b"<html>\n<title> - BEHAVIORAL ADVERTISING: INDUSTRY PRACTICES AND CONSUMERS' EXPECTATIONS</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n BEHAVIORAL ADVERTISING: INDUSTRY PRACTICES AND CONSUMERS' EXPECTATIONS\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                    SUBCOMMITTEE ON COMMERCE, TRADE,\n                        AND CONSUMER PROTECTION\n\n                                AND THE\n\n      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 18, 2009\n\n                               __________\n\n                           Serial No. 111-53\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n74-087                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                 HENRY A. WAXMAN, California, Chairman\n\nJOHN D. DINGELL, Michigan            JOE BARTON, Texas\n  Chairman Emeritus                    Ranking Member\nEDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas\nRICK BOUCHER, Virginia               FRED UPTON, Michigan\nFRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida\nBART GORDON, Tennessee               NATHAN DEAL, Georgia\nBOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky\nANNA G. ESHOO, California            JOHN SHIMKUS, Illinois\nBART STUPAK, Michigan                JOHN B. SHADEGG, Arizona\nELIOT L. ENGEL, New York             ROY BLUNT, Missouri\nGENE GREEN, Texas                    STEVE BUYER, Indiana\nDIANA DeGETTE, Colorado              GEORGE RADANOVICH, California\n  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania\nLOIS CAPPS, California               MARY BONO MACK, California\nMICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon\nJANE HARMAN, California              LEE TERRY, Nebraska\nTOM ALLEN, Maine                     MIKE ROGERS, Michigan\nJAN SCHAKOWSKY, Illinois             SUE WILKINS MYRICK, North Carolina\nHILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma\nCHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania\nJAY INSLEE, Washington               MICHAEL C. BURGESS, Texas\nTAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee\nMIKE ROSS, Arkansas                  PHIL GINGREY, Georgia\nANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana\nJIM MATHESON, Utah                   PARKER GRIFFITH, Alabama\nG.K. BUTTERFIELD, North Carolina     ROBERT E. LATTA, Ohio\nCHARLIE MELANCON, Louisiana\nJOHN BARROW, Georgia\nBARON P. HILL, Indiana\nDORIS O. MATSUI, California\nDONNA M. CHRISTENSEN, Virgin \nIslands\nKATHY CASTOR, Florida\nJOHN P. SARBANES, Maryland\nCHRISTOPHER S. MURPHY, Connecticut\nZACHARY T. SPACE, Ohio\nJERRY McNERNEY, California\nBETTY SUTTON, Ohio\nBRUCE BRALEY, Iowa\nPETER WELCH, Vermont\n\n                                  (ii)\n        Subcommittee on Commerce, Trade, and Consumer Protection\n\n                        BOBBY L. RUSH, Illinois\n                                  Chairman\nJAN SCHAKOWSKY, Illinois             CLIFF STEARNS, Florida\n    Vice Chair                            Ranking Member\nJOHN P. SARBANES, Maryland           RALPH M. HALL, Texas\nBETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky\nFRANK PALLONE, Jr., New Jersey       GEORGE RADANOVICH, California\nBART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania\nBART STUPAK, Michigan                MARY BONO MACK, California\nGENE GREEN, Texas                    LEE TERRY, Nebraska\nCHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan\nANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina\nJIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas\nG.K. BUTTERFIELD, North Carolina\nJOHN BARROW, Georgia\nDORIS O. MATSUI, California\nKATHY CASTOR, Florida\nZACHARY T. SPACE, Ohio\nBRUCE BRALEY, Iowa\nDIANA DeGETTE, Colorado\nJOHN D. DINGELL, Michigan (ex \n    officio)\n                                 ------                                \n\n      Subcommittee on Communications, Technology, and the Internet\n\n                         RICK BOUCHER, Virginia\n                                 Chairman\nEDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan\nBART GORDON, Tennessee                 Ranking Member\nBOBBY L. RUSH, Illinois              CLIFF STEARNS, Florida\nANNA G. ESHOO, California            NATHAN DEAL, Georgia\nBART STUPAK, Michigan                BARBARA CUBIN, Wyoming\nDIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois\nMICHAEL F. DOYLE, Pennsylvania       GEORGE RADANOVICH, California\nJAY INSLEE, Washington               MARY BONO MACK, California\nANTHONY D. WEINER, New York          GREG WALDEN, Oregon\nG.K. BUTTERFIELD, North Carolina     LEE TERRY, Nebraska\nCHARLIE MELANCON, Louisiana          MIKE FERGUSON, New Jersey\nBARON P. HILL, Indiana\nDORIS O. MATSUI, California\nDONNA M. CHRISTENSEN, Virgin \n    Islands\nKATHY CASTOR, Florida\nCHRISTOPHER S. MURPHY, Connecticut\nZACHARY T. SPACE, Ohio\nJERRY McNERNEY, California\nPETER WELCH, Vermont\nJOHN D. DINGELL, Michigan (ex \n    officio)\n\n\n\n\n\n\n\n\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Bobby L. Rush, a Representative in Congress from the State \n  of Illinois, opening statement.................................     1\nHon. George Radanovich, a Representative in Congress from the \n  State of California, opening statement.........................     3\nHon. Rick Boucher, a Representative in Congress from the \n  Commonwealth of Virginia, opening statement....................     4\n    Prepared statement...........................................     7\nHon. Cliff Stearns, a Representative in Congress from the State \n  of Florida, opening statement..................................     9\nHon. Zachary T. Space, a Representative in Congress from the \n  State of Ohio, opening statement...............................    10\nHon. Joe Barton, a Representative in Congress from the State of \n  Texas, opening statement.......................................    11\n    Prepared statement...........................................    13\nHon. Doris O. Matsui, a Representative in Congress from the State \n  of California, opening statement...............................    19\nHon. Joseph R. Pitts, a Representative in Congress from the \n  Commonwealth of Pennsylvania, prepared statement...............    21\nHon. Phil Gingrey, a Representative in Congress from the State of \n  Georgia, opening statement.....................................    23\nHon. Steve Scalise, a Representative in Congress from the State \n  of Louisiana, opening statement................................    24\nHon. John D. Dingell, a Representative in Congress from the State \n  of Michigan, prepared statement................................   145\nHon. Edward J. Markey, a Representative in Congress from the \n  Commonwealth of Massachusetts, prepared statement..............   148\nHon. Anna G. Eshoo, a Representative in Congress from the State \n  of California, prepared statement..............................   150\n\n                               Witnesses\n\nEdward W. Felten, Director, Center for Information Technology \n  Policy, Princeton University...................................    25\n    Prepared statement...........................................    28\n    Answers to submitted questions...............................   155\nAnne Toth, Vice President of Policy, Head of Privacy, Yahoo!, \n  Inc............................................................    36\n    Prepared statement...........................................    38\n    Answers to submitted questions...............................   158\nNicole Wong, Deputy General Counsel, Google Inc..................    48\n    Prepared statement...........................................    50\n    Answers to submitted questions \\1\\\nChristopher M. Kelly, Chief Privacy Officer, Facebook............    59\n    Prepared statement...........................................    61\n    Answers to submitted questions...............................   185\nJeffrey Chester, Executive Director, Center for Digital Democracy    68\n    Prepared statement...........................................    70\n    Answers to submitted questions...............................   189\nCharles D. Curran, Executive Director, Network Advertising \n  Initiative.....................................................    98\n    Prepared statement...........................................   100\n    Answers to submitted questions...............................   193\n\n----------\n\\1\\ Ms. Wong did not respond to submitted questions for the \n  record.\nScott Cleland, President, Precursor LLC..........................   115\n    Prepared statement...........................................   117\n    Answers to submitted questions \\2\\\n\n                           Submitted material\n\nLetter of June 16, 2009, from the FTC to Subcommittees, submitted \n  by Mr. Boucher.................................................   152\n\n----------\n\\2\\ Mr. Cleland did not respond to submitted questions for the \n  record.\n\n \n BEHAVIORAL ADVERTISING: INDUSTRY PRACTICES AND CONSUMERS' EXPECTATIONS\n\n                              ----------                              \n\n\n                        THURSDAY, JUNE 18, 2009\n\n        House of Representatives, Subcommittee on Commerce, \n            Trade, and Consumer Protection, joint with the \n            Subcommittee on Communications, Technology, and \n            the Internet, Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittees met, pursuant to call, at 10:08 a.m., in \nroom 2123 of the Rayburn House Office Building, Hon. Bobby L. \nRush (chairman of the Subcommittee on Commerce, Trade, and \nComsumer Protection) presiding.\n    Present from Subcommittee on Commerce, Trade, and Consumer \nProtection: Representatives Rush, Weiner, Matsui, Space, \nRadanovich, Stearns, Whitfield, Pitts, Terry, Gingrey, Scalise, \nand Barton (ex officio.)\n    Present from Subcommittee on Communications, Technology and \nthe Internet: Representatives Boucher, Barrow, Welch, Inslee, \nUpton, and Buyer.\n    Staff present: Amy Levine, Subcommittee Counsel; Jen \nBerenholz, Deputy Clerk; Timothy Robinson, Subcommittee \nCounsel; Michele Ash, Chief Counsel; Greg Guice, Subcommittee \nCounsel; Pat Delgado, Chief of Staff (Waxman); Will Cusey, \nSpecial Assistant; Sarah Fisher, Special Assistant; Anna \nLaiton, Counsel; and Roger Sherman, Chief Counsel.\n\n OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF ILLINOIS\n\n    Mr. Rush. Today is a joint hearing of the Subcommittees on \nCommerce, Trade, and Consumer Protection, and Communications, \nTechnology, and the Internet. And I want to welcome all of you \nto this hearing. And I want to just give you some advance \nnotice that in about 20 minutes, we will be called to the floor \nfor a series of votes. Some have estimated to be--we are \nscheduled for about 27 votes on the floor, which is certainly \ngoing to extend the hearing, and so we ask that you be patient \nwith us. We will try to conduct this hearing and try to be very \nmindful of your time, but our actions will be dictated by the \nHouse schedule and by the votes on the floor. Now I want to \nrecognize myself for 5 minutes of opening statement. As I \nindicated, today, the two subcommittees, Commerce, Trade, and \nConsumer Protection, and Communications, Technology, and the \nInternet are combining our commitment to privacy and our \nresources to conduct an extremely important hearing on \nBehavioral Advertising: Industry Practices and Consumers' \nExpectations.\n    And I just want to take a moment to thank Chairman Boucher \nfor not only his cooperation and working together and teaming \nup on this particular issue, but I want to thank him also for \nhis past championship and dedication to this very, very \nimportant issue. This is but one hearing along a continuum of \nlegislative activity examining the domains of online and off-\nline consumer privacy and how companies handle and treat \nconsumers' personal information. Most recently, the \nSubcommittee on Commerce, Trade, and Consumer Protection, which \nI chair, marked up H.R. 2221, the Data Accountability and Trust \nAct, a bipartisan bill, which addresses the security of \npersonal information, breaches of that security, and corrects \nsome of the resulting harms to consumers. I am hopeful that \nthere will be more hearings.\n    There are currently no federal laws specifically governing \nbehavioral advertising nor do we have a comprehensive general \nprivacy law. As members of Congress, we have anticipated for \nsome time that this hearing would be highly informative and \nvery valuable in helping us answer the question that everyone \nseems to ask, is federal privacy legislation necessary, or \nshould companies be trusted to discipline and regulate \nthemselves? At this hearing, I look forward to hearing from our \nvery distinguished panel of witnesses about this growing trend \nof online behavioral advertising. Market research firms have \nestimated that behaviorally targeted ad spending will reach \n$4.4 billion by the end of 2012. That number is eye-opening as \nit translates into almost 25 percent of all the online display \nad spending that is projected to be spent by year-end 2012.\n    As prevalent as these ads are becoming, so too are the buzz \nroad, which are purportedly needed to flush out the appropriate \ncontents of fair information principles and practices. Words \nand phrases such as transparency, choice, notice, consent, \nconsumer expectations, opt-in and opt-out seemingly mean \ndifferent things to different speakers depending upon an array \nof variables. Such variables may include the identity of the \nuser, whether he or she has registered with the visited Web \nsite, whether the ads are being served by first or third party \nsites, the sufficiency and conspicuousness of pre-existing \nprivacy policies and disclosures, the robustness of user-\nenabled settings for managing user privacy, and the list goes \non and on and on and on.\n    All of these variables are important to consider, but they \ncan muddle the issue of whether legislation is needed. I will \nbe listening intently to your accounts of how up front \ncompanies have been about the types of personal information \nthat they are collecting from consumers, what they are doing \nwith the information, and what choices and controls that \nconsumers have over the subsequent use of that information. I \nwant to thank all the witnesses for coming in this morning, for \nsharing with us, taking away from your busy schedule to provide \ninput, much-needed input, into these matters that are before us \ntoday. And I want to thank all the subcommittee members and the \nstaff for so diligently preparing us on this subcommittee for \nthese hearings. And now I want to recognize for 5 minutes for \nthe purposes of opening statement the ranking member, Mr. \nRadanovich. Mr. Radanovich is recognized for 5 minutes for \nopening statement.\n\n OPENING STATEMENT OF HON. GEORGE RADANOVICH, A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. Radanovich. Thank you, Mr. Chairman, and I want to \nthank you and Chairman Boucher and my fellow ranking member, \nMr. Upton, on these hearings today. I think it is a good issue \nthat we need to be talking about. Privacy continues to be an \nissue of increasing concern to consumers, and I am pleased that \nwe will be looking at all the relevant issues to determine what \nthe problems are and what possible solutions exist. What was \nonce thought to be an issue limited to business with whom \nconsumers had a customer relationship has been forever altered \nby the Internet. Progression and innovation in computer and \ndigital technology over the last 20 years has transformed many \naspects of our lives, and by the same token that progress has \nopened the possibility of potential abuses and invasions into \nour lives.\n    In the connected world of the Internet where data is \ninstantaneously accessible to anybody in the world, we have \nlearned how vast amounts of sensitive consumer data can be \ninadvertently disclosed or subject to more malicious and \nintentional theft. We also know the main reason consumers \nshould be concerned about the amount of personal information \nout there on the worldwide web is that sensitive personal \ninformation can be used for harmful purposes, particularly \nidentity theft. Thankfully, we are addressing some of those \nconcerns with the data security and breach notification \nlegislation moving through the committee right now. Our \noversight into the data security issue opened our eyes to the \ntypes of sensitive personal information many institutions \nranging from businesses to government maintain about us.\n    While information kept about us may be for legitimate \nreasons that mandate data retention, for instance, for law \nenforcement purposes most consumers do not fully understand how \ninformation gathered about us will be used or with whom it will \nbe shared. These concerns are legitimate. What is more, these \nconcerns over keeping personal information private are \nexacerbated by digital technology and the capabilities of \nInternet technology. Information that filled rooms of file \ncabinets in a paper-based business can now be stored in devices \nthat attach to a key ring and can be sent over the Internet in \nseconds, making information theft easy and often untraceable. \nThe ability to instantaneously collect, analyze, and store \nconsumers' online behavior for marketing purposes stretches \nthis dynamic even further.\n    The Internet quickly evolved beyond its original purpose as \na communication tool to become a means of commerce, education, \nand social interaction. A generation has been raised on the \nInternet with the ability to find information relevant to their \ninterests and communicate in ways that we could not imagine \nonly 10 years ago, and most expect these services to be \ncustomized for their preferences. But many of these \ntechnologies and practices that deliver high levels of \ncustomization present new challenges and concerns for \nconsumers, primarily understanding what the trade-off is for \nthese services. Do we need to relinquish personal information \nabout ourselves and our Internet for the purposes of generating \nmore user-specific advertisements in exchange for access to the \ninformation we seek on the Internet, and, if so, who has our \naccess to this information?\n    The Internet has been a successful tool for commerce and \nhas benefitted consumers with convenience, choice, and savings. \nRelevant advertisements based upon user interests will be more \nbeneficial to the consumer and business, which in concept is no \ndifferent than the manner in which marketing research \ndetermines which advertisements are selected to be placed in \nmagazines, newspapers or on television based on the intended \naudience. However, in practice the Internet is different \nbecause of its ability to track preferences on a minute by \nminute basis. The question is how advertisers engage in the \nprocess of identifying their potential target audience. \nSpecifically, what information is used to generate targeted \nadvertisements? I have a son who I would do anything to \nprotect, and although I cannot monitor him every waking moment \nand prohibit his ability to access the Internet, nor would I \nwant to, like any parent I want to trust that he will be safe \nto surf online and interact with his friends without being \nunknowingly monitored or profiled.