[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]







 THE COLLECTION AND USE OF LOCATION INFORMATION FOR COMMERCIAL PURPOSES

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                    SUBCOMMITTEE ON COMMERCE, TRADE,
                        AND CONSUMER PROTECTION

                                AND THE

      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 24, 2010

                               __________

                           Serial No. 111-98





[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov
                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

76-010                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001













                    COMMITTEE ON ENERGY AND COMMERCE

                 HENRY A. WAXMAN, California, Chairman
JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
JAN SCHAKOWSKY, Illinois             SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania
JAY INSLEE, Washington               MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas                  PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana
JIM MATHESON, Utah                   PARKER GRIFFITH, Alabama
G.K. BUTTERFIELD, North Carolina     ROBERT E. LATTA, Ohio
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
    Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
        Subcommittee on Commerce, Trade, and Consumer Protection

                        BOBBY L. RUSH, Illinois
                                  Chairman
JANICE D. SCHAKOWSKY, Illinois       CLIFF STEARNS, Florida
    Vice Chair                            Ranking Member
JOHN SARBANES, Maryland              RALPH M. HALL, Texas
BETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky
FRANK PALLONE, New Jersey            GEORGE RADANOVICH, California
BART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan                MARY BONO MACK, California
GENE GREEN, Texas                    LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE L. BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex officio)
                                 ------                                

      Subcommittee on Communications, Technology, and the Internet

                         RICK BOUCHER, Virginia
                                 Chairman
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
BART GORDON, Tennessee                 Ranking Member
BOBBY L. RUSH, Illinois              CLIFF STEARNS, Florida
ANNA G. ESHOO, California            NATHAN DEAL, Georgia
BART STUPAK, Michigan                BARBARA CUBIN, Wyoming
DIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois
MICHAEL F. DOYLE, Pennsylvania       HEATHER WILSON, New Mexico
JAY INSLEE, Washington               VITO FOSELLA, New York
ANTHONY D. WEINER, New York          GEORGE RADANOVICH, California
G.K. BUTTERFIELD, North Carolina     MARY BONO MACK, California
CHARLIE MELANCON, Louisiana          GREG WALDEN, Oregon
BARON P. HILL, Indiana               LEE TERRY, Nebraska
DORIS O. MATSUI, California          MIKE FERGUSON, New Jersey
DONNA M. CHRISTENSEN, Virgin 
    Islands
KATHY CASTOR, Florida
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex 
    officio)




                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement.................................     1
Hon. Ed Whitfield, a Representative in Congress from the 
  Commonwealth of Kentucky, opening statement....................     3
    Prepared statement...........................................     5
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................     7
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     7
Hon. Kathy Castor, a Representative in Congress from the State of 
  Florida, opening statement.....................................     9
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement...............    10
Hon. Steve Scalise, a Representative in Congress from the State 
  of Louisiana, opening statement................................    11
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................    12
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................    13
Hon. Rick Boucher, a Representative in Congress from the 
  Commonwealth of Virginia, prepared statement...................   124
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, prepared statement......................................   128

                               Witnesses

John B. Morris, Jr., General Counsel, Center for Democracy and 
  Technology.....................................................    14
    Prepared statement...........................................    17
Lorrie Cranor, Associate Professor, Computer Science and 
  Engineering and Public Policy, Carnegie Mellon University......    32
    Prepared statement...........................................    34
Jerry King, Chief Operating Officer, uLocate Communications, Inc.    69
    Prepared statement...........................................    71
Tony Bernard, Vice President and General Manager, Useful Networks    76
    Prepared statement...........................................    78
Michael Altschul, Senior Vice President and General Counsel, 
  CTIA--The Wireless Association.................................    87
    Prepared statement...........................................    89
Anne Collier, ConnectSafely......................................    96
    Prepared statement...........................................    98

 
 THE COLLECTION AND USE OF LOCATION INFORMATION FOR COMMERCIAL PURPOSES

                              ----------                              


                      WEDNESDAY, FEBRUARY 24, 2010

        House of Representatives, Subcommittee on Commerce, 
            Trade, and Consumer Protection, joint with the 
            Subcommittee on Communications, Technology, and 
            the Internet, Committee on Energy and Commerce, 
            Washington, DC.
    The subcommittees met, pursuant to call, at 10:05 a.m., in 
Room 2141 of the Rayburn House Office Building, Hon. Bobby L. 
Rush [Chairman of the Subcommittee on Commerce, Trade, and 
Consumer Protection] presiding.
    Present from Subcommittee on Commerce, Trade, and Consumer 
Protection: Representatives Rush, Sarbanes, Barrow, Matsui, 
Castor, Space, Braley, Stearns, Whitfield, Terry and Scalise.
    Present from Subcommittee on Communications, Technology and 
the Internet: Representatives Boucher, Markey, Eshoo, Doyle, 
Matsui, Castor, Space, Stearns, Shimkus, Buyer and Terry.
    Staff present: Michelle Ash, Chief Counsel; Marc Groman, 
FTC Detailee; Greg Guice, FCC Detailee; Will Cusey, Special 
Assistant; Daniel Hekier, Intern; Sarah Fisher, Special 
Assistant; David Kohn, Press Secretary; Amy Levine, Counsel; 
Timothy Robinson, Counsel; Ross Schulman, Intern; Will Carty, 
Minority Professional Staff; Sam Costello, Minority Legislative 
Analyst; Neil Fried, Minority Senior Counsel; Shannon Weinberg, 
Minority Counsel; and Brian McCullough, Minority Senior 
Professional Staff.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. The subcommittee will now come to order. We are 
conducting a hearing this morning on the matter of the 
collection and use of location information for commercial 
purposes, and I want to welcome all the members of the 
committee who are present, those individuals who are present 
who are non-members, and I also want to welcome all the 
witnesses and those who are doing this from the perspective of 
interested parties who are in evidence. The chairman recognizes 
himself for 5 minutes for the purposes of an opening statement.
    Today we are pleased to welcome six witnesses representing 
the wireless industry, software firms, a nonprofit advocacy 
group and an academic. We have got a lot of expertise in the 
realm of privacy, and this joint hearing, which is the fifth in 
our series of hearings on the general topic of consumer 
privacy, will focus on the collection and use of location 
information about individual consumers. Local base applications 
and services are springing up each day like wildfire. Yesterday 
there was Facebook and in the not too distant future we will be 
encountering something more akin to a placebook. Location-based 
services and the applications that ride on these services 
utilize a number of different tracking technologies which can 
make it easy to track the whereabouts of an estimated 100 
million individuals around the world. By the year 2013, it is 
estimated that the precise whereabouts of over 800 million 
individuals will be readily discernible at any given moment in 
time. Of that amount, nearly 180 million of these users will be 
North Americans. Virtually all location-based services are 
currently offered to subscribers for free and are subsidized by 
advertisers. A majority of these services generate, emit or 
connect terrestrial and satellite wireless signals. They 
connect independently or at premapped points on a network. 
These signals can then hone in on and find a wireless's 
wireless, handheld or low-wave device such as a cell phone or a 
GPS unit, and because these devices are typically always on our 
bodies or within arm's reach, there is very little guesswork 
for inquiring advertisers and other curious subscribers to know 
or deduce where an individual is located or where their daily 
movements are likely to be. In fact, advertisers even know the 
identity of that individual with the growing trend of 
behavioral advertising and how it intersects with privacy 
considerations at our joint hearing which our two committees 
held in June 2009.
    To some extent, location-based services can be viewed as a 
subcategory of behavioral tracking in that they can quickly and 
cheaply, I might add, tell advertisers more than contextual 
advertising ever could about someone's preference, their habits 
and their patterns. Location-based services are in actuality 
inherently more invasive and threatening to consumer welfare 
and perhaps even more challenging to consumer privacy than 
behavioral advertising. Tracking a user's movements through a 
virtual world of business-to-consumer Web sites is, I am sure 
everyone will agree, bad enough. Location-based services on the 
other hand up the ante by making an individual's real-world 
location data accessible to intended and unintended recipients.
    In closing, let me state clearly for the record, and 
especially for those interested consumer groups, interested 
entities and government regulators who have been monitoring our 
series of hearings that with the information we will obtain 
from today's hearing, we have now learned enough to take the 
next major step. As one of two co-chairs of these joint 
undertakings along with my friend, Congressman Boucher, on 
privacy, it is my intent that our next hearing on privacy will 
be a legislative hearing where we will discuss ``the devil in 
the details'' by commenting on a discussion draft of a 
comprehensive privacy bill. There is such a thing as TMI, and 
we need to stop gathering information now and get legislation 
on a privacy bill.
    In the coming days, I and my staff will be working closely 
with Mr. Boucher, Mr. Whitfield in Mr. Radanovich's absence, 
Mr. Stearns and the minority staff to produce a draft of a 
bill, and I would like to thank each of our witnesses for your 
participation today and I look forward to hearing your 
testimony and to vigorously engage in our discussion today. I 
might again emphasize, I really appreciate you taking the time 
out from your busy schedule to be with us here today to add 
your voices and your values and your expertise to this process.
    We will now recognize now Mr. Whitfield for 5 minutes for 
the purposes of opening statement.

