[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
            DO-NOT-TRACK LEGISLATION: IS NOW THE RIGHT TIME? 

=======================================================================

                                HEARING

                               BEFORE THE

                    SUBCOMMITTEE ON COMMERCE, TRADE,
                        AND CONSUMER PROTECTION

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                            DECEMBER 2, 2010

                               __________

                           Serial No. 111-161


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

78-138 PDF                       WASHINGTON : 2013 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


                    COMMITTEE ON ENERGY AND COMMERCE

                 HENRY A. WAXMAN, California, Chairman
JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
JANICE D. SCHAKOWSKY, Illinois       SUE WILKINS MYRICK, North Carolina
CHARLES A. GONZALEZ, Texas           JOHN SULLIVAN, Oklahoma
JAY INSLEE, Washington               TIM MURPHY, Pennsylvania
TAMMY BALDWIN, Wisconsin             MICHAEL C. BURGESS, Texas
MIKE ROSS, Arkansas                  MARSHA BLACKBURN, Tennessee
ANTHONY D. WEINER, New York          PHIL GINGREY, Georgia
JIM MATHESON, Utah                   STEVE SCALISE, Louisiana
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
    Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
        Subcommittee on Commerce, Trade, and Consumer Protection

                        BOBBY L. RUSH, Illinois
                                  Chairman
JANICE D. SCHAKOWSKY, Illinois       CLIFF STEARNS, Florida
    Vice Chair                            Ranking Member
JOHN SARBANES, Maryland              RALPH M. HALL, Texas
BETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky
FRANK PALLONE, Jr., New Jersey       GEORGE RADANOVICH, California
BART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan                MARY BONO MACK, California
GENE GREEN, Texas                    LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE L. BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex 
    officio)



  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement.................................     2
Hon. Ed Whitfield, a Representative in Congress from the 
  Commonwealth of Kentucky, opening statement....................     3
    Prepared statement...........................................     5
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................    10
Hon. Betty Sutton, a Representative in Congress from the State of 
  Ohio, prepared statement.......................................    11
Hon. Steve Scalise, a Representative in Congress from the State 
  of Louisiana, opening statement................................    12
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, prepared statement..............................   125
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, prepared statement................................   130
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, prepared statement......................................   131
Hon. John Barrow, a Representative in Congress from the State of 
  Georgia, prepared statement....................................   135
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, prepared statement..............................   136

                               Witnesses

Daniel J. Weitzner, Associate Administrator for Policy, National 
  Telecommunications and Information Administration, U.S. 
  Department of Commerce.........................................    13
    Prepared statement...........................................    16
    Answers to submitted questions...............................   138
David Vladeck, Director, Bureau of Consumer Protection, Federal 
  Trade Commission...............................................    29
    Prepared statement...........................................    31
Susan Grant, Director of Consumer Protection, Consumer Federation 
  of America.....................................................    62
    Prepared statement...........................................    66
    Answers to submitted questions...............................   144
Joseph Pasqua, Vice President of Research, Symantec Corporation..    72
    Prepared statement...........................................    74
Joan Gillman, Executive Vice President and President, Media 
  Sales, Time Warner Cable.......................................    85
    Prepared statement...........................................    87
Eben Moglen, Legal Advisor, Diaspora, Professor of Law, Columbia 
  University, Founding Director, Software Freedom Law Center.....    95
    Prepared statement...........................................    97
Daniel Castro, Senior Analyst, Information Technology and 
  Innovation Foundation..........................................   101
    Prepared statement...........................................   103
    Answers to submitted questions...............................   149


            DO-NOT-TRACK LEGISLATION: IS NOW THE RIGHT TIME?

                              ----------                              


                       THURSDAY, DECEMBER 2, 2010

              House of Representatives,    
           Subcommittee on Commerce, Trade,
                           and Consumer Protection,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 11:14 a.m., in 
Room 2123, Rayburn House Office Building, Hon. Bobby L. Rush 
[chairman of the subcommittee] presiding.
    Present: Representatives Rush, Dingell, Schakowsky, Sutton, 
Green, Gonzalez, Barrow, Matsui, Space, Markey, Whitfield, 
Pitts, Bono Mack, Terry, Murphy, Gingrey, Latta, and Scalise.
    Staff Present: Michelle Ash, Chief Counsel; Tim Robinson, 
Counsel; Felipe Mendoza, Counsel; Michael Ostheimer, Counsel; 
Will Wallace, Special Assistant; Brian McCullough, Minority 
Counsel; and Sam Costello, Minority Counsel.
    Mr. Rush. Good morning to all who are gathered here.
    And we want to convene this hearing on the Subcommittee on 
Commerce, Trade, and Consumer Protection. So the hearing is now 
called to order. And we will begin with opening statements, 
with two announcements by the chair.
    There are possibly five votes that are currently occurring 
on the floor. So, at this time, we will have the opening 
statements from the chair and from the ranking member. At the 
conclusion of those opening statements, we will recess and go 
vote, and we will reconvene probably close to around the noon 
hour. And then we will leave the--we will allow Members on both 
sides to continue their opening statements for a half an hour. 
So, upon reconvening, the Members will be given an additional 
half an hour for their opening statements.
    And the purpose of that is to allow Members to deliver 
their opening statements, but also to do it within a certain 
specified time span so that we won't have stragglers coming in 
and keeping the opening statements--keeping this phase--
prolonging this phase.
    So that is how we will operate this morning.
    Mr. Barrow. Mr. Chairman?
    Mr. Rush. Yes?
    Mr. Barrow. Mr. Chairman, some of us have conflicting 
committee hours. Would this be an appropriate time to ask for 
unanimous consent that all Members of the committee might have 
5 legislative days within which to submit a statement for the 
record?
    Mr. Rush. I would think so. If there is no objection?
    Hearing no objection, so ordered.
    Mr. Barrow. Thank you, Mr. Chairman.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. The chair recognizes himself for 5 minutes for 
the purpose of an opening statement.
    Good morning. We are pleased to welcome into our midst 
today seven witnesses. They have graciously offered to share 
their views with this subcommittee about the feasibility of a 
legislative Do Not Track mechanism and how technological 
solutions to privacy perils and pitfalls could augment a 
comprehensive national privacy framework.
    Through such a mechanism, consumers could advise would-be 
trackers unambiguously and persistently that they do not wish 
to be followed by digital snoopers and spies across Web sites 
and their various fixed and mobile computing devices.
    More than 2 years ago, I heard testimony, as chairman of 
this very same subcommittee, from Ms. Lois Greisman, the FTC's 
associate director of Division of Marketing Practices. And Ms. 
Greisman spoke about the FTC's successes in routing out the 
excessive and abusive telemarketing acts and practices through 
the Do Not Call Registry.
    From fiscal years 2003 through 2007, more than 145 million 
telephone numbers had been entered into the Do Not Call 
Registry. Over the same period, approximately $80 million in 
fees have been collected from a base of over 18,000 unique 
entities who access from the registry.
    As part of that opt-out and enforcement regime, the FTC 
stood prepared to initiate cases under its telecommunications 
sales rules to obtain temporary and permanent injunctions 
against violations, secure orders for more than half a million 
dollars in consumer restitution, and refer civil penalty action 
to the Department of Justice.
    Almost a year before Associate Director Greisman's 2010 
testimony and following 2 days of FTC town-hall meetings on 
online behavior tracking in the fall of 2007, the Consumer 
Federation of America and other privacy groups noted that self-
regulatory initiatives devised by industry had, sadly, failed. 
One of those groups, the Consumer Federation of America, which 
happens to be represented today by Ms. Susan Grant, called upon 
the FTC way back then to implement a one-stop opt-out for 
online tracking, similar to the agency's successful Do Not Call 
Registry.
    At the end of this second session of the 111th Congress, it 
would appear that we have come full circle with the FTC's 
endorsement of a Do Not Track mechanism that was released just 
yesterday as part of its preliminary staff report. The title of 
that draft report is ``Protecting Consumer Privacy in an Era of 
Rapid Change.''
    Being the last hearing of this subcommittee that I will 
chair in this Congress, please allow me to reflect briefly on 
some of the major accomplishments and achievements of the CTCP 
Subcommittee over the 110th and 111th Congresses.
    With the assistance of my able colleagues on both sides of 
the aisle, I have convened hearings, markups, and helped to 
guide, under the leadership of Chairman Waxman, to guide 
successfully more than a dozen bills out of the full committee, 
including the Consumer Product Safety Improvement Act and the 
Wall Street Reform Act.
    Our subcommittee was also very active in conducting 
oversight over the National Highway and Traffic Safety 
Administration in the wake of massive recalls of unsafe 
automobiles. We have also asked questions at hearings about the 
effects of the disastrous Macondo oil well spill on the gulf-
area tourism and travel industry and the health effects of 
formaldehyde on persons in post-Katrina trailers.
    I am especially and I am immensely proud of the 
collaboration that has existed between this subcommittee and 
the CTI, the Communications, Technology, and Internet 
Subcommittee, currently led by my friend, Chairman Boucher. In 
working closely with CTI to conduct oversight and to draft 
legislation, our two subcommittees held six joint hearings 
during the 111th Congress on a range of public safety and 
consumer protection topics, including texting while driving and 
online and offline privacy.
    And I do believe that the record will show that this 
subcommittee was highly productive, very effective in 
accomplishing a lot, much, in a relatively short period of 
time.
    With that said, I once again thank the witnesses for coming 
in this morning. I thank my colleagues on both sides of the 
aisle who are members of this subcommittee. And I yield back 
the balance of my time.
    And I recognize now the ranking member of the subcommittee, 
Mr. Whitfield, for 5 minutes for the purpose of an opening 
statement.

  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY

    Mr. Whitfield. Thank you, Chairman Rush.
    And we appreciate your holding this hearing today on the Do 
Not Track concept. I say that because I don't think we really 
have any legislation, but it is an idea. And we all recognize 
that consumer protection for the Internet is an important issue 
and one that I am glad this subcommittee continues to address.
    I believe that all of us understand that the Do Not Call 
Registry, which was developed over many years of legislation 
and dialogue, has been very successful because it does provide 
a mechanism for consumers to stop unsolicited cold calls from 
telemarketers.
    However, I am concerned with taking a similar model and 
applying it to the Internet by establishing a Do Not Track 
system simply because we are not really comparing apples to 
apples.
    First, I am not sure the technology is in place to 
establish such a mechanism. It is my understanding that there 
are several competing technologies out there on how exactly to 
create a Do Not Track list. And so the question would be, is 
the government really the best entity to make that decision?
    I also think we need to ask what will happen to 
advertisement-supported Internet content if a Do Not Track 
system is implemented. In order for Internet content to remain 
largely free to consumers, it is supported by advertising. 
Would an advertising model be sustainable in the absence of 
marketers' ability to track?
    In addition, I assume most consumers would rather see 
advertisements they are interested in rather than completely 
irrelevant advertising. So if a Do Not Track system was 
implemented, would consumers receive less-relevant ads?
    While I agree that it is important for consumers to have an 
understanding of what information is being collected and how it 
is used, we need to seriously discuss the Do Not Track model to 
evaluate whether it accomplishes the appropriate objectives.
    Some have expressed concern that a one-size-fits-all Do Not 
Track model could impact consumers' choices by preventing their 
access to the benefits of online advertising. Now, personally, 
I believe a better approach may be to empower consumers to have 
better control over their online experience. For example, why 
not have disclosures which let consumers know what type of 
information is being collected and how it is being used or 
allow consumers to tailor their online browsing experience so 
that they may promptly have the benefits of information 
specific to their interests?
    Lastly, I think we should be mindful about the economic 
impact this proposal could have, particularly since we are in 
the middle of the holiday gift-giving season and we understand 
that more shoppers are buying their holiday gifts online each 
year--a benefit to many consumers and businesses that never 
would have reached each other before the Internet became 
mainstream. We need to be mindful not to enact legislation that 
would hurt a recovering economy. To that end, I am curious to 
find out if there have been any economic-impact studies or 
reports to see how implementing a Do Not Track system would 
impact our economy.
    Once again, I appreciate Chairman Rush's interest in the 
issue, his strong dedication to online privacy. And I look 
forward to the testimony of our witnesses today.
    And one other comment that I might make on an unrelated 
matter. I know that Chairman Genachowski and the FCC are 
looking at issuing some new Net neutrality rules. As we know, 
there have been some court decisions on that issue. And I hope 
that the FCC does not move in that direction right now, and 
give us an opportunity to further explore that issue here in 
the Congress.
    And I yield back the balance of my time. Thank you, Mr. 
Chairman.
    [The prepared statement of Mr. Whitfield follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Rush. I think we have 5 minutes remaining--2 minutes? 
Two minutes, OK.
    Well, the subcommittee now stands in recess until the 
conclusion of this series of five votes on the floor.
    [Recess.]
    Mr. Space [presiding]. The hearing will come to order.
    And we were in the middle of opening statements when we 
were called for a vote. And I believe the gentleman from 
Nebraska, Mr. Terry is next.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Space.
    The issue that we are here on, targeting and creating this 
``do not target'' list or whatever it will be called is--I 
think it is worthy of discussion and looking into. Of course, 
it is going to be an issue of how we define it and how we 
really help consumers here.
    I was one of the eight, I think, classified the ``Do Not 
Call Eight.'' There were eight of us that voted against the Do 
Not Call list. And there are ways of helping consumers and not 
helping consumers, and we want to make sure we do it the right 
way.
    I am actually more frustrated with the FCC than either two 
of you sitting here today, and the actions taken by the FCC 
chairman to usurp congressional power and authority in a new 
proposed order of regulating the Internet. Certainly, doing 
that on the eve of a new Congress is a message to us that they 
want to ram it down the public's throats before an opportunity 
comes for a different majority in the House of Representatives. 
But the issue is very bipartisan against the FCC's power grab.
    Now, the order has been circulated amongst the Members. We 
don't get to see it in Congress yet. This committee, Energy and 
Commerce, Telecom Subcommittee, partially this subcommittee, 
have authority, jurisdiction. We are cut out of the deal. AT&T 
has ostensibly agreed to something under duress, is my personal 
opinion. It was, ``Either you agree to this, or we are really 
going to come after you.''
    And I think those type of tactics of the public not 
knowing, that order of how to regulate the Internet, doing it 
under duress, making parties agree to things under threat of, 
``Well, it will be worse for you if you don't,'' those are the 
type of tactics that the public rejected on November 2nd. And 
so I would call on the FCC to stand down, don't go forward with 
the proposed order on regulating the Internet.
    I yield back.
    Mr. Space. Thank you, Mr. Terry.
    The gentlewoman from Ohio, Ms. Sutton.
    Ms. Sutton. Thank you, Mr. Chairman. I will just submit my 
opening statement for the record so we can move along to the 
testimony. Thank you.
    [The prepared statement of Ms. Sutton follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Rush. Thank you, Ms. Sutton.
    The congressman from Louisiana, Mr. Scalise.

 OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF LOUISIANA

    Mr. Scalise. Thank you, Mr. Chairman.
    We have learned at previous hearings that Web tracking can 
provide valuable information to businesses and marketers, thus 
enabling them to provide targeted online advertisements. And 
these benefits are not just limited to businesses. Consumers 
can enjoy a personalized Web experience and receive ads 
tailored to their interests without having to search or sit 
through a sales pitch.
    And just as important, tracking and behavioral 
advertisements benefit the Internet itself, because it helps 
underwrite the cost of these sites that so many consumers enjoy 
and with many of these services that are provided for free.
    But we also recognize the growing concern over the 
information that is collected on consumers, many of whom may 
not even know that their online activity is being tracked, and 
the potential for that personal information to be compromised 
or used illegally.
    That is why we must proceed prudently and find the 
appropriate balance between protecting consumers and promoting 
a dynamic Internet environment that continues to produce the 
innovations and advancements that we have all come to enjoy.
    Our first step should not be finding ways the government 
can regulate the issue. We do not need more government 
directives on the Internet. A surefire way to stifle innovation 
would be to pass more government regulations that restrict 
innovation in this dynamic industry without a proper approach. 
Constructive roles for government to play would include 
encouraging public-private partnerships, promoting best 
practices, and encouraging investment, innovation, and 
competition.
    But I believe we must first look to self-regulation and 
what steps the industry will take and has already taken to 
protect consumers. Today we can see examples of self-
regulation, including the development of built-in opt-out 
mechanisms on Internet browsers.
    We must also further examine the concept of Do Not Track. 
The idea itself leads to questions that must be answered as we 
move forward. Will a Do Not Track mechanism adequately protect 
consumers in light of developing technologies? Will it be 
consistent across different industries and technologies? And 
will it restrict the exchange and use of consumer data in ways 
that deter innovation and growth?
    As I have stated at previous hearings, the technology in 
the Internet industries are among the most advanced and 
competitive in our country, and they are also among the most 
beneficial, both for consumers and our economy. And they have 
achieved this status by advancing and growing on their own, 
with little interference from the Federal Government. And some 
would say that is one of the reasons that they have been so 
successful in innovating.
    We must continue to allow these industries to develop and 
innovate, and I believe we can do this in a way that 
strengthens consumer privacy. Protecting consumers and 
protecting the Internet economy are not mutually exclusive 
goals. We must ensure that government intervention does not 
stifle innovation.
    And, finally, I will chime in and concur in what my 
colleague from Nebraska said. I strongly oppose the effort by 
the FCC to regulate the Internet through Net neutrality and 
especially in some dark-of-night attempt that didn't go through 
the proper scrutiny that it deserves.
    Thank you, and I yield back.
    Mr. Rush. Thank you, Mr. Scalise.
    And seeing no other Members present, at this point I would 
like to introduce and thank our witnesses for appearing before 
the committee today.
    We have with us today Mr. Daniel Weitzner, associate 
administrator for policy at the National Telecommunications and 
Information Administration and U.S. Department of Commerce; 
also Mr. David Vladeck, director of the Bureau of Consumer 
Protection with the FTC.
    Welcome, gentlemen. It is the practice of the subcommittee 
to swear in witnesses, so I would ask that you stand and raise 
your right hand.
    [Witnesses sworn.]
    Mr. Space. Please let the record reflect that the witnesses 
have answered in the affirmative.
    And, with that, I would introduce again Mr. Weitzner for 
his 5-minute opening statement.

 TESTIMONY OF DANIEL J. WEITZNER, ASSOCIATE ADMINISTRATOR FOR 
      POLICY, NATIONAL TELECOMMUNICATIONS AND INFORMATION 
  ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE; DAVID VLADECK, 
    DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE 
                           COMMISSION

                TESTIMONY OF DANIEL J. WEITZNER

    Mr. Weitzner. Thank you, Congressman Space and Ranking 
Member Whitfield and members of the subcommittee. I thank you 
for the opportunity to testify on behalf of the United States 
Department of Commerce and the National Telecommunications and 
Information Administration. NTIA appreciates your leadership on 
commercial privacy policy and thanks you for the opportunity to 
engage on the question of how best to protect consumer privacy 
in the rapidly evolving Internet age.
    And I am especially pleased to be here with my colleague, 
David Vladeck. And I hope you will allow me to congratulate the 
FTC on the important privacy report that they released 
yesterday. Their expert insight on privacy matters will 
certainly inform the administration's thinking on the issue 
going forward. I know it is a lot of work to get those out, so 
thank you.
    I would like to highlight three points from my written 
remarks, if I could: first, the Commerce Department's approach 
to privacy as part of our overall efforts to develop 
innovation-sustaining Internet policy principles; second, the 
urgency for the United States to reassert global leadership on 
privacy policy; and, third, our view of how to approach the 
goals behind the Do Not Track concepts.
    We are all well-aware of the transformations enabled by the 
Internet. Politics, education, scientific research, health 
care, and even romance have all moved online. These powerful, 
exciting, and innovative developments also feed a growing 
concern among citizens about how their data is being stored, 
monitored, and analyzed.
    This is the policy challenge that confronts us. To harness 
the full potential of the digital age, we need to establish 
ground rules that promote innovative uses of information while 
building a well-founded sense of trust that consumers' 
legitimate expectations of privacy will be respected.
    Earlier this year, in order to develop a broad policy 
framework that promotes innovation in the Internet environment, 
Commerce Secretary Gary Locke established the Department's 
Internet Policy Task Force. The task force, which draws from a 
number of bureaus in the Commerce Department, including my own, 
NIST, the Patent and Trademark Office, the International Trade 
Administration, and others, is developing policy 
recommendations in a range of areas, including protecting 
privacy, assuring cybersecurity, establishing balanced 
copyright protection models, and preserving the global free 
flow of information.
    Consumer privacy is our first order of business. After 
consulting with a wide variety of consumer and commercial 
stakeholders, we have heard the unmistakable message that it is 
time to shore up privacy protection in the United States and 
abroad. So what needs to be done to enhance privacy protection 
while encouraging ongoing innovation?
    First, we need to affirm a privacy baseline regarding the 
handling of consumer information. This baseline should be built 
on a full set of fair information practice principles. To 
paraphrase a comment we received in our notice of inquiry, 
baseline FIPS are something that consumers want, companies 
need, and the economy will appreciate.
    Second, we realize that the government is not going to have 
all the answers. With or without legislation, the centerpiece 
of Internet privacy protection will have to be an increased 
sense of urgency and incentives for the development of 
voluntary but enforceable codes of conduct. These are what 
Chairman Rush's bill calls ``choice programs and safe 
harbors.'' This approach recognizes that technologists and 
entrepreneurs, privacy and consumer advocates, business and the 
government have to work together to develop best practices for 
managing commercial data.
    Best practices or a code of conduct are an indispensable 
mechanism by which all companies must adopt a strategy for 
implementing fair information practices. In order to be sure 
that these codes of conduct reflect the perspective of all 
stakeholders, all the stakeholders must be involved in the 
development of these codes.
    The alternative, however, is to wait for lengthy and 
conceivably contentious agency rule-making procedures. This 
will neither serve consumers, who need protection in today's 
new services, nor businesses, which need flexibility in the 
application of privacy rules. The FTC, through after-the-fact 
enforcement, would provide critical legal assurance to 
consumers that the companies are actually adhering to the 
commitments that they make.
    Finally, I want to say that there is an urgent need to 
renew our commitment to leadership in the global privacy policy 
debate. All around the world, including in the European Union, 
policymakers are rethinking their privacy frameworks. As 
leaders in the global Internet economy, it is incumbent on the 
United States to develop an online privacy framework that 
enhances trust and encourages innovation. Congressional 
leadership, continued FTC enforcement efforts, and 
administration engagement will all be important to show the 
world that the U.S. has a strong privacy framework and that we 
are committed to strengthening it further.
    Turning to the question of Do Not Track, allow me to start 
from first principles. We believe that individual choice and 
control over the flow of information has always been the 
foundation of Internet policy. To the extent that tools provide 
effective protection for individual choices, government 
properly avoids regulations that would otherwise restrict the 
free flow of information.
    There has been continued innovation in these tools 
available to users over time, but we believe that we need to 
see more rapid action by businesses in providing users with 
easy-to-understand ability to control how their personal 
information is used.
    I just want to say in closing to all the members of the 
committee that I think that we have seen, across the history of 
Internet policymaking, strong bipartisan commitment to helping 
the Internet to develop, to keeping it open, and to protecting 
people's basic rights. We saw this with Section 230 of the 
Communications Decency Act that is a foundation of our Internet 
policy framework. We saw it with the notice and take-down 
provisions in the Digital Millennium Copyright Act, and even in 
institutions such as the Congressional Internet Caucus. They 
have all benefitted from leadership of support of Democratic 
and Republican Members of Congress alike.
    Like these other issues, safeguarding consumer privacy, we 
hope, will remain a bipartisan priority. And we look forward to 
this committee's continued leadership in the next Congress.
    Thanks very much.
    [The prepared statement of Mr. Weitzner follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. Thank you, Mr. Weitzner.
    And, Mr. Vladeck, you have 5 minutes for your opening 
testimony.

