[Senate Hearing 111-1038]
[From the U.S. Government Publishing Office]

                                                       S. Hrg. 111-1038
                        CONSUMER ONLINE PRIVACY



                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE


                             SECOND SESSION


                             JULY 27, 2010


    Printed for the use of the Committee on Commerce, Science, and 

67-686                    WASHINGTON : 2011
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected]  



                             SECOND SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, 
JOHN F. KERRY, Massachusetts             Ranking
BYRON L. DORGAN, North Dakota        OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California            JOHN ENSIGN, Nevada
BILL NELSON, Florida                 JIM DeMINT, South Carolina
MARIA CANTWELL, Washington           JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey      ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas                 GEORGE S. LeMIEUX, Florida
CLAIRE McCASKILL, Missouri           JOHNNY ISAKSON, Georgia
AMY KLOBUCHAR, Minnesota             DAVID VITTER, Louisiana
TOM UDALL, New Mexico                SAM BROWNBACK, Kansas
MARK WARNER, Virginia                MIKE JOHANNS, Nebraska
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                   Bruce H. Andrews, General Counsel
                 Ann Begeman, Republican Staff Director
             Brian M. Hendricks, Republican General Counsel
                  Nick Rossi, Republican Chief Counsel

                            C O N T E N T S

Hearing held on July 27, 2010....................................     1
Statement of Senator Rockefeller.................................     1
Statement of Senator Johanns.....................................     3
Statement of Senator LeMieux.....................................    22
Statement of Senator Thune.......................................    24
Statement of Senator Dorgan......................................    26
Statement of Senator Kerry.......................................    87
Statement of Senator McCaskill...................................    90
Statement of Senator Klobuchar...................................    92
Statement of Senator Begich......................................    94


Hon. Julius Genachowski, Chairman, Federal Communications 
  Commission.....................................................     3
    Prepared statement...........................................     5
Hon. Jonathan D. Leibowitz, Chairman, Federal Trade Commission...     6
    Prepared statement...........................................     8
Dr. Guy ``Bud'' Tribble, Vice President, Software Technology, 
  Apple Inc......................................................    35
    Prepared statement...........................................    37
Bret Taylor, Chief Technology Officer, Facebook..................    44
    Prepared statement...........................................    46
Dr. Alma Whitten, Privacy Engineering Lead, Google Inc...........    53
    Prepared statement...........................................    54
Jim Harper, Director of Information Policy Studies, The Cato 
  Institute......................................................    63
    Prepared statement...........................................    65
Dorothy Attwood, Senior Vice President, Public Policy and Chief 
  Privacy Officer, AT&T Inc......................................    77
    Prepared statement...........................................    79
Joseph Turow, Ph.D., Robert Lewis Shayon Professor of 
  Communication, The Annenberg School for Communication, 
  University of Pennsylvania.....................................    82
    Prepared statement...........................................    84


Laura W. Murphy, Director, Washington Legislative Office and 
  Christopher Calabrese, Legislative Counsel, American Civil 
  Liberties Union, prepared statement............................   111
Response to written questions submitted by Hon. John F. Kerry to:
    Hon. Jon Leibowitz...........................................   116
    Guy ``Bud'' Tribble..........................................   117
Response to written questions submitted to Bret Taylor by:
    Hon. John D. Rockefeller IV..................................   118
    Hon. John F. Kerry...........................................   120
Response to written questions submitted by Hon. John F. Kerry to:
    Dr. Alma Whitten.............................................   120
    Professor Joseph Turow.......................................   122

                        CONSUMER ONLINE PRIVACY


                         TUESDAY, JULY 27, 2010

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:36 p.m. in room 
SR-253, Russell Senate Office Building, Hon. John D. 
Rockefeller IV, Chairman of the Committee, presiding.


    The Chairman. This hearing will come to order.
    And I should warn our participants here that we have, I 
believe, a vote at 3 o'clock; originally, it was at 2:45, so we 
have 15 minutes of grace, some of which will be taken up by my 
opening statement, for which I apologize, but which I am going 
to enormously enjoy giving. So, thank you very much for being 
here. And others are trying to juggle stuff, but they will all 
be here.
    Today, our committee is going to examine the issue of 
consumer privacy in an online world. Mark Pryor had a 
subcommittee hearing on this subject, with respect to children. 
But, this is actually the first time, I think, in committee's 
history, that we have had precisely this kind of, writ large, 
online privacy hearing. So, it's very important to me. It's an 
issue I am deeply interested in, and I know my colleagues, 
especially Senators Kerry and Pryor, who chair the 
Subcommittees on Communications Consumer Protection, are, also. 
I thank them for their work on this issue.
    Imagine this scenario: You're in a shopping mall. And while 
you're there, there's a machine recording every store you enter 
and every product that you look at and every product that you 
buy. You go into a bookstore, the machine records every book 
you purchase and every book you peruse. Then you go to a 
drugstore. The machine is watching you there, meticulously 
recording every product you pick up, from the shampoo and the 
allergy medicine to your personal prescription, if you are 
searching for one.
    The machine records your every move that day--every single 
move. Then, based on what you look at, where you shop, what you 
buy, it builds a personality profile on you. It predicts what 
you may want in the future and starts sending you coupons. 
Further, it tells businesses what a good potential client you 
may be and shares your personality profile with them. Do they 
have your permission for doing that? Of course not. Is it 
possible that they give you some alternatives, in fine print, 
which nobody has the time or the interest or the eyesight to 
read? They might, but that doesn't count, if we're doing this 
straight up.
    So, this sounds fantastic, something like out of a science 
fiction. But, this fantastic scenario is essentially what 
happens every second of every day to anyone who uses the 
Internet. Every time you go online, a computer server tracks 
the websites that you visit. When you send or receive an e-
mail, a computer may scan the contents of that e-mail. And when 
you use a mobile device, a computer often tracks your 
location--very interesting--your location, where you are. 
Moreover, these computers--computer servers, these machines, as 
I call them, are storing all of this information about you and 
using it to build your personality profile, which, as it 
happens, they share with others. And thus, we enter the briar 
patch. From this profile, they determine your personal tastes 
and private characteristics. They inundate you with 
advertisements based on this information. They can spam and 
potentially scam you.
    So, the questions we ask today are: Do consumers know what 
these online practices do? Are they--do they have a sense of 
awareness about this? Do consumers realize that computers are 
tracking what streets they walk on and what websites they 
visit? If they're not, is that important? Do they realize that 
the information they put on their personal websites is being 
shared with third parties? That wouldn't occur to a lot of 
teenagers. And what are consumers getting in exchange for this 
information-sharing, to which they have not given consent? Some 
can argue, ``Well, the fine print is there, and it's not our 
fault that you didn't read it.'' I say that's a 19th-century 
argument, not one suitable for the 21st century or for honest 
relations with customers.
    We must also ask: If consumers fully understand just what 
was being collected and shared about them, what could they do 
to stop it? Is there an opt-out? Is it in fine print? Is it 
visible? Do they have this choice, to stop it? Consumers demand 
the same degree of anonymity on the Internet that they have in 
a shopping mall? Fair question.
    I want to close by emphasizing an important point. The 
consumer I'm concerned about is not a savvy computer whiz kid. 
I'm not talking about a lawyer who reads legalese for a living 
and can delve into fine print of what privacy protections he or 
she is getting. I am talking about ordinary Internet users. I'm 
talking about a 55-year-old coal miner in West Virginia who 
sends an e-mail to his son in college, where he is very proud 
that he is studying. I'm talking about a 30-year-old mother who 
uses her broadband connection to research the best doctor she 
can take her sick toddler to see. I'm talking about a 65-year-
old man who has just signed up for a Facebook account so he can 
view photos of his grandson and reconnect with old friends.
    We have a duty to ask whether these people, and the 
millions of Americans just like them, fully understand and 
associate what information is being collected about them, and 
whether or not they're empowered to stop certain practices from 
taking place.
    We have two terrific panels of witnesses today. I want to 
thank those two chairmen before me, and the others who will 
follow, for spending their time with us.
    Senator Hutchison is not here. This is an extraordinarily 
important hearing--groundbreaking, I hope; and problem solving, 
I hope. So, I would ask any of my colleagues--Senator Warner, 
do you have a statement you would like to make?
    Senator Warner. No comments at this time.
    The Chairman. Absolute silence from the Committee?

                   U.S. SENATOR FROM NEBRASKA

    Senator Johanns. Mr. Chairman, your comments were so good; 
I want to associate myself with them. Most importantly, I want 
to say thank you for conducting this hearing.
    You can see, by the turnout, that obviously people are 
interested in this topic. I don't like the sounds of what you 
describe, just to be very blunt about it. And I am hoping the 
witnesses, as they parade before us, can soothe my fears here 
about how much people know about my background just because I 
choose to use a certain search engine.
    And so, I think maybe it's time to just go to the 
witnesses. But, excellent opening comment.
    The Chairman. I added, with amusement, a comment. My wife 
and I have four children. They're all between 30 and 40 years 
old. They're all really good on the computer. Not as good as 
the two witnesses at the table, but pretty close. And I told 
them about the hearing we were having today. They were shocked, 
``How can you do that? This is the future?'' and, ``These are 
great companies,'' et cetera, et cetera. So, I left my hearing 
book with them, including my statements and the explanations, 
questions and all that kind of thing. And they said, ``Well, 
we're busy right now.'' I said, ``Well, just return it to my 
door before dawn,'' which they did. So, that goes in the 
    The Chairman. Julius Genachowski, do you want to start?


    Mr. Genachowski. I'm happy to.
    Mr. Chairman, members of the Committee, thank you for this 
opportunity to discuss the important issue of consumer privacy.
    Privacy is central to our Nation's values and way of life. 
And the FCC has long worked to protect the privacy of consumers 
who rely on our Nation's communications infrastructure. Privacy 
has deep intrinsic value. It is also critical for promoting 
investment, innovation, and adoption of cutting-edge 
communications technologies that bolster our economy, promote 
our global competitiveness, and improve our daily lives. When 
consumers fear that privacy is at risk, they are less likely to 
use new communications technologies and services.
    The Commission's National Broadband Plan concluded that 
even as consumers learn the benefits of Internet connectivity, 
they are rightly concerned about privacy online. The plan also 
discusses how both consumers and companies can benefit from 
innovative personalized services based on an appropriate use of 
consumer information.
    The plan that's recognized is that promoting both broadband 
and consumer privacy are key to harnessing the opportunities of 
the Internet. Among the Commission's key principles, when it 
comes to privacy, are to ensure that consumers--ordinary 
consumers--are empowered to control how their information is 
used, that providers are transparent about their practices, and 
that personal data is secured in a way that protects consumers, 
including from malicious third parties.
    The Communications Act includes provisions on consumer 
privacy relating to telecommunications carriers, cable and 
satellite companies. And the Commission has extended privacy 
protections to consumers of interconnected voice-over-IP 
    The Commission has been active in enforcing the consumer 
privacy rules under our jurisdiction. In just the last year, 
the Commission took action against nearly 300 companies that 
failed to certify their compliance with our privacy rules, 
actions against these telecommunications carriers that ranged 
from issuing notices of apparent liability to imposing fines.
    The Commission has also adopted rules and worked with the 
Federal Trade Commission to implement the Do Not Call law, to 
protect consumers from unsolicited calls, and has adopted rules 
to prohibit junk faxes. In 2009, the Commission has enforced 
these provisions against over 400 companies. Historically, the 
Commission has also worked with the FTC to prevent pre-texting.
    As telephone and cable companies increasingly provide 
broadband services, they have growing access to significant and 
sensitive consumer information. In this regard, the National 
Broadband Plan reviewed the current regulatory landscape 
regarding online privacy and found that the existing framework, 
in some cases, is confusing and would benefit from increased 
    The Broadband Plan recommended that the FCC work closely on 
these issues with the Federal Trade Commission. I'm pleased to 
report that, as recommended by the Broadband Plan, our agencies 
have formed a joint task force to develop effective and 
coordinated approaches to protecting online privacy.
    We're currently working together on education and 
transparency initiatives to help inform and empower consumers. 
The FCC is a leading member of OnGuard Online, a coalition of 
private and private--public and private organizations, 
spearheaded by the FTC, that provides advice to consumers on 
protecting their personal information. The FTC has shown 
consistent leadership here.
    And, as part of the FCC's focus on consumers, the agency 
is, today, launching a new online consumer help center. This 
website will allow consumers to easily access the many 
resources that the FCC has developed to help consumers, 
including with respect to privacy issues, such as a consumer-
friendly system for filing complaints; and news, information, 
and advice for consumers.
    The National Broadband Plan also emphasized that our 
networks are vulnerable to cyber attacks that can expose 
personal information. In this regard, the FCC recently began an 
inquiry on the merits of establishing a certification program 
for cybersecurity standards and best practices as part of its 
work on privacy and security.
    As we continue to move forward in online privacy, security, 
and other vital issues, it is important that uncertainties in 
the regulatory framework be resolved. What matters most is the 
consumer. I look forward to working with the Committee on these 
issues. And I look forward to your questions.
    [The prepared statement of Mr. Genachowski follows:]

