[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
THE COLLECTION AND USE OF LOCATION INFORMATION FOR COMMERCIAL PURPOSES
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, TRADE,
AND CONSUMER PROTECTION
AND THE
SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 24, 2010
__________
Serial No. 111-98
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
76-010 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON ENERGY AND COMMERCE
HENRY A. WAXMAN, California, Chairman
JOHN D. DINGELL, Michigan JOE BARTON, Texas
Chairman Emeritus Ranking Member
EDWARD J. MARKEY, Massachusetts RALPH M. HALL, Texas
RICK BOUCHER, Virginia FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey CLIFF STEARNS, Florida
BART GORDON, Tennessee NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois ED WHITFIELD, Kentucky
ANNA G. ESHOO, California JOHN SHIMKUS, Illinois
BART STUPAK, Michigan JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York ROY BLUNT, Missouri
GENE GREEN, Texas STEVE BUYER, Indiana
DIANA DeGETTE, Colorado GEORGE RADANOVICH, California
Vice Chairman JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania GREG WALDEN, Oregon
JANE HARMAN, California LEE TERRY, Nebraska
TOM ALLEN, Maine MIKE ROGERS, Michigan
JAN SCHAKOWSKY, Illinois SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas TIM MURPHY, Pennsylvania
JAY INSLEE, Washington MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York STEVE SCALISE, Louisiana
JIM MATHESON, Utah PARKER GRIFFITH, Alabama
G.K. BUTTERFIELD, North Carolina ROBERT E. LATTA, Ohio
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin
Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
Subcommittee on Commerce, Trade, and Consumer Protection
BOBBY L. RUSH, Illinois
Chairman
JANICE D. SCHAKOWSKY, Illinois CLIFF STEARNS, Florida
Vice Chair Ranking Member
JOHN SARBANES, Maryland RALPH M. HALL, Texas
BETTY SUTTON, Ohio ED WHITFIELD, Kentucky
FRANK PALLONE, New Jersey GEORGE RADANOVICH, California
BART GORDON, Tennessee JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan MARY BONO MACK, California
GENE GREEN, Texas LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE L. BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex officio)
------
Subcommittee on Communications, Technology, and the Internet
RICK BOUCHER, Virginia
Chairman
EDWARD J. MARKEY, Massachusetts FRED UPTON, Michigan
BART GORDON, Tennessee Ranking Member
BOBBY L. RUSH, Illinois CLIFF STEARNS, Florida
ANNA G. ESHOO, California NATHAN DEAL, Georgia
BART STUPAK, Michigan BARBARA CUBIN, Wyoming
DIANA DeGETTE, Colorado JOHN SHIMKUS, Illinois
MICHAEL F. DOYLE, Pennsylvania HEATHER WILSON, New Mexico
JAY INSLEE, Washington VITO FOSELLA, New York
ANTHONY D. WEINER, New York GEORGE RADANOVICH, California
G.K. BUTTERFIELD, North Carolina MARY BONO MACK, California
CHARLIE MELANCON, Louisiana GREG WALDEN, Oregon
BARON P. HILL, Indiana LEE TERRY, Nebraska
DORIS O. MATSUI, California MIKE FERGUSON, New Jersey
DONNA M. CHRISTENSEN, Virgin
Islands
KATHY CASTOR, Florida
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex
officio)
C O N T E N T S
----------
Page
Hon. Bobby L. Rush, a Representative in Congress from the State
of Illinois, opening statement................................. 1
Hon. Ed Whitfield, a Representative in Congress from the
Commonwealth of Kentucky, opening statement.................... 3
Prepared statement........................................... 5
Hon. Doris O. Matsui, a Representative in Congress from the State
of California, opening statement............................... 7
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement.................................. 7
Hon. Kathy Castor, a Representative in Congress from the State of
Florida, opening statement..................................... 9
Hon. Edward J. Markey, a Representative in Congress from the
Commonwealth of Massachusetts, opening statement............... 10
Hon. Steve Scalise, a Representative in Congress from the State
of Louisiana, opening statement................................ 11
Hon. Anna G. Eshoo, a Representative in Congress from the State
of California, opening statement............................... 12
Hon. Lee Terry, a Representative in Congress from the State of
Nebraska, opening statement.................................... 13
Hon. Rick Boucher, a Representative in Congress from the
Commonwealth of Virginia, prepared statement................... 124
Hon. Joe Barton, a Representative in Congress from the State of
Texas, prepared statement...................................... 128
Witnesses
John B. Morris, Jr., General Counsel, Center for Democracy and
Technology..................................................... 14
Prepared statement........................................... 17
Lorrie Cranor, Associate Professor, Computer Science and
Engineering and Public Policy, Carnegie Mellon University...... 32
Prepared statement........................................... 34
Jerry King, Chief Operating Officer, uLocate Communications, Inc. 69
Prepared statement........................................... 71
Tony Bernard, Vice President and General Manager, Useful Networks 76
Prepared statement........................................... 78
Michael Altschul, Senior Vice President and General Counsel,
CTIA--The Wireless Association................................. 87
Prepared statement........................................... 89
Anne Collier, ConnectSafely...................................... 96
Prepared statement........................................... 98
THE COLLECTION AND USE OF LOCATION INFORMATION FOR COMMERCIAL PURPOSES
----------
WEDNESDAY, FEBRUARY 24, 2010
House of Representatives, Subcommittee on Commerce,
Trade, and Consumer Protection, joint with the
Subcommittee on Communications, Technology, and
the Internet, Committee on Energy and Commerce,
Washington, DC.
The subcommittees met, pursuant to call, at 10:05 a.m., in
Room 2141 of the Rayburn House Office Building, Hon. Bobby L.
Rush [Chairman of the Subcommittee on Commerce, Trade, and
Consumer Protection] presiding.
Present from Subcommittee on Commerce, Trade, and Consumer
Protection: Representatives Rush, Sarbanes, Barrow, Matsui,
Castor, Space, Braley, Stearns, Whitfield, Terry and Scalise.
Present from Subcommittee on Communications, Technology and
the Internet: Representatives Boucher, Markey, Eshoo, Doyle,
Matsui, Castor, Space, Stearns, Shimkus, Buyer and Terry.
Staff present: Michelle Ash, Chief Counsel; Marc Groman,
FTC Detailee; Greg Guice, FCC Detailee; Will Cusey, Special
Assistant; Daniel Hekier, Intern; Sarah Fisher, Special
Assistant; David Kohn, Press Secretary; Amy Levine, Counsel;
Timothy Robinson, Counsel; Ross Schulman, Intern; Will Carty,
Minority Professional Staff; Sam Costello, Minority Legislative
Analyst; Neil Fried, Minority Senior Counsel; Shannon Weinberg,
Minority Counsel; and Brian McCullough, Minority Senior
Professional Staff.
OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Mr. Rush. The subcommittee will now come to order. We are
conducting a hearing this morning on the matter of the
collection and use of location information for commercial
purposes, and I want to welcome all the members of the
committee who are present, those individuals who are present
who are non-members, and I also want to welcome all the
witnesses and those who are doing this from the perspective of
interested parties who are in evidence. The chairman recognizes
himself for 5 minutes for the purposes of an opening statement.
Today we are pleased to welcome six witnesses representing
the wireless industry, software firms, a nonprofit advocacy
group and an academic. We have got a lot of expertise in the
realm of privacy, and this joint hearing, which is the fifth in
our series of hearings on the general topic of consumer
privacy, will focus on the collection and use of location
information about individual consumers. Local base applications
and services are springing up each day like wildfire. Yesterday
there was Facebook and in the not too distant future we will be
encountering something more akin to a placebook. Location-based
services and the applications that ride on these services
utilize a number of different tracking technologies which can
make it easy to track the whereabouts of an estimated 100
million individuals around the world. By the year 2013, it is
estimated that the precise whereabouts of over 800 million
individuals will be readily discernible at any given moment in
time. Of that amount, nearly 180 million of these users will be
North Americans. Virtually all location-based services are
currently offered to subscribers for free and are subsidized by
advertisers. A majority of these services generate, emit or
connect terrestrial and satellite wireless signals. They
connect independently or at premapped points on a network.
These signals can then hone in on and find a wireless's
wireless, handheld or low-wave device such as a cell phone or a
GPS unit, and because these devices are typically always on our
bodies or within arm's reach, there is very little guesswork
for inquiring advertisers and other curious subscribers to know
or deduce where an individual is located or where their daily
movements are likely to be. In fact, advertisers even know the
identity of that individual with the growing trend of
behavioral advertising and how it intersects with privacy
considerations at our joint hearing which our two committees
held in June 2009.
To some extent, location-based services can be viewed as a
subcategory of behavioral tracking in that they can quickly and
cheaply, I might add, tell advertisers more than contextual
advertising ever could about someone's preference, their habits
and their patterns. Location-based services are in actuality
inherently more invasive and threatening to consumer welfare
and perhaps even more challenging to consumer privacy than
behavioral advertising. Tracking a user's movements through a
virtual world of business-to-consumer Web sites is, I am sure
everyone will agree, bad enough. Location-based services on the
other hand up the ante by making an individual's real-world
location data accessible to intended and unintended recipients.
In closing, let me state clearly for the record, and
especially for those interested consumer groups, interested
entities and government regulators who have been monitoring our
series of hearings that with the information we will obtain
from today's hearing, we have now learned enough to take the
next major step. As one of two co-chairs of these joint
undertakings along with my friend, Congressman Boucher, on
privacy, it is my intent that our next hearing on privacy will
be a legislative hearing where we will discuss ``the devil in
the details'' by commenting on a discussion draft of a
comprehensive privacy bill. There is such a thing as TMI, and
we need to stop gathering information now and get legislation
on a privacy bill.
In the coming days, I and my staff will be working closely
with Mr. Boucher, Mr. Whitfield in Mr. Radanovich's absence,
Mr. Stearns and the minority staff to produce a draft of a
bill, and I would like to thank each of our witnesses for your
participation today and I look forward to hearing your
testimony and to vigorously engage in our discussion today. I
might again emphasize, I really appreciate you taking the time
out from your busy schedule to be with us here today to add
your voices and your values and your expertise to this process.
We will now recognize now Mr. Whitfield for 5 minutes for
the purposes of opening statement.
OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF KENTUCKY
Mr. Whitfield. Mr. Chairman, thank you very much for having
this hearing on the collection and use of location information
for commercial purposes. We certainly appreciate the panel for
being here and giving us this expertise on this important
subject.
Through the use of technologies including GPS,
triangulation of cell phone positioning information or user-
entered data, consumers now have access to what I call
convenient information. Whether it is finding the nearest local
restaurant in an unfamiliar city, navigating cars to intended
designations or the knowledge that a first responder can find
us by our GPS location if we are ever in trouble, many
consumers find they can no longer live without these apps, as
they are called. This new technology raises legitimate concerns
about privacy. Obviously most people know that the application
they download specifically for its location features will
communicate that information for application functionality.
