[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]






   COMMUNICATIONS NETWORKS AND CONSUMER PRIVACY: RECENT DEVELOPMENTS

=======================================================================

                                HEARING

                               BEFORE THE

      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 23, 2009

                               __________

                           Serial No. 111-31










      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
72-880                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001








                    COMMITTEE ON ENERGY AND COMMERCE

                       HENRY A. WAXMAN, California
                                 Chairman
JOHN D. DINGELL, Michigan                JOE BARTON, Texas
  Chairman Emeritus                        Ranking Member
EDWARD J. MARKEY, Massachusetts          RALPH M. HALL, Texas
RICK BOUCHER, Virginia                   FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey           CLIFF STEARNS, Florida
BART GORDON, Tennessee                   NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois                  ED WHITFIELD, Kentucky
ANNA G. ESHOO, California                JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                    JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York                 ROY BLUNT, Missouri
GENE GREEN, Texas                        STEVE BUYER, Indiana
DIANA DeGETTE, Colorado                  GEORGE RADANOVICH, California
  Vice Chairman                          JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California                   MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania           GREG WALDEN, Oregon
JANE HARMAN, California                  LEE TERRY, Nebraska
TOM ALLEN, Maine                         MIKE ROGERS, Michigan
JANICE D. SCHAKOWSKY, Illinois           SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California               JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas               TIM MURPHY, Pennsylvania
JAY INSLEE, Washington                   MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin                 MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas                      PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York              STEVE SCALISE, Louisiana
JIM MATHESON, Utah                       
G.K. BUTTERFIELD, North Carolina         
CHARLIE MELANCON, Louisiana              
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
    Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE BRALEY, Iowa
PETER WELCH, Vermont                 
                                     
                                     
      Subcommittee on Communications, Technology, and the Internet

                         RICK BOUCHER, Virginia
                                 Chairman
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
BART GORDON, Tennessee                 Ranking Member
BOBBY L. RUSH, Illinois              J. DENNIS HASTERT, Illinois
ANNA G. ESHOO, California            CLIFF STEARNS, Florida
BART STUPAK, Michigan                NATHAN DEAL, Georgia
DIANA DeGETTE, Colorado              BARBARA CUBIN, Wyoming
MICHAEL F. DOYLE, Pennsylvania       JOHN SHIMKUS, Illinois
JAY INSLEE, Washington               HEATHER WILSON, New Mexico
ANTHONY D. WEINER, New York          CHARLES W. ``CHIP'' PICKERING, 
G.K. BUTTERFIELD, North Carolina         Mississippi
CHARLIE MELANCON, Louisiana          VITO FOSELLA, New York
BARON P. HILL, Indiana               GEORGE RADANOVICH, California
DORIS O. MATSUI, California          MARY BONO MACK, California
DONNA M. CHRISTENSEN, Virgin         GREG WALDEN, Oregon
    Islands                          LEE TERRY, Nebraska
KATHY CASTOR, Florida                MIKE FERGUSON, New Jersey
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex 
    officio)





                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Rick Boucher, a Representative in Congress from the 
  Commonwealth of Virginia, opening statement....................
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................
Hon. George Radanovich, a Representative in Congress from the 
  State of California, opening statement.........................
Hon. Bart Stupak, a Representative in Congress from the State of 
  Michigan, opening statement....................................
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, prepared statement..............

                               Witnesses

Leslie Harris, President, Chief Executive Officer, Center for 
  Democracy And Technology.......................................
    Prepared statement...........................................
    Answers to submitted questions...............................
Kyle McSlarrow, President and CEO, National Cable and 
  Telecommunications Association.................................
    Prepared statement...........................................
    Answers to submitted questions...............................
Marc Rotenberg, President and Executive Director, Electronic 
  Privacy Information Center.....................................
    Prepared statement...........................................
    Answers to submitted questions...............................
Dorothy Attwood, Senior Vice President, Public Policy and Chief 
  Privacy Officer, AT&T Services, Inc............................
    Prepared statement...........................................
    Answers to submitted questions...............................
Ben Scott, Policy Director, Free Press...........................
    Prepared statement...........................................
    Answers to submitted questions...............................
Brian R. Knapp, Chief Operating Officer, Loopt, Inc..............
    Prepared statement...........................................
    Answers to submitted questions...............................
Richard Bennett, Publisher, Broadbandpolitics.com................
    Prepared statement...........................................
    Answers to submitted questions...............................

                           Submitted Material

Statement of Scott Cleland, Precursor, LLC, submitted by Mr. 
  Stearns........................................................

 
   COMMUNICATIONS NETWORKS AND CONSUMER PRIVACY: RECENT DEVELOPMENTS

                              ----------                              


                        THURSDAY, APRIL 23, 2009

              House of Representatives,    
Subcommittee on Communications, Technology,
                                  and the Internet,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:05 a.m., in 
Room 2322 of the Rayburn House Office Building, Hon. Rick 
Boucher (chairman) presiding.
    Members present: Representatives Boucher, Rush, Eshoo, 
Stupak, DeGette, Weiner, Christensen, Castor, Space, Stearns, 
Shimkus, Buyer, Radanovich, Bono Mack, Terry, and Blackburn.
    Staff present: Roger Sherman, Chief Counsel; Tim Powderly, 
Counsel; Shawn Chang, Counsel; Greg Guice, Counsel; Amy Levine, 
Counsel, Sarah Fisher, Special Assistant; Pat Delgado, Chief of 
Staff Congressman Waxman; Neil Fried, Counsel; and Sam 
Costello, Legislative Clerk.

  OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

    Mr. Boucher. The subcommittee will come to order. Broadband 
networks are a primary driver of the national economy and it is 
fundamentally in the Nation's interest to encourage their 
expanded use. One clear way Congress can promote a greater use 
of the Internet for a variety of purposes including access to 
information, electronic commerce and entertainment is to assure 
Internet users of a higher degree of privacy protection with 
regard to data that is collected concerning their Internet 
usage. It is my intention for the subcommittee this year to 
develop on a bipartisan basis legislation extending to Internet 
users that assurance that their online experience is more 
secure. We see this measure as a driver of greater levels of 
Internet uses such as electronic commerce. Not as a hindrance 
to them.
    Today's discussion is the first of two presently planned 
hearings relating to consumer privacy on electronic networks. 
Today we explore network-based privacy matters including the 
growing deployment of deep packet inspection technologies and 
location-based privacy enabled by specific technologies. There 
are additional privacy related matters that we intend to 
explore including targeted and behavioral advertising. And we 
are now planning to conduct a joint hearing with the full 
committee's Subcommittee on Commerce, Trade and Consumer 
Protection during the early period of the summer in order to 
examine online privacy including behavioral advertising at 
which Internet-based companies will be invited to testify 
before the subcommittee.
    A range of concerns related to online advertising should be 
vetted and just as there are concerns about the privacy 
implications of the network-based technologies upon which we 
are focusing this morning. Those online advertising concerns 
will be thoroughly vetted at the joint hearing we will have 
with the other subcommittee this summer. But today's focus is 
on emerging network technologies that have significant privacy 
implications and three of them will be highlighted by witnesses 
testifying to us today.
    Deep packet inspection enables the opening of the packets 
which actually hold the content of Internet transported 
communications. Through the use of DPI, the content can be 
fully revealed and fully examined. It has generally been 
accepted that there are beneficial uses for DPI, such as 
enabling better control of networks and the blocking of 
Internet viruses and worms.
    DPI also enables better compliance by Internet service 
providers with warrants authorizing electronic message 
intercepts by law enforcement, but its privacy intrusion 
potential is nothing short of frightening. The thought that a 
network operator could track a users every move on the 
Internet, record the details of every search and read every e-
mail or document attached to an e-mail message is alarming. And 
while I am certain that no one appearing on the panel today 
uses DPI in this manner, our discussion today of the 
capabilities of the technology and the extent of its current 
deployment, any projection that could be made about its 
anticipated schedule and path of deployment and the uses to 
which that technology is currently being put will give us as a 
subcommittee a better understanding of where to draw the lines 
between permissible and impermissible uses, or uses that might 
justify opt-in as opposed to opt-out consent from Internet 
users.
    I look forward to hearing from our witnesses this morning 
about how we can best balance the deployment of DPI with 
adequate protection for consumers' privacy. For example, should 
a network operator's use of DPI always require opt-in consent 
or is opt-out sometimes appropriate and if so, under what 
circumstances would opt-out be appropriate? What services that 
consumers consider essential to the safe and effective 
functioning of the Internet are advanced through deep packet 
inspection?
    Since the death of NebuAd, DPI-based behavioral advertising 
service last year, do we now see other companies using DPI in 
order to deliver behavioral advertising? What if any safeguards 
are in place to ensure that consumers are giving meaningful 
consent to the tracking of their activities on the Internet? 
These and other questions deserve our consideration this 
morning.
    I also look forward to learning about other emerging 
network-based technologies such as Project Canoe on the cable 
platform and Loopt and the wireless-base employing new uses of 
cable set top boxes and GPS tracking capabilities on wireless 
devices. What benefits do these services offer to consumers and 
how should the network operator procure meaningful consent from 
users for their use?
    We are also interested in hearing a preview of what the 
future of network-based technologies may hold. What new 
services may they enable and how do we accommodate with regard 
to them key privacy concerns? So I look forward to hearing from 
our distinguished panel and I want to thank each of our 
witnesses for appearing here this morning and sharing their 
expertise and views with the subcommittee.
    At this time, I am pleased to recognize the Ranking 
Republican Member of the subcommittee, the gentleman from 
Florida, Mr. Stearns.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Good morning and thank you, Mr. Chairman, and 
I appreciate your opening statement and you are offering a 
bipartisan tone to it, and your interest in having additional 
hearings including with the Commerce, Consumer Protection Trade 
which I chaired during Republican majority.
    Our goal today should be to broadly examine how companies 
are using consumer Internet behavior to tailor online 
advertising, both the benefits to the consumers as well as any 
potential concerns that have not already been addressed by 
industry. Our focus should go beyond only broadband providers 
and also look at the entire Internet universe, including search 
engines and Internet advertising networks. We cannot have this 
discussion without addressing them, as well.
    Whatever the appropriate standards are, they should apply 
to everyone. We need to be consistent. Consumers don't care if 
you are a search engine or a broadband provider. They just want 
to ensure that their privacy is protected.
    I hope, Mr. Chairman, you will agree to hold more privacy 
hearings on this subcommittee and I am glad to hear that you 
will so that we hear from the network operators. That is the 
only way members can be fully informed about these issues 
before marking up any legislation.
    As we move forward towards privacy legislation we must 
empower consumers to make their own privacy-related decisions. 
Only the consumer knows how he or she feels about the 
information that is being collected, the parties doing the 
collecting and the actual purpose for which the information 
will ultimately be used. Congress cannot and should not make 
that decision for them. We need to place the control over 
consumer information with the consumer himself. This means 
companies should be as transparent as possible about what 
information they collect and how do they use this information, 
that way consumers will be better able to make informed privacy 
decisions.
    We also need to examine the ways in which the use of 
behavioral information for marketing has been shown to have 
already harmed consumers. It is imperative that there be some 
evidence of harm if we are going to regulate this practice or 
we run the risk of prematurely restricting the latest 
technological advancement related to online marketing.
    Consumers' online activities provide advertisers with 
valuable platforms upon which to market their products, their 
services. Collecting this type of information for targeted 
advertising is very important because it allows many of these 
products and services to remain free to consumers. Without this 
information, Web sites would either have to cut back on their 
free information and services or would have to start charging a 
fee to see to consumers. Neither result is good. Over-reaching 
privacy regulations, particularly in the absence of consumer 
harm, could have a significant negative economic impact at a 
time while many businesses in our economy are struggling. So 
let us look very closely at these issues before we leap to 
legislative proposals.
    We also need a consumer-based approach. Consumers are the 
best judges. We will not truly address the privacy implications 
of tailored Internet advertising unless we shift the discussion 
towards consumer-centric approaches and away from the 
characteristics of the companies, like the particular 
technology they use or their corporate structure itself. 
Whatever we do, we must apply the same standards of privacy to 
companies collecting this type of information for the same type 
of purposes, whether it is a phone company, a cable company or 
companies like Google, Yahoo or Microsoft. Consumers don't care 
how their privacy has been invaded. What they care about is 
what the information is that is collected and how it is being 
used.
    Now, Mr. Chairman, as you have mentioned, I have had a 
record of privacy when I was chairman of the trade and consumer 
protection subcommittee. We held the most extensive hearings on 
the topic of privacy and following these hearings I offered and 
introduced the Consumer Privacy Protection Act, which I hope 
will be used as a baseline for new legislation. This bill would 
have required data-collectors to provide consumers with 
information on the entity collecting the information and the 
purposes for which the information was being collected.
    Furthermore, in 2005 I held two hearings on identity theft 
and security breaches involving personal information. These 
hearings led me to introduce the Data Accountability and Trust 
Act which would have required any entity that experiences a 
breach of security such as a business to notify all those in 
the United States whose information was acquired by an 
unauthorized person as a result of that breach.
    So, Mr. Chairman, I look forward to our hearings. 
Protecting consumers' privacy is a very serious issue and one 
that needs to be fully examined and I think your leadership on 
this is to be commended and I look forward to continuing our 
work together.
    Mr. Boucher. Well, thank you very much, Mr. Stearns, and 
let me simply briefly respond by saying that I appreciate and 
agree with your suggestions for the focus of our future hearing 
or hearings on this very important set of privacy concerns. And 
I want to acknowledge the gentleman's leadership in sponsoring 
comprehensive and thoughtful legislation in previous Congresses 
relating to privacy. I was pleased at that time to be the lead 
Democratic cosponsor of the gentleman's bill. And will be, 
well, I couldn't resist noting that, and we will be relying on 
the gentleman's experience and expertise on this subject as we 
construct bipartisan privacy legislation in this Congress.
    The gentlelady from California, Ms. Eshoo, is recognized 
for 2 minutes.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, for holding this 
hearing on network privacy.
    As a member of the House Intelligence Committee, I 
understand that the most valuable intelligence is to know how 
someone thinks because that enables one to predict what they 
might or will do in the future. Network operators want to 
monetize this predictability and profit from it. On its face, 
this is not an insidious practice. What is concerning is that 
the market is largely unregulated.
    In the digital age was can aggregate enormous amounts of 
data, including what Web sites are viewed, search terms 
entered, programs viewed, items bought and sold, web 
applications utilized and other forms of data most of us don't 
even realize is being collected. With this information, a 
powerful profile can be created which can be used to target 
specific advertisements that are more relevant to the user.
    We are here today to examine once again this growing issue. 
How do we regulate personal data collected by web companies and 
by network operators? Should we? And today we are obviously 
focusing on the network operators.
    There is a growing tide of critics in this debate that I 
believe fundamentally do not understand the purpose of our 
privacy laws. These voices, some of them testifying today, 
believe that web-based services and telecommunications carriers 
should be subject to the same privacy regulations. I don't 
think this is practical or prudent. There is a fundamental 
difference between offering up free web-based advertiser 
supported applications and services, and a common carrier 
offering voice and broadband services. These separate and 
distinct services should each be governed fairly. That doesn't 
mean within the same regulatory structure. A healthcare 
provider and a stock broker shouldn't be regulated, in my view, 
under the same structure. Each should have its own. A 
consumer's relationship with their phone or broadband provider 
is not the same relationship they have with a search engine or 
an online vendor.
    I am eager to hear from all of our witnesses. I am glad 
that you are all here today to hear about your practices and 
how you would envision privacy regulations. This is a very 
important debate and I hope that the final result will be a 
very sound and prudent bill that can be taken to the floor of 
the House.
    So thank you, Mr. Chairman, for kicking off this series of 
hearings.
    Mr. Boucher. Thank you very much, Ms. Eshoo.
    The gentlelady from California, Ms. Bono Mack, is 
recognized for 2 minutes.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Bono Mack. Good morning, Chairman Boucher, Ranking 
Member Stearns and distinguished panel. Thank you for holding a 
hearing on the important issue of consumer privacy and 
broadband networks.
    When a consumer makes a telephone call, purchases a good 
online, visits a Web site or watches a TV program on his couch, 
there is a built-in expectation of privacy associated with each 
activity. It is understood that our personal privacy is 
something of value. We have laws which protect privacy and the 
assurance of privacy is a marketable quality.
    It is also important to note that cost of certain 
commercial activity on broadband networks is deflected away 
from the consumer because of advertising. As many of you know, 
I have a long history of working to protect consumers in the 
online space. In past Congresses I authored anti-spyware 
legislation and this is the second consecutive Congress I have 
introduced the Informed P2P User Act, therefore my legislative 
history speaks for itself. Additionally, I also have a history 
of fighting to prevent piracy online so I am willing to listen 
to efforts that reduce the impact piracy has on our national 
economy, as well.
    As we begin the process of balancing consumer privacy and 
commercial activities online, I would like to listen to all 
sides of the debate and all parties involved in the online 
space. This includes consumers, law enforcement, ISPs, tech 
companies, search engines, advertisers, as well as content 
creators. It is my belief that both the privacy expectations 
and commercial activity need to be measured before we act. The 
committee would be wise to begin with the American consumers' 
privacy expectations in mind. I do not look at this issue as a 
partisan matter and I don't think we should be out to get one 
particular company or favor one particular industry. With that 
said, I do admit that sometimes a one size fits all approach is 
not possible in achieving certain goals. As such, I will be 
paying close attention to the debate and I look forward to 
working on this important issue.
    Thank you, Mr. Chairman. I yield back.
    Mr. Boucher. Thank you very much, Ms. Bono Mack.
    The gentlelady from Colorado, Ms. DeGette, is recognized 
for 2 minutes.
    Ms. DeGette. Thank you very much, Mr. Chairman. I want to 
thank you for having this important hearing today.
    As technology changes and as consumer habits change, so do 
the privacy concerns that we are faced with and so I am looking 
forward to hearing from all of the witnesses today as we 
continue in our evolving discussion of privacy.
    And with that, I will yield back.
    Mr. Boucher. Thank you very much, Ms. DeGette. We will add 
2 minutes to your time to question the panel of witnesses based 
upon that waiver.
    The gentleman from California, Mr. Radanovich, is 
recognized for 2 minutes.

