[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]







 BEHAVIORAL ADVERTISING: INDUSTRY PRACTICES AND CONSUMERS' EXPECTATIONS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                    SUBCOMMITTEE ON COMMERCE, TRADE,
                        AND CONSUMER PROTECTION

                                AND THE

      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 18, 2009

                               __________

                           Serial No. 111-53









      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov


                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

74-087                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                    COMMITTEE ON ENERGY AND COMMERCE

                 HENRY A. WAXMAN, California, Chairman

JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
JAN SCHAKOWSKY, Illinois             SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania
JAY INSLEE, Washington               MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas                  PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana
JIM MATHESON, Utah                   PARKER GRIFFITH, Alabama
G.K. BUTTERFIELD, North Carolina     ROBERT E. LATTA, Ohio
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE BRALEY, Iowa
PETER WELCH, Vermont

                                  (ii)
        Subcommittee on Commerce, Trade, and Consumer Protection

                        BOBBY L. RUSH, Illinois
                                  Chairman
JAN SCHAKOWSKY, Illinois             CLIFF STEARNS, Florida
    Vice Chair                            Ranking Member
JOHN P. SARBANES, Maryland           RALPH M. HALL, Texas
BETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky
FRANK PALLONE, Jr., New Jersey       GEORGE RADANOVICH, California
BART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan                MARY BONO MACK, California
GENE GREEN, Texas                    LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex 
    officio)
                                 ------                                

      Subcommittee on Communications, Technology, and the Internet

                         RICK BOUCHER, Virginia
                                 Chairman
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
BART GORDON, Tennessee                 Ranking Member
BOBBY L. RUSH, Illinois              CLIFF STEARNS, Florida
ANNA G. ESHOO, California            NATHAN DEAL, Georgia
BART STUPAK, Michigan                BARBARA CUBIN, Wyoming
DIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois
MICHAEL F. DOYLE, Pennsylvania       GEORGE RADANOVICH, California
JAY INSLEE, Washington               MARY BONO MACK, California
ANTHONY D. WEINER, New York          GREG WALDEN, Oregon
G.K. BUTTERFIELD, North Carolina     LEE TERRY, Nebraska
CHARLIE MELANCON, Louisiana          MIKE FERGUSON, New Jersey
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
    Islands
KATHY CASTOR, Florida
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex 
    officio)










                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement.................................     1
Hon. George Radanovich, a Representative in Congress from the 
  State of California, opening statement.........................     3
Hon. Rick Boucher, a Representative in Congress from the 
  Commonwealth of Virginia, opening statement....................     4
    Prepared statement...........................................     7
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     9
Hon. Zachary T. Space, a Representative in Congress from the 
  State of Ohio, opening statement...............................    10
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................    11
    Prepared statement...........................................    13
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................    19
Hon. Joseph R. Pitts, a Representative in Congress from the 
  Commonwealth of Pennsylvania, prepared statement...............    21
Hon. Phil Gingrey, a Representative in Congress from the State of 
  Georgia, opening statement.....................................    23
Hon. Steve Scalise, a Representative in Congress from the State 
  of Louisiana, opening statement................................    24
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, prepared statement................................   145
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, prepared statement..............   148
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, prepared statement..............................   150

                               Witnesses

Edward W. Felten, Director, Center for Information Technology 
  Policy, Princeton University...................................    25
    Prepared statement...........................................    28
    Answers to submitted questions...............................   155
Anne Toth, Vice President of Policy, Head of Privacy, Yahoo!, 
  Inc............................................................    36
    Prepared statement...........................................    38
    Answers to submitted questions...............................   158
Nicole Wong, Deputy General Counsel, Google Inc..................    48
    Prepared statement...........................................    50
    Answers to submitted questions \1\
Christopher M. Kelly, Chief Privacy Officer, Facebook............    59
    Prepared statement...........................................    61
    Answers to submitted questions...............................   185
Jeffrey Chester, Executive Director, Center for Digital Democracy    68
    Prepared statement...........................................    70
    Answers to submitted questions...............................   189
Charles D. Curran, Executive Director, Network Advertising 
  Initiative.....................................................    98
    Prepared statement...........................................   100
    Answers to submitted questions...............................   193

----------
\1\ Ms. Wong did not respond to submitted questions for the 
  record.
Scott Cleland, President, Precursor LLC..........................   115
    Prepared statement...........................................   117
    Answers to submitted questions \2\

                           Submitted material

Letter of June 16, 2009, from the FTC to Subcommittees, submitted 
  by Mr. Boucher.................................................   152

----------
\2\ Mr. Cleland did not respond to submitted questions for the 
  record.

 
 BEHAVIORAL ADVERTISING: INDUSTRY PRACTICES AND CONSUMERS' EXPECTATIONS

                              ----------                              


                        THURSDAY, JUNE 18, 2009

        House of Representatives, Subcommittee on Commerce, 
            Trade, and Consumer Protection, joint with the 
            Subcommittee on Communications, Technology, and 
            the Internet, Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 10:08 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Bobby L. 
Rush (chairman of the Subcommittee on Commerce, Trade, and 
Comsumer Protection) presiding.
    Present from Subcommittee on Commerce, Trade, and Consumer 
Protection: Representatives Rush, Weiner, Matsui, Space, 
Radanovich, Stearns, Whitfield, Pitts, Terry, Gingrey, Scalise, 
and Barton (ex officio.)
    Present from Subcommittee on Communications, Technology and 
the Internet: Representatives Boucher, Barrow, Welch, Inslee, 
Upton, and Buyer.
    Staff present: Amy Levine, Subcommittee Counsel; Jen 
Berenholz, Deputy Clerk; Timothy Robinson, Subcommittee 
Counsel; Michele Ash, Chief Counsel; Greg Guice, Subcommittee 
Counsel; Pat Delgado, Chief of Staff (Waxman); Will Cusey, 
Special Assistant; Sarah Fisher, Special Assistant; Anna 
Laiton, Counsel; and Roger Sherman, Chief Counsel.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. Today is a joint hearing of the Subcommittees on 
Commerce, Trade, and Consumer Protection, and Communications, 
Technology, and the Internet. And I want to welcome all of you 
to this hearing. And I want to just give you some advance 
notice that in about 20 minutes, we will be called to the floor 
for a series of votes. Some have estimated to be--we are 
scheduled for about 27 votes on the floor, which is certainly 
going to extend the hearing, and so we ask that you be patient 
with us. We will try to conduct this hearing and try to be very 
mindful of your time, but our actions will be dictated by the 
House schedule and by the votes on the floor. Now I want to 
recognize myself for 5 minutes of opening statement. As I 
indicated, today, the two subcommittees, Commerce, Trade, and 
Consumer Protection, and Communications, Technology, and the 
Internet are combining our commitment to privacy and our 
resources to conduct an extremely important hearing on 
Behavioral Advertising: Industry Practices and Consumers' 
Expectations.
    And I just want to take a moment to thank Chairman Boucher 
for not only his cooperation and working together and teaming 
up on this particular issue, but I want to thank him also for 
his past championship and dedication to this very, very 
important issue. This is but one hearing along a continuum of 
legislative activity examining the domains of online and off-
line consumer privacy and how companies handle and treat 
consumers' personal information. Most recently, the 
Subcommittee on Commerce, Trade, and Consumer Protection, which 
I chair, marked up H.R. 2221, the Data Accountability and Trust 
Act, a bipartisan bill, which addresses the security of 
personal information, breaches of that security, and corrects 
some of the resulting harms to consumers. I am hopeful that 
there will be more hearings.
    There are currently no federal laws specifically governing 
behavioral advertising nor do we have a comprehensive general 
privacy law. As members of Congress, we have anticipated for 
some time that this hearing would be highly informative and 
very valuable in helping us answer the question that everyone 
seems to ask, is federal privacy legislation necessary, or 
should companies be trusted to discipline and regulate 
themselves? At this hearing, I look forward to hearing from our 
very distinguished panel of witnesses about this growing trend 
of online behavioral advertising. Market research firms have 
estimated that behaviorally targeted ad spending will reach 
$4.4 billion by the end of 2012. That number is eye-opening as 
it translates into almost 25 percent of all the online display 
ad spending that is projected to be spent by year-end 2012.
    As prevalent as these ads are becoming, so too are the buzz 
road, which are purportedly needed to flush out the appropriate 
contents of fair information principles and practices. Words 
and phrases such as transparency, choice, notice, consent, 
consumer expectations, opt-in and opt-out seemingly mean 
different things to different speakers depending upon an array 
of variables. Such variables may include the identity of the 
user, whether he or she has registered with the visited Web 
site, whether the ads are being served by first or third party 
sites, the sufficiency and conspicuousness of pre-existing 
privacy policies and disclosures, the robustness of user-
enabled settings for managing user privacy, and the list goes 
on and on and on and on.
    All of these variables are important to consider, but they 
can muddle the issue of whether legislation is needed. I will 
be listening intently to your accounts of how up front 
companies have been about the types of personal information 
that they are collecting from consumers, what they are doing 
with the information, and what choices and controls that 
consumers have over the subsequent use of that information. I 
want to thank all the witnesses for coming in this morning, for 
sharing with us, taking away from your busy schedule to provide 
input, much-needed input, into these matters that are before us 
today. And I want to thank all the subcommittee members and the 
staff for so diligently preparing us on this subcommittee for 
these hearings. And now I want to recognize for 5 minutes for 
the purposes of opening statement the ranking member, Mr. 
Radanovich. Mr. Radanovich is recognized for 5 minutes for 
opening statement.

 OPENING STATEMENT OF HON. GEORGE RADANOVICH, A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Radanovich. Thank you, Mr. Chairman, and I want to 
thank you and Chairman Boucher and my fellow ranking member, 
Mr. Upton, on these hearings today. I think it is a good issue 
that we need to be talking about. Privacy continues to be an 
issue of increasing concern to consumers, and I am pleased that 
we will be looking at all the relevant issues to determine what 
the problems are and what possible solutions exist. What was 
once thought to be an issue limited to business with whom 
consumers had a customer relationship has been forever altered 
by the Internet. Progression and innovation in computer and 
digital technology over the last 20 years has transformed many 
aspects of our lives, and by the same token that progress has 
opened the possibility of potential abuses and invasions into 
our lives.
    In the connected world of the Internet where data is 
instantaneously accessible to anybody in the world, we have 
learned how vast amounts of sensitive consumer data can be 
inadvertently disclosed or subject to more malicious and 
intentional theft. We also know the main reason consumers 
should be concerned about the amount of personal information 
out there on the worldwide web is that sensitive personal 
information can be used for harmful purposes, particularly 
identity theft. Thankfully, we are addressing some of those 
concerns with the data security and breach notification 
legislation moving through the committee right now. Our 
oversight into the data security issue opened our eyes to the 
types of sensitive personal information many institutions 
ranging from businesses to government maintain about us.
    While information kept about us may be for legitimate 
reasons that mandate data retention, for instance, for law 
enforcement purposes most consumers do not fully understand how 
information gathered about us will be used or with whom it will 
be shared. These concerns are legitimate. What is more, these 
concerns over keeping personal information private are 
exacerbated by digital technology and the capabilities of 
Internet technology. Information that filled rooms of file 
cabinets in a paper-based business can now be stored in devices 
that attach to a key ring and can be sent over the Internet in 
seconds, making information theft easy and often untraceable. 
The ability to instantaneously collect, analyze, and store 
consumers' online behavior for marketing purposes stretches 
this dynamic even further.
    The Internet quickly evolved beyond its original purpose as 
a communication tool to become a means of commerce, education, 
and social interaction. A generation has been raised on the 
Internet with the ability to find information relevant to their 
interests and communicate in ways that we could not imagine 
only 10 years ago, and most expect these services to be 
customized for their preferences. But many of these 
technologies and practices that deliver high levels of 
customization present new challenges and concerns for 
consumers, primarily understanding what the trade-off is for 
these services. Do we need to relinquish personal information 
about ourselves and our Internet for the purposes of generating 
more user-specific advertisements in exchange for access to the 
information we seek on the Internet, and, if so, who has our 
access to this information?
    The Internet has been a successful tool for commerce and 
has benefitted consumers with convenience, choice, and savings. 
Relevant advertisements based upon user interests will be more 
beneficial to the consumer and business, which in concept is no 
different than the manner in which marketing research 
determines which advertisements are selected to be placed in 
magazines, newspapers or on television based on the intended 
audience. However, in practice the Internet is different 
because of its ability to track preferences on a minute by 
minute basis. The question is how advertisers engage in the 
process of identifying their potential target audience. 
Specifically, what information is used to generate targeted 
advertisements? I have a son who I would do anything to 
protect, and although I cannot monitor him every waking moment 
and prohibit his ability to access the Internet, nor would I 
want to, like any parent I want to trust that he will be safe 
to surf online and interact with his friends without being 
unknowingly monitored or profiled.
    While my son is in a vulnerable demographic millions of 
Americans of all ages spend time surfing, posting, and shopping 
on the Internet. How their information is used and what control 
the individual has over the collection of their information is 
at the center of the debate of whether we need a federal 
privacy law, and, if so, how it should be structured and what 
activities it will address. In the case of my son, I am 
concerned with the information being gathered and how it is 
used. I am less concerned with who is conducting the behavioral 
profiling or what technology they are using. I thank the 
witnesses today, and I look forward to your testimony, 
particularly hearing more about what the industry is doing to 
address many of these concerns in and of itself. Mr. Chairman, 
I am ready to work with you and the stakeholders to address 
identified problems and ensure whatever solutions develop will 
equally apply to the behavior regardless of who engages in it. 
Thank you, Mr. Chairman.
    Mr. Rush. The chair thanks the gentleman. It is now my 
privilege and honor to recognize for 5 minutes for the purposes 
of opening statement the chairman of the Subcommittee on 
Communications, Technology, and the Internet, the gentleman 
from West Virginia, Chairman Boucher, for 5 minutes.

  OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

    Mr. Boucher. Well, thank you very much, Chairman Rush, and 
I want to begin this morning by saying thank you to you and to 
your very fine staff and to Mr. Radanovich from California, 
your ranking member, as well to Mr. Stearns and his staff for 
the excellent cooperation we have had among ourselves as the 
plans for this joint hearing of our two subcommittees have 
progressed. I very much look forward to our continued 
collaboration as we consider the need for legislation and 
discuss the principles that privacy protection legislation 
should embody. Broadband networks are a primary driver of the 
national economy and it is fundamentally in the nation's 
interest to encourage their expanded use.
    One clear way Congress can promote greater use of the 
Internet for access to information, for electronic commerce, 
and for entertainment is to assure that Internet users have a 
high degree of privacy protection, including transparency about 
information collection practices and uses, and control over the 
use of the information that is collected from those who use the 
Internet. I have previously announced my desire to work with 
Chairman Waxman, Chairman Rush, and ranking members Barton, 
Stearns, and Radanovich in order to develop legislation this 
year extending to Internet users the assurance that their 
online experience will be more secure. Such a measure would be 
a driver of greater levels of Internet uses, such as electronic 
commerce, not a hindrance to them.
    Today's discussion will examine behavioral advertising and 
ways to enhance consumer protection in association with it. I 
am a supporter and a beneficiary of targeted advertising. I 
would much prefer to receive Internet advertisements that are 
truly relevant to my particular interests. In fact, I have 
bought a significant number of items based upon targeted 
advertising delivered to me from web sites that I frequently 
visit. And so I have a deep appreciation of the value of 
targeted advertising from the consumer perspective. It is 
important to note also that online advertising supports much of 
the commercial content applications and services that are 
available to Internet users without charge, and I have no 
intention of doing anything that would disrupt that very 
successful, in fact, essential business model for Internet-
based companies.
    At the same time, I think consumers are entitled to some 
base line protections in the online space. Consumers should be 
given clear, concise information in an easy defined privacy 
policy about what information a web site collects about them, 
how that information is used, how long it is stored, how it is 
stored, what happens to it when it is no longer stored, and 
whether it is ever given or sold to third parties. Consumers 
should be able to opt out of first party use of the information 
and for its use by third parties or subsidiaries who are a part 
of the company's normal first party transactions or without 
whom the company could not provide its service. All that would 
fall within the ambit of opt out. Consumers should be able to 
opt in to use of their information by third parties for those 
parties' own marketing purposes.
    This arrangement should not prove to be burdensome. In 
fact, it is very much in line with the practices of many, if 
not most, of the reputable service providers today. I look 
forward to hearing from your witnesses about their reactions to 
this arrangement and how it can best balance Internet business 
models that depend on online advertising with adequate 
protection for consumers' privacy. For example, have I 
suggested a workable online opt in and opt out consent 
arrangement or are there additional situations in which opt out 
consent might sometimes be appropriate? What safeguards should 
be in place in order to ensure that consumers are giving 
meaningful consent to the sharing of their information both on 
and off the Internet? What role could self-regulatory 
organizations play in a statutory arrangement that ensures that 
all entities that collect information about Internet users 
abide by a basic set of consumer privacy standards.
    I also look forward to learning about emerging approaches 
to enhancing consumer choice and controlled over the use of 
information through efforts like the network advertising 
initiative and persistent opt out cookies. What benefits could 
these services offer to consumers? What is the best way to 
inform consumers about the availability of these services and 
again how should the consumers' meaningful consent be procured? 
I am also interested in hearing a purview of what the future of 
behavioral advertising may hold and what services it might 
enable and how to accommodate privacy concerns associated with 
those future services. I want to thank our witnesses for taking 
the time to join us here today. They represent a broad and 
diverse range of interest and are all deeply knowledgeable 
about these subjects. We very much look forward to hearing your 
testimony. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Boucher follows:]





    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the ranking member of the Subcommittee on 
Communications, the ranking member, Mr. Stearns, from Florida. 
He is recognized for 5 minutes for the purposes of opening 
statement.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Good morning, and, thank you, Mr. Chairman. I 
also want to echo Mr. Boucher's comment that we look forward to 
working together in a bipartisan fashion on a very important 
bill, and I want to thank the witnesses for coming this 
morning. I think for the most part you are going to educate us. 
You are the experts here, and we respect your opinions. We want 
to do no harm here. So I think when you look at the possibility 
of federal legislation dealing with privacy, we want to make 
sure that it is consumer centric. Consumers don't care if you 
are a search engine or a broadband provider. They just want the 
assurance that their privacy is protected. We must empower them 
to make these privacy decisions themselves. They feel, they 
know how much ought to be collected and what should not be 
collected. Congress cannot and should not make that decision 
for them, but it can play a role in making sure consumers have 
the information simply to make their own choices.
    That means companies should be as transparent as possible 
about what information they collect, and, of course, how they 
are using it. That way consumers will be better able to make 
informed privacy decisions. This transparency should include 
robust disclosure and notice outside the privacy policy. Notice 
and disclosure needs to be clear and conspicuous so the 
consumers know that. First, some information is being 
collected. Second, what is the information that is being 
collected? How is it being used? And, third, how to prevent 
this information being collected if they so desire. By giving 
the consumer more robust and transparent information, we can 
strike the proper balance between privacy protection and strong 
Internet commerce.
    Furthermore, my colleagues, I want to emphasize two 
principles that should play a prominent role in our examination 
of this issue. First, we should apply the same privacy standard 
to companies that are engaged in similar conduct with similar 
information, but we should avoid applying those same standards 
to entities that do not use the same types of information for 
the same purposes and do not have anywhere near the same volume 
of information about the perspective consumer. For example, 
search engines in the Internet advertising networks may use a 
consumer's visit to a particular web site to create profiles 
not directly related to the reason for the visit. Other 
entities, like web publishers, collect information only to 
provide the very service the consumer has come for. Our 
approach should recognize that.
    Second, any legislation in this area should hold various 
parties accountable only for that which they know and control. 
We should be wary of efforts to make any one party responsible 
for the actions of others. Consumers' online activities provide 
advertisers with valuable information upon which to market 
their products and their services. Collecting this type of 
information for targeted advertising is very important because 
it simply allows many of these products and services to remain 
free to consumers. Without this information, web sites would 
either have to cut back on their free information and services 
or would have to start charging a fee. Neither result is good 
for the consumers. Overreaching privacy regulation could have a 
significant economic negative impact at a time when many 
businesses in our economy are struggling, so let us be very 
careful on these issues before we leap to legislative 
regulatory proposals.
    When I was chairman of the Commerce, Consumer Protection, 
and Trade, I held a number of hearings on privacies. I worked 
with Chairman Boucher, and we developed a consumer privacy 
protection at which we dropped as a bill. This bill would have 
required data collectors to provide consumers with information 
on the entity collecting the information and the purposes for 
which the information was being collected. I believe it was, 
and still is, a good base bill to use as we move forward to 
develop a new privacy bill. Also, I would like to bring up an 
issue perhaps that many of us have thought about, and I don't 
want to bog down our discussion about it. Which agency will 
regulate and enforce privacy standards? Will it be the FCC or 
the Federal Trade Commission, a combination or possibly a new 
agency? I know this issue won't be solved this morning, but it 
is something we are going to have to work out and work through, 
and I look forward to doing this in a bipartisan fashion.
    And I would be interested, if possible, if some of the 
witnesses could give us their feelings about how the 
jurisdiction of this privacy bill would be best supervised 
with. So, Mr. Chairman, I would conclude by pointing out we 
have talked a little bit at previous hearings about deep pocket 
inspection. The point is that whether a company uses deep 
pocket inspection or reads your e-mail directly, this should be 
part of the privacy rules in some way. So I think our witnesses 
can also help us on that particular aspect, so I look forward 
to hearing and thank you for the opportunity to speak.
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentleman from Ohio, Mr. Space, for 2 minutes 
for the purposes of opening statement.

OPENING STATEMENT OF HON. ZACHARY T. SPACE, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF OHIO

    Mr. Space. Thank you, Chairman Rush and Chairman Boucher, 
Ranking Member Radanovich and Ranking Member Stearns for 
convening us today on the topic of behavioral advertising. I 
was struck when reviewing Professor Felten's testimony by a 
comment that he makes, ``Responsible ad services typically 
collect less information and track users less intensively than 
the technology would allow.'' To me, this means that just 
because we can doesn't mean that we should. I certainly 
understand the need for companies to advertise on their sites. 
Doing so is what enables our constituents to access free 
content, products, and services on line. They also understand 
the desire of ad companies to supply consumers with ads that 
are of more relevance to them. This is a better business model 
for the companies and potentially a service to consumers.
    However, I want to make clear that one bad apple could 
spoil the whole bunch here. The moment online consumers believe 
their personal information is at risk of corruption, misuse or 
theft will be the moment this approach we are discussing today 
will cease to work. I strongly believe it is in the interest of 
all parties to disclose to consumers their advertising 
practices and intent and to ensure that consumers' personal 
information is strictly guarded against security breaches and 
exploitation. I look forward to these conversations today and 
to working with my colleagues on this issue as we move forward. 
I yield back my time.
    Mr. Rush. The chair thanks the gentleman. It is now my 
pleasure and honor to recognize for 5 minutes for the purposes 
of opening statement the ranking member of the full Committee 
on Energy and Commerce, Mr. Barton, is recognized for 5 
minutes.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Mr. Chairman. As I look on the other 
side of the aisle, I am glad to see that none of the Democrats 
who played on the Democratic baseball team are actually in the 
room, so I can congratulate them in their absence and I won't 
have to do it face to face when I see them on the floor. But 
last night Mike Doyle, who is the manager of the team, Bart 
Stupak, who is on this committee, played an amazing game. It 
wasn't their usual Democratic bumbling error game. They 
actually played very well as a team, and as a result they beat 
the stalwart Republicans 15-10. John Shimkus, who is our 
starting pitcher, played an excellent game, and we had a number 
of Energy and Commerce Republicans, Mr. Gingrey, Dr. Gingrey, 
who is here, walked at a key time and later scored.
    Mr. Scalise, who is here, played second base some and also 
did some base running and scored. Mr. Pitts, who came out and 
watched the game, and luckily didn't try to play although we 
could have used his bombing skills from the Vietnam War. So, 
anyway, we raised quite a bit of money for charity and had a 
good time. When you all see Mike Doyle and you see that he is 
grinning from ear to ear just congratulate him and tell him to 
take pity on the downtrodden Republicans who didn't quite have 
the stuff last night.
    On this hearing, Mr. Chairman, I do want to thank you, 
thank Mr. Boucher, Mr. Stearns, Mr. Radanovich for working in a 
bipartisan fashion to protect the privacy and security of every 
American's personal information. I am glad that we are working 
on this in a bipartisan way. I especially appreciate Chairman 
Rush's agreement to act on the Republicans' data security bill. 
That bill has implications for the broader privacy discussion, 
and I hope that that bill will move forward in the full 
committee. Along with Congressman Markey, I co-chair the 
Congressional Privacy Caucus, so I am glad that we are working 
on these issues in a bipartisan way. I, myself, every few days 
hit the delete button and clean out all the various cookies on 
the computer and at my home. It is amazing to me how many of 
those accumulate and most of the time without absolutely any 
knowledge of myself or anybody else for that matter that they 
are being put on our computer.
    I think it is a big deal if somebody tracks where you go 
and what you look at without your personal approval. We 
wouldn't like that in the non-Internet world, and I personally 
don't like it in the Internet world. The information about 
myself is mine. Unless I choose to share it, I would just as 
soon that it stay my information only. I think that I have the 
right to know what information people are gathering about me 
and the right to know what they are doing with it. It is 
obvious that the public agrees with the statement that I just 
made because poll after poll shows that they think that their 
information and their right to privacy is just as important on 
the Internet as it is in the non-Internet world. When I open an 
e-mail for the new Dallas Cowboy Stadium that is in my 
congressional district, I don't expect to begin receiving 
unsolicited ads for airlines tickets to the Dallas-Fort Worth 
area or hotels, also in my district in Arlington, Texas.
    It is obvious that people track what I do and where I go, 
and try to take advantage of that. Fortunately, technology has 
come quite a ways in protecting the individuals. We started 
looking at the spyware problem back in the 107th Congress, and 
thanks to the work among others Congresswoman Mary Bono Mack, 
Ed Towns, Chairman Dingell, those spyware infections are not 
near the problems that they used to be. However, today 
companies continue to gather, maintain, and use data through a 
variety of technological methods. Some of those companies such 
as Verizon and Comcast are large companies. They are regulated 
in some parts of their business model, and I think they are 
trying to act appropriately. There are other companies, so-
called ISP locators, that I personally don't even know their 
name. Then you have the in-between companies, the so-called 
edge companies like Yahoo! and Google. Put together, it still 
is a little bit of a wild west out there, and I think it is 
time that Congress begin to look at and try to bring some law 
and order to that particular wild west area.
    I see that my time has expired, Mr. Chairman, so I will 
submit the rest of the statement for the record. Suffice it to 
say that I am glad that you and Congressman Boucher are working 
with the Republicans and taking a serious look at this. I also 
want to commend the private sector that is here today. It is my 
understanding that you are working together to come up with 
some voluntary rules, and it is always preferable in my opinion 
to do it through a voluntary market-based approach as opposed 
to a mandatory regulatory approach. So in any event again thank 
you, Mr. Chairman, and once again congratulations to the 
Democrats for winning the baseball game last night. I yield 
back.
    [The prepared statement of Mr. Barton follows:]