What isn't as clear is how the data will be used, whether
notice to the consumer is clear and whether user controls over
the personal data are adequate. In addition to first-person
privacy concerns, there are also privacy concerns for second
persons, the people who may not use a service directly but who
may be touched by a service by virtue of someone else's use,
just as counterparties to phone calls or e-mails may find their
identity revealed without their consent. For example, if
someone forwards an e-mail to another person, so too can one's
privacy location information be revealed if the user of the
location-based social networking application shares that
information.
Similarly, special situations arise in the employer-
employee relationship. We can agree that there are benefits to
a delivery service improving its delivery efficiency by using
location tracking and positioning. The question is, what rights
do the employees have and what policy does the employer
communicate about its use of this technology. In one example
last August, a New York City employee was terminated after the
GPS on his city-provided phone revealed that he had been at
home before his shift ended on 83 occasions according to an
article in the New York Post. While this may have been
justified, the fear of a Big Brother surveillance environment
has clearly arrived and merits a serious discussion.
Another issue I might add that merits discussion concerns
uniformity, in my view. Wireless carriers are generally
prohibited from using location-based information for commercial
purposes. However, application providers are not subject to
this requirement. So I think that is an issue we also need to
be focused on.
There are many questions raised by these technologies and
how consumers interact with them. Most of these beneficial
services were developed in the absence of legal mandates, and
our top priority must be maintaining the appropriate balance
between an environment that does not impede innovation but that
does ensure consumers are fully aware of the information they
trade for the use of these services. Thank you, Mr. Chairman.
[The prepared statement of Mr. Whitfield follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The Chair recognizes the gentlelady from
California, Ms. Matsui, for 2 minutes.
OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Matsui. Thank you, Mr. Chairman. I want to thank you
and Chairman Boucher for calling today's joint hearing. I would
also like to thank our panelists for being with us this morning
as we examine the collection of use of location-based
commercial information.
Today, millions of Americans rely on different location-
based services and applications for a variety of activities
including social networking and navigation and mapping
services, among many others. As both broadband expansion and
the use of mobile devices continue to grow among consumers, the
industry that provides location-based services and applications
will only increase. In fact, according to one estimate, the use
of these services and applications are expected to reach more
than 80 million new users in North America alone over the next
3 years. As we all know, in today's economy information is
everything to everyone, and as we know, mobile devices are
everything to millions of consumers storing in many cases very
personal information or even providing their physical location.
With ever-increasing technologies and applications
emerging, it is essential that we properly protect the private
and personal information of consumers. Simply put, privacy
policies and disclosures should be clear and transparent. We
should also understand the scope of information that is being
collected, what it is used for, the length of time it is
retained and its security. The more information that consumers
have, the better. Ultimately, meaningful privacy safeguards
should be in place while ensuring that we don't stifle
innovation.
I thank both the chairmen for holding this important
hearing today and I yield back the balance of my time.
Mr. Rush. The Chair now recognizes the gentleman from
Florida, Mr. Stearns, for 2 minutes.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Good morning, and let me welcome the witnesses
and thank you, Mr. Rush and Mr. Boucher, the chair on the
Telecom Committee, for having this hearing.
As technology continues to advance, obviously new issues
surrounding consumer privacy will continue to confront us. My
main concern continues to be protecting the privacy of American
consumers without of course stifling innovation that is so
critical to growing our economy, particularly now, and keeping
America globally competitive.
Today's hearing focuses on the use of location-based
services and applications which collect and use location data
that allows a consumer to communicate, socialize, travel, play,
dine and shop at great convenience than ever before. Location-
based service technology is relatively new and as such it is
important to examine the privacy concerns that go along with
this new technology. Location-based services present both an
opportunity and a potential for all consumers. On the one hand,
consumers could receive relevant information about commercial,
educational and social opportunities just simply based upon
their location, but on the other hand, consumer privacy could
be undermined if multiple entities have access to a consumer's
location and online activities.
So in order to maximize the consumer benefit of location-
based services, the privacy policies of such services need to
be transparent and provide a consumer with informed choice
regarding whether to permit access to his or her location-based
information. That is critical. In addition, we need to ensure
that consumers are not lulled into a false sense of security
regarding the privacy of their location-based information. Now,
under section 222(f) of the Communications Act, wireless
carriers are generally prohibited from using location-based
information for commercial purposes without the express prior
consent of the consumer. However, application providers are
subject to no such requirement even though their applications
are being downloaded on the devices of wireless carriers. This
may falsely lead to consumers to the conclusion that
application providers are subject to the same prohibitions as
wireless carriers and that no action by consumers is necessary
to ensure that their privacy is protected.
I hope our witnesses can address this very important issue
but it seems to represent a gap in my mind in consumer privacy
protection. So clear and transparent policies should be
standard in regard to location-based services and applications.
Real transparency should include a robust disclosure and notice
to the consumer outside the privacy policy. These notices and
disclosures must be presented in a clear and conspicuous manner
so that the consumer knows first that information is being
collected, second, how the information is being used, and
third, what it is being used for, and possibly fourth, how to
prevent the collection of this information.
Small businesses and consumers may greatly benefit from the
delivery of location-based technology. I mean, for example,
imagine that you are in a city and you have a desire to have
Chinese food. Location-based application could give you some
help right away and point you in the right direction to get it.
It is a win-win situation. You get your Chinese food and the
restaurant owner gets a customer that they may not otherwise
have received. Conversely, if Congress makes it difficult for
small businesses to reach or target potential consumers, small
businesses could find it increasingly difficult to survive in
the complex and constantly changing marketplace. If
comprehensive privacy laws are to be developed by Congress,
they must be competitively and technologically neutral and they
must also be forward looking and adaptable. A proper regulatory
framework will take into account the nature of rapidly changing
technology. This is particularly true when it comes to a
location-based technology that we are talking about today.
Congress should not legislate in a way that is restrictive of
technology development or that unfairly targets one industry
over another.
Although there are certain numerous privacy concerns that
must be taken into account, we must also keep in mind the
tremendous benefit from these technologies ultimately to all
the consumers. The reality is that location-based service
technology is the wave of the future. As such, this committee
has a duty, a responsibility to ensure that consumers are
protected and free to benefit from these new technologies.
Mr. Chairman, you and I have worked well in the past, Mr.
Rush and I and Mr. Boucher, on a number of issues including
privacy. Mr. Rush, you mentioned the idea of a privacy bill. I
had met with Mr. Boucher, we talked, and I think Mr. Boucher
has a draft bill. I understand that there is a possibility that
we could get this draft bill. We have not seen it on this side.
We urge you to give it to us. I think as a result of this
hearing, we may have to look at ways to better inform
consumers, as I mentioned earlier, on the location-based
applications and services with more transparency. As I
previously stated, there seems to be a gap in consumer privacy
protection between the regulation of wireless carriers and the
application providers. I think this needs to be fixed.
Thank you, Mr. Chairman.
Mr. Rush. The Chair now recognizes the gentleman from
Georgia, Mr. Barrow, for 2 minutes.
Mr. Barrow. I thank the Chair. I will waive an opening
statement.
Mr. Rush. The Chair now recognizes the gentlelady from
Florida, Ms. Castor, for 2 minutes.
OPENING STATEMENT OF HON. KATHY CASTOR, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Ms. Castor. Thank you, Chairman Rush and Chairman Boucher,
for calling this hearing.
Today's hearing provides a unique opportunity to learn more
about a technology that has a potential to impact our lives in
profound ways. I am looking forward to the testimony of our
witnesses very much.
The mobile devices that we carry with us now, whether it is
a basic cell phone or a smartphone like an iPhone or
BlackBerry, are now practically indispensable to Americans.
They are our lifelines in many respects. We rely on them to
organize our day, keep in touch with our children and run our
businesses, and the location-based technologies are generating
new ways of interacting, and I am very fond of the function
when I am traveling out of town to be able--you know, it used
to be that you would reach into the glove box, take out the map
and try to figure out--have interesting discussions with your
spouse about where you should have turned. Now you can hit the
map function and it will show you, and I can find my way to the
soccer tournament or the business meeting where I am going.
So these location-based services are already very handy and
they have the potential to help us with emergency services
especially. They are enabling large companies and small to
track their inventory, manage their workforce and do business
more efficiently. A hundred million people already use these,
but this is going to grow exponentially.
Such rapid proliferation of a technology as promising as
LBS is awe-inspiring and bewildering. On one hand, the economic
and social benefits that could be generated are potentially
endless, but on the other hand, we need to protect consumer
privacy, and the need to protect consumer privacy is greater
than ever but the law has not kept pace with this increased
need. We are at a crossroads with telecommunications
legislation. The Communications Act of 1934 requires phone
companies to ask for permission before sharing consumer data
including location information and companies are sharing best
practices about how to protect sensitive information. Even so,
we know that a large percentage of companies don't yet have
privacy policies to prevent the sharing of sensitive location
data with marketers and other interested parties. There are no
comprehensive rules to guide these companies or courts when
dealing with location information privacy concerns. So any
proposed legislation needs to strike that balance, the right
balance to further spur and encourage innovation without
encroaching upon the privacy rights of consumers.
So thank you all, and I look forward to your testimony.
Mr. Rush. The Chair now recognizes the gentleman from
Illinois, Mr. Shimkus, for 2 minutes.
Mr. Shimkus. Thank you, Mr. Chairman. You are hearing a lot
of the same from a lot of members. Location-based services
would be great, especially when you are in areas that you don't
know where things are. You can imagine traveling and being able
to get to a place where you want to go, and I think a lot of
people put the GPS in their baggage when they get a rental car,
although a lot of rental cars have some of the applications
now.
As legislators, I just want to continue to allow the
development of this technology, at the same time ensuring
consumer information is protected, and I know that is in the
best interest of the industry. I know it is in the best
interests of our citizens. So I look forward to hearing the
testimony and looking forward to make sure that that happens.
Yield back.
Mr. Rush. The Chair now recognizes the gentleman from
Massachusetts, Mr. Markey, for 2 minutes.
Mr. Markey. Thank you, Mr. Chairman, very much.
OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS
Mr. Chairman, back in 1999, I authored the privacy
provisions that are now contained in section 222 of the
Communications Act to safeguard the privacy of
telecommunications customers and place new duties on
telecommunications carriers to protect the confidentiality of
proprietary information relating to other carriers, equipment
makers and customers, and my law also included an opt-in,
enabling customers to request the disclosure of their own
personal telecommunications information to any person they may
choose to designate but it would be their choice to opt in and
so in that way I was trying to make sure that what you had in
your hand was a telecommunications device and not a tracker,
not something that could be used unless there was a warrant
obtained by the police, you had given your permission for
anyone to know what was going on with your device. And now what
we have to do because of what has happened over the last 10
years is, we have to continue to update the laws just to make
sure we fill in the gaps, that we give people protection. You
know, if you are leaving someplace and you are really planning
on going to the New England Patriots-Jacksonville Jaguars game,
no one should be able to track and see where you really went.