 OPENING STATEMENT OF HON. GEORGE RADANOVICH, A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Radanovich. Thank you, Chairman Boucher. I want to 
thank you and Mr. Stearns for holding this consumer privacy 
meeting and I do want to thank you, Mr. Chairman, I am pleased 
to hear that we will have a joint hearing on online 
advertising. It will be important for us to hear from the full 
technology landscape that utilizes private user information 
before we can move forward with any comprehensive effort to 
address this issue. I look forward to working with you on that 
hearing, as well.
    One of the primary issues that has developed with 
communications and the Internet is the collection of consumer 
data. As technology advances and becomes more complex, 
consumers are rightfully concerned about their personal 
information. What we should focus on when it comes to consumer 
data is the consumers and what they care about and I believe 
that we should invoke looking at what data is collected, why it 
is collected and what is done with it. This information will 
help us all work together with the industry to achieve our goal 
of meeting the consumer needs by preventing the misuse of their 
information.
    What I think that we should be looking at for most is the 
most effective way to protect our constituents' information in 
a manner that recognizes there are beneficial users for many of 
these new technologies and continues to allow for innovation 
that can make the communications experience more enjoyable, 
more productive and safer for us all.
    I want to thank all of our witnesses for being here today 
and to discuss a wide variety of networks and their 
relationship to privacy. Your experience will certainly help us 
as we continue and I look forward to a productive hearing.
    Thank you, Mr. Chairman.
    Mr. Boucher. Thank you, Mr. Radanovich.
    The gentleman from Michigan, Mr. Stupak, is recognized for 
2 minutes.

  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Stupak. Thank you, Mr. Chairman, and thank you for 
holding this hearing.
    It is time we modernized our telecommunications policies in 
regard to privacy. An individual's right to privacy has been 
under increasing assault as more Americans are using the 
Internet for more and more of their daily activities. Consumers 
do not have a clear picture of what occurs with their 
information without their consent and what needs to be done.
    Last year this subcommittee held a hearing on a new type of 
data gathering for the purpose of behavioral advertising. This 
new method uses network technology known as deep pack 
inspection to read 100 percent of a web user's activities to 
create a profile for purposes of reselling it to advertisers. 
Companies that wish to utilize this technology have claimed 
that personally identifiable information is protected but I 
have my doubts and concerns.
    As it stands right now, The Communication Act gives no 
clear definition of when affirmative consent or opt-in is 
required in the handling of a consumer's personal identifiable 
information. Without clear direction from Congress on this 
matter, technology will continue to outpace our privacy laws 
and consumer personal information will continue to go 
unprotected. Any method of collecting personally identifiable 
information from an Internet user's online activity for the 
purpose of reselling that information must require an opt-in 
from that user. In addition, that user should also be provided 
with the information on how and what is happening with their 
data, how it is collected and who is receiving it.
    I look forward to hearing from our witnesses today on how 
we can modernize our privacy laws to protect, inform and 
empower consumers.
    Thank you, Mr. Chairman, again for holding this hearing. I 
look forward to working with you and our colleagues to move 
legislation on this subject.
    Mr. Boucher. Thank you very much, Mr. Stupak.
    The gentlelady from Tennessee, Ms. Blackburn, is recognized 
for 2 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Ms. Blackburn. Thank you, Mr. Chairman. I want to thank you 
for holding the hearing today. And I want to welcome all of our 
witnesses and thank you for being here with us today.
    Consumer privacy as you have heard from everyone who has 
spoken is a key element in the unspoken contract between the 
end user and the ISP and the merchants who make their living 
providing goods and services online. When any link in that 
chain of trust is broken, consumers at every level are going to 
suffer. It is therefore critical for Congress and our partners 
in the administration, the private sector and the consumer 
advocacy community to remain vigilant in securing consumer 
privacy online.
    It is also critical on the other hand that Congress ensure 
vibrancy in the marketplace. And I think that is where many of 
us are going to have questions and want to explore a little bit 
more deeply with you to make certain that we have a good 
understanding of the deep packet inspection technologies and 
that we move forward in the appropriate way.
    Mr. Chairman, I am pleased to know that we are going to do 
another hearing on the Google issues that are in front of us 
and I look forward to working with you on that hearing. And I 
hope that we can all send a message that piracy does not pay. 
That privacy and respect for intellectual property is an 
imperative and I look forward to the hearing.
    I yield back.
    Mr. Boucher. Thank you very much, Ms. Blackburn.
    The gentlelady from Florida, Ms. Castor, is recognized for 
2 minutes.
    Ms. Castor. Thank you, Mr. Chairman, for this timely 
hearing on the evolution of our communications networks and 
consumer privacy. Welcome to our panel. I look forward to your 
expert advice in learning a great deal more about this issue 
and I will yield back the remaining portion of my time.
    Mr. Boucher. Thank you very much, Ms. Castor. We will add 2 
minutes to your questioning time for the first panel.
    The gentleman from Nebraska, Mr. Terry, is recognized for 2 
minutes.
    Mr. Terry. Thank you, Mr. Chairman. I would waive and 
appreciate 2 minutes.
    Mr. Boucher. You shall have the same.
    [The prepared statement of Mr. Markey 
follows:]*************** INSERT 8 ***************
    Mr. Boucher. All members having now been recognized for 
opening statements, we turn to our panel of witnesses and 
express appreciation to each of you for your testimony here 
this morning. Ms. Leslie Harris is the president and chief 
executive officer of the Center for Democracy and Technology. 
Mr. Kyle McSlarrow is president and chief executive officer of 
the National Cable and Telecommunications Association. Mr. Marc 
Rotenberg is the executive director of the Electronic Privacy 
Information Center. Ms. Dorothy Attwood is chief privacy 
officer for AT&T Services. Mr. Ben Scott is policy director for 
Free Press. Mr. Brian Knapp is chief operating officer of 
Loopt. And Mr. Richard Bennett is a network engineer and a 
blogger and we welcome each of you. Without objection, your 
prepared written statements will be made part of the record. We 
would ask for your oral summary kept to approximately 5 minutes 
so that we will have ample time for questions.
    And, Ms. Harris, we are pleased to begin with you and you 
need to turn your mike on. It is amazing how many people in the 
technology subcommittee don't have their mike on when they 
start to testify.