       Prepared Statement of Hon. Julius Genachowski, Chairman, 
                   Federal Communications Commission

    Mr. Chairman, Ranking Member Hutchison, members of the Committee, 
thank you for this opportunity to discuss the important issue of 
consumer privacy.
    The right to privacy is central to our Nation's values and way of 
life, and the Federal Communications Commission has long worked to 
implement Congress's directive to protect the privacy of consumers who 
rely on our Nation's communications infrastructure.
    The Commission also recognizes that privacy has more than intrinsic 
value: it is critical for promoting investment, innovation, and 
adoption of cutting edge communications technologies and services that 
bolster our economy, promote our global competitiveness, and improve 
our daily lives. When consumers fear that their privacy is at risk, 
they are less likely to use new means of communication.
    As the National Broadband Plan that the FCC sent to Congress in 
March recognizes, even as consumers learn the benefits of Internet 
connectivity, they are rightly concerned about their privacy online. 
Consumers are concerned about third parties having access to, and 
potentially misusing, sensitive information about their online 
activities, including website visits and searches, e-mail messages, 
geographic location, health records, energy usage, and purchasing 
    At the same time, the National Broadband Plan explains that both 
consumers and companies can benefit from innovative personalized 
services based on an appropriate use of consumer information. In the 
digital economy, digital identities can potentially be beneficial, if 
consumers are empowered and private information is safeguarded.
    The Plan thus recognizes that promoting both broadband and privacy 
are key to harnessing the opportunities of the Internet.
    The Commission's overarching goals when it comes to privacy are to 
ensure that consumers are empowered to control how their information is 
used; that providers are transparent about their practices; and that 
personal data is handled in a way that protects consumers, including 
from malicious third parties. In some respects the Internet presents 
unique privacy challenges, but these principles remain the starting 
point for protecting consumer privacy.
    The Communications Act includes several key provisions on consumer 
privacy. Section 222, for example, requires telecommunications carriers 
to safeguard information about who consumers communicate with, the 
length of time they spend using the network, and their location when 
they use wired or wireless services. Sections 338 and 631 provide 
corresponding protections for users of services provided over cable and 
satellite systems. The Commission has formed an internal working group 
to coordinate the work of its bureaus and offices as they develop 
policies and take enforcement action under these provisions.
    The Commission has adopted strong rules to protect consumers of 
traditional services, and has extended protections to consumers of 
interconnected Voice over IP services. In just the last year, the 
Commission has taken action against nearly 300 companies that failed to 
file timely certifications of their compliance with these rules, 
including issuing thirteen notices of apparent liability to repeat 
offenders who failed to file timely certifications for two consecutive 
years. The FCC also issued an Enforcement Advisory reminding companies 
of their obligation to file an annual certification of compliance with 
the CPNI rules, and settled an investigation into one carrier's privacy 
rule violations. The settlement includes a fine and a compliance plan 
designed to prevent future violations.
    In addition, implementing the important ``Do Not Call'' provisions 
of the Communications Act, the Commission has worked with the FTC to 
protect consumers from unsolicited calls, and has adopted rules to 
prohibit junk faxes. Since 2009, the Commission has enforced these 
provisions against over 400 companies. Among other actions, the FCC has 
issued 14 forfeiture orders. The Commission has also collaborated with 
the FTC to prevent pre-texting, the practice whereby third parties 
attempt to gain unauthorized access to telephone subscribers' personal 
    As telephone and cable companies increasingly provide Internet 
access services, they continue to have access to significant and 
sensitive consumer information regarding customers' Internet 
communications. The networks operated by Internet service providers are 
a conduit for their customers' Internet communications, and providers' 
failure to properly protect consumers' account information can result 
in the unintended disclosure of personal data to third parties.
    The National Broadband Plan reviewed the current regulatory 
landscape regarding online privacy, and found that the existing 
framework in some cases is confusing and would benefit from increased 
    The Broadband Plan recommended that the FCC work closely on these 
issues with the Federal Trade Commission, which has strong expertise on 
online privacy. I am pleased to report that, as recommended by the 
Broadband Plan, our agencies have formed a Joint Task Force to develop 
innovative, effective and coordinated approaches to protecting online 
    We are currently working together on education and transparency 
initiatives to help inform and empower consumers in connection with 
online privacy. We are also working on strategies to help educate 
consumers with wireless home networks about the need to adopt 
encryption or other security protections to safeguard their 
    In addition, the FCC is a leading member of OnGuard Online, a 
coalition of public and private organizations spearheaded by the FTC 
that provides advice to consumers on protecting their personal 
information, guarding against Internet fraud, and protecting children's 
privacy online. Several months ago, I was pleased to join Chairman 
Leibowitz and Secretary of Education Arne Duncan to unveil Net Cetera, 
a guide for parents that covers a variety of issues that children face 
growing up in an increasingly digital world, including privacy.
    And as part of its focus on consumers, the FCC is today launching a 
new online Consumer Help Center. This website will allow consumers to 
easily access the many resources that the FCC has developed to help 
consumers, including a consumer-friendly system for filing complaints; 
news about our major consumer initiatives; and tips and advisories.
    The National Broadband Plan emphasized that the vulnerability of 
our communications networks to malicious attack--including malware and 
other attacks that can expose personal information--is a vital issue 
that is appropriately receiving broader and more focused attention. 
This October, the Commission will work closely with the FTC and other 
Federal agencies to launch a consumer education campaign for National 
Cybersecurity Awareness Month.
    The FCC recently began an inquiry into whether we should establish 
a certification program under which service providers could be 
certified for their compliance with specific cybersecurity standards 
and best practices.
    As we move forward on online privacy, cybersecurity, and other 
vital issues, it is important that uncertainties in the regulatory 
framework be resolved. I look forward to working with the Committee on 
these issues.
    And I look forward to your questions.

    The Chairman. Thank you very much.
    Jon Leibowitz.

                        TRADE COMMISSION

    Mr. Leibowitz. Thank you. Thank you, Mr. Chairman, Senator 
Kerry, Senator Warner, Senator Thune, Senator LeMieux, Senator 
Johanns. I appreciate the opportunity to be here at this, the 
first full Committee privacy hearing in the Commerce Committee.
    And let me begin by thanking you, Mr. Chairman and, really, 
this entire committee, for your support in protecting the FTC's 
jurisdiction to stop predatory financial practices as part of 
the financial reform legislation.
    Let me also note how pleased I am to be here with my friend 
and colleague Julius Genachowski.
    Consumer privacy has been a key FTC priority for the past 
two decades. Our privacy program operates on two main tracks: 
enforcement and policy development.
    On the enforcement front, one of our most successful 
privacy initiatives has been the ``Do Not Call Registry,'' 
which has given Americans some peace and quiet during their 
dinner hour, and which the humorous Dave Barry called, ``The 
most successful government program since the Elvis stamp.'' We 
vigorously enforce the requirements of the registry. We brought 
more than 64 actions alleging violations of the ``Do Not Call'' 
rule. And, just this month, the Do Not Call Registry surpassed 
200 million telephone numbers--200 million. We think that might 
make us almost as popular, perhaps even more popular, than the 
Elvis stamp.
    Another enforcement priority is data security, where we 
have brought dozens of cases. Just today, we announced our 
latest data security case, this one against Rite Aid. Our 
complaint alleges that Rite Aid violated FTC Act by, among 
other things, throwing away personal, private health 
information, financial information, and employment records into 
open dumpsters, where anyone could find them and take what they 
wanted. Our order requires Rite Aid to maintain reasonable data 
security and independent security audits every 2 years for the 
next 20 years. Rite Aid has also agreed to pay a million 
dollars to resolve HHS allegations that it violated HIPAA.
    Let me now turn to policy development. Over the years, 
we've hosted workshops, we've issued reports, and encouraged 
self-regulation on privacy issues. For example, last year we 
released a report setting forth principles to guide self-
regulatory efforts in the area of behavioral advertising. The 
report was a catalyst for a number of private-sector 
initiatives. And, while these initiatives are in their 
formative stages, they are encouraging.
    More broadly, over the last few months we've hosted a 
series of roundtables examining consumer privacy in light of 
changing technologies and business models, including social 
networking, cloud computing, and mobile devices. We intend to 
release a public report on the roundtables, later this year, 
containing additional recommendations in three main areas:
    First, many roundtable participants stated that companies 
should begin to bake in, or incorporate, privacy protections 
into their everyday business practices, such as reasonable 
security and data accuracy. This is sometimes known as 
``privacy by design.'' We'd like to further explore how to 
encourage companies to implement this concept.
    Second, the FTC is considering how to simplify the privacy 
choices presented to consumers. One way would be to recognize 
that consent may not be needed for certain commonly accepted 
business practices. So, for example, it may be unnecessary, and 
even distracting, to ask a consumer to consent to sharing his 
or her address information with a shipping company for purposes 
of shipping a product, like a book from Amazon that he or she 
may have requested. By eliminating the need for choice for 
these practices, consumers can focus on the choices that really 
    Another way to simplify choice is to present it at a time 
and place when the consumer is making a decision about his or 
her data, rather than a long, small-print, difficult-to-read, 
multiple-clicks-away privacy policy. It may also be useful to 
have some consistency and simplicity in the way that choices 
are presented so that consumers aren't constantly bombarded 
with having to make choices.
    To this end, one idea we may explore, in the context of 
behavioral advertising, is a Do Not Track mechanism that's more 
comprehensive and easier to use than the procedures currently 
available, usually through a browser. Under such a mechanism 
consumers could opt-out of behavioral advertising more easily, 
rather than having to make choices on a web-site-by-web-site 
    Third idea from the roundtables involves increasing 
transparency about privacy. For example, privacy policies could 
use standard formats so that consumers could compare privacy 
protections offered by different companies, and companies could 
sort of compete on their ability to protect privacy. The 
Commission is also considering how to best improve transparency 
in the data broker industry.
    One final item before I conclude. We have a long history of 
working cooperatively with the FCC, including, most recently, 
on the net neutrality proceedings in National Broadband Plan. 
In connection with that work, we're, today, announcing a joint 
FCC/FTC task force to implement the privacy recommendations of 
the National Broadband Plan. But, to further our ability to 
work together, we renew our longstanding request to repeal the 
anachronistic common-carrier exemption in the FTC Act. Repeal 
of the common-carrier exemption would not affect the FCC's 
ability to protect consumers, but it would ensure that both 
agencies are able to work collaboratively to best protect 
    Let me thank you for the opportunity to appear here today. 
We look forward to working with this committee, and are happy 
to take questions.
    [The prepared statement of Mr. Leibowitz follows:]