  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY

    Mr. Whitfield. Mr. Chairman, thank you very much for having 
this hearing on the collection and use of location information 
for commercial purposes. We certainly appreciate the panel for 
being here and giving us this expertise on this important 
subject.
    Through the use of technologies including GPS, 
triangulation of cell phone positioning information or user-
entered data, consumers now have access to what I call 
convenient information. Whether it is finding the nearest local 
restaurant in an unfamiliar city, navigating cars to intended 
designations or the knowledge that a first responder can find 
us by our GPS location if we are ever in trouble, many 
consumers find they can no longer live without these apps, as 
they are called. This new technology raises legitimate concerns 
about privacy. Obviously most people know that the application 
they download specifically for its location features will 
communicate that information for application functionality. 
What isn't as clear is how the data will be used, whether 
notice to the consumer is clear and whether user controls over 
the personal data are adequate. In addition to first-person 
privacy concerns, there are also privacy concerns for second 
persons, the people who may not use a service directly but who 
may be touched by a service by virtue of someone else's use, 
just as counterparties to phone calls or e-mails may find their 
identity revealed without their consent. For example, if 
someone forwards an e-mail to another person, so too can one's 
privacy location information be revealed if the user of the 
location-based social networking application shares that 
information.
    Similarly, special situations arise in the employer-
employee relationship. We can agree that there are benefits to 
a delivery service improving its delivery efficiency by using 
location tracking and positioning. The question is, what rights 
do the employees have and what policy does the employer 
communicate about its use of this technology. In one example 
last August, a New York City employee was terminated after the 
GPS on his city-provided phone revealed that he had been at 
home before his shift ended on 83 occasions according to an 
article in the New York Post. While this may have been 
justified, the fear of a Big Brother surveillance environment 
has clearly arrived and merits a serious discussion.
    Another issue I might add that merits discussion concerns 
uniformity, in my view. Wireless carriers are generally 
prohibited from using location-based information for commercial 
purposes. However, application providers are not subject to 
this requirement. So I think that is an issue we also need to 
be focused on.
    There are many questions raised by these technologies and 
how consumers interact with them. Most of these beneficial 
services were developed in the absence of legal mandates, and 
our top priority must be maintaining the appropriate balance 
between an environment that does not impede innovation but that 
does ensure consumers are fully aware of the information they 
trade for the use of these services. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Whitfield follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Rush. The Chair recognizes the gentlelady from 
California, Ms. Matsui, for 2 minutes.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you, Mr. Chairman. I want to thank you 
and Chairman Boucher for calling today's joint hearing. I would 
also like to thank our panelists for being with us this morning 
as we examine the collection of use of location-based 
commercial information.
    Today, millions of Americans rely on different location-
based services and applications for a variety of activities 
including social networking and navigation and mapping 
services, among many others. As both broadband expansion and 
the use of mobile devices continue to grow among consumers, the 
industry that provides location-based services and applications 
will only increase. In fact, according to one estimate, the use 
of these services and applications are expected to reach more 
than 80 million new users in North America alone over the next 
3 years. As we all know, in today's economy information is 
everything to everyone, and as we know, mobile devices are 
everything to millions of consumers storing in many cases very 
personal information or even providing their physical location.
    With ever-increasing technologies and applications 
emerging, it is essential that we properly protect the private 
and personal information of consumers. Simply put, privacy 
policies and disclosures should be clear and transparent. We 
should also understand the scope of information that is being 
collected, what it is used for, the length of time it is 
retained and its security. The more information that consumers 
have, the better. Ultimately, meaningful privacy safeguards 
should be in place while ensuring that we don't stifle 
innovation.
    I thank both the chairmen for holding this important 
hearing today and I yield back the balance of my time.
    Mr. Rush. The Chair now recognizes the gentleman from 
Florida, Mr. Stearns, for 2 minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Good morning, and let me welcome the witnesses 
and thank you, Mr. Rush and Mr. Boucher, the chair on the 
Telecom Committee, for having this hearing.
    As technology continues to advance, obviously new issues 
surrounding consumer privacy will continue to confront us. My 
main concern continues to be protecting the privacy of American 
consumers without of course stifling innovation that is so 
critical to growing our economy, particularly now, and keeping 
America globally competitive.
    Today's hearing focuses on the use of location-based 
services and applications which collect and use location data 
that allows a consumer to communicate, socialize, travel, play, 
dine and shop at great convenience than ever before. Location-
based service technology is relatively new and as such it is 
important to examine the privacy concerns that go along with 
this new technology. Location-based services present both an 
opportunity and a potential for all consumers. On the one hand, 
consumers could receive relevant information about commercial, 
educational and social opportunities just simply based upon 
their location, but on the other hand, consumer privacy could 
be undermined if multiple entities have access to a consumer's 
location and online activities.
    So in order to maximize the consumer benefit of location-
based services, the privacy policies of such services need to 
be transparent and provide a consumer with informed choice 
regarding whether to permit access to his or her location-based 
information. That is critical. In addition, we need to ensure 
that consumers are not lulled into a false sense of security 
regarding the privacy of their location-based information. Now, 
under section 222(f) of the Communications Act, wireless 
carriers are generally prohibited from using location-based 
information for commercial purposes without the express prior 
consent of the consumer. However, application providers are 
subject to no such requirement even though their applications 
are being downloaded on the devices of wireless carriers. This 
may falsely lead to consumers to the conclusion that 
application providers are subject to the same prohibitions as 
wireless carriers and that no action by consumers is necessary 
to ensure that their privacy is protected.
    I hope our witnesses can address this very important issue 
but it seems to represent a gap in my mind in consumer privacy 
protection. So clear and transparent policies should be 
standard in regard to location-based services and applications. 
Real transparency should include a robust disclosure and notice 
to the consumer outside the privacy policy. These notices and 
disclosures must be presented in a clear and conspicuous manner 
so that the consumer knows first that information is being 
collected, second, how the information is being used, and 
third, what it is being used for, and possibly fourth, how to 
prevent the collection of this information.
    Small businesses and consumers may greatly benefit from the 
delivery of location-based technology. I mean, for example, 
imagine that you are in a city and you have a desire to have 
Chinese food. Location-based application could give you some 
help right away and point you in the right direction to get it. 
It is a win-win situation. You get your Chinese food and the 
restaurant owner gets a customer that they may not otherwise 
have received. Conversely, if Congress makes it difficult for 
small businesses to reach or target potential consumers, small 
businesses could find it increasingly difficult to survive in 
the complex and constantly changing marketplace. If 
comprehensive privacy laws are to be developed by Congress, 
they must be competitively and technologically neutral and they 
must also be forward looking and adaptable. A proper regulatory 
framework will take into account the nature of rapidly changing 
technology. This is particularly true when it comes to a 
location-based technology that we are talking about today. 
Congress should not legislate in a way that is restrictive of 
technology development or that unfairly targets one industry 
over another.
    Although there are certain numerous privacy concerns that 
must be taken into account, we must also keep in mind the 
tremendous benefit from these technologies ultimately to all 
the consumers. The reality is that location-based service 
technology is the wave of the future. As such, this committee 
has a duty, a responsibility to ensure that consumers are 
protected and free to benefit from these new technologies.
    Mr. Chairman, you and I have worked well in the past, Mr. 
Rush and I and Mr. Boucher, on a number of issues including 
privacy. Mr. Rush, you mentioned the idea of a privacy bill. I 
had met with Mr. Boucher, we talked, and I think Mr. Boucher 
has a draft bill. I understand that there is a possibility that 
we could get this draft bill. We have not seen it on this side. 
We urge you to give it to us. I think as a result of this 
hearing, we may have to look at ways to better inform 
consumers, as I mentioned earlier, on the location-based 
applications and services with more transparency. As I 
previously stated, there seems to be a gap in consumer privacy 
protection between the regulation of wireless carriers and the 
application providers. I think this needs to be fixed.
    Thank you, Mr. Chairman.
    Mr. Rush. The Chair now recognizes the gentleman from 
Georgia, Mr. Barrow, for 2 minutes.
    Mr. Barrow. I thank the Chair. I will waive an opening 
statement.
    Mr. Rush. The Chair now recognizes the gentlelady from 
Florida, Ms. Castor, for 2 minutes.

  OPENING STATEMENT OF HON. KATHY CASTOR, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Ms. Castor. Thank you, Chairman Rush and Chairman Boucher, 
for calling this hearing.
    Today's hearing provides a unique opportunity to learn more 
about a technology that has a potential to impact our lives in 
profound ways. I am looking forward to the testimony of our 
witnesses very much.
    The mobile devices that we carry with us now, whether it is 
a basic cell phone or a smartphone like an iPhone or 
BlackBerry, are now practically indispensable to Americans. 
They are our lifelines in many respects. We rely on them to 
organize our day, keep in touch with our children and run our 
businesses, and the location-based technologies are generating 
new ways of interacting, and I am very fond of the function 
when I am traveling out of town to be able--you know, it used 
to be that you would reach into the glove box, take out the map 
and try to figure out--have interesting discussions with your 
spouse about where you should have turned. Now you can hit the 
map function and it will show you, and I can find my way to the 
soccer tournament or the business meeting where I am going.
    So these location-based services are already very handy and 
they have the potential to help us with emergency services 
especially. They are enabling large companies and small to 
track their inventory, manage their workforce and do business 
more efficiently. A hundred million people already use these, 
but this is going to grow exponentially.
    Such rapid proliferation of a technology as promising as 
LBS is awe-inspiring and bewildering. On one hand, the economic 
and social benefits that could be generated are potentially 
endless, but on the other hand, we need to protect consumer 
privacy, and the need to protect consumer privacy is greater 
than ever but the law has not kept pace with this increased 
need. We are at a crossroads with telecommunications 
legislation. The Communications Act of 1934 requires phone 
companies to ask for permission before sharing consumer data 
including location information and companies are sharing best 
practices about how to protect sensitive information. Even so, 
we know that a large percentage of companies don't yet have 
privacy policies to prevent the sharing of sensitive location 
data with marketers and other interested parties. There are no 
comprehensive rules to guide these companies or courts when 
dealing with location information privacy concerns. So any 
proposed legislation needs to strike that balance, the right 
balance to further spur and encourage innovation without 
encroaching upon the privacy rights of consumers.
    So thank you all, and I look forward to your testimony.
    Mr. Rush. The Chair now recognizes the gentleman from 
Illinois, Mr. Shimkus, for 2 minutes.
    Mr. Shimkus. Thank you, Mr. Chairman. You are hearing a lot 
of the same from a lot of members. Location-based services 
would be great, especially when you are in areas that you don't 
know where things are. You can imagine traveling and being able 
to get to a place where you want to go, and I think a lot of 
people put the GPS in their baggage when they get a rental car, 
although a lot of rental cars have some of the applications 
now.
    As legislators, I just want to continue to allow the 
development of this technology, at the same time ensuring 
consumer information is protected, and I know that is in the 
best interest of the industry. I know it is in the best 
interests of our citizens. So I look forward to hearing the 
testimony and looking forward to make sure that that happens. 
Yield back.
    Mr. Rush. The Chair now recognizes the gentleman from 
Massachusetts, Mr. Markey, for 2 minutes.
    Mr. Markey. Thank you, Mr. Chairman, very much.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Chairman, back in 1999, I authored the privacy 
provisions that are now contained in section 222 of the 
Communications Act to safeguard the privacy of 
telecommunications customers and place new duties on 
telecommunications carriers to protect the confidentiality of 
proprietary information relating to other carriers, equipment 
makers and customers, and my law also included an opt-in, 
enabling customers to request the disclosure of their own 
personal telecommunications information to any person they may 
choose to designate but it would be their choice to opt in and 
so in that way I was trying to make sure that what you had in 
your hand was a telecommunications device and not a tracker, 
not something that could be used unless there was a warrant 
obtained by the police, you had given your permission for 
anyone to know what was going on with your device. And now what 
we have to do because of what has happened over the last 10 
years is, we have to continue to update the laws just to make 
sure we fill in the gaps, that we give people protection. You 
know, if you are leaving someplace and you are really planning 
on going to the New England Patriots-Jacksonville Jaguars game, 
no one should be able to track and see where you really went. 
If you went to the Patriots-Jaguars game, you know, it is none 
of their business. They shouldn't be able to do it unless you 
gave them permission or there is a warrant out, you have been 
able to get legally obtained permission to get access to that 
information. That is my feeling. And if it inhibits the 
business plan of a few software or telecommunications 
companies, well, that is just tough luck. They have no right to 
know that. And so that is my view on it, always has been, and I 
just think that this makes it possible for people to know just 
where you are, what seat you are sitting in at the Patriots-
Jaguars game, you know, right down the row, oh, there is he 
right there. ``I thought you said that you were going to be out 
shopping this afternoon.''
    So this is a very important set of rules we have to put in 
place, and in fact, it will create all new industries that are 
down here. Mr. King and others are down here. There are whole 
companies that can crop up to give you the protection that you 
need as long as we mandate it, and innovation is out there 
where you get to use the device, have the information that you 
need, but it is not voluntary. We can't make it voluntary 
because only some people will be protected because it will be 
dependent upon the good will of an individual company, 
individual application company as to whether or not you are 
voluntarily protected by them, and that is just not going to be 
good enough.
    Thank you, Mr. Chairman.
    Mr. Rush. Thank you. The gentleman from Louisiana, Mr. 
Scalise, is recognized for 2 minutes.

 OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF LOUISIANA

    Mr. Scalise. Thank you, Mr. Chairman. I am pleased that 
both subcommittees are once examining the balance between new 
technologies and privacy.
    We can all agree that our privacy is important and we 
should continue to balance them as technology advances and 
develops in ways that provide tremendous benefits to consumers 
and in ways that were previously never imagined. A great 
example of this is the emergence of location-based 
technologies. Whereas 10 years ago many people did not even 
have cell phones, we can now use our mobile devices to find the 
closest restaurant or pull up directions to a destination, and 
in many cases, a message or coupon might be sent to us from the 
restaurant close by or for the destination we are trying to 
reach. These technologies and the applications that employ them 
are tremendous advancements and provide consumers with great 
benefits, not only convenience but also during instances when a 
person's location is needed for law enforcement personnel or 
during an emergency situation.
    The technological advancements we are seeing today are 
impressive but as is most often the case, we are still learning 
about their capabilities and their implications. Even with 
these advancements, location-based technologies can also expose 
consumers to certain risks such as having your location 
routinely tracked, which could lead to identity theft or 
stalking. As a father of two young children, I am also 
concerned about the effects these technologies could have on 
child safety. Therefore, we must continue to examine ways to 
ensure consumers don't have their personal information or 
safety compromised.
    I look forward to hearing from our panelists today on what 
steps they are taking and what steps they think are needed to 
ensure that consumer protection and personal safety are not 
compromised. I also hope our panelists discuss what information 
is being collected on consumers and what is being done with 
that data and whether consumers even know their information is 
being collected. As I have stated before, the technology 
industry is one of the most advanced and competitive industries 
in our country. It is also one of the most beneficial both for 
consumers and for the economy. It is worth pointing out that 
the industry has evolved and grown on its own with little 
regulation from the federal government, some would say. 
Therefore, I hope we proceed carefully when stepping in or when 
drafting legislation in this area.
    I hope today's hearing focuses on how we can protect 
consumers and their safety and what steps the industry will 
take or has already taken to do so. If self-regulation is not 
sufficient and privacy regulations move forward, they should be 
consistent across the industry and not be greater for one 
technology compared to another. Everyone involved should have 
to play by the same set of rules, and Congress should not pick 
winners or losers.
    Again, I look forward to hearing the comments of our 
panelists today, particularly on self-regulation and whether 
parity is needed in the industry. It is important that we 
understand their positions and activities as well as all the 
implications of these popular technologies.
    Thank you, and I yield back.
    Mr. Rush. The Chair now recognizes the gentlelady from 
California, Ms. Eshoo, for 2 minutes.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, and to Chairman Boucher 
as well for convening this joint subcommittee hearing on the 
growing use of location-based technology and its implications 
on personal privacy. I support the continued effort to balance 
the needs of both promoting innovation and protecting the 
personal information of customers.
    I have long advocated the use of location-based technology 
as a public safety tool. In fact, I am the author of the E911 
legislation, so I can tell you that this technology is critical 
to first responders and to law enforcement. When they locate 
our citizens in distress by using geographical information, 
they literally can save thousands of lives, and they have.
    So the use of this technology, however, has expanded beyond 
public safety and it is now widely used by consumers to 
complete everyday tasks to make their lives easier and more 
efficient including finding driving directions, restaurants or 
the nearest gas station. So it is highly useful, very practical 
and we all use it. But it is also our job to look after the 
bests interests of the American people, so we have to ensure 
that the location of users is protected against any misuse from 
both corporate and government interests.
    I look forward to hearing from the witnesses and I would 
like to especially welcome Anne Collier, who is with 
ConnectSafely, which is co-headquartered in Palo Alto, 
California, which is the heart of my district. So thank you to 
both of our chairmen and I look forward to hearing from the 
witnesses. Thank you.
    Mr. Rush. The Chair now recognizes the gentleman from 
Nebraska, Mr. Terry, for 2 minutes.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Chairman, for holding this 
important hearing.
    I agree with the necessity for balance. We should be 
examining these serious privacy concerns raised from the 
collection of location information going on today, but I 
believe that we must consider the great benefits these 
location-based services can provide our first responders in 
case of an emergency.
    A colleague of ours, a good friend of mine, Todd Tiahrt 
from Kansas, has recently brought to my attention an issue that 
not only coincides with our topic of discussion today but an 
issue I believe must be addressed in any such discussion 
involving location information. On June 2, 2007, 18-year-old 
Kelsey Smith was abducted from a Target parking lot in Overland 
Park, Kansas. Law enforcement was quickly notified and they 
subsequently called her wireless provider to obtain Kelsey's 
ping data, or call information. They were denied. On June 6, 
2007, 4 days after she had disappeared, Kelsey's body was 
found. She had been raped and murdered. Authorities had used 
the ping information to determine where her cell phone had 
traveled after 4 days of begging and pleading, so the time that 
they were able to ping, within 45 minutes after that found her 
dead. Law enforcement found her body.
    Now, current law states that a telecommunications carrier 
may give call location information out to emergency service 
providers. However, telecom carriers are not required to give 
this information out to authorities and oftentimes telecom 
carriers are hesitant to provide the information due to 
potential liability. I believe it is time that we require 
telecom service providers to provide location or ping 
information when asked by law enforcement during cases of 
emergencies. I encourage my colleagues to look at Mr. Tiahrt's 
bill, join Mr. Rogers and me, and I think we are going to have 
discussion about this specific case and its implications.
    Thank you for this opportunity. Yield back.
    Mr. Rush. The gentleman from Indiana, Mr. Buyer, is 
recognized for 2 minutes.
    Mr. Buyer. I reserve my time for questioning. Thank you.
    Mr. Rush. The Chair thanks the gentleman. It is now my 
pleasure and honor to introduce our witnesses. We have six 
witnesses before us today, and I will introduce them beginning 
on my left. Mr. John B. Morris, Jr. is the general counsel for 
the Center for Democracy and Technology. Seated next to him is 
Ms. Lorrie Cranor. She is an associate professor of computer 
science and engineering and public policy at the Carnegie 
Mellon University. Mr. Jerry King is the chief operating 
officer for a company called uLocate Communications 
Incorporated. Seated next to Mr. King is Mr. Tony Bernard. He 
is the vice president and the general manager of a corporation 
called Useful Networks. And next to Mr. Bernard is the senior 
vice president and general counsel for the CTIA-The Wireless 
Association. And last but not least, Ms. Anne Collier, who is 
with the organization ConnectSafely. Again, I want to welcome 
each and every one of you for appearing before us today, and I 
must note to you that it is the practice of this subcommittee 
to swear in witnesses. So I would like if you would please 
stand and raise your right hand.
    [Witnesses sworn.]
    Mr. Rush. Let the record indicate and reflect that all the 
witnesses have answered in the affirmative.
    Now I will recognize each one of the witnesses for 5 
minutes. I want to note that our timer is technically 
incapacitated this morning so we are going to have to do it the 
old-fashioned way. We are going to have to guess. So each one 
of you are recognized for 5 minutes or thereabouts. So 
beginning with you, Mr. Morris, please, your opening statement.

 TESTIMONY OF JOHN B. MORRIS, JR., GENERAL COUNSEL, CENTER FOR 
 DEMOCRACY AND TECHNOLOGY; LORRIE CRANOR, ASSOCIATE PROFESSOR, 
 COMPUTER SCIENCE AND ENGINEERING AND PUBLIC POLICY, CARNEGIE 
MELLON UNIVERSITY; JERRY KING, CHIEF OPERATING OFFICER, ULOCATE 
COMMUNICATIONS, INC.; TONY BERNARD, VICE PRESIDENT AND GENERAL 
    MANAGER, USEFUL NETWORKS; MICHAEL ALTSCHUL, SENIOR VICE 
PRESIDENT AND GENERAL COUNSEL, CTIA--THE WIRELESS ASSOCIATION; 
                AND ANNE COLLIER, CONNECTSAFELY

                TESTIMONY OF JOHN B. MORRIS, JR.

    Mr. Morris. Thank you very much, and thankfully, I was able 
to download an app yesterday onto my smartphone that is a 5-
minute countdown timer, so I at least will be able to be on 
time.
    Chairman Rush and members of the subcommittee, thank you 
very much for inviting us to testify on behalf of the Center 
for Democracy and Technology. We applaud the leadership of the 
subcommittee for examining the rapidly evolving area of 
commercial location-based services. We look forward to 
discussing the promises and the privacy risks of these 
services.
    Over the past 18 months, location services have truly 
arrived in the online environment as more and more devices can 
obtain increasingly accurate information. Location has come to 
permeate the online experience and we are seeing an amazing 
array of new and innovative location-based products and 
services. But the easy availability of location information 
also raises a host of privacy concerns. Location can reveal 
very privacy information and can even put users at physical 
risk. Mobile location can reveal, often without user 
interaction, where a person is and what they are doing. It can 
reveal visits to potentially sensitive destinations like 
medical clinics, courts, political rallies or, as I learned 
today, even New England Patriot games. And sadly, we have 
already seen location services abused in domestic violence 
cases.
    Unfortunately, the legal standards for the protection of 
location information are woefully inadequate. Location 
technology simply has outpaced the existing statutory 
protections that Congressman Markey talked about, and they are 
inadequate both in the commercial context as well as with 
regard to standards for law enforcement access to location 
information. Congress must act to strengthen statutory 
protection of location, not only for the sake of protecting 
privacy but also to protect and to promote innovation in online 
services. Clear privacy rules are a prerequisite to the growth 
and success of this valuable part of our industry.
    My written testimony describes several technical methods to 
determine location of a mobile device, but let me just 
highlight one critical fact. In the old days, say, 3 or 4 years 
ago, most location determinations involved a cellular carrier 
that provides the phone service to the device being located. 
But in the past few years that has all changed. While carriers 
are continuing to offer innovative location services, many 
other service providers also offer location service and they 
can do so wholly without the cooperation or even the knowledge 
of the cellular carrier. For example, Skyhook Wireless offers a 
service that can locate this device in this room based solely 
on the WiFi access points that are visible in this room, and 
through wireless Internet access, my device can send my 
location to any Web site or service on the Internet. Thus, 
anyone from mom-and-pop Web sites to Starbucks can offer 
location-based services wholly without the involvement of a 
cellular carrier. All a Web site really needs to do is to add a 
small portion of JavaScript code onto the Web site and they can 
enable location services on their Web site, which brings me 
back to the legal standards to protect the privacy of location 
information.
    As Congressman Markey noted, commendably, Congress enacted 
the CPNI rules to protect customer proprietary network 
information and included location information. But as has been 
noted a number of times in your opening statements, those CPNI 
rules only apply to telecommunications carriers offering voice 
services, and today many of the new and innovative location 
services operate completely outside of the reach of the CPNI 
rules. And unfortunately, without a statutory mandate to 
protect location information, some location service providers 
have been slow to do so. Some in the industry are very closely 
attentive to privacy but others are not.
    CDT believes that Congress can help protect location 
privacy in at least two ways. First, as Congress contemplates 
enacting baseline consumer privacy legislation, as has been 
discussed, we believe that location data should definitely be 
included as part of the broader framework governing sensitive 
user data. And second, and of relevance even to the Commerce 
Committee as well as the Judiciary Committee, whose room we are 
borrowing today, we believe it is vital for Congress to improve 
the standards for location access by government and law 
enforcement agencies. By clarifying the standard, there is an 
ongoing battle right now in courts about what the appropriate 
standard is for law enforcement access, and by clarifying the 
standard, we can address some of the concerns that carriers 
have about access.
    So all of these points were made in more detail in my 
written testimony and I hope to be able to answer any questions 
you might have about these issues. Thank you very much for the 
opportunity to testify.
    [The prepared statement of Mr. Morris follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Rush. The Chair recognizes Professor Cranor for 5 
minutes for opening statement.