If you went to the Patriots-Jaguars game, you know, it is none
of their business. They shouldn't be able to do it unless you
gave them permission or there is a warrant out, you have been
able to get legally obtained permission to get access to that
information. That is my feeling. And if it inhibits the
business plan of a few software or telecommunications
companies, well, that is just tough luck. They have no right to
know that. And so that is my view on it, always has been, and I
just think that this makes it possible for people to know just
where you are, what seat you are sitting in at the Patriots-
Jaguars game, you know, right down the row, oh, there is he
right there. ``I thought you said that you were going to be out
shopping this afternoon.''
So this is a very important set of rules we have to put in
place, and in fact, it will create all new industries that are
down here. Mr. King and others are down here. There are whole
companies that can crop up to give you the protection that you
need as long as we mandate it, and innovation is out there
where you get to use the device, have the information that you
need, but it is not voluntary. We can't make it voluntary
because only some people will be protected because it will be
dependent upon the good will of an individual company,
individual application company as to whether or not you are
voluntarily protected by them, and that is just not going to be
good enough.
Thank you, Mr. Chairman.
Mr. Rush. Thank you. The gentleman from Louisiana, Mr.
Scalise, is recognized for 2 minutes.
OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF LOUISIANA
Mr. Scalise. Thank you, Mr. Chairman. I am pleased that
both subcommittees are once examining the balance between new
technologies and privacy.
We can all agree that our privacy is important and we
should continue to balance them as technology advances and
develops in ways that provide tremendous benefits to consumers
and in ways that were previously never imagined. A great
example of this is the emergence of location-based
technologies. Whereas 10 years ago many people did not even
have cell phones, we can now use our mobile devices to find the
closest restaurant or pull up directions to a destination, and
in many cases, a message or coupon might be sent to us from the
restaurant close by or for the destination we are trying to
reach. These technologies and the applications that employ them
are tremendous advancements and provide consumers with great
benefits, not only convenience but also during instances when a
person's location is needed for law enforcement personnel or
during an emergency situation.
The technological advancements we are seeing today are
impressive but as is most often the case, we are still learning
about their capabilities and their implications. Even with
these advancements, location-based technologies can also expose
consumers to certain risks such as having your location
routinely tracked, which could lead to identity theft or
stalking. As a father of two young children, I am also
concerned about the effects these technologies could have on
child safety. Therefore, we must continue to examine ways to
ensure consumers don't have their personal information or
safety compromised.
I look forward to hearing from our panelists today on what
steps they are taking and what steps they think are needed to
ensure that consumer protection and personal safety are not
compromised. I also hope our panelists discuss what information
is being collected on consumers and what is being done with
that data and whether consumers even know their information is
being collected. As I have stated before, the technology
industry is one of the most advanced and competitive industries
in our country. It is also one of the most beneficial both for
consumers and for the economy. It is worth pointing out that
the industry has evolved and grown on its own with little
regulation from the federal government, some would say.
Therefore, I hope we proceed carefully when stepping in or when
drafting legislation in this area.
I hope today's hearing focuses on how we can protect
consumers and their safety and what steps the industry will
take or has already taken to do so. If self-regulation is not
sufficient and privacy regulations move forward, they should be
consistent across the industry and not be greater for one
technology compared to another. Everyone involved should have
to play by the same set of rules, and Congress should not pick
winners or losers.
Again, I look forward to hearing the comments of our
panelists today, particularly on self-regulation and whether
parity is needed in the industry. It is important that we
understand their positions and activities as well as all the
implications of these popular technologies.
Thank you, and I yield back.
Mr. Rush. The Chair now recognizes the gentlelady from
California, Ms. Eshoo, for 2 minutes.
OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Eshoo. Thank you, Mr. Chairman, and to Chairman Boucher
as well for convening this joint subcommittee hearing on the
growing use of location-based technology and its implications
on personal privacy. I support the continued effort to balance
the needs of both promoting innovation and protecting the
personal information of customers.
I have long advocated the use of location-based technology
as a public safety tool. In fact, I am the author of the E911
legislation, so I can tell you that this technology is critical
to first responders and to law enforcement. When they locate
our citizens in distress by using geographical information,
they literally can save thousands of lives, and they have.
So the use of this technology, however, has expanded beyond
public safety and it is now widely used by consumers to
complete everyday tasks to make their lives easier and more
efficient including finding driving directions, restaurants or
the nearest gas station. So it is highly useful, very practical
and we all use it. But it is also our job to look after the
bests interests of the American people, so we have to ensure
that the location of users is protected against any misuse from
both corporate and government interests.
I look forward to hearing from the witnesses and I would
like to especially welcome Anne Collier, who is with
ConnectSafely, which is co-headquartered in Palo Alto,
California, which is the heart of my district. So thank you to
both of our chairmen and I look forward to hearing from the
witnesses. Thank you.
Mr. Rush. The Chair now recognizes the gentleman from
Nebraska, Mr. Terry, for 2 minutes.
OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEBRASKA
Mr. Terry. Thank you, Mr. Chairman, for holding this
important hearing.
I agree with the necessity for balance. We should be
examining these serious privacy concerns raised from the
collection of location information going on today, but I
believe that we must consider the great benefits these
location-based services can provide our first responders in
case of an emergency.
A colleague of ours, a good friend of mine, Todd Tiahrt
from Kansas, has recently brought to my attention an issue that
not only coincides with our topic of discussion today but an
issue I believe must be addressed in any such discussion
involving location information. On June 2, 2007, 18-year-old
Kelsey Smith was abducted from a Target parking lot in Overland
Park, Kansas. Law enforcement was quickly notified and they
subsequently called her wireless provider to obtain Kelsey's
ping data, or call information. They were denied. On June 6,
2007, 4 days after she had disappeared, Kelsey's body was
found. She had been raped and murdered. Authorities had used
the ping information to determine where her cell phone had
traveled after 4 days of begging and pleading, so the time that
they were able to ping, within 45 minutes after that found her
dead. Law enforcement found her body.
Now, current law states that a telecommunications carrier
may give call location information out to emergency service
providers. However, telecom carriers are not required to give
this information out to authorities and oftentimes telecom
carriers are hesitant to provide the information due to
potential liability. I believe it is time that we require
telecom service providers to provide location or ping
information when asked by law enforcement during cases of
emergencies. I encourage my colleagues to look at Mr. Tiahrt's
bill, join Mr. Rogers and me, and I think we are going to have
discussion about this specific case and its implications.
Thank you for this opportunity. Yield back.
Mr. Rush. The gentleman from Indiana, Mr. Buyer, is
recognized for 2 minutes.
Mr. Buyer. I reserve my time for questioning. Thank you.
Mr. Rush. The Chair thanks the gentleman. It is now my
pleasure and honor to introduce our witnesses. We have six
witnesses before us today, and I will introduce them beginning
on my left. Mr. John B. Morris, Jr. is the general counsel for
the Center for Democracy and Technology. Seated next to him is
Ms. Lorrie Cranor. She is an associate professor of computer
science and engineering and public policy at the Carnegie
Mellon University. Mr. Jerry King is the chief operating
officer for a company called uLocate Communications
Incorporated. Seated next to Mr. King is Mr. Tony Bernard. He
is the vice president and the general manager of a corporation
called Useful Networks. And next to Mr. Bernard is the senior
vice president and general counsel for the CTIA-The Wireless
Association. And last but not least, Ms. Anne Collier, who is
with the organization ConnectSafely. Again, I want to welcome
each and every one of you for appearing before us today, and I
must note to you that it is the practice of this subcommittee
to swear in witnesses. So I would like if you would please
stand and raise your right hand.
[Witnesses sworn.]
Mr. Rush. Let the record indicate and reflect that all the
witnesses have answered in the affirmative.
Now I will recognize each one of the witnesses for 5
minutes. I want to note that our timer is technically
incapacitated this morning so we are going to have to do it the
old-fashioned way. We are going to have to guess. So each one
of you are recognized for 5 minutes or thereabouts. So
beginning with you, Mr. Morris, please, your opening statement.
TESTIMONY OF JOHN B. MORRIS, JR., GENERAL COUNSEL, CENTER FOR
DEMOCRACY AND TECHNOLOGY; LORRIE CRANOR, ASSOCIATE PROFESSOR,
COMPUTER SCIENCE AND ENGINEERING AND PUBLIC POLICY, CARNEGIE
MELLON UNIVERSITY; JERRY KING, CHIEF OPERATING OFFICER, ULOCATE
COMMUNICATIONS, INC.; TONY BERNARD, VICE PRESIDENT AND GENERAL
MANAGER, USEFUL NETWORKS; MICHAEL ALTSCHUL, SENIOR VICE
PRESIDENT AND GENERAL COUNSEL, CTIA--THE WIRELESS ASSOCIATION;
AND ANNE COLLIER, CONNECTSAFELY
TESTIMONY OF JOHN B. MORRIS, JR.
Mr. Morris. Thank you very much, and thankfully, I was able
to download an app yesterday onto my smartphone that is a 5-
minute countdown timer, so I at least will be able to be on
time.
Chairman Rush and members of the subcommittee, thank you
very much for inviting us to testify on behalf of the Center
for Democracy and Technology. We applaud the leadership of the
subcommittee for examining the rapidly evolving area of
commercial location-based services. We look forward to
discussing the promises and the privacy risks of these
services.
Over the past 18 months, location services have truly
arrived in the online environment as more and more devices can
obtain increasingly accurate information. Location has come to
permeate the online experience and we are seeing an amazing
array of new and innovative location-based products and
services. But the easy availability of location information
also raises a host of privacy concerns. Location can reveal
very privacy information and can even put users at physical
risk. Mobile location can reveal, often without user
interaction, where a person is and what they are doing. It can
reveal visits to potentially sensitive destinations like
medical clinics, courts, political rallies or, as I learned
today, even New England Patriot games. And sadly, we have
already seen location services abused in domestic violence
cases.
Unfortunately, the legal standards for the protection of
location information are woefully inadequate. Location
technology simply has outpaced the existing statutory
protections that Congressman Markey talked about, and they are
inadequate both in the commercial context as well as with
regard to standards for law enforcement access to location
information. Congress must act to strengthen statutory
protection of location, not only for the sake of protecting
privacy but also to protect and to promote innovation in online
services. Clear privacy rules are a prerequisite to the growth
and success of this valuable part of our industry.
My written testimony describes several technical methods to
determine location of a mobile device, but let me just
highlight one critical fact. In the old days, say, 3 or 4 years
ago, most location determinations involved a cellular carrier
that provides the phone service to the device being located.