                   TESTIMONY OF DAVID VLADECK

    Mr. Vladeck. Thank you, Mr. Space, Ranking Member 
Whitfield, members of the subcommittee. I appreciate the 
opportunity to be here today to underscore the Commission's 
support for Do Not Track, a view shared by four of our 
commissioners. At this point, the Commission has not taken a 
position on how Do Not Track should be implemented.
    But before I discuss Do Not Track specifically, let me note 
that it is only one aspect of a robust framework for protecting 
consumer privacy. Throughout its 40-year history of enforcement 
and policymaking experience, the Commission has tried to 
protect consumer privacy and build consumer trust in a fast-
evolving marketplace.
    Yesterday, the Commission issued a preliminary staff report 
on protecting consumer privacy in the marketplace. This report 
makes three main points: One, companies should adopt a privacy-
by-design approach, baking in protections like security and 
accuracy throughout their business processes. Two, current 
practices place too heavy a burden on consumers to safeguard 
their own privacy. Companies should provide choices about data 
collection and sharing in a simpler way at a time when 
consumers are making decisions about their data. And consumer 
decisions, once made, need to be respected. And three, 
companies should improve transparency of their information 
collection and use practices.
    Now, Do Not Track is an important component of the second 
piece of the framework because it would allow consumers to 
exercise choices about online tracking in a simple, universal, 
and persistent way. We believe that there is strong public 
support for a new Do Not Track mechanism, that it is 
technologically feasible and enforceable, and that, once 
implemented, it will put consumers back in control of their own 
data.
    Now, we have heard three main objections to the 
Commission's proposal for a Do Not Track mechanism that I would 
like to discuss.
    Objection number one: Do Not Track would create new privacy 
problems because it would require the Federal Government to 
create a registry or list of consumers who do not want to be 
tracked. Our response? We are not proposing the creation of a 
list, nor are we proposing a centralized system managed by the 
Federal Government. While the FTC must be able to ensure 
through enforcement that a Do Not Track mechanism effectively 
implements consumer choice, there is no need for a Do Not Track 
mechanism to be administered by the Federal Government.
    Objection two: Industry already provides adequate opt-out 
choices to consumers. The FTC's response? Self-regulation has 
been too slow to afford consumers meaningful choice. Many 
industry representatives agree with the Federal Trade 
Commission that providing consumers with choices about third-
party tracking is essential to build the trust necessary for 
the marketplace to grow. So, in that respect, there is no 
difference between the Federal Trade Commission and industry.
    And some industry members have taken important positive 
steps, but existing choices are hard to find and hard to use. 
Many of these mechanisms also may lead consumers to believe 
that they are opting out of third-party tracking when, in fact, 
they are just opting out of receiving targeted ads.
    Finally, these mechanisms may not be fully effective. 
Consumers may believe they have opted out of tracking if they 
block third-party cookies on their browser, yet they still may 
be tracked through flash cookies and other devices. A robust Do 
Not Track mechanism must be clear, easy to locate and use, and 
effectively implement the user's choice to opt out of third-
party tracking.
    Objection number three: Do Not Track is neither feasible 
nor enforceable. The FTC's response? We have learned from our 
roundtables and from the technologists we have on staff that a 
Do Not Track mechanism is feasible technologically. Browsers or 
computers could be programmed to send a Do Not Track signal as 
the consumers surf the Web. Servers run by ad networks and 
other companies that engage in tracking would be programmed to 
receive and honor that request.
    Most importantly, this Do Not Track setting would be 
designed to apply to all third-party tracking methods, thereby 
putting an end to the current arms race in which some companies 
subvert consumer choice by developing and using new tracking 
technologies.
    Compliance with tracking by companies is essential. But 
tracking leaves digital footprints, and the technical means 
exist that may identify parties that do not respect consumer 
choice. We believe that these tools can be effective in 
oversight and enforcement.
    Although we are confident that Do Not Track is feasible and 
can be effective, we are seeking comment on the best way to 
implement this mechanism.
    Let me conclude by saying that if Congress chooses to enact 
legislation, the Commission requests authority to conduct APA 
rulemaking and to obtain civil penalties for violations. 
Rulemaking is important so that the Commission can have 
flexibility in an area where technology evolves rapidly. And 
the ability to find violators would provide strong incentives 
for companies to comply with any legal requirements, helping to 
deter future violations.
    Thank you. We are happy to answer any questions you may 
have.
    [The prepared statement of Mr. Vladeck follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. Thank you, Mr. Vladeck.
    And, at this time, the chair will entertain questions of 
the witnesses. And our first on the list will be our chairman 
emeritus, Mr. Dingell.
    Mr. Dingell. Mr. Chairman, thank you very much.
    The time that you have and I have is very limited, so if 
you would please, gentlemen, could you give me ``yes'' or 
``no'' answers to the first question here?
    Do you believe the current industry efforts to regulate 
itself with respect to consumer data privacy are sufficient 
enough to address consumer concerns? Yes or no?
    Mr. Vladeck. No.
    Mr. Dingell. Sir?
    Mr. Weitzner. No.
    Mr. Dingell. Now, gentlemen, again, yes or no. Do you 
believe that such efforts could be improved, or do you believe 
that the Congress should pass comprehensive online privacy 
legislation?
    Mr. Vladeck. That is two questions.
    Mr. Dingell. Well, all right. Then to the first half, yes 
or no, and then to the second half, yes or no. And you are 
perfectly right.
    Mr. Vladeck. On the first half, yes, we believe that self-
regulation can improve the current system.
    And with respect to the second question, the Commission has 
not taken a position on whether legislation is needed.
    Mr. Dingell. OK.
    Sir?
    Mr. Weitzner. With respect to the first question, we are 
confident that the industry efforts can improve.
    With respect to the second question, the administration 
hasn't taken a position yet.
    Mr. Dingell. Now, gentlemen, here is a problem that I think 
all of us confront. Is there a single Federal agency that is 
capable of implementing and enforcing Do Not Track 
requirements? Is there a single agency?
    Mr. Vladeck. We believe there is.
    Mr. Dingell. OK. Now, then--and, sir, your comment, if you 
please?
    Mr. Weitzner. I think there is an agency that could.
    Mr. Dingell. All right. Now, which one is it, or which one 
should it be--FTC, NTIA, or the FCC?
    Mr. Weitzner. You go first on that one.
    Mr. Vladeck. Yes, we believe that we have both the ability 
and the enforcement infrastructure. Of those agencies, the 
Federal Trade Commission is the enforcement agency. And we 
think that we are up to the task.
    Mr. Weitzner. We have great confidence in the FTC as an 
enforcement agency. And NTIA, as you know, is not a regulatory 
agency.
    Mr. Dingell. And I hope you don't take that as being an 
unfair question to you.
    Very frankly, I would make this observation. The FTC has a 
rather proud record of doing these kinds of things at the 
behest of the Congress and doing them well.
    Now, gentlemen, again, advertising plays an essential role 
in the support of free Web sites and Internet applications. 
What impact would--and this can't be a yes-or-no question--what 
impact would a Do Not Track proposal have on that support?
    Mr. Weitzner. I think the answer is going to depend quite a 
bit on what the Do Not Track mechanism is and what it means.
    What we know is that there are more and more companies that 
are offering users some kind of opt-out and enhanced notice 
mechanism. I don't believe that we have seen dramatic falloff 
of advertising revenue as a result.
    I think that there are mechanisms that could be mandated 
which could have a dramatic impact on advertising revenue. I 
think that counsels to look at the issue very carefully so that 
we don't disrupt the Internet economy.
    Mr. Dingell. It is a concern, then?
    Mr. Weitzner. Yes.
    Mr. Dingell. Thank you.
    Now, gentlemen, should a Do Not Track mechanism involve 
simply no collection of information, or should it include a 
prohibition on the use of such information to target consumers?
    Mr. Vladeck. I will take the first stab at that.
    I think that what we envision is a Do Not Track mechanism 
that would permit consumers--first of all, we don't believe 
that a Do Not Track mechanism is necessarily an all-or-nothing, 
one-time-or-forever mechanism. We believe that the point of Do 
Not Track is to give consumers control over the collection of 
data, through tracking, that they do not want to have 
collected.
    And so, if you look at both the testimony, our report, and 
the questions that the report poses for industry, we want to 
explore tailored Do Not Track that would enable consumers to 
permit certain kinds of tracking but to exclude other kinds of 
data collection and, therefore, data use.
    Mr. Dingell. Sir?
    Mr. Weitzner. I would say that data collection limitations 
are a very blunt instrument and tend to have unexpected 
consequences and sometimes may make false promises to users. I 
think that the concerns that we see, however, are split between 
concerns about collection and concerns about use. It is a 
difficult question.
    Mr. Dingell. Gentlemen--and my time is running out here--it 
seems that Do Not Track, as it is presently discussed, is all 
or nothing, meaning that either a user permits his data to be 
collected or he does not allow such data to be collected.
    Is there a middle-of-the-road approach that could be 
adopted and a regulatory structure that could be constructed 
that would enable us to do this in a proper way, giving 
consideration to the concerns of everybody?
    Mr. Vladeck. I think the answer to your question is 
``yes.'' And one of the things the Federal Trade Commission is 
exploring is a Do Not Track mechanism that provides consumers 
with great choice about what information they are willing to 
have collected through tracking and what information they are 
not.
    And so, our effort is to--we have solicited comment on 
this, but our effort is to devise a system that gives consumers 
very broad and granular control over the tracking of their 
personal information.
    Mr. Dingell. Sir?
    Mr. Weitzner. Congressman Dingell, I think it is very 
important to recognize that this question doesn't arise in a 
vacuum. For 10 or 15 years in the evolution of the Internet 
advertising environment, we have had an evolution of mechanisms 
that give users increasing control over how their information 
is used and increasing awareness of how it is used.
    We think it is very important to continue that trend and to 
encourage that to continue to happen. I think that will help to 
get to some of the more nuanced mechanisms that my colleague, 
Mr. Vladeck, is talking about.
    Mr. Dingell. Thank you, gentlemen.
    Mr. Chairman, I would like to pay just a brief word of 
tribute to you. You have served here well and with distinction. 
I am proud to see you running the committee today. I am 
grateful to you for your excellent service in this institution. 
And I want to congratulate you and commend you and wish you 
well on behalf of John Dingell and, I think, on behalf of the 
rest of my colleagues on the committee.
    Thank you.
    Mr. Space. Thank you very much, Mr. Chairman.
    And our next questioner is the ranking member, Mr. 
Whitfield of Kentucky.
    Mr. Whitfield. Well, thank you very much.
    I would like to echo Mr. Dingell's comments, Mr. Space, and 
tell you how much we enjoyed serving with you. And we know we 
will look forward to seeing you in the future as we move along.
    Thank you all for your testimony very much. We appreciate 
it.
    With the release of the privacy report yesterday, I believe 
Chairman Leibowitz referred to a privacy deficit, and he sort 
of compared that to a budget deficit. And there is no question, 
we have a budget deficit.
    And so that raises the question, when he is talking about a 
privacy deficit--and I think both of you have indicated that 
you are not advocating Do Not Track legislation at this time--
how severe do you think this privacy deficit is that Mr. 
Leibowitz talked about yesterday?
    Mr. Vladeck. We spent a full year developing a record that 
underpins the report that we issued yesterday. And there are 
two themes that I think emerged from the roundtables that we 
held and from our interactions with every imaginable 
stakeholder.
    One is the general concern that consumers are not aware 
that they are being tracked online and the extent of tracking 
and what has really happened, which is there is a commodity now 
in personal data. There is, you know, a data collection and use 
industry. And so, I think one concern is that we need to make 
this clear to the public, we need to educate the public. And I 
suspect that when Chairman Leibowitz was talking about the 
deficit, that was part of what he was addressing.
    The other theme is that people do not feel they have 
adequate control over their data when they browse. And I 
recognize that industry has come up with some browser-based 
options and some other efforts to try to respond to consumer 
demand for greater control. Our concern is those efforts have 
fallen short. And one of the reasons why we thought we needed 
to issue this report is to talk about the gap, the mismatch 
between consumer demand and expectation and what is presently 
being offered. And we are hoping that a report will stimulate 
discussions like this so we all collectively can move forward.
    Mr. Whitfield. Thank you.
    Mr. Weitzner. Congressman Whitfield, here is what I think 
we know. I wouldn't necessarily say that we have a deficit 
because that presumes it is quantifiable in some way. But I 
think we have two almost disparate facts, almost contradictory 
facts before us. We see people using the Internet more and more 
and more. We had a very positive Cyber Monday, if that is what 
it is called. So we see people embracing this technology in so 
many ways, and we certainly want that to continue.
    What we also know from surveys, from public comments, from 
the consultations that we have done at the Commerce Department 
with a very wide range of stakeholders is that there is 
increasing concern on the part of the public about how privacy 
is being handled. People are not sure exactly what their rights 
are, they are not exactly sure how to protect them, who to go 
to when they feel wronged.
    I think that, if there is a gap, it is perhaps there, in 
the fact that the Internet is more and more important to us but 
we have increasing uncertainties. And I think it is worth 
working collectively to close that gap.
    Mr. Whitfield. Thank you very much. I appreciate that.
    Recognizing that the advertising model is so important to 
the Internet and trying to balance that versus privacy 
protection, do both of you feel confident that we could come to 
a solution on this issue somewhere down the road where you can 
protect both of these in an adequate manner?
    Mr. Weitzner. I think that what we have seen, as I alluded 
to in the previous interchange, is that Internet users have 
actually been given more and more control through the various 
services that we all use on the Internet. We haven't seen 
advertising revenue go down. If anything, we have seen it go up 
and we have seen it proliferate into a whole new variety of 
business models.
    That is a very positive change. I think we would certainly 
want to watch very carefully to make sure not to take steps 
that would turn that in the other direction. But I think it is 
a mistake to assume that giving people more control means a 
reduction in advertising revenue.
    Mr. Whitfield. OK.
    Mr. Vladeck. Yes, we share that view. And let me make two 
brief points. One is, you know, no one wants to interfere with 
innovation and business development on the Internet. It is a 
very powerful engine that drives a big part of our economy. But 
we don't want to sacrifice consumer privacy at the same time.
    And, in fairness to industry, industry recognizes this. I 
mean, the advertisers have banded together to give consumers 
opt-out rights against targeted advertising. I can't imagine 
that they would want to kill the golden goose that laid the 
golden egg. And so I don't think--I think that, in terms of our 
aspirational goals, you know, we are not that far apart.
    Mr. Whitfield. Well, thank you very much. I really 
appreciate your testimony.
    And my time has expired, Mr. Chairman.
    Mr. Space. Thank you, Mr. Whitfield.
    Mr. Green from Texas.
    Mr. Green. Thank you, Mr. Chairman.
    I would like to ask unanimous consent that my statement be 
placed into the record.
    [The information was unavailable at the time of printing.]
    Mr. Green. And thank each of you for being here. This is an 
issue that our committee and not only this Subcommittee on 
Consumer Affairs but also our Telecom Subcommittee has dealt 
with for many years. And I have always come down on the side 
of, if I am using the internet, I would rather have the option 
of opting in to have someone track me than opting out.
    And that is my first question, is, would constructing a 
framework that allowed the Internet users to actively opt in to 
tracking be a more feasible approach? Now, we know, in 
practicality, very few people opt in. And if you opt out, there 
will be more people who just won't take the time to opt out.
    What are the strengths of the opt-in? And how is Do Not 
Track better? The two options, opt-in or opt-out.
    Mr. Vladeck. Let me answer that question in two ways.
    In terms of the strength of Do Not Track, our view is that 
it would be uniform, easy-to-use, and a durable choice by 
consumers, a choice they can change and a choice they can 
modify. But under the existing regime, in order for consumers 
to, for example, not receive delivered, targeted behavioral 
advertising, they have to go to multiple sites that are hard to 
use and often are confusing. So we are trying to relieve the 
burden on the consumer to exercise choice. And, in our view, a 
Do Not Track mechanism is the ideal solution to that problem.
    Now, in terms of opt-in and in terms of opt-out, we have 
requested comments on this, because we have seen both 
mechanisms used by marketers in a way that are confusing to 
consumers. You have seen opt-ins that simply require you to 
click a button after reading through a long, you know, end-user 
licensing agreement that you don't read because no one reads 
them. And we have seen opt-out mechanisms that are also 
confusing to use.
    So what we are hoping to do here is to find a simple, easy-
to-use, easy-to-find tool that consumers can use to express 
their choice about being tracked and how much they want to be 
tracked, if at all. That is the goal of the Federal Trade 
Commission.
    Mr. Weitzner. Congressman Green, I would just echo my 
colleague's views here.
    Historically, as you know, the privacy debate has always 
been framed as this kind of stark opt-in versus opt-out choice. 
I think our goal should be to move beyond that and to create an 
easy set of choices for users to have access when it makes 
sense for them to have access.
    I think that this opt-in/opt-out model really ignores the 
fact that Internet technology can make choices much more easy 
and much more accessible.
    Mr. Green. OK. Will implementing a Do Not Track list create 
a false sense of security for users? What can complement the Do 
Not Track system to keep users informed of the remaining 
potential data collections and tracking and inform them of 
measures they can take to limit if they choose? Because even if 