\n    While my son is in a vulnerable demographic millions of \nAmericans of all ages spend time surfing, posting, and shopping \non the Internet. How their information is used and what control \nthe individual has over the collection of their information is \nat the center of the debate of whether we need a federal \nprivacy law, and, if so, how it should be structured and what \nactivities it will address. In the case of my son, I am \nconcerned with the information being gathered and how it is \nused. I am less concerned with who is conducting the behavioral \nprofiling or what technology they are using. I thank the \nwitnesses today, and I look forward to your testimony, \nparticularly hearing more about what the industry is doing to \naddress many of these concerns in and of itself. Mr. Chairman, \nI am ready to work with you and the stakeholders to address \nidentified problems and ensure whatever solutions develop will \nequally apply to the behavior regardless of who engages in it. \nThank you, Mr. Chairman.\n    Mr. Rush. The chair thanks the gentleman. It is now my \nprivilege and honor to recognize for 5 minutes for the purposes \nof opening statement the chairman of the Subcommittee on \nCommunications, Technology, and the Internet, the gentleman \nfrom West Virginia, Chairman Boucher, for 5 minutes.\n\n  OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN \n           CONGRESS FROM THE COMMONWEALTH OF VIRGINIA\n\n    Mr. Boucher. Well, thank you very much, Chairman Rush, and \nI want to begin this morning by saying thank you to you and to \nyour very fine staff and to Mr. Radanovich from California, \nyour ranking member, as well to Mr. Stearns and his staff for \nthe excellent cooperation we have had among ourselves as the \nplans for this joint hearing of our two subcommittees have \nprogressed. I very much look forward to our continued \ncollaboration as we consider the need for legislation and \ndiscuss the principles that privacy protection legislation \nshould embody. Broadband networks are a primary driver of the \nnational economy and it is fundamentally in the nation's \ninterest to encourage their expanded use.\n    One clear way Congress can promote greater use of the \nInternet for access to information, for electronic commerce, \nand for entertainment is to assure that Internet users have a \nhigh degree of privacy protection, including transparency about \ninformation collection practices and uses, and control over the \nuse of the information that is collected from those who use the \nInternet. I have previously announced my desire to work with \nChairman Waxman, Chairman Rush, and ranking members Barton, \nStearns, and Radanovich in order to develop legislation this \nyear extending to Internet users the assurance that their \nonline experience will be more secure. Such a measure would be \na driver of greater levels of Internet uses, such as electronic \ncommerce, not a hindrance to them.\n    Today's discussion will examine behavioral advertising and \nways to enhance consumer protection in association with it. I \nam a supporter and a beneficiary of targeted advertising. I \nwould much prefer to receive Internet advertisements that are \ntruly relevant to my particular interests. In fact, I have \nbought a significant number of items based upon targeted \nadvertising delivered to me from web sites that I frequently \nvisit. And so I have a deep appreciation of the value of \ntargeted advertising from the consumer perspective. It is \nimportant to note also that online advertising supports much of \nthe commercial content applications and services that are \navailable to Internet users without charge, and I have no \nintention of doing anything that would disrupt that very \nsuccessful, in fact, essential business model for Internet-\nbased companies.\n    At the same time, I think consumers are entitled to some \nbase line protections in the online space. Consumers should be \ngiven clear, concise information in an easy defined privacy \npolicy about what information a web site collects about them, \nhow that information is used, how long it is stored, how it is \nstored, what happens to it when it is no longer stored, and \nwhether it is ever given or sold to third parties. Consumers \nshould be able to opt out of first party use of the information \nand for its use by third parties or subsidiaries who are a part \nof the company's normal first party transactions or without \nwhom the company could not provide its service. All that would \nfall within the ambit of opt out. Consumers should be able to \nopt in to use of their information by third parties for those \nparties' own marketing purposes.\n    This arrangement should not prove to be burdensome. In \nfact, it is very much in line with the practices of many, if \nnot most, of the reputable service providers today. I look \nforward to hearing from your witnesses about their reactions to \nthis arrangement and how it can best balance Internet business \nmodels that depend on online advertising with adequate \nprotection for consumers' privacy. For example, have I \nsuggested a workable online opt in and opt out consent \narrangement or are there additional situations in which opt out \nconsent might sometimes be appropriate? What safeguards should \nbe in place in order to ensure that consumers are giving \nmeaningful consent to the sharing of their information both on \nand off the Internet? What role could self-regulatory \norganizations play in a statutory arrangement that ensures that \nall entities that collect information about Internet users \nabide by a basic set of consumer privacy standards.\n    I also look forward to learning about emerging approaches \nto enhancing consumer choice and controlled over the use of \ninformation through efforts like the network advertising \ninitiative and persistent opt out cookies. What benefits could \nthese services offer to consumers? What is the best way to \ninform consumers about the availability of these services and \nagain how should the consumers' meaningful consent be procured? \nI am also interested in hearing a purview of what the future of \nbehavioral advertising may hold and what services it might \nenable and how to accommodate privacy concerns associated with \nthose future services. I want to thank our witnesses for taking \nthe time to join us here today. They represent a broad and \ndiverse range of interest and are all deeply knowledgeable \nabout these subjects. We very much look forward to hearing your \ntestimony. Thank you, Mr. Chairman.\n    [The prepared statement of Mr. Boucher follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the ranking member of the Subcommittee on \nCommunications, the ranking member, Mr. Stearns, from Florida. \nHe is recognized for 5 minutes for the purposes of opening \nstatement.\n\n OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF FLORIDA\n\n    Mr. Stearns. Good morning, and, thank you, Mr. Chairman. I \nalso want to echo Mr. Boucher's comment that we look forward to \nworking together in a bipartisan fashion on a very important \nbill, and I want to thank the witnesses for coming this \nmorning. I think for the most part you are going to educate us. \nYou are the experts here, and we respect your opinions. We want \nto do no harm here. So I think when you look at the possibility \nof federal legislation dealing with privacy, we want to make \nsure that it is consumer centric. Consumers don't care if you \nare a search engine or a broadband provider. They just want the \nassurance that their privacy is protected. We must empower them \nto make these privacy decisions themselves. They feel, they \nknow how much ought to be collected and what should not be \ncollected. Congress cannot and should not make that decision \nfor them, but it can play a role in making sure consumers have \nthe information simply to make their own choices.\n    That means companies should be as transparent as possible \nabout what information they collect, and, of course, how they \nare using it. That way consumers will be better able to make \ninformed privacy decisions. This transparency should include \nrobust disclosure and notice outside the privacy policy. Notice \nand disclosure needs to be clear and conspicuous so the \nconsumers know that. First, some information is being \ncollected. Second, what is the information that is being \ncollected? How is it being used? And, third, how to prevent \nthis information being collected if they so desire. By giving \nthe consumer more robust and transparent information, we can \nstrike the proper balance between privacy protection and strong \nInternet commerce.\n    Furthermore, my colleagues, I want to emphasize two \nprinciples that should play a prominent role in our examination \nof this issue. First, we should apply the same privacy standard \nto companies that are engaged in similar conduct with similar \ninformation, but we should avoid applying those same standards \nto entities that do not use the same types of information for \nthe same purposes and do not have anywhere near the same volume \nof information about the perspective consumer. For example, \nsearch engines in the Internet advertising networks may use a \nconsumer's visit to a particular web site to create profiles \nnot directly related to the reason for the visit. Other \nentities, like web publishers, collect information only to \nprovide the very service the consumer has come for. Our \napproach should recognize that.\n    Second, any legislation in this area should hold various \nparties accountable only for that which they know and control. \nWe should be wary of efforts to make any one party responsible \nfor the actions of others. Consumers' online activities provide \nadvertisers with valuable information upon which to market \ntheir products and their services. Collecting this type of \ninformation for targeted advertising is very important because \nit simply allows many of these products and services to remain \nfree to consumers. Without this information, web sites would \neither have to cut back on their free information and services \nor would have to start charging a fee. Neither result is good \nfor the consumers. Overreaching privacy regulation could have a \nsignificant economic negative impact at a time when many \nbusinesses in our economy are struggling, so let us be very \ncareful on these issues before we leap to legislative \nregulatory proposals.\n    When I was chairman of the Commerce, Consumer Protection, \nand Trade, I held a number of hearings on privacies. I worked \nwith Chairman Boucher, and we developed a consumer privacy \nprotection at which we dropped as a bill. This bill would have \nrequired data collectors to provide consumers with information \non the entity collecting the information and the purposes for \nwhich the information was being collected. I believe it was, \nand still is, a good base bill to use as we move forward to \ndevelop a new privacy bill. Also, I would like to bring up an \nissue perhaps that many of us have thought about, and I don't \nwant to bog down our discussion about it. Which agency will \nregulate and enforce privacy standards? Will it be the FCC or \nthe Federal Trade Commission, a combination or possibly a new \nagency? I know this issue won't be solved this morning, but it \nis something we are going to have to work out and work through, \nand I look forward to doing this in a bipartisan fashion.\n    And I would be interested, if possible, if some of the \nwitnesses could give us their feelings about how the \njurisdiction of this privacy bill would be best supervised \nwith. So, Mr. Chairman, I would conclude by pointing out we \nhave talked a little bit at previous hearings about deep pocket \ninspection. The point is that whether a company uses deep \npocket inspection or reads your e-mail directly, this should be \npart of the privacy rules in some way. So I think our witnesses \ncan also help us on that particular aspect, so I look forward \nto hearing and thank you for the opportunity to speak.\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentleman from Ohio, Mr. Space, for 2 minutes \nfor the purposes of opening statement.\n\nOPENING STATEMENT OF HON. ZACHARY T. SPACE, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF OHIO\n\n    Mr. Space. Thank you, Chairman Rush and Chairman Boucher, \nRanking Member Radanovich and Ranking Member Stearns for \nconvening us today on the topic of behavioral advertising. I \nwas struck when reviewing Professor Felten's testimony by a \ncomment that he makes, ``Responsible ad services typically \ncollect less information and track users less intensively than \nthe technology would allow.'' To me, this means that just \nbecause we can doesn't mean that we should. I certainly \nunderstand the need for companies to advertise on their sites. \nDoing so is what enables our constituents to access free \ncontent, products, and services on line. They also understand \nthe desire of ad companies to supply consumers with ads that \nare of more relevance to them. This is a better business model \nfor the companies and potentially a service to consumers.\n    However, I want to make clear that one bad apple could \nspoil the whole bunch here. The moment online consumers believe \ntheir personal information is at risk of corruption, misuse or \ntheft will be the moment this approach we are discussing today \nwill cease to work. I strongly believe it is in the interest of \nall parties to disclose to consumers their advertising \npractices and intent and to ensure that consumers' personal \ninformation is strictly guarded against security breaches and \nexploitation. I look forward to these conversations today and \nto working with my colleagues on this issue as we move forward. \nI yield back my time.\n    Mr. Rush. The chair thanks the gentleman. It is now my \npleasure and honor to recognize for 5 minutes for the purposes \nof opening statement the ranking member of the full Committee \non Energy and Commerce, Mr. Barton, is recognized for 5 \nminutes.\n\n   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Barton. Thank you, Mr. Chairman. As I look on the other \nside of the aisle, I am glad to see that none of the Democrats \nwho played on the Democratic baseball team are actually in the \nroom, so I can congratulate them in their absence and I won't \nhave to do it face to face when I see them on the floor. But \nlast night Mike Doyle, who is the manager of the team, Bart \nStupak, who is on this committee, played an amazing game. It \nwasn't their usual Democratic bumbling error game. They \nactually played very well as a team, and as a result they beat \nthe stalwart Republicans 15-10. John Shimkus, who is our \nstarting pitcher, played an excellent game, and we had a number \nof Energy and Commerce Republicans, Mr. Gingrey, Dr. Gingrey, \nwho is here, walked at a key time and later scored.\n    Mr. Scalise, who is here, played second base some and also \ndid some base running and scored. Mr. Pitts, who came out and \nwatched the game, and luckily didn't try to play although we \ncould have used his bombing skills from the Vietnam War. So, \nanyway, we raised quite a bit of money for charity and had a \ngood time. When you all see Mike Doyle and you see that he is \ngrinning from ear to ear just congratulate him and tell him to \ntake pity on the downtrodden Republicans who didn't quite have \nthe stuff last night.\n    On this hearing, Mr. Chairman, I do want to thank you, \nthank Mr. Boucher, Mr. Stearns, Mr. Radanovich for working in a \nbipartisan fashion to protect the privacy and security of every \nAmerican's personal information. I am glad that we are working \non this in a bipartisan way. I especially appreciate Chairman \nRush's agreement to act on the Republicans' data security bill. \nThat bill has implications for the broader privacy discussion, \nand I hope that that bill will move forward in the full \ncommittee. Along with Congressman Markey, I co-chair the \nCongressional Privacy Caucus, so I am glad that we are working \non these issues in a bipartisan way. I, myself, every few days \nhit the delete button and clean out all the various cookies on \nthe computer and at my home. It is amazing to me how many of \nthose accumulate and most of the time without absolutely any \nknowledge of myself or anybody else for that matter that they \nare being put on our computer.\n    I think it is a big deal if somebody tracks where you go \nand what you look at without your personal approval. We \nwouldn't like that in the non-Internet world, and I personally \ndon't like it in the Internet world. The information about \nmyself is mine. Unless I choose to share it, I would just as \nsoon that it stay my information only. I think that I have the \nright to know what information people are gathering about me \nand the right to know what they are doing with it. It is \nobvious that the public agrees with the statement that I just \nmade because poll after poll shows that they think that their \ninformation and their right to privacy is just as important on \nthe Internet as it is in the non-Internet world. When I open an \ne-mail for the new Dallas Cowboy Stadium that is in my \ncongressional district, I don't expect to begin receiving \nunsolicited ads for airlines tickets to the Dallas-Fort Worth \narea or hotels, also in my district in Arlington, Texas.\n    It is obvious that people track what I do and where I go, \nand try to take advantage of that. Fortunately, technology has \ncome quite a ways in protecting the individuals. We started \nlooking at the spyware problem back in the 107th Congress, and \nthanks to the work among others Congresswoman Mary Bono Mack, \nEd Towns, Chairman Dingell, those spyware infections are not \nnear the problems that they used to be. However, today \ncompanies continue to gather, maintain, and use data through a \nvariety of technological methods. Some of those companies such \nas Verizon and Comcast are large companies. They are regulated \nin some parts of their business model, and I think they are \ntrying to act appropriately. There are other companies, so-\ncalled ISP locators, that I personally don't even know their \nname. Then you have the in-between companies, the so-called \nedge companies like Yahoo! and Google. Put together, it still \nis a little bit of a wild west out there, and I think it is \ntime that Congress begin to look at and try to bring some law \nand order to that particular wild west area.