But in the past few years that has all changed. While carriers
are continuing to offer innovative location services, many
other service providers also offer location service and they
can do so wholly without the cooperation or even the knowledge
of the cellular carrier. For example, Skyhook Wireless offers a
service that can locate this device in this room based solely
on the WiFi access points that are visible in this room, and
through wireless Internet access, my device can send my
location to any Web site or service on the Internet. Thus,
anyone from mom-and-pop Web sites to Starbucks can offer
location-based services wholly without the involvement of a
cellular carrier. All a Web site really needs to do is to add a
small portion of JavaScript code onto the Web site and they can
enable location services on their Web site, which brings me
back to the legal standards to protect the privacy of location
information.
As Congressman Markey noted, commendably, Congress enacted
the CPNI rules to protect customer proprietary network
information and included location information. But as has been
noted a number of times in your opening statements, those CPNI
rules only apply to telecommunications carriers offering voice
services, and today many of the new and innovative location
services operate completely outside of the reach of the CPNI
rules. And unfortunately, without a statutory mandate to
protect location information, some location service providers
have been slow to do so. Some in the industry are very closely
attentive to privacy but others are not.
CDT believes that Congress can help protect location
privacy in at least two ways. First, as Congress contemplates
enacting baseline consumer privacy legislation, as has been
discussed, we believe that location data should definitely be
included as part of the broader framework governing sensitive
user data. And second, and of relevance even to the Commerce
Committee as well as the Judiciary Committee, whose room we are
borrowing today, we believe it is vital for Congress to improve
the standards for location access by government and law
enforcement agencies. By clarifying the standard, there is an
ongoing battle right now in courts about what the appropriate
standard is for law enforcement access, and by clarifying the
standard, we can address some of the concerns that carriers
have about access.
So all of these points were made in more detail in my
written testimony and I hope to be able to answer any questions
you might have about these issues. Thank you very much for the
opportunity to testify.
[The prepared statement of Mr. Morris follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The Chair recognizes Professor Cranor for 5
minutes for opening statement.
TESTIMONY OF LORRIE CRANOR
Ms. Cranor. Chairmen Boucher and Rush, I thank you for the
opportunity to testify today. My name is Lorrie Cranor. I am an
associate professor of computer science and of engineering and
public policy at Carnegie Mellon University. I have been asked
to testify about privacy issues associated with the use of
location information for commercial purposes.
Location-based services use a variety of technologies to
acquire a user's location based on the current position of cell
phone, computer or other device. These technologies typically
use triangulation to locate the device based on signals from
GPS satellites, cell towers or WiFi access points, often within
a few hundred feet. Cellular providers can obtain location
information of mobile phones in that manner even when the
phones are not being used to place a call. The Internet address
of a user's computer can also be used to determine an
approximate geographic location, typically at a city level.
In April 2009, we conducted a survey at CMU to understand
consumers' perceptions of location-sharing services. We asked
participants about the degree of harm or benefit they
associated with each of 24 scenarios. Participants rated
finding people in an emergency as the scenario with the most
significant benefit. Other highly beneficial scenarios included
being able to track one's children and relatives, finding
information based on one's location, and checking to see if
people are OK. On the risk side, participants had significant
privacy concerns. They saw great harm in scenarios involving
stalking or revealing one's home address. They were also
concerned about being found by people one wants to avoid or
when one wants to be alone, having others intrude on one's
personal space and being tracked by the government, and also
receiving location-based ads.
We then evaluated 89 location-sharing applications and
systems to determine the types of privacy protections that each
one offered. We found that most of these applications provided
fairly limited privacy concerns, and about a third of them did
not even provide readily accessible privacy policies on their
Web site. Some location-sharing applications had generic
privacy policies that don't explicitly mention location. Others
mention that they provide privacy controls but in order to see
what controls are provided, a consumer has to actually use the
service. Most of the applications with privacy controls
required users to click multiple screens to reach the privacy
settings.
Some of the privacy controls that allow users to specify
that their location information should be shared only with
their friends rather than with the general public turn out to
actually have exceptions. For example, many services have a
simple privacy switch. It looks very simple. It says on and
off. But in one service we examined, text positioned four
paragraphs below the switch mentions that there are actually
two exceptions in which location information will be shared
even when the privacy switch is not set to share information.
Our research at Carnegie Mellon has explored offering fine-
grained and expressive privacy controls. The Locaccino system
we developed allows users to specify location-sharing rules
based on time, location and the person making a location
request. For example, I have set up a rule that allows students
to find my location when I am on campus so they can determine
if I am in my office or teaching in another building. Another
rule allows my family members to locate me at all times and
locations. And another rule allows people I work with to locate
me between 8 a.m. and 6 p.m. on weekdays. Locaccino is not
being used for advertising, but a similar approach could be
used to control when and where location information is used for
location-based advertising.
Our research suggests that Internet users are definitely
concerned about their location privacy but that most currently
available location-sharing services do not do a good job
informing them about how their location information will be
used or provide users with expressive location privacy controls
and privacy protective default settings. Thus, additional
privacy protections may be necessary.
While the CTIA best practices offer a useful framework that
requires notice and consent about location use, they do not
specify form, placement, manner of delivery or content of
notices nor do they provide enforcement. Thus, while users may
opt in to a service by signing up for it, they may not realize
what they are getting themselves into. As the Web site
pleaserobme.com suggests, users may not think through the
implications of broadcasting their location information to the
public or even be aware that a service makes their location
information public. Indeed, the CTIA best practices do not
discuss what should happen when location information is
disclosed publicly.
Even when users understand and are comfortable with the
commercial use of their location data, the use of this data
without a warrant by law enforcement has troubling
implications. Due to the way cellular technology works, the
widespread use of cell phones enables large-scale round-the-
clock surveillance of citizens. It is important that the
storage of individual location data be minimized and that
protections be put in place to limit when it can be disclosed.
Finally, it is important to realize that techniques to
deidentify personal information may not be effective when it
comes to location information. Even when a person is not
identified by name, her location trails may be used to identify
her. Since most of us go to a particular location for work each
weekday and a particular location to sleep each evening, with
only a few days of location trails information combined with
other publicly available information, it becomes possible to
identify most people. Thus, users who try to hide behind made-
up names may still unwittingly be identifying themselves when
they make their location information public. Thus, it is
important that privacy be considered from the beginning in the
design of location-based services and that users of these
services are fully informed about the privacy implications of
their use.
Thank you for inviting me to testify today. I look forward
to answering your questions.
[The prepared statement of Ms. Cranor follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. Thank you very much.
The Chair now recognizes Mr. King for 5 minutes for the
purposes of an opening statement.
TESTIMONY OF JERRY KING
Mr. King. Thank you, Mr. Chairman and members of the joint
committee for inviting uLocate here today to discuss the use of
location information in commercial software applications. What
I hope to accomplish this morning is to provide you with an
example of how such information can be used to benefit the
consumer in the form of a mobile location search application
within a privacy-sensitive business model.
To start, please allow me to tell you a little bit about
uLocate's mobile application WHERE and how we use location. We
launched WHERE in 2007 and have since become a top provider of
mobile local search content that informs, entertains and helps
consumers save time and money. WHERE's popularity is
demonstrated by millions of downloads on top phones such as the
Android and iPhone and BlackBerry and feature phones on most
North American carriers including AT&T, Sprint and T-Mobile.
Local content available through WHERE includes everything
from the weather, news, traffic, coffee shops with WiFi, you
name it, plus we have integrated a variety of Yellow Pages
search providers to further expand the information available at
the consumer's fingertips. WHERE also helps people reach their
destinations with easy-to-use maps and directions.
In addition to providing local content and search services,
WHERE enables brands and advertisers to reach a local audience
through contextually and demographically targeted ads.
Interestingly, as we move from displaying non-location-based
banner ads last year to more targeted advertising, we began to
receive positive feedback from our users. As opposed to
expressing frustration with generic or irrelevant banner ads,
our users commented that our new style ads were positive
additions to their experience. In other words, ads and offers
for local businesses that make sense within the consumer's
experience turn out to be viewed as value-added content.
We also noticed that such ads generated more revenue for
uLocate. For example, by using location, time of day and other
factors, we know that an ad for a local service station inside
of a traffic widget has a higher click-through rate. Similarly,
ads for local pizza shops at lunchtime perform very well.
Next, I will provide you some details about how WHERE
collects location information. WHERE employs several location
technologies such as GPS, WiFi and network-based location to
determine the consumer's whereabouts. When a consumer starts
WHERE for the first time, they are informed that WHERE will
attempt to get their location. Consumers that are concerned
about this can also choose not to allow WHERE to get location
automatically. Consumers within WHERE always have the option to
manually set their location either to their actual position on
the planet or someplace else at any time for any reason.
WHERE users can also control location accuracy. For
example, if the user chooses to update their location within
WHERE, they are presented with a list of options ranging from
zip code to GPS fix. For many search activities, zip code is
more than sufficient while a street address may provide a more
optimized experience for other functions. Once the location of
the consumer's handset is updated, we cache that new location
on the consumer's handset. When location is sent from a handset
to our backend service as part of a service request as in a
search, the location data is encrypted.
Having processes and policies that address collection and
storage of location information is important but is only part
of our approach to protecting consumer privacy. I would also
like to address the issue of sharing location information,
unlike some location-based services in market where it does not
allow anyone to pull or monitor or track the location of anyone
else. We also do not allow the automatic posting of locations
that allow others to track a WHERE user's location. Lastly, we
do not share personally identifiable location information of
WHERE users with any third parties. Having a well-defined and
trusted application with respect to these three behaviors has
been a cornerstone of our approach to protecting consumer
privacy within WHERE.
WHERE does allow users to publish or push their location to
others within certain user-controlled functions such as reviews
or check-ins. This is done to provide the consumer with the
ability to generate location-specific content such as a
restaurant review and post that content on a variety of social
networks such as Facebook.
I hope this statement has provided you with some insights
into what we consider a well-behaved location-based
application. In sum, we use location to deliver beneficial
consumer experience and we put the consumer in control of both
managing their location information and sharing it with others.
Thank you for the opportunity to speak with you today. I
look forward to your questions.
[The prepared statement of Mr. King follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The Chair now recognizes Mr. Bernard for 5
minutes.
TESTIMONY OF TONY BERNARD
Mr. Bernard. Thank you. On behalf of Useful Networks and
the location industry, thank you to your respective committees
for their time and my fellow witnesses for their time in this
important topic.
I am Tony Bernard, vice president and general manager of
Useful Networks. Useful Networks is a Denver-based company that
delivers innovative local location-based services to consumers,
wireless carriers, application developers and mobile marketers.