    STATEMENTS OF LESLIE HARRIS, PRESIDENT, CHIEF EXECUTIVE 
 OFFICER, CENTER FOR DEMOCRACY AND TECHNOLOGY; KYLE MCSLARROW, 
   PRESIDENT AND CEO, NATIONAL CABLE AND TELECOMMUNICATIONS 
ASSOCIATION; MARC ROTENBERG, PRESIDENT AND EXECUTIVE DIRECTOR, 
ELECTRONIC PRIVACY INFORMATION CENTER; DOROTHY ATTWOOD, SENIOR 
 VICE PRESIDENT, PUBLIC POLICY AND CHIEF PRIVACY OFFICER, AT&T 
 SERVICES, INC.; BEN SCOTT, POLICY DIRECTOR, FREE PRESS; BRIAN 
  R. KNAPP, CHIEF OPERATING OFFICER, LOOPT, INC.; AND RICHARD 
           BENNETT, PUBLISHER, BROADBANDPOLITICS.COM

                   STATEMENT OF LESLIE HARRIS

    Ms. Harris. Mr. Chairman, Mr. Stearns, members of the 
subcommittee, I appreciate the opportunity to testify on this 
important question of the privacy implications of DPI.
    In CDT's view, DPI poses very serious challenges both to 
the privacy and to the openness of the Internet. The success of 
the Internet can be traced to its defining end-to-end principle 
which is a simple idea that applications are better left to be 
implemented at the edges of a network and leave the core 
unfettered by gatekeepers.
    The end-to-end principle, as you know, is supported by a 
policy framework that generally protects Internet service 
providers for liability for the content that they are either 
posting or flowing over their networks. And together these two 
policy choices have really preserved the Internet as a trusted, 
open platform.
    Today massive growth in data processing power has spurred 
the development of DPI and potentially allowing Internet 
service providers and other intermediaries and partners to 
analyze all of the Internet traffic of millions of users 
simultaneously. This raises profound questions about the future 
of privacy, openness and innovation online. Though deployment 
is still somewhat limited, applications range from management 
of congestion on the networks and network threats, content 
blocking, behavioral advertising and government surveillance.
    It is my understanding that right now network operators are 
only using the technology for security-related purposes 
although, of course, last summer we did have a failed attempt 
to use it for behavioral advertising. Of course, some of these 
applications may have other troubling legal policy concerns but 
it is important to stress that all applications of DPI raise 
serious privacy concerns because all applications of DPI begin 
with the interception and analysis of traffic.
    In our view, deep packet inspection is really no different 
than postal employees opening envelopes, reading letters 
inside. DPI networks intercept and examine the entire payload 
of a packet, the actual data that the packet carries in 
addition to a packet header unless the content is encrypted.
    So even if ISP's or advertising networks intend to only use 
a small portion of what is captured by DPI and dispose of the 
rest, it doesn't diminish the breadth and intrusiveness of that 
initial data capture. And DPI is being deployed within a 
technological environment where consumers are sending more and 
more information through the networks. Providers of all kinds 
are acquiring and collecting and holding more data and sharing 
it and it is being retained for longer periods of time and all 
of this without an adequate legal framework.
    Consumers simply do not expect to be snooped on by their 
ISPs or other intermediaries in the middle of the network. And 
so therefore DPI really defies the legitimate expectations of 
privacy that consumers have and it is also at odds with fair 
information practices, concepts like transparency, concepts 
like limited collection of data. The sectoral privacy laws that 
we have, have been far outpaced by technological innovation and 
as many of you have said, we have no baseline consumer privacy 
law.
    Finally, as DPI matures and becomes more widely deployed, 
our concern is that any notion of limited use is going to give 
way to mission creep as new applications are deployed. And that 
mission creep, frankly, is not just a concern that the 
providers will find new ways but that government and 
policymakers will increasingly have mandates to networks to use 
DPI for various purposes. And, of course, we worry as well 
about the sort of unlimited appetite for surveillance that our 
government appears to have and the fact that DPI really is a 
game changer there as well.
    For all these reasons, we applaud the fact you are taking a 
comprehensive look at DPI. We obviously think that, you know, 
the most important thing that can happen this year is an acting 
baseline, technology neutral consumer privacy legislation based 
on fair information practices. We are very pleased to hear the 
announcement, Mr. Chairman, and the support from the committee. 
I will just say that we also hope the subcommittee might move 
ahead with carefully crafted Internet neutrality legislation 
because we think it might put some balance on the more 
worrisome uses of DPI. And finally, it is outside of your 
jurisdiction, I think, but Congress has to examine and 
strengthen the communications privacy laws, ECPA, et cetera, at 
the same time which has to do with government access because 
all of these have been outstripped by technology and really 
change the nature of what privacy protections really exist at 
this point for consumers.
    So thank you so much.
    [The prepared statement of Ms. Harris 
follows:]*************** INSERT 1 ***************
    Mr. Boucher. Thank you very much, Ms. Harris.
    Mr. McSlarrow.

                  STATEMENT OF KYLE MCSLARROW

    Mr. McSlarrow. Mr. Chairman, Mr. Stearns, distinguished 
members of the subcommittee, thank you for giving me an 
opportunity to testify today.
    I think the starting place for the cable industry is to 
recognize that Congress passed probably what was at that time 
the first broad based opt-in statute, a very forward-leaning, 
pro-consumer, privacy protection regime that we have lived 
under for over 25 years for cable services. And today with 
digital voice services, we now live under the similar privacy 
protections offered under Section 222 of The Communications 
Act. And during that time I think our track record has been 
excellent both in terms of safeguarding consumer privacy and 
abiding by rules that I think people have discovered prove that 
good privacy protection in also good business so we believe 
that.
    As I think everybody has acknowledged, the question on the 
table isn't so much what people are doing today. It is about 
the emerging models and emerging ideas in creativity and what 
they mean for privacy, and we think it is completely 
appropriate to examine all of that.
    In the short time I have available, I do want to take a 
deeper dive into deep packet inspection because I think it is 
actually emblematic of this entire conversation. It is true 
that today, at least for my members, none of the cable ISPs are 
actually using any of this information for behavioral targeting 
purposes. But obviously, there are many industries including 
ours who are interested in trying to figure out a way to 
provide more relevant and useful advertising for the consumer. 
It is likely to support the entire Internet ecosystem. It is 
likely to spur more growth in creative ideas and content and 
services, but we recognize that it has to be done in a way that 
is respectful of the consumer's privacy.
    Deep packet inspection is actually not something that is 
new. One of the frustrations I think we have is that people act 
like something just happened yesterday, something new and 
different and scary. Deep packet inspection or packet 
inspection generally is something the operators, all providers 
have used or tools like that for many years and for very good 
reasons. I think the test is consumer expectations and I think 
broadly speaking, when a consumer sits down at a computer it is 
always on if they are a broadband customer. They go anywhere 
they want. They access any application they want. No one stops 
them. It all works. The speeds are doubling. The price per 
megabyte is dropping. Deployment is continuing but on the other 
side of that computer, there is a war going on. You have got 
network operators who are fighting malware and viruses and 
spam. You have got botnet armies and things that I don't even 
know about that are taking place in very complicated regime. 
The consumer doesn't know anything about that. They don't want 
to know anything about that. They don't necessarily need to 
know how you are dealing with it. They just want you to deal 
with it and we do.
    Now, I think reading everybody's testimony, I think 
everybody concedes that the use of deep packet inspection has 
today beneficent and pro-consumer purposes so I am not going to 
dwell on that. But I will say there it is hard to do analogies 
because probably no one in this room or very few are really 
technical experts here. But I do think we have to be very 
careful. We require some precision here when we are talking 
about deep packet inspection.
    I have heard and I think Leslie just said as an example, 
this is like the post office opening up your letter, going 
beyond looking at the address and looking at the contents of 
the letter. And I myself am guilty sometimes just saying a 
packet of information on the Internet has a header and a 
payload. But the truth is if you are looking at the layers of a 
packet, each layer has a header and payload. Each, you know, 
one layer, layer four is going to be something, you know, that 
has source and destination for IP addresses, all the way down 
to layer seven where you could have a web browser, URL address, 
source and destination. And when you hear envelope and content 
you think there is just one step before you get to the content 
but the truth is, it is really more like envelopes within 
envelopes, each one of which has addresses and at some point 
you do have content.
    So far as I can tell, I haven't done my own due diligence, 
the only time we are actually scanning and what I mean by scan, 
I mean a machine doing something in a billionth of a second, 
content is what we are trying to deter spam. All of the other 
activities related to deep packet inspections so far as I am 
aware, are looking at headers. That is the addresses that most 
people say they are actually oK with.
    So my point here is just a caution. Any technology can be 
used for good purposes and for bad. We recognize that no one 
would want us looking at the communications in an e-mail. We 
don't particularly want to do that. In fact, the only tracking 
I actually want to do is to track down the engineer who 
actually came up with the term deep packet inspection and shoot 
him.
    Last point and I realize I am rowing against the tide here 
and you do have my commitment, Mr. Chairman, that as you 
consider legislation to work constructively with you but I do 
want to make a final plea to consider allowing self-regulation 
to work and I would really say it for two reasons. Number one, 
this entire arena is moving so fast. There are new models being 
created. I know that is what gives rise to the concerns but I 
also think it is a caution. It is very hard to freeze one point 
in time with what is actually a fairly immature marketplace 
when you think about it how young the Internet system is and 
how young really the broadband market is. And I think we should 
allow industry and all stake-holders to try to work together 
using the oversight of this committee and the bully pulpit, 
force us to come up with self-regulatory principles that 
respect consumers' privacies knowing that at least in my 
industry's case, we have a backstop of legislation that gives a 
lot of the rules of the road. And the second is to recognize 
that behavioral advertising can potentially be the most pro-
consumer thing we do to enrich the Internet to allow new 
services that haven't even been created yet to survive and 
thrive by making it easy for those services new web 
applications to monetize their services without having to go 
out and get the capital necessary to launch a new service.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. McSlarrow 
follows:]*************** INSERT 2 ***************
    Mr. Boucher. Thank you, Mr. McSlarrow.
    Mr. Rotenberg.

                  STATEMENT OF MARC ROTENBERG

    Mr. Rotenberg. Thank you, Mr. Chairman and members of the 
committee. I appreciate the opportunity to be here today.
    EPIC has a broad interest in matters of consumer privacy 
and network security. We have worked on technical issues at 
ICANN and IETF on the evolving standards for Internet security. 
We have been at the FCC on rule-making for consumer privacy and 
we have even defended the commission's authority to enforce 
consumer protections on the network. So we have a broad 
understanding I think of the issues and the opportunities to 
safeguard consumers in this emerging online environment and I 
agree very strongly with the members of the committee who say 
that this is a vital issue for consumers today. According to 
the Federal Trade Commission, identity theft is the number one 
concern of American consumers. We have serious problems also 
with security breaches and so the need to find a policy here 
that makes it possible to take advantage of new technology to 
grow new business opportunities and at the same time to 
safeguard consumers is absolutely critical.
    Now, let me say a few words about the DPI issue and I 
should add I have also been teaching privacy law for many years 
over at Georgetown. One of the things that has occurred to me 
is that many of these issues that may seem new today, in fact 
have been with us for a very long time. So I want to say a few 
words now about The Communications Act of 1934. The 
Communications Act of 1934 set out the first regulatory 
framework for communication service providers in the United 
States and it tried to answer a simple question, in part. Under 
what circumstances should communication service providers get 
content to the information that they are conveying on behalf of 
their customers. And the answer, generally speaking, was to 
ensure the provision of the service to make sure that it worked 
and to protect security and to comply with a legal requirement 
provided by the government such as a warrant. And there really 
were no other exceptions which is to say you could listen in on 
the telephone to make sure your line was working, and you could 
deal with load leveling issues, and you could enforce a wiretap 
if you were told to do so but you weren't supposed to access 
the communications traffic for your own commercial benefit.
    And I think that commonsense understanding of the 
obligations of communication service providers answers most of 
the questions that have been asked about deep packet inspection 
today. I do not think that companies that are in the business 
of providing network services to customers should get access to 
the content of the communications for a commercial benefit. 
There may be other good reasons, spam, viruses, legal 
obligations which I think we would all accept are appropriate 
exceptions but broadly speaking I don't think there should be 
access.
    Now, here is where it gets interesting. The companies that 
have come along in the last couple of years such as NebuAd and 
Phorm have said we have a way to get access to the traffic that 
doesn't require us to know who the individual users are. We are 
going to do this type of targeting without collecting 
personally identifiable information which from a privacy 
perspective is actually very attractive because our big 
concern, of course, is that if companies know who these users 
are they build very detailed profiles and people just won't 
know how much information about them is being collected. And so 
NebuAd and Phorm, both companies that have been highly 
criticized for their technique are at the same time developing 
some of the most innovative methods for advertising because 
they are genuinely concerned about privacy.
    Now, this actually creates for you a very interesting 
dilemma. I don't think it solves the intercept problem because 
the truth is they are still going to the network without 
affirmative consent and they are still getting access and I 
think they are still violating The Wiretap Act as many of the 
members of this committee concluded last year and as European 
Commission Vivian Redding said early this month when she 
brought and action against the Government of Great Britain for 
allowing the service to go forward. So the intercept problem is 
still there but the question is let us say people agreed. Let 
us say people said well if you can do this advertising well and 
you are not profiling me maybe I am oK with that and I think 
you still have a policy challenge. I think you have to ensure 
that these new services really do protect the anonymity of the 
users, really ensure that it doesn't become possible later to 
figure out who these folks are or don't simply decide to change 
the business model.
    Now, why should you be concerned about that and why do you 
ultimately need to legislate because that is actually what 
happened 10 years ago with online advertising. When a company 
called DoubleClick said we can make anonymous advertising work 
on the Internet, many of us supported that. Many companies 
partnered with DoubleClick and then DoubleClick said well now 
that we got all of these people in our advertising base, maybe 
we should start identifying them. And that actually began the 
first wave of hearings on the issue of Internet privacy when 
people were being targeted because of who they were without 
adequate privacy protection. And I think that will be a 
critical question in this specific context for this committee 
to address.
    Mr. Chairman, if I would make one final point and I very 
much appreciate the fact that you have held this hearing and 
plan to hold another hearing, I do think from the user 
perspective we can't limit the discussion to concerns about 
DPI. There are a lot of other activities that implicate online 
privacy, web-based e-mail for example. I mean I am surprised 
that companies are able to get access to the content of e-mail 
and provide advertising on that basis. From the user's 
perspective that is the functional equivalent of the carrier 
getting access to the message and providing some, you know, 
commercial benefit. It is a difficult question that hasn't been 
addressed yet but I hope the committee will get to that one, as 
well.
    Thank you very much.
    [The prepared statement of Mr. Rotenberg 
follows:]*************** INSERT 3 ***************
    Mr. Boucher. Thank you, Mr. Rotenberg.
    Ms. Attwood.