\n    I see that my time has expired, Mr. Chairman, so I will \nsubmit the rest of the statement for the record. Suffice it to \nsay that I am glad that you and Congressman Boucher are working \nwith the Republicans and taking a serious look at this. I also \nwant to commend the private sector that is here today. It is my \nunderstanding that you are working together to come up with \nsome voluntary rules, and it is always preferable in my opinion \nto do it through a voluntary market-based approach as opposed \nto a mandatory regulatory approach. So in any event again thank \nyou, Mr. Chairman, and once again congratulations to the \nDemocrats for winning the baseball game last night. I yield \nback.\n    [The prepared statement of Mr. Barton follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. The chair thanks the ranking member. It is now my \nhonor to recognize the gentle lady from California for 2 \nminutes for the purpose of opening statement, Ms. Matsui.\n\nOPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Ms. Matsui. Thank you, Mr. Chairman. I want to thank you \nand Chairman Rush for calling today's joint hearing and applaud \nboth your leadership in addressing this important issue. I \nwould also like to thank our panelists for being here with us \nthis morning. Today, we are here to examine the practices and \nconsumer protections from a growing online advertisement \npractice known as behavioral advertising. As broadband access \ncontinues to expand across the country, more and more Americans \nrely on the Internet for news information, online videos, and \nto purchase goods and services. Americans need to have trust \nand confidence that their personal information are properly \nprotected. Privacy policies and disclosures should be clear and \ntransparent so consumers can choose what information they want \nto view and receive on the Internet instead of inappropriate \ncollection and misuse of their information.\n    Consumers should also understand the scope of the \ninformation that is being collected, what it is being used for, \nthe length of time it is being retained, and its security. The \nmore information that consumers have, the better. Moving \nforward, we must assure that Americans are comfortable with \nusing the Internet and know with confidence that meaningful \nprivacy safeguards are in place or ensuring that we don't \nstifle innovation. I thank both of you, Mr. Chairman, for \nholding this important hearing today, and I yield back the \nbalance of my time.\n    Mr. Rush. The chair thanks the gentlelady. Now the chair \nrecognizes the gentleman from Kentucky, Mr. Whitfield, for 5 \nminutes for the purpose of opening--let me correct that. The \nchair recognizes the gentleman from Michigan.\n    Mr. Upton. I thank my friend, and I will not take my 2 \nminutes. We have great attendance. We will see what the \nattendance is after lunch when we return after these votes. I \nwould like to associate myself with Mr. Barton's remarks. The \ninformation is yours. When you make a phone call, no matter who \nit is, you don't expect AT&T or Verizon to share the \ninformation with somebody else. You can imagine if you ordered \na pizza on the phone and all of a sudden you get different \npizza companies coming in knowing that you are going to be \nsubscribing to that. That information is personal. It shouldn't \nbe shared unless that individual allows and knows that it is \ngoing to be shared. It needs to be protected. It is nobody's \nbusiness. You don't expect to have someone follow you in your \ncar when you go make an errand whether it be to a dry cleaner \nor wherever you might go and expect some competitor then to \nperhaps get the information to trace you back. So this is a \ngreat hearing, and I look forward to it and I yield back the \nbalance of my time.\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentleman from Georgia, Mr. Barrow, for 2 \nminutes for the purpose of opening statement.\n    Mr. Barrow. I thank the chairman. I am going to waive \nopening but I want to thank the ranking member for his kind \nwords of congratulations. In solidarity with Mr. Pitts, I want \nto remind the ranking member that those of us who sit in the \nstands and cheer also serve. Thank you very much.\n    Mr. Rush. The chair now recognizes the gentleman from \nKentucky, Mr. Whitfield, for 5 minutes.\n    Mr. Whitfield. Thank you, Mr. Chairman. We certainly \nappreciate all these witnesses being here today as we explore \nthis very important subject. As online communities use an array \nof sophisticated and ever evolving data collection and \nprofiling applications, it is important that we focus on \nprotecting privacy. Today, I think we will be hearing about \nprivacy policies at various companies, the data retention that \nthey do, and as we proceed and think about legislation, it is \nimperative that we use a balanced approach and proceed with \ncaution. And I think if we do have any legislation it certainly \nshould apply equally to all entities throughout the Internet \necosystem, and I will yield back the balance of my time.\n    Mr. Rush. The chair now recognizes the gentleman from Ohio, \nMr. Pitts from Pennsylvania, Mr. Pitts, recognized for 2 \nminutes.\n    Mr. Pitts. Thank you, Mr. Chairman. I worked real hard on \nan opening statement, but I think I will submit it for the \nrecord. Just let me say I believe that consumer privacy rights \nshould be carefully guarded. I am also encouraged by private \nindustry's recent steps to further protect consumers. It is my \nhope that if legislative action is taken that we will do so in \na careful manner striking a delicate balance between the \nnecessary steps we must take to protect consumers, and the \nability for industry to continue to be successful. So with \nthat, I will submit the rest for the record and yield back.\n    [The prepared statement of Mr. Pitts follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentleman from Georgia, Dr. Gingrey, for 2 \nminutes for the purpose of opening statement.\n\n  OPENING STATEMENT OF HON. PHIL GINGREY, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF GEORGIA\n\n    Mr. Gingrey. Chairman Rush and Chairman Boucher, Ranking \nMember Radanovich and Stearns, I want to thank you for calling \nthis hearing today on the emerging use of behavioral or \ninterest-based advertising online. This type of advertising \nonly represents a small portion of all online ads. By 2012 this \ntype of advertising is estimated to reach $4.4 billion in \nrevenue. Therefore, it is important for these subcommittees to \ntake a further look at this industry in order that we ensure \nthe online privacy of consumers. When hearing testimony from \nthis panel today, I believe that it will be important that we \nfocus on three components of any potential regulation that \nthese subcommittees propose. First, it is important to \ndistinguish what it is that we are going to be regulating.\n    Currently, most interest-based advertising is conducted \nthrough the use of web browser cookies. These encoded text \nfiles help indicate a user's online activity, thereby enabling \nadvertisers to customize ads based on a series of preferences. \nHowever, as we have seen in the IT industry, particularly over \nthis last decade, technology moves very quickly and if we are \nto propose regulations for this industry then we must make the \ndetermination of exactly how and what we are going to regulate.\n    Mr. Chairman, we must also examine which federal agency \nwould be best suited to coordinate any potential regulation. \nBoth the Federal Communications Commission, FCC, and the \nFederal Trade Commission have jurisdiction over elements of \nbehavioral advertising. Therefore, for the sake of consumers if \nregulations are necessary, we must coordinate the efforts and \nresponsibilities of these two governmental entities, thereby \nallowing for industry growth while at the same time \nsafeguarding an individual's private information. Lastly, Mr. \nChairman, we would also have to determine whom we would be \nregulating. Would it be the Internet service provider or the \nadvertisers or the web interfacing companies represented here \ntoday?\n    Accordingly, I think it will be important that as we move \nforward, we diligently take the time to hear from ISP companies \nand advertisers as a way to give us different perspective on \nthis important issue that will continue to be crucial to the \nfurther development of online activity. Mr. Chairman, the heart \nof this hearing is the American consumer so our focus must be \ntheir overall protection. I look forward to hearing from the \npanel, and I yield back the balance of my time.\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentleman from Louisiana, Mr. Scalise, for 2 \nminutes for the purposes of opening statements.\n\n OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF LOUISIANA\n\n    Mr. Scalise. Thank you, Mr. Chairman. I want to thank you \nand the ranking members of the subcommittees for having this \nhearing on behavioral advertising. I am pleased that both \nsubcommittees are examining this issue as well as the greater \nissue of data privacy. I know that Congress and this committee \nhave held hearings on data privacy in the past, but as we know \ntechnology continues to advance and develop in ways that \nprovide tremendous benefits to consumers. But these \nadvancements and benefits can expose consumers to certain \nrisks. Therefore, we must continue to examine ways to ensure \nconsumers don't have their personal information compromised. \nThe technology industry is one of the most advanced and \ncompetitive industries in our country. It is also one of the \nmost beneficial, both for consumers and for our economy.\n    We are able to share information, exchange ideas, and \nconduct commerce in ways that were never imagined just a few \ndecades ago. The industry also provides millions of good high-\npaying jobs for people all across this country. One thing that \nI think must be pointed out is that the industry has evolved \nand grown on its own with little regulation from the federal \ngovernment. Some would say that the government's failure to \nregulate this industry is one of the reasons it has grown and \nprovided so many good jobs. Yes, there have been bad actors in \nthe industry, and there are issues we must address in \nprotecting consumers' personal information, but I would hope we \nwould proceed with caution when stepping in or when drafting \nlegislation in this area. I hope the focus of today's hearing \nis how we can protect consumers and their personal information \nand what steps the industry will take to do that.\n    I hope today's hearing does not focus on how the government \ncan improve the industry. As we continue to delve into this \nissue today and future hearings, we should focus on the \nconsumer and what will offer consumers the greatest \ntransparency into the online practices and give them meaningful \ncontrol over their personal information. For this reason, I \nbelieve that self-regulation is sufficient and if privacy \nregulatory requirements are needed, they should be consistent \nacross the industry and not be greater for one technology \ncompared to another. Everyone involved in online advertising, \nISPs, search engines, advertising networks, web site publishers \nand others, should all be subject to the same requirements, and \nCongress should not try to pick winners and losers. After all, \nconsumers are not always aware that their Internet activities \nare being tracked.\n    They care about what information is collected and what it \nis used for. They want to know if this is going on and, if so, \nthey should be able to opt out if they so choose and be assured \nthat a breach of their personal information will not occur. I \nlook forward to the hearing and the comments from our panelists \ntoday, particularly on self-regulation and what changes they \nwill make to ensure protection of personal information and what \nchanges they plan on making moving forward. It is important \nthat these committees and subcommittees understand their \npositions and activities as well as all the implications of \nthese new advertising practices. Thank you, and I yield back.\n    Mr. Rush. The chair thanks the gentleman. As I indicated \nearlier, there is a vote occurring on the House floor. It is a \nseries of votes, and so we will recess the committee until the \ncompletion of those votes, and we will reconvene 15 minutes \nafter the completion of those votes. The committee now stands \nin recess.\n    [Recess.]\n    Mr. Rush. The committee will reconvene. I certainly want to \nthank each and every one of you for your patience. I want to \nalso apologize for the time that you have been forced to spend \nhere. This has been an abnormal day with a lot of abnormal \nactivities, and I might add it has been a record-breaking day. \nAccording to some, we have had at least 54 consecutive votes \none after another and this never happened before that we know. \nSo it is not something we are proud of, but it has been that \nkind of a day. We are going to proceed right to our witnesses.\n    Starting on my left, to the right we will proceed with \nintroducing our witnesses. Mr. Jeffrey Chester is the Executive \nDirector for the Center for Digital Democracy--let me start \nover again. Mr. Edward W. Felten is Professor of Computer \nScience at Princeton University. Next to Mr. Felten is Ms. Anne \nToth. She is the vice president of Policy, Head of Privacy for \nYahoo. Ms. Nicole Wong is the Deputy General Counsel \nresponsible for privacy for Google. Mr. Christopher M. Kelly is \nChief Privacy Officer at Facebook. Mr. Jeffrey Chester is \nExecutive Director for the Center for Digital Democracy. Mr. \nCharles D. Curran is the Executive Director of Network \nAdvertising Initiative. And Mr. Scott Cleland is the President \nof Precursor LLC. Again, we want to thank the witnesses for \ntheir patience and for their appearance before the \nsubcommittee. It is the practice of this subcommittee now that \nwe will swear in all the witnesses, so would you please stand \nand raise your right hand?\n    [Witnesses sworn.]\n    Mr. Rush. Let the record reflect that all the witnesses \nhave responded in the affirmative. Now we will ask the \nwitnesses to enter into opening statements. And, Mr. Felten, \nyou are recognized for 5 minutes or thereabouts. So please pull \nthe mike in front of you, turn it on, and let it rip. Thank \nyou.\n\nTESTIMONY OF EDWARD W. FELTEN, DIRECTOR, CENTER FOR INFORMATION \n   TECHNOLOGY POLICY, PRINCETON UNIVERSITY; ANNE TOTH, VICE \n  PRESIDENT OF POLICY, HEAD OF PRIVACY, YAHOO!, INC.; NICOLE \n   WANG, DEPUTY GENERAL COUNSEL, GOOGLE INC.; CHRISTOPHER M. \n   KELLY, CHIEF PRIVACY OFFICER, FACEBOOK; JEFFREY CHESTER, \n EXECUTIVE DIRECTOR, CENTER FOR DIGITAL DEMOCRACY; CHARLES D. \nCURRAN, EXECUTIVE DIRECTOR, NETWORK ADVERTISING INITIATIVE; AND \n            SCOTT CLELAND, PRESIDENT, PRECURSOR LLC\n\n                 TESTIMONY OF EDWARD W. FELTEN\n\n    Mr. Felten. Thank you, Chairman Rush, Chairman Boucher, for \nthe opportunity to testify today. My name is Edward Felten. I \nam a Professor of Computer Science and Public Affairs at \nPrinceton University. I am here as a technologist. I am a \ncomputer science professor and I would like to explain some of \nthe technology behind behavioral advertising. The most serious \nprivacy concerns are raised not by the presence of advertising \nbut by the gathering of information about users that can be \nused either to target ads or for other purposes. I would like \nto describe what technology makes possible. Responsible ad \nservices do not do everything that is possible, and I don't \nmean to imply otherwise. Others on the panel can describe what \ntheir own systems do do.\n    To explain what this technology allows, I would like to \nwalk through a scenario illustrated by the diagram on the last \npage of my written testimony. And if I could have the display, \nplease, of the Power Point. What I would like to describe, Mr. \nChairman, is a scenario involving behavioral advertising. In \nthe beginning of the scenario, I go to a weather site, and I \nlook up Thursday's forecast for Washington. The weather site \nsends me a page with the forecast information and a hole where \nthe ad should be. And along with that page it sends my computer \na command telling it how to find the ad. Following these \ninstructions, my web browser connects to an ad service shown \nhere at the bottom and asks for an ad.\n    Along with this request, information is sent to the ad \nservice about me, the fact that I am looking up Thursday's \nforecast for Washington and the fact that I normally look up \nthe forecast in Princeton, New Jersey. The ad service remembers \nthis information. The ad service sends an ad, which is inserted \ninto the page. The service also sends an ad in this case \nrelated to travel to Washington because I looked up the \nWashington, D.C. forecast. The service also sends along its so-\ncalled cookie which contains a small, unique code which in this \nexample in the diagram is 7592, and my computer stores this \ncookie. Later, I visit a social network page which also \ncontains an ad. Again, the page has a blank space for the ad \nand my computer contacts the ad service to get an ad.\n    My computer automatically sends along the cookie that the \nservice provided earlier. This request for an ad carries more \ninformation about me. It says that I am interested in baseball \nand jazz, which the social network site knows, and that my name \nis Edward Felten. The ad service recognizes that the cookie is \nthe same as before so it knows that I am the same person who \nlooked up D.C. weather earlier and it adds the new information \nto its profile of me. The service sends back an ad. This time \nit is an ad for Washington Nationals tickets because I looked \nup Washington weather earlier, and I am interested in baseball.\n    Notice that the ad service is connecting the dots between \nthings that I did on different sites between something I did on \nthe weather site and something I did on the social network \nsite. This allows it to better target ads and also to build up \na more extensive profile about me. Next, I go to a book store \nand look up books about travel in Hawaii. The book store site \nsends this information to the ad service along with another ad \nrequest. Again, the cookie allows the ad service to link \ntogether my book store activities with my earlier activities on \nother sites. The ad service sends back an ad for jazz CDs \nbecause it knows I like jazz because the social network site \ntold it. By this point, the ad service knows enough to identify \nme. It knows I live in Princeton and it knows that my name is \nEdward Felten. The ad service buys access to a third party \ncommercial database using what it knows about my identity to \nget more information about me.