We were founded in July of 2006 and are focused on location
aggregation and enablement, providing a location clearinghouse
and related services with our PlaceWhere platform. Useful
Networks is a wholly owned subsidiary of TruePosition, the
global leader in location determination and intelligence
solutions that help protect citizens, combat crime and save
lives.
A location aggregator provides its third-party partners
with location connectivity to a variety of sources including
wireless carrier infrastructure. Aggregators may also offer
privacy management like Useful Networks does to complement the
location connectivity we provide. To the gentleman's points
earlier, this platform is both forward looking and adaptable in
that it offers a multi-tiered privacy framework to enable
compliance with the current and future requirements for access
to and use of an end-user's location information. PlaceWhere
ensures compliance with privacy best practices as manifested by
a variety of stakeholders including industry and government
entities, wireless carriers and most importantly, consumers.
My focus today is to talk about location-based advertising.
A few of the players in the location-based advertising value
chain include publishers, which own and manage content portals
via which audience is aggregated and into which mobile
advertisements be published. An example of the type of
application publisher would be uLocate and their WHERE
application. We also work with ad networks who aggregate
publisher inventory and sell ad campaigns. Examples of those
would include Quatro and Millennial Media. We work with ad
exchanges who aggregate ad networks for publishers, enabling
them to serve the most profitable ads from the available
networks.
Additionally, ad agencies play a role in location-based
advertising. They buy advertising from ad networks, assign
creative campaigns and sell their brands. Examples of these
would include traditional ones such like Saatchi and Saatchi as
well as emerging digital agencies like Razorfish. And finally,
there are location enablers like Useful Networks who endeavor
to establish rules by which others can engage in location-based
advertising and ensure they are complied with.
So it is important to talk briefly about the state of
location-based advertising in the United States. The CTIA
published a set of best practices and guidelines for use of
location services in 2008 fundamentally predicated on the two
principles of user notice and informed consent. Specifically,
the ability to use a consumer's location to provide a location-
enhanced advertisement is fundamentally predicated upon an
explicit opt-in where such consent is provided by the consumer
on an informed basis with respect to if, how, when and by whom
their location information may be used. Consumers may
subsequently opt out of their location being used for such
purposes.
Whereas wireless carriers tend to rigidly enforce these
principles, to the earlier points raised, the emerging devices
carrier category, examples of which would include the iPhone
and Nexus One devices, do not yet fall under the auspices of
these guidelines, and what we see now is what could be
perceived as a regulatory gap where consumers can have very
different expectations and experiences with the same
application if that application is on a carrier device versus a
non-carrier-controlled device. I look forward to talking more
about that topic.
Another significant evolution in location-based advertising
is the emergence of the check-in model. The emerging check-in
model is enabling the transition from passive to active
location sharing. Where passive is typically location tracked
by the network, active is the consumer making a choice to share
that location information. Examples of these include
applications like BrightKite, Foursquare, Gawala, and MyTown.
It is anticipated that these check-in capabilities will become
an even more ubiquitous feature across a wide variety of
location-based applications and services in the near future and
it will be important to understand implications to these.
Another component of the state of location-based
advertising is how location context is enabling a transition by
advertisers from paying for impression-based campaigns to
performance-based campaigns. Mobile devices in general and
location-aware devices specifically add significant context for
advertisers. This context is unavailable via traditional
advertising channels such as print and online advertising.
Combining this context with mobility creates new opportunities
for advertisers to improve the efficiency of their advertising
spend by focusing on conversion.
A few examples of location-based advertising. Useful
Networks, launched a trial in 2009 working with a tier one U.S.
carrier and an advertising network which in turn worked with a
major fast-food chain and a major automotive company to launch
two location-based advertising trials which were centered
around a store finder page and were designed to test and prove
the added benefits that location enablement brings to mobile
marketing campaigns. These trials resulted in a yield of three
times as many store finder page views as compared to the number
of page views when the end-user was asked to enter their zip
code.
Another trial we are preparing to commence is with a
company called Mobox. Mobox is a location-based mobile ad
platform that serves ads into mobile content, reaching over 30
million unique U.S. mobile users. Useful Networks is providing
location connectivity and privacy management to enable location
targeting via Mobox's platform.
Again, I would like to thank their committees for their
interest and attention to this important topic and look forward
to talking about these issues in more earnest during the future
testimony. Thank you.
[The prepared statement of Mr. Bernard follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. Thank you.
The gentleman, Mr. Altschul, is recognized for 5 minutes.
TESTIMONY OF MICHAEL ALTSCHUL
Mr. Altschul. On behalf of CTIA, I want to thank Chairman
Rush and Chairman Boucher, all the members of the two
subcommittees for the opportunity to testify here.
My name is Mike Altschul and I have served as CTIA's
general counsel since 1990. In that role, on behalf of CTIA, I
have been involved in the development of a number of voluntary
industry best practices including CTIA's best practices and
guidelines for location-based services that you have heard the
other witnesses on the panel describe. I am very proud that
CTIA and the wireless industry have long been at the forefront
of efforts to promote location privacy. In the late 1990s, we
supported the Wireless Communications and Public Safety Act,
which amended section 222 of the Communications Act to require
the express prior authorization of the customer for the
disclosure of the wireless customer's location information for
location-based services. That really has provided the
foundation for everything that has followed since.
In fact, in 2000, following the enactment of the Wireless
Communications and Public Safety Act, CTIA petitioned the FCC
to adopt a set of fair location information practices for
wireless location-based services modeled upon the familiar fair
information practice principles of notice and consent. More
recently, as location-based services began to be deployed for
applications other than E911, CTIA developed the current set of
best practices to promote and protect the privacy of wireless
customers' location information. You have heard what they have
done and you have also heard from the other witnesses that in
the 2 years since we adopted and developed these best
practices, as so often happens in the wireless industry,
technology has overtaken our static assumption and the
location-based services now being offered turn out to be quite
different from what had been envisioned just 2 years ago. You
have heard how the move towards opening platforms including the
iPhone and the Google Android platform, the introduction and
overwhelming consumer adoption of smartphones, which include
their own GPS capabilities, and the increased prevalence of
GPS-enabled service applications that can be downloaded to a
handset and enabled without any involvement or knowledge by a
wireless carrier have combined to make a carrier-centric
approach to location-based services no longer sufficient for
guidelines.
So these factors and the rapid developments of the past 2
years have led us to reevaluate our guidelines, and as we have
completed work on the new guidelines, it is our goal to ensure
there will always be one clearly identified location-based
service provider with the obligation to inform the user as to
how location information will be used and disclosed in addition
to obtaining customers' consent before initiating the service.
While the scope of the new CTIA guidelines is different,
the focus is not. The new guidelines will build on the
foundation we laid 10 years ago by continuing to put a premium
on user notice and user consent. We believe the guidelines
offer a meaningful framework for the protection of user privacy
and we urge policymakers to recognize that the industry's
willingness to develop best practices and to revise these
guidelines as circumstances warrant represents the best way to
balance the needs to promote and protect user privacy while
also facilitating the deployment of new and innovative products
and services.
A call for legislative restraint does not mean there is no
role for Congress while the industry and technology evolve.
Congress also has made clear that the express prior
authorization of the customer is the prerequisite for the
disclosure of a wireless customer's location information. While
section 222 on its terms applies only to telecommunications
carriers, its requirements have been observed by all providers
of wireless location-based services across all the different
application levels. As these services continue to evolve and
develop in both predictable and unpredictable ways, Congress
has an important oversight role in ensuring that all providers
of location-based services deliver effective notice and obtain
consent regardless of the device or technology used so that
wireless users can continue to exercise informed consent to
control the use or disclosure of their location information.
As Mr. Morris mentioned, one area in which we believe
legislative guidance may be appropriate is a clarification of
the terms under which location information may be released to
law enforcement. As you know, just this month in the 3rd
Circuit, there was oral argument on the issue of what standards
should apply when law enforcement seeks to gain access to a
wireless user's location information. Most courts have allowed
access to stored location records based on a court order and
demonstrated need, but in the 3rd Circuit, the U.S. Department
of Justice and privacy advocates argued whether access to these
historical location records should meet a probable-cause
standard. Service providers need clarity so as to not be caught
in the middle of these disputes.
Finally, we urge Congress to recognize the interstate
nature of location-based services, the mobile nature of
wireless users and to take care in whatever framework may be
adopted to preempt state regulation of these services. A
uniform national approach presents the best way of protecting
user privacy and educating and informing wireless customers
while fostering the innovation, investment and introduction of
new location-based services by wireless carriers, device
manufacturers, operating system developers and application
creators.
Thank you again for the opportunity to share our views with
the subcommittees. We look forward to working with you as you
continue your efforts on this issue.
[The prepared statement of Mr. Altschul follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The Chair now recognizes Mrs. Collier for 5
minutes for the purposes of an opening statement, and she will
conclude our witnesses' opening statements. Mrs. Collier, you
are recognized for 5 minutes.
TESTIMONY OF ANNE COLLIER
Ms. Collier. Thank you, Chairman Rush and Chairman Boucher
and members for me here today. My name is Anne Collier and I am
co-director of ConnectSafely.org and serving as co-chair of the
Online Safety and Technology Working Group.
We have been following location-based services for several
years now and we don't feel they represent a unique safety risk
to young social-media users for several reasons that I will go
into. We do, however, feel particular consideration needs to be
given to children's privacy as geolocation products and
services increasingly connect to children's other social tools
and networks.
First, some context. U.S. teens now send or receive more
than 3,100 text messages a month. For them, a text isn't like a
phone call, it is part of a conversation, part of the ongoing
flow of their social life, and texting is only one of their
tools for hanging out online and offline. They also use their
phones to update their social network profiles, play games,
snap and upload photos and videos to profiles, and even talk.
There is as yet no data on teens' LBS use but we know that more
than 65 million, or about a third, of Facebook users of all
ages currently access Facebook through their mobile devices,
and who is all this communication with? Research shows that the
vast majority of teen social networks, 91 percent, use all
these tools to socialize with friends they see regularly,
usually at school.
We adults think and talk about standalone products and
services in terms of use but with kids, it is more useful to
view LBS in terms of child and adolescent development. For
example, location-based services depend a lot on users'
mobility and autonomy and involve a certain amount of
spontaneity. The main objectives are spontaneous in-person get-
togethers and finding good places to eat or drink when you are
on your own in a city. A user really needs the independence
enjoyed by an older teen or adult to enjoy LBSs. The mobility
of a driver's license helps too. Urban youth may have more
physical mobility without a driver's license but there is no
reason to believe they have proportionately more freedom from
adult supervision.
Meanwhile, LBSs are, to young people, just another twist on
status updates. The 75 percent of teens owning cell phones now,
they have for some time had other ways to let each other know
their plans and whereabouts and they are constantly in touch,
text messages, updates to social network profiles, Gmail chat
and instant messages, to name a few. They are always in touch
with each other. And remember, the operative phrase is ``each
other.'' Virtually all of this communication is with known
peers.