      Prepared Statement of Hon. Jonathan D. Leibowitz, Chairman, 
                        Federal Trade Commission

    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, I am Jon Leibowitz, Chairman of the Federal Trade Commission 
(``FTC'' or ``Commission''). I appreciate the opportunity to present 
the Commission's testimony on privacy.\1\
    \1\ This written statement represents the views of the Federal 
Trade Commission. My oral presentation and responses are my own and do 
not necessarily reflect the views of the Commission or of any 
    Privacy has been central to the Commission's consumer protection 
mission for more than a decade. Over the years, the Commission has 
employed a variety of strategies to protect consumer privacy, including 
law enforcement, regulation, outreach to consumers and businesses, and 
policy initiatives.\2\ In 2006, recognizing the increasing importance 
of privacy to consumers and a healthy marketplace, the FTC established 
the Division of Privacy and Identity Protection, which is devoted 
exclusively to privacy-related issues.\3\
    \2\ Information on the FTC's privacy initiatives generally may be 
found at http://www.ftc.gov/privacy/index.html.
    \3\ Prior to 2006, the Commission's Division of Financial Practices 
worked on privacy issues in addition to enforcing laws related to 
mortgage transactions, debt servicing, debt collection, fair lending, 
and payday lending. A different division was responsible for identity 
    Although the FTC's commitment to consumer privacy has remained 
constant, its policy approaches have evolved over time. This testimony 
describes the Commission's efforts to protect consumer privacy over the 
past two decades, including its two main policy approaches: (1) 
promoting the fair information practices of notice, choice, access, and 
security (the ``FTC Fair Information Practices approach''); and (2) 
protecting consumers from specific and tangible privacy harms (the 
``harm-based approach''). It then discusses recent developments, 
including the FTC staff's Privacy Roundtables project--a major 
initiative to re-examine traditional approaches to privacy protection 
in light of new technologies and business models. Next, it sets forth 
some preliminary suggestions for moving forward on consumer privacy 
issues. It concludes by discussing our proposal to repeal the common 
carrier exemption for telecommunications providers.
I. The FTC's Efforts to Protect Consumer Privacy
    The FTC has a long track record of protecting consumer privacy. The 
Commission's early work on privacy issues dates back to its initial 
implementation in 1970 of the Fair Credit Reporting Act (``FCRA''),\4\ 
which includes provisions to promote the accuracy of credit reporting 
information and protect the privacy of that information. With the 
emergence of the Internet and the growth of electronic commerce 
beginning in the mid-1990s, the FTC expanded its focus to include 
online privacy issues. Since then, both online and offline privacy 
issues have been at the forefront of the Commission's agenda, as 
discussed in greater detail below.
    \4\ 15 U.S.C.  1681e-i.
A. The FTC's Fair Information Practices Approach
    Beginning in the mid-1990s, the FTC began addressing consumer 
concerns about the privacy of personal information provided in 
connection with online transactions. The Commission developed an 
approach by building on earlier initiatives outlining the ``Fair 
Information Practice Principles,'' which embodied the important 
underlying concepts of transparency, consumer autonomy, and 
accountability.\5\ In developing its approach, the FTC reviewed a 
series of reports, guidelines, and model codes regarding privacy 
practices issued since the mid-1970s by government agencies in the 
United States, Canada, and Europe. From this work, the FTC identified 
four widely accepted principles as the basis of its own Fair 
Information Practices approach: (1) businesses should provide notice of 
what information they collect from consumers and how they use it; (2) 
consumers should be given choices about how information collected from 
them may be used; (3) consumers should be able to access data collected 
about them; and (4) businesses should take reasonable steps to ensure 
the security of the information they collect from consumers. The 
Commission also identified enforcement--the use of a reliable mechanism 
to impose sanctions for noncompliance with the fair information 
principles--as a critical component of any self-regulatory program to 
ensure privacy online.\6\
    \5\ This work included the Department of Health, Education, and 
Welfare's 1973 report, Records, Computers, and the Rights of Citizens, 
available at http://aspe.hhs.gov/datacncl/1973privacy/c7.htm, and the 
Organisation for Economic Cooperation and Development's 1980 Guidelines 
on the Protection of Privacy and Transborder Flows of Personal Data, 
available at http://www.oecd.org/document/18/
    \6\ See Federal Trade Commission, Privacy Online: A Report to 
Congress (June 1998), available at http://www.ftc.gov/reports/privacy3/
    To evaluate industry's compliance with these principles, the 
Commission examined website information practices and disclosures; 
conducted surveys of online privacy policies, commented on self-
regulatory efforts, and issued reports to Congress. In 2000, the 
Commission reported to Congress that, although there had been 
improvement in industry self-regulatory efforts to develop and post 
privacy policies online, approximately one-quarter of the privacy 
policies surveyed addressed the four fair information practice 
principles of notice, choice, access, and security.\7\ A majority of 
the Commission concluded that legislation requiring online businesses 
to comply with these principles, in conjunction with self-regulation, 
would allow the electronic marketplace to reach its full potential and 
give consumers the confidence they need to participate fully in that 
    \7\ See Federal Trade Commission, Privacy Online: Fair Information 
Practices in the Electronic Marketplace (May 2000) at 13-14, available 
at http://www.ftc.gov/reports/privacy2000/privacy2000.pdf.
    \8\ Id. at 36-38.
    Although Congress did not pass the legislation recommended by the 
Commission, the Commission's efforts during this time, particularly its 
surveys, reports, and workshops, were widely credited with raising 
public awareness about privacy and leading companies to post privacy 
policies for the first time.\9\ The Commission also encouraged self-
regulatory efforts designed to benefit consumers, such as the 
development of best practices, improvements in privacy-enhancing 
technologies, and the creation of online privacy certification 
    \9\ In 1999, Congress also passed the Gramm-Leach Bliley-Act, 15 
U.S.C.  6821-27, requiring all financial institutions to provide 
notice of their data practices and choice for sharing data with third 
    The Commission also brought law enforcement actions to hold 
companies accountable for their privacy statements and practices. In 
February 1999, for example, the Commission alleged that GeoCities, one 
of the most visited websites at the time, had misrepresented the 
purposes for which it was collecting personal information from both 
children and adults.\10\ In 2000, the Commission challenged a website's 
attempts to sell personal customer information, despite the 
representation in its privacy policy that such information would never 
be disclosed to a third party.\11\ These cases stressed the importance 
of keeping promises about the use of consumer information and 
demonstrated the Commission's commitment to protecting online privacy.
    \10\ In the Matter of GeoCities, Inc., FTC Docket No. C-3850 (Feb. 
5 1999) (consent order).
    \11\ FTC v. Toysmart.com LLC, 00-CV-11341-RGS (D. Mass. filed July 
10, 2000). See also In the Matter of Liberty Fin. Cos., FTC Docket No. 
C-3891 (Aug. 12, 1999) (consent order) (alleging that site falsely 
represented that personal information collected from children, 
including information about family finances, would be maintained 
anonymously); FTC v. ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 
10, 2000) (consent order) (alleging that online auction site obtained 
consumer data from competitor site and then sent deceptive, unsolicited 
e-mail messages to those consumers seeking their business); FTC v. 
Rennert, No. CV-S-00-0861-JBR (D. Nev. July 24, 2000) (consent order) 
(alleging that defendants misrepresented their security practices and 
how they would use consumer information); In the Matter of Educ. 
Research Ctr. of Am., Inc., FTC Docket No. C-4079 (May 6, 2003) 
(consent order) (alleging that personal data collected from students 
for educational purposes was sold to commercial marketers); In the 
Matter of The Nat'l Research Ctr. for College & Univ. Admissions, FTC 
Docket No. C-4071 (June 28, 2003) (consent order) (same); In the Matter 
of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004) 
(consent order) (alleging that company rented customer information to 
list brokers in violation of its privacy policy); In the Matter of 
Vision I Properties, LLC, FTC Docket No. C-4135 (Apr. 19, 2005) 
(consent order) (alleging that a service provider disclosed customer 
information in violation of merchant privacy policies).
B. The Harm-Based Approach
    In the early 2000s, the FTC de-emphasized its fair information 
practices approach as the primary means of addressing privacy issues, 
and shifted its focus to a ``harm-based approach'' for protecting 
consumer privacy. The approach was designed to target harmful uses of 
information--those presenting risks to physical security or economic 
injury, or causing unwarranted intrusions in our daily lives--rather 
than imposing costly notice and choice for all uses of information.\12\ 
The Commission's privacy agenda began to focus primarily on: (1) data 
security enforcement; (2) identity theft; (3) children's privacy; and 
(4) protecting consumers from spam, spyware, and telemarketing.
    \12\ See, e.g., Speech of Timothy J. Muris, Protecting Consumers' 
Privacy: 2002 and Beyond, Cleveland, Ohio, Oct. 4, 2001, available at 
1. Data Security Enforcement
    Maintaining and promoting data security in the private sector has 
been a key component of the FTC's privacy agenda. Through its 
substantial record of enforcement actions, the FTC has emphasized the 
importance of maintaining reasonable security for consumer data, so 
that it does not fall into the hands of identity thieves and other 
    The FTC enforces several laws with data security requirements. The 
Commission's Safeguards Rule under the Gramm-Leach-Bliley Act, for 
example, contains data security requirements for financial 
institutions.\13\ The FCRA requires consumer reporting agencies to use 
reasonable procedures to ensure that the entities to which they 
disclose sensitive consumer information have a permissible purpose for 
receiving that information,\14\ and imposes safe disposal obligations 
on entities that maintain consumer report information.\15\ In addition, 
the Commission enforces the FTC Act's prohibition against unfair or 
deceptive acts or practices in cases where a business makes false or 
misleading claims about its data security procedures, or where its 
failure to employ reasonable security measures causes or is likely to 
cause substantial consumer injury.\16\
    \13\ 16 C.F.R. Part 314, implementing 15 U.S.C.  6801(b). The 
Federal Deposit Insurance Corporation, National Credit Union 
Administration, Securities and Exchange Commission, Office of the 
Comptroller of the Currency, Board of Governors of the Federal Reserve 
System, Office of Thrift Supervision, Secretary of the Treasury, and 
state insurance authorities have promulgated comparable safeguards 
requirements for the entities they regulate.
    \14\ 15 U.S.C.  1681e.
    \15\ Id., 1681w. The FTC's implementing rule is at 16 C.F.R. Part 
    \16\ 15 U.S.C.  45(a). See, e.g., In the Matter of Microsoft 
Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (consent order) (alleging 
deception); In the Matter of BJ's Wholesale Club, Inc., FTC Docket No. 
C-4148 (Sept. 20, 2005) (consent order) (alleging unfairness).
    Since 2001, the Commission has used its authority under these laws 
to bring 29 cases alleging that businesses failed to protect consumers' 
personal information.\17\ The FTC's early enforcement actions in this 
area addressed deceptive privacy statements--that is, the failure of 
companies to adhere to the promises they made to consumers regarding 
the security of their personal information.\18\ Since 2005, the 
Commission has also alleged, in appropriate cases, that the failure to 
maintain reasonable security is an ``unfair'' practice that violates 
the FTC Act.\19\
    \17\ See In the Matter of Twitter, Inc., FTC File No. 092 3093 
(June 24, 2010) (consent order approved for public comment); In the 
Matter of Dave & Buster's, Inc., FTC Docket No. C-4291(Jun. 8, 2010) 
(consent order); FTC v. LifeLock, Inc., No. 2:10-cv-00530-NVW (D. Ariz. 
final order filed Mar. 15. 2010); United States v. ChoicePoint, Inc., 
No. 1:06-CV-0198-JTC (N.D. Ga. final order filed Oct. 14, 2009); In the 
Matter of James B. Nutter & Co., FTC Docket No. C-4258 (June 12, 2009) 
(consent order); United States v. Rental Research Servs., Inc., No. 
0:09-CV-00524 (D. Minn. final order filed Mar. 6, 2009); FTC v. Navone, 
No. 2:08-CV-001842 (D. Nev. final order filed Dec. 30, 2009); United 
States v. ValueClick, Inc., No. 2:08-CV-01711 (C.D. Cal. final order 
Mar. 17, 2008); United States v. American United Mortgage, No. 1:07-CV-
07064 (N.D. Ill. final order filed Jan. 28, 2008); In the Matter of CVS 
Caremark Corp., FTC Docket No. C-4259 (Jun. 18, 2009) (consent order); 
In the Matter of Genica Corp., FTC Docket No. C-4252 (Mar. 16, 2009) 
(consent order); In the Matter of Premier Capital Lending, Inc., FTC 
Docket No. C-4241 (Dec. 10, 2008) (consent order); In the Matter of The 
TJX Cos., FTC Docket No. C-4227 (July 29, 2008) (consent order); In the 
Matter of Reed Elsevier Inc., FTC Docket No. C-4226 (July 29, 2008) 
(consent order); In the Matter of Life is good, Inc., FTC Docket No. C-
4218 (Apr. 16, 2008) (consent order); In the Matter of Goal Fin., LLC, 
FTC Docket No. C-4216 (Apr. 9, 2008) (consent order); In the Matter of 
Guidance Software, Inc., FTC Docket No. C-4187 (Mar. 30, 2007) (consent 
order); In the Matter of CardSystems Solutions, Inc., FTC Docket No. C-
4168 (Sept. 5, 2006) (consent order); In the Matter of Nations Title 
Agency, Inc., FTC Docket No. C-4161 (June 19, 2006) (consent order); In 
the Matter of DSW, Inc., FTC Docket No. C-4157 (Mar. 7, 2006) (consent 
order); In the Matter of Superior Mortgage Corp., FTC Docket No. C-4153 
(Dec. 14, 2005) (consent order); In the Matter of BJ's Wholesale Club, 
Inc., FTC Docket No. C-4148 (Sept. 20, 2005) (consent order); In the 
Matter of Nationwide Mortgage Group, Inc., FTC Docket No. C-9319 (Apr. 
12, 2005) (consent order); In the Matter of Petco Animal Supplies, 
Inc., FTC Docket No. C-4133 (Mar. 4, 2005) (consent order); In the 
Matter of Sunbelt Lending Servs., Inc., FTC Docket No. C-4129 (Jan. 3, 
2005) (consent order); In the Matter of MTS Inc., FTC Docket No. C-4110 
(May 28, 2004) (consent order); In the Matter of Guess?, Inc., FTC 
Docket No. C-4091 (July 30, 2003) (consent order); In the Matter of 
Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (consent order).
    \18\ See In the Matter of Guidance Software, Inc., FTC Docket No. 
C-4187 (Mar. 30, 2007) (consent order); In the Matter of Petco Animal 
Supplies, Inc., FTC Docket No. C-4133 (Mar. 4, 2005) (consent order); 
In the Matter of Guess?, Inc., FTC Docket No. C-4091 (July 30, 2003) 
(consent order); In the Matter of Microsoft Corp., FTC Docket No. C-
4069 (Dec. 20, 2002) (consent order).
    \19\ See In the Matter of BJ's Wholesale Club, Inc., File No. 042 
3160 (Sept. 20, 2005) (consent order).
    These cases, against well-known companies such as Microsoft, 
ChoicePoint, CVS, LexisNexis, and more recently, Twitter, have involved 
such practices as the alleged failure to: (1) comply with posted 
privacy policies; \20\ (2) take even the most basic steps to protect 
against common technology threats; \21\ (3) dispose of data safely; 
\22\ and (4) take reasonable steps to guard against sharing customer 
data with unauthorized third parties.\23\ In each case, the Commission 
obtained significant relief, including requiring the companies to 
implement a comprehensive information security program and obtain 
regular third-party assessments of the effectiveness of that 
program.\24\ In some cases, the Commission also obtained substantial 
monetary penalties or relief.\25\ The Commission's robust enforcement 
actions have sent a strong signal to industry about the importance of 
data security, while providing guidance about how to accomplish this 
    \20\See, e.g., In the Matter of Premier Capital Lending, Inc., FTC 
Docket No. C-4241 (Dec. 10, 2008) (consent order); In the Matter of 
Life is good, Inc., FTC Docket No. C-4218 (Apr. 16, 2008) (consent 
order); In the Matter of Petco Animal Supplies, Inc., FTC Docket No. C-
4133 (Mar. 4, 2005) (consent order); In the Matter of MTS Inc., FTC 
Docket No. C-4110 (May 28, 2004) (consent order); In the Matter of 
Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (consent order).
    \21\ See, e.g., In the Matter of Twitter, Inc., FTC File No. 092 
3093 (June 24, 2010) (consent order approved for public comment); In 