                   TESTIMONY OF LORRIE CRANOR

    Ms. Cranor. Chairmen Boucher and Rush, I thank you for the 
opportunity to testify today. My name is Lorrie Cranor. I am an 
associate professor of computer science and of engineering and 
public policy at Carnegie Mellon University. I have been asked 
to testify about privacy issues associated with the use of 
location information for commercial purposes.
    Location-based services use a variety of technologies to 
acquire a user's location based on the current position of cell 
phone, computer or other device. These technologies typically 
use triangulation to locate the device based on signals from 
GPS satellites, cell towers or WiFi access points, often within 
a few hundred feet. Cellular providers can obtain location 
information of mobile phones in that manner even when the 
phones are not being used to place a call. The Internet address 
of a user's computer can also be used to determine an 
approximate geographic location, typically at a city level.
    In April 2009, we conducted a survey at CMU to understand 
consumers' perceptions of location-sharing services. We asked 
participants about the degree of harm or benefit they 
associated with each of 24 scenarios. Participants rated 
finding people in an emergency as the scenario with the most 
significant benefit. Other highly beneficial scenarios included 
being able to track one's children and relatives, finding 
information based on one's location, and checking to see if 
people are OK. On the risk side, participants had significant 
privacy concerns. They saw great harm in scenarios involving 
stalking or revealing one's home address. They were also 
concerned about being found by people one wants to avoid or 
when one wants to be alone, having others intrude on one's 
personal space and being tracked by the government, and also 
receiving location-based ads.
    We then evaluated 89 location-sharing applications and 
systems to determine the types of privacy protections that each 
one offered. We found that most of these applications provided 
fairly limited privacy concerns, and about a third of them did 
not even provide readily accessible privacy policies on their 
Web site. Some location-sharing applications had generic 
privacy policies that don't explicitly mention location. Others 
mention that they provide privacy controls but in order to see 
what controls are provided, a consumer has to actually use the 
service. Most of the applications with privacy controls 
required users to click multiple screens to reach the privacy 
settings.
    Some of the privacy controls that allow users to specify 
that their location information should be shared only with 
their friends rather than with the general public turn out to 
actually have exceptions. For example, many services have a 
simple privacy switch. It looks very simple. It says on and 
off. But in one service we examined, text positioned four 
paragraphs below the switch mentions that there are actually 
two exceptions in which location information will be shared 
even when the privacy switch is not set to share information.
    Our research at Carnegie Mellon has explored offering fine-
grained and expressive privacy controls. The Locaccino system 
we developed allows users to specify location-sharing rules 
based on time, location and the person making a location 
request. For example, I have set up a rule that allows students 
to find my location when I am on campus so they can determine 
if I am in my office or teaching in another building. Another 
rule allows my family members to locate me at all times and 
locations. And another rule allows people I work with to locate 
me between 8 a.m. and 6 p.m. on weekdays. Locaccino is not 
being used for advertising, but a similar approach could be 
used to control when and where location information is used for 
location-based advertising.
    Our research suggests that Internet users are definitely 
concerned about their location privacy but that most currently 
available location-sharing services do not do a good job 
informing them about how their location information will be 
used or provide users with expressive location privacy controls 
and privacy protective default settings. Thus, additional 
privacy protections may be necessary.
    While the CTIA best practices offer a useful framework that 
requires notice and consent about location use, they do not 
specify form, placement, manner of delivery or content of 
notices nor do they provide enforcement. Thus, while users may 
opt in to a service by signing up for it, they may not realize 
what they are getting themselves into. As the Web site 
pleaserobme.com suggests, users may not think through the 
implications of broadcasting their location information to the 
public or even be aware that a service makes their location 
information public. Indeed, the CTIA best practices do not 
discuss what should happen when location information is 
disclosed publicly.
    Even when users understand and are comfortable with the 
commercial use of their location data, the use of this data 
without a warrant by law enforcement has troubling 
implications. Due to the way cellular technology works, the 
widespread use of cell phones enables large-scale round-the-
clock surveillance of citizens. It is important that the 
storage of individual location data be minimized and that 
protections be put in place to limit when it can be disclosed.
    Finally, it is important to realize that techniques to 
deidentify personal information may not be effective when it 
comes to location information. Even when a person is not 
identified by name, her location trails may be used to identify 
her. Since most of us go to a particular location for work each 
weekday and a particular location to sleep each evening, with 
only a few days of location trails information combined with 
other publicly available information, it becomes possible to 
identify most people. Thus, users who try to hide behind made-
up names may still unwittingly be identifying themselves when 
they make their location information public. Thus, it is 
important that privacy be considered from the beginning in the 
design of location-based services and that users of these 
services are fully informed about the privacy implications of 
their use.
    Thank you for inviting me to testify today. I look forward 
to answering your questions.
    [The prepared statement of Ms. Cranor follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Rush. Thank you very much.
    The Chair now recognizes Mr. King for 5 minutes for the 
purposes of an opening statement.

                    TESTIMONY OF JERRY KING

    Mr. King. Thank you, Mr. Chairman and members of the joint 
committee for inviting uLocate here today to discuss the use of 
location information in commercial software applications. What 
I hope to accomplish this morning is to provide you with an 
example of how such information can be used to benefit the 
consumer in the form of a mobile location search application 
within a privacy-sensitive business model.
    To start, please allow me to tell you a little bit about 
uLocate's mobile application WHERE and how we use location. We 
launched WHERE in 2007 and have since become a top provider of 
mobile local search content that informs, entertains and helps 
consumers save time and money. WHERE's popularity is 
demonstrated by millions of downloads on top phones such as the 
Android and iPhone and BlackBerry and feature phones on most 
North American carriers including AT&T, Sprint and T-Mobile.
    Local content available through WHERE includes everything 
from the weather, news, traffic, coffee shops with WiFi, you 
name it, plus we have integrated a variety of Yellow Pages 
search providers to further expand the information available at 
the consumer's fingertips. WHERE also helps people reach their 
destinations with easy-to-use maps and directions.
    In addition to providing local content and search services, 
WHERE enables brands and advertisers to reach a local audience 
through contextually and demographically targeted ads. 
Interestingly, as we move from displaying non-location-based 
banner ads last year to more targeted advertising, we began to 
receive positive feedback from our users. As opposed to 
expressing frustration with generic or irrelevant banner ads, 
our users commented that our new style ads were positive 
additions to their experience. In other words, ads and offers 
for local businesses that make sense within the consumer's 
experience turn out to be viewed as value-added content.
    We also noticed that such ads generated more revenue for 
uLocate. For example, by using location, time of day and other 
factors, we know that an ad for a local service station inside 
of a traffic widget has a higher click-through rate. Similarly, 
ads for local pizza shops at lunchtime perform very well.
    Next, I will provide you some details about how WHERE 
collects location information. WHERE employs several location 
technologies such as GPS, WiFi and network-based location to 
determine the consumer's whereabouts. When a consumer starts 
WHERE for the first time, they are informed that WHERE will 
attempt to get their location. Consumers that are concerned 
about this can also choose not to allow WHERE to get location 
automatically. Consumers within WHERE always have the option to 
manually set their location either to their actual position on 
the planet or someplace else at any time for any reason.
    WHERE users can also control location accuracy. For 
example, if the user chooses to update their location within 
WHERE, they are presented with a list of options ranging from 
zip code to GPS fix. For many search activities, zip code is 
more than sufficient while a street address may provide a more 
optimized experience for other functions. Once the location of 
the consumer's handset is updated, we cache that new location 
on the consumer's handset. When location is sent from a handset 
to our backend service as part of a service request as in a 
search, the location data is encrypted.
    Having processes and policies that address collection and 
storage of location information is important but is only part 
of our approach to protecting consumer privacy. I would also 
like to address the issue of sharing location information, 
unlike some location-based services in market where it does not 
allow anyone to pull or monitor or track the location of anyone 
else. We also do not allow the automatic posting of locations 
that allow others to track a WHERE user's location. Lastly, we 
do not share personally identifiable location information of 
WHERE users with any third parties. Having a well-defined and 
trusted application with respect to these three behaviors has 
been a cornerstone of our approach to protecting consumer 
privacy within WHERE.
    WHERE does allow users to publish or push their location to 
others within certain user-controlled functions such as reviews 
or check-ins. This is done to provide the consumer with the 
ability to generate location-specific content such as a 
restaurant review and post that content on a variety of social 
networks such as Facebook.
    I hope this statement has provided you with some insights 
into what we consider a well-behaved location-based 
application. In sum, we use location to deliver beneficial 
consumer experience and we put the consumer in control of both 
managing their location information and sharing it with others.
    Thank you for the opportunity to speak with you today. I 
look forward to your questions.
    [The prepared statement of Mr. King follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Rush. The Chair now recognizes Mr. Bernard for 5 
minutes.