    Mr. Rush. The chair thanks the ranking member. It is now my 
honor to recognize the gentle lady from California for 2 
minutes for the purpose of opening statement, Ms. Matsui.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you, Mr. Chairman. I want to thank you 
and Chairman Rush for calling today's joint hearing and applaud 
both your leadership in addressing this important issue. I 
would also like to thank our panelists for being here with us 
this morning. Today, we are here to examine the practices and 
consumer protections from a growing online advertisement 
practice known as behavioral advertising. As broadband access 
continues to expand across the country, more and more Americans 
rely on the Internet for news information, online videos, and 
to purchase goods and services. Americans need to have trust 
and confidence that their personal information are properly 
protected. Privacy policies and disclosures should be clear and 
transparent so consumers can choose what information they want 
to view and receive on the Internet instead of inappropriate 
collection and misuse of their information.
    Consumers should also understand the scope of the 
information that is being collected, what it is being used for, 
the length of time it is being retained, and its security. The 
more information that consumers have, the better. Moving 
forward, we must assure that Americans are comfortable with 
using the Internet and know with confidence that meaningful 
privacy safeguards are in place or ensuring that we don't 
stifle innovation. I thank both of you, Mr. Chairman, for 
holding this important hearing today, and I yield back the 
balance of my time.
    Mr. Rush. The chair thanks the gentlelady. Now the chair 
recognizes the gentleman from Kentucky, Mr. Whitfield, for 5 
minutes for the purpose of opening--let me correct that. The 
chair recognizes the gentleman from Michigan.
    Mr. Upton. I thank my friend, and I will not take my 2 
minutes. We have great attendance. We will see what the 
attendance is after lunch when we return after these votes. I 
would like to associate myself with Mr. Barton's remarks. The 
information is yours. When you make a phone call, no matter who 
it is, you don't expect AT&T or Verizon to share the 
information with somebody else. You can imagine if you ordered 
a pizza on the phone and all of a sudden you get different 
pizza companies coming in knowing that you are going to be 
subscribing to that. That information is personal. It shouldn't 
be shared unless that individual allows and knows that it is 
going to be shared. It needs to be protected. It is nobody's 
business. You don't expect to have someone follow you in your 
car when you go make an errand whether it be to a dry cleaner 
or wherever you might go and expect some competitor then to 
perhaps get the information to trace you back. So this is a 
great hearing, and I look forward to it and I yield back the 
balance of my time.
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentleman from Georgia, Mr. Barrow, for 2 
minutes for the purpose of opening statement.
    Mr. Barrow. I thank the chairman. I am going to waive 
opening but I want to thank the ranking member for his kind 
words of congratulations. In solidarity with Mr. Pitts, I want 
to remind the ranking member that those of us who sit in the 
stands and cheer also serve. Thank you very much.
    Mr. Rush. The chair now recognizes the gentleman from 
Kentucky, Mr. Whitfield, for 5 minutes.
    Mr. Whitfield. Thank you, Mr. Chairman. We certainly 
appreciate all these witnesses being here today as we explore 
this very important subject. As online communities use an array 
of sophisticated and ever evolving data collection and 
profiling applications, it is important that we focus on 
protecting privacy. Today, I think we will be hearing about 
privacy policies at various companies, the data retention that 
they do, and as we proceed and think about legislation, it is 
imperative that we use a balanced approach and proceed with 
caution. And I think if we do have any legislation it certainly 
should apply equally to all entities throughout the Internet 
ecosystem, and I will yield back the balance of my time.
    Mr. Rush. The chair now recognizes the gentleman from Ohio, 
Mr. Pitts from Pennsylvania, Mr. Pitts, recognized for 2 
minutes.
    Mr. Pitts. Thank you, Mr. Chairman. I worked real hard on 
an opening statement, but I think I will submit it for the 
record. Just let me say I believe that consumer privacy rights 
should be carefully guarded. I am also encouraged by private 
industry's recent steps to further protect consumers. It is my 
hope that if legislative action is taken that we will do so in 
a careful manner striking a delicate balance between the 
necessary steps we must take to protect consumers, and the 
ability for industry to continue to be successful. So with 
that, I will submit the rest for the record and yield back.
    [The prepared statement of Mr. Pitts follows:]





    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentleman from Georgia, Dr. Gingrey, for 2 
minutes for the purpose of opening statement.

  OPENING STATEMENT OF HON. PHIL GINGREY, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF GEORGIA

    Mr. Gingrey. Chairman Rush and Chairman Boucher, Ranking 
Member Radanovich and Stearns, I want to thank you for calling 
this hearing today on the emerging use of behavioral or 
interest-based advertising online. This type of advertising 
only represents a small portion of all online ads. By 2012 this 
type of advertising is estimated to reach $4.4 billion in 
revenue. Therefore, it is important for these subcommittees to 
take a further look at this industry in order that we ensure 
the online privacy of consumers. When hearing testimony from 
this panel today, I believe that it will be important that we 
focus on three components of any potential regulation that 
these subcommittees propose. First, it is important to 
distinguish what it is that we are going to be regulating.
    Currently, most interest-based advertising is conducted 
through the use of web browser cookies. These encoded text 
files help indicate a user's online activity, thereby enabling 
advertisers to customize ads based on a series of preferences. 
However, as we have seen in the IT industry, particularly over 
this last decade, technology moves very quickly and if we are 
to propose regulations for this industry then we must make the 
determination of exactly how and what we are going to regulate.
    Mr. Chairman, we must also examine which federal agency 
would be best suited to coordinate any potential regulation. 
Both the Federal Communications Commission, FCC, and the 
Federal Trade Commission have jurisdiction over elements of 
behavioral advertising. Therefore, for the sake of consumers if 
regulations are necessary, we must coordinate the efforts and 
responsibilities of these two governmental entities, thereby 
allowing for industry growth while at the same time 
safeguarding an individual's private information. Lastly, Mr. 
Chairman, we would also have to determine whom we would be 
regulating. Would it be the Internet service provider or the 
advertisers or the web interfacing companies represented here 
today?
    Accordingly, I think it will be important that as we move 
forward, we diligently take the time to hear from ISP companies 
and advertisers as a way to give us different perspective on 
this important issue that will continue to be crucial to the 
further development of online activity. Mr. Chairman, the heart 
of this hearing is the American consumer so our focus must be 
their overall protection. I look forward to hearing from the 
panel, and I yield back the balance of my time.
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentleman from Louisiana, Mr. Scalise, for 2 
minutes for the purposes of opening statements.

 OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF LOUISIANA

    Mr. Scalise. Thank you, Mr. Chairman. I want to thank you 
and the ranking members of the subcommittees for having this 
hearing on behavioral advertising. I am pleased that both 
subcommittees are examining this issue as well as the greater 
issue of data privacy. I know that Congress and this committee 
have held hearings on data privacy in the past, but as we know 
technology continues to advance and develop in ways that 
provide tremendous benefits to consumers. But these 
advancements and benefits can expose consumers to certain 
risks. Therefore, we must continue to examine ways to ensure 
consumers don't have their personal information compromised. 
The technology industry is one of the most advanced and 
competitive industries in our country. It is also one of the 
most beneficial, both for consumers and for our economy.
    We are able to share information, exchange ideas, and 
conduct commerce in ways that were never imagined just a few 
decades ago. The industry also provides millions of good high-
paying jobs for people all across this country. One thing that 
I think must be pointed out is that the industry has evolved 
and grown on its own with little regulation from the federal 
government. Some would say that the government's failure to 
regulate this industry is one of the reasons it has grown and 
provided so many good jobs. Yes, there have been bad actors in 
the industry, and there are issues we must address in 
protecting consumers' personal information, but I would hope we 
would proceed with caution when stepping in or when drafting 
legislation in this area. I hope the focus of today's hearing 
is how we can protect consumers and their personal information 
and what steps the industry will take to do that.
    I hope today's hearing does not focus on how the government 
can improve the industry. As we continue to delve into this 
issue today and future hearings, we should focus on the 
consumer and what will offer consumers the greatest 
transparency into the online practices and give them meaningful 
control over their personal information. For this reason, I 
believe that self-regulation is sufficient and if privacy 
regulatory requirements are needed, they should be consistent 
across the industry and not be greater for one technology 
compared to another. Everyone involved in online advertising, 
ISPs, search engines, advertising networks, web site publishers 
and others, should all be subject to the same requirements, and 
Congress should not try to pick winners and losers. After all, 
consumers are not always aware that their Internet activities 
are being tracked.
    They care about what information is collected and what it 
is used for. They want to know if this is going on and, if so, 
they should be able to opt out if they so choose and be assured 
that a breach of their personal information will not occur. I 
look forward to the hearing and the comments from our panelists 
today, particularly on self-regulation and what changes they 
will make to ensure protection of personal information and what 
changes they plan on making moving forward. It is important 
that these committees and subcommittees understand their 
positions and activities as well as all the implications of 
these new advertising practices. Thank you, and I yield back.
    Mr. Rush. The chair thanks the gentleman. As I indicated 
earlier, there is a vote occurring on the House floor. It is a 
series of votes, and so we will recess the committee until the 
completion of those votes, and we will reconvene 15 minutes 
after the completion of those votes. The committee now stands 
in recess.
    [Recess.]
    Mr. Rush. The committee will reconvene. I certainly want to 
thank each and every one of you for your patience. I want to 
also apologize for the time that you have been forced to spend 
here. This has been an abnormal day with a lot of abnormal 
activities, and I might add it has been a record-breaking day. 
According to some, we have had at least 54 consecutive votes 
one after another and this never happened before that we know. 
So it is not something we are proud of, but it has been that 
kind of a day. We are going to proceed right to our witnesses.
    Starting on my left, to the right we will proceed with 
introducing our witnesses. Mr. Jeffrey Chester is the Executive 
Director for the Center for Digital Democracy--let me start 
over again. Mr. Edward W. Felten is Professor of Computer 
Science at Princeton University. Next to Mr. Felten is Ms. Anne 
Toth. She is the vice president of Policy, Head of Privacy for 
Yahoo. Ms. Nicole Wong is the Deputy General Counsel 
responsible for privacy for Google. Mr. Christopher M. Kelly is 
Chief Privacy Officer at Facebook. Mr. Jeffrey Chester is 
Executive Director for the Center for Digital Democracy. Mr. 
Charles D. Curran is the Executive Director of Network 
Advertising Initiative. And Mr. Scott Cleland is the President 
of Precursor LLC. Again, we want to thank the witnesses for 
their patience and for their appearance before the 
subcommittee. It is the practice of this subcommittee now that 
we will swear in all the witnesses, so would you please stand 
and raise your right hand?
    [Witnesses sworn.]
    Mr. Rush. Let the record reflect that all the witnesses 
have responded in the affirmative. Now we will ask the 
witnesses to enter into opening statements. And, Mr. Felten, 
you are recognized for 5 minutes or thereabouts. So please pull 
the mike in front of you, turn it on, and let it rip. Thank 
you.

TESTIMONY OF EDWARD W. FELTEN, DIRECTOR, CENTER FOR INFORMATION 
   TECHNOLOGY POLICY, PRINCETON UNIVERSITY; ANNE TOTH, VICE 
  PRESIDENT OF POLICY, HEAD OF PRIVACY, YAHOO!, INC.; NICOLE 
   WANG, DEPUTY GENERAL COUNSEL, GOOGLE INC.; CHRISTOPHER M. 
   KELLY, CHIEF PRIVACY OFFICER, FACEBOOK; JEFFREY CHESTER, 
 EXECUTIVE DIRECTOR, CENTER FOR DIGITAL DEMOCRACY; CHARLES D. 
CURRAN, EXECUTIVE DIRECTOR, NETWORK ADVERTISING INITIATIVE; AND 
            SCOTT CLELAND, PRESIDENT, PRECURSOR LLC

                 TESTIMONY OF EDWARD W. FELTEN

    Mr. Felten. Thank you, Chairman Rush, Chairman Boucher, for 
the opportunity to testify today. My name is Edward Felten. I 
am a Professor of Computer Science and Public Affairs at 
Princeton University. I am here as a technologist. I am a 
computer science professor and I would like to explain some of 
the technology behind behavioral advertising. The most serious 
privacy concerns are raised not by the presence of advertising 
but by the gathering of information about users that can be 
used either to target ads or for other purposes. I would like 
to describe what technology makes possible. Responsible ad 
services do not do everything that is possible, and I don't 
mean to imply otherwise. Others on the panel can describe what 
their own systems do do.
    To explain what this technology allows, I would like to 
walk through a scenario illustrated by the diagram on the last 
page of my written testimony. And if I could have the display, 
please, of the Power Point. What I would like to describe, Mr. 
Chairman, is a scenario involving behavioral advertising. In 
the beginning of the scenario, I go to a weather site, and I 
look up Thursday's forecast for Washington. The weather site 
sends me a page with the forecast information and a hole where 
the ad should be. And along with that page it sends my computer 
a command telling it how to find the ad. Following these 
instructions, my web browser connects to an ad service shown 
here at the bottom and asks for an ad.
    Along with this request, information is sent to the ad 
service about me, the fact that I am looking up Thursday's 
forecast for Washington and the fact that I normally look up 
the forecast in Princeton, New Jersey. The ad service remembers 
this information. The ad service sends an ad, which is inserted 
into the page. The service also sends an ad in this case 
related to travel to Washington because I looked up the 
Washington, D.C. forecast. The service also sends along its so-
called cookie which contains a small, unique code which in this 
example in the diagram is 7592, and my computer stores this 
cookie. Later, I visit a social network page which also 
contains an ad. Again, the page has a blank space for the ad 
and my computer contacts the ad service to get an ad.
    My computer automatically sends along the cookie that the 
service provided earlier. This request for an ad carries more 
information about me. It says that I am interested in baseball 
and jazz, which the social network site knows, and that my name 
is Edward Felten. The ad service recognizes that the cookie is 
the same as before so it knows that I am the same person who 
looked up D.C. weather earlier and it adds the new information 
to its profile of me. The service sends back an ad. This time 
it is an ad for Washington Nationals tickets because I looked 
up Washington weather earlier, and I am interested in baseball.
    Notice that the ad service is connecting the dots between 
things that I did on different sites between something I did on 
the weather site and something I did on the social network 
site. This allows it to better target ads and also to build up 
a more extensive profile about me. Next, I go to a book store 
and look up books about travel in Hawaii. The book store site 
sends this information to the ad service along with another ad 
request. Again, the cookie allows the ad service to link 
together my book store activities with my earlier activities on 
other sites. The ad service sends back an ad for jazz CDs 
because it knows I like jazz because the social network site 
told it. By this point, the ad service knows enough to identify 
me. It knows I live in Princeton and it knows that my name is 
Edward Felten. The ad service buys access to a third party 
commercial database using what it knows about my identity to 
get more information about me.
    In this example, the ad service gets my credit report in by 
insurance history, which it adds to my profile along with the 
other information it had. And, finally, I go to a news site 
that uses the same ad service. My computer again requests an 
ad. The ad service in this case sends an ad for budget Hawaiian 
vacations. It knows that I am interested in visiting Hawaii 
because I looked at Hawaii books at the bookstore, and it knows 
I am interested in a low cost trip because it has my credit 
report. The news site sends information about what I was 
reading. In this example, I was reading about cancer 
treatments. This information is added to my profile as well.
    In this scenario, the ad service got information in three 
ways. First, content providers sent along information about 
what I was doing on their sites and what I had done in the 
past. Second, the ad service connected the dots to link my 
activities across different sites at different times. And, 
third, the ad service accessed third party commercial 
databases. All of this information ended up in my profile. The 
result was well-targeted ads but also the creation of an 
electronic profile of me containing sensitive information which 
could in principle be resold or reused for other purposes. Now 
ad services are not the only parties who can assemble such 
profiles but large ad services do have a prime opportunity to 
build profiles due to their relationships with many content 
providers who can pass along information about users, and due 
to the ad service's ability to connect the dots by linking 
together a user's activities across different web sites.
    All of this is possible as a technical matter which is not 
to say that responsible ad services do all of it or even most 
of it. Ad services may be restrained by law, by self-regulation 
or by market pressures. What is clear is the technology by 
itself cannot protect users from broad gathering and use of 
information.
    Mr. Rush. Mr. Felten, I am embarrassed to say this, but 
would you please bring your statement to a close? You have 
extended your time.
    Mr. Felten. Thank you, Mr. Chairman. I was just wrapping 
up. I just wanted to thank the committee for holding this 
hearing and for giving me the opportunity to testify. Thank 
you.
    [The prepared statement of Mr. Felten follows:]





    Mr. Rush. Thank you so very much. Ms. Toth, you are 
recognized for 5 minutes for the purpose of opening statement.