                  STATEMENT OF DOROTHY ATTWOOD

    Ms. Attwood. Thank you, Chairman Boucher and Ranking Member 
Stearns for providing AT&T the opportunity to discuss consumer 
privacy in the online world.
    As the leading communications company in America, AT&T has 
a profound interest as a major advertiser, as a Web site 
publisher, as an Internet service provider and as a provider of 
communications generally, in seeing the Internet grow through 
an advertising-supported model. After all, online advertising 
fuels investment and innovation across a wide range of Internet 
activities and next generation forums of online advertising 
could prove quite valuable to consumers and could dramatically 
improve their online experiences.
    At the same time, we balance our interest in the evolution 
of online advertising with the unique investment we have in 
concentration on our customer relationships. These 
relationships are our most treasured asset and we are doggedly 
focused on enhancing them and ensuring that our customer 
expectations are met. For this reason, AT&T has articulated and 
publicly supports a pro-consumer framework that both promotes 
the privacy interests of our customers as well as fostering 
advancements that lead to more useful and relevant online 
advertising. We have endorsed the simple principle that we need 
to engage consumers and offer them transparency and control 
over their Internet experience.
    The new forms of online advertising that is the subject of 
today's hearing which we generally refer to as behavioral 
advertising, can take many forms. They can in theory involve 
the use by an ISP of technologies such as deep packet 
inspection to capture and analyze a user's Internet browsing 
activities and experience across unrelated Web sites. They also 
involve search engines and advertising networks implementing 
evermore sophisticated technologies to track consumer web 
surfing and search activity over time, to develop profiles of 
consumer activity and combine data from offline and online 
sources. They are not inherently problematic but pitfalls can 
arise because behavioral advertising in its current forms is 
largely invisible to customers.
    We have actually conducted focus groups and we have asked 
our customers their views on behavioral advertising and the 
results have been illuminating. Customers clearly appear to 
understand and willingly accept that information will be 
collected in commercial relationships and will be used to offer 
goods and services that are of value to them. But these same 
consumers do not well understand and fully embrace the concept 
that their online activity associated across unrelated Web 
sites or their overall web browsing activity can be and is used 
today to create detailed profiles of them. They can see the 
benefits of more targeted and relevant advertising but they 
want control over their personal information and they want that 
control to be individualized.
    These new online advertising paradigms must therefore be 
designed to account for a new set of still evolving customer 
expectations about how personal information will be used and 
how personal privacy will be safeguarded. As an industry then, 
we must deploy next generation advertising techniques in tandem 
with next generation privacy innovations and any solution must 
be achieved by all elements of the Internet ecosystem.
    For its part, AT&T is listening to its customers and we are 
confronting the opportunities and challenges presented by 
behavioral advertising by not thoughtlessly lurching into this 
realm. We will initiate such a program only after testing and 
validating the various technologies and only after establishing 
clear and consistent methods and procedures to engage 
customers, to ensure the protection of and ultimately their 
control over their information. If AT&T deploys these 
technologies and processes, we will do it the right way. So 
indeed, AT&T has already adopted flexible privacy principles 
that will guide any effort to engage in behavioral advertising, 
the pillars of which are transparency, customer control, 
privacy protection and customer value. These principles can be 
the foundation of an ethic of consumer engagement for all 
players in the online behavioral advertising sphere and it both 
ensures that customers have ultimate control over the use of 
their personal information and guards against privacy abuse.
    I want to thank you very much and look forward to your 
questions.
    [The prepared statement of Ms. Attwood 
follows:]*************** INSERT 4 ***************
    Mr. Boucher. Thank you very much, Ms. Attwood.
    Mr. Scott.

                     STATEMENT OF BEN SCOTT

    Mr. Scott. Thank you, Chairman Boucher and Ranking Member 
Stearns and members of the subcommittee.
    I am the policy director for Free Press. We are the largest 
public interest organization in the country that works on media 
policy issues. I would like to focus my testimony this morning 
on deep packet inspection or DPI. I have submitted a white 
paper on the subject for the record which I will try to 
summarize here.
    You have already heard about the uses for DPI for the 
collection of personal information about Internet users for 
advertising purposes. I would like to focus on other issues of 
DPI technology because really any time a network monitors 
Internet traffic as Mr. Rotenberg pointed out, we have a 
potential privacy problem. That harm is compounded by DPI tools 
that violate network neutrality with any competitive practices.
    Let me offer a little context. It is 3 years ago we had a 
robust debate in the Congress over the necessity of net 
neutrality and privacy rules to protect the consumers, and that 
debate largely turned on whether or not the harms were 
hypothetical, and indeed the technology did not exist in 2006 
that would have permitted wide-scale violations. Today these 
technologies do exist. They are deep packet inspection devices 
and they are now widely deployed. Worse still, from my 
perspective, an entire industry of manufacturers has emerged 
that markets DPI explicitly to monitor and control consumer 
behavior online. All a network operator has to do is flip the 
switch.
    DPI will have a broad impact on the Internet. Without this 
technology, everything you do online is sent through the 
network basically anonymously, e-mail, sports scores, family 
photos. The network doesn't know or care what you are doing. 
Online anonymity in this sense also has the virtue of 
nondiscrimination. But with DPI, it is a whole new ballgame. 
This technology can track every online click. Once a network 
owner can see what you are doing, they have the power to 
manipulate your experience. They can sell you ads. They can 
block content. They can speed things up. They can slow things 
down. Perhaps there is no better way to describe what DPI can 
do then to quote directly from the manufacturers' marketing 
materials. Their selling points are exactly the uses that 
trouble me most.
    Let me offer a few examples. Zeugma Systems describes its 
technology as a way for network owners to ``see, manage and 
monetize individual flows to individual subscribers.'' A 
company called Allot promises that their equipment empowers 
ISPs ``to meter and control individual use of applications and 
services'' including to help network owners ``reduce the 
performance of applications with negative influence on revenues 
(e.g. competitive VoIP services).'' Now, that sounds like 
blatantly anti-competitive behavior to me. Procera Networks 
went so far as to publish a brochure that was titled ``If You 
Can See It, You Can Monetize It.'' That is chilling stuff and 
there are more than a dozen of these companies. I could go on 
and on. They sell products marketed to help ISPs make more 
money by spying on consumers and controlling how they use the 
Internet.
    Let me be clear, the technology itself is not necessarily 
problematic. However, in the past year deep packet inspection 
has evolved from basically innocuous to potentially insidious. 
DPI was created as a network security tool but has become a 
mechanism of precise surveillance and content control. We have 
already begun to see incidents of bad behavior.
    This subcommittee has had hearings on Comcast and NebuAd 
which both used DPI in secret, questionable ways. Today, Cox 
Communications is using DPI to speed up some applications and 
slow down others. These types of practices may have short term 
traffic management benefits but the tradeoff is the 
unprecedented step of putting a network owner in control of 
consumers' online choices. After this first step, it is a 
slippery slope. We could soon see every major ISP in the 
country adopt a different traffic control regime. Without 
oversight, this could vulcanize the Internet so that 
applications that work on a network in Virginia may not work on 
a network in Kansas or Florida.
    The critical question is how to best protect consumers from 
these kinds of harms. Let me offer an analogy. Think of DPI 
technologies as similar to complex financial instruments like, 
I don't know, credit default swaps. Properly regulated they can 
be used as a constructive part of our banking system. But 
without oversight, they can run amuck and severely harm 
consumers.
    What we need are bright line rules of consumer protections. 
The negative implications for privacy network neutrality are 
already clear but the new uses of DPI may also reduce 
incentives for infrastructure investment. Installing DPI offers 
a tempting alternative to building a robust network. At a 
fraction of the cost, a DPI can discourage users from high-
bandwidth applications or charge higher fees for priority 
access.
    Before these technologies become firmly entrenched, we 
encourage Congress to open a broad inquiry to determine what is 
in the best interest of consumers. Once DPI devices are 
activated across the Internet, it will be very difficult to 
reverse course.
    I thank you for your time and I do look forward to your 
questions.
    [The prepared statement of Mr. Scott 
follows:]*************** INSERT 5 ***************
    Mr. Boucher. Thank you, Mr. Scott.
    Mr. Knapp.

                  STATEMENT OF BRIAN R. KNAPP

    Mr. Knapp. Good morning, Chairman Boucher, nice to see you 
again, Ranking Member Stearns and members of the subcommittee.
    My name is Brian Knapp, Chief Operating Officer. I have 
responsibility at Loopt for day-to-day business operations as 
well as privacy policy, data security matters and legal 
affairs.
    Since you may not be familiar with my company, Loopt, 
please allow me to tell you a little bit about our company. We 
are a location-based service that can change the way friends 
and family connect, share and explore in the mobile 
environment. Loopt facilitates real world interactions by 
helping users connect on the go and navigate their social and 
family lives. Loopt users can see their friends and family 
where they are located and what is going on around them via 
detailed interactive maps on their mobile phones. And users can 
also share location information and updates with their networks 
of friends on a variety of popular social networks and 
communities. Over one million users have already registered for 
Loopt and by all accounts, consumers are very excited about 
emerging mobile services and location services like Loopt.
    Loopt itself got started back in 2005 when Sam Altman, a 
sophomore computer science major at Stanford University had an 
epiphany as he walked out of class, realizing that it would be 
great if he could open his mobile phone and see a map of where 
all his friends were. Since 2005, Loopt has grown. We are 
located in Mountain View, proud to be in Congresswoman Eshoo's 
district. We have grown to over 40 employees and our service is 
launched across multiple wireless carriers and mobile devices.
    Today we are available on AT&T Mobility, Sprint Nextel, 
Boost Mobile, MetroPCS, T-Mobile and Verizon Wireless networks 
as well as popular devices such as the Apple iPhone, Blackberry 
and Google's Android G1. Depending on the service provider and 
the device, the cost of Loopt ranges from free and advertising-
supported to $3.99 per month.
    From its inception, Loopt's founders and investors made a 
commitment to the development of strong privacy practices and 
policies. I began working with the company in late-2005 and was 
hired full-time by the company as chief privacy officer and 
general counsel two years ago, and they asked me specifically 
to focus on these areas as we developed our service and grew 
the company. At that time, we only had 13 other employees and 
we were alive on one network operator at the time. However, 
even in our early days we knew that investing in an effective 
privacy program was necessary for our users and an important 
foundation for our future business growth and success.
    Our privacy approach is based on the key principles of 
user-control, education and notice and our regime specifically 
includes informed consent. Our service is 100 percent 
permission-based so users are choosing to download and access 
Loopt. We receive this informed consent from every user. They 
must proceed through a multi-step registration process which 
has key information about how the service works and how they 
should use it responsibly. And there are several ways to access 
our key user agreements and privacy policies. At the end of my 
testimony there is actually a flow of this process that you can 
see.
    We have reminders and notifications even after users have 
registered to again have them keep in mind how to use the 
service responsibly and access the privacy settings. Speaking 
of privacy settings, we have several controls so they can 
manage where, when and with whom their location is shared and 
displayed.
    Also, any friend connections or family connections made on 
Loopt are also chosen by the user so there is no automatic 
sharing of location information. You have to decide who you are 
going to share that information with and then you can still 
control it after the fact.
    We also have age limits on our service so our minimum age 
is 14 years and we have implemented an age-neutral screening 
mechanism in compliance that works in accordance with the FTC's 
guidance with regard to COPPA best practices. We have report 
abuse links throughout the service so the community can give us 
feedback if other users seem to be behaving badly. Our privacy 
notice and user education are key aspects of our regime. Our 
privacy notice is readily available and viewable within the 
mobile application itself and on our Web site and may actually 
be received by e-mail or postal delivery for our users. Our Web 
site contains detailed information about our privacy features 
as well as frequently asked questions and there are several 
links on the homepage of that site to access this information.
    I want to emphasize that we have developed these policies 
by listening to our customers and working closely with leading 
mobile social networking and online privacy and security 
organizations, including the Center for Democracy and 
Technology, the Electronic Frontier Foundation, the Family 
Online Safety Institute and Progress and Freedom Foundation, 
among others.
    We also participated in an Internet safety technical task 
force and finally, we also participated in the development of 
CTIA's Guidelines and Best Practices for Location-Based 
Services. And our accomplishments to date in terms of privacy 
and security innovation would not have been possible without 
the great feedback, insights and know-how of these 
organizations and folks on the hill.
    We believe that the result of all this collaboration is a 
consistent, sound set of privacy policies that apply to all of 
our users, regardless of where they live or use the service. We 
know that Loopt's customers value their privacy and especially 
the easy access to tools and information to control their 
privacy settings as needed so we have created a privacy policy 
and regime that is both straightforward, effective and easy to 
understand. We do note that this is an evolutionary process.
    We look forward to participating in these hearing and 
learning from other companies and the hill. And we will 
continue to strive for excellence in privacy innovation and 
aspire as a company to achieve effective privacy by design.
    Thank you for the opportunity to share our story and I look 
forward to any questions you may have.
    [The prepared statement of Mr. Knapp 
follows:]*************** INSERT 6 ***************
    Mr. Boucher. Thank you, Mr. Knapp.
    Mr. Bennett.