                   TESTIMONY OF TONY BERNARD

    Mr. Bernard. Thank you. On behalf of Useful Networks and 
the location industry, thank you to your respective committees 
for their time and my fellow witnesses for their time in this 
important topic.
    I am Tony Bernard, vice president and general manager of 
Useful Networks. Useful Networks is a Denver-based company that 
delivers innovative local location-based services to consumers, 
wireless carriers, application developers and mobile marketers. 
We were founded in July of 2006 and are focused on location 
aggregation and enablement, providing a location clearinghouse 
and related services with our PlaceWhere platform. Useful 
Networks is a wholly owned subsidiary of TruePosition, the 
global leader in location determination and intelligence 
solutions that help protect citizens, combat crime and save 
lives.
    A location aggregator provides its third-party partners 
with location connectivity to a variety of sources including 
wireless carrier infrastructure. Aggregators may also offer 
privacy management like Useful Networks does to complement the 
location connectivity we provide. To the gentleman's points 
earlier, this platform is both forward looking and adaptable in 
that it offers a multi-tiered privacy framework to enable 
compliance with the current and future requirements for access 
to and use of an end-user's location information. PlaceWhere 
ensures compliance with privacy best practices as manifested by 
a variety of stakeholders including industry and government 
entities, wireless carriers and most importantly, consumers.
    My focus today is to talk about location-based advertising. 
A few of the players in the location-based advertising value 
chain include publishers, which own and manage content portals 
via which audience is aggregated and into which mobile 
advertisements be published. An example of the type of 
application publisher would be uLocate and their WHERE 
application. We also work with ad networks who aggregate 
publisher inventory and sell ad campaigns. Examples of those 
would include Quatro and Millennial Media. We work with ad 
exchanges who aggregate ad networks for publishers, enabling 
them to serve the most profitable ads from the available 
networks.
    Additionally, ad agencies play a role in location-based 
advertising. They buy advertising from ad networks, assign 
creative campaigns and sell their brands. Examples of these 
would include traditional ones such like Saatchi and Saatchi as 
well as emerging digital agencies like Razorfish. And finally, 
there are location enablers like Useful Networks who endeavor 
to establish rules by which others can engage in location-based 
advertising and ensure they are complied with.
    So it is important to talk briefly about the state of 
location-based advertising in the United States. The CTIA 
published a set of best practices and guidelines for use of 
location services in 2008 fundamentally predicated on the two 
principles of user notice and informed consent. Specifically, 
the ability to use a consumer's location to provide a location-
enhanced advertisement is fundamentally predicated upon an 
explicit opt-in where such consent is provided by the consumer 
on an informed basis with respect to if, how, when and by whom 
their location information may be used. Consumers may 
subsequently opt out of their location being used for such 
purposes.
    Whereas wireless carriers tend to rigidly enforce these 
principles, to the earlier points raised, the emerging devices 
carrier category, examples of which would include the iPhone 
and Nexus One devices, do not yet fall under the auspices of 
these guidelines, and what we see now is what could be 
perceived as a regulatory gap where consumers can have very 
different expectations and experiences with the same 
application if that application is on a carrier device versus a 
non-carrier-controlled device. I look forward to talking more 
about that topic.
    Another significant evolution in location-based advertising 
is the emergence of the check-in model. The emerging check-in 
model is enabling the transition from passive to active 
location sharing. Where passive is typically location tracked 
by the network, active is the consumer making a choice to share 
that location information. Examples of these include 
applications like BrightKite, Foursquare, Gawala, and MyTown. 
It is anticipated that these check-in capabilities will become 
an even more ubiquitous feature across a wide variety of 
location-based applications and services in the near future and 
it will be important to understand implications to these.
    Another component of the state of location-based 
advertising is how location context is enabling a transition by 
advertisers from paying for impression-based campaigns to 
performance-based campaigns. Mobile devices in general and 
location-aware devices specifically add significant context for 
advertisers. This context is unavailable via traditional 
advertising channels such as print and online advertising. 
Combining this context with mobility creates new opportunities 
for advertisers to improve the efficiency of their advertising 
spend by focusing on conversion.
    A few examples of location-based advertising. Useful 
Networks, launched a trial in 2009 working with a tier one U.S. 
carrier and an advertising network which in turn worked with a 
major fast-food chain and a major automotive company to launch 
two location-based advertising trials which were centered 
around a store finder page and were designed to test and prove 
the added benefits that location enablement brings to mobile 
marketing campaigns. These trials resulted in a yield of three 
times as many store finder page views as compared to the number 
of page views when the end-user was asked to enter their zip 
code.
    Another trial we are preparing to commence is with a 
company called Mobox. Mobox is a location-based mobile ad 
platform that serves ads into mobile content, reaching over 30 
million unique U.S. mobile users. Useful Networks is providing 
location connectivity and privacy management to enable location 
targeting via Mobox's platform.
    Again, I would like to thank their committees for their 
interest and attention to this important topic and look forward 
to talking about these issues in more earnest during the future 
testimony. Thank you.
    [The prepared statement of Mr. Bernard follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Rush. Thank you.
    The gentleman, Mr. Altschul, is recognized for 5 minutes.

                 TESTIMONY OF MICHAEL ALTSCHUL

    Mr. Altschul. On behalf of CTIA, I want to thank Chairman 
Rush and Chairman Boucher, all the members of the two 
subcommittees for the opportunity to testify here.
    My name is Mike Altschul and I have served as CTIA's 
general counsel since 1990. In that role, on behalf of CTIA, I 
have been involved in the development of a number of voluntary 
industry best practices including CTIA's best practices and 
guidelines for location-based services that you have heard the 
other witnesses on the panel describe. I am very proud that 
CTIA and the wireless industry have long been at the forefront 
of efforts to promote location privacy. In the late 1990s, we 
supported the Wireless Communications and Public Safety Act, 
which amended section 222 of the Communications Act to require 
the express prior authorization of the customer for the 
disclosure of the wireless customer's location information for 
location-based services. That really has provided the 
foundation for everything that has followed since.
    In fact, in 2000, following the enactment of the Wireless 
Communications and Public Safety Act, CTIA petitioned the FCC 
to adopt a set of fair location information practices for 
wireless location-based services modeled upon the familiar fair 
information practice principles of notice and consent. More 
recently, as location-based services began to be deployed for 
applications other than E911, CTIA developed the current set of 
best practices to promote and protect the privacy of wireless 
customers' location information. You have heard what they have 
done and you have also heard from the other witnesses that in 
the 2 years since we adopted and developed these best 
practices, as so often happens in the wireless industry, 
technology has overtaken our static assumption and the 
location-based services now being offered turn out to be quite 
different from what had been envisioned just 2 years ago. You 
have heard how the move towards opening platforms including the 
iPhone and the Google Android platform, the introduction and 
overwhelming consumer adoption of smartphones, which include 
their own GPS capabilities, and the increased prevalence of 
GPS-enabled service applications that can be downloaded to a 
handset and enabled without any involvement or knowledge by a 
wireless carrier have combined to make a carrier-centric 
approach to location-based services no longer sufficient for 
guidelines.
    So these factors and the rapid developments of the past 2 
years have led us to reevaluate our guidelines, and as we have 
completed work on the new guidelines, it is our goal to ensure 
there will always be one clearly identified location-based 
service provider with the obligation to inform the user as to 
how location information will be used and disclosed in addition 
to obtaining customers' consent before initiating the service.
    While the scope of the new CTIA guidelines is different, 
the focus is not. The new guidelines will build on the 
foundation we laid 10 years ago by continuing to put a premium 
on user notice and user consent. We believe the guidelines 
offer a meaningful framework for the protection of user privacy 
and we urge policymakers to recognize that the industry's 
willingness to develop best practices and to revise these 
guidelines as circumstances warrant represents the best way to 
balance the needs to promote and protect user privacy while 
also facilitating the deployment of new and innovative products 
and services.
    A call for legislative restraint does not mean there is no 
role for Congress while the industry and technology evolve. 
Congress also has made clear that the express prior 
authorization of the customer is the prerequisite for the 
disclosure of a wireless customer's location information. While 
section 222 on its terms applies only to telecommunications 
carriers, its requirements have been observed by all providers 
of wireless location-based services across all the different 
application levels. As these services continue to evolve and 
develop in both predictable and unpredictable ways, Congress 
has an important oversight role in ensuring that all providers 
of location-based services deliver effective notice and obtain 
consent regardless of the device or technology used so that 
wireless users can continue to exercise informed consent to 
control the use or disclosure of their location information.
    As Mr. Morris mentioned, one area in which we believe 
legislative guidance may be appropriate is a clarification of 
the terms under which location information may be released to 
law enforcement. As you know, just this month in the 3rd 
Circuit, there was oral argument on the issue of what standards 
should apply when law enforcement seeks to gain access to a 
wireless user's location information. Most courts have allowed 
access to stored location records based on a court order and 
demonstrated need, but in the 3rd Circuit, the U.S. Department 
of Justice and privacy advocates argued whether access to these 
historical location records should meet a probable-cause 
standard. Service providers need clarity so as to not be caught 
in the middle of these disputes.
    Finally, we urge Congress to recognize the interstate 
nature of location-based services, the mobile nature of 
wireless users and to take care in whatever framework may be 
adopted to preempt state regulation of these services. A 
uniform national approach presents the best way of protecting 
user privacy and educating and informing wireless customers 
while fostering the innovation, investment and introduction of 
new location-based services by wireless carriers, device 
manufacturers, operating system developers and application 
creators.
    Thank you again for the opportunity to share our views with 
the subcommittees. We look forward to working with you as you 
continue your efforts on this issue.
    [The prepared statement of Mr. Altschul follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Rush. The Chair now recognizes Mrs. Collier for 5 
minutes for the purposes of an opening statement, and she will 
conclude our witnesses' opening statements. Mrs. Collier, you 
are recognized for 5 minutes.

