
chain of trust is broken, consumers at every level are going to
suffer. It is therefore critical for Congress and our partners
in the administration, the private sector and the consumer
advocacy community to remain vigilant in securing consumer
privacy online.
It is also critical on the other hand that Congress ensure
vibrancy in the marketplace. And I think that is where many of
us are going to have questions and want to explore a little bit
more deeply with you to make certain that we have a good
understanding of the deep packet inspection technologies and
that we move forward in the appropriate way.
Mr. Chairman, I am pleased to know that we are going to do
another hearing on the Google issues that are in front of us
and I look forward to working with you on that hearing. And I
hope that we can all send a message that piracy does not pay.
That privacy and respect for intellectual property is an
imperative and I look forward to the hearing.
I yield back.
Mr. Boucher. Thank you very much, Ms. Blackburn.
The gentlelady from Florida, Ms. Castor, is recognized for
2 minutes.
Ms. Castor. Thank you, Mr. Chairman, for this timely
hearing on the evolution of our communications networks and
consumer privacy. Welcome to our panel. I look forward to your
expert advice in learning a great deal more about this issue
and I will yield back the remaining portion of my time.
Mr. Boucher. Thank you very much, Ms. Castor. We will add 2
minutes to your questioning time for the first panel.
The gentleman from Nebraska, Mr. Terry, is recognized for 2
minutes.
Mr. Terry. Thank you, Mr. Chairman. I would waive and
appreciate 2 minutes.
Mr. Boucher. You shall have the same.
[The prepared statement of Mr. Markey
follows:]*************** INSERT 8 ***************
Mr. Boucher. All members having now been recognized for
opening statements, we turn to our panel of witnesses and
express appreciation to each of you for your testimony here
this morning. Ms. Leslie Harris is the president and chief
executive officer of the Center for Democracy and Technology.
Mr. Kyle McSlarrow is president and chief executive officer of
the National Cable and Telecommunications Association. Mr. Marc
Rotenberg is the executive director of the Electronic Privacy
Information Center. Ms. Dorothy Attwood is chief privacy
officer for AT&T Services. Mr. Ben Scott is policy director for
Free Press. Mr. Brian Knapp is chief operating officer of
Loopt. And Mr. Richard Bennett is a network engineer and a
blogger and we welcome each of you. Without objection, your
prepared written statements will be made part of the record. We
would ask for your oral summary kept to approximately 5 minutes
so that we will have ample time for questions.
And, Ms. Harris, we are pleased to begin with you and you
need to turn your mike on. It is amazing how many people in the
technology subcommittee don't have their mike on when they
start to testify.
STATEMENTS OF LESLIE HARRIS, PRESIDENT, CHIEF EXECUTIVE
OFFICER, CENTER FOR DEMOCRACY AND TECHNOLOGY; KYLE MCSLARROW,
PRESIDENT AND CEO, NATIONAL CABLE AND TELECOMMUNICATIONS
ASSOCIATION; MARC ROTENBERG, PRESIDENT AND EXECUTIVE DIRECTOR,
ELECTRONIC PRIVACY INFORMATION CENTER; DOROTHY ATTWOOD, SENIOR
VICE PRESIDENT, PUBLIC POLICY AND CHIEF PRIVACY OFFICER, AT&T
SERVICES, INC.; BEN SCOTT, POLICY DIRECTOR, FREE PRESS; BRIAN
R. KNAPP, CHIEF OPERATING OFFICER, LOOPT, INC.; AND RICHARD
BENNETT, PUBLISHER, BROADBANDPOLITICS.COM
STATEMENT OF LESLIE HARRIS
Ms. Harris. Mr. Chairman, Mr. Stearns, members of the
subcommittee, I appreciate the opportunity to testify on this
important question of the privacy implications of DPI.
In CDT's view, DPI poses very serious challenges both to
the privacy and to the openness of the Internet. The success of
the Internet can be traced to its defining end-to-end principle
which is a simple idea that applications are better left to be
implemented at the edges of a network and leave the core
unfettered by gatekeepers.
The end-to-end principle, as you know, is supported by a
policy framework that generally protects Internet service
providers for liability for the content that they are either
posting or flowing over their networks. And together these two
policy choices have really preserved the Internet as a trusted,
open platform.
Today massive growth in data processing power has spurred
the development of DPI and potentially allowing Internet
service providers and other intermediaries and partners to
analyze all of the Internet traffic of millions of users
simultaneously. This raises profound questions about the future
of privacy, openness and innovation online. Though deployment
is still somewhat limited, applications range from management
of congestion on the networks and network threats, content
blocking, behavioral advertising and government surveillance.
It is my understanding that right now network operators are
only using the technology for security-related purposes
although, of course, last summer we did have a failed attempt
to use it for behavioral advertising. Of course, some of these
applications may have other troubling legal policy concerns but
it is important to stress that all applications of DPI raise
serious privacy concerns because all applications of DPI begin
with the interception and analysis of traffic.
In our view, deep packet inspection is really no different
than postal employees opening envelopes, reading letters
inside. DPI networks intercept and examine the entire payload
of a packet, the actual data that the packet carries in
addition to a packet header unless the content is encrypted.
So even if ISP's or advertising networks intend to only use
a small portion of what is captured by DPI and dispose of the
rest, it doesn't diminish the breadth and intrusiveness of that
initial data capture. And DPI is being deployed within a
technological environment where consumers are sending more and
more information through the networks. Providers of all kinds
are acquiring and collecting and holding more data and sharing
it and it is being retained for longer periods of time and all
of this without an adequate legal framework.
Consumers simply do not expect to be snooped on by their
ISPs or other intermediaries in the middle of the network. And
so therefore DPI really defies the legitimate expectations of
privacy that consumers have and it is also at odds with fair
information practices, concepts like transparency, concepts
like limited collection of data. The sectoral privacy laws that
we have, have been far outpaced by technological innovation and
as many of you have said, we have no baseline consumer privacy
law.
Finally, as DPI matures and becomes more widely deployed,
our concern is that any notion of limited use is going to give
way to mission creep as new applications are deployed. And that
mission creep, frankly, is not just a concern that the
providers will find new ways but that government and
policymakers will increasingly have mandates to networks to use
DPI for various purposes. And, of course, we worry as well
about the sort of unlimited appetite for surveillance that our
government appears to have and the fact that DPI really is a
game changer there as well.
For all these reasons, we applaud the fact you are taking a
comprehensive look at DPI. We obviously think that, you know,
the most important thing that can happen this year is an acting
baseline, technology neutral consumer privacy legislation based
on fair information practices. We are very pleased to hear the
announcement, Mr. Chairman, and the support from the committee.
I will just say that we also hope the subcommittee might move
ahead with carefully crafted Internet neutrality legislation
because we think it might put some balance on the more
worrisome uses of DPI. And finally, it is outside of your
jurisdiction, I think, but Congress has to examine and
strengthen the communications privacy laws, ECPA, et cetera, at
the same time which has to do with government access because
all of these have been outstripped by technology and really
change the nature of what privacy protections really exist at
this point for consumers.
So thank you so much.
[The prepared statement of Ms. Harris
follows:]*************** INSERT 1 ***************
Mr. Boucher. Thank you very much, Ms. Harris.
Mr. McSlarrow.
STATEMENT OF KYLE MCSLARROW
Mr. McSlarrow. Mr. Chairman, Mr. Stearns, distinguished
members of the subcommittee, thank you for giving me an
opportunity to testify today.
I think the starting place for the cable industry is to
recognize that Congress passed probably what was at that time
the first broad based opt-in statute, a very forward-leaning,
pro-consumer, privacy protection regime that we have lived
under for over 25 years for cable services. And today with
digital voice services, we now live under the similar privacy
protections offered under Section 222 of The Communications
Act. And during that time I think our track record has been
excellent both in terms of safeguarding consumer privacy and
abiding by rules that I think people have discovered prove that
good privacy protection in also good business so we believe
that.
As I think everybody has acknowledged, the question on the
table isn't so much what people are doing today. It is about
the emerging models and emerging ideas in creativity and what
they mean for privacy, and we think it is completely
appropriate to examine all of that.
In the short time I have available, I do want to take a
deeper dive into deep packet inspection because I think it is
actually emblematic of this entire conversation. It is true
that today, at least for my members, none of the cable ISPs are
actually using any of this information for behavioral targeting
purposes. But obviously, there are many industries including
ours who are interested in trying to figure out a way to
provide more relevant and useful advertising for the consumer.
It is likely to support the entire Internet ecosystem. It is
likely to spur more growth in creative ideas and content and
services, but we recognize that it has to be done in a way that
is respectful of the consumer's privacy.
Deep packet inspection is actually not something that is
new. One of the frustrations I think we have is that people act
like something just happened yesterday, something new and
different and scary. Deep packet inspection or packet
inspection generally is something the operators, all providers
have used or tools like that for many years and for very good
reasons. I think the test is consumer expectations and I think
broadly speaking, when a consumer sits down at a computer it is
always on if they are a broadband customer. They go anywhere
they want. They access any application they want. No one stops
them. It all works. The speeds are doubling. The price per
megabyte is dropping. Deployment is continuing but on the other
side of that computer, there is a war going on. You have got
network operators who are fighting malware and viruses and
spam. You have got botnet armies and things that I don't even
know about that are taking place in very complicated regime.
The consumer doesn't know anything about that. They don't want
to know anything about that. They don't necessarily need to
know how you are dealing with it. They just want you to deal
with it and we do.
Now, I think reading everybody's testimony, I think
everybody concedes that the use of deep packet inspection has
today beneficent and pro-consumer purposes so I am not going to
dwell on that. But I will say there it is hard to do analogies
because probably no one in this room or very few are really
technical experts here. But I do think we have to be very
careful. We require some precision here when we are talking
about deep packet inspection.