the Matter of The TJX Cos., FTC Docket No. C-4227 (July 29, 2008) 
(consent order); In the Matter of Reed Elsevier, Inc., FTC Docket No. 
C4226 (July 29, 2008) (consent order).
    \22\ See, e.g., FTC v. Navone, No. 2:08-CV-001842 (final order 
filed D. Nev. Dec. 30, 2009); United States v. American United 
Mortgage, No. 1:07-CV-07064 (N.D. Ill. final order filed Jan. 28, 
2008); In the Matter of CVS Caremark Corp., FTC Docket No. C-4259 (June 
18, 2009).
    \23\ See, e.g., United States v. Rental Research Servs., No. 09 CV 
524 (D. Minn. final order filed Mar. 6, 2009); United States v. 
ChoicePoint, Inc., No. 1:06-CV-0198 (final order filed N.D. Ga. Oct. 
14, 2009).
    \24\ In addition, beginning with the CVS case announced last year, 
the Commission has begun to challenge the reasonableness of security 
measures to protect employee data, in addition to customer data. See, 
e.g., In the Matter of CVS Caremark Corp., FTC Docket No. C-4259 (Jun. 
18, 2009) (consent order).
    \25\ See, e.g., FTC v. Navone, No. 2:08-CV-001842 (D. Nev. final 
order Dec. 29, 2009); United States v. ChoicePoint, Inc., No. 1:06-CV-
0198 (final order filed N.D. Ga. Oct. 14, 2009).
    \26\ Developments in state law have also played a major role in 
data security. The passage of state data breach notification laws 
beginning in 2003 required increased transparency for companies that 
had suffered data breaches and thus further enhanced the Commission's 
data security enforcement efforts. See, e.g., Cal. Civ. Code  
1798.29, 1798.82-1789.84 (West 2003).
2. Identity Theft
    Another important part of the Commission's privacy agenda has been 
protecting consumers from identity theft, which victimizes millions of 
consumers every year. In 1998, Congress enacted the Identity Theft 
Assumption and Deterrence Act (``the Act''), which provided the FTC 
with a specific role in combating identity theft.\27\ To fulfill the 
Act's mandate, the Commission created a telephone hotline and dedicated 
website to collect complaints and assist victims, through which 
approximately 20,000 consumers contact the FTC every week. The FTC also 
maintains and promotes a centralized database of victim complaints that 
serves as an investigative tool for over 1,700 law enforcement 
    \27\ 18 U.S.C.  1028 note.
    The Commission also played a lead role in the President's Identity 
Theft Task Force (``Task Force''). The Task Force, comprised of 17 
Federal agencies and co-chaired by the FTC's Chairman, was established 
by President Bush in May 2006 to develop a comprehensive national 
strategy to combat identity theft.\28\ In April 2007, the Task Force 
published its national strategy, recommending 31 initiatives to reduce 
the incidence and impact of identity theft.\29\ The FTC, along with the 
other Task Force agencies, has been actively implementing these 
initiatives and submitted a final report in September 2008.\30\ Among 
other things, the Commission has trained victim assistance counselors, 
Federal and state prosecutors, and law enforcement officials; developed 
and published an Identity Theft Victim Statement of Rights; and worked 
closely with the American Bar Association on a pro bono legal 
assistance program for identity theft victims.
    \28\ Exec. Order No. 13,402, 71 Fed. Reg. 27,945 (May 15, 2006).
    \29\ See The President's Identity Theft Task Force, Combating 
Identity Theft: A Strategic Plan (2007), available at http://
www.idtheft.gov/reports/StrategicPlan.pdf (recommending that key 
agencies work together to combat identity theft by strengthening law 
enforcement, educating consumers and businesses, and increasing the 
safeguards employed by Federal agencies and the private sector to 
protect personal data).
    \30\ See The President's Identity Theft Task Force Report (2008), 
available at http://www.idtheft.gov/reports/IDTReport2008.pdf.
    Finally, the Commission has worked to implement the identity theft 
protections of the Fair and Accurate Credit Transactions Act of 2003 
(the ``FACT Act'').\31\ Among other things, the FTC has acted 
aggressively to enforce consumers' right under the FACT Act to receive 
a free credit report every twelve months from each of the nationwide 
consumer reporting agencies, so they can spot incipient signs of 
identity theft. For example, the Commission has brought action against 
a company offering a so-called ``free'' credit report that was actually 
tied to the purchase of a credit monitoring service.\32\
    \31\ Pub. L. 108-159 (2003).
    \32\ FTC v. Consumerinfo.com, Inc., SACV05-801AHS(MLGx) (C.D. Cal. 
final order filed Jan. 8, 2007).
    To provide further clarity to consumers, Congress recently enacted 
legislation requiring entities that advertise ``free'' credit reports 
to disclose that such reports are available pursuant to Federal law at 
www.annualcreditreport.com. See Pub. L. 111-24, codified at 15 U.S.C. 
1681j(g). The FTC has promulgated a rule to implement this requirement, 
16 C.F.R.  610, and announced last week that it issued eighteen 
warning letters to companies alleging failures to comply with the rule.
3. Children's Privacy
    The Commission has also undertaken an aggressive agenda to protect 
children's privacy. Since the enactment of the Children's Online 
Privacy Protection Act in 1998 (``COPPA'') and its implementing 
rule,\33\ the FTC has brought 15 actions against website operators that 
collect information from children without first obtaining their 
parents' consent. Through these actions, the FTC has obtained more than 
$3.2 million in civil penalties.\34\ The Commission is currently 
conducting a comprehensive review of its COPPA Rule in light of 
changing technology, such as the increased use of mobile devices to 
access the Internet.\35\
    \33\ 15 U.S.C.  6501-6508; 16 C.F.R. Part 312.
    \34\ For a list of the FTC's COPPA cases, see http://www.ftc.gov/
    \35\ In spring 2010, the FTC announced it was seeking comment on a 
broad array of issues as part of its review of the COPPA Rule. See 
4. Unwarranted Intrusions
    The Commission has also acted to protect consumers from unwarranted 
intrusions into their daily lives, particularly in the areas of 
unwanted telemarketing calls, spam, and spyware. Perhaps the 
Commission's most well-known privacy initiative is the Do Not Call 
Registry, which has been an unqualified success. The Commission 
vigorously enforces the requirements of the Registry to ensure its 
ongoing effectiveness. The FTC has brought 64 actions alleging 
violations of the Do Not Call Rule. These actions have resulted in 
$39.9 million in civil penalties and $17.7 million in consumer redress 
or disgorgement. During the past year, the Commission has filed several 
new actions that attack the use of harassing ``robocalls''--the 
automated delivery of prerecorded messages--to deliver deceptive 
telemarketing pitches that promise consumers extended auto warranties 
and credit card interest rate reduction services.\36\
    \36\ See, e.g., FTC v. Asia-Pacific Telecom, Inc., No. 10 CV 3168 
(N.D. Ill., filed May 24, 2010).
    In addition, since the enactment of the CAN-SPAM Act in 2003,\37\ 
the Commission has brought dozens of law enforcement actions 
challenging spam, including cases involving deceptive spam, failure to 
honor opt-out requests, and failure to comply with requirements for 
adult labeling of spam messages.\38\ For example, in June 2009, the FTC 
moved quickly to shut down a rogue Internet Service Provider (``ISP'') 
that knowingly hosted and actively participated in the distribution of 
illegal spam, child pornography, and other harmful electronic content. 
The FTC complaint alleged that the defendant actively recruited and 
colluded with criminals seeking to distribute illegal, malicious, and 
harmful electronic content.\39\ After the Commission shut down this 
ISP, there was a temporary 30 percent drop in spam worldwide.\40\ 
Finally, since 2004, the Commission has brought 15 spyware cases, 
targeting programs foisting voluminous pop-up ads on consumers and 
subjecting them to nefarious programs that track their keystrokes and 
online activities.\41\
    \37\ 15 U.S.C.  7701-7713.
    \38\ Detailed information regarding these actions is available at 
    \39\ FTC v. Pricewert, LLC, No. 09-CV-2407 (N.D. Cal. final order 
issued Apr. 4, 2010).
    \40\ See Official Google Enterprise Blog, Q2 2009 Spam Trends, 
available at http://googleenterprise.blogspot.com/2009/07/q2-2009-spam-
    \41\ Detailed information regarding each of these law enforcement 
actions is available at http://www.ftc.gov/bcp/edu/microsites/spyware/
C. Ongoing Outreach and Policy Initiatives
    While the Commission's consumer privacy models have evolved 
throughout the years, its activities in a number of areas have remained 
constant. In addition to enforcement, these include consumer and 
business education, research and policymaking on emerging technology 
issues, and international outreach.
1. Consumer and Business Education
    The FTC has done pioneering outreach to business and consumers, 
particularly in the area of consumer privacy and data security. The 
Commission's well-known OnGuard Online website educates consumers about 
threats such as spyware, phishing, laptop security, and identity 
theft.\42\ The FTC also developed a guide to help small and medium-
sized businesses implement appropriate data security for the personal 
information they collect and maintain.\43\
    \42\ See http://www.onguardonline.gov. Since its launch in 2005, 
OnGuard Online and its Spanish-language counterpart Alertaena L!nea 
have attracted nearly 12 million unique visits.
    \43\ See Protecting Personal Information: A Guide For Business, 
available at http://www.ftc.gov/infosecurity.
    The FTC has also developed resources specifically for children, 
parents, and teachers to help kids stay safe online. In response to the 
Broadband Data Improvement Act of 2008, the FTC produced the brochure 
Net Cetera: Chatting with Kids About Being Online to give adults 
practical tips to help children navigate the online world.\44\ In less 
than 10 months, the Commission already has distributed more than 3.8 
million copies of its Net Cetera brochure to schools and communities 
nationwide. The Commission also offers specific guidance for certain 
types of Internet services, including, for example, social networking 
and peer-to-peer file sharing.\45\ In addition, the Commission recently 
launched Admongo.gov, a campaign to help kids better understand the ads 
they see online and offline.\46\
    \44\ See FTC Press Release, OnGuardOnline.gov Off to a Fast Start 
with Online Child Safety Campaign (Mar. 31, 2010), available at http://
    \45\ See http://www.onguardonline.gov/topics/social-networking-
    \46\ See FTC Press Release, FTC Helps Prepare Kids for a World 
Where Advertising is Everywhere (Apr. 28, 2010), available at http://
2. Research and Policymaking on Emerging Technology Issues
    Over the past two decades, the Commission has hosted numerous 
workshops to examine the implications of new technologies on privacy, 
including forums on spam, spyware, radio-frequency identification 
(RFID), mobile marketing, contactless payment, peer-to-peer file 
sharing, and online behavioral advertising. These workshops often spur 
innovation and self-regulatory efforts. For example, the FTC has been 
assessing the privacy implications of online behavioral advertising for 
several years. In February 2009, the Commission staff released a report 
that set forth several principles to guide self-regulatory efforts in 
this area: (1) transparency and consumer control; (2) reasonable 
security and limited retention for consumer data; (3) affirmative 
express consent for material retroactive changes to privacy policies; 
and (4) affirmative express consent for (or prohibition against) the 
use of sensitive data.\47\ This report was the catalyst for industry to 
institute a number of self-regulatory advances. While these efforts are 
still in their developmental stages, they are encouraging. We will 
continue to work with industry to improve consumer control and 
understanding of the evolving use of online behavioral advertising.
    \47\ FTC Staff Report: Self-Regulatory Principles for Online 
Behavioral Advertising (Feb. 2009), available at http://www.ftc.gov/os/
3. International Outreach
    Another major privacy priority for the FTC has been cross-border 
privacy and international enforcement cooperation. The Commission's 
efforts in this area are gaining greater importance with the 
proliferation of cross-border data flows, cloud computing, and on-
demand data processing that takes place across national borders. To 
protect consumers in this rapidly changing environment, the FTC 
participates in various international policy initiatives, including 
those in multilateral organizations such as the Organization for 
Economic Cooperation and Development (OECD) and the Asia-Pacific 
Economic Cooperation forum (APEC).
    In APEC, the FTC actively promotes an initiative to establish a 
self-regulatory framework governing the privacy of data transfers 
throughout the APEC region. The FTC just announced that it was one of 
the first participants in the APEC cross-border Privacy Enforcement 
Arrangement, a multilateral cooperation network for APEC privacy 
enforcement authorities.
    In a similar vein, earlier this year, the FTC, joined by a number 
of its international counterparts, launched the Global Privacy 
Enforcement Network, an informal initiative organized in cooperation 
with OECD, to strengthen cooperation in the enforcement of privacy 
    Finally, the Commission is using its expanded powers under the U.S. 
SAFE WEB Act of 2006 \48\ to promote cooperation in cross-border law 
enforcement, including in the privacy area. The FTC has also brought a 
number of cases relating to the U.S.-EU Safe Harbor Framework, which 
enables U.S. companies to transfer personal data from Europe to the 
U.S. consistent with European privacy law.\49\ For example, last fall, 
the Commission announced enforcement actions alleging that seven 
companies falsely claimed to be part of the Framework. The orders 
against six of these companies prohibit them from misrepresenting their 
participation in any privacy, security, or other compliance 
program.\50\ The seventh case is still in litigation.\51\
    \48\ Pub. L. No. 109-455 (2006) (codified in scattered sections of 
15 U.S.C. and 12 U.S.C.  3412(e)).
    \49\ Companies self-certify to the U.S. Department of Commerce 
their compliance with a set of Safe Harbor privacy principles. If a 
company falsely claims to be part of this program, or fails to abide by 
its requirements, the FTC can challenge such actions under its 
deception authority.
    \50\ See In the Matter of Directors Desk LLC, FTC Docket No. C-4281 
(Jan. 12, 2010); In the Matter of World Innovators, Inc., FTC Docket 
No. C-4282 (Jan. 12, 2010); In the Matter of Collectify LLC, FTC Docket 
No. C-4272 (Nov. 9, 2009); In the Matter of ExpatEdge Partners, LLC, 
FTC Docket No. C-4269 (Nov. 9, 2009); In the Matter of Onyx Graphics, 
Inc., FTC Docket No. C-4270 (Nov. 9, 2009); In the Matter of 
Progressive Gaitways LLC, FTC Docket No. C-4271 (Nov. 9, 2009).
    \51\ See FTC v. Kavarni, Civil Action No. 09-CV-5276 (C.D. Cal. 
filed July 31, 2009).
II. Lessons Learned
    Although the Commission plans to continue its ongoing enforcement, 
policy, and education initiatives, it recognizes that the traditional 
models governing consumer privacy have their limitations.
    The Fair Information Practices model, as implemented, has put too 
much burden on consumers to read and understand lengthy and complicated 
privacy policies and then make numerous choices about the collection 
and use of their data. Indeed, privacy policies have become complicated 
legal documents that often seem designed to limit companies' liability, 
rather than to inform consumers about their information practices.
    The harm-based model has principally focused on financial or other 
tangible harm rather than the exposure of personal information where 
there is no financial or measurable consequence from that exposure.\52\ 
Yet there are situations in which consumers do not want personal 
information to be shared even where there may be no risk of financial 
harm. For example, a consumer may not want information about his or her 
medical condition to be available to third-party marketers, even if 
receiving advertising based on that condition might not cause a 
financial harm. In addition, some have criticized the harm-based model 
as being inherently reactive--addressing harms to consumers after they 
occur, rather than taking preventative measures before the information 
is collected, used, or shared in ways that are contrary to consumer 
    \52\ See Speech of Timothy J. Muris, Protecting Consumers' Privacy: 
2002 and Beyond, Cleveland, Ohio, October 4, 2001, available at http://
    \53\ See Daniel J. Solove, Identity Theft, Privacy, and the 
Architecture of Vulnerability, 54 Hastings L.J. 1, 5 (2003).
    In addition, there are questions about whether these models can 
keep pace with the rapid developments in such areas as online 
behavioral advertising, cloud computing, mobile services, and social 
networking. For example, is it realistic to expect consumers to read 
privacy notices on their mobile devices? How can consumer harm be 
clearly defined in an environment where data may be used for multiple, 
unanticipated purposes now or in the future?