                   TESTIMONY OF ANNE COLLIER

    Ms. Collier. Thank you, Chairman Rush and Chairman Boucher 
and members for me here today. My name is Anne Collier and I am 
co-director of ConnectSafely.org and serving as co-chair of the 
Online Safety and Technology Working Group.
    We have been following location-based services for several 
years now and we don't feel they represent a unique safety risk 
to young social-media users for several reasons that I will go 
into. We do, however, feel particular consideration needs to be 
given to children's privacy as geolocation products and 
services increasingly connect to children's other social tools 
and networks.
    First, some context. U.S. teens now send or receive more 
than 3,100 text messages a month. For them, a text isn't like a 
phone call, it is part of a conversation, part of the ongoing 
flow of their social life, and texting is only one of their 
tools for hanging out online and offline. They also use their 
phones to update their social network profiles, play games, 
snap and upload photos and videos to profiles, and even talk. 
There is as yet no data on teens' LBS use but we know that more 
than 65 million, or about a third, of Facebook users of all 
ages currently access Facebook through their mobile devices, 
and who is all this communication with? Research shows that the 
vast majority of teen social networks, 91 percent, use all 
these tools to socialize with friends they see regularly, 
usually at school.
    We adults think and talk about standalone products and 
services in terms of use but with kids, it is more useful to 
view LBS in terms of child and adolescent development. For 
example, location-based services depend a lot on users' 
mobility and autonomy and involve a certain amount of 
spontaneity. The main objectives are spontaneous in-person get-
togethers and finding good places to eat or drink when you are 
on your own in a city. A user really needs the independence 
enjoyed by an older teen or adult to enjoy LBSs. The mobility 
of a driver's license helps too. Urban youth may have more 
physical mobility without a driver's license but there is no 
reason to believe they have proportionately more freedom from 
adult supervision.
    Meanwhile, LBSs are, to young people, just another twist on 
status updates. The 75 percent of teens owning cell phones now, 
they have for some time had other ways to let each other know 
their plans and whereabouts and they are constantly in touch, 
text messages, updates to social network profiles, Gmail chat 
and instant messages, to name a few. They are always in touch 
with each other. And remember, the operative phrase is ``each 
other.'' Virtually all of this communication is with known 
peers.
    Still, understandably, the most visceral and concerning 
risk associated with location-based and all Net services is 
predation. So let us go into that a little bit. Research about 
LBS use is needed in this area too but we do already know a lot 
about youth risk online. First, not all youth are equally at 
risk. The young people most at risk online, on phones are those 
most at risk already offline, and a child's psychosocial makeup 
and home and school environments are better predictors of risk 
than any technology a child uses.
    Second, the risk of Net-related predation is extremely low 
relative to real-life risk, according to David Finkelhor, 
director of the Crimes Against Children Research Center. In a 
report just last spring, Dr. Finkelhor and his co-authors 
wrote, ``There is no evidence that online predators are 
stalking or abducting unsuspecting victims based on information 
they posted at social networking sites.'' A recent study of how 
teens deal with strangers in a social site found that 92 
percent of those who had received sexual solicitations had 
responded appropriately, ignoring, blocking or reporting the 
sender.
    Finally, a quick snapshot of an emerging privacy challenge. 
Because Google Buzz is brand new and a hybrid of LBSs, Gmail, 
microblogging and social networking, we are all at the early 
stages of figuring out its implications for kids, a lot of whom 
use Gmail. Charlene Lee, a mom and well-known industry analyst 
in San Francisco, blogged just this past Sunday that she 
discovered her 9-year-old daughter was using Buzz with her 
friends. They had only had one conversation so far but they had 
no idea their conversation was public. She thought about just 
disabling Buzz on her daughter's computer but the kids were 
enjoying it so much that Lee decided she would let her daughter 
keep going if all the kids kept the conversation private. And 
there is the rub. Ensuring that all the girls keep it private 
will be a project for her, probably involving communication 
with all the other parents.
    Privacy is now a collective effort on the part of users 
every bit as much as providers in this user-generated medial 
environment. It is a negotiation among users in a peer group 
sharing thoughts, tagging photos, et cetera. Privacy protection 
is user generated too, not just a matter of privacy features. 
This is going to take a lot of consumer education by us NGOs 
and the industry and government.
    This issue also points to the impact on children's, 
everybody's privacy of combining social media products within 
companies across devices and platforms and then across users' 
networks like Facebook Connect. A lot of consumer education is 
needed with support from industry best practices. Thank you.
    [The prepared statement of Ms. Collier follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Rush. The Chair now yields to the chairman of the 
Telecommunications Subcommittee, my friend, Mr. Boucher.
    Mr. Boucher [presiding]. Well, let me thank our witnesses 
for their statements this morning and for your participating in 
our hearing and informing us on your well-studied views with 
regard to location-based services and privacy as associated 
with them. I have a series of questions I will propound to the 
witnesses but I want to say a word of welcome first to Mr. 
Whitfield from Kentucky, a friend of long standing, who is the 
new ranking Republican member of the Subcommittee on Consumer 
Protection and just say to him how much I look forward to 
working with him on privacy matters.
    The Communications Act requires opt-in consent before 
telecommunications carriers can disclose geolocation 
information but there is no federal statute or regulation that 
governs privacy rights associated with non-carriers who come 
into possession of that information whether they collect it 
themselves or whether they receive it from someone who does, 
and I am wondering what our witnesses would say to this 
question. Has the time arrived for Congress to adopt a statute 
that applies a consent requirement with respect to geolocation 
services information, not only to telecommunications carriers 
but to others who come into contact with that information? Let 
us begin with Mr. Morris.
    Mr. Morris. My answer to that question is a very short yes 
but with a qualification to say that we would certainly urge 
Congress to do just what you said and focus careful attention 
on location but we would hope it would be in the context of a 
larger privacy bill as opposed to a sectorially focused bill 
just on location itself. I mean, we have an anomalous situation 
in this country where my video rental records are more 
protected than my e-mail on Gmail and that to us doesn't make 
sense, so we hope that the work you do on location privacy is 
in the context of a broader baseline privacy bill.
    Mr. Boucher. I couldn't have provided a better answer 
myself. Thank you. I think you can expect to see this measure 
emerge as part of a larger legislative item.
    Mr. Altschul, I want to commend CTIA for the adoption of 
your series of best practices, guidelines and recommendations. 
I have a couple of questions for you. First of all, can you 
tell me the percentage of your carriers that are part of CTIA 
who are complying with your guidelines and recommendations at 
the moment?
    Mr. Altschul. We believe that all of the carriers are 
complying with the guidelines, which were intended to build on 
the principles in section 222(f) and they provide guidance and 
examples for how to convert----
    Mr. Boucher. So you think you have 100 percent compliance?
    Mr. Altschul. We do, for the carriers that are supporting 
these services.
    Mr. Boucher. I want to give you an opportunity to respond 
to some of the statements that Professor Cranor in her 
testimony made. I missed her oral testimony but her written 
testimony, which I have reviewed, suggests that your voluntary 
guidelines could be sharpened a bit, and I want you to respond 
to this. She says that they do not specify the form, placement 
or content of notices, there is no mechanism for enforcement 
within our guidelines, there are no assurances that the 
location-based service providers follow the practices--that is 
kind of a subset of the previous comment--and your guidelines 
as they specify the disclosures that the carriers should make 
are somewhat confusing and might lead to different kinds of 
disclosures being made with regard to the same kind of 
information among the various different carriers. Would you 
like to respond to those comments?
    Mr. Altschul. Yes. Thank you. First, by design, our 
guidelines do not provide a one-size-fits-all set of guidance 
or statements because the applications that fall within both 
the guidelines and, more importantly, the category of location-
based services, do not fit one category. Certainly there is a 
very different set of privacy and customer expectations 
associated with a one-time query for a concierge-type service, 
where is the nearest gas station, to a continuing social 
networking application that links users by consent to one 
another's location. So rather than specifying one kind of 
notice, which we don't think would be appropriate across the 
broad spectrum of services, our guidelines address the fact 
that the notices should be tailored to the type of location 
service. I view that as a strength rather than a weakness in 
the guidelines.
    As for not all of the applications that were in her survey 
following even rudimentary privacy practices and notices, we 
recently did a survey that didn't purport to be scientific. We 
actually went to the Web sites of some of the application 
service providers, created a snapshot of what is being 
provided, and there is a range of notice and consent and 
privacy statements. We submitted this paper to the Federal 
Trade Commission last month for their privacy workshop.
    But through guidelines--and this will get to your question 
about the lack of enforcement--the industry and all of the 
participants in the industry, carriers and application 
providers alike, play a very important role in educating 
themselves and their customers as to what they should expect 
and should insist upon in using any kind of application 
location-based service, and that is the primary role of 
industry guidelines. We are not being codified in Title 18 of 
the U.S. Code. We are trying to understand the issues----
    Mr. Boucher. Well, in the interests of time, Mr. Altschul--
I am intrigued by your answers, I would like to hear more, but 
my time is expiring. Let me just suggest this. It might be 
helpful if you review Professor Cranor's comments and consider 
modifying your guidelines to the extent that you can sharpen 
them so that they provide greater clarity to the carriers, 
particularly on what kinds of disclosures the carriers should 
make with regard to services, to the information they come into 
contact with. I think it might be helpful. Would you be willing 
to consider doing that?
    Mr. Altschul. Absolutely.
    Mr. Boucher. I have one further question. My time has 
expired. I intend to be generous with the other members in 
terms of their time for questions as well.
    Mr. King, Mr. Bernard, let me just pose this question to 
you. Do you think that your customers are aware of the 
secondary uses that your services are making of the geolocation 
information about them, and do they have a reasonable 
expectation based on information that is made available to them 
that their geolocation information is going to be used by 
advertisers in order to target advertising to them. Mr. 
Bernard, Mr. King.
    Mr. King. Thank you, Mr. Chairman. One way to answer that 
is that the location information goes out to an advertising 
network and requests an ad so the location is just--it is not 
personally identifiable so that there is no information about 
that consumer going to the advertiser. We are selecting from an 
inventory of ads and then bringing them in and showing what we 
think are the most appropriate ad, given that context.
    Mr. Boucher. Well, that is understood, but the question is, 
does that person have a reasonable expectation that those 
events are going to happen, that the advertisers are going to 
be marketing to them based in part on their location?
    Mr. King. Yes. We have a location-based application that is 
both free and ad driven where you can pay a subscription fee so 
they are free applications we believe that consumers expect to 
be ad driven, so the short answer would be yes to that.
    Mr. Boucher. Mr. Bernard.
    Mr. Bernard. Thank you. Useful Networks does not support 
secondary uses to now, as I think about them, where secondary 
use is using that location subsequently beyond that for which 
you have already provided notice. So specifically in our mind, 
we provide primary use, and an example of that is our location-
based advertising trial. End-users were presented with a banner 
ad on the mobile Web site enticing them to click on it to see a 
viewer location or a quick serve burger location near them. The 
next page they saw explicitly said please allow us to use your 
location to provide a list of stores near you, and only if they 
clicked were they provided----
    Mr. Boucher. All right. That is very clear. Thank you. Mr. 
King and Mr. Bernard, I just want to pose one further question 
to you, and it is the same question I asked Mr. Morris at the 
outset. Is it time that we had a federal statute in order to 
provide a uniform set of standards across applications, not 
just for the telecom carriers but for those who are providing 
applications, selling applications, using applications as well?
    Mr. King. I would say in general, yes.
    Mr. Boucher. Thank you. That is a great answer. That is 
what I am looking for.
    Mr. Bernard?
    Mr. Bernard. It should be a uniform set of practices, not 
necessarily legislation.
    Mr. Boucher. Well, OK. That is half a loaf. Thank you all 