\n    In this example, the ad service gets my credit report in by \ninsurance history, which it adds to my profile along with the \nother information it had. And, finally, I go to a news site \nthat uses the same ad service. My computer again requests an \nad. The ad service in this case sends an ad for budget Hawaiian \nvacations. It knows that I am interested in visiting Hawaii \nbecause I looked at Hawaii books at the bookstore, and it knows \nI am interested in a low cost trip because it has my credit \nreport. The news site sends information about what I was \nreading. In this example, I was reading about cancer \ntreatments. This information is added to my profile as well.\n    In this scenario, the ad service got information in three \nways. First, content providers sent along information about \nwhat I was doing on their sites and what I had done in the \npast. Second, the ad service connected the dots to link my \nactivities across different sites at different times. And, \nthird, the ad service accessed third party commercial \ndatabases. All of this information ended up in my profile. The \nresult was well-targeted ads but also the creation of an \nelectronic profile of me containing sensitive information which \ncould in principle be resold or reused for other purposes. Now \nad services are not the only parties who can assemble such \nprofiles but large ad services do have a prime opportunity to \nbuild profiles due to their relationships with many content \nproviders who can pass along information about users, and due \nto the ad service's ability to connect the dots by linking \ntogether a user's activities across different web sites.\n    All of this is possible as a technical matter which is not \nto say that responsible ad services do all of it or even most \nof it. Ad services may be restrained by law, by self-regulation \nor by market pressures. What is clear is the technology by \nitself cannot protect users from broad gathering and use of \ninformation.\n    Mr. Rush. Mr. Felten, I am embarrassed to say this, but \nwould you please bring your statement to a close? You have \nextended your time.\n    Mr. Felten. Thank you, Mr. Chairman. I was just wrapping \nup. I just wanted to thank the committee for holding this \nhearing and for giving me the opportunity to testify. Thank \nyou.\n    [The prepared statement of Mr. Felten follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. Thank you so very much. Ms. Toth, you are \nrecognized for 5 minutes for the purpose of opening statement.\n\n                     TESTIMONY OF ANNE TOTH\n\n    Ms. Toth. Chairman Boucher and Rush, Ranking Member Stearns \nand Radanovich, members of the subcommittees, I appreciate the \nopportunity to appear before you today at this important \nhearing. My name is Anne Toth, and I am Yahoo!'s Vice President \nof Policy and Head of Privacy. I joined the company over 11 \nyears ago and became one of the very first dedicated privacy \nprofessionals at any online company. Quite simply, my job is \nabout making sure Yahoo! earns and maintains its users' trust \neach and every day. Yahoo! was founded by Jerry Yang and David \nFilo, who were trying to help people find information that was \nuseful and relevant to them among the clutter of the early \nWorld Wide Web. What began as a directory of popular web sites \nquickly grew into a globally recognized brand that provides a \nwide range of innovative and useful products and services to \n500 million users worldwide.\n    The Internet has changed a great deal, and this hearing \nrecognizes its importance in our global economy. Gone are the \ndays of one size fits all Internet content. Our consumers \nexpect not only that Yahoo! will meet their needs, but that we \nwill anticipate those needs as well. The same is true for \nadvertising. Consumers are more likely to click on advertising \nthat speaks directly to them and their interests. For example, \nYahoo! might deliver ads featuring hybrid cars if the users \nspend a great deal of time on Yahoo! Green or has recently \nbrowsed car reviews on Yahoo! Autos. Put simply, customized \nadvertising helps consumers save time and energy. As you may \nknow, Yahoo! offers our industry leading products and services \nlarger for free.\n    Our business also depends almost entirely on the trust of \nour users. It has been paramount to our growth and is critical \nfor our future success. Our approach to privacy couples front \nend transparency, meaningful choice, and user education with \nback end protections for data that limit how much information \nand how long personal identifiers are maintained. Let us start \nby talking about transparency. Our leading edge privacy center, \nwhich you can see on the slide that is being projected, \nprovides easy navigation, information on special topics, and \ngives prominence to our opt-out page, and actually if we could \nmove to the next slide, making it simple for users to find and \nexercise their privacy choices. We have also experimented with \na number of ways to provide notice and transparency outside of \nstandard privacy policies giving users multiple privacy touch \npoints.\n    We must also put control in the hands of our users. We have \nan opt-out that now applies to interest-based advertising both \non and off the Yahoo! network of web sites. Whether a user \ntouches us as a first party publisher or as a third party ad \nnetwork, we want them to have a choice. We also didn't want \nusers to have to redo their opt-outs again and again and took \nthe further step of making our opt-out persistent for users who \nregistered for a Yahoo! account. This means that these users \nwho clear their cookies will not inadvertently clear their \nprivacy choices at the same time. The final aspect of the front \nend of privacy protection is user education. For over a year, \nYahoo! has displayed on average 200 million ads per month that \nexplain our approach to privacy. All of these front end steps \nare complemented by back end protections.\n    We focus on security and data retention as core aspects of \nprotecting back end privacy. We recently announced the \nindustry's leading data retention policy. Under this policy, we \nwill retain the vast majority of our web log data in \nidentifiable form for only 90 days. This dramatically reduces \nthe period of time we will hold log file data in identifiable \nform and vastly increases the scope of data covered by the \npolicy. The limited exceptions for this policy are explained \nmore fully in my written testimony. We believe that our front \nend, back end approach to privacy builds a circle of trust with \nusers, providing transparency, meaningful choice, and extensive \neducation coupled with strong security and minimum data \nretention.\n    Much attention has been recently paid to the question of \nwhether an opt-out or an opt-in approach to user control in the \narea of interest-based advertising is best. The answer is both. \nThe decision about whether to ask for opt-in consent or give \nusers the opportunity to opt out depends on the individual \nservices being provided and the information being collected. \nMost advances in online privacy protection have come as a \nresult of industry initiative and self-regulation. Market \nforces drive companies like Yahoo! to bring privacy innovations \nto customers quickly. As one company leads, many others follow \nor leap frog by innovating in new ways. So as Congress \nconsiders its role in helping protect consumer privacy online, \nYahoo! hopes that legislators will consider an approach that \nenables providers to keep pace not only with technological \nadvances but with customer demands and expectations as well.\n    I am very proud of Yahoo!'s record of trust and commitment \nto privacy, and the industry's history of responsible self-\nregulation. I look forward to sharing our experience with you \nin more depth and am happy to answer your questions. Thank you.\n    [The prepared statement of Ms. Toth follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. Thank you, Ms. Toth. Now the chair recognizes Ms. \nWong. Ms. Wong, you have 5 minutes or thereabouts.\n\n                    TESTIMONY OF NICOLE WONG\n\n    Ms. Wong. Chairmen Rush and Boucher, Ranking Members \nRadanovich and Stearns, and members of the committee, I am \npleased to appear before you this evening to discuss online \nadvertising and the ways that Google protects our users' \nprivacy. Online advertising is critically important to our \neconomy. It promotes freer, more robust and more diverse \nspeech, and enables many thousands of small businesses to \nconnect with consumers across the nation and around the world. \nIt helps support the hundreds of thousands of blogs, online \nnewspapers, and other web publications that we read every day. \nOver the last decade, the industry had struggled with the \nchallenges of providing behavioral advertising. On the one \nhand, well-tailored ads benefit consumers, advertisers, and \npublishers alike. On the other hand, we recognize the need to \ndeliver relevant ads while respecting users' privacy.\n    In March, Google entered the space and announced our \nrelease of interest-based advertising for our AdSense partner \nsites and for YouTube. Interest-based advertising uses \ninformation about the web pages people visit to make the online \nads they see more relevant and relevant advertising has fueled \nmuch of the content, products, and services available on the \nInternet today. As Google prepared to rule out interest-based \nadvertising, we talked to many users, privacy and consumer \nadvocates and government experts. Those conversations led us to \nrealize that we needed to solve 3 important issues in order to \nprovide consumers with greater transparency and choice, which \nare core design principles at Google.\n    First, who served the ad? Second, what information is being \ncollected and how is it being used? And, finally, how can \nconsumers be given more control over how their information is \nused? This evening I would like to show you how we answered \neach of those questions with the launch of interest-based \nadvertising, which includes innovative, consumer-friendly \nfeatures to provide meaningful transparency and choice for our \nusers. When you see an online ad today you generally don't know \nmuch about that ad. It is difficult to tell who provided the ad \nand how your information is being collected and used. Google is \ntrying to solve this problem by providing a link to more \ninformation right in the ad, as you can see, where it is \nlabeled Ads By Google. This is very different from current \nindustry practices, but we believe that it is important to \nprovide users with more information about the ad right at the \npoint of interaction.\n    We believe that this is a significant innovation that \nempowers consumers and we think that this is the direction that \nmany in the industry are going. If you are curious about \ngetting information about the ad, you can click on the Google \nlink and navigate to an information page about Google ads, \nwhich you can see here. On this page, you are invited to visit \nour ads preference manager, which helps explain in plain \nlanguage user friendly format what information is being \ncollected, how it is being used, and how you can exercise \nchoice and get more information about how this advertising \nproduct works. Here is the ads preference manager. This \ninnovative tool allows you to see what interests are associated \nwith an advertising cookie, the double click cookie, that is \nset in the browser you are using.\n    In this case, Google has inferred that my cookie should be \nassociated with hybrid cars, movie rentals and sales, and real \nestate. This is because I visited sites using the browser about \nhybrids, movies, and real estate. Before Google introduced the \nads preference manager, most users had no idea what interests \nwere being associated with their cookies online by advertising \ncompanies. We are the first major company to introduce this \nkind of transparency. Now you can see those interests, and if \nyou don't agree with those interests, maybe you are not a movie \nfan or you simply don't want to see ads about movies, you can \ndelete any one of them or a few or as many as you want. So, for \nexample, if you want to delete movie rentals and sales, you can \ndo that with one click, and I have just done that.\n    Likewise, you can add any interests you like. Note that \nGoogle does not use sensitive categories so there is nothing in \nhere about sexual orientation, religious affiliation, health \nstatus or the like, but there are many, many other options. For \nexample, if you are a sports fan you can associate your cookie \nwith sports, and with a click I have decided that I would like \nto receive ads personalized for sports fans. If you prefer not \nto see interest-based ads from Google, you can opt out at any \ntime with one click. After you opt out, Google won't collect \ninformation for interest-based advertising and you won't \nreceive interest-based ads from us. You will still see ads, but \nthey may not be as relevant. The opt-out is achieved by \nattaching an opt out cookie to your browser. Opt out cookies in \nthe industry, however, have traditionally not been persistent. \nThat is, they are often inadvertently deleted from the browser \nwhen a user deletes her cookies.\n    So our engineers have developed a tool that was not \npreviously available that makes Google's opt out cookie \npermanent even when users clear other cookies from their \nbrowsers. After you opt out, just click the download button and \nfollow the instructions to install a browser plug-in that saves \nyour opt out settings even when you clear your cookies. I hope \nthis gives you a better idea how Google shows interest-based \nads and how we provide users with transparency in the right \nplace at the right time, as well as meaningful, granular, and \nuser-friendly traces for setting ad preferences or opting out. \nThank you very much for your time.\n    [The prepared statement of Ms. Wong follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. Next, we welcome Mr. Kelly. Mr. Kelly, you are \nrecognized for 5 minutes.\n\n               TESTIMONY OF CHRISTOPHER M. KELLY\n\n    Mr. Kelly. Thank you very much. Chairman Rush and Boucher, \nand Ranking Members Radanovich and Stearns, and members of the \nsubcommittees, thank you for this opportunity to address \nimportant privacy matters on the Internet. We agree with you \nthat protecting privacy is critical to the future growth of the \nInternet economy. Facebook now serves more than 200 million \nactive users worldwide, roughly 70 million of whom are in the \nUnited States. We are a technology company that gives people \nthe power to share their lives and experiences in an authentic \nand trusted environment making the world more open and \nconnected. Facebook's privacy settings give users control over \nhow they share their information allowing them to choose the \nfriends they accept, the affiliations they choose, and how \ntheir information is shared with their friends, and, if they \ndesire, the world at large.\n    Today, I would like to make four key points. First, \nFacebook's user centric approach to privacy is unique, \ninnovative, and empowers consumers. Our privacy centric \nprinciples are at the core of our advertising model. Second, in \noffering its free service to users, Facebook is dedicated to \ndeveloping advertising that is relevant and personal without \ninvading users' privacy, and to give users more control over \nhow their personal information is used in the online \nadvertising environment. Third, we primarily achieve these \nobjectives by giving users control over how they share their \npersonal information that model real world information sharing \nand providing them transparency about how we use their \ninformation in advertising.\n    Fourth, the Federal Trade Commission's behavioral \nadvertising principles recognize the important distinctions \nmade by Facebook in its ad targeting between the use of \naggregate, non-personally identifiable information that is not \nshared or sold to third parties versus other sites and \ncompanies' surreptitious harvesting, sharing, and sale of \npersonally identifiable information to third party companies. \nFacebook understands that few of us want to be hermits sharing \nno information with anyone, nor do many of us want to share \neverything with everyone, though some do want that. Most people \nseek to share information with friends, their family, and \nothers that they share a social context with on a regular basis \nseeking to control who gets our information and how they have \naccess to it. People come to Facebook to share information. We \ngive them the technological tools to manage that sharing.\n    Contrary to some popular misconceptions, full information \non Facebook users isn't even available to most users on \nFacebook let alone all users of the Internet. If someone is \nsearching for new friends on Facebook all that you might see \nabout other users who are not yet her friends would be the \nlimited information that those users have decided to make \navailable. Most of our users choose to limit what profile \ninformation is available to non-friends. They have extensive \nand precise controls available to choose who sees what among \ntheir networks and friends as well as tools that give them the \nchoice to make a limited set of information available to search \nengines and other outside entities.\n    We are constantly refining these tools to allow users to \nmake informed choices. Every day use of the site educates users \nas to the power they have over how they share their information \nand user feedback informs everything that we do. Facebook is \ntransparent with our users about the fact that we are an \nadvertising-based business and we explained to them fully the \nuses of their personal data that they are authorizing by \ninteracting with Facebook either on facebook.com or on the over \n10,000 Facebook connect sites throughout the web. Ads targeted \nto user preferences and demographics have always been part of \nthe advertising industry. The critical distinction that we \nembrace in our advertising policies and practices and that we \nwant this committee to understand is between the use of \npersonal information for advertisements in personally \nidentifiable form, and the use, dissemination or sharing of \ninformation with advertisers in non-personally identifiable \nform.\n    Users should choose what information they share with \nadvertisers. This is a distinction that few companies make and \nFacebook does it because we believe it protects user privacy. \nAd targeting that shares or sells personal information to \nadvertisers in name, e-mail or other contact information \nwithout user control is materially different from targeting \nthat only gives advertisers the ability to present their ads \nbased on aggregate data. So to take in Dr. Felten's example, if \nyou were to navigate to the social networking site, in his \nexample if it were Facebook we would not be sharing with the ad \nprovider that he was Edward Felten or that he likes jazz.