                     TESTIMONY OF ANNE TOTH

    Ms. Toth. Chairman Boucher and Rush, Ranking Member Stearns 
and Radanovich, members of the subcommittees, I appreciate the 
opportunity to appear before you today at this important 
hearing. My name is Anne Toth, and I am Yahoo!'s Vice President 
of Policy and Head of Privacy. I joined the company over 11 
years ago and became one of the very first dedicated privacy 
professionals at any online company. Quite simply, my job is 
about making sure Yahoo! earns and maintains its users' trust 
each and every day. Yahoo! was founded by Jerry Yang and David 
Filo, who were trying to help people find information that was 
useful and relevant to them among the clutter of the early 
World Wide Web. What began as a directory of popular web sites 
quickly grew into a globally recognized brand that provides a 
wide range of innovative and useful products and services to 
500 million users worldwide.
    The Internet has changed a great deal, and this hearing 
recognizes its importance in our global economy. Gone are the 
days of one size fits all Internet content. Our consumers 
expect not only that Yahoo! will meet their needs, but that we 
will anticipate those needs as well. The same is true for 
advertising. Consumers are more likely to click on advertising 
that speaks directly to them and their interests. For example, 
Yahoo! might deliver ads featuring hybrid cars if the users 
spend a great deal of time on Yahoo! Green or has recently 
browsed car reviews on Yahoo! Autos. Put simply, customized 
advertising helps consumers save time and energy. As you may 
know, Yahoo! offers our industry leading products and services 
larger for free.
    Our business also depends almost entirely on the trust of 
our users. It has been paramount to our growth and is critical 
for our future success. Our approach to privacy couples front 
end transparency, meaningful choice, and user education with 
back end protections for data that limit how much information 
and how long personal identifiers are maintained. Let us start 
by talking about transparency. Our leading edge privacy center, 
which you can see on the slide that is being projected, 
provides easy navigation, information on special topics, and 
gives prominence to our opt-out page, and actually if we could 
move to the next slide, making it simple for users to find and 
exercise their privacy choices. We have also experimented with 
a number of ways to provide notice and transparency outside of 
standard privacy policies giving users multiple privacy touch 
points.
    We must also put control in the hands of our users. We have 
an opt-out that now applies to interest-based advertising both 
on and off the Yahoo! network of web sites. Whether a user 
touches us as a first party publisher or as a third party ad 
network, we want them to have a choice. We also didn't want 
users to have to redo their opt-outs again and again and took 
the further step of making our opt-out persistent for users who 
registered for a Yahoo! account. This means that these users 
who clear their cookies will not inadvertently clear their 
privacy choices at the same time. The final aspect of the front 
end of privacy protection is user education. For over a year, 
Yahoo! has displayed on average 200 million ads per month that 
explain our approach to privacy. All of these front end steps 
are complemented by back end protections.
    We focus on security and data retention as core aspects of 
protecting back end privacy. We recently announced the 
industry's leading data retention policy. Under this policy, we 
will retain the vast majority of our web log data in 
identifiable form for only 90 days. This dramatically reduces 
the period of time we will hold log file data in identifiable 
form and vastly increases the scope of data covered by the 
policy. The limited exceptions for this policy are explained 
more fully in my written testimony. We believe that our front 
end, back end approach to privacy builds a circle of trust with 
users, providing transparency, meaningful choice, and extensive 
education coupled with strong security and minimum data 
retention.
    Much attention has been recently paid to the question of 
whether an opt-out or an opt-in approach to user control in the 
area of interest-based advertising is best. The answer is both. 
The decision about whether to ask for opt-in consent or give 
users the opportunity to opt out depends on the individual 
services being provided and the information being collected. 
Most advances in online privacy protection have come as a 
result of industry initiative and self-regulation. Market 
forces drive companies like Yahoo! to bring privacy innovations 
to customers quickly. As one company leads, many others follow 
or leap frog by innovating in new ways. So as Congress 
considers its role in helping protect consumer privacy online, 
Yahoo! hopes that legislators will consider an approach that 
enables providers to keep pace not only with technological 
advances but with customer demands and expectations as well.
    I am very proud of Yahoo!'s record of trust and commitment 
to privacy, and the industry's history of responsible self-
regulation. I look forward to sharing our experience with you 
in more depth and am happy to answer your questions. Thank you.
    [The prepared statement of Ms. Toth follows:]





    Mr. Rush. Thank you, Ms. Toth. Now the chair recognizes Ms. 
Wong. Ms. Wong, you have 5 minutes or thereabouts.

                    TESTIMONY OF NICOLE WONG

    Ms. Wong. Chairmen Rush and Boucher, Ranking Members 
Radanovich and Stearns, and members of the committee, I am 
pleased to appear before you this evening to discuss online 
advertising and the ways that Google protects our users' 
privacy. Online advertising is critically important to our 
economy. It promotes freer, more robust and more diverse 
speech, and enables many thousands of small businesses to 
connect with consumers across the nation and around the world. 
It helps support the hundreds of thousands of blogs, online 
newspapers, and other web publications that we read every day. 
Over the last decade, the industry had struggled with the 
challenges of providing behavioral advertising. On the one 
hand, well-tailored ads benefit consumers, advertisers, and 
publishers alike. On the other hand, we recognize the need to 
deliver relevant ads while respecting users' privacy.
    In March, Google entered the space and announced our 
release of interest-based advertising for our AdSense partner 
sites and for YouTube. Interest-based advertising uses 
information about the web pages people visit to make the online 
ads they see more relevant and relevant advertising has fueled 
much of the content, products, and services available on the 
Internet today. As Google prepared to rule out interest-based 
advertising, we talked to many users, privacy and consumer 
advocates and government experts. Those conversations led us to 
realize that we needed to solve 3 important issues in order to 
provide consumers with greater transparency and choice, which 
are core design principles at Google.
    First, who served the ad? Second, what information is being 
collected and how is it being used? And, finally, how can 
consumers be given more control over how their information is 
used? This evening I would like to show you how we answered 
each of those questions with the launch of interest-based 
advertising, which includes innovative, consumer-friendly 
features to provide meaningful transparency and choice for our 
users. When you see an online ad today you generally don't know 
much about that ad. It is difficult to tell who provided the ad 
and how your information is being collected and used. Google is 
trying to solve this problem by providing a link to more 
information right in the ad, as you can see, where it is 
labeled Ads By Google. This is very different from current 
industry practices, but we believe that it is important to 
provide users with more information about the ad right at the 
point of interaction.
    We believe that this is a significant innovation that 
empowers consumers and we think that this is the direction that 
many in the industry are going. If you are curious about 
getting information about the ad, you can click on the Google 
link and navigate to an information page about Google ads, 
which you can see here. On this page, you are invited to visit 
our ads preference manager, which helps explain in plain 
language user friendly format what information is being 
collected, how it is being used, and how you can exercise 
choice and get more information about how this advertising 
product works. Here is the ads preference manager. This 
innovative tool allows you to see what interests are associated 
with an advertising cookie, the double click cookie, that is 
set in the browser you are using.
    In this case, Google has inferred that my cookie should be 
associated with hybrid cars, movie rentals and sales, and real 
estate. This is because I visited sites using the browser about 
hybrids, movies, and real estate. Before Google introduced the 
ads preference manager, most users had no idea what interests 
were being associated with their cookies online by advertising 
companies. We are the first major company to introduce this 
kind of transparency. Now you can see those interests, and if 
you don't agree with those interests, maybe you are not a movie 
fan or you simply don't want to see ads about movies, you can 
delete any one of them or a few or as many as you want. So, for 
example, if you want to delete movie rentals and sales, you can 
do that with one click, and I have just done that.
    Likewise, you can add any interests you like. Note that 
Google does not use sensitive categories so there is nothing in 
here about sexual orientation, religious affiliation, health 
status or the like, but there are many, many other options. For 
example, if you are a sports fan you can associate your cookie 
with sports, and with a click I have decided that I would like 
to receive ads personalized for sports fans. If you prefer not 
to see interest-based ads from Google, you can opt out at any 
time with one click. After you opt out, Google won't collect 
information for interest-based advertising and you won't 
receive interest-based ads from us. You will still see ads, but 
they may not be as relevant. The opt-out is achieved by 
attaching an opt out cookie to your browser. Opt out cookies in 
the industry, however, have traditionally not been persistent. 
That is, they are often inadvertently deleted from the browser 
when a user deletes her cookies.
    So our engineers have developed a tool that was not 
previously available that makes Google's opt out cookie 
permanent even when users clear other cookies from their 
browsers. After you opt out, just click the download button and 
follow the instructions to install a browser plug-in that saves 
your opt out settings even when you clear your cookies. I hope 
this gives you a better idea how Google shows interest-based 
ads and how we provide users with transparency in the right 
place at the right time, as well as meaningful, granular, and 
user-friendly traces for setting ad preferences or opting out. 
Thank you very much for your time.
    [The prepared statement of Ms. Wong follows:]





    Mr. Rush. Next, we welcome Mr. Kelly. Mr. Kelly, you are 
recognized for 5 minutes.

               TESTIMONY OF CHRISTOPHER M. KELLY

    Mr. Kelly. Thank you very much. Chairman Rush and Boucher, 
and Ranking Members Radanovich and Stearns, and members of the 
subcommittees, thank you for this opportunity to address 
important privacy matters on the Internet. We agree with you 
that protecting privacy is critical to the future growth of the 
Internet economy. Facebook now serves more than 200 million 
active users worldwide, roughly 70 million of whom are in the 
United States. We are a technology company that gives people 
the power to share their lives and experiences in an authentic 
and trusted environment making the world more open and 
connected. Facebook's privacy settings give users control over 
how they share their information allowing them to choose the 
friends they accept, the affiliations they choose, and how 
their information is shared with their friends, and, if they 
desire, the world at large.
    Today, I would like to make four key points. First, 
Facebook's user centric approach to privacy is unique, 
innovative, and empowers consumers. Our privacy centric 
principles are at the core of our advertising model. Second, in 
offering its free service to users, Facebook is dedicated to 
developing advertising that is relevant and personal without 
invading users' privacy, and to give users more control over 
how their personal information is used in the online 
advertising environment. Third, we primarily achieve these 
objectives by giving users control over how they share their 
personal information that model real world information sharing 
and providing them transparency about how we use their 
information in advertising.
    Fourth, the Federal Trade Commission's behavioral 
advertising principles recognize the important distinctions 
made by Facebook in its ad targeting between the use of 
aggregate, non-personally identifiable information that is not 
shared or sold to third parties versus other sites and 
companies' surreptitious harvesting, sharing, and sale of 
personally identifiable information to third party companies. 
Facebook understands that few of us want to be hermits sharing 
no information with anyone, nor do many of us want to share 
everything with everyone, though some do want that. Most people 
seek to share information with friends, their family, and 
others that they share a social context with on a regular basis 
seeking to control who gets our information and how they have 
access to it. People come to Facebook to share information. We 
give them the technological tools to manage that sharing.
    Contrary to some popular misconceptions, full information 
on Facebook users isn't even available to most users on 
Facebook let alone all users of the Internet. If someone is 
searching for new friends on Facebook all that you might see 
about other users who are not yet her friends would be the 
limited information that those users have decided to make 
available. Most of our users choose to limit what profile 
information is available to non-friends. They have extensive 
and precise controls available to choose who sees what among 
their networks and friends as well as tools that give them the 
choice to make a limited set of information available to search 
engines and other outside entities.
    We are constantly refining these tools to allow users to 
make informed choices. Every day use of the site educates users 
as to the power they have over how they share their information 
and user feedback informs everything that we do. Facebook is 
transparent with our users about the fact that we are an 
advertising-based business and we explained to them fully the 
uses of their personal data that they are authorizing by 
interacting with Facebook either on facebook.com or on the over 
10,000 Facebook connect sites throughout the web. Ads targeted 
to user preferences and demographics have always been part of 
the advertising industry. The critical distinction that we 
embrace in our advertising policies and practices and that we 
want this committee to understand is between the use of 
personal information for advertisements in personally 
identifiable form, and the use, dissemination or sharing of 
information with advertisers in non-personally identifiable 
form.
    Users should choose what information they share with 
advertisers. This is a distinction that few companies make and 
Facebook does it because we believe it protects user privacy. 
Ad targeting that shares or sells personal information to 
advertisers in name, e-mail or other contact information 
without user control is materially different from targeting 
that only gives advertisers the ability to present their ads 
based on aggregate data. So to take in Dr. Felten's example, if 
you were to navigate to the social networking site, in his 
example if it were Facebook we would not be sharing with the ad 
provider that he was Edward Felten or that he likes jazz.
    So on Facebook a feed is established where people know what 
they are uploading and receive timely reactions from their 
friends. The privacy policy and users' experience inform them 
about how advertising on the surface works. Advertising that 
enables us to provide the service for free to users is targeted 
to the expressed attributes of a profile and presented on the 
space on the page allocated for advertising without granting an 
advertiser access to any individual user's profile. Unless a 
user decides otherwise by directly and voluntarily sharing 
information with an advertiser, advertisers can only target 
Facebook advertisements against non-personally identifiable 
attributes of a user derived from profile data. Facebook builds 
and supports products founded on the principles of transparency 
and user control, and we thank you very much for the 
opportunity to present our philosophy on online advertising 
before this committee.
    [The prepared statement of Mr. Kelly follows:]





    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes Mr. Chester for 5 minutes.