                  STATEMENT OF RICHARD BENNETT

    Mr. Bennett. Good morning, Mr. Chairman, Mr. Stearns and 
members.
    Thanks very much for inviting me. This is the first 
Congressional meeting I have actually attended in person since 
Senate Watergate. So maybe I should tell you what I know and 
when I came to know it.
    I am actually--some said there are no technical experts 
here. I am kind of offended by that because I am supposed to be 
one. I have been developing network systems for some 30 years 
in the Ethernet and Wi-Fi systems that use today include some 
innovations that I personally invented and put there. And so 
when I look at these technologies the sort of collection of 
technologies that are coming under the umbrella of deep packet 
inspection, I think I have a slightly different perspective on 
it then most people do because what I see them as is an 
evolution of the tools that we have used to develop network 
technologies over the years.
    It has been essential in the development of every network 
protocol and in every network access device to have 
intelligence about the behavior of the systems that are 
communicating and the forwarding behavior of the intermediate 
nodes and the network that move the packets along. Without the 
ability to have that information we would not have been able to 
develop the systems that we all use today on the Internet and 
on the related private networks that feed the Internet.
    We never called this deep packet inspection. We simply 
called it packet monitoring and that process which was largely 
a matter of running a system that had filters that could 
capture packets from a live network and store them for the 
immediate examination and analysis by a network engineer, has 
been automated into a system that takes that information that 
has always been accessible to network engineers. There is not 
any--I mean I take issue with Mr. Scott that there has been 
some new leap forward in this technology in the last year. I 
mean there really hasn't. It is a smooth evolution from the 
systems that we have always used for manual analysis into 
archiving and data-mining, and these are the features that have 
actually changed in the use of this technology over the years.
    The raw information has always been there and the raw 
information is there because digital networks typically don't 
carry encrypted traffic. And the reason for that is a lot of 
the information that you might think of as payload is actually 
header from another point of view as Mr. McSlarrow indicated. 
When we examine a network packet there is in fact a series of 
headers that you get that you have to go through before you get 
to final payload. And there is no actual location in that 
packet where you can draw a bright line and say everything to 
the right of this is payload, everything to the rest is header 
because applications invent protocols on top of protocols, on 
top of protocols and it is a more or less never-ending process 
because that is how new services are born on the web.
    So I am not worried about the use of deep packet inspection 
if I can use that term for network management purposes. For 
network management purposes it is vitally important for network 
operators to be able to apply network engineering principles, 
not for the purpose of making competing services perform less 
well but to make them perform more well.
    In one of the reasons that Comcast implemented the system 
that they got in so much trouble for a couple of years ago was 
because they had customer complaints that Vonage was not 
working well on their network. And they analyzed the traffic on 
their network to troubleshoot this problem that customers were 
reporting with Vonage's voiceover IP service and what they 
found was the rise of peer-to-peer traffic was causing delays 
for Vonage. And this is because peer-to-peer traffic puts 
enormous volume on the uplink side of a network that was 
engineered primarily to supply data in the downlink direction. 
And the reason it is engineered that way is because that simply 
is the way that data flows on the worldwide web and when you 
click on a Web site you send a small message upstream and what 
you receive downstream is, you know, 30, 50, 100,000 bytes.
    So the networks are engineered to behave asymmetrically. A 
new application comes along that actually puts more data on the 
uplink side then it draws down on the downlink side and it 
destabilizes the network engineering throughout the entire 
network. And so the engineering tools are applied to identify 
that problem and they made a crude attempt and they admit--I 
mean I am actually more positive about their attempts then they 
are. They admitted that their attempt to resolve that problem 
was done incorrectly and so the way that that should be done is 
in a more anonymous and more protocol-neutral manner where they 
simply collect data about the volume of traffic that individual 
users are putting on the network over a 15 minute period of 
time. So this is a beneficial use.
    In my written testimony, there is a little footnote where I 
try explain why I think the issue of deep packet inspection is 
so--there is so much animosity against it. Now, I think what is 
actually behind that is a dispute over two competing regulatory 
models for advanced telecommunication services like Internet 
and broadband. The traditional method has been described by FCC 
Commissioner McDowell as technology silos, where we regulate 
telecom one way. We regulate information services another way 
and every new technology that comes along becomes the subject 
of a new raft of regulations. Well, it turns out that 
technology silos approach with Title One, Title Two regulations 
isn't effective when you have competing services like voice and 
video that can be delivered across different platforms. And so 
there are a couple of different ways to address that problem 
and one solution that has been proposed is to go to a 
functional layering model where the different layers of the 
network are regulated according to different standards.
    So we treat carriers one way because that they are 
basically moving packets across a network. We treat web 
services providers a different way because they are on top of 
that infrastructure. But I think that approach which 
essentially is just rotating the silos model 90 degrees to the 
right exhibits a lot of the same problems because what you have 
is the ambiguity of services. E-mail is a service that can be 
provided by an ISP and traditionally is but it can also be 
provided by a web company like Google or Yahoo. Is there some 
reason why Google and Yahoo's e-mail should be regulated 
differently from an ISP's e-mail? I don't think there is. E-
mail is e-mail is e-mail. It is a service.
    Mr. Boucher. Mr. Bennett, you are now about 2-1/2 minutes 
over your time if you would wrap up.
    Mr. Bennett. I am sorry. I got too inspired.
    Mr. Boucher. That is quite all right.
    Mr. Bennett. So that is my pitch is that I think that 
rather than focusing on the technology, it makes more sense to 
look at the services themselves and to begin with the standards 
of proper disclosure and truth in advertising that any service 
should have.
    [The prepared statement of Mr. Bennett 
follows:]*************** INSERT 7 ***************
    Mr. Boucher. Thank you very much, Mr. Bennett and thanks to 
each of our witnesses this morning for your informative 
testimony.
    So a question that I have all of you are invited to comment 
on this relates to whether or not we have anyone at the present 
time using network technologies for behavioral advertising 
purposes. NebuAd has gone. Is anyone using packet inspections 
specifically today for the kinds of activities that NebuAd I 
suppose is the way you pronounce this but NebuAd was using at 
the time this subcommittee had a hearing on that practice 
during the last Congress, Mr. Rotenberg?
    Mr. Rotenberg. Mr. Chairman, my understanding is that there 
is no provider in the United States right now that is using DPI 
for targeting in large measure because of the work that was 
done by this committee last year. But the activity is 
continuing in the United Kingdom and that is very interesting 
to watch both by the response of the companies, some of which 
have said that they will not participate, and also by the 
response of the European commissioners responsible for privacy 
protection who have said they are going to try to crack down on 
this practice. But my understanding in the U.S. is that it is 
not currently taking place.
    Mr. Boucher. Thank you. Do any of you have suggestions for 
other kinds of network technologies apart from the ones we 
focused on today and that would be specifically deep packet 
inspection, the new possible uses of cable set-top boxes and 
the GPS tracking chips that are now placed in some mobile 
devices? Those are the three we focused on today. Are you aware 
of any other similar kinds of technologies that carry 
significant privacy implications that we should keep an eye on, 
Ms. Harris?
    Ms. Harris. Mr. Chairman, I just think it is important to 
clarify and maybe this is Brian's to clarify and not me that 
GPS is not the only way that location is being collected for 
services. So I think there is somewhat of a misunderstanding 
that GPS chips and I would rather Brian describe it then I but, 
you know, I wouldn't want--I would rather we focus on location 
services because if you say GPS then it actually will not reach 
a lot of the mobile services that are going.
    Mr. Boucher. That is appropriate. Any further comment on 
that question, Mr. Rotenberg?
    Mr. Rotenberg. Well, this follows from Leslie Harris' 
point. If your concern, for example, is about mobile tracking 
in the network environment then I think you should also look at 
the issue of IP addressing. In other words, the designation 
that is associated with a device in the network can reveal a 
great deal of information about the user of the device and the 
location of the device. It is actually what enables services 
like Loopt, for example, to track users.
    Mr. Boucher. All right. Any further comment, Mr. Knapp?
    Mr. Knapp. Yes, I mean I actually am not entirely sure 
about the IP address association but there are a wide variety 
of location technologies that enable these kind of applications 
consumers are enjoying. And, you know, I would just say that 
also speaks to why any consideration on legislation in this 
regard needs to be very considered so it is not sort of 
immediately put out of date by a new technology and broadly 
consider location information as you do other data.
    Mr. Boucher. Thank you, Mr. Knapp. Ms. Attwood?
    Ms. Attwood. Mr. Chairman, I would like to answer the 
question that I would have liked you to ask me and broaden I 
think your intent. I think it is important to understand that 
the device isn't the concern that should be the focus of a 
privacy hearing because technology will improve and advance. I 
think in the USA Today story about how there is concerns about 
using social networks by individuals in the security context, 
you know, there will be advances in technology and devices. I 
think the question is starting from the proposition of are 
there things that we need to be looking at as an industry 
relative to protecting privacy interests and in that regard I 
would agree.
    Mr. Boucher. Let me get to that in a subsequent question. I 
was just focusing for the moment on the presence of emerging 
technology. I wanted to make sure we were covering the 
waterfront in the terms of the technologies that we need to 
keep an eye on so but thank you for that. I am actually going 
to come to that now and I want to begin by commending both you 
and also Mr. McSlarrow on your announced intention to protect 
consumer privacy in association with the use of technologies 
that can reveal an extensive amount of information about those 
consumers. My precise question to you, to both of you, is 
whether you have developed privacy policies to the level of 
detail of the application of consumer opt-in as compared to 
consumer opt-out. Have you gotten to that level of detail in 
terms of formulating and announcing your consumer protection 
policies?
    Ms. Attwood. Well, with respect to the specific topic of 
DPI, we have in fact announced that we will not use DPI. We 
don't use it today and we will not use DPI in connection with 
behavioral advertising without the customer's express 
meaningful consent.
    Mr. Boucher. And does express meaningful consent imply opt-
in?
    Ms. Attwood. It absolutely can imply opt-in. I am going to 
push all of you in the committee as we learn more about these 
issues to advance our thinking and our discussion about what we 
mean by opt-in. Opt-in is an old terminology. Opt-out is an old 
terminology.
    Mr. Boucher. In our thinking, it basically means that your 
customer would have to take an affirmative step of some kind in 
order to expressly authorize you to engage in the 
identification and tracking process. So checking a box, 
clicking a box on the Web site would be an example of opt-in.
    Ms. Attwood. It would absolutely be an example of a 
customer engagement and what we have committed to is that we 
will in fact bring the customer into that decision about how 
their information is used before we use any DPI for behavioral 
advertising. And I think really I commend and I encourage you 
to look at Loopt's way in which they have approached it and 
they have absolutely worked on a very small form which is a 
mobile device and made sure that customers not only check a box 
but actually engage with the service provider, understand what 
they are purchasing and therefore get the benefit of it.
    Mr. Boucher. So it is opt-in plus?
    Ms. Attwood. I would say it is engagement and it is in fact 
a complete transparency and customer control, yes.
    Mr. Boucher. OK. Thank you. Mr. McSlarrow.
    Mr. McSlarrow. Mr. Chairman, as an industry I don't think 
we have made any announcement but I can, as you suggested, 
report that at least for the ISPs, when you are talking about 
user data providing the bedrock for behavioral targeted 
advertising, they recognize the burden has got to be a lot 
heavier. It has got to approximate and I sort of associate 
myself with Dorothy's comment about whether it is opt-in or not 
but the point is that the step, affirmative step taken by the 
consumer after engagement and education we have recognized is 
the necessary precondition to moving forward.
    Mr. Boucher. OK. Thank you. Mr. Knapp, you as Ms. Attwood 
has suggested, are using a form of opt-in in order to gain your 
customers' consent before you engage in location activities 
using mobile devices. What brought you to that model? What were 
the considerations and can you describe how that works in your 
application?
    Mr. Knapp. Sure and I think the illustrations in the back 
of my testimony are great if members would like to turn to that 
and sort of see the flow that the user goes through but the key 
is and it is with all of these applications the users are 
choosing to access them and so, you know, in the case of Loopt 