you opt out of the tracking, what is the security that you know 
that you are not being tracked?
    Mr. Weitzner. I think that that comes, in many ways, to a 
definitional question about just what Do Not Track or Do Not 
Profile or Do Not Advertise really comes to mean and the 
question of who is ultimately going to be accountable to answer 
the preferences that are expressed by users.
    I would say that I think there is a growing agreement in 
the technical community that it is not so hard to understand 
how to enable a user to send out a Do Not Track signal. The 
question is, who is supposed to listen to that signal? And I 
think that is a hard question to answer.
    As Mr. Vladeck noted, we want to give users a subtle set of 
choices so that their complex preferences can be represented, 
but I think we risk, if we try to draw lines too firmly, we do 
risk creating a false sense of security.
    Mr. Vladeck. Well, can I respond briefly?
    We want to provide a sense of security. And one of the 
design features that can be built into a Do Not Track mechanism 
is an end to what we now see as an arms race, that many 
companies are engaged in defeating consumer choice by 
developing tracking devices that are not easily removed.
    And so, part of our concern is we do not want to get into 
an endless cycle where a browser is able to remove cookies, 
tracking cookies, but isn't able to deal with flash cookies or 
super cookies or the next generation of tracking devices.
    Mr. Green. One of the concerns I have is--and we haven't 
dealt with this before--is there authority with the FTC and 
even with NTIA to do this? What is to keep it from happening in 
Great Britain or, you know, somewhere else, Switzerland or 
somewhere else? They just move those browsers there, and we 
lose the ability to control them in our own country.
    Mr. Weitzner. I think that the point that you are 
underscoring, Congressman Green, is the need to have broad 
agreement about just what these promises and these commitments 
really mean, what should a consumer really be able to expect.
    We have urged, as we have talked about this issue, the need 
to come to broad voluntary agreements amongst industry groups 
that spread across the globe and consumer groups that 
increasingly represent different countries so that we can have 
what is something closer to a global set of expectations. The 
Internet is a global marketplace, and we are going to need that 
more and more.
    Mr. Vladeck. Well, there is another answer, as well, 
Congressman, which is that, if we successfully implement a Do 
Not Track regime in the United States, tracking devices, for 
example, launched in another country, will not be able to track 
the consumer unless the consumer starts visiting sites 
somewhere else.
    And that question is a question that we have explored with 
our own technologists, including--and I am happy to introduce 
Dr. Ed Felton, who is a Princeton University computer science 
professor who will be joining the Federal Trade Commission as 
our chief technologist at the first of the year.
    But, I mean, there are real disadvantages to trying to end-
run a Do Not Track system simply by moving a server, you know, 
into another country. And we would be glad to, at another time, 
explain why that would not necessarily bypass a Do Not Track 
system.
    Mr. Green. Well, I think, having dealt with this for many 
years, I think our committee on a bipartisan basis falls on the 
side of the privacy. And my last question is, are there any 
types of information that you feel shouldn't be tracked or just 
hardcore shouldn't be collected at all?
    Mr. Vladeck. One of the reasons why we have gravitated to a 
Do Not Track option is because there are certainly categories 
of information--health information, family information, 
financial information, maybe information concerning not only 
children but teens, geo-location data, religious information, 
political information--that people probably do not want tracked 
and that data collected.
    And, therefore, a Do Not Track option would empower 
consumers to avoid being tracked and have their data collected 
in those sensitive areas.
    Mr. Green. Thank you, Mr. Chairman.
    Mr. Space. Thank you, Mr. Green.
    I do have a couple of questions of my own before we get to 
the next panel. First, I would be remiss if I didn't reference 
something that I always reference in hearings having to do with 
broadband and digital technology, and that is, and I know it is 
a little off point, but it is important to a lot of people in 
this country who don't have any access to the Internet. And I 
want to commend both NTIA and the FTC for their efforts in 
promoting rural broadband access universally.
    That digital technology has become such a profound part of 
our everyday life experience, our economies, and has happened 
in just the last 10 or 15 years. And imagine where we will be 
in 10 or 15 years from now.
    So I mention that just because I want to underscore the 
importance of making up for this rural divide that exists in 
this country when it comes to access.
    The fact of the matter is digital communication is 
integrated very heavily into our economy and integrated very 
heavily into the everyday life of consumers in all realms, 
health care, education, et cetera.
    One of the concerns I have on this particular issue, the 
privacy issue, is the lack of sophistication of the normal 
consumer vis--vis that of the normal carrier and telecom 
provider. At the same time, I am cognizant of the importance of 
profitability and that Do Not Track legislation may have an 
adverse effect on that bottom line.
    I further understand that the industry itself has attempted 
several times to deal with the privacy concerns, and my 
assumption from your testimony is that you feel it has 
inadequately done so. My understanding is there is a coalition 
in the industry with approximately 5,000 participating 
companies, according to the Interactive Advertising Bureau. And 
we checked just last week, I think there were 58 actual 
participating companies.
    I would be interested in your impression as to the level of 
industry commitment to this issue and what nonlegislative means 
might be available to help stimulate greater interest among 
industry?
    Mr. Weitzner. Thank you, Congressman Space.
    And, first of all, thank you for your attention and your 
leadership on the rural Internet access issues. It is a major 
priority, as you know, for NTIA, and we appreciate your support 
on that.
    I would say that there have been ongoing industry efforts 
from the very beginning of the commercial Internet environment 
to help users understand how to use their services, how to 
protect themselves, for example, against content that they 
don't want to receive, that they don't want their children to 
receive. And I would say as well there have been efforts to 
help educate users about privacy protection. Those efforts, I 
believe, have to be ongoing and have to be stepped up. I think 
it is not fair to say that there have been no efforts, but 
certainly, we think the efforts ought to be increased.
    In the work that we have been doing on privacy at the 
Department of Commerce, one of the things that we have learned 
is that it is really critical to develop what we have called a 
multi-stakeholder approach to privacy protection, to have 
industry groups working together with consumer advocates, 
together with regulators, together with State attorneys 
general, all of whom have a significant responsibility in this 
area, and we certainly hope, going forward, that it will be 
possible to find ways to encourage those efforts. They clearly 
have to be stepped up.
    I think that consumer education on the Internet happens 
very often really through the design of services, not so much 
through talking to users. You think about how we have had 
hundreds of millions of people learn to use the Internet. It 
has been because services have been built so that they are easy 
to use, so that the tools that people want are accessible, and 
I think we have to apply that kind of innovation and 
accessibility to the privacy area.
    Mr. Vladeck. Let me just add have few thoughts, if I may.
    One is, on the educational side, I agree completely with 
Mr. Weitzner that we need to do more. One important 
recommendation we make in our privacy report is that we start 
engaging in privacy by design; we build privacy in from the 
start. And we need to do a better job of doing that.
    On some of the smartphones, for example, now, they will let 
you know when your geolocation data is being shared. We need to 
broaden those kind of technological innovations to alert 
consumers about privacy issues.
    Second, I think that the Federal agencies need to do a 
better job as well as industry in terms of public education. We 
take public education very seriously. We have distributed now 
nearly 5 million copies of a booklet designed for parents and 
kids to learn about Internet use, smartphone use. This is a 
book called ``Net Cetera'' that has been distributed in school 
districts around the country.
    Finally, the second point is that with respect to your 
industry stepping up to the plate question, nothing in our 
report and nothing in our testimony would preclude a robust, 
inclusive, enforceable, Do Not Track regime, self-administered 
by industry, provided that these commitments were backed up by 
an enforceable regime, such as the one that the Federal Trade 
Commission administers under Section V. We need to have a 
system in place in which consumers have confidence that their 
choices are being respected.
    There is nothing that would preclude a self-regulatory 
regime, as long as, at the end of the day, there is a law 
enforcement agency that would be able to single out and to go 
after people who did not engage in that kind of respect.
    Mr. Space. Thank you, gentlemen.
    The gentleman from Massachusetts, Mr. Markey, is 
recognized.
    Mr. Markey. Thank you, Mr. Chairman, very much.
    As cochairman of the Bipartisan Privacy Caucus with Joe 
Barton and former chairman of the Telecommunications and 
Internet Subcommittee, I have long believed that consumers 
should have control over their own personal information.
    When it comes to kids and their use of the Internet, it is 
particularly important that stringent privacy protections are 
applied so that children do not have their online behavior 
tracked or their personal information collected or disclosed.
    In 1998, I was the House author of the Children's Online 
Privacy Protection Act, or COPPA, which was signed into law by 
President Clinton. COPPA places parents in control over what 
information is collected from their children online. My law 
covers children aged 13 and under, and it requires operators of 
commercial Web sites and online services directed to children 
under 13 to abide by various privacy safeguards as they 
collect, use, or disclose personal information about kids.
    Those requirements are still on the books and are kind of 
the ``constitution'' right now for the protection of children, 
and those were important safeguards. But in Internet years, 
1998 is so long ago. We might as well be talking about the 
Peloponnesian War. The 1990s was back in the BF era, Before 
Facebook, just another time and place.
    Now is the time for new legislation to protect kids and to 
prevent them from being tracked online. That is why next year I 
plan to introduce comprehensive children's privacy legislation 
that will include a Do Not Track requirement so that kids do 
not have their online behavior tracked or their personal 
information collected or profiled. I look forward to working 
with my colleagues to move this legislation forward.
    I also want to commend Commonsense Media and its CEO, Jim 
Steyer, for their excellent work in this area. For many kids, 
the Internet is like online oxygen. They can't live without it. 
The Internet enables kids to access incredible opportunities 
that were unimaginable only a few years ago. But we must also 
protect children from the dangers that can lurk in this online 
environment.
    We thank the two of you for your longstanding commitment to 
ensuring that protection is there for children.
    May I ask, Mr. Vladeck, in your testimony, you indicate the 
Federal Trade Commission's support for development of a Do Not 
Track capability so consumers can avoid having their activities 
monitored online. As you know, in its ongoing series on online 
privacy, the Wall Street Journal has reported that popular 
children's Web sites install more tracking technologies on 
personal computers than do the top Web sites aimed at adults. 
Now, I am extremely concerned about that trend.
    Is that practice used by those Web sites covered by COPPA?
    Mr. Vladeck. So, remember, we are talking--COPPA covers 
children 12 and under, and we believe it is--that COPPA would 
apply.
    We have accelerated our review of COPPA in large measure 
because of exactly the concerns that you have outlined. That 
is, today, for many children, the Internet is a playground of 
the sort that we used to play in, except they spend a lot of 
time on the Internet. So we have accelerated a review of our 
COPPA rule.
    We just held a roundtable a few months ago to explore these 
issues and other issues that are raised; online gaming sites 
where children spend a fair amount of time only, the migration 
of these interaction sites to smartphones. So, yes, we share 
your concerns about this and we look forward to working with 
you in crafting legislation.
    Mr. Markey. Do you want legislation to pass that gives you 
the specific authority to be able to deal with these issues?
    Mr. Vladeck. I am not authorized to speak for the 
commission on this issue. I will say that in beginning our 
COPPA review process, one possible end of it would be 
legislative recommendations. And so we may well--our interests 
may well coincide here because we are hoping to make our 
recommendations about COPPA within the next few months.
    Mr. Markey. Well, I will be looking forward to your 
comments on my legislation.
    In response to the question of whether or not self-
regulation in fact works in this industry, your answer is 
that----
    Mr. Vladeck. It is not--in our view, self-regulatory 
efforts have thus far fallen short.
    Mr. Markey. And you agree with this as well?
    Mr. Weitzner. We think they could be a lot more urgent and 
robust, and we are looking at ways to encourage those efforts, 
particularly as to children.
    Mr. Space. The gentleman's time has expired.
    Mr. Markey. I thank the gentleman for the time you have 
given me and thank you for your excellent service to our 
country as well.
    Mr. Space. Thank you. At this point, the chair recognizes 
the gentlewoman from the great State of Ohio, Betty Sutton.
    Ms. Sutton. I thank the chairman.
    And I, too, add my voice to those who thank you so very 
much for your service to our country and, of course, to the 
great State of Ohio. We appreciate all that you have done. You 
have made the lives of the people that I represent better 
through your service, and we will miss you on this committee 
and in this Congress.
    Thank you, gentlemen, for your testimony. The first thing I 
want to talk about is, the Wall Street Journal pointed out, in 
a story called ``Slow Going for Web Piracy Software,'' that it 
is a challenge to get people to pay for Web privacy software. 
Nonetheless, there are firms that are sprouting up that, for a 
fee, will help people protect their online privacy. And the 
purveyors of these companies, despite the slow going, appear 
sort of optimistic about the future of this.
    In fact, the head of one such firm has glowingly referred 
to the emergence of a ``privacy economy'' in response to a 
growing concern about the amount of information being collected 
and stored about each of us and how it could potentially be 
used.
    This particular service, for an ongoing fee, helps people 
scrub their online reputations and to remove themselves from 
tracking networks. One of the ways it gets data collectors to 
remove its clients information is by paying them a fee.
    This notion of a privacy economy seems to be premised more 
on the idea that data collectors will make their money either 
by selling your information to someone else or by getting you 
to pay to stop it from being used.
    It also sounds like privacy is being transformed into a 
commodity available to those who can afford it.
    So, gentlemen, should we be concerned that if government 
and industry fail to address quickly and appropriately in a 
more robust baseline privacy protections, that what we might 
have emerge instead is something like a privacy economy, where 
some people will be able to buy privacy and others won't?
    Mr. Weitzner. That is a complex question, Congresswoman 
Sutton.
    I would say that, first of all, it is great news that there 
is innovative energy out there looking to give people more 
control over their information, to shape their Internet 
experience as they choose, and I think we can all hope that 
those efforts succeed.
    I think that some of those--it is not clear that that is 
going to ever offer the whole answer to the privacy question. 
There is no doubt that there is money to be made, businesses to 
be developed in this increasingly complex economy of personal 
information, and we welcome that.
    Some of the privacy concerns that people have, however, are 
not economic; they are not just about whether they get a penny 
or two for the use of their information. It is about how 
trustworthy they feel the online environment is. It is about 
whether they are treated fairly by those who they do business 
with. So I think we have to always keep in mind that there is a 
non-economic component to this as well, where I think a lot of 
the Federal Trade Commission's work over the last decade has 
been very important.
    Mr. Vladeck. Let me add one thought, which is, we want to 
build confidence and trust in the Internet economy, and having 
to pay a fee in order to engage in a retrospective effort to 
claw back personal information doesn't seem to us the right way 
to go about this.
    Ms. Sutton. And as I indicated in my question, that is 
actually what currently is starting to evolve. OK.
    I appreciate the work that both the FTC and the Department 
of Commerce have devoted thus far to developing the frameworks 
for protecting consumers' privacy as indicated by your answers 
here today, and how to best protect consumers' privacy is 
clearly an important and complicated issue.
    But both the FTC and Commerce have devoted nearly a year to 
listening to and distilling stakeholders' views and 
recommendations on this issue, and the idea that a more robust 
and effective approach must be taken to protecting consumers' 
privacy has been percolating for even longer than that. And 
while the FTC report provides a proposed framework for 
protecting consumers' privacy, it also raises more questions 
and asks for more feedback, and I understand that, and I 
understand the report from the Department of Commerce is going 
to take the same approach.
    So, Mr. Weitzner, do you know when we should expect 
Commerce to issue its report?
    Mr. Weitzner. We are hoping it will be very soon now, 
Congresswoman Sutton, certainly in weeks, not months, is our 
expectation.
    Ms. Sutton. And will that report also raise more questions 
and request more feedback?
    Mr. Weitzner. It will, Congresswoman. And I will say that 
our goal really is to be able to contribute to the public 
dialogue in general and also to the administration, the broad 
administration deliberation on privacy policy questions, 
including the question of how to respond to legislative 
proposals that are out there now and additional ones that will 
come.
    So we felt that we have had to take a--do a very broad 
consultation, and we have had a chance to do that. We are 
optimistic that that will contribute to the debate. We do feel 
a real sense of urgency about moving forward on this issue, 
both because of the domestic situation and also because of the 
global situation.
    Ms. Sutton. Thank you.
    Mr. Space. Does the gentlewoman yield the balance of her 
time?
    Ms. Sutton. Do I still have time?
    Mr. Space. Now your time has expired.
    Ms. Sutton. I would love to ask more questions.
    Mr. Space. Thank you, gentlemen, for your testimony.
    In dismissing you, I would like to again extend the 
committee's gratitude for the work you do and for your 
testimony today.