                  TESTIMONY OF JEFFREY CHESTER

    Mr. Chester. I want to thank the chairs and ranking members 
and the members of the committee for their interest in privacy 
for holding this hearing and to support their efforts to, I 
think, help Americans get a fair digital data deal and that is 
what they deserve. Just very quickly before I make 4 points, I 
submitted my testimony in writing. It tries to lay out for the 
committee the broad parameters of the interactive advertising 
system as we know it in the United States, all the various 
elements that now are shaping this very powerful system so you 
can look at that if you want more information. I have been 
working on these issues for 15 years looking at online 
advertising, online marketing, digital communications. I last 
worked closely with the Commerce Committee back in 1998 when we 
led the campaign that established with your legislation the 
Children's Online Privacy Protection Act. Right now, that is 
the only online privacy law. It was a bipartisan effort. And 
what we did for kids, we now need to do for teens and adults.
    Imagine the world, and this is the world that we have 
created and you have already spoken about it, both the chair 
spoke about it, Mr. Barton spoke about it, others have spoke 
about it. Imagine a world where every move, you are being 
watched, whatever contents you read, what you buy, how much you 
are willing to spend, and how much you are not willing to 
spend, where you go, what you like, what you don't like, all 
that being compiled. Outside databases being used to even build 
up this even larger profile of who you are. You include your 
race, whether you are a low income or middle class. They call 
it on the online ad industry digital fingerprints or user DNA 
but this very powerful system that is invisible and 
unaccountable to the average American is constantly collecting 
and refining and storing all this information and making claims 
and assumptions about you, your reputation without any 
accountability to you as the consumer let alone as the citizen.
    That is the online advertising system today as we know it. 
It is different from traditional advertising because as you, 
yourself, described it is able to track you minute by minute, 
minute by second, and your information is being sold in online 
ad auctions in milliseconds. They know who you are and they are 
selling access to it, so it is an incredible system that we 
have created. And it is now meshed in almost everything we do 
online, watching online videos, even e-mail, doing searches, 
playing games. This broad date collection system is a digital 
data collection arms race going on as they build this 
incredibly sophisticated system. And I want to make it clear 
for my second point that our call for privacy and consumer 
protection rules isn't about undermining the role of online 
advertising and marketing. That has an important role to play. 
It is the underpinning, the foundation of our modern publishing 
system or really our new way of life in the digital age. We 
need to have online advertising and marketing, but we need to--
and it is not about any particular company here or sense of 
companies. It is about the overall practices that the industry 
has created to collect all this information and to use all this 
information with these very powerful multi-media, in their 
words, immersive online advertising services that are not 
understandable and controllable and definable by consumers.
    I think to me it is very clear that you look at the issue 
of what is called sensitive data, which I am hoping you are 
going to work on, and in particular financial data. When you 
look at what happened during the recent financial crisis online 
advertising played a major role in encouraging people to take 
out those subprime mortgages. Online advertisers and mortgage 
companies were some of the biggest advertisers on the Internet 
during the boom period that led to this current crisis. People 
had no idea when they were taking out a mortgage or taking out 
a loan what exactly they were getting because this system was 
defining them in certain ways and making them various offers, 
once again, non-transparent to them, and as result, they, and I 
think we, have had to face the consequences.
    That is just as with the financial system, we need some 
regulation here that puts the system into balance. Yes, they 
can try to build this business and we can be innovators, but, 
yes, consumers get to ensure what data is being used and how it 
is used, and they have a chance to change it if it is 
incorrect. So consumer groups around the country are calling on 
you to enact legislation as soon as possible to bring fair 
information principles up to the digital era. Self-regulation 
has failed. They have been working, with all due respect to my 
friends here, they have been working on self-regulation for 15 
years and all you have is more and more data collected every 
minute. Americans shouldn't have to trade away their rights to 
control their information and have some autonomy in their 
affairs, whether it is buying a mortgage, looking up a 
prescription drug, buying a car or doing anything else without 
having to give their data up. There is a balance. I hope you 
will help us restore it. There is a win-win possible here. 
Thank you.
    [The prepared statement of Mr. Chester follows:]





    Mr. Rush. Thank you, Mr. Chester. Now the chair recognizes 
Mr. Curran for 5 minutes.

                 TESTIMONY OF CHARLES D. CURRAN

    Mr. Curran. Thank you, Chairman Rush, Chairman Boucher, and 
members of the subcommittee. I would like to thank you on 
behalf of the Network Advertising Initiative for the 
opportunity to discuss both the economic benefits and the 
privacy obligations of online behavioral advertising. The NAI 
is a coalition of advertising networks and other online 
marketing companies dedicated to responsible business practices 
and effective self-regulation. Originally founded 9 years ago, 
the NAI has grown to include more than 30 leading online 
advertising companies including all 10 of the largest 
advertising networks. Today, through the NAI's Web site 
consumers can learn more about or opt out of online behavioral 
advertising by any or all of the NAI's member companies across 
the many thousands of web sites on which such advertising is 
served. Today's hearing focuses on both industry practice and 
consumer expectations.
    The NAI and its members are committed to online advertising 
practices that strike the right balance between consumers' 
economic and privacy expectations. We believe that consumers 
enjoy the diverse range of web sites and services that they get 
for free thanks to relevant advertising, but we must also 
provide consumers with meaningful notice and choice. Tens of 
millions of Americans benefit every day from free web content 
and services made available on the web because of banner 
advertising served by NAI members. These ad-supported services 
include news, blogs, video, photo sharing, and social 
networking services. NAI members support these web sites by 
connecting them with advertisers and by using web browser 
cookies to serve their visitors with more relevant and 
compelling advertisements.
    NAI members provide web sites with a broad variety of 
services. They help smaller web sites combine their audiences 
so they can attract larger advertisers. They help advertisers 
gauge the success of their campaigns across multiple sites, and 
they also make online advertising more interesting and useful 
to consumers by using non-personally identifiable information 
about users' activity within an ad network to try to predict 
their likely interests. In the early days of online behavioral 
advertising more than 10 years ago, advocates and regulators 
challenged industry to provide appropriate privacy protections 
around browser cookies. The NAI self-regulatory code was 
established to meet that challenge and continues today to apply 
the same core principles for our members. First, users should 
receive clear and conspicuous notice on the web sites that they 
visit where data is collected and used.
    Second, users should have the ability to opt out of 
behavioral advertising. Third, sensitive data should not be 
used for online behavioral advertising without a user's 
affirmative consent. Fourth, a user's affirmative consent 
should also be obtained if personally identifiable information 
is merged with information previously gathered about the user's 
web browsing with an ad network. As these technologies have 
matured and the online marketplace has diversified, the Federal 
Trade Commission has called on industry to broaden and enhance 
its approach to self-regulation. The NAI and its member 
companies believe that self-regulatory approaches should be as 
dynamic as the online marketplace that they serve, and we are 
moving quickly to respond.
    The NAI member companies are working to develop 
technologies that would support and enhance consumer notice in 
or around behaviorally based banner ads. This would allow users 
to learn more about behavioral advertising and to make choices 
directly from the ad itself. Additionally, to help protect 
users' choices, the NAI is implementing technology to improve 
the durability of user opt out preferences stored in browser 
cookies. The NAI believes that its current opt out approach 
strikes the right balance and consumers' expectations for 
today's cookie-based advertising. The model combines an opt out 
for the use of non-sensitive, non-personally identifiable 
information to deliver ads with an opt in requirement for use 
of sensitive or personally identifiable data. This preserves a 
default experience in which web sites provide users with more 
rather than less relevant advertising.
    Users have multiple options to control behavioral 
advertising either by using opt outs offered by the NAI's 
members or their own easily accessible web browser tools. Any 
significant changes to this model such as requiring a user's 
opt in even to non-personally identifiable uses of cookies to 
improve the relevance could pose a profound risk to both the 
user's experience and the economic model for ad-supported web 
services. As they navigate from site to site, consumers could 
be inundated with recurring opt in prompts asking their 
permission to serve relevant ads. Consumer rejection of this 
approach could uproot the revenue model that supports many web 
sites today. It is vital to the continued growth of web 
services that the right balance is struck between the economic, 
technological, and consumer protection considerations relating 
to online advertising. The NAI looks forward to working with 
the subcommittees as they consider these important online 
privacy issues. Thank you.
    [The prepared statement of Mr. Curran follows:]





    Mr. Rush. The chair thanks the gentleman. Now the chair 
recognizes Mr. Cleland for 5 minutes.

                   TESTIMONY OF SCOTT CLELAND

    Mr. Cleland. Thank you, Mr. Chairman, both you and the 
ranking member. As a leading Internet expert and consultant, I 
obviously have Internet companies as clients, which include 
wireless cable and telecom broadband companies in the 
communications sector, and Microsoft in the tech sector. 
However, I want to emphasize my views today are my personal 
views and not those of any of my clients. What I want to do is 
talk about the Internet problem and Internet solution. So what 
is the Internet privacy problem? Well, technology has turned 
privacy upside down. Before the Internet, it was inefficient, 
it was costly, and it was difficult to collect private 
information. Now it is hyper-efficient, cheap and easy to 
invade privacy. So through inertia what we have is a default, 
finders keepers, losers weepers, privacy policy.
    Now, second, most Americans incorrectly assume that the 
privacy they enjoyed offline in the past is the privacy they 
have online, and that is not true. Third, all the technology 
megatrends out there, social networking, cloud computing, 
Internet mobility, Internet of Things, all of them will 
dramatically increase privacy risks online. Fourth, there is a 
significant faction in the technology community that really 
views privacy negatively and in some parts antithetical to the 
behavioral advertising and the Web 2.0 model. Now, fifth, a 
problem is that increasingly the underground currency of the 
Internet is private data. Now private information is very 
valuable, but in the absence of a system where consumers can 
assert ownership and control over their private information, 
privacy can be taken away from them for free and profited from 
with no obligation to or compensation due to the affected 
consumer.
    The sixth part of the problem, and that is we now have a 
technology-driven Swiss cheese privacy framework, which may be 
the worse of all possible worlds. Simply, the haphazard 
framework we have gives a user no meaningful informed choice to 
either protect themselves or benefit themselves in the market 
place arena of their private information. So what is the 
solution? I think it is very simple. You have a consumer-
oriented, consumer centric approach that is technology and 
competition neutral. Think about it. It is consumers' private 
information that is being taken and exploited without their 
consent. Since it is consumers that are most at risk of having 
their information misused or stolen, wouldn't it be logical for 
our privacy framework to be organized around the consumer?
    Now, clearly, businesses should be free to fairly represent 
and engage consumers in a fair market transaction for their 
private information. Now its fair market transaction where 
consumers are able to effectively understand and negotiate the 
risk and reward involved with sharing the private information. 
Moreover, since the consumer is the only one that knows which 
information about their personal situation or their views or 
their intentions or their interests, which ones they are 
comfortable with sharing, shouldn't it be the consumer that is 
empowered to make those decisions? So if Congress decides that 
it is going to legislate in this area, I think one thing is 
obvious, and that thing is that you should have consumer 
framework that would be superior to the current technology-
driven framework. That is because it would emphasize protecting 
people, not technologies. It would empower consumers with both 
the control and the freedom to choose to either protect or to 
exploit their privacy.
    It would prevent competitive arbitrage by creating a level 
playing field. And it would allow you to stay current with the 
constant changing innovation because you are not technology 
oriented, you are consumer oriented. And, lastly, you are going 
to be able to accommodate both sides, the people who care very 
much to protect their privacy but also those who care less and 
would like to exploit their private information. So in closing 
I think we can do better than the current finders keepers, 
losers weepers privacy policy that is the de facto policy of 
the United States. Thank you, Mr. Chairman, and ranking member 
for the opportunity to testify.
    [The prepared statement of Mr. Cleland follows:]