Still, understandably, the most visceral and concerning
risk associated with location-based and all Net services is
predation. So let us go into that a little bit. Research about
LBS use is needed in this area too but we do already know a lot
about youth risk online. First, not all youth are equally at
risk. The young people most at risk online, on phones are those
most at risk already offline, and a child's psychosocial makeup
and home and school environments are better predictors of risk
than any technology a child uses.
Second, the risk of Net-related predation is extremely low
relative to real-life risk, according to David Finkelhor,
director of the Crimes Against Children Research Center. In a
report just last spring, Dr. Finkelhor and his co-authors
wrote, ``There is no evidence that online predators are
stalking or abducting unsuspecting victims based on information
they posted at social networking sites.'' A recent study of how
teens deal with strangers in a social site found that 92
percent of those who had received sexual solicitations had
responded appropriately, ignoring, blocking or reporting the
sender.
Finally, a quick snapshot of an emerging privacy challenge.
Because Google Buzz is brand new and a hybrid of LBSs, Gmail,
microblogging and social networking, we are all at the early
stages of figuring out its implications for kids, a lot of whom
use Gmail. Charlene Lee, a mom and well-known industry analyst
in San Francisco, blogged just this past Sunday that she
discovered her 9-year-old daughter was using Buzz with her
friends. They had only had one conversation so far but they had
no idea their conversation was public. She thought about just
disabling Buzz on her daughter's computer but the kids were
enjoying it so much that Lee decided she would let her daughter
keep going if all the kids kept the conversation private. And
there is the rub. Ensuring that all the girls keep it private
will be a project for her, probably involving communication
with all the other parents.
Privacy is now a collective effort on the part of users
every bit as much as providers in this user-generated medial
environment. It is a negotiation among users in a peer group
sharing thoughts, tagging photos, et cetera. Privacy protection
is user generated too, not just a matter of privacy features.
This is going to take a lot of consumer education by us NGOs
and the industry and government.
This issue also points to the impact on children's,
everybody's privacy of combining social media products within
companies across devices and platforms and then across users'
networks like Facebook Connect. A lot of consumer education is
needed with support from industry best practices. Thank you.
[The prepared statement of Ms. Collier follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The Chair now yields to the chairman of the
Telecommunications Subcommittee, my friend, Mr. Boucher.
Mr. Boucher [presiding]. Well, let me thank our witnesses
for their statements this morning and for your participating in
our hearing and informing us on your well-studied views with
regard to location-based services and privacy as associated
with them. I have a series of questions I will propound to the
witnesses but I want to say a word of welcome first to Mr.
Whitfield from Kentucky, a friend of long standing, who is the
new ranking Republican member of the Subcommittee on Consumer
Protection and just say to him how much I look forward to
working with him on privacy matters.
The Communications Act requires opt-in consent before
telecommunications carriers can disclose geolocation
information but there is no federal statute or regulation that
governs privacy rights associated with non-carriers who come
into possession of that information whether they collect it
themselves or whether they receive it from someone who does,
and I am wondering what our witnesses would say to this
question. Has the time arrived for Congress to adopt a statute
that applies a consent requirement with respect to geolocation
services information, not only to telecommunications carriers
but to others who come into contact with that information? Let
us begin with Mr. Morris.
Mr. Morris. My answer to that question is a very short yes
but with a qualification to say that we would certainly urge
Congress to do just what you said and focus careful attention
on location but we would hope it would be in the context of a
larger privacy bill as opposed to a sectorially focused bill
just on location itself. I mean, we have an anomalous situation
in this country where my video rental records are more
protected than my e-mail on Gmail and that to us doesn't make
sense, so we hope that the work you do on location privacy is
in the context of a broader baseline privacy bill.
Mr. Boucher. I couldn't have provided a better answer
myself. Thank you. I think you can expect to see this measure
emerge as part of a larger legislative item.
Mr. Altschul, I want to commend CTIA for the adoption of
your series of best practices, guidelines and recommendations.
I have a couple of questions for you. First of all, can you
tell me the percentage of your carriers that are part of CTIA
who are complying with your guidelines and recommendations at
the moment?
Mr. Altschul. We believe that all of the carriers are
complying with the guidelines, which were intended to build on
the principles in section 222(f) and they provide guidance and
examples for how to convert----
Mr. Boucher. So you think you have 100 percent compliance?
Mr. Altschul. We do, for the carriers that are supporting
these services.
Mr. Boucher. I want to give you an opportunity to respond
to some of the statements that Professor Cranor in her
testimony made. I missed her oral testimony but her written
testimony, which I have reviewed, suggests that your voluntary
guidelines could be sharpened a bit, and I want you to respond
to this. She says that they do not specify the form, placement
or content of notices, there is no mechanism for enforcement
within our guidelines, there are no assurances that the
location-based service providers follow the practices--that is
kind of a subset of the previous comment--and your guidelines
as they specify the disclosures that the carriers should make
are somewhat confusing and might lead to different kinds of
disclosures being made with regard to the same kind of
information among the various different carriers. Would you
like to respond to those comments?
Mr. Altschul. Yes. Thank you. First, by design, our
guidelines do not provide a one-size-fits-all set of guidance
or statements because the applications that fall within both
the guidelines and, more importantly, the category of location-
based services, do not fit one category. Certainly there is a
very different set of privacy and customer expectations
associated with a one-time query for a concierge-type service,
where is the nearest gas station, to a continuing social
networking application that links users by consent to one
another's location. So rather than specifying one kind of
notice, which we don't think would be appropriate across the
broad spectrum of services, our guidelines address the fact
that the notices should be tailored to the type of location
service. I view that as a strength rather than a weakness in
the guidelines.
As for not all of the applications that were in her survey
following even rudimentary privacy practices and notices, we
recently did a survey that didn't purport to be scientific. We
actually went to the Web sites of some of the application
service providers, created a snapshot of what is being
provided, and there is a range of notice and consent and
privacy statements. We submitted this paper to the Federal
Trade Commission last month for their privacy workshop.
But through guidelines--and this will get to your question
about the lack of enforcement--the industry and all of the
participants in the industry, carriers and application
providers alike, play a very important role in educating
themselves and their customers as to what they should expect
and should insist upon in using any kind of application
location-based service, and that is the primary role of
industry guidelines. We are not being codified in Title 18 of
the U.S. Code. We are trying to understand the issues----
Mr. Boucher. Well, in the interests of time, Mr. Altschul--
I am intrigued by your answers, I would like to hear more, but
my time is expiring. Let me just suggest this. It might be
helpful if you review Professor Cranor's comments and consider
modifying your guidelines to the extent that you can sharpen
them so that they provide greater clarity to the carriers,
particularly on what kinds of disclosures the carriers should
make with regard to services, to the information they come into
contact with. I think it might be helpful. Would you be willing
to consider doing that?
Mr. Altschul. Absolutely.
Mr. Boucher. I have one further question. My time has
expired. I intend to be generous with the other members in
terms of their time for questions as well.
Mr. King, Mr. Bernard, let me just pose this question to
you. Do you think that your customers are aware of the
secondary uses that your services are making of the geolocation
information about them, and do they have a reasonable
expectation based on information that is made available to them
that their geolocation information is going to be used by
advertisers in order to target advertising to them. Mr.
Bernard, Mr. King.
Mr. King. Thank you, Mr. Chairman. One way to answer that
is that the location information goes out to an advertising
network and requests an ad so the location is just--it is not
personally identifiable so that there is no information about
that consumer going to the advertiser. We are selecting from an
inventory of ads and then bringing them in and showing what we
think are the most appropriate ad, given that context.
Mr. Boucher. Well, that is understood, but the question is,
does that person have a reasonable expectation that those
events are going to happen, that the advertisers are going to
be marketing to them based in part on their location?
Mr. King. Yes. We have a location-based application that is
both free and ad driven where you can pay a subscription fee so
they are free applications we believe that consumers expect to
be ad driven, so the short answer would be yes to that.
Mr. Boucher. Mr. Bernard.
Mr. Bernard. Thank you. Useful Networks does not support
secondary uses to now, as I think about them, where secondary
use is using that location subsequently beyond that for which
you have already provided notice. So specifically in our mind,
we provide primary use, and an example of that is our location-
based advertising trial. End-users were presented with a banner
ad on the mobile Web site enticing them to click on it to see a
viewer location or a quick serve burger location near them. The
next page they saw explicitly said please allow us to use your
location to provide a list of stores near you, and only if they
clicked were they provided----
Mr. Boucher. All right. That is very clear. Thank you. Mr.
King and Mr. Bernard, I just want to pose one further question
to you, and it is the same question I asked Mr. Morris at the
outset. Is it time that we had a federal statute in order to
provide a uniform set of standards across applications, not
just for the telecom carriers but for those who are providing
applications, selling applications, using applications as well?
Mr. King. I would say in general, yes.
Mr. Boucher. Thank you. That is a great answer. That is
what I am looking for.
Mr. Bernard?
Mr. Bernard. It should be a uniform set of practices, not
necessarily legislation.
Mr. Boucher. Well, OK. That is half a loaf. Thank you all
very much.
The gentleman from Kentucky, Mr. Whitfield, is recognized
for his questions.
Mr. Whitfield. Thank you, Mr. Chairman.
And Mr. Bernard, I didn't hear the last part of your
answer. Would you repeat that for me?
Mr. Bernard. The last part of that more specifically spoke
to self-regulation. We believe there are certainly business
incentives both on the part of the distribution centers,
whether they are carriers or device manufacturers, as well as
on consumers in that they won't use services where they feel
like their privacy is not respected.
Mr. Whitfield. Well, everyone----
Mr. Bernard. We do agree with a level playing field.
Mr. Whitfield. Everyone on the panel has had the
opportunity to answer that question except a few. Professor
Cranor, what is your position on Chairman Boucher's question?
Ms. Cranor. Yes, I think that it is probably time to have
some legislation to have some privacy rules, but like Mr.
Morris, I think that we shouldn't have a very narrow view on
just location if we are going to set privacy rules, that there
is a need for more general privacy legislation.
Mr. Whitfield. And Ms. Collier, what is your position?
Ms. Collier. I agree with that. I think it is time to
update privacy law but, you know, it needs to coordinate with
COPPA, the Children's Online Privacy Protection Act, but it
shouldn't refer to just a single technology.
Mr. Whitfield. And Mr. Altschul?
Mr. Altschul. Well, we certainly endorse the idea of a
level playing field and the consumers don't have to guess as to
what their privacy rights are. We are always concerned that
despite the best of intentions, when these principles are
codified, either technology or unintended consequences will get
in the way.
Mr. Whitfield. Professor Cranor, in your testimony you
talked about a system that was developed at Carnegie Mellon,
and I am not sure the pronunciation but is it Locaccino?