they are choosing to download it from the AT&T deck or the 
Apple's iPhone, the App-store. They download it and then they 
need to sort of set-up Loopt to work for them. And it was very 
clear to us that users want to be in complete control of 
whether a company like Loopt was accessing their location 
information and then allowing them to share it with others. And 
so it was pretty key for us given that they were going to use 
our application to share it with others to make sure that they 
initially walk through a step to set it up that educated them 
about the application and the service. So, you know, I mean a 
lot of these key privacy principles go back even a few decades 
to 1980 when the OECD published those and I think, you know, in 
subsequent privacy practices. And that is also why I mentioned 
before with regard to location information it is certainly 
sensitive information but I think you can look at and as we did 
other privacy laws and principles that are out there and 
guidelines, and apply them broadly to information like 
location.
    Mr. Boucher. Thank you, Mr. Knapp. My time has expired. The 
gentleman from Florida, Mr. Stearns, is recognized for 5 
minutes.
    Mr. Stearns. Thank you, Mr. Chairman. Mr. Rotenberg, I have 
had the opportunity to hear you as a panel witness particularly 
when I was chairman of the consumer trade and protection 
subcommittee. Although the bill is a little old, it was dropped 
in the 109th Congress, the Consumer Privacy Protection Act, 
HR1263, which my good friend, Mr. Boucher, was a co-sponsor. He 
and I worked together on this bill. Do you think that bill as 
it has been written could be used as a starting point for this? 
And how would you change it today for a general privacy bill 
for out of this subcommittee?
    Mr. Rotenberg. Thank you very much for the question, Mr. 
Stearns. I also want to commend you by the way because I do 
remember that series of hearings that you held on consumer 
privacy which I think were very important hearings. I would 
need to go back and look at the legislation that you and the 
Chairman had put together. I do recall thinking at the time 
that we needed to be sure that the policies gave consumers some 
meaningful control over their information. That it wouldn't be 
enough just for the consumers to be told the policy of the 
company and then to consent, opt-in or opt-out, but we really 
wanted to give consumers the assurance that for example 
security standards were being followed. One of the things that 
we have learned over the last few years of course is that we 
have problems today with security breaches in the U.S. and it 
impacts business and the Internet user. So I think that would 
be important. There is always this difficult issue of course of 
a State preemption. I appreciate that the businesses would like 
a national standard. That is a tough one.
    Mr. Stearns. That was one. If you might just take a moment 
and go back since you are an educator and you could give us a 
good sounding, it might be helpful for Mr. Boucher and I to 
have your written comments about the bill and what you think. 
Is anyone else on the panel familiar with the bill that I 
dropped, H.R. 1263, that Mr. Boucher and I who would like to 
comment on it? Yes, Ms. Harris.
    Ms. Harris. Mr. Stearns, I think we would have to go back 
and refresh our memory, as well.
    Mr. Stearns. OK.
    Ms. Harris. You know, at the time I think we, you know, 
there were always as Marc has said, series of questions about 
preemption, about standard, just thinking about development 
since then, behavioral advertising we have to sort of put it in 
context but we would be glad to come back to you.
    Mr. Stearns. OK. Mr. Bennett, you had mentioned in your 
opening statement about in some cases the difference between an 
ISP services and a web-based services, you know, if you are 
talking about sort of web-based services like Google and 
Microsoft and Yahoo, do you think they should be--have a 
separate type of privacy policy or is the privacy policy that 
we apply applicable to them too?
    Mr. Bennett. I think e-mail is e-mail and it doesn't matter 
whether it is provided by the ISP or by a web-based services 
provider. I think the exact same standards for disclosure and 
transparency should apply to a web-based service that is 
equivalent like e-mail is to services traditionally been 
provided by ISPs.
    Mr. Stearns. To your knowledge, are the people providing e-
mail today, web-based services, are they scanning our e-mails 
for certain words? To your knowledge, could that be?
    Mr. Bennett. Google absolutely does. I mean the web-based 
e-mail services are primarily advertising supported because 
unlike the ISPs they don't collect a subscription fee. So some 
of them have an option where you can get the advertising taken 
off your e-mail.
    Mr. Stearns. But does that prevent the web-based service 
from still scanning if you click that?
    Mr. Bennett. I believe it would. I can't say that for a 
certainty.
    Mr. Stearns. But you are saying right now that most of 
these web-based services are scanning our e-mail for certain 
words using that as a double back to give us advertising so 
that when I go on one of these which I do, I see all these ads 
and sometimes these ads are for things that appear to me that I 
have just been interested in not too long ago.
    Mr. Bennett. Um-hum.
    Mr. Stearns. So if that is true, do you think that is 
considered something that should be part of a privacy bill so 
that consumers are aware when they go on their e-mail that 
their words are scanned, that their e-mail is being scanned?
    Mr. Bennett. I think it depends on a judgment that you have 
to make about consumer awareness. I mean it seems to me that 
people that subscribe to an e-mail service like Yahoo or Gmail 
are aware of the fact that it is an advertising supported 
service and I think Google does a pretty good job of disclosing 
the fact that they scan the e-mails for contextual clues so 
that they can put more relevant ads, you know, alongside the e-
mails.
    Mr. Stearns. Yes, Mr. McSlarrow, the Chairman had mentioned 
the Project Canoe and it is being used I think to track 
consumers watching. I think you might just give us an idea what 
the status is of the cable industry with this Project Canoe, 
what it is really about and how it is being tracked and what 
the future is for the cable industry?
    Mr. McSlarrow. Sure, it is now called Canoe Ventures. It is 
a consortium of six cable operators.
    Mr. Stearns. Can you tell us who they are?
    Mr. McSlarrow. I should be able to remember that, Comcast, 
Time Warner, Brighthouse, Cablevision. I will have to get you 
the complete list.
    Mr. Stearns. Cox?
    Mr. McSlarrow. I believe Cox, yes.
    Mr. Stearns. Yes, oK.
    Mr. McSlarrow. And I know I am missing somebody. Basically 
the idea is to build a platform to work with program networks 
and advertisers to allow them to deliver more relevant 
advertising to the consumer. The classic example used by the 
CEO of Canoe Ventures is the ideal would be to make sure you 
could deliver a dog food commercial to a household that has 
dogs, in the here and now.
    Mr. Stearns. So this is an interactive operation where 
there must be a remote for the customer on Comcast, for 
example, and when this program comes up they can hit a remote 
which will tell them yes they want it then that is a feedback, 
has information that the cable operator gives to the advertiser 
which in turn he puts an ad back in to give.
    Mr. McSlarrow. It could be.
    Mr. Stearns. Could be.
    Mr. McSlarrow. Today they only have two products that they 
are planning on launching and one uses just third-party 
demographics data. It doesn't have any set-top box user data at 
all.
    Mr. Stearns. No interaction.
    Mr. McSlarrow. The second one would be what you just 
described which would be a commercial comes up and you have an 
opportunity to hit a button and say yes I would like to order a 
pizza. So it is that built-in, opt-in system. In preparing for 
this hearing, I actually asked them the question whether or not 
they had any plans to use set-top box generated data for 
purposes of advertising. It is not even on the product road map 
but they do recognize if and when down the road they get to a 
point in time where they would have to take a look at that, 
they would have to comply fully with the Cable Act which exists 
today and I think they are very conscious of the privacy 
implications of everything they do but as I said it is not even 
on the product roadmap.
    Mr. Stearns. All right. Thank you, Mr. Chairman.
    Mr. Boucher. Thank you, Mr. Stearns. The gentlelady from 
California, Ms. Eshoo, is recognized for 5 minutes.
    Ms. Eshoo. Thank you, Mr. Chairman, and thank you to each 
of the witnesses. This has been a really a valuable experience 
to listen to each of you coming at the subject matter for the 
subcommittee today. First, Ms. Attwood, I didn't when you 
talked about opt-in, does AT&T support opt-in?
    Ms. Attwood. AT&T for the use of DPI for behavioral 
targeting, yes, we have said we will not use DPI for 
behavioral.
    Ms. Eshoo. Because you used the word engagement, you said 
we support engagement.
    Ms. Attwood. Yes, I think engagement.
    Ms. Eshoo. You want to talk about weddings, we want to talk 
about this.
    Ms. Attwood. Yes, sure, I think engagement is actually a 
better way to describe what we are talking about which is 
customer awareness but.
    Ms. Eshoo. So you do support opt-in?
    Ms. Attwood. Yes.
    Ms. Eshoo. OK. Now, in the last three years AT&T, as you 
know, has paid more than $21 million to resolve FCC claims that 
it misused a customer's personal information. What is your 
policy moving forward to get away from that record?
    Ms. Attwood. We are very proud of our record is supporting 
our customers' privacy. I think you are referring to UPN 
issues.
    Ms. Eshoo. Well, $21 million in fines is a lot. I don't 
know who else in the industry has paid that much and but we 
don't want past to be prolog and so I am giving you the 
opportunity to tell the subcommittee where you move--how you 
move forward and what kind of policy AT&T would support beyond 
opt-in?
    Ms. Attwood. So part of the success story in any fine and 
any enforcement action is the fact that we have committed to 
improve our policies and in fact stand up and acknowledge the 
cooperation and work with the regulatory agency in order to 
ensure the protection of the customer information at issue 
there. So we absolutely pledge to continue to work on that.
    Ms. Eshoo. Good. OK. Now, on I have a couple more 
questions. Has AT&T used AudioScience.com to place ads on the 
web?
    Ms. Attwood. Not to my knowledge if you are asking 
AudioScience with respect to DPI solutions, is that what you 
are asking?
    Ms. Eshoo. Well, it is my understanding that that is the 
case is it?
    Ms. Attwood. No.
    Ms. Eshoo. I mean do you--does, has AT&T used AudioScience?
    Ms. Attwood. We do not use a DPI solution to place ads on 
our web, no.
    Ms. Eshoo. Does AudioScience.com notify customers when data 
is collected or you don't deal with them at all?
    Ms. Attwood. I am not familiar with the dealings with 
AudioScience. I am happy to get back to you on with respect to 
that particular vendor.
    Ms. Eshoo. OK. I would appreciate that. To, Mr. McSlarrow 
and Ms. Harris, in Mr. Bennett's written testimony he says ``I 
fear the only way to ensure robust protection for personal 
privacy in the long run is to replace the open access 
advertising supported business model with one in which we pay 
for content and services.'' I guess this modern day ``modest 
proposal'' is one solution. I think it would destroy a free and 
open Internet and that it would in turn fix all of the privacy 
concerns that we have discussed today. But I think the real 
issue here is what you think or if you think that consumer 
privacy and a free and open Internet are compatible?
    Mr. Rotenberg. Yes, well Congresswoman I understand where 
Mr. Bennett is coming from. I mean there is the concern right 
now that if we continue down the unregulated advertising model 
that is sustaining the Internet, there is no stopping point. 
And I even raise in my testimony the related concern that this 
won't only be about privacy. This will be about web publishers 
because the content on the Web sites will become less valuable 
to the advertising networks as they learn more about the users. 
They will effectively bypass the content which will actually 
weaken the publishing industry. So I don't even think it is 
just privacy that is at risk in the unregulated advertising 
model. I think it is web-based publishing that is at risk, as 
well. Now, while I am sympathetic to his view, I do think 
advertising is important and can help sustain a lot of the 
Internet as long as limitations are established. That is really 
the key here. If we can say yes we need advertising. We 
understand that and there is a benefit here by having Internet 
with advertising but we are going to draw some lines and you 
are not going to get to do these tremendous profiles of users 
that currently taking place. I think that is a sustainable 
model. In fact, that is the tradition in the publishing world. 
You know, publishing up until recently had done very well for 
the user, for the publisher and for the advertiser but we are 
going down a road right now which I am afraid will actually 
lead to collapse.
    Ms. Eshoo. Kyle, you want to say something?
    Mr. McSlarrow. Well, I think the short answer is I think 
they are compatible. I think, you know, one of the great--I 
mean we can all, at least some of us can remember, you know, 
the day that the Internet was sort of commercialized but that 
is the world we live in and I think the great thing about the 
Internet is it is proven that you can take what was an old 
broadcast advertising model with a lot of waste and refine it 
in a way that allowed the services we have today. To me, the 
next step by keeping privacy in mind is to make that 
advertising model potentially even more relevant and more 
useful to advertisers. I just think it lists the entire 
Internet so I think we have to recognize privacy is an 
important part of it but I do think for the future of the 
Internet that kind of targeted advertising is going to be 
essential.
    Ms. Eshoo. Ms. Harris.
    Ms. Harris. Well, I remain skeptical about the value of the 
behavioral advertising in the long run but, you know, it is 
here and I think the, you know, at the end of the day it is can 
we get a privacy regime in place that is going to put consumers 
back in charge and be able to make choices.
    Ms. Eshoo. I agree.
    Ms. Harris. I think that if we are chasing each business 
model, each technology, we are not going to be able to do this 
and we have to step back and ask what is it that we want to 
give consumers the right to do in terms of controlling what is 
reasonable and put that in place.
    Ms. Eshoo. And in going back to the exchange I believe that 
you had with the Chairman, you see that as best being carried 