I have heard and I think Leslie just said as an example,
this is like the post office opening up your letter, going
beyond looking at the address and looking at the contents of
the letter. And I myself am guilty sometimes just saying a
packet of information on the Internet has a header and a
payload. But the truth is if you are looking at the layers of a
packet, each layer has a header and payload. Each, you know,
one layer, layer four is going to be something, you know, that
has source and destination for IP addresses, all the way down
to layer seven where you could have a web browser, URL address,
source and destination. And when you hear envelope and content
you think there is just one step before you get to the content
but the truth is, it is really more like envelopes within
envelopes, each one of which has addresses and at some point
you do have content.
So far as I can tell, I haven't done my own due diligence,
the only time we are actually scanning and what I mean by scan,
I mean a machine doing something in a billionth of a second,
content is what we are trying to deter spam. All of the other
activities related to deep packet inspections so far as I am
aware, are looking at headers. That is the addresses that most
people say they are actually oK with.
So my point here is just a caution. Any technology can be
used for good purposes and for bad. We recognize that no one
would want us looking at the communications in an e-mail. We
don't particularly want to do that. In fact, the only tracking
I actually want to do is to track down the engineer who
actually came up with the term deep packet inspection and shoot
him.
Last point and I realize I am rowing against the tide here
and you do have my commitment, Mr. Chairman, that as you
consider legislation to work constructively with you but I do
want to make a final plea to consider allowing self-regulation
to work and I would really say it for two reasons. Number one,
this entire arena is moving so fast. There are new models being
created. I know that is what gives rise to the concerns but I
also think it is a caution. It is very hard to freeze one point
in time with what is actually a fairly immature marketplace
when you think about it how young the Internet system is and
how young really the broadband market is. And I think we should
allow industry and all stake-holders to try to work together
using the oversight of this committee and the bully pulpit,
force us to come up with self-regulatory principles that
respect consumers' privacies knowing that at least in my
industry's case, we have a backstop of legislation that gives a
lot of the rules of the road. And the second is to recognize
that behavioral advertising can potentially be the most pro-
consumer thing we do to enrich the Internet to allow new
services that haven't even been created yet to survive and
thrive by making it easy for those services new web
applications to monetize their services without having to go
out and get the capital necessary to launch a new service.
Thank you, Mr. Chairman.
[The prepared statement of Mr. McSlarrow
follows:]*************** INSERT 2 ***************
Mr. Boucher. Thank you, Mr. McSlarrow.
Mr. Rotenberg.
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Thank you, Mr. Chairman and members of the
committee. I appreciate the opportunity to be here today.
EPIC has a broad interest in matters of consumer privacy
and network security. We have worked on technical issues at
ICANN and IETF on the evolving standards for Internet security.
We have been at the FCC on rule-making for consumer privacy and
we have even defended the commission's authority to enforce
consumer protections on the network. So we have a broad
understanding I think of the issues and the opportunities to
safeguard consumers in this emerging online environment and I
agree very strongly with the members of the committee who say
that this is a vital issue for consumers today. According to
the Federal Trade Commission, identity theft is the number one
concern of American consumers. We have serious problems also
with security breaches and so the need to find a policy here
that makes it possible to take advantage of new technology to
grow new business opportunities and at the same time to
safeguard consumers is absolutely critical.
Now, let me say a few words about the DPI issue and I
should add I have also been teaching privacy law for many years
over at Georgetown. One of the things that has occurred to me
is that many of these issues that may seem new today, in fact
have been with us for a very long time. So I want to say a few
words now about The Communications Act of 1934. The
Communications Act of 1934 set out the first regulatory
framework for communication service providers in the United
States and it tried to answer a simple question, in part. Under
what circumstances should communication service providers get
content to the information that they are conveying on behalf of
their customers. And the answer, generally speaking, was to
ensure the provision of the service to make sure that it worked
and to protect security and to comply with a legal requirement
provided by the government such as a warrant. And there really
were no other exceptions which is to say you could listen in on
the telephone to make sure your line was working, and you could
deal with load leveling issues, and you could enforce a wiretap
if you were told to do so but you weren't supposed to access
the communications traffic for your own commercial benefit.
And I think that commonsense understanding of the
obligations of communication service providers answers most of
the questions that have been asked about deep packet inspection
today. I do not think that companies that are in the business
of providing network services to customers should get access to
the content of the communications for a commercial benefit.
There may be other good reasons, spam, viruses, legal
obligations which I think we would all accept are appropriate
exceptions but broadly speaking I don't think there should be
access.
Now, here is where it gets interesting. The companies that
have come along in the last couple of years such as NebuAd and
Phorm have said we have a way to get access to the traffic that
doesn't require us to know who the individual users are. We are
going to do this type of targeting without collecting
personally identifiable information which from a privacy
perspective is actually very attractive because our big
concern, of course, is that if companies know who these users
are they build very detailed profiles and people just won't
know how much information about them is being collected. And so
NebuAd and Phorm, both companies that have been highly
criticized for their technique are at the same time developing
some of the most innovative methods for advertising because
they are genuinely concerned about privacy.
Now, this actually creates for you a very interesting
dilemma. I don't think it solves the intercept problem because
the truth is they are still going to the network without
affirmative consent and they are still getting access and I
think they are still violating The Wiretap Act as many of the
members of this committee concluded last year and as European
Commission Vivian Redding said early this month when she
brought and action against the Government of Great Britain for
allowing the service to go forward. So the intercept problem is
still there but the question is let us say people agreed. Let
us say people said well if you can do this advertising well and
you are not profiling me maybe I am oK with that and I think
you still have a policy challenge. I think you have to ensure
that these new services really do protect the anonymity of the
users, really ensure that it doesn't become possible later to
figure out who these folks are or don't simply decide to change
the business model.
Now, why should you be concerned about that and why do you
ultimately need to legislate because that is actually what
happened 10 years ago with online advertising. When a company
called DoubleClick said we can make anonymous advertising work
on the Internet, many of us supported that. Many companies
partnered with DoubleClick and then DoubleClick said well now
that we got all of these people in our advertising base, maybe
we should start identifying them. And that actually began the
first wave of hearings on the issue of Internet privacy when
people were being targeted because of who they were without
adequate privacy protection. And I think that will be a
critical question in this specific context for this committee
to address.
Mr. Chairman, if I would make one final point and I very
much appreciate the fact that you have held this hearing and
plan to hold another hearing, I do think from the user
perspective we can't limit the discussion to concerns about
DPI. There are a lot of other activities that implicate online
privacy, web-based e-mail for example. I mean I am surprised
that companies are able to get access to the content of e-mail
and provide advertising on that basis. From the user's
perspective that is the functional equivalent of the carrier
getting access to the message and providing some, you know,
commercial benefit. It is a difficult question that hasn't been
addressed yet but I hope the committee will get to that one, as
well.
Thank you very much.
[The prepared statement of Mr. Rotenberg
follows:]*************** INSERT 3 ***************
Mr. Boucher. Thank you, Mr. Rotenberg.
Ms. Attwood.
STATEMENT OF DOROTHY ATTWOOD
Ms. Attwood. Thank you, Chairman Boucher and Ranking Member
Stearns for providing AT&T the opportunity to discuss consumer
privacy in the online world.
As the leading communications company in America, AT&T has
a profound interest as a major advertiser, as a Web site
publisher, as an Internet service provider and as a provider of
communications generally, in seeing the Internet grow through
an advertising-supported model. After all, online advertising
fuels investment and innovation across a wide range of Internet
activities and next generation forums of online advertising
could prove quite valuable to consumers and could dramatically
improve their online experiences.
At the same time, we balance our interest in the evolution
of online advertising with the unique investment we have in
concentration on our customer relationships. These
relationships are our most treasured asset and we are doggedly
focused on enhancing them and ensuring that our customer
expectations are met. For this reason, AT&T has articulated and
publicly supports a pro-consumer framework that both promotes
the privacy interests of our customers as well as fostering
advancements that lead to more useful and relevant online
advertising. We have endorsed the simple principle that we need
to engage consumers and offer them transparency and control
over their Internet experience.
The new forms of online advertising that is the subject of
today's hearing which we generally refer to as behavioral
advertising, can take many forms. They can in theory involve
the use by an ISP of technologies such as deep packet
inspection to capture and analyze a user's Internet browsing
activities and experience across unrelated Web sites. They also
involve search engines and advertising networks implementing
evermore sophisticated technologies to track consumer web
surfing and search activity over time, to develop profiles of
consumer activity and combine data from offline and online
sources. They are not inherently problematic but pitfalls can
arise because behavioral advertising in its current forms is
largely invisible to customers.
We have actually conducted focus groups and we have asked
our customers their views on behavioral advertising and the
results have been illuminating. Customers clearly appear to
understand and willingly accept that information will be
collected in commercial relationships and will be used to offer
goods and services that are of value to them. But these same
consumers do not well understand and fully embrace the concept
that their online activity associated across unrelated Web
sites or their overall web browsing activity can be and is used
today to create detailed profiles of them. They can see the
benefits of more targeted and relevant advertising but they
want control over their personal information and they want that
control to be individualized.
These new online advertising paradigms must therefore be
designed to account for a new set of still evolving customer
expectations about how personal information will be used and
how personal privacy will be safeguarded. As an industry then,
we must deploy next generation advertising techniques in tandem
with next generation privacy innovations and any solution must
be achieved by all elements of the Internet ecosystem.