\n    So on Facebook a feed is established where people know what \nthey are uploading and receive timely reactions from their \nfriends. The privacy policy and users' experience inform them \nabout how advertising on the surface works. Advertising that \nenables us to provide the service for free to users is targeted \nto the expressed attributes of a profile and presented on the \nspace on the page allocated for advertising without granting an \nadvertiser access to any individual user's profile. Unless a \nuser decides otherwise by directly and voluntarily sharing \ninformation with an advertiser, advertisers can only target \nFacebook advertisements against non-personally identifiable \nattributes of a user derived from profile data. Facebook builds \nand supports products founded on the principles of transparency \nand user control, and we thank you very much for the \nopportunity to present our philosophy on online advertising \nbefore this committee.\n    [The prepared statement of Mr. Kelly follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes Mr. Chester for 5 minutes.\n\n                  TESTIMONY OF JEFFREY CHESTER\n\n    Mr. Chester. I want to thank the chairs and ranking members \nand the members of the committee for their interest in privacy \nfor holding this hearing and to support their efforts to, I \nthink, help Americans get a fair digital data deal and that is \nwhat they deserve. Just very quickly before I make 4 points, I \nsubmitted my testimony in writing. It tries to lay out for the \ncommittee the broad parameters of the interactive advertising \nsystem as we know it in the United States, all the various \nelements that now are shaping this very powerful system so you \ncan look at that if you want more information. I have been \nworking on these issues for 15 years looking at online \nadvertising, online marketing, digital communications. I last \nworked closely with the Commerce Committee back in 1998 when we \nled the campaign that established with your legislation the \nChildren's Online Privacy Protection Act. Right now, that is \nthe only online privacy law. It was a bipartisan effort. And \nwhat we did for kids, we now need to do for teens and adults.\n    Imagine the world, and this is the world that we have \ncreated and you have already spoken about it, both the chair \nspoke about it, Mr. Barton spoke about it, others have spoke \nabout it. Imagine a world where every move, you are being \nwatched, whatever contents you read, what you buy, how much you \nare willing to spend, and how much you are not willing to \nspend, where you go, what you like, what you don't like, all \nthat being compiled. Outside databases being used to even build \nup this even larger profile of who you are. You include your \nrace, whether you are a low income or middle class. They call \nit on the online ad industry digital fingerprints or user DNA \nbut this very powerful system that is invisible and \nunaccountable to the average American is constantly collecting \nand refining and storing all this information and making claims \nand assumptions about you, your reputation without any \naccountability to you as the consumer let alone as the citizen.\n    That is the online advertising system today as we know it. \nIt is different from traditional advertising because as you, \nyourself, described it is able to track you minute by minute, \nminute by second, and your information is being sold in online \nad auctions in milliseconds. They know who you are and they are \nselling access to it, so it is an incredible system that we \nhave created. And it is now meshed in almost everything we do \nonline, watching online videos, even e-mail, doing searches, \nplaying games. This broad date collection system is a digital \ndata collection arms race going on as they build this \nincredibly sophisticated system. And I want to make it clear \nfor my second point that our call for privacy and consumer \nprotection rules isn't about undermining the role of online \nadvertising and marketing. That has an important role to play. \nIt is the underpinning, the foundation of our modern publishing \nsystem or really our new way of life in the digital age. We \nneed to have online advertising and marketing, but we need to--\nand it is not about any particular company here or sense of \ncompanies. It is about the overall practices that the industry \nhas created to collect all this information and to use all this \ninformation with these very powerful multi-media, in their \nwords, immersive online advertising services that are not \nunderstandable and controllable and definable by consumers.\n    I think to me it is very clear that you look at the issue \nof what is called sensitive data, which I am hoping you are \ngoing to work on, and in particular financial data. When you \nlook at what happened during the recent financial crisis online \nadvertising played a major role in encouraging people to take \nout those subprime mortgages. Online advertisers and mortgage \ncompanies were some of the biggest advertisers on the Internet \nduring the boom period that led to this current crisis. People \nhad no idea when they were taking out a mortgage or taking out \na loan what exactly they were getting because this system was \ndefining them in certain ways and making them various offers, \nonce again, non-transparent to them, and as result, they, and I \nthink we, have had to face the consequences.\n    That is just as with the financial system, we need some \nregulation here that puts the system into balance. Yes, they \ncan try to build this business and we can be innovators, but, \nyes, consumers get to ensure what data is being used and how it \nis used, and they have a chance to change it if it is \nincorrect. So consumer groups around the country are calling on \nyou to enact legislation as soon as possible to bring fair \ninformation principles up to the digital era. Self-regulation \nhas failed. They have been working, with all due respect to my \nfriends here, they have been working on self-regulation for 15 \nyears and all you have is more and more data collected every \nminute. Americans shouldn't have to trade away their rights to \ncontrol their information and have some autonomy in their \naffairs, whether it is buying a mortgage, looking up a \nprescription drug, buying a car or doing anything else without \nhaving to give their data up. There is a balance. I hope you \nwill help us restore it. There is a win-win possible here. \nThank you.\n    [The prepared statement of Mr. Chester follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. Thank you, Mr. Chester. Now the chair recognizes \nMr. Curran for 5 minutes.\n\n                 TESTIMONY OF CHARLES D. CURRAN\n\n    Mr. Curran. Thank you, Chairman Rush, Chairman Boucher, and \nmembers of the subcommittee. I would like to thank you on \nbehalf of the Network Advertising Initiative for the \nopportunity to discuss both the economic benefits and the \nprivacy obligations of online behavioral advertising. The NAI \nis a coalition of advertising networks and other online \nmarketing companies dedicated to responsible business practices \nand effective self-regulation. Originally founded 9 years ago, \nthe NAI has grown to include more than 30 leading online \nadvertising companies including all 10 of the largest \nadvertising networks. Today, through the NAI's Web site \nconsumers can learn more about or opt out of online behavioral \nadvertising by any or all of the NAI's member companies across \nthe many thousands of web sites on which such advertising is \nserved. Today's hearing focuses on both industry practice and \nconsumer expectations.\n    The NAI and its members are committed to online advertising \npractices that strike the right balance between consumers' \neconomic and privacy expectations. We believe that consumers \nenjoy the diverse range of web sites and services that they get \nfor free thanks to relevant advertising, but we must also \nprovide consumers with meaningful notice and choice. Tens of \nmillions of Americans benefit every day from free web content \nand services made available on the web because of banner \nadvertising served by NAI members. These ad-supported services \ninclude news, blogs, video, photo sharing, and social \nnetworking services. NAI members support these web sites by \nconnecting them with advertisers and by using web browser \ncookies to serve their visitors with more relevant and \ncompelling advertisements.\n    NAI members provide web sites with a broad variety of \nservices. They help smaller web sites combine their audiences \nso they can attract larger advertisers. They help advertisers \ngauge the success of their campaigns across multiple sites, and \nthey also make online advertising more interesting and useful \nto consumers by using non-personally identifiable information \nabout users' activity within an ad network to try to predict \ntheir likely interests. In the early days of online behavioral \nadvertising more than 10 years ago, advocates and regulators \nchallenged industry to provide appropriate privacy protections \naround browser cookies. The NAI self-regulatory code was \nestablished to meet that challenge and continues today to apply \nthe same core principles for our members. First, users should \nreceive clear and conspicuous notice on the web sites that they \nvisit where data is collected and used.\n    Second, users should have the ability to opt out of \nbehavioral advertising. Third, sensitive data should not be \nused for online behavioral advertising without a user's \naffirmative consent. Fourth, a user's affirmative consent \nshould also be obtained if personally identifiable information \nis merged with information previously gathered about the user's \nweb browsing with an ad network. As these technologies have \nmatured and the online marketplace has diversified, the Federal \nTrade Commission has called on industry to broaden and enhance \nits approach to self-regulation. The NAI and its member \ncompanies believe that self-regulatory approaches should be as \ndynamic as the online marketplace that they serve, and we are \nmoving quickly to respond.\n    The NAI member companies are working to develop \ntechnologies that would support and enhance consumer notice in \nor around behaviorally based banner ads. This would allow users \nto learn more about behavioral advertising and to make choices \ndirectly from the ad itself. Additionally, to help protect \nusers' choices, the NAI is implementing technology to improve \nthe durability of user opt out preferences stored in browser \ncookies. The NAI believes that its current opt out approach \nstrikes the right balance and consumers' expectations for \ntoday's cookie-based advertising. The model combines an opt out \nfor the use of non-sensitive, non-personally identifiable \ninformation to deliver ads with an opt in requirement for use \nof sensitive or personally identifiable data. This preserves a \ndefault experience in which web sites provide users with more \nrather than less relevant advertising.\n    Users have multiple options to control behavioral \nadvertising either by using opt outs offered by the NAI's \nmembers or their own easily accessible web browser tools. Any \nsignificant changes to this model such as requiring a user's \nopt in even to non-personally identifiable uses of cookies to \nimprove the relevance could pose a profound risk to both the \nuser's experience and the economic model for ad-supported web \nservices. As they navigate from site to site, consumers could \nbe inundated with recurring opt in prompts asking their \npermission to serve relevant ads. Consumer rejection of this \napproach could uproot the revenue model that supports many web \nsites today. It is vital to the continued growth of web \nservices that the right balance is struck between the economic, \ntechnological, and consumer protection considerations relating \nto online advertising. The NAI looks forward to working with \nthe subcommittees as they consider these important online \nprivacy issues. Thank you.\n    [The prepared statement of Mr. Curran follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. The chair thanks the gentleman. Now the chair \nrecognizes Mr. Cleland for 5 minutes.\n\n                   TESTIMONY OF SCOTT CLELAND\n\n    Mr. Cleland. Thank you, Mr. Chairman, both you and the \nranking member. As a leading Internet expert and consultant, I \nobviously have Internet companies as clients, which include \nwireless cable and telecom broadband companies in the \ncommunications sector, and Microsoft in the tech sector. \nHowever, I want to emphasize my views today are my personal \nviews and not those of any of my clients. What I want to do is \ntalk about the Internet problem and Internet solution. So what \nis the Internet privacy problem? Well, technology has turned \nprivacy upside down. Before the Internet, it was inefficient, \nit was costly, and it was difficult to collect private \ninformation. Now it is hyper-efficient, cheap and easy to \ninvade privacy. So through inertia what we have is a default, \nfinders keepers, losers weepers, privacy policy.\n    Now, second, most Americans incorrectly assume that the \nprivacy they enjoyed offline in the past is the privacy they \nhave online, and that is not true. Third, all the technology \nmegatrends out there, social networking, cloud computing, \nInternet mobility, Internet of Things, all of them will \ndramatically increase privacy risks online. Fourth, there is a \nsignificant faction in the technology community that really \nviews privacy negatively and in some parts antithetical to the \nbehavioral advertising and the Web 2.0 model. Now, fifth, a \nproblem is that increasingly the underground currency of the \nInternet is private data. Now private information is very \nvaluable, but in the absence of a system where consumers can \nassert ownership and control over their private information, \nprivacy can be taken away from them for free and profited from \nwith no obligation to or compensation due to the affected \nconsumer.\n    The sixth part of the problem, and that is we now have a \ntechnology-driven Swiss cheese privacy framework, which may be \nthe worse of all possible worlds. Simply, the haphazard \nframework we have gives a user no meaningful informed choice to \neither protect themselves or benefit themselves in the market \nplace arena of their private information. So what is the \nsolution? I think it is very simple. You have a consumer-\noriented, consumer centric approach that is technology and \ncompetition neutral. Think about it. It is consumers' private \ninformation that is being taken and exploited without their \nconsent. Since it is consumers that are most at risk of having \ntheir information misused or stolen, wouldn't it be logical for \nour privacy framework to be organized around the consumer?\n    Now, clearly, businesses should be free to fairly represent \nand engage consumers in a fair market transaction for their \nprivate information. Now its fair market transaction where \nconsumers are able to effectively understand and negotiate the \nrisk and reward involved with sharing the private information. \nMoreover, since the consumer is the only one that knows which \ninformation about their personal situation or their views or \ntheir intentions or their interests, which ones they are \ncomfortable with sharing, shouldn't it be the consumer that is \nempowered to make those decisions? So if Congress decides that \nit is going to legislate in this area, I think one thing is \nobvious, and that thing is that you should have consumer \nframework that would be superior to the current technology-\ndriven framework. That is because it would emphasize protecting \npeople, not technologies. It would empower consumers with both \nthe control and the freedom to choose to either protect or to \nexploit their privacy.\n    It would prevent competitive arbitrage by creating a level \nplaying field. And it would allow you to stay current with the \nconstant changing innovation because you are not technology \noriented, you are consumer oriented. And, lastly, you are going \nto be able to accommodate both sides, the people who care very \nmuch to protect their privacy but also those who care less and \nwould like to exploit their private information. So in closing \nI think we can do better than the current finders keepers, \nlosers weepers privacy policy that is the de facto policy of \nthe United States. Thank you, Mr. Chairman, and ranking member \nfor the opportunity to testify.\n    [The prepared statement of Mr. Cleland follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Rush. The chair thanks the gentleman. Now the committee \nwill engage the witnesses in a series of questions, and the \nchair recognizes himself for 5 minutes for the purpose of \nquestioning the witnesses. Ms. Toth, in your testimony you \ndiscuss meaningful choice for consumers, and this is a \nprinciple that everyone agrees is a good one. However, it \nappears that the only choice for consumers using Yahoo! is to \nopt out of receiving ``interest-based advertising.'' It seems \nthat they can't opt out of Yahoo!'s collection of information \nand tracking. Can you clarify exactly what the consumers' \nchoice is with Yahoo!'s opt out? If consumers ask to opt out of \nbehavioral advertising, does your company continue to collect \ndata on their browsing habits?\n    And I have another question. Does the opt out only stop the \ndisplaying of targeted advertising or does it stop the \ncollection of data? Does your firm offer consumers any way to \nopt out of tracking and data collection? Would you answer those \nthree questions for me, please?\n    Ms. Toth. Our opt out, you are correct, it is not an opt \nout of collection of data. It is an opt out of use of data. So \nthere are a number of reasons why we collect data and primarily \nthat relates to the display of advertising, so advertisers pay \nus to show advertisements, and so we have to know if those ads \nwere delivered and shown so we collect information in order to \nreport that information back to the advertisers who are paying \nfor those ads. But another reason why has a lot to do with the \nway we operate our web site, so if we were to stop collecting \ndata when a user opts out then there are a number of users we \nsuspect would opt out and engage in behaviors on the site that \nmay not be legitimate behaviors that may be abusive or \nfraudulent behaviors. So we are continuing to collect \ninformation, but when the user opts out we are no longer \nshowing them behavioral advertisements. We are opting them out \nof that use of their data.