  STATEMENTS OF SUSAN GRANT, DIRECTOR OF CONSUMER PROTECTION, 
 CONSUMER FEDERATION OF AMERICA; JOSEPH PASQUA, VICE PRESIDENT 
OF RESEARCH, SYMANTEC CORPORATION; JOAN GILLMAN, EXECUTIVE VICE 
 PRESIDENT AND PRESIDENT, MEDIA SALES, TIME WARNER CABLE; EBEN 
  MOGLEN, LEGAL ADVISOR, DIASPORA, PROFESSOR OF LAW, COLUMBIA 
UNIVERSITY, FOUNDING DIRECTOR, SOFTWARE FREEDOM LAW CENTER; AND 
   DANIEL CASTRO, SENIOR ANALYST, INFORMATION TECHNOLOGY AND 
                     INNOVATION FOUNDATION

    Mr. Space. I would ask that the second panel step forward 
to the table. While you are situating yourselves, I will 
introduce you and then swear you in.
    We have with us Ms. Susan Grant, director of consumer 
protection of the Consumer Federation of America; Mr. Joseph 
Pasqua, vice president of research, Symantec Corporation; Ms. 
Joan Gillman, executive vice president and president, Media 
Sales, Time Warner Cable; Dr. Eben Moglen, legal advisor, 
professor of law, Columbia University, and founding director, 
Software Freedom Law Center; and Mr. Daniel Castro, senior 
analyst, Information Technology and Innovation Foundation.
    If you could find your seat, and I would ask that you rise 
so I may administer the oath.
    [Witnesses sworn.]
    Mr. Space. Let the record reflect that the witnesses have 
all answered in the affirmative.
    Ms. Grant, I will start with you. But before we begin with 
the testimony, I find it necessary, Mr. Moglen, to make some 
specific remarks in advance before, once again, I yield the 
floor.
    We as Members of Congress are never inclined to censor 
testimony or to influence a witness's remarks in open 
congressional forums, including this hearing.
    Having said that, Congress tries mightily to preserve the 
highest standards of decorum to foster the most constructive 
dialogue and debate possible on important matters like consumer 
privacy.
    Accordingly, I would ask you to provide your oral testimony 
without making any comments that could be construed as a 
personal attack against any company or any company's employees.
    I would also ask for unanimous consent that Mr. Moglen be 
given an opportunity to revise his written remarks and submit 
the same within 5 days.
    Hearing no objection, it is so granted.
    With that, I would introduce Ms. Susan Grant, director of 
consumer protection, Consumer Federation of America, for her 5 
minutes of testimony.

                    STATEMENT OF SUSAN GRANT

    Ms. Grant. Thank you.
    On behalf of Consumer Federation of America, an association 
of nearly 300 consumer organizations in the United States, I am 
pleased to provide our perspective on this important question, 
Is now the right time for Do Not Track legislation? And our 
answer is, not surprisingly, yes.
    As a recent Wall Street Journal investigation series, 
``What They Know,'' so clearly detailed, consumers are being 
tracked on the Internet, wherever they go, whatever they do, 
without their knowledge or consent. Information about their 
online activities, what they search for, what they click on, 
what they purchase, what they share with others, who their 
friends are in social networking sites, is compiled, analyzed 
and used to profile them. Sometimes information is gathered 
about their offline activities to create even richer profiles.
    This tracking is primarily used for marketing at this time, 
but it can also be used to make assumptions about people for 
employment, housing, insurance, and financial services, for 
purposes of lawsuits against individuals, and for government 
surveillance. There are no limits to what this type of 
information can be used for, what information can be collected, 
how long it can be retained, and with whom it can be shared.
    As the Wall Street Journal characterized it, ``one of the 
fastest growing businesses on the Internet is the business of 
spying on consumers.''
    If someone were following you around in the physical world, 
tailing you and making note of everywhere you go, what you 
read, who you talk to, what you eat, the music that you listen 
to, what you buy, what you watch, you might find this 
disturbing. The argument that we don't know your name, just the 
make and model of your car, and we are only going to use this 
information for advertising, might not assuage your concerns 
about being stalked.
    On the Internet, even if the tracker doesn't know your 
name, you are not anonymous. As the Federal Trade Commission 
and Members of Congress have recognized, your Internet protocol 
address and other unique persistent identifiers are essentially 
personally identifying information, and, as the Wall Street 
Journal put it, the skill of data handlers is ``transforming 
the Internet into a place where people are becoming anonymous 
in name only.''
    The ability to cross-reference data makes it easy to make 
assumptions about people and treat them a certain way based on 
information that has been collected about their activities, 
even if you don't know their names. Furthermore, as news 
reports and scholarly articles have described, it is relatively 
easy to re-identify data that is supposedly anonymous.
    With more and more people using the Internet as an 
essential tool for communications, education, managing their 
finances, researching health and other sensitive subjects, 
buying goods and services, sharing information through social 
networks, engaging in political and civil discourse, accessing 
government programs and benefits, and storing personal and 
workplace documents, it is crucial that they be able to exert 
effective control over the collection and use of what is 
gleaned about their online activities.
    No matter what one thinks about the benefits and risks of 
online tracking and behavioral advertising, and there are many 
different views, the fact is that consumers have the basic 
right to privacy and that right should be respected.
    While online behavioral tracking and targeting is less 
visible to consumers than telemarketing, surveys clearly show 
that people are uncomfortable with this practice. For instance, 
a 2009 survey by researchers at the University of Pennsylvania 
and the University of California found that 66 percent of 
respondents did not want Web sites they visit to show them 
tailored ads, and when the common tracking methods were 
explained to them, an even higher number rejected tailored 
advertising.
    More recently, a poll commissioned by the nonprofit 
organization Consumer Watchdog this past July revealed that 90 
percent of Americans wanted more laws to protect privacy; 86 
percent favored the creation of an anonymous button that allows 
you to go online without being tracked; and 80 percent wanted a 
Do Not Track me list.
    When the FTC announced in 2003 that it was creating the 
national Do Not Call registry, it acknowledged that the 
company-specific approach, which obliged consumers to inform 
each company one by one that they didn't want to receive tele 
marketing calls, was ``seriously inadequate to protect 
consumers' privacy from an abusive pattern of calls from a 
seller or telemarketer,'' and that consumers were angered and 
frustrated by the telemarketing calls that they were receiving.
    The FTC also said that industry's self-regulatory programs, 
such as the Direct Marketing Association's telephone preference 
service, fell short because they were voluntary, and to quote 
them, ``to the extent that sanctions exist for noncompliance, 
DMA may apply those sanctions only against its members, not 
nonmembers.''
    The National Do Not Call Registry is a big success because 
it provides consumers who don't want to receive telemarketing 
calls with an easy to use mechanism to opt out, and just as 
importantly, telemarketers have to honor their opt out request.
    As noted in the privacy report released by the FTC 
yesterday, voluntary programs by individual companies and 
industry associations through which consumers can opt out of 
online tracking are not adequate. We agree with the FTC that 
these programs have not been implemented widely enough; that 
consumers are unaware of them; that consumers may be confused 
by the lack of clarity and uniformity in the way that these 
various programs work; that these programs may not--may result 
in blocking personalized advertising from being delivered to 
consumers but may in fact not stop tracking, which could be 
used for other purposes; and that because these programs rely 
on cookies, they are not necessarily effective against all 
forms of tracking or persistent.
    Now is the time to create an easy-to-use mechanism for 
consumers who want to opt of online tracking if they wish to do 
and a legal requirement to honor their decisions, and this 
could be done in a way where consumers could give permission to 
specific trackers for specific purposes if they wished.
    Our ideas about how Do Not Track would work have evolved 
over time. Again, this would not be a list like the Do Not Call 
Registry, but would instead be a setting in Web browsers that 
consumers could use to indicate that they don't want to be 
tracked. The browsers would express the consumer's preference 
to the Web sites that they visit.
    I am not a technologist, but there are other experts from 
the Electronic Frontier Foundation and elsewhere, and we heard 
from the FTC that its experts concur that this mechanism would 
be easy to implement and simple for both consumers and trackers 
to use.
    In our vision, all browsers would be required to include a 
Do Not Track mechanism as a standard feature at no extra cost 
to consumers, and, just as importantly, all trackers should be 
required to honor consumers' preferences. Industry members 
would obviously have to work together, as they often do, in 
implementing technologies that have to be interoperable to 
ensure that these mechanisms work as intended.
    And we think that the FTC would have to be required to 
perform audits and mystery browsing to ensure that trackers are 
indeed complying with consumers' requests, since it is very 
difficult for consumers to tell themselves whether they are 
being tracked or how their information is being used.
    Mr. Space. Ms. Grant, if I could ask that you wrap it up. 
Unfortunately, we have a lot of witnesses.
    Ms. Grant. I am sorry. That is why I am speaking so fast.
    Let me just conclude by saying we have other concerns that 
will not necessarily be eliminated by Do Not Track. But to the 
extent that Do Not Track gives consumers an effective way to 
control the collection and use of their personal information, 
those concerns are