Locaccino. Now, how widespread is that type of technology being
used?
Ms. Cranor. So our particular system is a research system
that is being used by a thousand people. It is similar
technology to what is being used by commercial providers. The
main difference is that we have gone out of our way to provide
privacy controls at a very fine-grained level for people who
use it.
Mr. Whitfield. I see. And, you know, this is deviating a
little bit from the technical aspect of this but also I found
it interesting in your testimony, you said in your survey, we
found that most of our participants did not expect that
location-sharing technologies would be all that beneficial to
them, and then that they did have significant concerns about
their privacy when sharing their locations online. So what is
your overall conclusion of that? It sounds like to me this is a
service that is really not all that beneficial but----
Ms. Cranor. Well, so what we found is that the general
public for the most part doesn't understand why they would want
location-based services. Now, there are plenty of people who
have adopted them who do get it and they say yes, this is
useful to me and I want to use them. But they are right now the
minority of the population.
Mr. Whitfield. So you found most people just simply were
not aware of the benefits of it?
Ms. Cranor. Right. They don't find it beneficial, and when
we talk about this with people, you know, the notion that there
is a map and there is a pinpoint and that is me on it, that
really scares people.
Mr. Whitfield. Right. I would just ask you, Mr. Morris, let
us assume for the moment that we are going to regulate Internet
privacy. Should the FCC do the regulating or should the FTC do
the regulating or should different regulators govern different
parties?
Mr. Morris. Well, we would suggest that the FTC is probably
the better place to go for two independent reasons. One, the
FTC has a very long track record and experience in looking at
consumer privacy issues, and they have already through a number
of workshops over the years have been looking specifically at
location privacy. And secondly, the FCC is frankly really not
the federal Internet commission. It really doesn't have a broad
mandate to regulate the Internet. It doesn't frankly have
regulatory experience at the application layer. It is obviously
critically important at the lower layers of the communications
stack and so, you know, its regulation of telecommunications
carriers and underlying broadband services is clear and
appropriate but it doesn't really have as extensive experience
in the privacy area at the applications layer as the FTC does.
Mr. Whitfield. Thank you all, and I see my time is expired.
Mr. Boucher. Thank you, Mr. Whitfield.
The gentlelady from Florida, Ms. Castor, is recognized for
5 minutes.
Ms. Castor. Thank you, Chairman Boucher.
Mr. Altschul, I thought it was interesting, you said that
even though all of your members are adherent to best practices
that technology has overtaken best practices. So I guess in
effect you are conceding that given how valuable the location
data could be to marketers and it is to advertisers, that
industry self-regulation is not realistic.
Mr. Altschul. No, what I meant to convey by saying the
technology has overtaken our guidelines, our guidelines just 2
years ago were carrier centric. Carriers were clearly covered
by section 222 of the Communications Act. That was before the
introduction of iPhones and introduction of smartphones that
have their own GPS receivers and before the broad adoption of
WiFi public access points. What surprised the experts in the
industry was how quickly the landscape changed in using this
technology so that as you heard from everyone on the panel and
many of the opening remarks today, increasingly location-based
services and applications do not touch a wireless carrier's
network. They have no knowledge of the application being used.
What we have done is, we have gone back and in effect broadened
our guidelines so that they are no longer going to be carrier
centric but provide the same touchstones of consumer notice and
consent regardless of whether the application runs with a
carrier's knowledge or not.
Ms. Castor. So I think you stated clearly, you see your
responsibility and your membership educating the consumer. Does
that need to be something that is promoted in a specific sort
of way as we develop new consumer consent provisions?
Mr. Altschul. I think that is the responsibility for all of
the stakeholders, the industry, public policymakers, educators
and the like, yes.
Ms. Castor. Ms. Collier, could you touch on what are some
of the innovations in the arena of emergency services? Are we
doing enough there as the law? Do we need to focus on any
specific provisions in updating that?
Ms. Collier. Emergency services and helping children be
found?
Ms. Castor. The children's angle is really your area of
expertise.
Ms. Collier. Yes.
Ms. Castor. Who best on the panel can address whether or
not we need updates when it comes to emergency services in
relation to LBS? Mr. Morris, go ahead.
Mr. Morris. I am always game to try to answer a question.
You know, the emergency--and I have actually worked in
technical standard-setting bodies on the transition in the
emergency system from the old analog system to kind of a new
IP-enabled Internet protocol-enabled, system, and the emergency
community is very aggressively trying to make that transition
but it is a very costly transition, and so I believe, my
perception is that the FCC and the emergency community is
actually proceeding at a fairly healthy pace to make the
transition to IP-enabled emergency services and ultimately, you
know, I think that some years from now, a couple of years from
now, we really will have the ability to both dial 911 on this
device and then take a picture of the auto accident that
happened so that the emergency response facility can actually
see the situation even before they send their responders. So my
perception is that we are in fact making that transition, it is
going to be a costly transition because there are lot of public
service answering points, PSAPs, that are not currently
technically and physically set up to do IP-enabled services
like that. But the transition is underway.
Ms. Castor. Any other comments on that?
Thank you. I yield back.
Mr. Boucher. Thank you, Ms. Castor.
The gentleman from Florida, Mr. Stearns, ranking member on
our Telecom Subcommittee, is recognized.
Mr. Stearns. Thank you, Mr. Chairman.
Mr. Morris, I was watching the television back in my office
and I saw that the gentleman from Kentucky asked you about
jurisdiction and about whether the FCC or the Federal Trade
Commission should be involved, and I think your statement was
that the jurisdiction for the Internet should be the Federal
Trade Commission. Is that what I am to understand you said?
Mr. Morris. Well, really, my position would be more that
the jurisdiction of a privacy should be at the Federal Trade
Commission. Frankly, I would urge that the Internet generally
speaking doesn't need to have a designated agency that has
broad jurisdiction over it. It really is a success story of
non-regulation, and Congress in 1996 in section 230 of the
Communications Code really set out its policy of having the
Internet grow and develop without regulation.
Mr. Stearns. All right. Let us assume what you are saying
is that the privacy on the Internet--as you know, the FCC now
has taken steps to address what they perceive as a problem and
they have called it Net neutrality. I call it Net regulation.
Based upon what you said dealing with privacy, would you agree
with me that perhaps the FCC does not have the jurisdiction to
regulate with its promulgating a Net Neutrality under the same
assumptions that you made from the gentleman from Kentucky that
privacy should be under the Federal Trade Commission and the
FCC has no jurisdiction over it?
Mr. Morris. Well, let me----
Mr. Stearns. Would that be a fair statement?
Mr. Morris. No, it wouldn't, Your Honor, if I could--Your
Honor----
Mr. Stearns. I was hoping you would say yes.
Mr. Morris. If I could explain, let me answer it by saying
that the Internet first grew up in a dial-up world where it
rode on top----
Mr. Stearns. I need you to be concise, so you say no. But
let me ask you----
Mr. Morris. I think I can offer a one-sentence answer.
Mr. Stearns. So I am just trying to sort of pigeonhole you
here.
Mr. Morris. I appreciate that.
Mr. Stearns. OK. So your argument was, the Internet grew up
without regulation, you talked about in 1996, and how the idea
was not to have regulation and let it expand without
interference. That is what you said. And then you indicated
that privacy should be under the Federal Trade Commission
rather than the FCC. So would it be fair to say that any type
of regulation of the Internet should not come through the FCC?
Mr. Morris. I think it is appropriate for the FCC to
regulate the underlying telecommunications platform on which
the Internet runs.
Mr. Stearns. Phones, cable, broadcasting but not the
Internet itself?
Mr. Morris. Not the applications and services that ride on
top of----
Mr. Stearns. OK. That is good enough for us. We appreciate
your opinion. Let me follow up. You described a potential risk
of location data being stored and used well into the future. Is
there harm if the information is not tied to an individual? How
often is the identity of the user known to the application
provider and what information can an application provider
gather about a consumer's identity and his or her habits?
Mr. Morris. Well, certainly if information is truly
deidentified and anonymized, it presents less concern. But as
Professor Cranor noted, there is a unique individual in this
world who lives where I live and works where I work and so
tracking my location over time could easily be tracked back to
me through that. So I do think there are very serious concerns
about retaining location over a longer period of time beyond
the use that it is first obtained for.
Mr. Stearns. Professor Cranor, location-based services are
still I think in their infancy with their development and we
just don't know where it is going to go from here. Would you
believe that the federal government should address with
regulation some of the new technology concerns that could
possibly even hinder the development of future benefits? In
other words, if we step in right now, is it a concern of yours
that we could actually hinder this infancy type of industry and
you might even say in your best mind where this industry will
be 10 years from now, 5 years from now.
Ms. Cranor. So I agree that the industry is in its infancy,
and it is somewhat hard to predict where it will be but I would
imagine it will be very different 10 years from now than it is
today and probably location-based services will be in much more
widespread use. I think there is always a risk of stifling
innovation with legislation. On the other hand, I think we do
have some serious concerns, and rather than waiting 10 years
and discovering that we are all in trouble, it would be good to
kind of set things straight from the beginning and really have
systems built with privacy designed in from the beginning. So I
would urge you to consider legislating on privacy from the
beginning and making that part of a more general privacy
framework.
Mr. Stearns. If you were me and you were doing a privacy
bill, what would you suggest as being part of location-based
privacy? You are writing the bill now yourself.
Ms. Cranor. Right. Fortunately, that is not my job but----
Mr. Stearns. Well, just hypothetically.
Ms. Cranor. But hypothetically, so I think there probably
should be some limits to the use of location data but also I
think it is very important to make sure that individuals are
fully aware and informed of use of their location data and that
there are robust consent experiences available to them.
Mr. Stearns. So a person could opt out or opt in? What
would you prefer?
Ms. Cranor. I think generally opt in, although I think it
depends on what you mean by opt out and opt in in this
situation.
Mr. Stearns. Thank you, Mr. Chairman.
Mr. Boucher. Thank you very much, Mr. Stearns.
The gentleman from Maryland, Mr. Sarbanes, is recognized
for 5 minutes.
Mr. Sarbanes. Thank you very much, Mr. Chairman.
Ms. Collier, I am going to direct these questions to you. I
guess you can answer them generally when it comes to privacy
and so forth and particularly with respect to location-based
services if you want. Would you say that there should be a
higher standard of privacy at work when you are dealing with
children as opposed to adults just generally speaking?
Ms. Collier. Yes, I would, and I think there is a higher
standard applied right now with the Children's Online Privacy
Protection Act that is being administered by the FTC.
Mr. Sarbanes. One of the things that intrigues me is that
children are the leading edge of the use of technology these
days.
Ms. Collier. Some technologies, yes.
Mr. Sarbanes. Well, they are the leading edge of use of
many technologies that have significant privacy implications.
Wouldn't you agree, or not?