III. The FTC Privacy Roundtables
    To explore the privacy challenges posed by emerging technology and 
business practices, the Commission announced late last year that it 
would examine consumer privacy in a series of public roundtables.\54\ 
Through these roundtables, held in December 2009, and January and March 
2010, the Commission obtained input from a broad array of stakeholders 
on existing approaches, developments in the marketplace, and potential 
new ideas.\55\
    \54\ See FTC Press Release, FTC to Host Public Roundtables to 
Address Evolving Privacy Issues (Sept. 15, 2009), available at http://
    \55\ Similar efforts are underway around the world. For example, 
the OECD is preparing to review its 1980 Privacy Guidelines (see http:/
34255_44946983_1_1_1_1,00.html); the European Commission is undertaking 
a review of the 1995 Data Protection Directive (see http://
ting_public/news_consulting_0003_en.htm); and the International Data 
Protection Commissioners' Conference released a set of draft privacy 
guidelines (see http://www.privacycon
ference2009.org/dpas_space/Resolucion/index-iden-idphp.php). The FTC is 
closely following these international developments, recognizing that 
the market for consumer data is becoming increasingly globalized and 
consumer data is more easily accessed, processed, and transferred 
across national borders.
    In addition, following the FTC roundtables, the Department of 
Commerce also held a workshop and issued a Notice of Inquiry on the 
related subject of privacy and innovation, in which the FTC has 
submitted a comment. See In the Matter of Privacy and Innovation in the 
Information Economy, Docket No. 100402174-0175-01, Comments of the 
Federal Trade Commission (June 2008), available at http://www.ftc.gov/
    The roundtables generated significant public interest. Over 200 
representatives of industry, consumer groups, academia, and government 
agencies participated in the roundtables, and the Commission received 
over 100 written comments.
    Several common themes emerged from these comments and the 
roundtable discussions. First, consumers do not understand the extent 
to which companies are collecting, using, aggregating, storing, and 
sharing their personal information. For example, as evidence of this 
invisible data collection and use, commenters and panelists pointed to 
enormous increases in data processing and storage capabilities; 
advances in online profiling and targeting; and the opaque business 
practices of data brokers,\56\ which are not understood by consumers. 
In addition, as commenters noted, consumers rarely realize that, when a 
company discloses that it shares information with affiliates, the 
company could have hundreds of affiliates.
    \56\ Data brokers compile information about individuals and sell it 
to others.
    Second, commenters and panelists raised concerns about the tendency 
for companies storing data to find new uses for that data. As a result, 
consumers' data may be used in ways that they never contemplated.
    Third, commenters and roundtable participants pointed out that, as 
tools to re-identify supposedly anonymous information continue to 
evolve, the distinction between personally identifiable information 
(``PII'') and non-PII is losing its significance. Thus, information 
practices and restrictions that rely on this distinction may be losing 
their relevance.
    Fourth, commenters and roundtable participants noted the tremendous 
benefits from the free flow of information. Consumers receive free 
content and services and businesses are able to innovate and develop 
new services through the acquisition, exchange and use of consumer 
information. Commenters and participants noted that regulators should 
be cautious about restricting such information exchange and use, as 
doing so risks depriving consumers of benefits of free content and 
    Fifth, commenters and roundtable participants voiced concerns about 
the limitations of the FTC Fair Information Practices model. Many 
argued that the model places too high a burden on consumers to read and 
understand lengthy privacy policies and then ostensibly to exercise 
meaningful choices based on them. Some participants also called for the 
adoption of other substantive data protections--including those in 
earlier iterations of the Fair Information Practice Principles--that 
impose obligations on companies, not consumers, to protect privacy. 
Such participants argued that consumers should not have to choose basic 
privacy protections, such as not retaining data for longer than it is 
needed, that should be built into everyday business practices.
    Sixth, many commenters called upon the Commission to support a more 
expansive view of privacy harms that goes beyond economic or tangible 
harms. There are some privacy harms, these participants argued, that 
pose real threats to consumers--such as exposure of information about 
health conditions or sexual orientation--but cannot be assigned a 
dollar value.
    Finally, many participants highlighted industry efforts to improve 
transparency for consumers about the collection and use of their 
information. At the same time, commenters questioned whether the tools 
are consistent and simple enough for consumers to embrace and use 