For its part, AT&T is listening to its customers and we are
confronting the opportunities and challenges presented by
behavioral advertising by not thoughtlessly lurching into this
realm. We will initiate such a program only after testing and
validating the various technologies and only after establishing
clear and consistent methods and procedures to engage
customers, to ensure the protection of and ultimately their
control over their information. If AT&T deploys these
technologies and processes, we will do it the right way. So
indeed, AT&T has already adopted flexible privacy principles
that will guide any effort to engage in behavioral advertising,
the pillars of which are transparency, customer control,
privacy protection and customer value. These principles can be
the foundation of an ethic of consumer engagement for all
players in the online behavioral advertising sphere and it both
ensures that customers have ultimate control over the use of
their personal information and guards against privacy abuse.
I want to thank you very much and look forward to your
questions.
[The prepared statement of Ms. Attwood
follows:]*************** INSERT 4 ***************
Mr. Boucher. Thank you very much, Ms. Attwood.
Mr. Scott.
STATEMENT OF BEN SCOTT
Mr. Scott. Thank you, Chairman Boucher and Ranking Member
Stearns and members of the subcommittee.
I am the policy director for Free Press. We are the largest
public interest organization in the country that works on media
policy issues. I would like to focus my testimony this morning
on deep packet inspection or DPI. I have submitted a white
paper on the subject for the record which I will try to
summarize here.
You have already heard about the uses for DPI for the
collection of personal information about Internet users for
advertising purposes. I would like to focus on other issues of
DPI technology because really any time a network monitors
Internet traffic as Mr. Rotenberg pointed out, we have a
potential privacy problem. That harm is compounded by DPI tools
that violate network neutrality with any competitive practices.
Let me offer a little context. It is 3 years ago we had a
robust debate in the Congress over the necessity of net
neutrality and privacy rules to protect the consumers, and that
debate largely turned on whether or not the harms were
hypothetical, and indeed the technology did not exist in 2006
that would have permitted wide-scale violations. Today these
technologies do exist. They are deep packet inspection devices
and they are now widely deployed. Worse still, from my
perspective, an entire industry of manufacturers has emerged
that markets DPI explicitly to monitor and control consumer
behavior online. All a network operator has to do is flip the
switch.
DPI will have a broad impact on the Internet. Without this
technology, everything you do online is sent through the
network basically anonymously, e-mail, sports scores, family
photos. The network doesn't know or care what you are doing.
Online anonymity in this sense also has the virtue of
nondiscrimination. But with DPI, it is a whole new ballgame.
This technology can track every online click. Once a network
owner can see what you are doing, they have the power to
manipulate your experience. They can sell you ads. They can
block content. They can speed things up. They can slow things
down. Perhaps there is no better way to describe what DPI can
do then to quote directly from the manufacturers' marketing
materials. Their selling points are exactly the uses that
trouble me most.
Let me offer a few examples. Zeugma Systems describes its
technology as a way for network owners to ``see, manage and
monetize individual flows to individual subscribers.'' A
company called Allot promises that their equipment empowers
ISPs ``to meter and control individual use of applications and
services'' including to help network owners ``reduce the
performance of applications with negative influence on revenues
(e.g. competitive VoIP services).'' Now, that sounds like
blatantly anti-competitive behavior to me. Procera Networks
went so far as to publish a brochure that was titled ``If You
Can See It, You Can Monetize It.'' That is chilling stuff and
there are more than a dozen of these companies. I could go on
and on. They sell products marketed to help ISPs make more
money by spying on consumers and controlling how they use the
Internet.
Let me be clear, the technology itself is not necessarily
problematic. However, in the past year deep packet inspection
has evolved from basically innocuous to potentially insidious.
DPI was created as a network security tool but has become a
mechanism of precise surveillance and content control. We have
already begun to see incidents of bad behavior.
This subcommittee has had hearings on Comcast and NebuAd
which both used DPI in secret, questionable ways. Today, Cox
Communications is using DPI to speed up some applications and
slow down others. These types of practices may have short term
traffic management benefits but the tradeoff is the
unprecedented step of putting a network owner in control of
consumers' online choices. After this first step, it is a
slippery slope. We could soon see every major ISP in the
country adopt a different traffic control regime. Without
oversight, this could vulcanize the Internet so that
applications that work on a network in Virginia may not work on
a network in Kansas or Florida.
The critical question is how to best protect consumers from
these kinds of harms. Let me offer an analogy. Think of DPI
technologies as similar to complex financial instruments like,
I don't know, credit default swaps. Properly regulated they can
be used as a constructive part of our banking system. But
without oversight, they can run amuck and severely harm
consumers.
What we need are bright line rules of consumer protections.
The negative implications for privacy network neutrality are
already clear but the new uses of DPI may also reduce
incentives for infrastructure investment. Installing DPI offers
a tempting alternative to building a robust network. At a
fraction of the cost, a DPI can discourage users from high-
bandwidth applications or charge higher fees for priority
access.
Before these technologies become firmly entrenched, we
encourage Congress to open a broad inquiry to determine what is
in the best interest of consumers. Once DPI devices are
activated across the Internet, it will be very difficult to
reverse course.
I thank you for your time and I do look forward to your
questions.
[The prepared statement of Mr. Scott
follows:]*************** INSERT 5 ***************
Mr. Boucher. Thank you, Mr. Scott.
Mr. Knapp.
STATEMENT OF BRIAN R. KNAPP
Mr. Knapp. Good morning, Chairman Boucher, nice to see you
again, Ranking Member Stearns and members of the subcommittee.
My name is Brian Knapp, Chief Operating Officer. I have
responsibility at Loopt for day-to-day business operations as
well as privacy policy, data security matters and legal
affairs.
Since you may not be familiar with my company, Loopt,
please allow me to tell you a little bit about our company. We
are a location-based service that can change the way friends
and family connect, share and explore in the mobile
environment. Loopt facilitates real world interactions by
helping users connect on the go and navigate their social and
family lives. Loopt users can see their friends and family
where they are located and what is going on around them via
detailed interactive maps on their mobile phones. And users can
also share location information and updates with their networks
of friends on a variety of popular social networks and
communities. Over one million users have already registered for
Loopt and by all accounts, consumers are very excited about
emerging mobile services and location services like Loopt.
Loopt itself got started back in 2005 when Sam Altman, a
sophomore computer science major at Stanford University had an
epiphany as he walked out of class, realizing that it would be
great if he could open his mobile phone and see a map of where
all his friends were. Since 2005, Loopt has grown. We are
located in Mountain View, proud to be in Congresswoman Eshoo's
district. We have grown to over 40 employees and our service is
launched across multiple wireless carriers and mobile devices.
Today we are available on AT&T Mobility, Sprint Nextel,
Boost Mobile, MetroPCS, T-Mobile and Verizon Wireless networks
as well as popular devices such as the Apple iPhone, Blackberry
and Google's Android G1. Depending on the service provider and
the device, the cost of Loopt ranges from free and advertising-
supported to $3.99 per month.
From its inception, Loopt's founders and investors made a
commitment to the development of strong privacy practices and
policies. I began working with the company in late-2005 and was
hired full-time by the company as chief privacy officer and
general counsel two years ago, and they asked me specifically
to focus on these areas as we developed our service and grew
the company. At that time, we only had 13 other employees and
we were alive on one network operator at the time. However,
even in our early days we knew that investing in an effective
privacy program was necessary for our users and an important
foundation for our future business growth and success.
Our privacy approach is based on the key principles of
user-control, education and notice and our regime specifically
includes informed consent. Our service is 100 percent
permission-based so users are choosing to download and access
Loopt. We receive this informed consent from every user. They
must proceed through a multi-step registration process which
has key information about how the service works and how they
should use it responsibly. And there are several ways to access
our key user agreements and privacy policies. At the end of my
testimony there is actually a flow of this process that you can
see.
We have reminders and notifications even after users have
registered to again have them keep in mind how to use the
service responsibly and access the privacy settings. Speaking
of privacy settings, we have several controls so they can
manage where, when and with whom their location is shared and
displayed.
Also, any friend connections or family connections made on
Loopt are also chosen by the user so there is no automatic
sharing of location information. You have to decide who you are
going to share that information with and then you can still
control it after the fact.
We also have age limits on our service so our minimum age
is 14 years and we have implemented an age-neutral screening
mechanism in compliance that works in accordance with the FTC's
guidance with regard to COPPA best practices. We have report
abuse links throughout the service so the community can give us
feedback if other users seem to be behaving badly. Our privacy
notice and user education are key aspects of our regime. Our
privacy notice is readily available and viewable within the
mobile application itself and on our Web site and may actually
be received by e-mail or postal delivery for our users. Our Web
site contains detailed information about our privacy features
as well as frequently asked questions and there are several
links on the homepage of that site to access this information.
I want to emphasize that we have developed these policies
by listening to our customers and working closely with leading
mobile social networking and online privacy and security
organizations, including the Center for Democracy and
Technology, the Electronic Frontier Foundation, the Family
Online Safety Institute and Progress and Freedom Foundation,
among others.
We also participated in an Internet safety technical task
force and finally, we also participated in the development of
CTIA's Guidelines and Best Practices for Location-Based
Services. And our accomplishments to date in terms of privacy
and security innovation would not have been possible without
the great feedback, insights and know-how of these
organizations and folks on the hill.
We believe that the result of all this collaboration is a
consistent, sound set of privacy policies that apply to all of
our users, regardless of where they live or use the service. We
know that Loopt's customers value their privacy and especially
the easy access to tools and information to control their
privacy settings as needed so we have created a privacy policy
and regime that is both straightforward, effective and easy to
understand. We do note that this is an evolutionary process.
We look forward to participating in these hearing and
learning from other companies and the hill. And we will
continue to strive for excellence in privacy innovation and
aspire as a company to achieve effective privacy by design.
Thank you for the opportunity to share our story and I look
forward to any questions you may have.