\n    So we are a web site that offers a number of different \nservices. Ad serving is one of our many businesses, so we have \nother uses for the data as I described. I am not sure if I \nunderstood the other question specifically as being different \nfrom that one. I maybe misheard. So the extent that data is no \nlonger used for advertising, that is what the opt out applies \nto. But the opt out that we offer is actually a very--it is \nvery clearly provided to users, and it is actually very easy to \nfind, so we think that that actually matters a great deal. The \nother thing actually that I will mention is that what we offer \non the back end is anonymization of that data within 90 days so \nif users have a concern that there is a great deal of data \nbeing collected, we hope to be addressing that on the back end \nby anonymizing the vast majority of our data within 90 days.\n    What is really notable about that is that our policy \ndoesn't just apply to search log records or to a specific type \nof log file that all of our log systems including the log \nsystems that inform our advertising capabilities.\n    Mr. Rush. So a consumer cannot opt out of data collection \nat all?\n    Ms. Toth. The consumer can't opt out through----\n    Mr. Rush. Cannot. They cannot opt out of data collection.\n    Ms. Toth. No. There are other tools at the browser level \nthat would address that. Our systems don't work that way.\n    Mr. Rush. Ms. Wong, can you answer the same questions for \nme?\n    Ms. Wong. Sure. Let me start by sort of describing our \napproach to privacy and data collection on our sites generally \nbecause I don't know if you are a regular Google user. Google \nactually has a design philosophy of always trying to minimize \nthe amount of data we collect about a user in the first \ninstance, so almost all of our services actually don't require \na user to provide any personal information at all. When you go \nto Google Search, you don't have to register. You simply type \nin your search. If you type in a search and you are not signed \nin or registered with us what that means is the only thing we \nget back is what all of us here, what all web sites get, which \nis sort of a standard what we call log line that records--a \ncomputer is asking you a question and that question comes with \ntwo things that can be identifying a user. One is an IP \naddress, which your ISP assigns to you, and the other is a \ncookie, which is what Anne referenced.\n    Neither of those things for Google are tied to an \nindividual. You can't know it is Nicole or Chris or Anne based \nsolely on the IP address and the cookie. Just to be clear about \nthe type of data we collect, we do provide an opt out, as I was \ndemonstrating in our presentation, for the use of that cookie \nand IP address data to target ads. In other words, when you \nclick on the opt out what it does is instead of getting a \nunique cookie, which is a series of numbers and letters, what \nyou get is what we call the opt out cookie, and that opt out \ncookie literally says in it opt out so that the data that we \ncollect goes into a huge pool of all users who have the same \nopt out cookie. It is completely abrogated which means we can't \nsee an individual user in that pool of data that has been \nidentified as opt out.\n    Mr. Rush. The chair's time is up. The chair now recognizes \nthe ranking member, Mr. Radanovich, for 5 minutes, and at the \nconclusion of his questions and answers, the chair will \nrelinquish the chair to the chairman of the Communications \nSubcommittee at that point.\n    Mr. Radanovich. Thank you, Mr. Chairman, and welcome \nmembers of the panel. Your testimony is very interesting. My \nfirst question goes to Mr. Curran, is it? For your testimony, I \nunderstand that you are involved in a broad industry-wide \neffort to create self-regulating principles, and that these \nprinciples, you are going to be releasing these principles \npretty soon, I understand within about 30 days. Can you expand \na little bit on what we can expect you to address on those, and \nI am particularly interested about the enforcement areas of \nthese principles.\n    Mr. Curran. Actually I think there are two different \nanswers to your question because there are two different things \ngoing on, and in my long form testimony I detailed some of the \nwork going on with the NAI in terms of our member companies, \nwhich are primarily advertising networks and other online \nmarketing companies, to essentially further the development of \ntechnology that will allow, as Ms. Wong showed you with her \npresentation, notice inside the banner ad really to get \ntogether to advance an infrastructure that would allow any \nentity serving a behaviorally targeted ad or any party \nresponsible for a behaviorally targeted ad to deliver that kind \nof notice in connection with an ad.\n    Mr. Radanovich. So that is work that the NAI has been \npursuing from a technological perspective?\n    Mr. Curran. Separately, I think your question relates to a \nfar broader industry dialogue that has been not led by the NAI \nbut instead by the IAD, the DMA, the AAAA's, the ANA, and also \nthe BBB. That is a lot of acronyms.\n    Mr. Radanovich. That is much clearer now.\n    Mr. Curran. I think the key takeaway here is that certainly \nthe FTC has indicated that broader self-regulatory approaches \nwere needed for industry, and that is very much an effort in \nthat direction of actually establishing principles similar in \nspirit to those of the NAI to apply on an ecosystem wide basis. \nMy understanding is that the roll out of those principles is in \nweeks. And we are very much supportive of those efforts, and I \nthink they are very much a part of a trend of really a momentum \ntowards exactly what the FTC called for in terms of really a \nvery vigorous engagement.\n    Mr. Radanovich. Thank you very much. Ms. Wong, I would love \nto ask you a question regarding your comments or support of \nestablishing a uniform online and offline framework for \nprivacy. Now I would love to have you clarify what uniform \nmeans and does it mean that it should apply to all entities and \nengage in collecting or using and sharing online information \nwhether they are ISPs or application providers? Should it be \nstraight across the board or are there different applications?\n    Ms. Wong. Yes. And I think there are two answers to that. \nAs an initial matter, Google and a number of the folks at the \ntable here have been really working hard to think about federal \ncomprehensive privacy legislation, and if I were to encourage \nthe committee to do anything I think it is backing something \nlike that because our history on privacy legislation has really \nbeen about sectorally trying to regulate privacy with children, \nwith health, with financial, so that for a user on the Internet \ntheir Internet experience is seamless. They go from their bank \nto their doctor to their web service seamlessly and don't \nrealize that different privacy laws apply. The important for \nensuring that users continue to trust the use of their data on \nthe Internet is to have baseline privacy law across industries. \nTo get to your second question about----\n    Mr. Radanovich. Let me ask this and clarify it a little \nbit. When you say uniform, does that apply to content providers \nthat provide content over Google? Would they be subject to the \nsame--is that what you call uniform online privacy?\n    Ms. Wong. Right. So, yes, there would be baseline standards \nfor all companies in terms of notice to users, access and \ncontrol for users, and security for that data.\n    Mr. Radanovich. OK. Thank you. Ms. Toth, in Yahoo! recently \nyou announced that you will completely erase IP addresses at \nthe end of its data retention period rather than just deleting \na few numbers as is the practice of a number of your \ncompetitors. If you don't need the IP addresses for fraud \nprevention or anything else, what is the utility in keeping the \nIP address at all, and why the fractional numbers of why don't \nyou just dump it right away?\n    Ms. Toth. I think we actually have slides in there of our \ndata retention policy and the process steps that we take so for \nthe vast majority of our data at 90 days we de-identify the \ndata. We apply a four-step process to remove identifiers. The \nIP address is one of those identifiers that is stored in the \nlogs, and for us we completely delete that identifier at 90 \ndays with the exception of the fraud and abuse systems which \nhold it for up to 6 months and then it is deleted. So we store \nthat data only for as long as we need it for the purposes of \nproviding our services and then we de-identify the records and \nthat gets to the IP address. The IP address is typically in the \ncontext of use have more to do with customizing a user's \nexperience along the lines of geography, those sorts of things. \nBut it is de-identified and it is removed at 90 days. Does that \nanswer your question?\n    Mr. Radanovich. Good enough. Thank you very much.\n    Mr. Boucher [presiding]. Well, I again want to express \napologies to our witnesses for the lengthy delay. We were on \nthe House floor a bit longer than we had anticipated, and you \nwere very patient. We want to express the committee's \nappreciation to you for your willingness to stay with us and \nprovide what has been some truly excellent testimony. I am \ngoing to propound a series of questions and then recognize \nother members who are here. Some have made the point in written \ntestimony, and I have heard it made otherwise, apart from this \nhearing, that there can be a meaningless opt in and a \nmeaningful opt out. And I would assume that the difference with \nregard to meaningfulness depends to some extent on the degree \nof disclosure that is made to the user. So what I would like is \nto get your statement of what you think the elements of a \nmeaningful opt out would be. Who would like to answer? Mr. \nChester.\n    Mr. Chester. I would like to say, thanks, that I think we \nneed an opt in. And my rule of thumb is, and this has to be \ndone in a doable way to make----\n    Mr. Boucher. Mr. Chester, before you alter the question and \nanswer the question you wish I had asked, let me see if we can \nget you or someone to answer the question I actually did ask. \nMs. Wong.\n    Ms. Wong. I will give it a try. And I agree with the \nconcept of there are good opt outs and there are bad opt ins. I \nthink a bad opt in is, you know, an opt in slipped in in a long \nprovision at the beginning of a contract relationship with your \nuser that they forget over time, and so there could be \ncontinued data collection in the life of your relationship with \nthat user that the user completely forgotten about. A good opt \nout is an opt out that is presented again and again to the user \nas a meaningful choice to them. So in our interest-based \nadvertising, for example, one of the things that we are trying \nto do is to put ourselves in front of the user so that we \nencourage them to engage with their own data. That is the \npurpose of that Ads by Google link in the ad because we want \nthem to know when you are looking at this page it is not just \nthe New York Times you are looking at. The ad is from Google, \nand you should engage with that data. The purpose of our ads \npreference manager is again to give the users a sense of \ncontrol so that they change their behavior and start to engage \nand take control of their own data. And I think that----\n    Mr. Boucher. So you would make full disclosure to the user \nof what information is collected about the user. You would \ndescribe how that information is used once you have collected \nit and then you would provide the opt out opportunity?\n    Ms. Wong. That is right.\n    Mr. Boucher. And would those be the meaningful elements of \nopt out as far as you are concerned?\n    Ms. Wong. I think that is right. The continued engagement \nwith the user.\n    Mr. Boucher. All right. Now let me ask Mr. Chester, who I \nknow is very interested in taking part in this discussion, what \nhis response to that would be.\n    Mr. Chester. Well, my rule of thumb is this, it has to be \ndone workably. The companies should be telling the consumer \nwhat they tell perspective clients. When you see what--and I \nincluded some of that in my testimony, when you see what they \nare telling their clients and their perspective clients or when \nthey are reporting on the results of the data collection system \nthey have created with the advertising, they are talking about \nmassive collection of data that is far beyond the ken of what \nmight be presented in a simple opt out. So they need to be \nhonest and tell people exactly what is about to happen. It can \nbe a scale here, but if you read what they are doing including, \nfrankly, the companies here, if you read what they are saying \nand also how the applications, the interactive applications, \nwhen you read the literature, the interactive applications have \nbeen designed, the online video, to get people to give up more \ndata, so they have to be honest.\n    Mr. Boucher. All right. Thank you very much. If we were to \ndraw a regulatory line of some sort that is focused on the \ncollection and use of personally identifiable information, \nshould we include within the definition of what is personally \nidentifiable information, the IP address? Mr. Chester is saying \nyes. Let me see if any have any different views. Everyone \nagrees that--well, OK, Ms. Wong.\n    Ms. Wong. I will give it a try again. I think our position \nis that the IP address can be personally identifying depending \non your relationship with the user so, for example, if you are \nthe ISP that assigned that IP address what it means is that you \nare actually billing that user every month and having credit \ncard or billing information from them, which means you can in \nfact associate the IP address, the ISP assigned, with a real \nperson. If you are in a position like Google with an \nunauthenticated user where you don't know who is attached to an \nIP address it is not personally identifiable.\n    Mr. Boucher. So you are saying it would be personally \nidentifiable if it is associated with other kinds of \ninformation about the user?\n    Ms. Wong. That is right.\n    Mr. Boucher. Some of which might be quite sensitive and \npersonal.\n    Ms. Wong. That is right.\n    Mr. Boucher. You would probably say it is not personally \nidentifiable if you have that in isolation perhaps with an opt \nout cookie?\n    Ms. Wong. Right.\n    Mr. Boucher. All right. I think I understand your position. \nIn the time I have remaining, let me ask about the possible \nrole that self-regulatory organizations might play in a \nstatutory scheme that would extend privacy rights to Internet \nusers. Several questions about that. I know we have well-\nregarded SROs in existence today. Many of the major Internet \ncompanies are affiliated with one or more SROs, and I am \nconcerned if we add a statutory scheme on top of that in order \nto assure that every Internet user has the understanding that \nhis online experience is secure because all web sites will have \nto comply with a certain set of fundamental privacy assurances. \nHow we do that in association with continued viability and \nusability for the SROs so just a couple of key questions. How \nwould a user who feels aggrieved because the SRO, for example, \nmay not have complied with the principles it signed up to \ncomply with get recourse? Should there at some point be access \nto a federal agency to seek that resource? And how could we \nmake sure that every web site actually complies with the \nminimum set of guarantees? So who would like to try answering \nthat? Mr. Cleland.\n    Mr. Cleland. Well, I think, you know, you are trying to get \nto something that actually works, and I think you are trying to \nget to an accountable system. One idea I would offer whether it \nis self-regulatory or governmental is that there needs to be \nsome audit that is occurring on a regular basis. Those could be \nautomated audits or they can be personalized. They need to be \nrandom because what you are talking about is meaningful. We are \ntalking about accountable. And if you care about those two \nwords and those two concepts and principles, there needs to be \nsome verification.\n    Mr. Boucher. Other comments, Mr. Chester?\n    Mr. Chester. There is a role for self-regulation, but I \njust have to underscore that self-regulation has failed. The \nonly reason the NAI is upgrading its principles is because of \nthe controversy that occurred over the Google-DoubleClick \nmerger when all these consumer privacy groups made so much \ntrouble that then the FTC said, OK, we got to do something \nabout privacy principles, and then the NAI after many years of \nbeing asleep, you know, decided, OK, we are going to revamp \nthem. The only reason the companies have reduced their \nretention time is because the European Union has been pressing \nthem. So it is the forces of regulation that have actually \nbolstered the failing self-regulatory system.\n    Mr. Boucher. So you would agree, would you not, Mr. \nChester, that if the statute imposed certain fundamental \nguarantees and they meet your definition of what those \nfundamental guarantees of privacy should be, for example, that \nan SRO that enforces those fundamental guarantees or has those \nas its core principles that are a condition of membership, such \nan SRO could be effective, could it not?\n    Mr. Chester. I think the history of self-regulation \ncertainly need telecommunications like the kids area has been \nthat the self-regulatory structure is only as good as the law \nthat has in fact----\n    Mr. Boucher. On that note, my time has expired. And I will \nrecognize the gentleman from Florida, Mr. Stearns, for 5 \nminutes.\n    Mr. Stearns. Thank you, Mr. Chairman, and let me also \nreiterate your comments. This is the first time I think in the \nhistory of Congress that we had this kind of procedure on the \nfloor. We had almost 55 votes, and they were over almost 8 \nhours. And so you have hit sort of a perfect storm so your \npatience is appreciated and we appreciate you staying. Ms. Toth \nand Ms. Wong, on any given day people come to your sites. Let \nus call that X. They all come to your sites. What percent of \nthose people actually go to your privacy, Ms. Toth?\n    Ms. Toth. We don't calculate it as a percentage. Overall, \nthe number of page views of users who come to our privacy \npolicy remains a fairly low number overall.\n    Mr. Stearns. So let us say just take 1,000 people just to \nmake it easy, 1,000 people. You couldn't even tell me if it is \n10 percent or 1 percent or half a percent?\n    Ms. Toth. It certainly is far lower than 1 percent.\n    Mr. Stearns. So it is very, very small. And, Ms. Wong, how \nabout you?\n    Ms. Wong. I don't know, and I can try and get back to you \nwith the number, but off the top of my head I don't know the \nnumber of views.