IV. Next Steps
    The themes that emerged through the roundtable project have led the 
Commission to consider several ways to improve consumer privacy. 
Commission staff intends to release a report later this year in which 
it expects to discuss several issues, as described preliminarily below.

A. Integrating Privacy Into Business Practices
    Many roundtable panelists and commenters raised the importance of 
companies' incorporating privacy and security protections into their 
everyday business practices.\57\ A number of roundtable participants 
and commenters emphasized the value of building privacy and security 
protections into company procedures, systems, and technologies at the 
outset, so that they are an integral part of a company's business 
model. Such protections include providing reasonable security for 
consumer data, collecting only the data needed for a specific business 
purpose, retaining data only as long as necessary to fulfill that 
purpose, and implementing reasonable procedures to promote data 
    \57\ See generally, Privacy Roundtable Transcripts of December 7, 
2009, January 28, 2010, and March 17, 2010, available at http://htc-
01.media.globix.net/COMP008760MOD1/ftc_web/FTCindex.html and the 
Privacy Roundtable public comments, available at http://www.ftc.gov/os/
    Panelists and commenters stated that these measures would provide 
consumers with substantive protections without placing the burden on 
them to read long notices and make cumbersome choices. The Commission 
also notes that many businesses already are providing these types of 
protections as a matter of good business practice or due to existing 
sectoral laws.\58\ Accordingly, the Commission is exploring whether and 
how to encourage companies to incorporate these protections into their 
practices, whether there are other protections that companies should 
incorporate, and how to balance the costs and benefits of such 
    \58\ See Fair Credit Reporting Act, 15 U.S.C.  1681e-i; Gramm-
Leach-Bliley Act, 16 C.F.R. Part 314, implementing 15 U.S.C.  6801(b); 
cases cited supra n. 17.
B. Simplifying Choice
    The Commission is also considering whether and how to simplify the 
privacy choices presented to consumers. One way would be to recognize 
that consumers do not need to exercise choice for certain commonly 
accepted business practices--those that fall within reasonable consumer 
expectations. By eliminating the need to exercise choice for these 
practices, consumers can focus on the choices that really matter to 
them, and on uses of data that they would not expect when they engage 
in a transaction. Simplifying choice should also reduce the burdens on 
    Such commonly accepted business practices may include fulfillment, 
fraud prevention and responding to legal process, internal analytics, 
and sharing data with service providers that are acting at the 
company's direction. For example, it may be unnecessary, and even 
distracting, to ask a consumer to consent to sharing his or her address 
information with a shipping company for purposes of shipping a product 
that the consumer has requested. The Commission is considering how to 
define these commonly accepted business practices.
    The Commission is also exploring--in cases where choice would be 
needed--how to ensure that such choice is more meaningful. For example, 
rather than discussing choices in a long privacy policy, it may be most 
effective to present choices ``just-in-time,'' at the point when the 
consumer is providing the data or otherwise engaging with a company. It 
also may be beneficial to have greater consistency in the way that 
choices are presented and expressed, so that consumers can better 
understand and compare companies' privacy practices. In addition, the 
Commission is examining how best to protect and provide effective 
choice for the use of sensitive information, such as health, financial, 
children's, and location data.

C. Improving Transparency
    The Commission also is considering a number of other ways to 
increase transparency about commercial data practices. First, the 
Commission believes that privacy policies should be improved. Indeed, 
although excessive reliance on privacy policies has been widely 
criticized, roundtable participants and commenters recognized the 
continuing value of privacy notices to promote accountability for 
companies. Accordingly, in its upcoming report, the Commission will 
discuss ways to improve the disclosures in privacy policies. One 
possible approach is the use of standardized terms or formats. Clearer, 
more standardized privacy disclosures could allow consumers to compare 
the privacy protections offered by different companies and potentially 
increase competition on privacy practices.
    Second, the Commission also is considering issues related to the 
practice of data aggregation. Roundtable participants and commenters 
expressed concern that data collected for one purpose can be combined 
with other data and then used for purposes not anticipated by the 
consumer. Further, unbeknownst to many consumers, companies such as 
data brokers collect and sell such aggregated data on a routine basis. 
At the roundtables, some panelists suggested that one solution would be 
to give consumers access to their data as a means of improving 
transparency. Others discussed the costs of providing access, and 
suggested that, if access is provided, it should vary with the 
sensitivity of the data and its intended use. The Commission recognizes 
the significant policy issues raised by access, and is examining 
whether the benefits of access are commensurate with the costs of 
implementation. The Commission is also considering whether there are 
other ways to promote greater transparency about the data aggregation 
practices of data brokers and others.
    Third, the Commission continues to believe that requiring 
affirmative express consent for material retroactive changes to how 
data will be used is an essential means of maintaining 
    \59\ See In the Matter of Gateway Learning Corp., FTC Docket No. C-
4120 (Sept. 10, 2004) (consent order); FTC Staff Report: Self-
Regulatory Principles for Online Behavioral Advertising (Feb. 2009), 
available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
    Finally, the Commission is examining the role of education in 
promoting greater awareness about privacy among both businesses and 
consumers. For example, the Commission is interested in exploring 
whether businesses, industry associations, consumer groups, and the 
government can do a better job of informing consumers about privacy. 
The Commission is also evaluating the roles that government agencies 
and trade and industry associations can play in educating the business 
    The FTC looks forward to developing these concepts further and to 
working with Congress and this Committee as the agency moves forward.

V. FCC/Common Carrier Exemption Issues
    In recognition of the Federal Communication Commission's (``FCC'') 
participation in this hearing, the Commission notes that it has a long 
history of cooperation and coordination with the FCC in policy matters 
and law enforcement, including those related to privacy. For example, 
the FCC and FTC cooperated extensively in implementation of the 
National Do Not Call Registry and continue to cooperate on enforcement 
of the Do Not Call rules, pursuant to a Memorandum of Understanding 
signed by staff of the two agencies.\60\ Similarly, the FCC and FTC 
collaborated in efforts to address concerns raised by phone pretexters 
obtaining consumers' calling records without authorization.\61\ That 
tradition continues as the FCC works on implementing its National 
Broadband Plan.
    \60\ See Annual Report to Congress for FY 2003 and 2004 Pursuant to 
the Do Not Call Implementation Act on Implementation of the National Do 
Not Call Registry, available at http://www.ftc.gov/reports/donotcall/
    \61\ See Prepared Statement of the Federal Trade Commission Before 
the Committee on Energy and Commerce, U.S. House of Representatives, 
``Combating Pretexting: H.R. 936, Prevention of Fraudulent Access to 
Phone Records Act (Mar. 9, 2007), at 4, available at http://
    With this history of productive cooperation in mind, the FTC renews 
its request for repeal of the telecommunications common carrier 
exemption from the FTC Act. The Commission believes that repealing the 
exemption would better enable the FTC and FCC to work together on 
privacy and other issues, and to leverage their relative expertise and 
resources, to achieve their common goal of protecting consumers of 
telecommunication services.
    The FTC Act exempts common carrier activities subject to the 
Communications Act from its prohibitions on unfair and deceptive acts 
or practices and unfair methods of competition.\62\ This exemption 
dates from a period when telecommunications were provided by highly-
regulated monopolies. The exemption is now outdated. Congress and the 
FCC have dismantled much of the economic regulatory apparatus formerly 
applicable to this industry. The current environment requires 
telecommunications firms to compete in providing telecommunications 
services. Removing the exemption from the FTC Act would not alter the 
jurisdiction of the FCC, but would give the FTC the authority to 
protect consumers from unfair and deceptive practices by common 
carriers in the same way that it protects them against other unfair and 
deceptive practices.
    \62\ 15 U.S.C.  44, 45(a).
    Repeal of the common carrier exemption is particularly timely as 
the array of communications-related services continues to expand. The 
FTC has a long track record of addressing competition, consumer 
protection, and privacy issues with respect to information, 
entertainment, and payment services. In addition, the FTC has 
procedural and remedial tools that could be used effectively to address 
developing problems in the telecommunications industry.\63\
    \63\ These tools for injured consumers include the FTC's ability to 
obtain, in appropriate cases, preliminary and permanent injunctions, 
asset freezes, restitution, and disgorgement under the FTC Act, 15 
U.S.C.  44 et seq.
    FTC staff continues to work with the FCC on a number of 
initiatives. Repeal of the common carrier exemption will lead to 
further and even more productive collaboration and ensure that consumer 
protection interests are well protected.

VI. Conclusion
    Thank you for the opportunity to provide the Commission's views on 
the topic of consumer privacy. We look forward to continuing to work 
with Congress and this committee on this important issue.