[The prepared statement of Mr. Knapp
follows:]*************** INSERT 6 ***************
Mr. Boucher. Thank you, Mr. Knapp.
Mr. Bennett.
STATEMENT OF RICHARD BENNETT
Mr. Bennett. Good morning, Mr. Chairman, Mr. Stearns and
members.
Thanks very much for inviting me. This is the first
Congressional meeting I have actually attended in person since
Senate Watergate. So maybe I should tell you what I know and
when I came to know it.
I am actually--some said there are no technical experts
here. I am kind of offended by that because I am supposed to be
one. I have been developing network systems for some 30 years
in the Ethernet and Wi-Fi systems that use today include some
innovations that I personally invented and put there. And so
when I look at these technologies the sort of collection of
technologies that are coming under the umbrella of deep packet
inspection, I think I have a slightly different perspective on
it then most people do because what I see them as is an
evolution of the tools that we have used to develop network
technologies over the years.
It has been essential in the development of every network
protocol and in every network access device to have
intelligence about the behavior of the systems that are
communicating and the forwarding behavior of the intermediate
nodes and the network that move the packets along. Without the
ability to have that information we would not have been able to
develop the systems that we all use today on the Internet and
on the related private networks that feed the Internet.
We never called this deep packet inspection. We simply
called it packet monitoring and that process which was largely
a matter of running a system that had filters that could
capture packets from a live network and store them for the
immediate examination and analysis by a network engineer, has
been automated into a system that takes that information that
has always been accessible to network engineers. There is not
any--I mean I take issue with Mr. Scott that there has been
some new leap forward in this technology in the last year. I
mean there really hasn't. It is a smooth evolution from the
systems that we have always used for manual analysis into
archiving and data-mining, and these are the features that have
actually changed in the use of this technology over the years.
The raw information has always been there and the raw
information is there because digital networks typically don't
carry encrypted traffic. And the reason for that is a lot of
the information that you might think of as payload is actually
header from another point of view as Mr. McSlarrow indicated.
When we examine a network packet there is in fact a series of
headers that you get that you have to go through before you get
to final payload. And there is no actual location in that
packet where you can draw a bright line and say everything to
the right of this is payload, everything to the rest is header
because applications invent protocols on top of protocols, on
top of protocols and it is a more or less never-ending process
because that is how new services are born on the web.
So I am not worried about the use of deep packet inspection
if I can use that term for network management purposes. For
network management purposes it is vitally important for network
operators to be able to apply network engineering principles,
not for the purpose of making competing services perform less
well but to make them perform more well.
In one of the reasons that Comcast implemented the system
that they got in so much trouble for a couple of years ago was
because they had customer complaints that Vonage was not
working well on their network. And they analyzed the traffic on
their network to troubleshoot this problem that customers were
reporting with Vonage's voiceover IP service and what they
found was the rise of peer-to-peer traffic was causing delays
for Vonage. And this is because peer-to-peer traffic puts
enormous volume on the uplink side of a network that was
engineered primarily to supply data in the downlink direction.
And the reason it is engineered that way is because that simply
is the way that data flows on the worldwide web and when you
click on a Web site you send a small message upstream and what
you receive downstream is, you know, 30, 50, 100,000 bytes.
So the networks are engineered to behave asymmetrically. A
new application comes along that actually puts more data on the
uplink side then it draws down on the downlink side and it
destabilizes the network engineering throughout the entire
network. And so the engineering tools are applied to identify
that problem and they made a crude attempt and they admit--I
mean I am actually more positive about their attempts then they
are. They admitted that their attempt to resolve that problem
was done incorrectly and so the way that that should be done is
in a more anonymous and more protocol-neutral manner where they
simply collect data about the volume of traffic that individual
users are putting on the network over a 15 minute period of
time. So this is a beneficial use.
In my written testimony, there is a little footnote where I
try explain why I think the issue of deep packet inspection is
so--there is so much animosity against it. Now, I think what is
actually behind that is a dispute over two competing regulatory
models for advanced telecommunication services like Internet
and broadband. The traditional method has been described by FCC
Commissioner McDowell as technology silos, where we regulate
telecom one way. We regulate information services another way
and every new technology that comes along becomes the subject
of a new raft of regulations. Well, it turns out that
technology silos approach with Title One, Title Two regulations
isn't effective when you have competing services like voice and
video that can be delivered across different platforms. And so
there are a couple of different ways to address that problem
and one solution that has been proposed is to go to a
functional layering model where the different layers of the
network are regulated according to different standards.
So we treat carriers one way because that they are
basically moving packets across a network. We treat web
services providers a different way because they are on top of
that infrastructure. But I think that approach which
essentially is just rotating the silos model 90 degrees to the
right exhibits a lot of the same problems because what you have
is the ambiguity of services. E-mail is a service that can be
provided by an ISP and traditionally is but it can also be
provided by a web company like Google or Yahoo. Is there some
reason why Google and Yahoo's e-mail should be regulated
differently from an ISP's e-mail? I don't think there is. E-
mail is e-mail is e-mail. It is a service.
Mr. Boucher. Mr. Bennett, you are now about 2-1/2 minutes
over your time if you would wrap up.
Mr. Bennett. I am sorry. I got too inspired.
Mr. Boucher. That is quite all right.
Mr. Bennett. So that is my pitch is that I think that
rather than focusing on the technology, it makes more sense to
look at the services themselves and to begin with the standards
of proper disclosure and truth in advertising that any service
should have.
[The prepared statement of Mr. Bennett
follows:]*************** INSERT 7 ***************
Mr. Boucher. Thank you very much, Mr. Bennett and thanks to
each of our witnesses this morning for your informative
testimony.
So a question that I have all of you are invited to comment
on this relates to whether or not we have anyone at the present
time using network technologies for behavioral advertising
purposes. NebuAd has gone. Is anyone using packet inspections
specifically today for the kinds of activities that NebuAd I
suppose is the way you pronounce this but NebuAd was using at
the time this subcommittee had a hearing on that practice
during the last Congress, Mr. Rotenberg?
Mr. Rotenberg. Mr. Chairman, my understanding is that there
is no provider in the United States right now that is using DPI
for targeting in large measure because of the work that was
done by this committee last year. But the activity is
continuing in the United Kingdom and that is very interesting
to watch both by the response of the companies, some of which
have said that they will not participate, and also by the
response of the European commissioners responsible for privacy
protection who have said they are going to try to crack down on
this practice. But my understanding in the U.S. is that it is
not currently taking place.
Mr. Boucher. Thank you. Do any of you have suggestions for
other kinds of network technologies apart from the ones we
focused on today and that would be specifically deep packet
inspection, the new possible uses of cable set-top boxes and
the GPS tracking chips that are now placed in some mobile
devices? Those are the three we focused on today. Are you aware
of any other similar kinds of technologies that carry
significant privacy implications that we should keep an eye on,
Ms. Harris?
Ms. Harris. Mr. Chairman, I just think it is important to
clarify and maybe this is Brian's to clarify and not me that
GPS is not the only way that location is being collected for
services. So I think there is somewhat of a misunderstanding
that GPS chips and I would rather Brian describe it then I but,
you know, I wouldn't want--I would rather we focus on location
services because if you say GPS then it actually will not reach
a lot of the mobile services that are going.
Mr. Boucher. That is appropriate. Any further comment on
that question, Mr. Rotenberg?
Mr. Rotenberg. Well, this follows from Leslie Harris'
point. If your concern, for example, is about mobile tracking
in the network environment then I think you should also look at
the issue of IP addressing. In other words, the designation
that is associated with a device in the network can reveal a
great deal of information about the user of the device and the
location of the device. It is actually what enables services
like Loopt, for example, to track users.
Mr. Boucher. All right. Any further comment, Mr. Knapp?
Mr. Knapp. Yes, I mean I actually am not entirely sure
about the IP address association but there are a wide variety
of location technologies that enable these kind of applications
consumers are enjoying. And, you know, I would just say that
also speaks to why any consideration on legislation in this
regard needs to be very considered so it is not sort of
immediately put out of date by a new technology and broadly
consider location information as you do other data.
Mr. Boucher. Thank you, Mr. Knapp. Ms. Attwood?
Ms. Attwood. Mr. Chairman, I would like to answer the
question that I would have liked you to ask me and broaden I
think your intent. I think it is important to understand that
the device isn't the concern that should be the focus of a
privacy hearing because technology will improve and advance. I
think in the USA Today story about how there is concerns about
using social networks by individuals in the security context,
you know, there will be advances in technology and devices. I
think the question is starting from the proposition of are
there things that we need to be looking at as an industry
relative to protecting privacy interests and in that regard I
would agree.
Mr. Boucher. Let me get to that in a subsequent question. I
was just focusing for the moment on the presence of emerging
technology. I wanted to make sure we were covering the
waterfront in the terms of the technologies that we need to
keep an eye on so but thank you for that. I am actually going
to come to that now and I want to begin by commending both you
and also Mr. McSlarrow on your announced intention to protect
consumer privacy in association with the use of technologies
that can reveal an extensive amount of information about those
consumers. My precise question to you, to both of you, is
whether you have developed privacy policies to the level of
detail of the application of consumer opt-in as compared to
consumer opt-out. Have you gotten to that level of detail in
terms of formulating and announcing your consumer protection
policies?
Ms. Attwood. Well, with respect to the specific topic of
DPI, we have in fact announced that we will not use DPI. We
don't use it today and we will not use DPI in connection with
behavioral advertising without the customer's express
meaningful consent.
Mr. Boucher. And does express meaningful consent imply opt-
in?
Ms. Attwood. It absolutely can imply opt-in. I am going to
push all of you in the committee as we learn more about these
issues to advance our thinking and our discussion about what we
mean by opt-in. Opt-in is an old terminology. Opt-out is an old
terminology.