out, implemented how?
    Ms. Harris. Well, I think we need a law that is a privacy 
framework.
    Ms. Eshoo. Yes.
    Ms. Harris. That is, you know, that we move that has to do 
with data collection wherever it is collected and right now 
strong sectoral laws. We have cable law that is fairly strong. 
We really on the Internet except for if you make a privacy 
promise and fail to keep it then you have a FTC violation, you 
don't have any rules. We have some sectors that engage in self-
regulation that is reasonably robust but that is not ultimately 
going to be an answer given how this is going.
    Ms. Eshoo. Because it is not tameless.
    Ms. Harris. It is not going to be enough.
    Ms. Eshoo. Thank you very much.
    Ms. Harris. Sure.
    Ms. Eshoo. Thank you, Mr. Chairman.
    Ms. Boucher. Thank you very much. Thank you, Ms. Eshoo. The 
gentleman from Florida is recognized for a unanimous consent 
request.
    Mr. Stearns. Thank you, Mr. Chairman. I just want to put 
the testimony of Scott Cleland, the president for Precursor, 
LLC. He testified before the Energy and subcommittee, our 
subcommittee on July 17, 2008, and I think it would be relevant 
to have his part of this hearing. So if you ask unanimous 
consent to be made a part thereof.
    Mr. Boucher. Without objection.
    [The information appears at the conclusion of the 
hearing.]*************** INSERT 9 ***************
    Mr. Boucher. The gentlelady from Colorado, Ms. DeGette, is 
recognized for 5 minutes. I am sorry, 7 minutes in total.
    Ms. DeGette. Thank you very much. Thank you very much, Mr. 
Chairman. I want to follow-up on the line of questioning that 
Ms. Eshoo was talking about because I am concerned on the one 
hand I think DPI has shown to be an effective and an efficient 
way to deal with spam and other security issues. On the other 
hand, I am thinking here about consumer protection and the 
choices that people have to make in accessing services or 
Internet content. And listening to the witnesses talk about 
opt-in or consumer knowledge or whatever terminology you want 
to use about it, it really underscores for me something Ms. 
Attwood said which is we don't really know what we mean when we 
say consumer knowledge or assent. For example, with Mr. Knapp's 
company, we were impressed by all the levels of informed 
consent that you ask for but I also have, I am sure your 
company doesn't do behavioral advertising. That is not what you 
are getting the informed consent for, correct?
    Mr. Knapp. We will support our service with advertising.
    Ms. DeGette. Are you going to do behavioral advertising 
with DPI?
    Mr. Knapp. Generally no, DPI is not something that we--we 
are a mobile application.
    Ms. DeGette. Right, it is a different application.
    Mr. Knapp. Exactly.
    Ms. DeGette. So are you going to say to your consumers now 
we are going to monitor what we are going to use this 
technology to do behavioral advertising that is tailored toward 
you and your habits? Do you want to opt-in to that? Are you 
going to do that?
    Mr. Knapp. And we in fact we do. We are going to support 
Loopt through advertising.
    Ms. DeGette. No, that is not my question.
    Mr. Knapp. Sure.
    Ms. DeGette. Is that going to be part of the informed 
consent that you give?
    Mr. Knapp. Yes.
    Ms. DeGette. OK. Good. Now, that is admirable because my 
question is to Mr. McSlarrow is that going to happen with all 
of the members of your association that that is the kind of 
informed consent that the consumers are going to have?
    Mr. McSlarrow. I think actually I need to back up. I 
represent not just ISPs but also networks and I make a 
distinction among them because and this is one of the points, 
there are many actors on the Internet. For the ISPs, yes, we 
recognize that there is a heavier burden to use the personally 
identified.
    Ms. DeGette. So they are going to say to people, I mean 
they are going to say to people now if you give informed 
consent what that means is that your communications are going 
to be tracked and tailored for behavioral advertising?
    Mr. McSlarrow. Yes, I think the notice in disclosure has to 
be as robust as possible. I mean this has to be legible and the 
English people need to understand this is exactly what we are 
talking about.
    Ms. DeGette. That is great. Ms. Harris, you are nodding 
your head.
    Ms. Harris. We testified in front of this subcommittee last 
year on behavioral advertising saying that is what it is 
required. Frankly, we think it is required already under the 
Electronic Communications Privacy laws. Obviously, we want that 
incorporated into a Consumer Privacy law but that is the right 
answer. I think it is hard. I think given the fact that ISPs 
are in a position where they are not in daily contact with 
their users, you haven't made a decision to go to a site, the 
online environment has not done a good job yet with opt-out so 
I think this is a difficult step. It is a big commitment and it 
will be difficult to implement but it is the right choice.
    Ms. DeGette. Right. Well, I agree with that and I am happy 
to hear both of you say that you are going to do that. Ms. 
Attwood, is that also the intention of AT&T?
    Ms. Attwood. Yes and we stated that on several occasions 
with respect to our ISP service, yes.
    Ms. DeGette. That it would be because I think consumers now 
understand. I know when I sign up for some kind of Internet 
communication or whatever it says, you know, our policy is we 
do not sell or otherwise communicate your data to other people 
unless you check here so people get that. I am not sure they 
understand DPI or what that means and I am wondering, Mr. 
Rotenberg, is eager to address this issue.
    Mr. Rotenberg. Well, Congresswoman, I would like to join 
this chorus and certainly opt-in would be preferable to opt-out 
but I don't think it is sufficient. And I don't think it is 
sufficient because it won't be meaningful unless consumers 
actually understand what data about them is being collected and 
how it is being used.
    Ms. DeGette. That is my point.
    Mr. Rotenberg. And I think the mistake that is often made 
is that we place so much emphasis on a policy and so much 
emphasis on obtaining consent that the person who is actually 
being asked to make the decision really doesn't have any 
information to make the decision. So for many of these 
Internet-based techniques, people really need to know what 
information about them is being collected. Show it to me and 
who are you giving it to and for what purpose? Now, if the 
person is oK with all of that, then you say yes, that is 
consent.
    Ms. DeGette. That is exactly what I am trying to say.
    Mr. Rotenberg. OK. Well, that is great.
    Ms. DeGette. And the reason why I am concerned about that 
is because I don't think that certainly people above a certain 
age like me, may not understand exactly how this data can be 
used or where it can go. People under a certain age don't 
have--I think of my two teenaged daughters. They may not have 
the sophistication to understand why that could be a problem 
which is why I think you have to have adequate disclosure and 
education.
    Mr. Rotenberg. Right and if I could say one more point 
because, you know, my children are on Facebook now and we spend 
a lot of time looking at privacy issues with Facebook. And one 
of the things that struck me is that young people are actually 
pretty sophisticated about what information they put up, what 
information they don't put up. And when the change of the terms 
of service changed for Facebook, they organized and objected 
and Facebook listened and there has been a very important 
process going on because the users of the service knew what was 
happening. But and here is a very important related point, the 
information about Facebook users that flows to advertisers and 
application developers, people know very little about and it is 
those applications that they don't have any meaningful control 
over.
    Ms. DeGette. That is right and so that is why I think we 
really we can say informed consent or we can say consumer 
awareness or whatever but we need to make sure that they 
understand exactly where that information is going.
    Mr. Rotenberg. Yes.
    Ms. DeGette. And I think everybody up here is shaking their 
heads so I think, Mr. McSlarrow, do you agree with that 
concept?
    Mr. McSlarrow. I totally agree with it and not only is it 
the right thing to do, I think it is good business.
    Ms. DeGette. Great. OK. Thank you. Thank you very much, Mr. 
Chairman.
    Mr. Boucher. Thank you, Ms. DeGette. The gentleman from 
Illinois, Mr. Rush, the chairman of the Subcommittee on 
Consumer Protection is recognized for 5 minutes.
    Mr. Rush. Thank you, Mr. Chairman. And, Mr. Chairman, I 
want to begin by really thanking you for your comments earlier 
in this hearing. I want you to know that I look forward to 
working very vigorously with you and on this particular issue 
and look forward to our joint hearing that we will be having in 
the near future. Mr. Chairman, I am going to start out with 
some questions that I would like for all of the panel if they 
would just even provide either a yes or no answer. And the 
question I am going to get right to what I believe for me is 
the heart of the matter, do you think that Congress should pass 
consumer privacy legislation with regard to all of the 
communications network?
    Mr. Rotenberg. How many votes do I get? Yes.
    Mr. Rush. Well, from Chicago we will see where we wind up 
at and then we will add something to it. OK. All right. I am 
beginning with you.
    Ms. Harris. Yes, absolutely we need to develop a baseline 
consumer privacy bill that is based on fair information 
practices across all technologies. And frankly we need a bill 
that covers all collection and goes beyond this, you know, the 
media environment. We have got sectoral laws right now that hit 
some sectors and not others so I mean we need to do both and it 
is not clear to me it should be done separately. We need a 
baseline consumer privacy bill that has to do with data 
collection and obviously there is a need to reconcile the fact 
that we have different or no standards in media but from a 
consumer protection point of view, I think it is probably 
broader than that.
    Mr. Rush. OK. The fellow next to you.
    Mr. McSlarrow. OK. Mr. Chairman, no but I would like to be 
at the table when do.
    Mr. Rush. OK. All right.
    Mr. Rotenberg. Yes, Mr. Chairman.
    Mr. Rush. Yes, oK.
    Ms. Attwood. I guess I would have to say it depends and 
certainly I can echo the comments that everyone has made about 
a broad based look. I encourage the kinds of discussions that 
we are having today but it may be premature and that is quite 
frankly so that we can get better educated and as an industry 
so we have an opportunity. There is a lot of complex 
relationships that govern this environment and in order to get 
a complete answer we really need to have the industry 
supportive and so I would urge us as an industry and working 
with out fellows in the public interest world and civil society 
to come up with a robust plan. That does not mean that 
legislation is not something that ultimately is at the end of 
that road but certainly right now the first step is discussion.
    Mr. Rush. All right. Please, yes sir?
    Mr. Scott. Yes, I agree a baseline privacy law would be a 
reasonable next step.
    Mr. Rush. Yes, oK.
    Mr. Knapp. This is my first hearing. Is maybe an acceptable 
answer? I think as a cutting edge innovative company that 
really wants to offer a service that users love and they want 
for free I, you know, I think a high level privacy framework 
that sticks by tried and true principles would be beneficial. 
But I do have concerns when laws get too specific or focus on a 
snapshot in a moment of time as I think has been mentioned here 
today and may get outdated an problematic for some companies 
like us who are trying to innovate and offer services for free 
to comply. And so those would be my concerns about that 
approach.
    Mr. Rush. All right. Go ahead.
    Mr. Bennett. Mr. Rush, I think I could support a bill like 
that if the emphasis was on disclosure rather than on 
prohibitions of particular practices. And one feature that I 
would like to see in it is that once a consumer has opted into 
a data collection service, I think you should get a regular 
reminder or the opt-in shouldn't be perpetual. So when you opt-
in to a service it works for a year then you have to get a 
notice and you have a choice of opting in again because I don't 
know how many Web sites I have given permission to, to collect 
information on me over the years that I have completely 
forgotten about.
    Mr. Rush. So your answer is yes?
    Mr. Bennett. I answered yes.
    Mr. Rush. OK. All right. Thank you. Mr. Rotenberg, since we 
need another vote form you. Why don't you answer again? I am 
just kidding. All right. The next question that I have is and 
please the same sequences for all the panel is do you believe 
that consumers should have the same sort of control if and how 
their information is selected? Do you believe that they should 
control if and how this information is used? Please answer a 
yes or no.
    Ms. Harris. I think that the question of use is an 
important one and it seems to me that when you are authorizing 
a collection you ought to also be authorizing the purposes or 
you are authorizing that it can be used for multiple purposes. 
But I don't think, you know, simply saying you can have my data 
or not have my data answers the question. We use your data for 
marketing, opt-in, don't opt-in. We use your data for, you 
know, I mean I think there are some uses of data which are 
transactional that, you know, if you are ordering a product I 
think separately saying you can use my data to do what is 
necessary to process this transaction seems unnecessary but for 
uses that are not directly connected for the initial purpose of 
collection it is just a standard fair information practice then 
I think yes of course you have to authorize that.
    Mr. Rush. Sure. Next gentleman.
    Mr. McSlarrow. I think in our case The Cable Act actually 
is a good example which says that when you give authorization 
for personally identifiable information, it doesn't take into 
account the use of that data for just rendering the business 
services. But once you go beyond that I think you do have to 
identify what the purpose is you would use it for.
    Mr. Rotenberg. Mr. Chairman, I would say yes and I would 
probably add in some other things too like ensuring security of 
the data that is collected and some access to the information 
and some accountability. I think the basic elements of a 
privacy bill and in fact The Cable Act is a good model or at 
least the pre-Patriot Act version was a good model from 1984. 
That is a good starting point.
    Ms. Attwood. Yes, we support transparency and control.
    Mr. Scott. Absolutely and I think beyond that I agree that 
the consumer is not only entitled to know that their data is 
being used but three other things. One is intentionality, the 