    The Chairman. Thank you very much.
    The vote is in 5 minutes, so I'm going to ask a question. 
By that time, John Kerry will have voted and come back, and 
he'll chair until I get back.
    This is for Chairman Leibowitz. Millions of consumers go 
online everyday to buy books, to watch videos, and communicate 
with friends and family. Because they are sitting in the 
privacy of their homes, people think that they are not being 
watched, but they are. When a woman researches breast cancer 
online, she is not thinking that the Website she visits may be 
collecting data on her and shared--sharing that data with 
others. It would never occur to her, never occur to me, but it 
happens. And she should not have to worry about her online 
activity being shared with a prospective employer. This is not 
just games, here, this is--gets to be very serious stuff. 
People get hired or don't get hired.
    I know the Federal Trade Commission plans to release a 
privacy report in the fall, so my questions are the following: 
What is the FTC--what will you present in the way of 
establishing base-level privacy protections for consumers that 
are enforceable and which you have the authority to enforce? 
Which leads to the second question: Are there limitations on 
FTC's authority that prevent you from protecting consumers' 
    Mr. Leibowitz. Well, let me take the second question first. 
You know, one of the things that we pushed very hard for--and 
you pushed very hard for with us, in the context of financial 
reform--was the ability to sanction malefactors--to fine 
malefactors. And we weren't able to get it this time. But, that 
seems to me to be a limitation. When you have a company that 
engages in truly inadequate data security, or a company engaged 
in fraud--and we go after a lot of people who are engaged in 
fraud--it would help to have the stronger deterrent of a civil 
fine. So, that would be one area where we have limitations.
    On the other hand, our statute that prohibits unfair and 
deceptive acts or practices is pretty broad, and it is very, 
very useful. And we have brought more than 100 spam and spyware 
cases, we've brought about 30 data-security cases, and we are 
going to continue to do more. Protecting American consumers' 
privacy is one of our highest priorities.
    I would say this: Going back to your opening statement, 
where you made an analogy to someone walking through a mall, 
and they're being followed by someone who's sending out 
information to the stores ahead, further down along the way the 
consumer is walking. That's a really good analogy, I think, to 
what is going on, on the Internet today. Because people don't 
really understand privacy policies and people don't understand 
third-party cookies, and sometimes they'll sign up for 
something and their Web browsing will be followed.
    I will say this: For vulnerable populations and for 
sensitive information, we have said--and we issued a report 
last year--that those should be ``opt-in,'' rather than ``opt-
out.'' And we believe very strongly in that.
    Now, occasionally you can have a better opt-out policy than 
an opt-in policy; but, in general, in terms of informing 
consumers and protecting their privacy, opt-in, particularly 
with vulnerable populations, like teens; or sensitive 
information, like medical records--that's a better approach.
    The Chairman. Let me ask a second question, and then I have 
to go.
    When I do, Byron Dorgan, if you would mind--not mind taking 
over? Senator Kerry, who just went to vote, when he comes back, 
then he will chair. When I come back from voting, I will chair.
    The second is, your example, that you use in your 
testimony, the company Game Station, quote, ``bought the souls 
of its customers by adding a line to its terms and 
conditions,'' demonstrates how few people actually read the--
licensing agreements, and privacy practices.''
    One, please elaborate on that.
    Mr. Leibowitz. Sure. I mean, one of the things that became 
absolutely clear to us during our roundtables this year is that 
there's a huge disconnect between what consumers think happens 
to their data and what really happens to their data; and also 
consumers' understanding of privacy policies. Most consumers 
believe that a privacy policy protects their privacy. Instead, 
a privacy policy delineates their rights, and their lack 
    There is a story about this company--I think it was called 
Game Station; it's a British gaming company--on April 1 of this 
year, they decided to put a clause in that said, ``Unless you 
opt-out, we take possession of your immortal soul.'' And if you 
do opt-out, they game you 5 pounds sterling--about $8--as a 
rebate. And only 12 percent of the people opted out, because 
nobody else read privacy policies. And I think it was kind of a 
clever way to make a very disturbing point, which is that 
privacy policies don't generally protect consumers, and 
consumers don't generally read them. And that's part of the 
reason why we're doing this rethink of privacy.
    The Chairman. Are the licensing agreements and privacy 
policies effective disclosures? Do they have weight?
    Mr. Leibowitz. Well, I would say that some do and some 
don't. You know, in our spyware cases--and we've brought more 
than a dozen spyware cases--very often they were designed to 
obfuscate the fact that, if you clicked on a policy, companies 
would do all sorts of things with your data. I think some 
privacy policies are actually pretty good, but the question is: 
What should be the rules of the road, going forward? How do we 
move everyone up to the right standard? That's part of the 
reason we're going through this process, this initiative, and 
writing a report. And that----
    The Chairman. As well as the size of the print.
    Mr. Leibowitz. Yes. And one thing that we've talked about 
is the notion of having a box with the most important privacy 
principles in them, and the most important terms and 
conditions, so consumers will understand it. And it'll be on 
the first click, not the third or the fourth. And that's a good 
way to bake in privacy principles. And we'd like to see more of 
    The Chairman. Can you create that?
    Mr. Leibowitz. We can certainly----
    The Chairman. Or enforce it?
    Mr. Leibowitz.--encourage it. And I think some companies 
are in the process of migrating toward that. I think if we work 
together, we use our bully pulpit; and maybe if companies don't 
move forward quickly enough there might be a legislative 
approach, as well, and we want to work with you on that, if 
that is where this committee is going.
    The Chairman. Thank you.
    Senator Dorgan [presiding]. Thank you, Senator Rockefeller.
    Senator Johanns.
    Senator Johanns. Let me ask you a couple of specific 
questions. And I'll tell you where I'm headed on this. I hear 
your statement about, you know, let's put the privacy policy 
up, and then I can read it, and I can figure out whether I want 
to click on, ``Yes, I agree with this,'' or, ``I don't agree 
with it.''
    I'm coming from a different angle. Why don't we want the 
power of that on my side? And here are a couple of examples:
    Every once in a while--and I'll bet people in the audience 
and listening in can relate to this--I get an e-mail from 
somebody advising me on the latest deal in penny stocks, ``Buy 
this stock today.'' First time I got it I thought, ``Well, this 
is easy. I'll just send an e-mail back to Joe Smith,'' whoever 
the person was, and tell him, ``Please take me off your list. I 
don't want your e-mails anymore.'' So, it comes back to me, 
``Your e-mail is not deliverable.'' Why can't we require that, 
if I don't want to be on Joe's list to get his advice on penny 
stocks, I don't have to get it?
    Mr. Leibowitz. May I just respond to that? So, there's 
supposed to be an easy opt-out, under the CAN-SPAM Act, 
legislation that came out of this committee--Senator Dorgan was 
very involved in it. And if you can't simply click on an easy 
opt-out mechanism, then they're in violation of CAN-SPAM. So, 
you can send those e-mails to me, we'll have a discussion about 
it, and we'll follow up, because they're not supposed to do it. 
And I think most legitimate companies want to have an easy opt-
out mechanism. They want to be in compliance with the law.
    Senator Johanns. Great.
    Senator Dorgan. Senator Johanns, might I just point out 
that there is--in almost all cases, when you get that kind of 
e-mail, there is, way down at the end, an--generally, an 
    Mr. Leibowitz. Unsubscribe.
    Senator Dorgan.--``icon,'' and so--but, if that does not 
exist, I think they are in violation of the law.
    Mr. Leibowitz. If they are in violation of the law--and, I 
actually went online to buy movie tickets a few weeks ago, and 
I have been pushing the ``unsubscribe'' button because I'm 
getting all sorts of--I wouldn't call it ``spam,'' because it's 
permissible, I suppose, it's just junk corporate mail from this 
film-buying service. And so, not all the ``unsubscribe'' 
buttons work properly, but we're also going to work on that----
    Senator Johanns. Yes.
    Mr. Leibowitz.--company, as well.
    Senator Johanns. Well, the second question is along the 
same lines. And again, people relate to this. I go to my 
doctor, the doctor says, ``You've got this condition.'' Quite 
honestly, I want that to be enormously private, maybe only 
share it with my wife. And so, I go on--what's the first thing 
you do when you get home? You go online to your favorite search 
engine, and you start looking up everything you can possibly 
look up. And you spend half the night trying to figure out, 
``Am I dying of cancer, or whatever it is?'' Now, is there 
somebody out there, with that search engine company, tracing 
that? And next week, I start getting mailings or e-mails, or 
whatever, saying, you know, ``You need to contact this company. 
They've got a product that will help with this medical 
condition''? Why can't I have, in my e-mail, a disclaimer that 
says, ``Look, folks, I don't want this to be used for that 
    Mr. Leibowitz. Well, let me respond to that. If you're 
going on a large search engine, presumably they're anonymizing 
your data, and they're supposed to do that. And so, you do have 
some layer of protection. I think, when you're clicking on 
advertisements and you're doing other things--or you're 
browsing through the Internet--that's where I begin to worry 
about third-party cookies that track all of your wanderings 
    Senator Johanns. Right.
    Mr. Leibowitz.--cyberspace. I would say this, though. Even 
with respect to Google or another search engine, sometimes 
there's an aggregation of data that, if it became public, even 
though it doesn't have any, what we would call, ``original 
personally identifiable information,'' could still create a 
pretty good profile of you.
    And AOL, a few years ago, had a search engine; they 
released, for research purposes, a bunch of anonymized 
searches. And the New York Times did a very clever thing. They 
sort of reconstructed it, and they came up with some of the 
people who had done these searches. And so, I think the concern 
you raise is a very legitimate one.
    Again, we all understand that there are some wonderful 
benefits of being able to do all of the things that we need to 
do and want to do on the Internet, but we have to be very 
mindful--and we try to be, and I know the FCC does, under 
Chairman Genachowski--about protecting people's privacy.
    Senator Johanns. Well, I'm out of time. But, you can kind 
of see where my questions are going. My point is this: I don't 
think this is what people are signing up for. I think it is a 
wonderful tool. I think you can do rather remarkable things, 
more things than even I would ever understand. But, I think we 
have an obligation here to try to deal with people's 
expectation of privacy. And, if I'm out there--maybe I do want 
to click on an advertisement, see what the best remedy for 
cancer is, or whatever--I don't want to be subjected, then, to 
some kind of analysis of my behavioral profile.
    Mr. Leibowitz. We absolutely agree with you, and we have a 
two-pronged approach to this. One is when we see a company 
violating a privacy policy or making a representation to 
consumers that they then don't live up to, we go after them. 
And we have brought lots of cases, well over 100 in this area. 
And then, we're trying to think through what the rules of the 
road ought to be in--for privacy protections and for clear 
privacy notices.
    And that's what we're trying to do, sir. I think we're in 
general agreement.
    Senator Johanns. Great.
    Thank you, Mr. Chairman.
    Senator Dorgan. Thank you.
    Senator LeMieux.