Mr. Boucher. In our thinking, it basically means that your
customer would have to take an affirmative step of some kind in
order to expressly authorize you to engage in the
identification and tracking process. So checking a box,
clicking a box on the Web site would be an example of opt-in.
Ms. Attwood. It would absolutely be an example of a
customer engagement and what we have committed to is that we
will in fact bring the customer into that decision about how
their information is used before we use any DPI for behavioral
advertising. And I think really I commend and I encourage you
to look at Loopt's way in which they have approached it and
they have absolutely worked on a very small form which is a
mobile device and made sure that customers not only check a box
but actually engage with the service provider, understand what
they are purchasing and therefore get the benefit of it.
Mr. Boucher. So it is opt-in plus?
Ms. Attwood. I would say it is engagement and it is in fact
a complete transparency and customer control, yes.
Mr. Boucher. OK. Thank you. Mr. McSlarrow.
Mr. McSlarrow. Mr. Chairman, as an industry I don't think
we have made any announcement but I can, as you suggested,
report that at least for the ISPs, when you are talking about
user data providing the bedrock for behavioral targeted
advertising, they recognize the burden has got to be a lot
heavier. It has got to approximate and I sort of associate
myself with Dorothy's comment about whether it is opt-in or not
but the point is that the step, affirmative step taken by the
consumer after engagement and education we have recognized is
the necessary precondition to moving forward.
Mr. Boucher. OK. Thank you. Mr. Knapp, you as Ms. Attwood
has suggested, are using a form of opt-in in order to gain your
customers' consent before you engage in location activities
using mobile devices. What brought you to that model? What were
the considerations and can you describe how that works in your
application?
Mr. Knapp. Sure and I think the illustrations in the back
of my testimony are great if members would like to turn to that
and sort of see the flow that the user goes through but the key
is and it is with all of these applications the users are
choosing to access them and so, you know, in the case of Loopt
they are choosing to download it from the AT&T deck or the
Apple's iPhone, the App-store. They download it and then they
need to sort of set-up Loopt to work for them. And it was very
clear to us that users want to be in complete control of
whether a company like Loopt was accessing their location
information and then allowing them to share it with others. And
so it was pretty key for us given that they were going to use
our application to share it with others to make sure that they
initially walk through a step to set it up that educated them
about the application and the service. So, you know, I mean a
lot of these key privacy principles go back even a few decades
to 1980 when the OECD published those and I think, you know, in
subsequent privacy practices. And that is also why I mentioned
before with regard to location information it is certainly
sensitive information but I think you can look at and as we did
other privacy laws and principles that are out there and
guidelines, and apply them broadly to information like
location.
Mr. Boucher. Thank you, Mr. Knapp. My time has expired. The
gentleman from Florida, Mr. Stearns, is recognized for 5
minutes.
Mr. Stearns. Thank you, Mr. Chairman. Mr. Rotenberg, I have
had the opportunity to hear you as a panel witness particularly
when I was chairman of the consumer trade and protection
subcommittee. Although the bill is a little old, it was dropped
in the 109th Congress, the Consumer Privacy Protection Act,
HR1263, which my good friend, Mr. Boucher, was a co-sponsor. He
and I worked together on this bill. Do you think that bill as
it has been written could be used as a starting point for this?
And how would you change it today for a general privacy bill
for out of this subcommittee?
Mr. Rotenberg. Thank you very much for the question, Mr.
Stearns. I also want to commend you by the way because I do
remember that series of hearings that you held on consumer
privacy which I think were very important hearings. I would
need to go back and look at the legislation that you and the
Chairman had put together. I do recall thinking at the time
that we needed to be sure that the policies gave consumers some
meaningful control over their information. That it wouldn't be
enough just for the consumers to be told the policy of the
company and then to consent, opt-in or opt-out, but we really
wanted to give consumers the assurance that for example
security standards were being followed. One of the things that
we have learned over the last few years of course is that we
have problems today with security breaches in the U.S. and it
impacts business and the Internet user. So I think that would
be important. There is always this difficult issue of course of
a State preemption. I appreciate that the businesses would like
a national standard. That is a tough one.
Mr. Stearns. That was one. If you might just take a moment
and go back since you are an educator and you could give us a
good sounding, it might be helpful for Mr. Boucher and I to
have your written comments about the bill and what you think.
Is anyone else on the panel familiar with the bill that I
dropped, H.R. 1263, that Mr. Boucher and I who would like to
comment on it? Yes, Ms. Harris.
Ms. Harris. Mr. Stearns, I think we would have to go back
and refresh our memory, as well.
Mr. Stearns. OK.
Ms. Harris. You know, at the time I think we, you know,
there were always as Marc has said, series of questions about
preemption, about standard, just thinking about development
since then, behavioral advertising we have to sort of put it in
context but we would be glad to come back to you.
Mr. Stearns. OK. Mr. Bennett, you had mentioned in your
opening statement about in some cases the difference between an
ISP services and a web-based services, you know, if you are
talking about sort of web-based services like Google and
Microsoft and Yahoo, do you think they should be--have a
separate type of privacy policy or is the privacy policy that
we apply applicable to them too?
Mr. Bennett. I think e-mail is e-mail and it doesn't matter
whether it is provided by the ISP or by a web-based services
provider. I think the exact same standards for disclosure and
transparency should apply to a web-based service that is
equivalent like e-mail is to services traditionally been
provided by ISPs.
Mr. Stearns. To your knowledge, are the people providing e-
mail today, web-based services, are they scanning our e-mails
for certain words? To your knowledge, could that be?
Mr. Bennett. Google absolutely does. I mean the web-based
e-mail services are primarily advertising supported because
unlike the ISPs they don't collect a subscription fee. So some
of them have an option where you can get the advertising taken
off your e-mail.
Mr. Stearns. But does that prevent the web-based service
from still scanning if you click that?
Mr. Bennett. I believe it would. I can't say that for a
certainty.
Mr. Stearns. But you are saying right now that most of
these web-based services are scanning our e-mail for certain
words using that as a double back to give us advertising so
that when I go on one of these which I do, I see all these ads
and sometimes these ads are for things that appear to me that I
have just been interested in not too long ago.
Mr. Bennett. Um-hum.
Mr. Stearns. So if that is true, do you think that is
considered something that should be part of a privacy bill so
that consumers are aware when they go on their e-mail that
their words are scanned, that their e-mail is being scanned?
Mr. Bennett. I think it depends on a judgment that you have
to make about consumer awareness. I mean it seems to me that
people that subscribe to an e-mail service like Yahoo or Gmail
are aware of the fact that it is an advertising supported
service and I think Google does a pretty good job of disclosing
the fact that they scan the e-mails for contextual clues so
that they can put more relevant ads, you know, alongside the e-
mails.
Mr. Stearns. Yes, Mr. McSlarrow, the Chairman had mentioned
the Project Canoe and it is being used I think to track
consumers watching. I think you might just give us an idea what
the status is of the cable industry with this Project Canoe,
what it is really about and how it is being tracked and what
the future is for the cable industry?
Mr. McSlarrow. Sure, it is now called Canoe Ventures. It is
a consortium of six cable operators.
Mr. Stearns. Can you tell us who they are?
Mr. McSlarrow. I should be able to remember that, Comcast,
Time Warner, Brighthouse, Cablevision. I will have to get you
the complete list.
Mr. Stearns. Cox?
Mr. McSlarrow. I believe Cox, yes.
Mr. Stearns. Yes, oK.
Mr. McSlarrow. And I know I am missing somebody. Basically
the idea is to build a platform to work with program networks
and advertisers to allow them to deliver more relevant
advertising to the consumer. The classic example used by the
CEO of Canoe Ventures is the ideal would be to make sure you
could deliver a dog food commercial to a household that has
dogs, in the here and now.
Mr. Stearns. So this is an interactive operation where
there must be a remote for the customer on Comcast, for
example, and when this program comes up they can hit a remote
which will tell them yes they want it then that is a feedback,
has information that the cable operator gives to the advertiser
which in turn he puts an ad back in to give.
Mr. McSlarrow. It could be.
Mr. Stearns. Could be.
Mr. McSlarrow. Today they only have two products that they
are planning on launching and one uses just third-party
demographics data. It doesn't have any set-top box user data at
all.
Mr. Stearns. No interaction.
Mr. McSlarrow. The second one would be what you just
described which would be a commercial comes up and you have an
opportunity to hit a button and say yes I would like to order a
pizza. So it is that built-in, opt-in system. In preparing for
this hearing, I actually asked them the question whether or not
they had any plans to use set-top box generated data for
purposes of advertising. It is not even on the product road map
but they do recognize if and when down the road they get to a
point in time where they would have to take a look at that,
they would have to comply fully with the Cable Act which exists
today and I think they are very conscious of the privacy
implications of everything they do but as I said it is not even
on the product roadmap.
Mr. Stearns. All right. Thank you, Mr. Chairman.
Mr. Boucher. Thank you, Mr. Stearns. The gentlelady from
California, Ms. Eshoo, is recognized for 5 minutes.
Ms. Eshoo. Thank you, Mr. Chairman, and thank you to each
of the witnesses. This has been a really a valuable experience
to listen to each of you coming at the subject matter for the
subcommittee today. First, Ms. Attwood, I didn't when you
talked about opt-in, does AT&T support opt-in?
Ms. Attwood. AT&T for the use of DPI for behavioral
targeting, yes, we have said we will not use DPI for
behavioral.
Ms. Eshoo. Because you used the word engagement, you said
we support engagement.
Ms. Attwood. Yes, I think engagement.