ameliorated. So we look forward to working with Congress on the 
creation of a Do Not Track tool for consumers.
    [The prepared statement of Ms. Grant follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. Thank you, Ms. Grant.
    Our next witness, Mr. Joseph Pasqua, vice president of 
research, Symantec Corporation.

                   STATEMENT OF JOSEPH PASQUA

    Mr. Pasqua. Mr. Chairman, Ranking Member Whitfield and 
members of the subcommittee, thank you for the opportunity to 
be here today as you consider a National Do Not Track proposal 
in an effort to protect consumer online privacy.
    As the global information security leader, Symantec 
supports Congress's goal to protect privacy and to enhance 
consumer trust online. Today, I would like the committee to 
take away three key points from my testimony.
    First, online privacy is not possible without security. 
Through spyware and certain harmful adware, online advertising 
can and increasingly does present a critical threat to security 
and therefore privacy on the Internet.
    Second, while privacy legislation can help protect 
Americans in the online world, we urge the committee to focus 
on regulating malicious behavior rather than underlying 
technologies. Privacy laws should avoid the trap of defining 
good or bad technology in order to avoid undermining both 
innovation and security.
    Third, while online privacy and security together are a 
critical foundation to trust on the Internet, the creation of a 
Do Not Track registry would be unlikely to advance these goals. 
Instead, Congress should focus on policies that foster an 
online environment where individuals and organizations can 
complete transactions with confidence, trusting each other's 
identities and the infrastructure on which the transactions 
run.
    Symantec believes that online privacy is a cornerstone of 
consumer trust. And let me just say that Do Not Track, and that 
mechanism is only one piece, as an earlier witness said, of the 
overall privacy question online.
    Without security, however, the expense of compliance and 
lost economic activity from individual privacy regulations may 
not be worth it. We urge Congress to deal with security first 
and not to inadvertently create impediments to security through 
new privacy laws or new safeguards which will amount to closing 
the barn door after the horses have left.
    The advantages of doing business over the Internet are 
tremendous, but only if exchanging information in cyberspace is 
secure. Interaction with Web sites increasing demands personal 
information, yet sharing such data requires trusting business 
partners and the integrity of transaction records online so 
individuals do not become victims of identity theft or fraud.
    The increased prevalence and complexity of online 
advertising make it a ripe target for attackers. Because an 
advertisement is basically a piece of software, the potential 
exists for that software to be malicious. Online behavioral 
advertising is not inherently bad, but it does carry with it, 
sometimes literally, collateral threats to information 
security.
    A whole class of threats, commonly known as spyware or 
malicious adware has proliferated over the last few years. 
Fortunately, the marketplace is responding to the need to 
address these challenges. Cyber security companies are 
investing heavily until newer generations of behavioral 
detection and white-listing technologies to handle the 
increasing volume and variety of spyware and malicious code 
threats.
    For our part, Symantec creates security programs that watch 
out for the most current malicious threats, as well as unknown 
software that exhibits suspicious behavior. The committee may 
find it of interest that given the millions of threats that 
Symantec products block every day, the detection most 
frequently encountered by our Norton antivirus users is a 
tracking cookie over everything else. And while many types of 
cookies serve a useful purpose and are used on most Web sites, 
tracking cookies are a privacy concern.
    Given the prevalence malware, including harmful adware and 
spyware, it is no surprise that there has been so much 
discussion about preventing advertising networks from being 
able to track the Web sites that consumers are visiting and 
other information about those consumers.
    The proposed Do Not Track list conceptually seems to be 
reasonable but, in practice, would be an extremely difficult 
technical task. In order to abide by an instruction not to 
track, a Web site must have a way to recognize that a given 
user connecting to that site has requested that they not be 
tracked. Because it is analogous to using phone numbers to 
identify a Do Not Call list, consideration has been given to 
using IP addresses to recognize a connecting user.
    This approach is problematic. As has been discussed 
earlier, IP addresses aren't really analogous to phone numbers. 
They change. Tracking them introduces their own security 
concerns.
    There is another concept, but basically a reverse, which 
would be a Do Not Track registry, which has also been 
discussed, and it implies advertisers would register their 
domains in a Do Not Track registry and browser plug-ins would 
enforce that.
    Symantec believes that that scenario could cause disruption 
to the user experience, significant disruption, and could 
influence the habits and fluidity of users' experience on the 
Internet.
    We have also heard today and in previous testimony about a 
proposed solution where a header, header information, is sent 
from the browser, from the user's computer, to the Internet, 
expressing the user's privacy preferences. That is a reasonable 
approach, but we would also like to indicate that the browser 
alone is not enough to support that. You have to have 
enforcement on the server side, and that can make things 
difficult.
    In summary, I would like to just point out one other thing. 
We have been talking a lot about browsers and consumers today 
using Web sites, but that is just one form of tracking. In the 
coming years, everything is going to be connected to the 
Internet. Your DVR is connected to the Internet. Your 
dishwasher is going to be connected to the Internet. Certainly 
your mobile phone. Advertisers would, in theory, be able to 
know how many loads of laundry you are doing a day.
    So we need to think about tracking and privacy in a broader 
scope than just browsers, though they are an important first 
step.
    [The prepared statement of Mr. Pasqua follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. Thank you, Mr. Pasqua.
    Our next panelist is Ms. Joan Gillman, executive vice 
president and president of Media Sales, Time Warner Cable.

                   STATEMENT OF JOAN GILLMAN

    Ms. Gillman. Thank you, Mr. Chairman, Ranking Member 
Whitfield, and other members of the subcommittee. I appreciate 
the opportunity to appear before you today to discuss consumer 
privacy, including the potential for Do Not Track legislation.
    For Time Warner Cable, our relationship with our customers 
is the bedrock foundation of our business. We operate in a 
highly competitive marketplace, and our ability to succeed 
depends on winning and retaining the trust of our customers. It 
is our job to preserve and strengthen that trust while 
delivering content and services to meet consumer needs as well 
as introduce the benefits of innovative network technologies 
and capabilities.
    I will make two points today. First, Do Not Track proposals 
cannot be considered in a vacuum but, rather, must be part of a 
larger conversation about the appropriate role of government in 
ensuring consumer privacy as more content, products and 
services move online.
    Second, we believe it would be premature to require Do Not 
Track through legislation or regulation, given the still 
conceptual nature of such a requirement.
    I will address each of these in turn.
    Advertising has emerged as a key driver of an incredible 
array of online content services and applications available to 
users at little or no cost. The more effective the advertising, 
the greater the advertising revenues available to fund these 
products and services. Simply put, advertising is more 
effective if the message is more relevant. This makes 
advertising more valuable to both the consumer and the 
advertiser. Traditional advertisers have employed such 
practices for decades.
    We would respectfully suggest that the appropriate 
framework for policy discussions is how to establish policies 
that encourage innovation while protecting privacy. In the 
first instance, policymakers should rely on industry best 
practices to achieve this result.
    Consumers have a keen interest in safeguarding their 
privacy, but they also want information about products and 
services, and they want access to free or reasonably priced 
products and services. That is possible only with broadbased 
advertiser support. It is in this context that policymakers 
should review the appropriateness of a Do Not Track 
requirement.
    Do Not Track raises some unique questions that make it 
significantly more complex than the popular Do Not Call list. 
For instance, how would Do Not Track affect consumers' online 
experience and expectations? Would they receive more pop-up 
ads? How would it affect diversity on the Internet? Would it 
negatively impact niche Web sites with small but loyal 
audiences? Would it prevent new Web sites from launching?
    With Do Not Track still at the conceptual stage, the next 
step should be industry-led efforts to refine and test the 
concept, rather than legislation and regulation.
    The codification of a Do Not Track requirement could 
quickly become moot in light of developing technologies. In 
contrast, self-regulation and best practices can quickly evolve 
to address the dynamic online environment. And while we believe 
that it is premature for Congress to move forward with Do Not 
Track legislation without further study, any privacy policy 
generally or Do Not Track policy specifically, whether adopted 
through industry best practice or government directive, should 
incorporate two principles: First, it should be focused on the 
kind of personally identifiable information that raises privacy 
concerns; and, second, it must be applied in the same way with 
respect to all entities operating in the Internet ecosystem.
    Allowing some businesses to track individuals while 
precluding others from doing so will lead to consumer 
confusion. Consumers would be better served by a single 
standard applied uniformly, based on the data being collected 
and how it will be used. Regulation that disfavors one 
technology or business model would also deter entry, thwart 
innovation, and limit competition in the advertising 
marketplace.
    We at Time Warner Cable look forward to working with you on 
these very important issues. Thank you, again, for the 
opportunity to appear before you today. I would be happy to 
answer any questions.
    [The prepared statement of Ms. Gillman follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. Thank you, Ms. Gillman.
    Our next witness, Eben Moglen, legal advisor, Diaspora; 
professor of law, Columbia University; and founding director, 
Software Freedom Law Center.
    Mr. Moglen.