Ms. Collier. Yes, some technologies that would have privacy
implications. You know, they are not big on Twitter, they are
not blogging as much anymore. It is a moving target. But, yes,
absolutely, privacy is a tremendous consideration where
children are concerned.
Mr. Sarbanes. I mean, it strikes me that adolescence plus
technology is a privacy nightmare in some ways.
Ms. Collier. Yes, and that is what I was basically saying
in my testimony is that location-based technologies and
services are not, you know, a unique problem in this area.
Children are constantly in touch with each other, constantly
updating their status, their location with each other
regardless of the technology.
Mr. Sarbanes. And notification and notice and consent
provisions or regimes that are established are also ones that
sort of become like quicksand when you are dealing with kids. I
mean, for example, Facebook I think has a rule that you have to
be 13.
Ms. Collier. Right. Facebook complies with COPPA.
Mr. Sarbanes. Right. Well----
Ms. Collier. There are a lot of kids under 13 who use
Facebook.
Mr. Sarbanes. Who we kidding?
Ms. Collier. Right.
Mr. Sarbanes. Yes. So the kids are going on and
representing--I guess they have to, I mean, I haven't gone
through the process--but representing that they are meeting the
standard when everybody knows that they are not. The teachers
know. I mean, two-thirds of these classes of 12-year-olds and
11-year-olds, they are all on Facebook. So I guess what I am
asking you is, how do we address that issue, which is that to
me a lot of the privacy standards and expectations we have is
either wishful thinking or it is a kind of wink-and-nod
exercise when you lay it against just how compelling and
seductive and powerful these technologies are, particularly for
young people, and it makes me feel that it is almost futile,
not quite perhaps, but to try to establish these things when it
comes to protection of kids and privacy standards and other
things, and I just ask you to reflect on that for the remainder
of my time.
Ms. Collier. Well, I completely agree that what we are
dealing here largely with is adolescent and child development
and behavior, not technology, and that is very, very difficult
to regulate. I do think that COPPA is a very important sort of
baseline standard and the FTC is currently reviewing, you know,
the rules and the enforcement of COPPA, rightfully so, but it
does effectively protect children's protection under 13. But
regulation is not the solution here. I really believe that
consumer education is the solution, and I would love to see
more thought given to consumer education and product
development teams, that product development teams and the
industry would be putting on their parent hats more and that
consumer education happens right with product launch or when a
product is in beta. There is no substitute for parental care
and so consumer education involves both parents and children
and it has to come through schools, it has to come--you know,
we can't keep these products and services out of children's
experience in school either. They are part of 21st century
education. And therefore to encourage schools to block social
media from school is absurd because you can't teach swimming
without a pool and we can't hold back the competitiveness of
American education. We have got to get technology into schools
and stop giving teachers an excuse not to teach with social and
interactive and new media, whatever you want to call it.
Mr. Sarbanes. That is a great answer. Thank you.
Mr. Boucher. Thank you very much, Mr. Sarbanes.
The gentleman from Indiana, Mr. Buyer, is recognized for 7
minutes.
Mr. Buyer. Ms. Collier, I want to pick up where you just
left off. The level of cyber bullying and sexting that is going
on right now, so for you to make a blanket statement that says
that, you know, don't take these devices away from kids, I am
almost to the point as a parent--my children went through
public school. It has gotten so bad, I would probably find a
private school that says my children are going to wear a
uniform and they are not going to have access to technology
like cell phones during school hours, and that is almost to the
point where it has gotten.
Ms. Collier. That would be the easy way. I have kids in
public school too, 12 and 18, and it would be easy just to ban
all technology from their lives. But what would that do to
them? What would that do their social lives?
Mr. Buyer. I don't believe it is banning it from their
lives but it is definitely----
Ms. Collier. Within reason?
Mr. Buyer. The cyber bullying is really extraordinary that
is going on right now, or how--I won't get into the sexting
part of it. Let us just do the cyber bullying for a moment, how
they can marginalize, isolate and then destroy someone that is
13 whereby that reputation is everything to them. Also,
reputation is everything to us. I mean, if you want to talk
about cyber bullying, be a member of Congress and deal with the
yahoos that we get to deal with, and I don't mean the Web site
either. I mean, we experience cyber bullying all the time.
I am going to pick up on something else Mr. Sarbanes had
just said. He is absolutely correct, I believe, about the
nightmares that this creates when you put technology in the
hands of our children. At the same time, when it comes to
privacy, as a parent, my children had limited privacy, and
guess what? I have the right as a parent to spy on my children.
Ms. Collier. Yes.
Mr. Buyer. I have that right in my oversight to ensure that
they are where they said they are going to be.
Ms. Collier. Absolutely.
Mr. Buyer. And I will tell you what, I would love to have
as a parent the actual location ability on a GPS to know where
my children are.
Ms. Collier. You can have that.
Mr. Buyer. I know. That is why I am saying. So with regard
to this ``privacy'' so how we have to balance this, Mr.
Sarbanes, with regard to how we protect our children from the
outside in. At the same time, as a parent, how do we gain
access to know what they are doing at all times. And there is a
balance. And so when you made this comment about how do we get
parents to take an active role and interest in the lives of
their children, government isn't going to be able to do that.
But you are right when you say about education. You are right,
I also believe in corporate responsibility when the products
come out. I also believe that our schools, since they are also
the guardian of our children while they are gone, also have a
social responsibility.
Ms. Collier. We have also got to stop scaring the bejeebers
out of parents. We have done a very bad job of that. We have
had a predator panic in this country for several years, and
what that fear does is cause parents to overreact and shut
things down rather than communicate with their kids.
Mr. Buyer. But how do we--we can do all the things I just
said. This issue on cyber bullying, how do we----
Ms. Collier. Cyber bullying is just an electronic extension
of bullying so what you are asking me is what do we do about
bullying, and that is probably beyond the purview of this
hearing but we should all be thinking about that. Bullying is--
--
Mr. Buyer. But bullying used to be a little more isolated.
If they find themselves out at recess, if they find themselves
at the gym, if they find themselves at the cafeteria, but now
you can be in the classroom, you can be anywhere and you can be
cyber bullied at any moment at any time because they make some
statement or they make up a scenario and this kid then is
tortured, you know, constantly. So it is more aggravated.
Ms. Collier. We need to get the schools up to speed on
this, so we are working hard at that.
Mr. Buyer. As a parent, my children are now grown but I can
tell you, I think the cyber bullying is really getting out of
hand. I mean, you can turn on the news and you find that
someone has now committed suicide and you discover that they
were cyber bullied or some 16-year-old thought it would be cute
to send a naked picture to her boyfriend, he then sent that to
someone else and she commits suicide. I mean, this technology
is also being used in a manner which we never anticipated by
individuals who don't completely understand the realm of
responsibility. Anyway, I appreciate you having this
conversation with me. I yield back.
And thank you, Mr. Sarbanes. You brought up a really good
issue.
Mr. Boucher. Thank you very much, Mr. Buyer.
We have recorded votes pending on the floor, and I think we
probably have time for one more member to propound questions.
Mr. Space is next. And then following that, we will need to
have a recess. Mr. Doyle, I am sorry----
Mr. Space. Well, actually, Mr. Chairman, I am going to
pass.
Mr. Boucher. Oh, you are going to pass? Well, thank you,
Mr. Space. That does help us.
Mr. Doyle, the gentleman from Pennsylvania.
Mr. Doyle. Thank you, Mr. Chairman, and my apologies for
being late. We had several hearings at the same time.
Professor Cranor, welcome to this panel. It is always good
to see someone from CMU here and not just because they are in
my district, Mr. Chairman, but it is one of the great
universities in America, and your work has been very helpful to
this committee.
Professor Cranor, tell me, in your testimony you mentioned
that Internet users legitimately care about their location
privacy but that the current system isn't set up in such a way
to give users a good sense of how location-based service
providers will use that information nor do most location-based
service providers supply users with comprehensive privacy
controls and protective default settings, and you add that
further additional protections might be necessary. I wonder if
you could just elaborate a little bit on what additional
protections may be necessary to ensure that we have proper
control over location information, and do you think it requires
Congress to take any action?
Ms. Cranor. So I think that we need to start with at least
having some guidelines which give more specific guidance about
what is acceptable notice to users. You know, the fact that
providing notice, you know, buried in the legalese of a privacy
policy is not providing adequate notice, and guidance that, you
know, saying well, you have privacy but there are exceptions
and you have to go read the fine print, those sorts of things
are not providing people with adequate notice. You know, as Ms.
Collier raised, you know, with Google Buzz, you know, people
started using it and had no idea that everything was public and
that is a very common thing that we have seen in our research
is that people use these services, they think only their
friends are seeing their information, only their friends are
seeing their location and yet it is being made public. So I
think we need at the very least guidelines for the service
providers and perhaps actually regulation along those lines as
well.
Mr. Doyle. I mean, what options do consumers really have
today for choosing or negotiating their own privacy
preferences? I mean, are there technologies available that
would let consumers express their own privacy preferences up
front where they could say up front this is how I want my
information to be used and this is who I want to be able to see
it?
Ms. Cranor. Well, I think in the commercial services today,
you can do that to a limited extent so there are some that you
can certainly turn off the location sharing. There are some
that let you choose between sharing with the public or sharing
with a group of designated friends. So there are some controls
but they tend to be fairly course grained, and you can't really
have your cake and eat it too with most of them. With some of
the more experimental systems like our research on Locaccino at
CMU, you can actually have much finer-grained controls and so I
think it would certainly be possible to give consumers a lot
more options and a lot more control but we are not actually
seeing that being deployed in commercial services.
Mr. Doyle. Now, Mr. Morris, I saw you either laughing or
smiling so I want to give you a chance to grab the microphone
and chime in if you would like.
Mr. Morris. I started working in 2001 with the Internet
engineering task force on a protocol called GeoPriv, geographic
privacy, that attempts to do exactly what you are proposing,
attempts to allow users to set the rules to say you can keep my
information only for 24 hours and you can't pass it on to
anybody else, and there's been some uptake with that technology
but unfortunately at the applications layer, the Worldwide Web
layer, that technology has not been accepted. We have been
working to try to get it implemented at the applications there.
So certainly the technology is out there. I frankly think it
will take an act of Congress to really get the industry to
really try to give users the level of control that you are
talking about.
Mr. Doyle. Mr. Chairman, I know we have votes pending.
Thank you for your patience. And to all the panelists, thank
you for being here today.
Mr. Boucher. Thank you very much, Mr. Doyle, and I want to
express appreciation also to each of you. Your testimony has
been informative and helpful to us.
The record for this hearing will remain open for a period
of time, and there may be questions that members want to submit
to you. If you receive those, please reply to them promptly.
And we do appreciate your help. This has been very beneficial
for us.
This hearing stands adjourned.
[Whereupon, at 12:04 p.m., the Subcommittees were
adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