very much.
    The gentleman from Kentucky, Mr. Whitfield, is recognized 
for his questions.
    Mr. Whitfield. Thank you, Mr. Chairman.
    And Mr. Bernard, I didn't hear the last part of your 
answer. Would you repeat that for me?
    Mr. Bernard. The last part of that more specifically spoke 
to self-regulation. We believe there are certainly business 
incentives both on the part of the distribution centers, 
whether they are carriers or device manufacturers, as well as 
on consumers in that they won't use services where they feel 
like their privacy is not respected.
    Mr. Whitfield. Well, everyone----
    Mr. Bernard. We do agree with a level playing field.
    Mr. Whitfield. Everyone on the panel has had the 
opportunity to answer that question except a few. Professor 
Cranor, what is your position on Chairman Boucher's question?
    Ms. Cranor. Yes, I think that it is probably time to have 
some legislation to have some privacy rules, but like Mr. 
Morris, I think that we shouldn't have a very narrow view on 
just location if we are going to set privacy rules, that there 
is a need for more general privacy legislation.
    Mr. Whitfield. And Ms. Collier, what is your position?
    Ms. Collier. I agree with that. I think it is time to 
update privacy law but, you know, it needs to coordinate with 
COPPA, the Children's Online Privacy Protection Act, but it 
shouldn't refer to just a single technology.
    Mr. Whitfield. And Mr. Altschul?
    Mr. Altschul. Well, we certainly endorse the idea of a 
level playing field and the consumers don't have to guess as to 
what their privacy rights are. We are always concerned that 
despite the best of intentions, when these principles are 
codified, either technology or unintended consequences will get 
in the way.
    Mr. Whitfield. Professor Cranor, in your testimony you 
talked about a system that was developed at Carnegie Mellon, 
and I am not sure the pronunciation but is it Locaccino? 
Locaccino. Now, how widespread is that type of technology being 
used?
    Ms. Cranor. So our particular system is a research system 
that is being used by a thousand people. It is similar 
technology to what is being used by commercial providers. The 
main difference is that we have gone out of our way to provide 
privacy controls at a very fine-grained level for people who 
use it.
    Mr. Whitfield. I see. And, you know, this is deviating a 
little bit from the technical aspect of this but also I found 
it interesting in your testimony, you said in your survey, we 
found that most of our participants did not expect that 
location-sharing technologies would be all that beneficial to 
them, and then that they did have significant concerns about 
their privacy when sharing their locations online. So what is 
your overall conclusion of that? It sounds like to me this is a 
service that is really not all that beneficial but----
    Ms. Cranor. Well, so what we found is that the general 
public for the most part doesn't understand why they would want 
location-based services. Now, there are plenty of people who 
have adopted them who do get it and they say yes, this is 
useful to me and I want to use them. But they are right now the 
minority of the population.
    Mr. Whitfield. So you found most people just simply were 
not aware of the benefits of it?
    Ms. Cranor. Right. They don't find it beneficial, and when 
we talk about this with people, you know, the notion that there 
is a map and there is a pinpoint and that is me on it, that 
really scares people.
    Mr. Whitfield. Right. I would just ask you, Mr. Morris, let 
us assume for the moment that we are going to regulate Internet 
privacy. Should the FCC do the regulating or should the FTC do 
the regulating or should different regulators govern different 
parties?
    Mr. Morris. Well, we would suggest that the FTC is probably 
the better place to go for two independent reasons. One, the 
FTC has a very long track record and experience in looking at 
consumer privacy issues, and they have already through a number 
of workshops over the years have been looking specifically at 
location privacy. And secondly, the FCC is frankly really not 
the federal Internet commission. It really doesn't have a broad 
mandate to regulate the Internet. It doesn't frankly have 
regulatory experience at the application layer. It is obviously 
critically important at the lower layers of the communications 
stack and so, you know, its regulation of telecommunications 
carriers and underlying broadband services is clear and 
appropriate but it doesn't really have as extensive experience 
in the privacy area at the applications layer as the FTC does.
    Mr. Whitfield. Thank you all, and I see my time is expired.
    Mr. Boucher. Thank you, Mr. Whitfield.
    The gentlelady from Florida, Ms. Castor, is recognized for 
5 minutes.
    Ms. Castor. Thank you, Chairman Boucher.
    Mr. Altschul, I thought it was interesting, you said that 
even though all of your members are adherent to best practices 
that technology has overtaken best practices. So I guess in 
effect you are conceding that given how valuable the location 
data could be to marketers and it is to advertisers, that 
industry self-regulation is not realistic.
    Mr. Altschul. No, what I meant to convey by saying the 
technology has overtaken our guidelines, our guidelines just 2 
years ago were carrier centric. Carriers were clearly covered 
by section 222 of the Communications Act. That was before the 
introduction of iPhones and introduction of smartphones that 
have their own GPS receivers and before the broad adoption of 
WiFi public access points. What surprised the experts in the 
industry was how quickly the landscape changed in using this 
technology so that as you heard from everyone on the panel and 
many of the opening remarks today, increasingly location-based 
services and applications do not touch a wireless carrier's 
network. They have no knowledge of the application being used. 
What we have done is, we have gone back and in effect broadened 
our guidelines so that they are no longer going to be carrier 
centric but provide the same touchstones of consumer notice and 
consent regardless of whether the application runs with a 
carrier's knowledge or not.
    Ms. Castor. So I think you stated clearly, you see your 
responsibility and your membership educating the consumer. Does 
that need to be something that is promoted in a specific sort 
of way as we develop new consumer consent provisions?
    Mr. Altschul. I think that is the responsibility for all of 
the stakeholders, the industry, public policymakers, educators 
and the like, yes.
    Ms. Castor. Ms. Collier, could you touch on what are some 
of the innovations in the arena of emergency services? Are we 
doing enough there as the law? Do we need to focus on any 
specific provisions in updating that?
    Ms. Collier. Emergency services and helping children be 
found?
    Ms. Castor. The children's angle is really your area of 
expertise.
    Ms. Collier. Yes.
    Ms. Castor. Who best on the panel can address whether or 
not we need updates when it comes to emergency services in 
relation to LBS? Mr. Morris, go ahead.
    Mr. Morris. I am always game to try to answer a question. 
You know, the emergency--and I have actually worked in 
technical standard-setting bodies on the transition in the 
emergency system from the old analog system to kind of a new 
IP-enabled Internet protocol-enabled, system, and the emergency 
community is very aggressively trying to make that transition 
but it is a very costly transition, and so I believe, my 
perception is that the FCC and the emergency community is 
actually proceeding at a fairly healthy pace to make the 
transition to IP-enabled emergency services and ultimately, you 
know, I think that some years from now, a couple of years from 
now, we really will have the ability to both dial 911 on this 
device and then take a picture of the auto accident that 
happened so that the emergency response facility can actually 
see the situation even before they send their responders. So my 
perception is that we are in fact making that transition, it is 
going to be a costly transition because there are lot of public 
service answering points, PSAPs, that are not currently 
technically and physically set up to do IP-enabled services 
like that. But the transition is underway.
    Ms. Castor. Any other comments on that?
    Thank you. I yield back.
    Mr. Boucher. Thank you, Ms. Castor.
    The gentleman from Florida, Mr. Stearns, ranking member on 
our Telecom Subcommittee, is recognized.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Morris, I was watching the television back in my office 
and I saw that the gentleman from Kentucky asked you about 
jurisdiction and about whether the FCC or the Federal Trade 
Commission should be involved, and I think your statement was 
that the jurisdiction for the Internet should be the Federal 
Trade Commission. Is that what I am to understand you said?
    Mr. Morris. Well, really, my position would be more that 
the jurisdiction of a privacy should be at the Federal Trade 
Commission. Frankly, I would urge that the Internet generally 
speaking doesn't need to have a designated agency that has 
broad jurisdiction over it. It really is a success story of 
non-regulation, and Congress in 1996 in section 230 of the 
Communications Code really set out its policy of having the 
Internet grow and develop without regulation.
    Mr. Stearns. All right. Let us assume what you are saying 
is that the privacy on the Internet--as you know, the FCC now 
has taken steps to address what they perceive as a problem and 
they have called it Net neutrality. I call it Net regulation. 
Based upon what you said dealing with privacy, would you agree 
with me that perhaps the FCC does not have the jurisdiction to 
regulate with its promulgating a Net Neutrality under the same 
assumptions that you made from the gentleman from Kentucky that 
privacy should be under the Federal Trade Commission and the 
FCC has no jurisdiction over it?
    Mr. Morris. Well, let me----
    Mr. Stearns. Would that be a fair statement?
    Mr. Morris. No, it wouldn't, Your Honor, if I could--Your 
Honor----
    Mr. Stearns. I was hoping you would say yes.
    Mr. Morris. If I could explain, let me answer it by saying 
that the Internet first grew up in a dial-up world where it 
rode on top----
    Mr. Stearns. I need you to be concise, so you say no. But 
let me ask you----
    Mr. Morris. I think I can offer a one-sentence answer.
    Mr. Stearns. So I am just trying to sort of pigeonhole you 
here.
    Mr. Morris. I appreciate that.
    Mr. Stearns. OK. So your argument was, the Internet grew up 
without regulation, you talked about in 1996, and how the idea 
was not to have regulation and let it expand without 
interference. That is what you said. And then you indicated 
that privacy should be under the Federal Trade Commission 
rather than the FCC. So would it be fair to say that any type 
of regulation of the Internet should not come through the FCC?
    Mr. Morris. I think it is appropriate for the FCC to 
regulate the underlying telecommunications platform on which 
the Internet runs.
    Mr. Stearns. Phones, cable, broadcasting but not the 
Internet itself?
    Mr. Morris. Not the applications and services that ride on 
top of----
    Mr. Stearns. OK. That is good enough for us. We appreciate 
your opinion. Let me follow up. You described a potential risk 
of location data being stored and used well into the future. Is 
there harm if the information is not tied to an individual? How 
often is the identity of the user known to the application 
provider and what information can an application provider 
gather about a consumer's identity and his or her habits?
    Mr. Morris. Well, certainly if information is truly 
deidentified and anonymized, it presents less concern. But as 
Professor Cranor noted, there is a unique individual in this 
world who lives where I live and works where I work and so 
tracking my location over time could easily be tracked back to 
me through that. So I do think there are very serious concerns 
about retaining location over a longer period of time beyond 
the use that it is first obtained for.
    Mr. Stearns. Professor Cranor, location-based services are 
still I think in their infancy with their development and we 
just don't know where it is going to go from here. Would you 
believe that the federal government should address with 
regulation some of the new technology concerns that could 
possibly even hinder the development of future benefits? In 
other words, if we step in right now, is it a concern of yours 
that we could actually hinder this infancy type of industry and 
you might even say in your best mind where this industry will 
be 10 years from now, 5 years from now.
    Ms. Cranor. So I agree that the industry is in its infancy, 
and it is somewhat hard to predict where it will be but I would 
imagine it will be very different 10 years from now than it is 
today and probably location-based services will be in much more 
widespread use. I think there is always a risk of stifling 
innovation with legislation. On the other hand, I think we do 
have some serious concerns, and rather than waiting 10 years 
and discovering that we are all in trouble, it would be good to 
kind of set things straight from the beginning and really have 
systems built with privacy designed in from the beginning. So I 
would urge you to consider legislating on privacy from the 
beginning and making that part of a more general privacy 
framework.
    Mr. Stearns. If you were me and you were doing a privacy 
bill, what would you suggest as being part of location-based 
privacy? You are writing the bill now yourself.
    Ms. Cranor. Right. Fortunately, that is not my job but----
    Mr. Stearns. Well, just hypothetically.
    Ms. Cranor. But hypothetically, so I think there probably 
should be some limits to the use of location data but also I 
think it is very important to make sure that individuals are 
fully aware and informed of use of their location data and that 
there are robust consent experiences available to them.
    Mr. Stearns. So a person could opt out or opt in? What 
would you prefer?
    Ms. Cranor. I think generally opt in, although I think it 
depends on what you mean by opt out and opt in in this 
situation.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Boucher. Thank you very much, Mr. Stearns.
    The gentleman from Maryland, Mr. Sarbanes, is recognized 
for 5 minutes.
    Mr. Sarbanes. Thank you very much, Mr. Chairman.
    Ms. Collier, I am going to direct these questions to you. I 