    Mr. Rush. The chair thanks the gentleman. Now the committee 
will engage the witnesses in a series of questions, and the 
chair recognizes himself for 5 minutes for the purpose of 
questioning the witnesses. Ms. Toth, in your testimony you 
discuss meaningful choice for consumers, and this is a 
principle that everyone agrees is a good one. However, it 
appears that the only choice for consumers using Yahoo! is to 
opt out of receiving ``interest-based advertising.'' It seems 
that they can't opt out of Yahoo!'s collection of information 
and tracking. Can you clarify exactly what the consumers' 
choice is with Yahoo!'s opt out? If consumers ask to opt out of 
behavioral advertising, does your company continue to collect 
data on their browsing habits?
    And I have another question. Does the opt out only stop the 
displaying of targeted advertising or does it stop the 
collection of data? Does your firm offer consumers any way to 
opt out of tracking and data collection? Would you answer those 
three questions for me, please?
    Ms. Toth. Our opt out, you are correct, it is not an opt 
out of collection of data. It is an opt out of use of data. So 
there are a number of reasons why we collect data and primarily 
that relates to the display of advertising, so advertisers pay 
us to show advertisements, and so we have to know if those ads 
were delivered and shown so we collect information in order to 
report that information back to the advertisers who are paying 
for those ads. But another reason why has a lot to do with the 
way we operate our web site, so if we were to stop collecting 
data when a user opts out then there are a number of users we 
suspect would opt out and engage in behaviors on the site that 
may not be legitimate behaviors that may be abusive or 
fraudulent behaviors. So we are continuing to collect 
information, but when the user opts out we are no longer 
showing them behavioral advertisements. We are opting them out 
of that use of their data.
    So we are a web site that offers a number of different 
services. Ad serving is one of our many businesses, so we have 
other uses for the data as I described. I am not sure if I 
understood the other question specifically as being different 
from that one. I maybe misheard. So the extent that data is no 
longer used for advertising, that is what the opt out applies 
to. But the opt out that we offer is actually a very--it is 
very clearly provided to users, and it is actually very easy to 
find, so we think that that actually matters a great deal. The 
other thing actually that I will mention is that what we offer 
on the back end is anonymization of that data within 90 days so 
if users have a concern that there is a great deal of data 
being collected, we hope to be addressing that on the back end 
by anonymizing the vast majority of our data within 90 days.
    What is really notable about that is that our policy 
doesn't just apply to search log records or to a specific type 
of log file that all of our log systems including the log 
systems that inform our advertising capabilities.
    Mr. Rush. So a consumer cannot opt out of data collection 
at all?
    Ms. Toth. The consumer can't opt out through----
    Mr. Rush. Cannot. They cannot opt out of data collection.
    Ms. Toth. No. There are other tools at the browser level 
that would address that. Our systems don't work that way.
    Mr. Rush. Ms. Wong, can you answer the same questions for 
me?
    Ms. Wong. Sure. Let me start by sort of describing our 
approach to privacy and data collection on our sites generally 
because I don't know if you are a regular Google user. Google 
actually has a design philosophy of always trying to minimize 
the amount of data we collect about a user in the first 
instance, so almost all of our services actually don't require 
a user to provide any personal information at all. When you go 
to Google Search, you don't have to register. You simply type 
in your search. If you type in a search and you are not signed 
in or registered with us what that means is the only thing we 
get back is what all of us here, what all web sites get, which 
is sort of a standard what we call log line that records--a 
computer is asking you a question and that question comes with 
two things that can be identifying a user. One is an IP 
address, which your ISP assigns to you, and the other is a 
cookie, which is what Anne referenced.
    Neither of those things for Google are tied to an 
individual. You can't know it is Nicole or Chris or Anne based 
solely on the IP address and the cookie. Just to be clear about 
the type of data we collect, we do provide an opt out, as I was 
demonstrating in our presentation, for the use of that cookie 
and IP address data to target ads. In other words, when you 
click on the opt out what it does is instead of getting a 
unique cookie, which is a series of numbers and letters, what 
you get is what we call the opt out cookie, and that opt out 
cookie literally says in it opt out so that the data that we 
collect goes into a huge pool of all users who have the same 
opt out cookie. It is completely abrogated which means we can't 
see an individual user in that pool of data that has been 
identified as opt out.
    Mr. Rush. The chair's time is up. The chair now recognizes 
the ranking member, Mr. Radanovich, for 5 minutes, and at the 
conclusion of his questions and answers, the chair will 
relinquish the chair to the chairman of the Communications 
Subcommittee at that point.
    Mr. Radanovich. Thank you, Mr. Chairman, and welcome 
members of the panel. Your testimony is very interesting. My 
first question goes to Mr. Curran, is it? For your testimony, I 
understand that you are involved in a broad industry-wide 
effort to create self-regulating principles, and that these 
principles, you are going to be releasing these principles 
pretty soon, I understand within about 30 days. Can you expand 
a little bit on what we can expect you to address on those, and 
I am particularly interested about the enforcement areas of 
these principles.
    Mr. Curran. Actually I think there are two different 
answers to your question because there are two different things 
going on, and in my long form testimony I detailed some of the 
work going on with the NAI in terms of our member companies, 
which are primarily advertising networks and other online 
marketing companies, to essentially further the development of 
technology that will allow, as Ms. Wong showed you with her 
presentation, notice inside the banner ad really to get 
together to advance an infrastructure that would allow any 
entity serving a behaviorally targeted ad or any party 
responsible for a behaviorally targeted ad to deliver that kind 
of notice in connection with an ad.
    Mr. Radanovich. So that is work that the NAI has been 
pursuing from a technological perspective?
    Mr. Curran. Separately, I think your question relates to a 
far broader industry dialogue that has been not led by the NAI 
but instead by the IAD, the DMA, the AAAA's, the ANA, and also 
the BBB. That is a lot of acronyms.
    Mr. Radanovich. That is much clearer now.
    Mr. Curran. I think the key takeaway here is that certainly 
the FTC has indicated that broader self-regulatory approaches 
were needed for industry, and that is very much an effort in 
that direction of actually establishing principles similar in 
spirit to those of the NAI to apply on an ecosystem wide basis. 
My understanding is that the roll out of those principles is in 
weeks. And we are very much supportive of those efforts, and I 
think they are very much a part of a trend of really a momentum 
towards exactly what the FTC called for in terms of really a 
very vigorous engagement.
    Mr. Radanovich. Thank you very much. Ms. Wong, I would love 
to ask you a question regarding your comments or support of 
establishing a uniform online and offline framework for 
privacy. Now I would love to have you clarify what uniform 
means and does it mean that it should apply to all entities and 
engage in collecting or using and sharing online information 
whether they are ISPs or application providers? Should it be 
straight across the board or are there different applications?
    Ms. Wong. Yes. And I think there are two answers to that. 
As an initial matter, Google and a number of the folks at the 
table here have been really working hard to think about federal 
comprehensive privacy legislation, and if I were to encourage 
the committee to do anything I think it is backing something 
like that because our history on privacy legislation has really 
been about sectorally trying to regulate privacy with children, 
with health, with financial, so that for a user on the Internet 
their Internet experience is seamless. They go from their bank 
to their doctor to their web service seamlessly and don't 
realize that different privacy laws apply. The important for 
ensuring that users continue to trust the use of their data on 
the Internet is to have baseline privacy law across industries. 
To get to your second question about----
    Mr. Radanovich. Let me ask this and clarify it a little 
bit. When you say uniform, does that apply to content providers 
that provide content over Google? Would they be subject to the 
same--is that what you call uniform online privacy?
    Ms. Wong. Right. So, yes, there would be baseline standards 
for all companies in terms of notice to users, access and 
control for users, and security for that data.
    Mr. Radanovich. OK. Thank you. Ms. Toth, in Yahoo! recently 
you announced that you will completely erase IP addresses at 
the end of its data retention period rather than just deleting 
a few numbers as is the practice of a number of your 
competitors. If you don't need the IP addresses for fraud 
prevention or anything else, what is the utility in keeping the 
IP address at all, and why the fractional numbers of why don't 
you just dump it right away?
    Ms. Toth. I think we actually have slides in there of our 
data retention policy and the process steps that we take so for 
the vast majority of our data at 90 days we de-identify the 
data. We apply a four-step process to remove identifiers. The 
IP address is one of those identifiers that is stored in the 
logs, and for us we completely delete that identifier at 90 
days with the exception of the fraud and abuse systems which 
hold it for up to 6 months and then it is deleted. So we store 
that data only for as long as we need it for the purposes of 
providing our services and then we de-identify the records and 
that gets to the IP address. The IP address is typically in the 
context of use have more to do with customizing a user's 
experience along the lines of geography, those sorts of things. 
But it is de-identified and it is removed at 90 days. Does that 
answer your question?
    Mr. Radanovich. Good enough. Thank you very much.
    Mr. Boucher [presiding]. Well, I again want to express 
apologies to our witnesses for the lengthy delay. We were on 
the House floor a bit longer than we had anticipated, and you 
were very patient. We want to express the committee's 
appreciation to you for your willingness to stay with us and 
provide what has been some truly excellent testimony. I am 
going to propound a series of questions and then recognize 
other members who are here. Some have made the point in written 
testimony, and I have heard it made otherwise, apart from this 
hearing, that there can be a meaningless opt in and a 
meaningful opt out. And I would assume that the difference with 
regard to meaningfulness depends to some extent on the degree 
of disclosure that is made to the user. So what I would like is 
to get your statement of what you think the elements of a 
meaningful opt out would be. Who would like to answer? Mr. 
Chester.
    Mr. Chester. I would like to say, thanks, that I think we 
need an opt in. And my rule of thumb is, and this has to be 
done in a doable way to make----
    Mr. Boucher. Mr. Chester, before you alter the question and 
answer the question you wish I had asked, let me see if we can 
get you or someone to answer the question I actually did ask. 
Ms. Wong.
    Ms. Wong. I will give it a try. And I agree with the 
concept of there are good opt outs and there are bad opt ins. I 
think a bad opt in is, you know, an opt in slipped in in a long 
provision at the beginning of a contract relationship with your 
user that they forget over time, and so there could be 
continued data collection in the life of your relationship with 
that user that the user completely forgotten about. A good opt 
out is an opt out that is presented again and again to the user 
as a meaningful choice to them. So in our interest-based 
advertising, for example, one of the things that we are trying 
to do is to put ourselves in front of the user so that we 
encourage them to engage with their own data. That is the 
purpose of that Ads by Google link in the ad because we want 
them to know when you are looking at this page it is not just 
the New York Times you are looking at. The ad is from Google, 
and you should engage with that data. The purpose of our ads 
preference manager is again to give the users a sense of 
control so that they change their behavior and start to engage 
and take control of their own data. And I think that----
    Mr. Boucher. So you would make full disclosure to the user 
of what information is collected about the user. You would 
describe how that information is used once you have collected 
it and then you would provide the opt out opportunity?
    Ms. Wong. That is right.
    Mr. Boucher. And would those be the meaningful elements of 
opt out as far as you are concerned?
    Ms. Wong. I think that is right. The continued engagement 
with the user.
    Mr. Boucher. All right. Now let me ask Mr. Chester, who I 
know is very interested in taking part in this discussion, what 
his response to that would be.
    Mr. Chester. Well, my rule of thumb is this, it has to be 
done workably. The companies should be telling the consumer 
what they tell perspective clients. When you see what--and I 
included some of that in my testimony, when you see what they 
are telling their clients and their perspective clients or when 
they are reporting on the results of the data collection system 
they have created with the advertising, they are talking about 
massive collection of data that is far beyond the ken of what 
might be presented in a simple opt out. So they need to be 
honest and tell people exactly what is about to happen. It can 
be a scale here, but if you read what they are doing including, 
frankly, the companies here, if you read what they are saying 
and also how the applications, the interactive applications, 
when you read the literature, the interactive applications have 
been designed, the online video, to get people to give up more 
data, so they have to be honest.
    Mr. Boucher. All right. Thank you very much. If we were to 
draw a regulatory line of some sort that is focused on the 
collection and use of personally identifiable information, 
should we include within the definition of what is personally 
identifiable information, the IP address? Mr. Chester is saying 
yes. Let me see if any have any different views. Everyone 
agrees that--well, OK, Ms. Wong.
    Ms. Wong. I will give it a try again. I think our position 
is that the IP address can be personally identifying depending 
on your relationship with the user so, for example, if you are 
the ISP that assigned that IP address what it means is that you 
are actually billing that user every month and having credit 
card or billing information from them, which means you can in 
fact associate the IP address, the ISP assigned, with a real 
person. If you are in a position like Google with an 
unauthenticated user where you don't know who is attached to an 
IP address it is not personally identifiable.
    Mr. Boucher. So you are saying it would be personally 
identifiable if it is associated with other kinds of 
information about the user?
    Ms. Wong. That is right.
    Mr. Boucher. Some of which might be quite sensitive and 
personal.
    Ms. Wong. That is right.
    Mr. Boucher. You would probably say it is not personally 
identifiable if you have that in isolation perhaps with an opt 
out cookie?
    Ms. Wong. Right.
    Mr. Boucher. All right. I think I understand your position. 
In the time I have remaining, let me ask about the possible 
role that self-regulatory organizations might play in a 
statutory scheme that would extend privacy rights to Internet 
users. Several questions about that. I know we have well-
regarded SROs in existence today. Many of the major Internet 
companies are affiliated with one or more SROs, and I am 
concerned if we add a statutory scheme on top of that in order 
to assure that every Internet user has the understanding that 
his online experience is secure because all web sites will have 
to comply with a certain set of fundamental privacy assurances. 
How we do that in association with continued viability and 
usability for the SROs so just a couple of key questions. How 
would a user who feels aggrieved because the SRO, for example, 
may not have complied with the principles it signed up to 
comply with get recourse? Should there at some point be access 
to a federal agency to seek that resource? And how could we 
make sure that every web site actually complies with the 
minimum set of guarantees? So who would like to try answering 
that? Mr. Cleland.
    Mr. Cleland. Well, I think, you know, you are trying to get 
to something that actually works, and I think you are trying to 
get to an accountable system. One idea I would offer whether it 
is self-regulatory or governmental is that there needs to be 
some audit that is occurring on a regular basis. Those could be 
automated audits or they can be personalized. They need to be 
random because what you are talking about is meaningful. We are 
talking about accountable. And if you care about those two 
words and those two concepts and principles, there needs to be 
some verification.
    Mr. Boucher. Other comments, Mr. Chester?
    Mr. Chester. There is a role for self-regulation, but I 
just have to underscore that self-regulation has failed. The 
only reason the NAI is upgrading its principles is because of 
the controversy that occurred over the Google-DoubleClick 
merger when all these consumer privacy groups made so much 
trouble that then the FTC said, OK, we got to do something 
about privacy principles, and then the NAI after many years of 
being asleep, you know, decided, OK, we are going to revamp 
them. The only reason the companies have reduced their 
retention time is because the European Union has been pressing 
them. So it is the forces of regulation that have actually 
bolstered the failing self-regulatory system.
    Mr. Boucher. So you would agree, would you not, Mr. 
Chester, that if the statute imposed certain fundamental 
guarantees and they meet your definition of what those 
fundamental guarantees of privacy should be, for example, that 
an SRO that enforces those fundamental guarantees or has those 
as its core principles that are a condition of membership, such 
an SRO could be effective, could it not?
    Mr. Chester. I think the history of self-regulation 
certainly need telecommunications like the kids area has been 