                    STATEMENT OF EBEN MOGLEN

    Mr. Moglen. Thank you, Chairman Rush, Ranking Member 
Whitfield, Mr. Space, and other members of this subcommittee. I 
very much appreciate the invitation to testify, and I would 
like to express my particular gratitude for the committee's 
strong respect for free speech in the legislative process.
    I think it would be useful to begin with a technical 
clarification. The receipt of advertising on the Web is already 
completely optional. I receive no advertisements in my browser, 
on my laptop or on my mobile devices. Any member of the 
committee or any member of the listening on C-SPAN, using the 
Firefox browser, could search briefly for Adblock Plus and 
discover that advertising is already optional to receive 
entirely, whether it is targeted advertising or nontargeted 
advertising.
    The apparent connection made in the course of this 
discussion between the economics of the advertising business 
and whether surveillance ought to be authorized or acceptable 
on the Web therefore escapes me.
    It is already possible for anyone wishing to receive no 
advertising to do so. Civilization has not collapsed. The 
distinguished businesses represented here are still in 
business. And I believe there is no justification for the 
conclusion that legitimate control of surveillance on the Web 
in the public interest would have any effect on the economics 
of the situation, since a blanket ban on receipt of advertising 
by individual consumers is already fully implemented and 
available at no charge.
    I also believe that the concept of tracking is perhaps a 
part of the general mystification in which consumers find 
themselves. We should, I think, be more clear with consumers 
who do not have our level of interest in or expertise in these 
questions if we simply pointed out that the Internet has become 
a very highly surveilled locale relative to all previous social 
environments.
    As Mr. Markey pointed out earlier this afternoon in his 
questioning, we already have a world in which more than half a 
billion people live all of their social lives online inside a 
service provider structure, which puts everything they do, 
everything they say to one another, every photograph they post, 
every piece of information they distribute about their social 
lives, in one great big database owned by a single for-profit 
business which Mr. Markey named.
    I think we ought therefore to conclude that the idea of Do 
Not Track, which really ought to be described to the public 
whose interests we are protecting as ``Do Not Surveil,'' is a 
problem more serious and more comprehensive than the problem of 
addressing behavioral advertising, which is merely one wrinkle 
in a rapidly changing technical environment, as others have 
noted.
    The problem we really face is the problem of identifying 
the level of surveillance of human beings in their daily 
activities, the ``online oxygen'' that Mr. Markey referred to. 
How much surveillance is socially tolerable?
    Never mind whether it is for profit or for the protection 
of people from wrongdoing of one kind or another. How much are 
we prepared to abandon our traditional human understanding, 
that what we do, when we read, when we speak to our friends, 
when we go about our social lives, is nobody's business except 
the business of the people with whom we choose to share?
    Many technologies, including technologies being developed 
by my client base, the client base of nonprofit entities who 
make software for everyone to share, freely and at no cost, 
many technologies under development would allow us to achieve 
the enormous benefits of the Web we know now, along with many 
other benefits of the Web we will still enjoy, with minimal 
levels of surveillance.
    That will undoubtedly bring significant economic change, as 
the Web itself has brought economic change during the last 
8,000 days, which is the total life of the Web. In the next 
8,000 days, we can decide whether what we want is all the 
benefits of social networking and all of the benefits of online 
culture with comprehensive spying going on all the time or 
without comprehensive spying going on all the time.
    As public servants, all of us, I think our role is to 
arrange to have as little spying as we can. I do not think that 
is an obligation we can trade off against any other, because I 
think it reaches directly to the heart of what constitutional 
freedom is.
    In my judgment, what we require is a comprehensive national 
privacy policy act in which Congress does what Congress does 
best: set large, general, societal goals and empower all 
Federal agencies in the conduct of their activities to achieve 
those goals.
    The National Environmental Policy Act has within one 
generation done enormous amounts to clean our water, our air 
and our environment because of Congress's wisdom in the 
declaration of broad general principles for the protection of 
the public interest.
    Privacy online is the single largest environmental issue in 
the online world, and it should be addressed with the same 
degree of seriousness and comprehensiveness with which the 
physical environment was addressed by Congress one generation 
ago.
    Businesses will naturally regard such regulation as 
burdensome, and that is not a big deal. We must have a clean 
environment to live in, and we must have a clean online 
environment that protects our freedom. Our principles 
acknowledged, there will be plenty of money for everybody to 
earn, but without our principles acknowledged, we will buy our 
convenience with our freedom, and that is far too high a price 
to pay.
    Thank you for your time. I am happy to answer your 
questions.
    [The prepared statement of Mr. Moglen follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. Thank you, Dr. Moglen.
    Our final panelist, Mr. Daniel Castro, senior analyst, 
Information Technology and Innovation Foundation.