guess you can answer them generally when it comes to privacy 
and so forth and particularly with respect to location-based 
services if you want. Would you say that there should be a 
higher standard of privacy at work when you are dealing with 
children as opposed to adults just generally speaking?
    Ms. Collier. Yes, I would, and I think there is a higher 
standard applied right now with the Children's Online Privacy 
Protection Act that is being administered by the FTC.
    Mr. Sarbanes. One of the things that intrigues me is that 
children are the leading edge of the use of technology these 
days.
    Ms. Collier. Some technologies, yes.
    Mr. Sarbanes. Well, they are the leading edge of use of 
many technologies that have significant privacy implications. 
Wouldn't you agree, or not?
    Ms. Collier. Yes, some technologies that would have privacy 
implications. You know, they are not big on Twitter, they are 
not blogging as much anymore. It is a moving target. But, yes, 
absolutely, privacy is a tremendous consideration where 
children are concerned.
    Mr. Sarbanes. I mean, it strikes me that adolescence plus 
technology is a privacy nightmare in some ways.
    Ms. Collier. Yes, and that is what I was basically saying 
in my testimony is that location-based technologies and 
services are not, you know, a unique problem in this area. 
Children are constantly in touch with each other, constantly 
updating their status, their location with each other 
regardless of the technology.
    Mr. Sarbanes. And notification and notice and consent 
provisions or regimes that are established are also ones that 
sort of become like quicksand when you are dealing with kids. I 
mean, for example, Facebook I think has a rule that you have to 
be 13.
    Ms. Collier. Right. Facebook complies with COPPA.
    Mr. Sarbanes. Right. Well----
    Ms. Collier. There are a lot of kids under 13 who use 
Facebook.
    Mr. Sarbanes. Who we kidding?
    Ms. Collier. Right.
    Mr. Sarbanes. Yes. So the kids are going on and 
representing--I guess they have to, I mean, I haven't gone 
through the process--but representing that they are meeting the 
standard when everybody knows that they are not. The teachers 
know. I mean, two-thirds of these classes of 12-year-olds and 
11-year-olds, they are all on Facebook. So I guess what I am 
asking you is, how do we address that issue, which is that to 
me a lot of the privacy standards and expectations we have is 
either wishful thinking or it is a kind of wink-and-nod 
exercise when you lay it against just how compelling and 
seductive and powerful these technologies are, particularly for 
young people, and it makes me feel that it is almost futile, 
not quite perhaps, but to try to establish these things when it 
comes to protection of kids and privacy standards and other 
things, and I just ask you to reflect on that for the remainder 
of my time.
    Ms. Collier. Well, I completely agree that what we are 
dealing here largely with is adolescent and child development 
and behavior, not technology, and that is very, very difficult 
to regulate. I do think that COPPA is a very important sort of 
baseline standard and the FTC is currently reviewing, you know, 
the rules and the enforcement of COPPA, rightfully so, but it 
does effectively protect children's protection under 13. But 
regulation is not the solution here. I really believe that 
consumer education is the solution, and I would love to see 
more thought given to consumer education and product 
development teams, that product development teams and the 
industry would be putting on their parent hats more and that 
consumer education happens right with product launch or when a 
product is in beta. There is no substitute for parental care 
and so consumer education involves both parents and children 
and it has to come through schools, it has to come--you know, 
we can't keep these products and services out of children's 
experience in school either. They are part of 21st century 
education. And therefore to encourage schools to block social 
media from school is absurd because you can't teach swimming 
without a pool and we can't hold back the competitiveness of 
American education. We have got to get technology into schools 
and stop giving teachers an excuse not to teach with social and 
interactive and new media, whatever you want to call it.
    Mr. Sarbanes. That is a great answer. Thank you.
    Mr. Boucher. Thank you very much, Mr. Sarbanes.
    The gentleman from Indiana, Mr. Buyer, is recognized for 7 
minutes.
    Mr. Buyer. Ms. Collier, I want to pick up where you just 
left off. The level of cyber bullying and sexting that is going 
on right now, so for you to make a blanket statement that says 
that, you know, don't take these devices away from kids, I am 
almost to the point as a parent--my children went through 
public school. It has gotten so bad, I would probably find a 
private school that says my children are going to wear a 
uniform and they are not going to have access to technology 
like cell phones during school hours, and that is almost to the 
point where it has gotten.
    Ms. Collier. That would be the easy way. I have kids in 
public school too, 12 and 18, and it would be easy just to ban 
all technology from their lives. But what would that do to 
them? What would that do their social lives?
    Mr. Buyer. I don't believe it is banning it from their 
lives but it is definitely----
    Ms. Collier. Within reason?
    Mr. Buyer. The cyber bullying is really extraordinary that 
is going on right now, or how--I won't get into the sexting 
part of it. Let us just do the cyber bullying for a moment, how 
they can marginalize, isolate and then destroy someone that is 
13 whereby that reputation is everything to them. Also, 
reputation is everything to us. I mean, if you want to talk 
about cyber bullying, be a member of Congress and deal with the 
yahoos that we get to deal with, and I don't mean the Web site 
either. I mean, we experience cyber bullying all the time.
    I am going to pick up on something else Mr. Sarbanes had 
just said. He is absolutely correct, I believe, about the 
nightmares that this creates when you put technology in the 
hands of our children. At the same time, when it comes to 
privacy, as a parent, my children had limited privacy, and 
guess what? I have the right as a parent to spy on my children.
    Ms. Collier. Yes.
    Mr. Buyer. I have that right in my oversight to ensure that 
they are where they said they are going to be.
    Ms. Collier. Absolutely.
    Mr. Buyer. And I will tell you what, I would love to have 
as a parent the actual location ability on a GPS to know where 
my children are.
    Ms. Collier. You can have that.
    Mr. Buyer. I know. That is why I am saying. So with regard 
to this ``privacy'' so how we have to balance this, Mr. 
Sarbanes, with regard to how we protect our children from the 
outside in. At the same time, as a parent, how do we gain 
access to know what they are doing at all times. And there is a 
balance. And so when you made this comment about how do we get 
parents to take an active role and interest in the lives of 
their children, government isn't going to be able to do that. 
But you are right when you say about education. You are right, 
I also believe in corporate responsibility when the products 
come out. I also believe that our schools, since they are also 
the guardian of our children while they are gone, also have a 
social responsibility.
    Ms. Collier. We have also got to stop scaring the bejeebers 
out of parents. We have done a very bad job of that. We have 
had a predator panic in this country for several years, and 
what that fear does is cause parents to overreact and shut 
things down rather than communicate with their kids.
    Mr. Buyer. But how do we--we can do all the things I just 
said. This issue on cyber bullying, how do we----
    Ms. Collier. Cyber bullying is just an electronic extension 
of bullying so what you are asking me is what do we do about 
bullying, and that is probably beyond the purview of this 
hearing but we should all be thinking about that. Bullying is--
--
    Mr. Buyer. But bullying used to be a little more isolated. 
If they find themselves out at recess, if they find themselves 
at the gym, if they find themselves at the cafeteria, but now 
you can be in the classroom, you can be anywhere and you can be 
cyber bullied at any moment at any time because they make some 
statement or they make up a scenario and this kid then is 
tortured, you know, constantly. So it is more aggravated.
    Ms. Collier. We need to get the schools up to speed on 
this, so we are working hard at that.
    Mr. Buyer. As a parent, my children are now grown but I can 
tell you, I think the cyber bullying is really getting out of 
hand. I mean, you can turn on the news and you find that 
someone has now committed suicide and you discover that they 
were cyber bullied or some 16-year-old thought it would be cute 
to send a naked picture to her boyfriend, he then sent that to 
someone else and she commits suicide. I mean, this technology 
is also being used in a manner which we never anticipated by 
individuals who don't completely understand the realm of 
responsibility. Anyway, I appreciate you having this 
conversation with me. I yield back.
    And thank you, Mr. Sarbanes. You brought up a really good 
issue.
    Mr. Boucher. Thank you very much, Mr. Buyer.
    We have recorded votes pending on the floor, and I think we 
probably have time for one more member to propound questions. 
Mr. Space is next. And then following that, we will need to 
have a recess. Mr. Doyle, I am sorry----
    Mr. Space. Well, actually, Mr. Chairman, I am going to 
pass.
    Mr. Boucher. Oh, you are going to pass? Well, thank you, 
Mr. Space. That does help us.
    Mr. Doyle, the gentleman from Pennsylvania.
    Mr. Doyle. Thank you, Mr. Chairman, and my apologies for 
being late. We had several hearings at the same time.
    Professor Cranor, welcome to this panel. It is always good 
to see someone from CMU here and not just because they are in 
my district, Mr. Chairman, but it is one of the great 
universities in America, and your work has been very helpful to 
this committee.
    Professor Cranor, tell me, in your testimony you mentioned 
that Internet users legitimately care about their location 
privacy but that the current system isn't set up in such a way 
to give users a good sense of how location-based service 
providers will use that information nor do most location-based 
service providers supply users with comprehensive privacy 
controls and protective default settings, and you add that 
further additional protections might be necessary. I wonder if 
you could just elaborate a little bit on what additional 
protections may be necessary to ensure that we have proper 
control over location information, and do you think it requires 
Congress to take any action?
    Ms. Cranor. So I think that we need to start with at least 
having some guidelines which give more specific guidance about 
what is acceptable notice to users. You know, the fact that 
providing notice, you know, buried in the legalese of a privacy 
policy is not providing adequate notice, and guidance that, you 
know, saying well, you have privacy but there are exceptions 
and you have to go read the fine print, those sorts of things 
are not providing people with adequate notice. You know, as Ms. 
Collier raised, you know, with Google Buzz, you know, people 
started using it and had no idea that everything was public and 
that is a very common thing that we have seen in our research 
is that people use these services, they think only their 
friends are seeing their information, only their friends are 
seeing their location and yet it is being made public. So I 
think we need at the very least guidelines for the service 
providers and perhaps actually regulation along those lines as 
well.
    Mr. Doyle. I mean, what options do consumers really have 
today for choosing or negotiating their own privacy 
preferences? I mean, are there technologies available that 
would let consumers express their own privacy preferences up 
front where they could say up front this is how I want my 
information to be used and this is who I want to be able to see 
it?
    Ms. Cranor. Well, I think in the commercial services today, 
you can do that to a limited extent so there are some that you 
can certainly turn off the location sharing. There are some 
that let you choose between sharing with the public or sharing 
with a group of designated friends. So there are some controls 
but they tend to be fairly course grained, and you can't really 
have your cake and eat it too with most of them. With some of 
the more experimental systems like our research on Locaccino at 
CMU, you can actually have much finer-grained controls and so I 
think it would certainly be possible to give consumers a lot 
more options and a lot more control but we are not actually 
seeing that being deployed in commercial services.
    Mr. Doyle. Now, Mr. Morris, I saw you either laughing or 
smiling so I want to give you a chance to grab the microphone 
and chime in if you would like.
    Mr. Morris. I started working in 2001 with the Internet 
engineering task force on a protocol called GeoPriv, geographic 
privacy, that attempts to do exactly what you are proposing, 
attempts to allow users to set the rules to say you can keep my 
information only for 24 hours and you can't pass it on to 
anybody else, and there's been some uptake with that technology 
but unfortunately at the applications layer, the Worldwide Web 
layer, that technology has not been accepted. We have been 
working to try to get it implemented at the applications there. 
So certainly the technology is out there. I frankly think it 
will take an act of Congress to really get the industry to 
really try to give users the level of control that you are 
talking about.
    Mr. Doyle. Mr. Chairman, I know we have votes pending. 
Thank you for your patience. And to all the panelists, thank 
you for being here today.
    Mr. Boucher. Thank you very much, Mr. Doyle, and I want to 
express appreciation also to each of you. Your testimony has 
been informative and helpful to us.
    The record for this hearing will remain open for a period 
of time, and there may be questions that members want to submit 
to you. If you receive those, please reply to them promptly. 
And we do appreciate your help. This has been very beneficial 
for us.
    This hearing stands adjourned.
    [Whereupon, at 12:04 p.m., the Subcommittees were 
adjourned.]
    [Material submitted for inclusion in the record follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