that the self-regulatory structure is only as good as the law 
that has in fact----
    Mr. Boucher. On that note, my time has expired. And I will 
recognize the gentleman from Florida, Mr. Stearns, for 5 
minutes.
    Mr. Stearns. Thank you, Mr. Chairman, and let me also 
reiterate your comments. This is the first time I think in the 
history of Congress that we had this kind of procedure on the 
floor. We had almost 55 votes, and they were over almost 8 
hours. And so you have hit sort of a perfect storm so your 
patience is appreciated and we appreciate you staying. Ms. Toth 
and Ms. Wong, on any given day people come to your sites. Let 
us call that X. They all come to your sites. What percent of 
those people actually go to your privacy, Ms. Toth?
    Ms. Toth. We don't calculate it as a percentage. Overall, 
the number of page views of users who come to our privacy 
policy remains a fairly low number overall.
    Mr. Stearns. So let us say just take 1,000 people just to 
make it easy, 1,000 people. You couldn't even tell me if it is 
10 percent or 1 percent or half a percent?
    Ms. Toth. It certainly is far lower than 1 percent.
    Mr. Stearns. So it is very, very small. And, Ms. Wong, how 
about you?
    Ms. Wong. I don't know, and I can try and get back to you 
with the number, but off the top of my head I don't know the 
number of views.
    Mr. Stearns. No one on your staff can even just give a 
ballpark? I mean it is not 10 percent?
    Ms. Wong. I am sure it is lower than the number of overall 
visits we get. Here is what I do know, which is that a year ago 
or so we started uploading videos to explain our privacy 
practices, and what we are seeing there is that users are 
engaging with us in those----
    Mr. Stearns. Because it is a video. OK.
    Ms. Wong. Because it is a video and they are rating them 
and telling us what works for them and what doesn't, and I know 
that notice is a really important thing for this committee. We 
have to find better ways than a pure privacy policy to engage 
with our users to make them----
    Mr. Stearns. And videos might be a good way.
    Ms. Wong. And videos----
    Mr. Stearns. Now each of you mentioned that you are willing 
to give to the consumer the information that you have collected 
and get it in sort of a category. And is this information that 
you are going to give--this is then sensitized or you have put 
together a summary and given it to the customer. Will you let 
the user actually see the raw data or at least actually see 
what you collect? Will you ever get to the point they can 
actually see what you collect?
    Ms. Toth. I would actually love it if we could--I would 
like you to see some of the data that we actually do collect 
because I think it----
    Mr. Stearns. So I could actually see it if I wanted to.
    Ms. Toth. Right.
    Mr. Stearns. And not just get your categories----
    Ms. Toth. We have a slide that shows our log files or a 
sample of what we collect in the log files. I don't think 
actually a consumer would engage with that in a way that would 
be meaningful for the consumer because it is a very technical 
expression of a user's interaction with us on the site so what 
we do in our interest-based advertising and the behavioral 
targeting systems that we use is to take those visits and 
categorize them based on the types of interaction. So if a user 
visits sports, they will have a score that indicates they visit 
sports. The actual log files themselves would probably not be 
useful for a consumer to engage with. It is a series of--it is 
actually quite difficult to explain in plain English what is in 
a log file.
    Mr. Stearns. OK, but the customer would have access to it 
is what you are saying if they wish to?
    Ms. Toth. Well, the customer--we don't actually make it 
available because there are no tools that actually generate log 
files in a way that would be easily accessible for consumers. 
What we give consumers is ready access to our privacy policy, 
educational links, opt out opportunities that are abundant 
across the site.
    Ms. Wong. The demo that we did for you about our ads 
preference manager is an attempt to make that interface real 
which is demonstrating the interest categories that are 
assigned to a cookie in order to target advertising because I 
think Anne is correct that if a user won't read a privacy 
policy they are surely not going to read code.
    Mr. Stearns. OK. Mr. Chester, before you can answer that 
question also, what do you do with the bad actors? I mean we 
sit here and we pass a bill and we set up opt in and opt out 
procedures, and we have got Yahoo! and Google, but what are you 
going to do with the bad actors and how--is it possible that in 
addition to developing this legislation so that all 50 states 
have one set because each state now is developing a different 
one so there might be a need for us at the federal level to 
develop it so you don't have 50 states with 50 different 
privacies. So I guess my question is twofold. What do we do 
with the bad actors and is it a possibility that you could set 
up good housekeeping seals that everybody would say I am safe 
with this site, bingo, I can go into it and feel comfortable, 
and the bad actors wouldn't get it and then you could 
differentiate and say I am not going to fool with those.
    Mr. Chester. I think if you passed legislative standards, 
right, that would be the base line. Everybody would know 
basically that they are protected. You now have a changed FTC 
potentially and hopefully you are going to reauthorize it soon. 
I mean the FTC has been hampered in going after the bad actors. 
It has been constrained from really looking as closely at this 
market as it should be and hasn't had the resources, and it has 
also been in conflict. There is now a new chairman there. There 
is a new director of consumer protection. They really want to 
move on this issue, and they could in fact be empowered to go 
after the bad actors in a much more vigorous way. Of course, we 
don't want to see state pre-emption consumer----
    Mr. Stearns. Now when I had hearings on this one of the 
problems we found is that there was no reciprocity between 
countries and you had the bad actors outside the United States. 
And so part and parcel of this is to develop legislation with 
other countries where you have reciprocity so you can go after 
corruption and fraud and there is that ability to do it. 
Otherwise, no one is going to comply with the federal bill and 
they will be in another country.
    Mr. Chester. Well, I do think we are falling behind the 
Europeans. They are going to have a better privacy policy and 
build a whole new online commerce business that is privacy 
friendly while we are lagging because they are moving. The 
market is really being shaped, and this is something positive 
about the industry, we are creating this global interactive 
market. Yes, there are European companies, yes, there are Asian 
companies, but they in fact have created the standard and that 
is terrific. What happens here can shape the rest of the world. 
As for profiles, you can see company after company says I have 
all this information about an individual consumer. I would hope 
that under the legislation that consumer could see all the 
detailed information that is being collected about them.
    Mr. Stearns. Mr. Cleland.
    Mr. Cleland. Yes. I think if Congress is serious about this 
you need to focus on the concept of deterrence. I mean if 
privacy violations or repeated violations are important there 
needs to be a significant penalty of whatever is appropriate 
but if legislation is passed and there is no deterrent and 
there is also no significant way of getting caught meaning 
independent audits of some type, it will not have teeth. It 
won't be meaningful and it won't be accountable. So if you are 
serious about this, you really need to be thinking about how do 
you take unaccountability, which is a problem across the 
Internet, not just with privacy, and try and address that and 
create more accountability. It is never going to be perfect but 
it is a key.
    Mr. Stearns. Mr. Chairman, if you will give me a little 
slack here, I just want to bring this last question, which 
really is also what we as legislators are grappling with, and 
that is the regulatory side versus the enforcement. Mr. Cleland 
talked about the enforcement, and we have two jurisdictions 
here. We have the FCC and the Federal Trade Commission, so I 
would like to just start to my left and just go down, and 
perhaps you could give us a feeling of how you think this bill 
should come together in terms of jurisdiction with the FCC and 
the Federal Trade Commission. Some people think, well, the FCC 
could be the enforcer and the FTC could be the regulator, but I 
would be curious if each one of you, if you don't mind, take a 
few moments, Mr. Chairman.
    Mr. Felten. I would say this is closer to an FTC issue. I 
think it is fundamentally a consumer protection issue.
    Mr. Stearns. So both for regulatory and enforcement?
    Mr. Felten. Yes.
    Mr. Stearns. OK.
    Ms. Toth. I would agree with Mr. Felten. We have worked for 
a very long time with the Federal Trade Commission on issues of 
consumer privacy online. We feel very comfortable and believe 
that they are well versed to address this issue.
    Mr. Stearns. Ms. Wong.
    Ms. Wong. I have to say I feel a little bit out of my depth 
in terms of understanding the jurisdiction between federal 
agencies, but like Anne we have worked for quite a while with 
the FTC. My experience in watching them over the last 10 years 
is they brought very effective enforcement actions.
    Mr. Kelly. I would say as well that we worked extensively 
with the FTC so far along this and they also have a great deal 
of expertise in the competition area, which is one of the 
things that is driving better technology throughout the 
industry in terms of providing users more transparency and more 
control over their data so the FTC has developed a great deal 
of expertise in this area.
    Mr. Chester. I would like to see a joint task force because 
in fact the FCC will have expertise at the network level and 
particularly with cases with--inspection. There is a real role 
here for the FCC but when it comes to the ad itself and the 
consumer experience itself it is the FTC.
    Mr. Stearns. Yes, because, you know, this is going to 
develop once you get broadband more. You are going to see voice 
over Internet. You are going to see everything over the 
Internet. And so all communication is going to be through that 
media and so I think the FCC has a part and parcel role.
    Mr. Curran. I think I would echo that, a nod to the FTC, 
certainly in terms of our business model for cookie-related 
activity. The FTC for over a decade with its workshops on 
technology has been instrumental in raising awareness of the 
policy and technical issues and very much determinant in 
setting the direction for self-regulation. And as for other 
business models and other regulatory schemes, I wouldn't be 
able to speak to that.
    Mr. Stearns. OK. Mr. Cleland.
    Mr. Cleland. FTC is the lead in close coordination with the 
FCC. The only problem would be is if jurisdiction got in the 
way of passing--if you want to pass legislation. That would be 
the only tragedy.
    Mr. Stearns. Thank you.
    Mr. Boucher. Thank you very much, Mr. Stearns. The 
gentleman from New York, Mr. Weiner, is recognized for 5 
minutes.
    Mr. Weiner. Thank you. Could I ask perhaps for Ms. Wong to 
talk a little bit about your experience developing Chrome, 
which is your--what is it called?
    Ms. Wong. Browser.
    Mr. Weiner. Your browser. Wouldn't it be possible through 
that vehicle so when you download it, your first page is tell 
us what information you would like to know about the pages you 
are visiting and what information that you would like to share, 
and maybe a collection of boxes you can check or not check. It 
is similar to kind of what Facebook tries to do although they 
don't do it right in your face. They kind of have you can say 
this--that seems to be an even better place to think about the 
true gateway to the experience. If I wanted to do that through 
Chrome, would I be able to do that in some way? I mean I know I 
can go and erase the cookies and I can erase my browser 
history, but can I do something like that?
    Ms. Wong. Right. Thank you for that question.
    Mr. Weiner. You are welcome.
    Ms. Wong. And I am at a little bit of a disadvantage 
because I am not an engineer, just a lawyer, and our engineers 
do amazing things. I think that--I don't know if there is any 
limitation on what they can do. I know they are working very 
hard to build privacy controls----
    Mr. Weiner. Well, perhaps if I could interrupt you maybe 
Mr. Felten can tell me about the technology possible here.
    Mr. Felten. Sure. The information flows that users might be 
concerned about mostly happy not at the browser but after the 
user has interacted with a web site or a content provider, so 
what that means is that technical controls would exist mostly 
not in the browser but in the web sites themselves.
    Mr. Weiner. Let me interrupt on that point. But if you have 
a fairly finite number of browsers that most people use, let us 
say for the purpose of this conversation it is 5. That 
basically probably accounts for most of what people do. And the 
browsers are themselves competitive with one another. You can 
argue that the browser industry grew out of people's 
dissatisfaction with Explorer. So why couldn't you say that if 
you want your web site to come up when you traveling through 
Firefox, you have to have certain of your own information that 
you are giving us about what we can tell our users. Isn't that 
kind of a technical solution, a solution but a technical way to 
kind of serve as a gatekeeper for a lot of web sites?
    Mr. Felten. Yes, and certainly there are things you could 
do along those lines so that the browser could help the user 
express their preferences and the browser could in a technical 
way query a site and see what promises the site makes about 
uses of data. There have been efforts to do this in the past. 
There was a standardization effort called P3P, the platform for 
privacy preferences, which defines such a standard and for 
reasons that are subject to debate the standard didn't stick. 
It wasn't popular. Nonetheless, I think this is a fruitful 
approach and I for one would be happy if the companies got 
together and had a discussion again about how to do this.
    Mr. Weiner. Mr. Kelly, tell us a little bit, if you could, 
about your experiences in stepping on the toes of people's 
privacy concerns. It seems to me that we to some degree have 
three companies that have succeeded because consumers with a 
lot of different choices have chosen to use Google, chosen to 
use Yahoo, chosen in large numbers to go to Facebook. Could it 
be that the reason they are choosing your 3 services in 
particular is that you are being self-selected by an active 
consumer marketplace that thinks privacy works on your sites? 
You just had an experience, I guess it is an ongoing one, where 
you had kind of a conversation with your members about privacy. 
How does it work differently on yours than say--what search 
engine do you use when you are searching the Internet 
personally?
    Mr. Kelly. It is usually Google.
    Mr. Weiner. How is your privacy experience as a consumer of 
Google different than as a member of Facebook, is it at all?
    Mr. Kelly. Well, I think that all three of these sites have 
succeeded because they are providing great user experiences 
overall, and in come cases those are around privacy, and 
because we have based a business on identity and personal 
information and the effective sharing of that with people who 
share a social context with you, we knew going in that privacy 
was going to be a critical issue for us. And our goal has been 
to build technologies that allow people to make choices, so one 
of the things that has gotten lost in the discussions of social 
networking is that friending, whether your friend somebody or 
not and how you connect to them is in and of itself a privacy 
setting. It determines what information that you see on 
Facebook, and that has been a great experience for us.
    When you look at Google or Yahoo! as a search engine, they 
are looking to deliver a different experience there. They are 
looking for you type in a word or two and get back something 
that they think is the most relevant experience for you to get 
you to the page that you need to go next. If you use other 
services on those sites, they are providing different 
experiences there. Our goal has been to build technology that 
empowers users and lets them make their own choices about how 
they share information. We have aimed to extend that into the 
advertising realm as well.
    Mr. Weiner. Mr. Chester, I know you want to answer this 
question, but let me build on it. You can go ahead and in my 
last few seconds you can answer, but I take you back to 1986 or 
even 1996. I don't even know when this phenomenon all began. 
You could buy someone's credit report from three different 
companies. You could probably find aggregators of information 
that helped car dealers figure out who to send their 
information to. You could probably scrub public records to find 
out what kind of a home that they own, how much taxes they 
paid. It seems to me that there have always been resources that 
allowed someone to do 75 percent of what you described in your 
testimony as the thing we are protecting against. And we have 
acted here in Congress to try to limit access to that 
information but to some degree wouldn't you agree that 
consumers have pretty much now have a lot of tools that inform 
their experience.
    I would argue without knowing, I bet you there are places I 
can go on the Internet to even find little software plug-ins I 
can probably download to let me know who is doing what and what 
web sites are good or bad at protecting information. So it is a 
two-part question. One is in a lot of the stuff that you are 
most concerned about is going to be out there whether you don't 
plug into the Internet at all, and, secondly, isn't some degree 
the marketplace allowing--aren't consumers allowing the winners 
to be the good privacy companies? So why don't you take both 
those----
    Mr. Chester. Polls after polls after surveys including the 
one that UC Berkeley just released about a week ago, 10 days 
ago, say that the most users, most consumers, have no idea 
about what is being collected, how it is being used, how it 
really works. I honestly believe, and I think this is going to 
come out as part of this debate, and, frankly, that is why we 
need good privacy legislation because it is going to undermine 
public confidence. People don't really know what is going on 
inside Facebook and the third party developers and all the data 
flowing out. They don't know what Google is collecting across 
its various interests. If they knew, they would, in fact, I 
think be more concerned, so consumers don't know. The polls 
show that. This is a whole different world here than it was 
back in 1996 or 1998 when we did the children's act.
    You are talking about the instantaneous merging of a vast 