Ms. Eshoo. You want to talk about weddings, we want to talk
about this.
Ms. Attwood. Yes, sure, I think engagement is actually a
better way to describe what we are talking about which is
customer awareness but.
Ms. Eshoo. So you do support opt-in?
Ms. Attwood. Yes.
Ms. Eshoo. OK. Now, in the last three years AT&T, as you
know, has paid more than $21 million to resolve FCC claims that
it misused a customer's personal information. What is your
policy moving forward to get away from that record?
Ms. Attwood. We are very proud of our record is supporting
our customers' privacy. I think you are referring to UPN
issues.
Ms. Eshoo. Well, $21 million in fines is a lot. I don't
know who else in the industry has paid that much and but we
don't want past to be prolog and so I am giving you the
opportunity to tell the subcommittee where you move--how you
move forward and what kind of policy AT&T would support beyond
opt-in?
Ms. Attwood. So part of the success story in any fine and
any enforcement action is the fact that we have committed to
improve our policies and in fact stand up and acknowledge the
cooperation and work with the regulatory agency in order to
ensure the protection of the customer information at issue
there. So we absolutely pledge to continue to work on that.
Ms. Eshoo. Good. OK. Now, on I have a couple more
questions. Has AT&T used AudioScience.com to place ads on the
web?
Ms. Attwood. Not to my knowledge if you are asking
AudioScience with respect to DPI solutions, is that what you
are asking?
Ms. Eshoo. Well, it is my understanding that that is the
case is it?
Ms. Attwood. No.
Ms. Eshoo. I mean do you--does, has AT&T used AudioScience?
Ms. Attwood. We do not use a DPI solution to place ads on
our web, no.
Ms. Eshoo. Does AudioScience.com notify customers when data
is collected or you don't deal with them at all?
Ms. Attwood. I am not familiar with the dealings with
AudioScience. I am happy to get back to you on with respect to
that particular vendor.
Ms. Eshoo. OK. I would appreciate that. To, Mr. McSlarrow
and Ms. Harris, in Mr. Bennett's written testimony he says ``I
fear the only way to ensure robust protection for personal
privacy in the long run is to replace the open access
advertising supported business model with one in which we pay
for content and services.'' I guess this modern day ``modest
proposal'' is one solution. I think it would destroy a free and
open Internet and that it would in turn fix all of the privacy
concerns that we have discussed today. But I think the real
issue here is what you think or if you think that consumer
privacy and a free and open Internet are compatible?
Mr. Rotenberg. Yes, well Congresswoman I understand where
Mr. Bennett is coming from. I mean there is the concern right
now that if we continue down the unregulated advertising model
that is sustaining the Internet, there is no stopping point.
And I even raise in my testimony the related concern that this
won't only be about privacy. This will be about web publishers
because the content on the Web sites will become less valuable
to the advertising networks as they learn more about the users.
They will effectively bypass the content which will actually
weaken the publishing industry. So I don't even think it is
just privacy that is at risk in the unregulated advertising
model. I think it is web-based publishing that is at risk, as
well. Now, while I am sympathetic to his view, I do think
advertising is important and can help sustain a lot of the
Internet as long as limitations are established. That is really
the key here. If we can say yes we need advertising. We
understand that and there is a benefit here by having Internet
with advertising but we are going to draw some lines and you
are not going to get to do these tremendous profiles of users
that currently taking place. I think that is a sustainable
model. In fact, that is the tradition in the publishing world.
You know, publishing up until recently had done very well for
the user, for the publisher and for the advertiser but we are
going down a road right now which I am afraid will actually
lead to collapse.
Ms. Eshoo. Kyle, you want to say something?
Mr. McSlarrow. Well, I think the short answer is I think
they are compatible. I think, you know, one of the great--I
mean we can all, at least some of us can remember, you know,
the day that the Internet was sort of commercialized but that
is the world we live in and I think the great thing about the
Internet is it is proven that you can take what was an old
broadcast advertising model with a lot of waste and refine it
in a way that allowed the services we have today. To me, the
next step by keeping privacy in mind is to make that
advertising model potentially even more relevant and more
useful to advertisers. I just think it lists the entire
Internet so I think we have to recognize privacy is an
important part of it but I do think for the future of the
Internet that kind of targeted advertising is going to be
essential.
Ms. Eshoo. Ms. Harris.
Ms. Harris. Well, I remain skeptical about the value of the
behavioral advertising in the long run but, you know, it is
here and I think the, you know, at the end of the day it is can
we get a privacy regime in place that is going to put consumers
back in charge and be able to make choices.
Ms. Eshoo. I agree.
Ms. Harris. I think that if we are chasing each business
model, each technology, we are not going to be able to do this
and we have to step back and ask what is it that we want to
give consumers the right to do in terms of controlling what is
reasonable and put that in place.
Ms. Eshoo. And in going back to the exchange I believe that
you had with the Chairman, you see that as best being carried
out, implemented how?
Ms. Harris. Well, I think we need a law that is a privacy
framework.
Ms. Eshoo. Yes.
Ms. Harris. That is, you know, that we move that has to do
with data collection wherever it is collected and right now
strong sectoral laws. We have cable law that is fairly strong.
We really on the Internet except for if you make a privacy
promise and fail to keep it then you have a FTC violation, you
don't have any rules. We have some sectors that engage in self-
regulation that is reasonably robust but that is not ultimately
going to be an answer given how this is going.
Ms. Eshoo. Because it is not tameless.
Ms. Harris. It is not going to be enough.
Ms. Eshoo. Thank you very much.
Ms. Harris. Sure.
Ms. Eshoo. Thank you, Mr. Chairman.
Ms. Boucher. Thank you very much. Thank you, Ms. Eshoo. The
gentleman from Florida is recognized for a unanimous consent
request.
Mr. Stearns. Thank you, Mr. Chairman. I just want to put
the testimony of Scott Cleland, the president for Precursor,
LLC. He testified before the Energy and subcommittee, our
subcommittee on July 17, 2008, and I think it would be relevant
to have his part of this hearing. So if you ask unanimous
consent to be made a part thereof.
Mr. Boucher. Without objection.
[The information appears at the conclusion of the
hearing.]*************** INSERT 9 ***************
Mr. Boucher. The gentlelady from Colorado, Ms. DeGette, is
recognized for 5 minutes. I am sorry, 7 minutes in total.
Ms. DeGette. Thank you very much. Thank you very much, Mr.
Chairman. I want to follow-up on the line of questioning that
Ms. Eshoo was talking about because I am concerned on the one
hand I think DPI has shown to be an effective and an efficient
way to deal with spam and other security issues. On the other
hand, I am thinking here about consumer protection and the
choices that people have to make in accessing services or
Internet content. And listening to the witnesses talk about
opt-in or consumer knowledge or whatever terminology you want
to use about it, it really underscores for me something Ms.
Attwood said which is we don't really know what we mean when we
say consumer knowledge or assent. For example, with Mr. Knapp's
company, we were impressed by all the levels of informed
consent that you ask for but I also have, I am sure your
company doesn't do behavioral advertising. That is not what you
are getting the informed consent for, correct?
Mr. Knapp. We will support our service with advertising.
Ms. DeGette. Are you going to do behavioral advertising
with DPI?
Mr. Knapp. Generally no, DPI is not something that we--we
are a mobile application.
Ms. DeGette. Right, it is a different application.
Mr. Knapp. Exactly.
Ms. DeGette. So are you going to say to your consumers now
we are going to monitor what we are going to use this
technology to do behavioral advertising that is tailored toward
you and your habits? Do you want to opt-in to that? Are you
going to do that?
Mr. Knapp. And we in fact we do. We are going to support
Loopt through advertising.
Ms. DeGette. No, that is not my question.
Mr. Knapp. Sure.
Ms. DeGette. Is that going to be part of the informed
consent that you give?
Mr. Knapp. Yes.
Ms. DeGette. OK. Good. Now, that is admirable because my
question is to Mr. McSlarrow is that going to happen with all
of the members of your association that that is the kind of
informed consent that the consumers are going to have?
Mr. McSlarrow. I think actually I need to back up. I
represent not just ISPs but also networks and I make a
distinction among them because and this is one of the points,
there are many actors on the Internet. For the ISPs, yes, we
recognize that there is a heavier burden to use the personally
identified.
Ms. DeGette. So they are going to say to people, I mean
they are going to say to people now if you give informed
consent what that means is that your communications are going
to be tracked and tailored for behavioral advertising?
Mr. McSlarrow. Yes, I think the notice in disclosure has to
be as robust as possible. I mean this has to be legible and the
English people need to understand this is exactly what we are
talking about.
Ms. DeGette. That is great. Ms. Harris, you are nodding
your head.
Ms. Harris. We testified in front of this subcommittee last
year on behavioral advertising saying that is what it is
required. Frankly, we think it is required already under the
Electronic Communications Privacy laws. Obviously, we want that
incorporated into a Consumer Privacy law but that is the right
answer. I think it is hard. I think given the fact that ISPs
are in a position where they are not in daily contact with
their users, you haven't made a decision to go to a site, the
online environment has not done a good job yet with opt-out so
I think this is a difficult step. It is a big commitment and it
will be difficult to implement but it is the right choice.
Ms. DeGette. Right. Well, I agree with that and I am happy
to hear both of you say that you are going to do that. Ms.
Attwood, is that also the intention of AT&T?
Ms. Attwood. Yes and we stated that on several occasions
with respect to our ISP service, yes.
Ms. DeGette. That it would be because I think consumers now
understand. I know when I sign up for some kind of Internet
communication or whatever it says, you know, our policy is we
do not sell or otherwise communicate your data to other people
unless you check here so people get that. I am not sure they
understand DPI or what that means and I am wondering, Mr.