                   STATEMENT OF DANIEL CASTRO

    Mr. Castro. Mr. Chairman and members of the committee, I 
appreciate the opportunity to appear before you. I would like 
to talk with you about why a government mandated Do Not Track 
program would be a mistake.
    If widely adopted, this type of mandate would significantly 
harm the current funding mechanism for the Internet ecosystem, 
resulting in less free content and fewer free services online. 
In addition, it would be costly to implement, difficult to 
enforce, and result in more intrusive and less relevant 
advertising for consumers.
    First, it is important to understand that the Internet 
ecosystem is a significant source of economic activity in the 
United States, accounting for approximately $300 billion, or 
roughly 2 percent of GDP, and online advertising is the fuel 
powering this economic dynamo.
    Online advertising has grown dramatically over the past 
decade. As of 2009, the online advertising market was about $23 
billion in the United States, and analysts predict that, of the 
$600 billion spent globally on advertising each year, an 
increasingly larger share of this will go to the online sector.
    Many of the Web sites that millions of Americans use daily 
for work and play would not be around today without 
advertising. Of the top five most popular Web sites in the 
United States, Google, Facebook, Yahoo, YouTube, all of these 
used advertising almost exclusively to support their products 
and services, and number five on that list, Amazon.com, uses it 
to supplement theirs.
    Targeted ads represent a growing proportion of online ads 
on these Web sites. Targeted ads are a benefit to consumers, 
who get more utility from these ads. The percent of users who 
actually click on an ad are as much as 670 percent higher for 
targeted ads than nontargeted ads, and advertisers are willing 
to pay more to reach their desired audience. Advertising rates 
are almost three times higher for these targeted ads.
    Targeted advertising does not involve selling data about 
users. These Web sites match ads provided by advertisers to 
users based on their interests, often without even using any 
personally identifiable information.
    I want to emphasize that the impact of policy changes For 
online privacy can be profound. There is a study by professors 
at MIT and the University of Toronto on the impact of EU's 
privacy directive. The directive limits the ability of 
advertisers to collect and use information about consumers for 
targeted advertising.
    The study found that, in Europe, the privacy directed 
resulted in an average reduction in effectiveness of online ads 
by approximately 65 percent. Similar limits on targeted 
advertising in the United States, especially through a Do Not 
Track proposal, would be even more harmful. Not only would it 
eliminate the billions of dollars that targeted advertising 
pumps into the Internet economy, it would stunt the huge 
potential growth in innovation for new content and services 
that would come with more of these higher value ads.
    Do Not Track would also be costly to implement and 
difficult to enforcement. The most popular proposal right now 
on how Congress or FTC or anyone else can mandate a Do Not 
Track mechanism is through a modification of the HTTP header. 
Such a change would require substantial retooling of existing 
Web sites, Web browsers and other related software and devices, 
the cost of which, of course, would ultimately be borne by 
consumers.
    In addition, the proposal leaves much ambiguity about what 
does or does not constitute tracking. Do Not Track may allow 
sites which have large databases of user information to 
continue to provide targeted advertising but would hurt the 
ability of smaller publishers to rely on third party ad 
networks to deliver personalized ads. It may also not apply to 
other emerging forms of online advertising, such as deep packet 
inspection.
    Congress should be careful not to devise policies around a 
particular business model that would end up hurting some 
businesses while helping others. It should also not forget that 
consumers today have many tools to protect their privacy 
online.
    Finally, Do Not Track would result in more intrusive and 
less relevant advertising for consumers. Do Not Track, of 
course, doesn't actually stop online advertising. It only 
limits the ability of ad networks to deliver ads that the user 
might actually want. Users who opt out of tracking would 
receive more, not less, unwanted advertising.
    In addition, advertisers would likely resort to overlay and 
pop-up ads, which users may find annoying, but actually are 
more effective at getting their attention. The reason for this 
is that the small text-based ads are significantly less 
effective unless they can be tailored to a user's interest. If 
Do Not Track were widely implemented, another option, of 
course, is that Web sites may simply choose to block users who 
do not allow tracking.
    In short, privacy is important, but it must be balanced 
against competing goals, including usability, cost, future 
innovation and consumer benefit. A Do Not Track requirement 
would do more harm than good, and for that reason, I urge the 
Federal Government to not go forward with this approach.
    Thank you.
    [The prepared statement of Mr. Castro follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Space. And thank you, Mr. Castro.
    That is our final panelist, and now Members will be 
permitted to ask questions.
    And I would ask the chairman of this committee, Mr. Rush, 
if he intends to use his time.
    Mr. Rush. Thank you, Mr. Chairman.
    And before I ask the question, let me also join with 
previous commentary from those on the subcommittee in thanking 
you for your outstanding service to this subcommittee. You have 
been a very valuable part of this process that we are now 
engaged in and have been engaged in. And I certainly have 
always welcomed your friendship and your leadership, your 
insight and your commitment to the affairs of the American 
people. So congratulations on an outstanding job that you have 
done.
    And I do have just a couple of questions that I want to ask 
a couple of the panelists.
    On October the 4th, 2010, the Council of Better Business 
Bureaus, a group of the Nation's largest media and marketing 
trade organizations, announced their ``Self-Regulatory 
Principles for Online Behavior Advertising.'' They also 
launched an industrywide ``Advertising Option Icon,'' which was 
to be displayed on Web pages that collect user information for 
behavior advertising.
    Now, I have to ask Ms. Grant and Ms. Gillman, Mr. Pasqua 
and Mr. Castro, I am going to ask you two questions, and you 
can take your time to answer these questions.
    Have you had the opportunity to review the new consumer 
opt-out platform? And, two--which is part of the advertising 
alliance that was released on the said date?
    And the second question is, in its current configuration, 
what are some of the consumer opt-out platform's limitations? 
What are the limitations of the opt-out platform?
    Ms. Grant, I will start with you, and we will just go down 
the line.
    Ms. Grant. I have read the principles and the explanation 
for them for this new program, actually several times because 
it is extremely complicated. It was supposed to actually be 
launched in July. I don't believe that it is really functioning 
yet, at this point, so I don't think that we can tell much 
about how it is going to work.
    But one thing that troubled me was that there were many 
different options that companies had for, for instance, how 
they would explain to consumers what they were doing with their 
information, who was responsible in the chain of companies for 
doing this, where consumers would go to opt out, whether to a 
central Web site that some companies but not all companies 
would use or to individual companies' Web sites.
    I found the whole thing very potentially burdensome for 
consumers. And I don't think that it is the one-stop-shopping, 
easy mechanism that we are looking for.
    Mr. Rush. Ms. Gillman.
    Ms. Gillman. Yes, I did read it, but it was some time ago. 
I will tell you that we applaud the initiative that they took. 
The issue is complex, and I think it is early days; it is too 
soon to actually judge the effectiveness.
    I think a lot of the complexity is that many of the 
participants have very different businesses and systems, and 
they are trying to figure out the best way to do this. And no 
one today knows the best solution. So the fact that they are 
trying, I think, is heading in the right direction.
    I would also--you asked about limitations. I think it is 
time, it is consumer education, and it is applying many of 
these best practices and really learning from them. So it is 
just time, at this point, that is the limitation.
    Mr. Rush. Mr. Castro.
    Mr. Castro. Thank you.
    Yes, I have had a chance to review it. I would say the 
limitations are that obviously it is in its nascent stages, 
but, when you look at it, you know, this is certainly an 
iterative process, as all technology improvements are. And if 
you see the progress they have made in the past 6 months to a 
year to 5 years, I think, you know, it is very good.
    One thing that I think is important when you evaluate these 
solutions, you know, they don't have to necessarily come up 
with the best solution. They just have to have a platform that 
other people can apply a good solution to. In that sense, they 
are making a lot of progress.
    And the other main limitation that I see is that this is 
obviously only one type of advertising, display advertising on 
Web sites. You know, we need to look broadly at creating a fair 
platform so that all types of online advertising can be 
competitive.
    Mr. Rush. The CFA has said before that, quote, ``Online 
opt-out should be as well-known and as easy as the Do Not Call 
list,'' end quote, and that a Do Not Track list should be aimed 
at preventing tracking for, quote, ``advertising purposes.''
    Can you be more specific in terms of what you mean by 
``advertising purposes''? Can you be more precise about it? 
What of these online tracking tools and technologies would be 
permitted and they don't fall into, quote/unquote, 
``advertising purposes''?
    Ms. Grant. Well, we have heard today that there are already 
some solutions out there for consumers. It is not clear how 
widely known they are. And, in some cases, there are things 
that consumers have to pay for to protect their privacy.
    It is a challenge whenever you are educating consumers. You 
have to have very simple, central messages to give them, and 
you have to have very practical, easy things for them to do.
    Right now, if I was advising a consumer about how to avoid 
online tracking, I wouldn't be able to give that person very 
easy, practical advice about what to do, because there is not 
one easy-to-do thing, as we are advocating with a Do Not Track 
mechanism. There are various things out there that have their 
pros and cons, all of which people have to download or take 
various steps to do, not as easy as flipping the switch that we 
envision on one's browser with a Do Not Track mechanism.
    Mr. Rush. Ms. Gillman, would you take a stab at it from 
your perspective, in terms of what is--would you more precisely 
define ``advertising purposes''?
    Ms. Gillman. Can you actually rephrase the question? 
Because I would like to make sure----
    Mr. Rush. OK, let's try to define, quote, ``advertising 
purposes'' with a little bit more precision. What other uses of 
these online tracking tools and technologies would be permitted 
as not falling into, quote, ``advertising purposes''?
    Ms. Gillman. Oh, you are asking what would not be 
considered advertising use?
    Mr. Rush. A more precise definition of what an advertising 
purpose would be.
    Ms. Gillman. I am not a lawyer, so trying to actually draft 
that language is challenging. I think it is worth a deep 
discussion. Today, the advertising industry is a large 
industry, $250 billion. It encompasses communication with 
consumers through direct mail, through advertising in terms of 
display advertising. And the information that is often used to 
inform those campaigns is information that, you know, can cover 
purchase information and it can cover interests that they know 
about that individual, publicly available information about 
their college education, their level of education, their 
income.
    So, to me, the information that might be needed to be used 
is broad. But most, if not all, major advertising initiatives 
today do not actually need to use personally identifiable 
information to deliver marketing messages on the Web. So I 
don't know if that addresses it, but it is a lot of blended 
information, depending on the business.
    Mr. Rush. Ms. Grant.
    Ms. Grant. Can I take a stab? Because I may not have 
understood your question properly.
    Beyond the demographic information that is often used in 
advertising to target it to certain markets, increasingly we 
are seeing more sensitive kinds of information used--health 
information, other information--to do exactly what we have 
heard described, to personalize the advertising.
    And there are great concerns about that. There may be some 
people who are not troubled by that, but we know that there are 
a lot of other people who are, and that those people need an 
easy-to-use tool to prevent that kind of information from being 
collected if they don't wish it to be.
    Mr. Moglen. Mr. Chairman, may I comment?
    The purpose of advertisers is to collect information 
concerning the capabilities and intentions of the potential 
buyer and to affect that buyer's behavior. Oddly enough, those 
three points--collection of information about capabilities and 
intentions for the purpose of affecting behavior--is also the 
definition of what intelligence services do. There is, in fact, 
no practicable distinction between the public activity we call 
``collecting intelligence'' and the private activity we call 
``targeting advertising.'' They are both spying.
    The purpose of spying has got to be one which the public 
would find in its advantage and not merely in the advantage of 
the institution performing the spying. We do that with respect 
to public intelligence services because they are under 
democratic control. We don't do that with respect to 
advertisers. They are under nobody's control but their own, 
unless they are regulated.
    Thank you.
    Mr. Rush. Well, thank you.
    I yield back.
    Mr. Space. Thank you, Mr. Chairman.
    Thank you, also, for allowing me the opportunity to chair 
this hearing. This seat is much more comfortable than I 
imagined.
    The chair recognizes Ranking Member Whitfield from 
Kentucky.
    Mr. Whitfield. Mr. Castro, you just heard Dr. Moglen's 
comment about advertising. And I was just curious, would you 
have any comment to what he just said?
    Mr. Castro. Sure, absolutely. I mean, I think it is 
actually inaccurate. Spying is very different. Spying, you know 
what somebody is doing very specifically; it is identifiable. 
It is implied that it is harmful.
    In this case, what is happening for most targeted 
advertising, most of the collection and use of information 
online--you know, when we are talking about this problem, 95 
percent of everything that we talk about is things that most 
people are comfortable with. It is this, kind of, 5 percent 
gray area that is the exception.
    But, you know, overall there are a lot of good things that 
are being done with this data and good things that are helpful 
to consumers. You know, data is collected and used so that Web 
sites are more accessible, more usable, they are displaying 
more accurate information. Information is collected so that 
search engine rankings can be improved. Data is collected, you 
know, of course, to do targeted advertising. And all of these 
things help users, and I don't think most consumers would 
consider that they are spied on when they are given something 
that they want.
    Mr. Whitfield. Would you like to respond to that in any 
way, Mr. Moglen?
    Mr. Moglen. Well, it seems to me that it heightens, again, 
the point that thinking about targeted advertising in isolation 
is probably not a good idea. But if Mr. Castro is correct, we 
could test it with a very simple regulatory approach which 
would simply require businesses to disclose to consumers on 
request everything the business knows about them and what they 
have done with it. Then we will find out whether people are 
comfortable with what actually happens as opposed to what they 
can see.
    Online advertising firms are very secretive in their 
nature. I don't compare them lightly to intelligence services. 
They both protect very jealously their methods of collection of 
information and analysis, and they both protect very jealously 
what they do with the information that they have.
    I think, if Mr. Castro is correct that what is actually 
going on would be acceptable to consumers, then there ought to 
be no objection to regulation that would require consumers to 
have the power to get exact information about what is known 
about them and what is done with what is known.
    Mr. Whitfield. Yes.
    Mr. Castro. Sir, I would like to respond to that.
    Of course, the issue that we are talking about today and 
the broader issue with online tracking and implementing Do Not 
Track is there are lots of costs involved. So the question is 
always, is the cost necessary and appropriate?
    I do absolutely agree that, you know, broadly speaking, we 
do want government to look out for consumers' privacy rights. 
One way of doing this is looking specifically at harms--what 
harms are out there and how can we prevent harms from 
occurring. Because it doesn't matter to the consumer how 
somebody got data about them. They care if something bad 
happens to them. They care if somebody is discriminating 
against them or their information is being used in a harmful 
way. And so I think that is a very appropriate way that 
Congress can address these kinds of privacy concerns that are 
out there.
    Mr. Space. OK. And the ranking member had to step out, so I 
will reserve his 2 minutes and 13 seconds.
    And that leaves me. I do have some questions I would like 
to ask.
    Dr. Moglen, actually, you said something during your 
response to one of the questions I think asked by Chairman 
Rush--and while you equated the act of surveillance or tracking 
to spying, I am not sure I would agree with that. But you did 
say something that I think really gets to the heart of matter, 
and that is, who benefits from it?
    And I have heard testimony today from various people that 
not only does the advertiser or the digital company that is 
engaging in the tracking benefit, but there is some suggestion 
that consumers benefit, as well, specifically not just in terms 
of convenience but it allows, for example, low-income consumers 
easier access because of cheaper costs. Perhaps the argument 
could be made that it could allow telecommunication companies 
the flexibility of extending or expanding their networks to 
serve underserved and unserved areas.
    And I am curious--I am going to ask Mr. Castro--whether you 
have any qualifiable, measurable data that would provide us 
with details on how tracking legislation or an overall blanket 
prohibition would affect the business model within the 
industry.
    And then I am going to ask you, Ms. Grant, the extent to 
which you are concerned about the economic consequences of 
legislative action that might prohibit this kind of activity as 
it relates to the business model of the telecom companies and 
their ability, then, to reach and provide services to low-
income and rural--or unserved customers.
    Mr. Castro. Yes, so, you know, would this affect the 
industry? Certainly, when you look at the numbers, there are 
two numbers you have to look at. One is how much is being spent 
now and then what the trends are, so how much will be spent in 
the future.
    There have been studies on, of course, the effectiveness of 
online advertising and the impact of regulations. And I point 
to the study by Tucker and Goldfarb from MIT and University of 
Toronto that looked at the impact of the European privacy 
directive. And that study did find a loss in effectiveness.
    And what they did as the next step was they said, you know, 
what would that impact be if advertisers changed their spending 
in direct correlation to the effectiveness of the ad, which is, 
you know, a very logical thing. So they could either increase 
their spending, you know, and double the number of ads and get 
the same effectiveness or decrease it in line.
    So if they decrease it--and I think this was applied to the 
U.S. economy--if it was decreased, it would be something like a 
loss of revenue of about $5 billion.
    Mr. Space. Five billion dollars?
    Mr. Castro. Five billion dollars. It was from around--I can 
pull out the number in a minute, if you would like the exact--
it was over $5 billion.
    Mr. Space. Whose estimate was that?
    Mr. Castro. This was Tucker and Goldfarb from the 
University of Toronto and MIT.
    Mr. Space. Who commissioned this study, or was it an 
academic----
    Mr. Castro. It was an academic study.
    Mr. Space. All right.
    Ms. Grant, having heard those numbers, $5 billion is a lot 
of money and, not just conceivably but in all probability, 
might affect the ability of low- to middle-income consumers to 
obtain access and, again, underserved or unserved consumers to 
obtain access.
    What is your response to those monetary concerns?
    Ms. Grant. Well, first of all, if I understand correctly, 
this was a study of the EU privacy directive. So I don't think 
that it is exactly on point.
    I don't know what the impact of Do Not Track would be on 
telecom companies. But I would like to say a few things that I 
think would be helpful here.
    One is that we are not talking about no advertising. There 
are consumers who might not avail themselves of Do Not Track so 
would continue to receive tailored advertising. There are 
consumers who now and in the future will continue to get 
contextual advertising, which is based on what they are looking 
at at the time on the Internet and doesn't involve following 
them around and compiling a dossier of what they do and who 
they talk to.
    And consumers find information on the Internet about the 
products and services that they want in other ways, as well. 
They do it using search engines. They do it using price-
comparison Web sites.
    So there are lots of ways that people find what they are 
looking for online. And behavioral advertising is one part of 
this, but it is certainly not the main or only part. And I 
don't think that doing away with it will have a--or not doing 
away with it, but giving consumers control over whether they 
want to be tracked or not will create a great economic upheaval 
or turn the Internet dark overnight.
    I am sure that the Federal Trade Commission wouldn't be 
supporting the concept of a Do Not Track mechanism if it felt 
that it would have that effect either. We are all very 
concerned about the economy and making sure that it is strong 
and that e-commerce continues to grow, but we don't want to 
sacrifice consumers' privacy.
    We don't let companies do whatever they want just because 
it is profitable. I am sure that bombarding consumers with 
telemarketing calls was probably effective even though a lot of 
people didn't like it. It made money. But we drew the line. We 
drew the line in terms of time of day that telemarketers could 
call consumers, that they couldn't call with annoying 
frequency. And then we gave consumers a tool to actually use to 
reduce unwanted telemarketing if they chose. And that is the 
kind of thing that we are talking about here.
    Mr. Space. Thank you, Ms. Grant.
    Mr. Moglen. May I comment, Mr. Space?
    Mr. Space. Yes, in one moment, Dr. Moglen. I am going to 
call on you to comment.
    But I would like to know from Ms. Gillman whether Time 
Warner, for example, can quantify and give us some indication 
as to how this affects your business model and your ability to 
provide cable services to consumers at current pricing. Have 
you done studies? Is there any measurable data that we can look 
at?
    Ms. Gillman. We have not done a study that looked at that 
specifically. But I can speak to the fact that we need to 
innovate every day to adapt to consumer interests, consumer 
needs. They look to us to make improvements to our service 
every day. And this debate being a very important debate, the 
risk one runs is that there are unintended consequences of a Do 
Not Track policy, in that it prevents companies like ours from 
innovating.
    I would also like to add, though, that the vibrancy of the 
Internet is extremely important, as well. And what should be 
explored around this debate and discussion is really the 
unintended consequences for the smaller content providers and 
service providers, the small businesses in and around this 
ecosystem. The smaller the Web site, the smaller the audience, 
the more challenging times they have selling contextual 
advertising. So they do not have a large enough audience.
    So we really want to encourage innovation in the Internet 
ecosystem, and we want new players entering. And we want to 
make sure that any discussion around this debate does not 
prevent that from happening.
    Mr. Space. OK.
    Dr. Moglen, you have the last word.
    Mr. Moglen. I very much doubt, Mr. Chairman, that there is 
any person in this room whose life has not been altered by 
Wikipedia, which has provided opportunities for underserved 
populations of the kinds that you were talking about to conduct 
research and to learn at a level which is otherwise 
inaccessible to them.
    Wikipedia is unsupported by advertising. And of the 100 
most visited sites on the Net studies by the Wall Street 
Journal in the series previously referred to, it was the only 
one of the 100 not in any way surveilling or tracking its 
users.
    I think, once again, that the attempt to connect the 
advertising business model to the importance of vibrant content 
on the Net or life-changing possibilities of expansion of 
access to underserved populations is poppycock.
    Mr. Space. OK. With that, does the chairman have any 
additional questions?
    Mr. Rush. Mr. Chairman, in the interest of time, I am going 
to just pass, because I think that you and the other members of 
this panel have been here for quite some time. And I would be 
taking advantage of my freshness, my first legs if I were to 
ask another question, so I am going to pass.
    Mr. Space. Thank you, Mr. Chairman.
    And Ranking Member Whitfield?
    Mr. Whitfield. How do you spell ``poppycock''?
    Mr. Space. Yes, how do you spell ``poppycock''?
    Mr. Moglen. I will modify my remarks to spell it out. Thank 
you.
    Mr. Space. All right. With that, this hearing is adjourned.
    [Whereupon, at 2:34 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