\n    Mr. Stearns. No one on your staff can even just give a \nballpark? I mean it is not 10 percent?\n    Ms. Wong. I am sure it is lower than the number of overall \nvisits we get. Here is what I do know, which is that a year ago \nor so we started uploading videos to explain our privacy \npractices, and what we are seeing there is that users are \nengaging with us in those----\n    Mr. Stearns. Because it is a video. OK.\n    Ms. Wong. Because it is a video and they are rating them \nand telling us what works for them and what doesn't, and I know \nthat notice is a really important thing for this committee. We \nhave to find better ways than a pure privacy policy to engage \nwith our users to make them----\n    Mr. Stearns. And videos might be a good way.\n    Ms. Wong. And videos----\n    Mr. Stearns. Now each of you mentioned that you are willing \nto give to the consumer the information that you have collected \nand get it in sort of a category. And is this information that \nyou are going to give--this is then sensitized or you have put \ntogether a summary and given it to the customer. Will you let \nthe user actually see the raw data or at least actually see \nwhat you collect? Will you ever get to the point they can \nactually see what you collect?\n    Ms. Toth. I would actually love it if we could--I would \nlike you to see some of the data that we actually do collect \nbecause I think it----\n    Mr. Stearns. So I could actually see it if I wanted to.\n    Ms. Toth. Right.\n    Mr. Stearns. And not just get your categories----\n    Ms. Toth. We have a slide that shows our log files or a \nsample of what we collect in the log files. I don't think \nactually a consumer would engage with that in a way that would \nbe meaningful for the consumer because it is a very technical \nexpression of a user's interaction with us on the site so what \nwe do in our interest-based advertising and the behavioral \ntargeting systems that we use is to take those visits and \ncategorize them based on the types of interaction. So if a user \nvisits sports, they will have a score that indicates they visit \nsports. The actual log files themselves would probably not be \nuseful for a consumer to engage with. It is a series of--it is \nactually quite difficult to explain in plain English what is in \na log file.\n    Mr. Stearns. OK, but the customer would have access to it \nis what you are saying if they wish to?\n    Ms. Toth. Well, the customer--we don't actually make it \navailable because there are no tools that actually generate log \nfiles in a way that would be easily accessible for consumers. \nWhat we give consumers is ready access to our privacy policy, \neducational links, opt out opportunities that are abundant \nacross the site.\n    Ms. Wong. The demo that we did for you about our ads \npreference manager is an attempt to make that interface real \nwhich is demonstrating the interest categories that are \nassigned to a cookie in order to target advertising because I \nthink Anne is correct that if a user won't read a privacy \npolicy they are surely not going to read code.\n    Mr. Stearns. OK. Mr. Chester, before you can answer that \nquestion also, what do you do with the bad actors? I mean we \nsit here and we pass a bill and we set up opt in and opt out \nprocedures, and we have got Yahoo! and Google, but what are you \ngoing to do with the bad actors and how--is it possible that in \naddition to developing this legislation so that all 50 states \nhave one set because each state now is developing a different \none so there might be a need for us at the federal level to \ndevelop it so you don't have 50 states with 50 different \nprivacies. So I guess my question is twofold. What do we do \nwith the bad actors and is it a possibility that you could set \nup good housekeeping seals that everybody would say I am safe \nwith this site, bingo, I can go into it and feel comfortable, \nand the bad actors wouldn't get it and then you could \ndifferentiate and say I am not going to fool with those.\n    Mr. Chester. I think if you passed legislative standards, \nright, that would be the base line. Everybody would know \nbasically that they are protected. You now have a changed FTC \npotentially and hopefully you are going to reauthorize it soon. \nI mean the FTC has been hampered in going after the bad actors. \nIt has been constrained from really looking as closely at this \nmarket as it should be and hasn't had the resources, and it has \nalso been in conflict. There is now a new chairman there. There \nis a new director of consumer protection. They really want to \nmove on this issue, and they could in fact be empowered to go \nafter the bad actors in a much more vigorous way. Of course, we \ndon't want to see state pre-emption consumer----\n    Mr. Stearns. Now when I had hearings on this one of the \nproblems we found is that there was no reciprocity between \ncountries and you had the bad actors outside the United States. \nAnd so part and parcel of this is to develop legislation with \nother countries where you have reciprocity so you can go after \ncorruption and fraud and there is that ability to do it. \nOtherwise, no one is going to comply with the federal bill and \nthey will be in another country.\n    Mr. Chester. Well, I do think we are falling behind the \nEuropeans. They are going to have a better privacy policy and \nbuild a whole new online commerce business that is privacy \nfriendly while we are lagging because they are moving. The \nmarket is really being shaped, and this is something positive \nabout the industry, we are creating this global interactive \nmarket. Yes, there are European companies, yes, there are Asian \ncompanies, but they in fact have created the standard and that \nis terrific. What happens here can shape the rest of the world. \nAs for profiles, you can see company after company says I have \nall this information about an individual consumer. I would hope \nthat under the legislation that consumer could see all the \ndetailed information that is being collected about them.\n    Mr. Stearns. Mr. Cleland.\n    Mr. Cleland. Yes. I think if Congress is serious about this \nyou need to focus on the concept of deterrence. I mean if \nprivacy violations or repeated violations are important there \nneeds to be a significant penalty of whatever is appropriate \nbut if legislation is passed and there is no deterrent and \nthere is also no significant way of getting caught meaning \nindependent audits of some type, it will not have teeth. It \nwon't be meaningful and it won't be accountable. So if you are \nserious about this, you really need to be thinking about how do \nyou take unaccountability, which is a problem across the \nInternet, not just with privacy, and try and address that and \ncreate more accountability. It is never going to be perfect but \nit is a key.\n    Mr. Stearns. Mr. Chairman, if you will give me a little \nslack here, I just want to bring this last question, which \nreally is also what we as legislators are grappling with, and \nthat is the regulatory side versus the enforcement. Mr. Cleland \ntalked about the enforcement, and we have two jurisdictions \nhere. We have the FCC and the Federal Trade Commission, so I \nwould like to just start to my left and just go down, and \nperhaps you could give us a feeling of how you think this bill \nshould come together in terms of jurisdiction with the FCC and \nthe Federal Trade Commission. Some people think, well, the FCC \ncould be the enforcer and the FTC could be the regulator, but I \nwould be curious if each one of you, if you don't mind, take a \nfew moments, Mr. Chairman.\n    Mr. Felten. I would say this is closer to an FTC issue. I \nthink it is fundamentally a consumer protection issue.\n    Mr. Stearns. So both for regulatory and enforcement?\n    Mr. Felten. Yes.\n    Mr. Stearns. OK.\n    Ms. Toth. I would agree with Mr. Felten. We have worked for \na very long time with the Federal Trade Commission on issues of \nconsumer privacy online. We feel very comfortable and believe \nthat they are well versed to address this issue.\n    Mr. Stearns. Ms. Wong.\n    Ms. Wong. I have to say I feel a little bit out of my depth \nin terms of understanding the jurisdiction between federal \nagencies, but like Anne we have worked for quite a while with \nthe FTC. My experience in watching them over the last 10 years \nis they brought very effective enforcement actions.\n    Mr. Kelly. I would say as well that we worked extensively \nwith the FTC so far along this and they also have a great deal \nof expertise in the competition area, which is one of the \nthings that is driving better technology throughout the \nindustry in terms of providing users more transparency and more \ncontrol over their data so the FTC has developed a great deal \nof expertise in this area.\n    Mr. Chester. I would like to see a joint task force because \nin fact the FCC will have expertise at the network level and \nparticularly with cases with--inspection. There is a real role \nhere for the FCC but when it comes to the ad itself and the \nconsumer experience itself it is the FTC.\n    Mr. Stearns. Yes, because, you know, this is going to \ndevelop once you get broadband more. You are going to see voice \nover Internet. You are going to see everything over the \nInternet. And so all communication is going to be through that \nmedia and so I think the FCC has a part and parcel role.\n    Mr. Curran. I think I would echo that, a nod to the FTC, \ncertainly in terms of our business model for cookie-related \nactivity. The FTC for over a decade with its workshops on \ntechnology has been instrumental in raising awareness of the \npolicy and technical issues and very much determinant in \nsetting the direction for self-regulation. And as for other \nbusiness models and other regulatory schemes, I wouldn't be \nable to speak to that.\n    Mr. Stearns. OK. Mr. Cleland.\n    Mr. Cleland. FTC is the lead in close coordination with the \nFCC. The only problem would be is if jurisdiction got in the \nway of passing--if you want to pass legislation. That would be \nthe only tragedy.\n    Mr. Stearns. Thank you.\n    Mr. Boucher. Thank you very much, Mr. Stearns. The \ngentleman from New York, Mr. Weiner, is recognized for 5 \nminutes.\n    Mr. Weiner. Thank you. Could I ask perhaps for Ms. Wong to \ntalk a little bit about your experience developing Chrome, \nwhich is your--what is it called?\n    Ms. Wong. Browser.\n    Mr. Weiner. Your browser. Wouldn't it be possible through \nthat vehicle so when you download it, your first page is tell \nus what information you would like to know about the pages you \nare visiting and what information that you would like to share, \nand maybe a collection of boxes you can check or not check. It \nis similar to kind of what Facebook tries to do although they \ndon't do it right in your face. They kind of have you can say \nthis--that seems to be an even better place to think about the \ntrue gateway to the experience. If I wanted to do that through \nChrome, would I be able to do that in some way? I mean I know I \ncan go and erase the cookies and I can erase my browser \nhistory, but can I do something like that?\n    Ms. Wong. Right. Thank you for that question.\n    Mr. Weiner. You are welcome.\n    Ms. Wong. And I am at a little bit of a disadvantage \nbecause I am not an engineer, just a lawyer, and our engineers \ndo amazing things. I think that--I don't know if there is any \nlimitation on what they can do. I know they are working very \nhard to build privacy controls----\n    Mr. Weiner. Well, perhaps if I could interrupt you maybe \nMr. Felten can tell me about the technology possible here.\n    Mr. Felten. Sure. The information flows that users might be \nconcerned about mostly happy not at the browser but after the \nuser has interacted with a web site or a content provider, so \nwhat that means is that technical controls would exist mostly \nnot in the browser but in the web sites themselves.\n    Mr. Weiner. Let me interrupt on that point. But if you have \na fairly finite number of browsers that most people use, let us \nsay for the purpose of this conversation it is 5. That \nbasically probably accounts for most of what people do. And the \nbrowsers are themselves competitive with one another. You can \nargue that the browser industry grew out of people's \ndissatisfaction with Explorer. So why couldn't you say that if \nyou want your web site to come up when you traveling through \nFirefox, you have to have certain of your own information that \nyou are giving us about what we can tell our users. Isn't that \nkind of a technical solution, a solution but a technical way to \nkind of serve as a gatekeeper for a lot of web sites?\n    Mr. Felten. Yes, and certainly there are things you could \ndo along those lines so that the browser could help the user \nexpress their preferences and the browser could in a technical \nway query a site and see what promises the site makes about \nuses of data. There have been efforts to do this in the past. \nThere was a standardization effort called P3P, the platform for \nprivacy preferences, which defines such a standard and for \nreasons that are subject to debate the standard didn't stick. \nIt wasn't popular. Nonetheless, I think this is a fruitful \napproach and I for one would be happy if the companies got \ntogether and had a discussion again about how to do this.\n    Mr. Weiner. Mr. Kelly, tell us a little bit, if you could, \nabout your experiences in stepping on the toes of people's \nprivacy concerns. It seems to me that we to some degree have \nthree companies that have succeeded because consumers with a \nlot of different choices have chosen to use Google, chosen to \nuse Yahoo, chosen in large numbers to go to Facebook. Could it \nbe that the reason they are choosing your 3 services in \nparticular is that you are being self-selected by an active \nconsumer marketplace that thinks privacy works on your sites? \nYou just had an experience, I guess it is an ongoing one, where \nyou had kind of a conversation with your members about privacy. \nHow does it work differently on yours than say--what search \nengine do you use when you are searching the Internet \npersonally?\n    Mr. Kelly. It is usually Google.\n    Mr. Weiner. How is your privacy experience as a consumer of \nGoogle different than as a member of Facebook, is it at all?\n    Mr. Kelly. Well, I think that all three of these sites have \nsucceeded because they are providing great user experiences \noverall, and in come cases those are around privacy, and \nbecause we have based a business on identity and personal \ninformation and the effective sharing of that with people who \nshare a social context with you, we knew going in that privacy \nwas going to be a critical issue for us. And our goal has been \nto build technologies that allow people to make choices, so one \nof the things that has gotten lost in the discussions of social \nnetworking is that friending, whether your friend somebody or \nnot and how you connect to them is in and of itself a privacy \nsetting. It determines what information that you see on \nFacebook, and that has been a great experience for us.\n    When you look at Google or Yahoo! as a search engine, they \nare looking to deliver a different experience there. They are \nlooking for you type in a word or two and get back something \nthat they think is the most relevant experience for you to get \nyou to the page that you need to go next. If you use other \nservices on those sites, they are providing different \nexperiences there. Our goal has been to build technology that \nempowers users and lets them make their own choices about how \nthey share information. We have aimed to extend that into the \nadvertising realm as well.\n    Mr. Weiner. Mr. Chester, I know you want to answer this \nquestion, but let me build on it. You can go ahead and in my \nlast few seconds you can answer, but I take you back to 1986 or \neven 1996. I don't even know when this phenomenon all began. \nYou could buy someone's credit report from three different \ncompanies. You could probably find aggregators of information \nthat helped car dealers figure out who to send their \ninformation to. You could probably scrub public records to find \nout what kind of a home that they own, how much taxes they \npaid. It seems to me that there have always been resources that \nallowed someone to do 75 percent of what you described in your \ntestimony as the thing we are protecting against. And we have \nacted here in Congress to try to limit access to that \ninformation but to some degree wouldn't you agree that \nconsumers have pretty much now have a lot of tools that inform \ntheir experience.\n    I would argue without knowing, I bet you there are places I \ncan go on the Internet to even find little software plug-ins I \ncan probably download to let me know who is doing what and what \nweb sites are good or bad at protecting information. So it is a \ntwo-part question. One is in a lot of the stuff that you are \nmost concerned about is going to be out there whether you don't \nplug into the Internet at all, and, secondly, isn't some degree \nthe marketplace allowing--aren't consumers allowing the winners \nto be the good privacy companies? So why don't you take both \nthose----\n    Mr. Chester. Polls after polls after surveys including the \none that UC Berkeley just released about a week ago, 10 days \nago, say that the most users, most consumers, have no idea \nabout what is being collected, how it is being used, how it \nreally works. I honestly believe, and I think this is going to \ncome out as part of this debate, and, frankly, that is why we \nneed good privacy legislation because it is going to undermine \npublic confidence. People don't really know what is going on \ninside Facebook and the third party developers and all the data \nflowing out. They don't know what Google is collecting across \nits various interests. If they knew, they would, in fact, I \nthink be more concerned, so consumers don't know. The polls \nshow that. This is a whole different world here than it was \nback in 1996 or 1998 when we did the children's act.\n    You are talking about the instantaneous merging of a vast \nnumber of offline databases with online behavior minute by \nminute that is adopted to an individual's actions and reactions \nwith various online environments including all the personal \ninformation they put on their social networks. This is a \ncompletely different system that has been created. And, \nfinally, you know, I have a 16-year-old. I look at this as the \nworld that will be here very soon. We will be buying our \nmortgages on this mobile phone in the not too distance future. \nThis is the dominant way we are going to be doing business for \nthe PC and the mobile phone. It is a whole different world that \nhas been created. On the one hand, we should be proud of it. \nThey created it for us. We just have to make sure that \nconsumers are protected.