Rotenberg, is eager to address this issue.
Mr. Rotenberg. Well, Congresswoman, I would like to join
this chorus and certainly opt-in would be preferable to opt-out
but I don't think it is sufficient. And I don't think it is
sufficient because it won't be meaningful unless consumers
actually understand what data about them is being collected and
how it is being used.
Ms. DeGette. That is my point.
Mr. Rotenberg. And I think the mistake that is often made
is that we place so much emphasis on a policy and so much
emphasis on obtaining consent that the person who is actually
being asked to make the decision really doesn't have any
information to make the decision. So for many of these
Internet-based techniques, people really need to know what
information about them is being collected. Show it to me and
who are you giving it to and for what purpose? Now, if the
person is oK with all of that, then you say yes, that is
consent.
Ms. DeGette. That is exactly what I am trying to say.
Mr. Rotenberg. OK. Well, that is great.
Ms. DeGette. And the reason why I am concerned about that
is because I don't think that certainly people above a certain
age like me, may not understand exactly how this data can be
used or where it can go. People under a certain age don't
have--I think of my two teenaged daughters. They may not have
the sophistication to understand why that could be a problem
which is why I think you have to have adequate disclosure and
education.
Mr. Rotenberg. Right and if I could say one more point
because, you know, my children are on Facebook now and we spend
a lot of time looking at privacy issues with Facebook. And one
of the things that struck me is that young people are actually
pretty sophisticated about what information they put up, what
information they don't put up. And when the change of the terms
of service changed for Facebook, they organized and objected
and Facebook listened and there has been a very important
process going on because the users of the service knew what was
happening. But and here is a very important related point, the
information about Facebook users that flows to advertisers and
application developers, people know very little about and it is
those applications that they don't have any meaningful control
over.
Ms. DeGette. That is right and so that is why I think we
really we can say informed consent or we can say consumer
awareness or whatever but we need to make sure that they
understand exactly where that information is going.
Mr. Rotenberg. Yes.
Ms. DeGette. And I think everybody up here is shaking their
heads so I think, Mr. McSlarrow, do you agree with that
concept?
Mr. McSlarrow. I totally agree with it and not only is it
the right thing to do, I think it is good business.
Ms. DeGette. Great. OK. Thank you. Thank you very much, Mr.
Chairman.
Mr. Boucher. Thank you, Ms. DeGette. The gentleman from
Illinois, Mr. Rush, the chairman of the Subcommittee on
Consumer Protection is recognized for 5 minutes.
Mr. Rush. Thank you, Mr. Chairman. And, Mr. Chairman, I
want to begin by really thanking you for your comments earlier
in this hearing. I want you to know that I look forward to
working very vigorously with you and on this particular issue
and look forward to our joint hearing that we will be having in
the near future. Mr. Chairman, I am going to start out with
some questions that I would like for all of the panel if they
would just even provide either a yes or no answer. And the
question I am going to get right to what I believe for me is
the heart of the matter, do you think that Congress should pass
consumer privacy legislation with regard to all of the
communications network?
Mr. Rotenberg. How many votes do I get? Yes.
Mr. Rush. Well, from Chicago we will see where we wind up
at and then we will add something to it. OK. All right. I am
beginning with you.
Ms. Harris. Yes, absolutely we need to develop a baseline
consumer privacy bill that is based on fair information
practices across all technologies. And frankly we need a bill
that covers all collection and goes beyond this, you know, the
media environment. We have got sectoral laws right now that hit
some sectors and not others so I mean we need to do both and it
is not clear to me it should be done separately. We need a
baseline consumer privacy bill that has to do with data
collection and obviously there is a need to reconcile the fact
that we have different or no standards in media but from a
consumer protection point of view, I think it is probably
broader than that.
Mr. Rush. OK. The fellow next to you.
Mr. McSlarrow. OK. Mr. Chairman, no but I would like to be
at the table when do.
Mr. Rush. OK. All right.
Mr. Rotenberg. Yes, Mr. Chairman.
Mr. Rush. Yes, oK.
Ms. Attwood. I guess I would have to say it depends and
certainly I can echo the comments that everyone has made about
a broad based look. I encourage the kinds of discussions that
we are having today but it may be premature and that is quite
frankly so that we can get better educated and as an industry
so we have an opportunity. There is a lot of complex
relationships that govern this environment and in order to get
a complete answer we really need to have the industry
supportive and so I would urge us as an industry and working
with out fellows in the public interest world and civil society
to come up with a robust plan. That does not mean that
legislation is not something that ultimately is at the end of
that road but certainly right now the first step is discussion.
Mr. Rush. All right. Please, yes sir?
Mr. Scott. Yes, I agree a baseline privacy law would be a
reasonable next step.
Mr. Rush. Yes, oK.
Mr. Knapp. This is my first hearing. Is maybe an acceptable
answer? I think as a cutting edge innovative company that
really wants to offer a service that users love and they want
for free I, you know, I think a high level privacy framework
that sticks by tried and true principles would be beneficial.
But I do have concerns when laws get too specific or focus on a
snapshot in a moment of time as I think has been mentioned here
today and may get outdated an problematic for some companies
like us who are trying to innovate and offer services for free
to comply. And so those would be my concerns about that
approach.
Mr. Rush. All right. Go ahead.
Mr. Bennett. Mr. Rush, I think I could support a bill like
that if the emphasis was on disclosure rather than on
prohibitions of particular practices. And one feature that I
would like to see in it is that once a consumer has opted into
a data collection service, I think you should get a regular
reminder or the opt-in shouldn't be perpetual. So when you opt-
in to a service it works for a year then you have to get a
notice and you have a choice of opting in again because I don't
know how many Web sites I have given permission to, to collect
information on me over the years that I have completely
forgotten about.
Mr. Rush. So your answer is yes?
Mr. Bennett. I answered yes.
Mr. Rush. OK. All right. Thank you. Mr. Rotenberg, since we
need another vote form you. Why don't you answer again? I am
just kidding. All right. The next question that I have is and
please the same sequences for all the panel is do you believe
that consumers should have the same sort of control if and how
their information is selected? Do you believe that they should
control if and how this information is used? Please answer a
yes or no.
Ms. Harris. I think that the question of use is an
important one and it seems to me that when you are authorizing
a collection you ought to also be authorizing the purposes or
you are authorizing that it can be used for multiple purposes.
But I don't think, you know, simply saying you can have my data
or not have my data answers the question. We use your data for
marketing, opt-in, don't opt-in. We use your data for, you
know, I mean I think there are some uses of data which are
transactional that, you know, if you are ordering a product I
think separately saying you can use my data to do what is
necessary to process this transaction seems unnecessary but for
uses that are not directly connected for the initial purpose of
collection it is just a standard fair information practice then
I think yes of course you have to authorize that.
Mr. Rush. Sure. Next gentleman.
Mr. McSlarrow. I think in our case The Cable Act actually
is a good example which says that when you give authorization
for personally identifiable information, it doesn't take into
account the use of that data for just rendering the business
services. But once you go beyond that I think you do have to
identify what the purpose is you would use it for.
Mr. Rotenberg. Mr. Chairman, I would say yes and I would
probably add in some other things too like ensuring security of
the data that is collected and some access to the information
and some accountability. I think the basic elements of a
privacy bill and in fact The Cable Act is a good model or at
least the pre-Patriot Act version was a good model from 1984.
That is a good starting point.
Ms. Attwood. Yes, we support transparency and control.
Mr. Scott. Absolutely and I think beyond that I agree that
the consumer is not only entitled to know that their data is
being used but three other things. One is intentionality, the
other is behavior and the third is outcome. Why do you want my
information? What are you going to do with it? And what does
that mean to me as a consumer?
Mr. Rush. Yes.
Mr. Knapp. Yes we agree with the principles of transparency
and control, as well.
Mr. Rush. OK.
Mr. Bennett. That is a yes for me, too.
Mr. Rush. Thank you, Mr. Chairman. I appreciate you, sir.
Mr. Boucher. Thank you very much, Mr. Rush, and we look
forward to coordinating closely with you as we develop the
joint hearing between our two subcommittees and then thereafter
as we develop privacy legislation which we will put forward in
tandem.
Mr. Rush. Nice of you to say, Mr. Chairman.
Mr. Boucher. And thank you for your presentation.
Mr. Rush. You are a great Chairman.
Mr. Boucher. Thank you very much. The gentleman from New
York, Mr. Weiner, is recognized for 5 minutes.
Mr. Weiner. Mr. Chairman, I won't take the full 5 minutes.
It strikes me that some of the what gets hairy here is saying
is defining what it is that you are checking the box to do. For
example, is you say I want help in deciding what other products
are out there that are being sold that I might be interested
in. It is a pretty tough box to word. I mean it is a pretty
tough disclosure to have any real meaning but I think by and
large, consumers do like that. I mean I like it when you go to
Amazon and it says we also have this for you. So I think one of
the problems that we often face is that disclosure has tipping
point that if you want it until the point that there is so much
of it that it ceases to really disclose anything. And I think
the part of the challenge that we have is trying to come up
with terms of art that truly do encapsulate what we are trying
to do. For example, you know, would you like to be told about
other products you might be interested in. Theoretically, that
can be just about anything. I mean it is concise and it is
crisp and it probably is worded in a way that will entice
people to check a box and I don't know how you have a second
line that says but you are going to get a lot of stuff and a
lot of companies that might be far removed from this shoe
purchase might be getting information. And so I mean can you
offer us any guidance on how to make this type of disclosure
opt-in, opt-out truly useful to consumers without us all having
to retain, you know, to go to lawyers.com to read what I am
getting at Amazon.com. I don't know who would be best to tackle
that? Whoever leans forward first.