number of offline databases with online behavior minute by 
minute that is adopted to an individual's actions and reactions 
with various online environments including all the personal 
information they put on their social networks. This is a 
completely different system that has been created. And, 
finally, you know, I have a 16-year-old. I look at this as the 
world that will be here very soon. We will be buying our 
mortgages on this mobile phone in the not too distance future. 
This is the dominant way we are going to be doing business for 
the PC and the mobile phone. It is a whole different world that 
has been created. On the one hand, we should be proud of it. 
They created it for us. We just have to make sure that 
consumers are protected.
    Mr. Weiner. Thank you, Mr. Chairman.
    Mr. Boucher. Thank you very much, Mr. Weiner. The gentleman 
from Louisiana, Mr. Scalise, is recognized for 5 minutes.
    Mr. Scalise. Thank you, Mr. Chairman. When we talk about 
opt in versus opt out, and I would imagine for business model 
purposes opt out is the preference because if you force 
somebody to opt in, I would think it would probably limit the 
number of people that would want their data to be collected on 
the front end, but if they do go through the process of opting 
out, are they actually stopping their personal data from being 
collected or are they just not getting the targeted 
advertising. If Ms. Toth could start.
    Ms. Toth. When a user is opting out for us that is an opt 
out of not collection but of use of the information, but I also 
want to be careful about the use of the term personal 
information because very often what is being conveyed to us is 
information that is specific only to a browser that is used to 
customize advertising. But even that level is what the user is 
able to opt out of in terms of that data being used.
    Mr. Scalise. But in different levels, of course. If you are 
just going on to a browser, and I think Ms. Wong talked about 
that, if I just go on to Google and do a search there is 
different information, maybe just my IP address, but then if I 
actually use Yahoo! for an e-mail account then clearly I am 
going to be giving you a whole lot more information and then 
you will have access to that, and if I choose to opt out of 
that what am I opting out of there? Are you not going to be 
collecting that data anymore or are you just not going to be 
giving the targeted advertising?
    Ms. Toth. The way that we do it at Yahoo! is that when a 
user opts out, we are no longer showing them targeted 
advertising, and we are not using their information in that 
particular way. Yahoo! offers a wide array of products and 
services, as you mentioned, e-mail, search, a wide array of 
different----
    Mr. Scalise. Maybe social network services.
    Ms. Toth. Social networking, exactly. So when a user opt 
out, we opt them out of the delivery of targeted advertising, 
but we also recognize that users may not want us to have that 
much information about them, so we take great pains to de-
identify the data as soon as we can. We spent over a year 
looking at every single product, every single data system at 
Yahoo! to really try to minimize the amount of time that we 
hold data about users.
    Mr. Scalise. Right. I know we got limited time, so, Ms. 
Wong, and then Mr. Kelly.
    Ms. Wong. Sure. I think it is roughly the same answer that 
I gave earlier, which is we really collect very little data 
from users when they are searching the IP address and the 
cookie, and the opt out for our interest-based advertising is 
an opt out for those targeted ads, and that it means is that 
the cookie you are getting is not uniquely identified. It just 
drops the query that you send us or the data that we have 
gotten into a bucket of all opt out cookies.
    Mr. Kelly. Because our service is based on sharing personal 
information with others, we inevitably end up collecting a 
great deal of personal information so that we can effectively 
share it with others, and actually ask people to retain 
people's photo albums for them, which they usually expect to be 
retained indefinitely. In certain circumstances, and 
particularly in our advertising products, where we are 
innovating and where people may not be used to a presentation 
in a particular way, we have allowed for opt outs in those 
instances because we think it empowers users. It allows them to 
say I am not comfortable with this at this point, but they can 
reconsider that at a later time. Our goal overall, and I think 
the goal of this committee and any legislation it considers and 
any enhancement of regulatory authority should be to make sure 
that consumers have real power to make those choices. We have 
tried to embody that in technology as much as we can, and you 
are here trying to embody it in law and trying to encourage the 
regulatory agencies to continue to meet their burdens and their 
obligations under existing law.
    Mr. Scalise. And I apologize to interrupt. I have only got 
a minute left. There is something else I want to ask especially 
as it relates to the e-mail services. And both for Yahoo! and 
Google, if you can answer this. If a user of Yahoo! or Google 
or any other e-mail service decides that they want to opt in or 
they don't opt out to all of those agreements, and you can 
collect whatever information you want from them, but let us say 
they then send me, and I don't have that service, and they send 
me an e-mail. I didn't agree to any of those issues. Do you 
read e-mails from people that are a Yahoo! or Google e-mail 
subscriber? Do you read through those e-mails to gather 
information in any way?
    Ms. Toth. Yahoo! does not scan the content of e-mail 
communications in order to share targeted advertising.
    Mr. Scalise. Or for any other purposes?
    Ms. Toth. We don't--well, there are only some purposes 
for--there is a process that actually removes viruses from e-
mail that is an automated process but we don't use the 
content----
    Mr. Scalise. For advertising. Ms. Wong.
    Ms. Wong. Yes. We are using that same technology that scans 
for viruses and also scans for spam. It is basically technology 
that looks for pattern in text, and we use that not only for 
the spam blocking and viruses but also to serve ads within the 
Gmail user's experience so importantly like the----
    Mr. Scalise. So if two people are exchanging an e-mail 
about a sporting event and they are talking about going to the 
game and then maybe they are going to want to go out for a 
drink afterwards, could they then maybe expect to get an 
advertisement about which different bars are offering specials 
after the game?
    Ms. Wong. They won't get an e-mail with an advertisement 
but only the Gmail user will be able to see ads that shows up 
just like they show up on the side of our search results that 
are key to specific words--they are key words just as if you 
typed them into our browser that are calling from our 
repository of millions of ads to deliver an ad that is targeted 
to the content that you are reading.
    Mr. Scalise. So if that was a two-way conversation, one was 
the Gmail subscriber who agreed to or didn't opt out of the 
privacy but the other person in that conversation was not a 
Gmail user, clearly not someone who opted in or opted out, 
would any part--because in an e-mail thread they could have had 
maybe four or five replies and you got a long thread built up, 
and it is not just going to be the Gmail's information that is 
going to be there. The person who is a non Gmail user is also 
going to be included in that thread. Would any of that 
information be read?
    Ms. Wong. The non Gmail user will not have any ads targeted 
to them at all.
    Mr. Scalise. Is any of their data collected from that 
conversation?
    Ms. Wong. Their data sits in the recipient's, the Gmail 
recipient's e-mail archive.
    Mr. Scalise. So if you have got algorithms that went 
through that Gmail e-mail, then when you were reading things in 
that e-mail some of the things that you were reading----
    Ms. Wong. Were scanned.
    Mr. Scalise [continuing]. Would have been part of the 
thread of a non Gmail subscriber.
    Ms. Wong. That is right.
    Mr. Scalise. How does your privacy policy handle that 
because that person clearly has absolutely no knowledge of you 
reading their e-mail, they surely didn't agree to it, and they 
didn't have the ability to opt out, so how is that handled?
    Ms. Wong. Yes, just to be really clear. There are no humans 
reading e-mail at our company.
    Mr. Scalise. But even if it is a software algorithm that is 
trained to go through and look for key words or key 
information, their e-mail address, of course, is going to be in 
there, so you would be able to know who that person is at least 
from their e-mail address, but also you would be able to have 
access to the information. Do you have anything in those 
algorithms that prevents that information that is not Gmail 
related to be read from a person who didn't agree or have the 
ability to opt out of the privacy----
    Ms. Wong. It would have to be that the user decided that 
they did not want to receive that e-mail from the person who 
sent it to them so this is fully in control of the Gmail 
account holder, and they can refuse to receive e-mails from 
certain people.
    Mr. Scalise. So you would be putting the burden now of 
privacy collection on a user of Gmail, someone who actually has 
a Gmail account?
    Ms. Wong. So our user----
    Mr. Scalise. But your user actually knew what your policy 
was and could today right now go online as you showed, you got 
many opportunities for your users to opt out.
    Ms. Wong. That is right.
    Mr. Scalise. The person who is the third party who is the 
non Gmail subscriber who is part of that thread does not have 
that same access so how can you put the burden on the person 
who sent the e-mail?
    Ms. Wong. No, no, no. The person who sent the e-mail has--
they have sent their e-mail to their friend. That user is not 
going to get any ad targeted to them. We are not going to have 
any information about that user at all.
    Mr. Scalise. Is any of their information read?
    Ms. Wong. Except for the fact that we hold their e-mail 
because we are the e-mail service provider for the Gmail 
account holder, which is the same as any other web mail 
service.
    Mr. Scalise. I guess the real question is how is that 
person--the Gmail subscriber clearly has the ability to protect 
their privacy, to opt out if they so choose. Maybe some of 
their data is still collected but they could still opt out but 
the third party that they sent the e-mail to who then replied 
back to them who is contained in that thread doesn't have that 
same ability but their data is subject to being searched in the 
same way, so how----
    Ms. Wong. That is true, but that occurs with every web mail 
service because every web mail service----
    Mr. Scalise. But Yahoo! just said that they don't do the 
same thing.
    Ms. Wong [continuing]. Scans their e-mail.
    Mr. Scalise. I will ask Ms. Toth if that----
    Ms. Wong. Every web mail service scans their e-mail for 
spam, scans it for viruses. It is the same process.
    Mr. Scalise. But also for targeted advertising, I think you 
said you all do scan it for targeted advertisements. Ms. Toth 
said they do not.
    Ms. Toth. We do not target. We don't----
    Mr. Scalise. And I guess in the case where they are 
scanning it for other services that would be maybe sold to a 
third party, how does the person protect their privacy when 
they never had the same opportunity to opt out that the 
original Gmail subscriber who sent the e-mail was able to have 
the same access?
    Ms. Wong. To be very clear, no user's information is sold 
to any third party. No information about the sender of an e-
mail to a Gmail account is----
    Mr. Scalise. But if----
    Mr. Boucher. Mr. Scalise, you are now past 10 minutes of 
time. We are going to wrap up.
    Mr. Scalise. If I can get that in writing maybe the answer 
to that. Thank you.
    Mr. Boucher. That is fine. If any of the witnesses would 
like to respond to that last question in writing, that would be 
highly appropriate. The gentleman from Vermont is recognized 
next, Mr. Welch, for 5 minutes.
    Mr. Welch. Thank you, Mr. Chairman. Thank you. I want to 
join my colleagues in apologizing for the delay and 
appreciation for your patience although I think I might rather 
have your job today than ours. Ms. Wong, in your written 
testimony you noted that the committee should continue our 
efforts to explore the privacy issues. This is obviously an 
incredibly difficult issue, both because of the complexity of 
making this work and assuring confidence to users and because 
of basic questions about what should be private and what isn't. 
I am asking that you expand on that and what ongoing efforts is 
Google making about the merging of online and offline data and 
the issues that are created as a result of that. I would start 
by asking you if you would comment on that and probably ask a 
few others as well.
    Ms. Wong. Sure. And I actually think this is a multi-
dimensional question. I think absolutely there is an obligation 
on industry to do the right thing because the trust of our 
users is incredibly important. I also think that there is a 
role for groups like Mr. Curran's group, the self-regulatory 
groups, which continue having us innovate on best practices. I 
think the best thing that has happened in the last few years 
that all of the major Internet companies are competing to 
create better privacy technologies, and that is really 
phenomenal. There is also a role for government because to be 
very clear, there are bad actors, and so there is a role for 
oversight into the range of players on ecosystem and the 
conduct that they engage in.
    And the thing that I think is most important, and the 
reason it should apply to both online and offline is that the 
companies that you have here all face our users, are all 
invested in deepening the relationship with our users. There 
are companies that do not face the public that are behind it 
and that need more oversight because nobody knows what they do 
with their data.
    Mr. Welch. Mr. Curran, do you want to comment or anything 
else to add? Kudos to you for the role that you play.
    Mr. Curran. I would simply say I think we have an 
obligation to tell you about our successes and areas of 
improvement as self-regulatory organizations as it relates to--
and also to, I think, work with you to explain the somewhat 
complicated technologies that go around the different business 
models. I don't believe that--I have diverse memberships that 
we are not in the position of having a legislative view at this 
time, but we are very much committed to educating the committee 
on the technologies, and I think today's hearing has been very 
helpful on that in terms of in effect helping you discern the 
exact technical infrastructure that goes into all of this 
online advertising.
    Mr. Welch. Well, let me come back to Mr. Kelly. The 
Congress is never going to be able, obviously, to address 
technical issues. It is not our competence. It is not our job. 
It is not what we should do. What specific things in terms of 
policies, I will ask you, Mr. Kelly, what would you be 
recommending that Congress do in order to protect privacy, 
which is our proper concern, but do it in a way that doesn't 
strangle innovation?
    Mr. Kelly. And that is a critical role that you do have is 
to protect the innovation in American technology and how we 
have been able to lead the world in this area. But, obviously, 
protecting the privacy of American consumers is critical to us 
and to other companies in the technology industry but not 
everyone. And so there are many actors out there who are tasked 
and see their role as gathering data and building personal 
profiles of people with no notice, no consent, no control. I 
think that Congress' regulatory action should be largely 
directed there. We have a set of existing and extensive 
regulations, and we have talked tonight about our work with the 
FTC as a technology industry in this area where there are bans 
against deceptive practices and other activities, but still 
there are many technology companies out there, whether they be 
spyware vendors, whether they be sort of just surreptitious 
collectors and aggregators of personal data that deserve the 
attention of this committee, the Congress, and existing 
regulators.
    Mr. Welch. Thank you. My time is almost expired and I yield 
the balance of my time.
    Mr. Cleland. Could I answer?
    Mr. Welch. It is up to the chairman. I think I am almost 
out of time.
    Mr. Boucher. Yes, that is fine. Go ahead, Mr. Cleland.
    Mr. Cleland. Yes. I think the key concept of what you are 
looking for that the FTC and others should build on is 
longstanding, fair representation law. We obviously have a huge 
gap. Jeff mentioned a lot of the polls out there. Consumer 
don't have a clue about all the stuff that is being collected 
on them, not a clue. And so if you believe in fair 
representation and you take the facts of all the people that 
have been dealt with on the Internet and they don't know what 
is going on, there is a serious breakdown in fair 
representation.
    Mr. Chester. Do you think I could add something?
    Mr. Boucher. Mr. Chester, please.
    Mr. Chester. Just very briefly. All the companies here, 
including the members of NAI, as far as I can see, are 
increasing the amount of data they are collecting on consumers. 
It is not that there is a question of best practices. They are 
building and expanding the data collection. That is the nature 
of the business. That is the nature of the online advertising 
system to build out these very sophisticated approaches. 
Therefore, you need to have rules, you need to bring PIA up to 
date, because you don't need to know your name anymore to know 
who you are. You need to protect sensitive data and you have to 
have the FTC be a better watchdog.
    Mr. Boucher. With that, Mr. Welch, your time has expired. 
And let me say thank you once again to our witnesses for what 
truly has been an informative session. Long delayed, but well 
worth our time talking to you, and we thank you very much for 
taking your time, all day, in fact, to talk to us. I have 
clearance for unanimous consent from the minority to place in 
the record a letter to the subcommittee, the joint 
subcommittees actually, from the Federal Trade Commission, 
concerning the subject of today's hearing, a letter from Data 
Foundry, a data company based in Austin, Texas. Without 
objection, those will be made a part of the record.
    [The information appears at the conclusion of the hearing.]
    Mr. Boucher. And without objection, the record of this 
proceeding will be kept open for a period of 3 weeks so that 
other members of the subcommittee can submit to our witnesses 
questions in writing. And as you receive those questions from 
the members, if you could respond to them promptly, that would 
be much appreciated. Thanks again to you for an excellent 
hearing. This hearing stands adjourned.
    [Whereupon, at 8:20 p.m., the subcommittees were 
adjourned.]
    [Material submitted for inclusion in the record follows:]