\n    Mr. Weiner. Thank you, Mr. Chairman.\n    Mr. Boucher. Thank you very much, Mr. Weiner. The gentleman \nfrom Louisiana, Mr. Scalise, is recognized for 5 minutes.\n    Mr. Scalise. Thank you, Mr. Chairman. When we talk about \nopt in versus opt out, and I would imagine for business model \npurposes opt out is the preference because if you force \nsomebody to opt in, I would think it would probably limit the \nnumber of people that would want their data to be collected on \nthe front end, but if they do go through the process of opting \nout, are they actually stopping their personal data from being \ncollected or are they just not getting the targeted \nadvertising. If Ms. Toth could start.\n    Ms. Toth. When a user is opting out for us that is an opt \nout of not collection but of use of the information, but I also \nwant to be careful about the use of the term personal \ninformation because very often what is being conveyed to us is \ninformation that is specific only to a browser that is used to \ncustomize advertising. But even that level is what the user is \nable to opt out of in terms of that data being used.\n    Mr. Scalise. But in different levels, of course. If you are \njust going on to a browser, and I think Ms. Wong talked about \nthat, if I just go on to Google and do a search there is \ndifferent information, maybe just my IP address, but then if I \nactually use Yahoo! for an e-mail account then clearly I am \ngoing to be giving you a whole lot more information and then \nyou will have access to that, and if I choose to opt out of \nthat what am I opting out of there? Are you not going to be \ncollecting that data anymore or are you just not going to be \ngiving the targeted advertising?\n    Ms. Toth. The way that we do it at Yahoo! is that when a \nuser opts out, we are no longer showing them targeted \nadvertising, and we are not using their information in that \nparticular way. Yahoo! offers a wide array of products and \nservices, as you mentioned, e-mail, search, a wide array of \ndifferent----\n    Mr. Scalise. Maybe social network services.\n    Ms. Toth. Social networking, exactly. So when a user opt \nout, we opt them out of the delivery of targeted advertising, \nbut we also recognize that users may not want us to have that \nmuch information about them, so we take great pains to de-\nidentify the data as soon as we can. We spent over a year \nlooking at every single product, every single data system at \nYahoo! to really try to minimize the amount of time that we \nhold data about users.\n    Mr. Scalise. Right. I know we got limited time, so, Ms. \nWong, and then Mr. Kelly.\n    Ms. Wong. Sure. I think it is roughly the same answer that \nI gave earlier, which is we really collect very little data \nfrom users when they are searching the IP address and the \ncookie, and the opt out for our interest-based advertising is \nan opt out for those targeted ads, and that it means is that \nthe cookie you are getting is not uniquely identified. It just \ndrops the query that you send us or the data that we have \ngotten into a bucket of all opt out cookies.\n    Mr. Kelly. Because our service is based on sharing personal \ninformation with others, we inevitably end up collecting a \ngreat deal of personal information so that we can effectively \nshare it with others, and actually ask people to retain \npeople's photo albums for them, which they usually expect to be \nretained indefinitely. In certain circumstances, and \nparticularly in our advertising products, where we are \ninnovating and where people may not be used to a presentation \nin a particular way, we have allowed for opt outs in those \ninstances because we think it empowers users. It allows them to \nsay I am not comfortable with this at this point, but they can \nreconsider that at a later time. Our goal overall, and I think \nthe goal of this committee and any legislation it considers and \nany enhancement of regulatory authority should be to make sure \nthat consumers have real power to make those choices. We have \ntried to embody that in technology as much as we can, and you \nare here trying to embody it in law and trying to encourage the \nregulatory agencies to continue to meet their burdens and their \nobligations under existing law.\n    Mr. Scalise. And I apologize to interrupt. I have only got \na minute left. There is something else I want to ask especially \nas it relates to the e-mail services. And both for Yahoo! and \nGoogle, if you can answer this. If a user of Yahoo! or Google \nor any other e-mail service decides that they want to opt in or \nthey don't opt out to all of those agreements, and you can \ncollect whatever information you want from them, but let us say \nthey then send me, and I don't have that service, and they send \nme an e-mail. I didn't agree to any of those issues. Do you \nread e-mails from people that are a Yahoo! or Google e-mail \nsubscriber? Do you read through those e-mails to gather \ninformation in any way?\n    Ms. Toth. Yahoo! does not scan the content of e-mail \ncommunications in order to share targeted advertising.\n    Mr. Scalise. Or for any other purposes?\n    Ms. Toth. We don't--well, there are only some purposes \nfor--there is a process that actually removes viruses from e-\nmail that is an automated process but we don't use the \ncontent----\n    Mr. Scalise. For advertising. Ms. Wong.\n    Ms. Wong. Yes. We are using that same technology that scans \nfor viruses and also scans for spam. It is basically technology \nthat looks for pattern in text, and we use that not only for \nthe spam blocking and viruses but also to serve ads within the \nGmail user's experience so importantly like the----\n    Mr. Scalise. So if two people are exchanging an e-mail \nabout a sporting event and they are talking about going to the \ngame and then maybe they are going to want to go out for a \ndrink afterwards, could they then maybe expect to get an \nadvertisement about which different bars are offering specials \nafter the game?\n    Ms. Wong. They won't get an e-mail with an advertisement \nbut only the Gmail user will be able to see ads that shows up \njust like they show up on the side of our search results that \nare key to specific words--they are key words just as if you \ntyped them into our browser that are calling from our \nrepository of millions of ads to deliver an ad that is targeted \nto the content that you are reading.\n    Mr. Scalise. So if that was a two-way conversation, one was \nthe Gmail subscriber who agreed to or didn't opt out of the \nprivacy but the other person in that conversation was not a \nGmail user, clearly not someone who opted in or opted out, \nwould any part--because in an e-mail thread they could have had \nmaybe four or five replies and you got a long thread built up, \nand it is not just going to be the Gmail's information that is \ngoing to be there. The person who is a non Gmail user is also \ngoing to be included in that thread. Would any of that \ninformation be read?\n    Ms. Wong. The non Gmail user will not have any ads targeted \nto them at all.\n    Mr. Scalise. Is any of their data collected from that \nconversation?\n    Ms. Wong. Their data sits in the recipient's, the Gmail \nrecipient's e-mail archive.\n    Mr. Scalise. So if you have got algorithms that went \nthrough that Gmail e-mail, then when you were reading things in \nthat e-mail some of the things that you were reading----\n    Ms. Wong. Were scanned.\n    Mr. Scalise [continuing]. Would have been part of the \nthread of a non Gmail subscriber.\n    Ms. Wong. That is right.\n    Mr. Scalise. How does your privacy policy handle that \nbecause that person clearly has absolutely no knowledge of you \nreading their e-mail, they surely didn't agree to it, and they \ndidn't have the ability to opt out, so how is that handled?\n    Ms. Wong. Yes, just to be really clear. There are no humans \nreading e-mail at our company.\n    Mr. Scalise. But even if it is a software algorithm that is \ntrained to go through and look for key words or key \ninformation, their e-mail address, of course, is going to be in \nthere, so you would be able to know who that person is at least \nfrom their e-mail address, but also you would be able to have \naccess to the information. Do you have anything in those \nalgorithms that prevents that information that is not Gmail \nrelated to be read from a person who didn't agree or have the \nability to opt out of the privacy----\n    Ms. Wong. It would have to be that the user decided that \nthey did not want to receive that e-mail from the person who \nsent it to them so this is fully in control of the Gmail \naccount holder, and they can refuse to receive e-mails from \ncertain people.\n    Mr. Scalise. So you would be putting the burden now of \nprivacy collection on a user of Gmail, someone who actually has \na Gmail account?\n    Ms. Wong. So our user----\n    Mr. Scalise. But your user actually knew what your policy \nwas and could today right now go online as you showed, you got \nmany opportunities for your users to opt out.\n    Ms. Wong. That is right.\n    Mr. Scalise. The person who is the third party who is the \nnon Gmail subscriber who is part of that thread does not have \nthat same access so how can you put the burden on the person \nwho sent the e-mail?\n    Ms. Wong. No, no, no. The person who sent the e-mail has--\nthey have sent their e-mail to their friend. That user is not \ngoing to get any ad targeted to them. We are not going to have \nany information about that user at all.\n    Mr. Scalise. Is any of their information read?\n    Ms. Wong. Except for the fact that we hold their e-mail \nbecause we are the e-mail service provider for the Gmail \naccount holder, which is the same as any other web mail \nservice.\n    Mr. Scalise. I guess the real question is how is that \nperson--the Gmail subscriber clearly has the ability to protect \ntheir privacy, to opt out if they so choose. Maybe some of \ntheir data is still collected but they could still opt out but \nthe third party that they sent the e-mail to who then replied \nback to them who is contained in that thread doesn't have that \nsame ability but their data is subject to being searched in the \nsame way, so how----\n    Ms. Wong. That is true, but that occurs with every web mail \nservice because every web mail service----\n    Mr. Scalise. But Yahoo! just said that they don't do the \nsame thing.\n    Ms. Wong [continuing]. Scans their e-mail.\n    Mr. Scalise. I will ask Ms. Toth if that----\n    Ms. Wong. Every web mail service scans their e-mail for \nspam, scans it for viruses. It is the same process.\n    Mr. Scalise. But also for targeted advertising, I think you \nsaid you all do scan it for targeted advertisements. Ms. Toth \nsaid they do not.\n    Ms. Toth. We do not target. We don't----\n    Mr. Scalise. And I guess in the case where they are \nscanning it for other services that would be maybe sold to a \nthird party, how does the person protect their privacy when \nthey never had the same opportunity to opt out that the \noriginal Gmail subscriber who sent the e-mail was able to have \nthe same access?\n    Ms. Wong. To be very clear, no user's information is sold \nto any third party. No information about the sender of an e-\nmail to a Gmail account is----\n    Mr. Scalise. But if----\n    Mr. Boucher. Mr. Scalise, you are now past 10 minutes of \ntime. We are going to wrap up.\n    Mr. Scalise. If I can get that in writing maybe the answer \nto that. Thank you.\n    Mr. Boucher. That is fine. If any of the witnesses would \nlike to respond to that last question in writing, that would be \nhighly appropriate. The gentleman from Vermont is recognized \nnext, Mr. Welch, for 5 minutes.\n    Mr. Welch. Thank you, Mr. Chairman. Thank you. I want to \njoin my colleagues in apologizing for the delay and \nappreciation for your patience although I think I might rather \nhave your job today than ours. Ms. Wong, in your written \ntestimony you noted that the committee should continue our \nefforts to explore the privacy issues. This is obviously an \nincredibly difficult issue, both because of the complexity of \nmaking this work and assuring confidence to users and because \nof basic questions about what should be private and what isn't. \nI am asking that you expand on that and what ongoing efforts is \nGoogle making about the merging of online and offline data and \nthe issues that are created as a result of that. I would start \nby asking you if you would comment on that and probably ask a \nfew others as well.\n    Ms. Wong. Sure. And I actually think this is a multi-\ndimensional question. I think absolutely there is an obligation \non industry to do the right thing because the trust of our \nusers is incredibly important. I also think that there is a \nrole for groups like Mr. Curran's group, the self-regulatory \ngroups, which continue having us innovate on best practices. I \nthink the best thing that has happened in the last few years \nthat all of the major Internet companies are competing to \ncreate better privacy technologies, and that is really \nphenomenal. There is also a role for government because to be \nvery clear, there are bad actors, and so there is a role for \noversight into the range of players on ecosystem and the \nconduct that they engage in.\n    And the thing that I think is most important, and the \nreason it should apply to both online and offline is that the \ncompanies that you have here all face our users, are all \ninvested in deepening the relationship with our users. There \nare companies that do not face the public that are behind it \nand that need more oversight because nobody knows what they do \nwith their data.\n    Mr. Welch. Mr. Curran, do you want to comment or anything \nelse to add? Kudos to you for the role that you play.\n    Mr. Curran. I would simply say I think we have an \nobligation to tell you about our successes and areas of \nimprovement as self-regulatory organizations as it relates to--\nand also to, I think, work with you to explain the somewhat \ncomplicated technologies that go around the different business \nmodels. I don't believe that--I have diverse memberships that \nwe are not in the position of having a legislative view at this \ntime, but we are very much committed to educating the committee \non the technologies, and I think today's hearing has been very \nhelpful on that in terms of in effect helping you discern the \nexact technical infrastructure that goes into all of this \nonline advertising.\n    Mr. Welch. Well, let me come back to Mr. Kelly. The \nCongress is never going to be able, obviously, to address \ntechnical issues. It is not our competence. It is not our job. \nIt is not what we should do. What specific things in terms of \npolicies, I will ask you, Mr. Kelly, what would you be \nrecommending that Congress do in order to protect privacy, \nwhich is our proper concern, but do it in a way that doesn't \nstrangle innovation?\n    Mr. Kelly. And that is a critical role that you do have is \nto protect the innovation in American technology and how we \nhave been able to lead the world in this area. But, obviously, \nprotecting the privacy of American consumers is critical to us \nand to other companies in the technology industry but not \neveryone. And so there are many actors out there who are tasked \nand see their role as gathering data and building personal \nprofiles of people with no notice, no consent, no control. I \nthink that Congress' regulatory action should be largely \ndirected there. We have a set of existing and extensive \nregulations, and we have talked tonight about our work with the \nFTC as a technology industry in this area where there are bans \nagainst deceptive practices and other activities, but still \nthere are many technology companies out there, whether they be \nspyware vendors, whether they be sort of just surreptitious \ncollectors and aggregators of personal data that deserve the \nattention of this committee, the Congress, and existing \nregulators.\n    Mr. Welch. Thank you. My time is almost expired and I yield \nthe balance of my time.\n    Mr. Cleland. Could I answer?\n    Mr. Welch. It is up to the chairman. I think I am almost \nout of time.\n    Mr. Boucher. Yes, that is fine. Go ahead, Mr. Cleland.\n    Mr. Cleland. Yes. I think the key concept of what you are \nlooking for that the FTC and others should build on is \nlongstanding, fair representation law. We obviously have a huge \ngap. Jeff mentioned a lot of the polls out there. Consumer \ndon't have a clue about all the stuff that is being collected \non them, not a clue. And so if you believe in fair \nrepresentation and you take the facts of all the people that \nhave been dealt with on the Internet and they don't know what \nis going on, there is a serious breakdown in fair \nrepresentation.\n    Mr. Chester. Do you think I could add something?\n    Mr. Boucher. Mr. Chester, please.\n    Mr. Chester. Just very briefly. All the companies here, \nincluding the members of NAI, as far as I can see, are \nincreasing the amount of data they are collecting on consumers. \nIt is not that there is a question of best practices. They are \nbuilding and expanding the data collection. That is the nature \nof the business. That is the nature of the online advertising \nsystem to build out these very sophisticated approaches. \nTherefore, you need to have rules, you need to bring PIA up to \ndate, because you don't need to know your name anymore to know \nwho you are. You need to protect sensitive data and you have to \nhave the FTC be a better watchdog.\n    Mr. Boucher. With that, Mr. Welch, your time has expired. \nAnd let me say thank you once again to our witnesses for what \ntruly has been an informative session. Long delayed, but well \nworth our time talking to you, and we thank you very much for \ntaking your time, all day, in fact, to talk to us. I have \nclearance for unanimous consent from the minority to place in \nthe record a letter to the subcommittee, the joint \nsubcommittees actually, from the Federal Trade Commission, \nconcerning the subject of today's hearing, a letter from Data \nFoundry, a data company based in Austin, Texas. Without \nobjection, those will be made a part of the record.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Boucher. And without objection, the record of this \nproceeding will be kept open for a period of 3 weeks so that \nother members of the subcommittee can submit to our witnesses \nquestions in writing. And as you receive those questions from \nthe members, if you could respond to them promptly, that would \nbe much appreciated. Thanks again to you for an excellent \nhearing. This hearing stands adjourned.\n    [Whereupon, at 8:20 p.m., the subcommittees were \nadjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n\n\n\x1a\n</pre></body></html>\n"