Mr. Rotenberg. Well, I mean, Congressman, it is an
excellent point and it is one of the reasons I have suggest in
my testimony not to place too much emphasis on opt-in or opt-
out as the basis for privacy protection. Given a choice between
opt-in and opt-out from the consumers' perspective, opt-in is
preferable because it means more control but for many of the
reasons you described, it won't be adequate for real privacy
protection. For example, no one agrees to a security breach. In
other words, you may check a box and give a company some
information and some magnetic tape is going to fall off the
back of the truck. You certainly didn't agree to that so there
has to be a way I think within privacy law to get it to a
broader range of issues for many of the reasons your described.
Ms. Harris. I agree with that. I think that the Congress
has been stymied in moving that forward on privacy because of
the sole focus being about opt-in and opt-out, and not looking
more broadly at how to resolve some of these, you know, other
questions. And we don't know how to give notice well in a way
that consumers understand. You know, I think one thing to look
to is we just passed landmark new privacy protections in the
healthcare context and it could have gotten equally tied-up
around opt-in and opt-out and it focused far more broadly, you
know, about where sharing was appropriate and not appropriate,
security protections. So while those, while there are places
where consent is required, it is not just about that. And I
think that we do get hung up sometime and we don't wind up with
a framework so we need a framework. And we would start with
fair information practices because that is transparency. That
is collecting data only to the extent you need it for the
transaction. It is giving people choices about other uses and
it is making the explanation about those other uses.
Mr. Weiner. Right but before Ms. Attwood adds to this, even
that is complicated, right?
Ms. Harris. Right, I am not saying this is easy.
Mr. Weiner. Right, I mean just about the transaction, well
you bought the stereo. You should know about--do you mind if we
share information with this speaker company and then you get
information about that. I mean I agree it is that opt-in and
opt-out is not the only way to do this and we are going to go
far beyond that. But we have grown kind of culturally
accustomed to the idea of having places that we kind of agree
to what goes on. You know, when my credit card company says oh
yes, well we told you about that. I am like, really that was
page nine six months ago on the thing we told you about it. We
are covered. So you are right, opt-in, opt-out is not
everything but the way we have grown literate with how these
things happen as citizens, there is some expectation that we
are going to have some control over that.
Ms. Harris. Oh absolutely, I am not suggesting that we
shouldn't.
Mr. Weiner. Right.
Ms. Harris. I am saying that even that is much harder and
has not been done well online in most instances so, you know,
passing this framework is the beginning but the assumption that
we are going to get these practices right overnight, no, we are
not.
Mr. Weiner. Go ahead, Ms. Attwood.
Ms. Attwood. I just I guess I offer some hope in the
context of if you approach this as a legal exercise then
consent is something that is a, you know, it is a difficult
proposition to get right. But if you approach this as actually
what really is exploding online and the idea that in fact you
are trying to get personalization and you are trying to get
information that is all about me and you are trying to get a
page that identifies my likes and dislikes, I have confidence
that that in fact this industry using new and developing tools
will be able to actually communicate more effectively to the
customer and allow that kind of customization and that
personalization to be an advance. If we think about this as a
design feature, privacy is a design feature in what I am
offering then it is in my interest as a commercial entity to
make it very clear that proposition. That is why you see the
success of Loopt. On one level, his service is extremely
complicated. On the other level, the customer gets it right
away, understands the value of proposition and that
communication is something that as an industry I think I am
optimistic that we can work to grow that communication and make
it work for consumers.
Mr. Weiner. Thank you, Mr. Chairman.
Mr. Boucher. Thank you very much, Mr. Weiner. The
gentlelady from the Virgin Islands, Ms. Christensen, is
recognized for 5 minutes.
Ms. Christensen. Thank you, Mr. Chairman, and this is a
very interesting hearing for me. Privacy is an issue that is of
very much concern to minority communities like the one I
represent and it comes up whenever we talk about HIT and other
issues related. Ms. Attwood, when you were asking about opt-in
and opt-out and you talked about engagement it seemed as though
you used that word deliberately and wanted to elaborate on it
and I wanted to be give you an opportunity to explain what you
mean by engagement.
Ms. Attwood. Sure, I actually think Mr. Rotenberg said it a
lot better and but I think everybody on the panel has discussed
it that when we talk about opt-in and opt-out, we really are
limited in the concept of what we are trying to discuss when it
comes to really ensuring that the customer is part of the
decision about the use of the information and that is a broader
concept. That is a concept that is engaging. That is a concept
that is enticing. That is a concept of control. Opt-in, we have
all been a part of opt-ins. I think the Congressman from New
York described it where, you know, it is pages and pages and
pages where the company is entirely protected and there is a
checked box but it is not. The customer is not in fact really
participating in that decision, you know, and so I am hopeful
this industry can in fact rally around the idea of really
bringing the customer into that decision and it can happen in a
broader way.
Ms. Christensen. I am kind of old fashioned and I am trying
to remember when I see those kinds of boxes, I just want to
skip them. Do people usually answer them and or do you have to
opt-in or opt-out, just for my information, not as a swear. Do
you have to answer it?
Ms. Attwood. If it is designed that way, I mean they are
designed differently but there are some that are forced screens
or box where you can't get past it unless you do something so
yes. There are others that in fact don't require that but most
times it is a service obligation to check that box.
Ms. Christensen. And in the cases where you just ignore it
and try to move on and you can, that is assumed to be an opt-
out?
Ms. Attwood. It would be possibly an opt-out. It really
again depends on the design of that. It may be that you don't
get the service.
Ms. Christensen. Did you want to say something, Ms. Harris?
Ms. Harris. Yes, I do want to agree with Ms. Attwood on the
question of can industry doing this. I mean in discussing this
with Mr. Weiner, it is very hard but when industry chooses to
do this, when they choose to do it sort of at the beginning and
do privacy by design rather than privacy by law, it can be
accomplished. Loopt is an example. There are several examples
in the online healthcare space where from the very beginning
this has been built in, in a way that consumers can use. So I,
you know, it is hard to say that we are in this environment of
such technological innovation and we can't figure out how to
use that technological innovation to make this simpler. I think
we can. I think frankly a privacy framework will encourage that
but I do think at the end of the day it is going to have to be,
you know, a combination. The law by itself in the absence of
companies stepping up and doing that and that is what is going
to have to happen.
Ms. Christensen. OK. I thought Mr. Bennett's suggestion of
having to go back periodically and opt-in was a good one. Does
that happen now and if doesn't, would you all support
periodically having to go back and review that question?
Mr. Rotenberg. We have actually recommended that the right
way to understand consent is that you should be able to opt-in
when you choose to have your data used in a way and then opt-
out at the point that you want to discontinue the use and I
think Mr. Bennett's comment captures that but any time you
choose to leave a service--this came up recently with Facebook,
for example.
Ms. Christensen. Yes.
Mr. Rotenberg. Facebook wanted to tell users well you leave
the service. We will keep your data and the user said well that
is not right. I mean if we leave the service we want you to
delete the data.
Ms. Christensen. Right.
Mr. Rotenberg. And Facebook agreed and I think that is
people's intuition and it is really fair, and when companies go
against it then there is a problem.
Ms. Christensen. Right.
Ms. Harris. I think it is going to be a very important
concept for the ISPs if they are to move into this space
because for some people who are not also using an ISP's e-mail
service, they may not be communicating with their ISP except
at, you know, initially to sign up or get a bill so the
potential to think about screens that come on, you know, that
explain what you agreed to and give you a choice to change your
mind, I think it is going to be a critical part of it.
Mr. Scott. It strikes me that whether we are talking about
reminders which I think is a great idea or engagement or
clarity and transparency, we are really talking about our
different forms of consumer education because the real problem
is that most consumers don't have any idea what the 10,000
words of six point font means when they check the box at the
bottom and oftentimes, sometimes those boxes are pre-checked or
you can't buy the shoes unless you check the box and so in many
ways I think we need to be thinking about ways to help
consumers understand exactly what it is that they are signing
up for and what that means and what comes to my mind is the
little glossy one-pager that my power company sends me every
winter to try to advise me on how to save money on my power
bills. It has got pictures. It is in big letters. I read it. I
have actually found some helpful tips there. That is sort of is
what I think of as engagement when I hear you say that and I
think that is the kind of consumer education that can help us
fix this problem.
Ms. Christensen. Thank you. Thank you, Mr. Chairman.
Mr. Boucher. Well, thank you very much, Ms. Christensen. I
want to say thank you to all of the witnesses for their
extremely informative testimony today. This has been an engaged
conversation and as we close this hearing, I simply want to
note that I personally concur completely with the suggestions
that many have made here over the course of the last hour that
what is needed is not just a decision between opt-in and opt-
out but also a framework for privacy protection. And I hasten
to note that the legislation that Mr. Stearns and I put forward
some several years ago which will be the starting point and the
foundation for our privacy bill this year, contains exactly the
kinds of formulas that many on the panel have suggested and
that is that any service that collects information about a
customer must disclose what information that is collected and
how that information is used and then provide the appropriate
opportunity for that customer to act on the information,
whether that be by opt-in or opt-out. So opt-in taken by
itself, is meaningless. There has to be an adequate description
of what conduct the particular user is authorizing for it to
have content and meaning and offer real protection. We get that
and that will be very clearly a part of the foundation of the
measure that we move forward with later.
So with that having been said and acknowledged, let me
thank this panel for its contributions to our understanding of
the network technologies that have privacy implications for
users and suggest that we probably are going to consulting with
you at greater length as we move forward to have out joint
hearing with the other subcommittee and also to draft this
legislation. You have been very helpful to us. We appreciate
your participation and with that said, this subcommittee stands
adjourned.
[Whereupon, at 12:10 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