other is behavior and the third is outcome. Why do you want my 
information? What are you going to do with it? And what does 
that mean to me as a consumer?
    Mr. Rush. Yes.
    Mr. Knapp. Yes we agree with the principles of transparency 
and control, as well.
    Mr. Rush. OK.
    Mr. Bennett. That is a yes for me, too.
    Mr. Rush. Thank you, Mr. Chairman. I appreciate you, sir.
    Mr. Boucher. Thank you very much, Mr. Rush, and we look 
forward to coordinating closely with you as we develop the 
joint hearing between our two subcommittees and then thereafter 
as we develop privacy legislation which we will put forward in 
tandem.
    Mr. Rush. Nice of you to say, Mr. Chairman.
    Mr. Boucher. And thank you for your presentation.
    Mr. Rush. You are a great Chairman.
    Mr. Boucher. Thank you very much. The gentleman from New 
York, Mr. Weiner, is recognized for 5 minutes.
    Mr. Weiner. Mr. Chairman, I won't take the full 5 minutes. 
It strikes me that some of the what gets hairy here is saying 
is defining what it is that you are checking the box to do. For 
example, is you say I want help in deciding what other products 
are out there that are being sold that I might be interested 
in. It is a pretty tough box to word. I mean it is a pretty 
tough disclosure to have any real meaning but I think by and 
large, consumers do like that. I mean I like it when you go to 
Amazon and it says we also have this for you. So I think one of 
the problems that we often face is that disclosure has tipping 
point that if you want it until the point that there is so much 
of it that it ceases to really disclose anything. And I think 
the part of the challenge that we have is trying to come up 
with terms of art that truly do encapsulate what we are trying 
to do. For example, you know, would you like to be told about 
other products you might be interested in. Theoretically, that 
can be just about anything. I mean it is concise and it is 
crisp and it probably is worded in a way that will entice 
people to check a box and I don't know how you have a second 
line that says but you are going to get a lot of stuff and a 
lot of companies that might be far removed from this shoe 
purchase might be getting information. And so I mean can you 
offer us any guidance on how to make this type of disclosure 
opt-in, opt-out truly useful to consumers without us all having 
to retain, you know, to go to lawyers.com to read what I am 
getting at Amazon.com. I don't know who would be best to tackle 
that? Whoever leans forward first.
    Mr. Rotenberg. Well, I mean, Congressman, it is an 
excellent point and it is one of the reasons I have suggest in 
my testimony not to place too much emphasis on opt-in or opt-
out as the basis for privacy protection. Given a choice between 
opt-in and opt-out from the consumers' perspective, opt-in is 
preferable because it means more control but for many of the 
reasons you described, it won't be adequate for real privacy 
protection. For example, no one agrees to a security breach. In 
other words, you may check a box and give a company some 
information and some magnetic tape is going to fall off the 
back of the truck. You certainly didn't agree to that so there 
has to be a way I think within privacy law to get it to a 
broader range of issues for many of the reasons your described.
    Ms. Harris. I agree with that. I think that the Congress 
has been stymied in moving that forward on privacy because of 
the sole focus being about opt-in and opt-out, and not looking 
more broadly at how to resolve some of these, you know, other 
questions. And we don't know how to give notice well in a way 
that consumers understand. You know, I think one thing to look 
to is we just passed landmark new privacy protections in the 
healthcare context and it could have gotten equally tied-up 
around opt-in and opt-out and it focused far more broadly, you 
know, about where sharing was appropriate and not appropriate, 
security protections. So while those, while there are places 
where consent is required, it is not just about that. And I 
think that we do get hung up sometime and we don't wind up with 
a framework so we need a framework. And we would start with 
fair information practices because that is transparency. That 
is collecting data only to the extent you need it for the 
transaction. It is giving people choices about other uses and 
it is making the explanation about those other uses.
    Mr. Weiner. Right but before Ms. Attwood adds to this, even 
that is complicated, right?
    Ms. Harris. Right, I am not saying this is easy.
    Mr. Weiner. Right, I mean just about the transaction, well 
you bought the stereo. You should know about--do you mind if we 
share information with this speaker company and then you get 
information about that. I mean I agree it is that opt-in and 
opt-out is not the only way to do this and we are going to go 
far beyond that. But we have grown kind of culturally 
accustomed to the idea of having places that we kind of agree 
to what goes on. You know, when my credit card company says oh 
yes, well we told you about that. I am like, really that was 
page nine six months ago on the thing we told you about it. We 
are covered. So you are right, opt-in, opt-out is not 
everything but the way we have grown literate with how these 
things happen as citizens, there is some expectation that we 
are going to have some control over that.
    Ms. Harris. Oh absolutely, I am not suggesting that we 
shouldn't.
    Mr. Weiner. Right.
    Ms. Harris. I am saying that even that is much harder and 
has not been done well online in most instances so, you know, 
passing this framework is the beginning but the assumption that 
we are going to get these practices right overnight, no, we are 
not.
    Mr. Weiner. Go ahead, Ms. Attwood.
    Ms. Attwood. I just I guess I offer some hope in the 
context of if you approach this as a legal exercise then 
consent is something that is a, you know, it is a difficult 
proposition to get right. But if you approach this as actually 
what really is exploding online and the idea that in fact you 
are trying to get personalization and you are trying to get 
information that is all about me and you are trying to get a 
page that identifies my likes and dislikes, I have confidence 
that that in fact this industry using new and developing tools 
will be able to actually communicate more effectively to the 
customer and allow that kind of customization and that 
personalization to be an advance. If we think about this as a 
design feature, privacy is a design feature in what I am 
offering then it is in my interest as a commercial entity to 
make it very clear that proposition. That is why you see the 
success of Loopt. On one level, his service is extremely 
complicated. On the other level, the customer gets it right 
away, understands the value of proposition and that 
communication is something that as an industry I think I am 
optimistic that we can work to grow that communication and make 
it work for consumers.
    Mr. Weiner. Thank you, Mr. Chairman.
    Mr. Boucher. Thank you very much, Mr. Weiner. The 
gentlelady from the Virgin Islands, Ms. Christensen, is 
recognized for 5 minutes.
    Ms. Christensen. Thank you, Mr. Chairman, and this is a 
very interesting hearing for me. Privacy is an issue that is of 
very much concern to minority communities like the one I 
represent and it comes up whenever we talk about HIT and other 
issues related. Ms. Attwood, when you were asking about opt-in 
and opt-out and you talked about engagement it seemed as though 
you used that word deliberately and wanted to elaborate on it 
and I wanted to be give you an opportunity to explain what you 
mean by engagement.
    Ms. Attwood. Sure, I actually think Mr. Rotenberg said it a 
lot better and but I think everybody on the panel has discussed 
it that when we talk about opt-in and opt-out, we really are 
limited in the concept of what we are trying to discuss when it 
comes to really ensuring that the customer is part of the 
decision about the use of the information and that is a broader 
concept. That is a concept that is engaging. That is a concept 
that is enticing. That is a concept of control. Opt-in, we have 
all been a part of opt-ins. I think the Congressman from New 
York described it where, you know, it is pages and pages and 
pages where the company is entirely protected and there is a 
checked box but it is not. The customer is not in fact really 
participating in that decision, you know, and so I am hopeful 
this industry can in fact rally around the idea of really 
bringing the customer into that decision and it can happen in a 
broader way.
    Ms. Christensen. I am kind of old fashioned and I am trying 
to remember when I see those kinds of boxes, I just want to 
skip them. Do people usually answer them and or do you have to 
opt-in or opt-out, just for my information, not as a swear. Do 
you have to answer it?
    Ms. Attwood. If it is designed that way, I mean they are 
designed differently but there are some that are forced screens 
or box where you can't get past it unless you do something so 
yes. There are others that in fact don't require that but most 
times it is a service obligation to check that box.
    Ms. Christensen. And in the cases where you just ignore it 
and try to move on and you can, that is assumed to be an opt-
out?
    Ms. Attwood. It would be possibly an opt-out. It really 
again depends on the design of that. It may be that you don't 
get the service.
    Ms. Christensen. Did you want to say something, Ms. Harris?
    Ms. Harris. Yes, I do want to agree with Ms. Attwood on the 
question of can industry doing this. I mean in discussing this 
with Mr. Weiner, it is very hard but when industry chooses to 
do this, when they choose to do it sort of at the beginning and 
do privacy by design rather than privacy by law, it can be 
accomplished. Loopt is an example. There are several examples 
in the online healthcare space where from the very beginning 
this has been built in, in a way that consumers can use. So I, 
you know, it is hard to say that we are in this environment of 
such technological innovation and we can't figure out how to 
use that technological innovation to make this simpler. I think 
we can. I think frankly a privacy framework will encourage that 
but I do think at the end of the day it is going to have to be, 
you know, a combination. The law by itself in the absence of 
companies stepping up and doing that and that is what is going 
to have to happen.
    Ms. Christensen. OK. I thought Mr. Bennett's suggestion of 
having to go back periodically and opt-in was a good one. Does 
that happen now and if doesn't, would you all support 
periodically having to go back and review that question?
    Mr. Rotenberg. We have actually recommended that the right 
way to understand consent is that you should be able to opt-in 
when you choose to have your data used in a way and then opt-
out at the point that you want to discontinue the use and I 
think Mr. Bennett's comment captures that but any time you 
choose to leave a service--this came up recently with Facebook, 
for example.
    Ms. Christensen. Yes.
    Mr. Rotenberg. Facebook wanted to tell users well you leave 
the service. We will keep your data and the user said well that 
is not right. I mean if we leave the service we want you to 
delete the data.
    Ms. Christensen. Right.
    Mr. Rotenberg. And Facebook agreed and I think that is 
people's intuition and it is really fair, and when companies go 
against it then there is a problem.
    Ms. Christensen. Right.
    Ms. Harris. I think it is going to be a very important 
concept for the ISPs if they are to move into this space 
because for some people who are not also using an ISP's e-mail 
service, they may not be communicating with their ISP except 
at, you know, initially to sign up or get a bill so the 
potential to think about screens that come on, you know, that 
explain what you agreed to and give you a choice to change your 
mind, I think it is going to be a critical part of it.
    Mr. Scott. It strikes me that whether we are talking about 
reminders which I think is a great idea or engagement or 
clarity and transparency, we are really talking about our 
different forms of consumer education because the real problem 
is that most consumers don't have any idea what the 10,000 
words of six point font means when they check the box at the 
bottom and oftentimes, sometimes those boxes are pre-checked or 
you can't buy the shoes unless you check the box and so in many 
ways I think we need to be thinking about ways to help 
consumers understand exactly what it is that they are signing 
up for and what that means and what comes to my mind is the 
little glossy one-pager that my power company sends me every 
winter to try to advise me on how to save money on my power 
bills. It has got pictures. It is in big letters. I read it. I 
have actually found some helpful tips there. That is sort of is 
what I think of as engagement when I hear you say that and I 
think that is the kind of consumer education that can help us 
fix this problem.
    Ms. Christensen. Thank you. Thank you, Mr. Chairman.
    Mr. Boucher. Well, thank you very much, Ms. Christensen. I 
want to say thank you to all of the witnesses for their 
extremely informative testimony today. This has been an engaged 
conversation and as we close this hearing, I simply want to 
note that I personally concur completely with the suggestions 
that many have made here over the course of the last hour that 
what is needed is not just a decision between opt-in and opt-
out but also a framework for privacy protection. And I hasten 
to note that the legislation that Mr. Stearns and I put forward 
some several years ago which will be the starting point and the 
foundation for our privacy bill this year, contains exactly the 
kinds of formulas that many on the panel have suggested and 
that is that any service that collects information about a 
customer must disclose what information that is collected and 
how that information is used and then provide the appropriate 
opportunity for that customer to act on the information, 
whether that be by opt-in or opt-out. So opt-in taken by 
itself, is meaningless. There has to be an adequate description 
of what conduct the particular user is authorizing for it to 
have content and meaning and offer real protection. We get that 
and that will be very clearly a part of the foundation of the 
measure that we move forward with later.
    So with that having been said and acknowledged, let me 
thank this panel for its contributions to our understanding of 
the network technologies that have privacy implications for 
users and suggest that we probably are going to consulting with 
you at greater length as we move forward to have out joint 
hearing with the other subcommittee and also to draft this 
legislation. You have been very helpful to us. We appreciate 
your participation and with that said, this subcommittee stands 
adjourned.
    [Whereupon, at 12:10 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                                 