                   U.S. SENATOR FROM FLORIDA

    Senator LeMieux. Thank you, Mr. Chairman.
    I know Chairman Rockefeller is not here, but I want to 
commend him for calling this hearing.
    And I want to thank you both for the work that you're doing 
on this topic.
    And I want to especially commend you, Chairman Leibowitz, 
on the common sense, practical way you're trying to work with 
the community through these roundtables to have the private 
sector, hopefully, fashion their own remedies so that it 
doesn't have to be done by regulation. I think that's always 
the best method, if it can be achieved. I mean, I think the 
private sector knows that, if it can't be, that Congress will 
step in. So, we're there as the backstop to, maybe, give you a 
little negotiating leverage. But, if the private sector will do 
that, I think that's the best, to all concerned.
    And I want to speak to the issue that my colleague from 
Nebraska was talking about, and that is, this really all comes 
down to making sure the consumer knows what the disclosure 
issues are. And it's not a privacy statement, as you correctly 
pointed out, because you are not gaining rights by going 
through the privacy statement. It is a ``disclosure of personal 
information'' statement, and if it were titled that way, people 
would look at it a lot differently than if they see 
``privacy.'' And if we had some uniformity, like I know was 
done with credit cards, with the box that you see, on your 
credit card statement, that is in bold--that this Congress 
passed that regulation in the past, and people on this 
committee, I know, worked on that--allows you to see, in clear 
writing, what it is, and there's some uniformity to it--I think 
that that is good for consumers. I also think it's good for the 
private sector, because, if people feel secure in their 
privacy, they're more likely to engage in transactions on the 
Internet, and are not going to feel like they cannot.
    So, I commend you for that, and encourage you to go forward 
on that.
    Mr. Leibowitz. Well, we agree with you. And the notion of a 
box, where those rights are clearly articulated, in a way that 
consumers can see it, is one thing that we're certainly 
thinking about.
    Senator LeMieux. And I like the affirmative check-off that 
you're talking about, so that it's not that--you know, people 
don't know what ``cookies'' are. And this--you know, when you 
see the little thing come up on your Website, you know, 
``enable cookies'' or ``disable cookies,'' that is not clear to 
folks. And the idea that, if you were shopping in a shopping 
center, and you were in The Gap, and the sales associate said 
to you, ``OK, from now on, since you shopped here today, we are 
going to follow you around the mall and view your consumer 
transactions,'' no person would ever agree to that.
    So, I understand that, in some transactions, I may want my 
search engine to provide me with information that will help me 
in my searches, but I think that that has to be a clear 
consumer choice. And I think that having the opt-in portion, 
that you mentioned, is very important about that.
    Tell me what kind of complaints you're getting from 
consumers. Is there anything that's new to your attention? Are 
there new developments on the online world that we should be 
aware of?
    Mr. Leibowitz. Well, I would say this. You know, we get 
lots of inadequate data-security complaints, and we've brought 
cases, and I think we brought some of them with State AGs. 
We've done a lot of mortgage cases with----
    Senator LeMieux. Right.
    Mr. Leibowitz.--State AGs, which is a----
    Senator LeMieux. You've done a lot of them in Florida.
    Mr. Leibowitz.--terrific partnership, and a lot of work in 
Florida. That's exactly right. We get a lot of general privacy 
complaints that we go and we investigate. And we have brought a 
number of cases here.
    One of the most interesting cases was a case involving 
Sears. Sears did data mining of consumers. It took a lot of 
their personal information, like prescription drug records. 
They paid consumers $10, and they said, ``If you opt into our 
Sears Club we'll help you with your browsing.'' And they 
collected all this information--bank account information, 
prescription drug information, all sorts of personal 
information that they shouldn't have gotten from consumers. And 
consumers had no clear notice that they were getting it. It was 
multiple clicks away.
    And we brought a case against Sears, and they stopped their 
bad practices. But, one of the most interesting things was that 
Sears wasn't doing anything bad with this information, they 
didn't quite know what they were doing with this information. 
But, in and of itself, that's kind of disturbing, because 
here's a wonderful corporation, and they were collecting this 
information. They weren't giving, in our opinion, consumers 
adequate notice.
    And again, part of the reason we partner with State AGs is 
because we are a tiny agency, by Washington standards. You 
know, we do consumer protection, we do antitrust. But, you do 
wonder how many other instances there are of companies 
collecting data and doing inappropriate things with them.
    Senator LeMieux. Well, again, I commend you for trying to 
work with business on it. Coming to clear agreed-to standards 
is good for the business community, because it allows them to 
operate, and it's also good for consumers. And I know that--on 
the FCC side, that there are probably resources that you can 
use to bring to bear to help in these efforts, so--appreciate 
the collaboration between the two agencies.
    Senator LeMieux. Thank you, Mr. Chairman.
    Senator Dorgan. Thank you, Senator LeMieux.
    Senator Thune?

                 STATEMENT OF HON. JOHN THUNE, 

    Senator Thune. Thank you, Mr. Chairman.
    Let me just ask, from a regulatory perspective--there seems 
to be a significant debate over how to address the collection 
of certain types of information. If new regulations were to be 
enacted, should they address the collection of different types 
of information in different ways? For example, how should 
Congress make this distinction? And, maybe to put a finer point 
on it, if Congress were to try to and define what constitutes 
``personally identifiable information,'' how would we go about 
doing that?
    Mr. Leibowitz. So, ``personally identifiable information'' 
includes the core traditional things. It's your name, it's your 
address, it's your Social Security number. But, of course, we 
have pretty much said--and all the commissioners, Democrat or 
Republican, Independent--are in agreement that ``personally 
identifiable information,'' in the Information Age we live in, 
with these extraordinary amounts of aggregated data, is a 
little bit broader than that.
    One thing you might focus on, if this committee moves ahead 
with legislation, is thinking about different rules of the road 
for sensitive information being collected, going back to your 
point. I think that's important. You always want clear notice, 
but maybe, in that instance, you want clear notice and some 
sort of opt-in, so consumers have to affirmatively opt in for 
use of this kind of data.
    But, as you know, it's very complicated--it's easy to go 
after bottom feeders and malefactors and good companies that 
just make mistakes, when we find them. It's hard to figure 
out--because we all want the free content in applications that 
flows through the Internet--it's hard to figure out exactly 
what the instrument might be.
    I'll just make one more point and then I'll turn it over to 
my colleague, Mr. Genachowski.
    One promising area--and we're trying to figure out whether 
the technology is quite there yet--is to do a Do Not Track, 
through browsers. If we could have some sort of universal easy-
to-use mechanism for consumers--it could be run through the 
FTC, or it could be run through some sort of private-sector 
entity--consumers could make that choice. Now, my guess is, 
most consumers like seeing targeted ads for most subjects. And 
so, you wouldn't see a huge number of people opting out. If you 
opt-out, you still get advertisements, they just won't be 
targeted. So, that's one thing we're focusing on. And we'll be 
back to you when we finish our report, in the fall, and tell 
you what our recommendations are and whether this is one viable 
way to proceed.
    Mr. Genachowski. The one thing I'd add to that is, you 
know, at the FCC we focus on the on-ramps----
    Senator Thune. Right.
    Mr. Genachowski.--to the Internet, and on the goal of 
extending broadband and its benefits everywhere. And, one of 
the things that's clear to us, in our work, is that the privacy 
issues and concerns that we're discussing here are important, 
not only because they're a fundamental moral issue, a 
fundamental individual issue, but also because, to get the 
benefits of broadband--the economic benefits, telehealth, 
education--people need to be confident that the Internet is a 
safe, trustworthy place. And the more people have the concerns 
that we're hearing today, the less likely they are to take 
advantage of this medium that, we've talked about in other 
settings, has enormous potential to generate economic growth in 
the United States, innovation, transform healthcare in a 
positive way.
    So, the multiple reasons--and I heard a couple of Senators 
mention this-- of the importance of addressing this issue is 
something that we see, in our work, is very important. There's 
a long history, at the FCC, on focusing on the on-ramps. The 
statute talks about telecommunications carriers, cable and 
satellite companies--CPNI is the phrase that we use at the FCC, 
with respect to ensuring that personal information that 
providers have is adequately protected, secured. And--as I 
mentioned in my opening statement, even today there's no 
shortage of enforcement actions that we're called upon to bring 
as part of the certification program that we have for providers 
to make sure that they are living up to the expectations, with 
respect to securing the personal data that, in an analogous 
way, is available to companies when you make a phone call, when 
you connect to the Internet.
    And so, collaboration, here, is very important, and we work 
on that on a regular basis.
    Mr. Leibowitz. We do. And if I could just say one more 
thing. You know, we also collaborate on education, which is 
very, very important, too. And so, here's a brochure we wrote 
up. And Chairman Genachowski and I announced it with the 
Education Secretary, Arne Duncan, called Net Cetera. And it's 
about how parents can talk to their kids about being online. 
And more than 3 million of them have distributed through 
schools. So, education is critically important in this area.
    Senator Thune. And I'm interested in what you mentioned in 
your testimony today that would allow consumers to opt-out of 
tracking and behavioral--at a browser level, as opposed to 
website-by-website. And so, as you continue to pursue that, I'd 
be interested in----
    Mr. Leibowitz. We will----
    Senator Thune.--your findings.
    Mr. Leibowitz. We will----
    Senator Thune. One other----
    Mr. Leibowitz. We'll submit----
    Senator Thune.--quick question, if I might. And it has to 
do with the whole issue of cloud computing networks and how 
that bears on this. As government data's moving to a cloud 
computing network, does that improve the data security of that 
information? And are there particular security or privacy 
threats that we ought to be cognizant of as government agencies 
make that transition?
    Mr. Leibowitz. Well, cloud computing, I think, can, in some 
instances, increase the efficiency and provide more options for 
businesses, including small businesses that want to store data. 
In terms of the data security, and in terms of the data 
security for government, I think it's a really important issue. 
We were one of the agencies that got shut down for a day, by 
virtue of an attack on us from a foreign country. And so, we're 
very, very mindful about both securing our own data, at the 
FTC, and trying to make sure that there's a security component 
added--reasonable data security or really good data security in 
cloud computing.
    Senator Thune. Yes.
    I see my time has expired, Mr. Chairman, so thank you very 
    Senator Dorgan. Senator Thune, thank you.


    I want to mention that Senator Rockefeller left, as did 
Senator Kerry, to go for a 3 o'clock vote--cast a vote at 3 
o'clock. Turns out the vote was delayed, when they got to the 
floor of the Senate, until 3:20. So, the vote will begin 
momentarily. Let me ask a few questions in their absence.
    I held a couple of hearings on these issues, when I chaired 
a subcommittee in this committee. I chaired two hearings in 
2008. And that followed a company, called NebuAd, that was 
described as working with certain Internet service providers to 
gain access to the content on their networks to provide 
advertisers with profiles of those providers' customers. And 
so, I held a couple of hearings and we began to try to think 
through, How do we address these issues? And it is 
extraordinarily complicated, there's no question about that.
    It is the case that advertising supports the Internet, in 
large measure. And advertising, it is the case, can be very 
useful to customers, to those that are on the Internet 
searching for a pair of shoes or a wristwatch; perhaps they've 
searched before for these brands. And so, there are certain 
things that can be helpful to customers, with respect to 
advertising on the Internet. But, it's also the case that the 
Internet provides substantial access for what I call 
``snooping'' or ``tracking.'' And those of us who run in 
modern-day campaigns, those of us who've run Senate campaigns, 
understand what the word ``tracker'' would mean. Modern 
campaigns have trackers tracking the other campaign, and 
recording everything. And it's not a very pleasant thing, but 
if you're in public life, that's the way it works. Most of the 
Americans who aren't in public office or in public life would 
find it pretty unbelievable to have a tracker tracking 
    Let me give you an example. If someone, this afternoon, 
left the hearing and took the rest of the day off, and you went 
to Tysons Corner and stopped at Chipotle, because you're hungry 
and it has been a long hearing. And then you stopped that the 
Nordstrom's and went to ladies lingerie----
    Senator Dorgan.--it's not going to--the tracker's not going 
to describe whether you're weird of looking for a gift for your 
    Senator Dorgan. But, they're just going to say you stopped 
at ladies lingerie and purchased a little something at 
Nordstrom's; and then perhaps a jewelry store; and then maybe 
Annie's Pretzels; and then a bookstore, where you bought 
Rolling Stone, Better Homes and Gardens, and ``How to Make a 
Nuclear Weapon.''
    Senator Dorgan. And so, someone followed you at every step 
of the way, just over your shoulder, making copious notes on 
your behavior. Anyone would find that unbelievable. They would 
say, ``Are you kidding me? Who the hell are you, tracking me 
around, making notes about everything I'm doing?'' And yet, 
that's happening, every day across this country, to people that 
are using the Internet. And the question is: Who's gathering 
it? And, how is it being used? Or, how will it be used? Those 
are the operative questions. And that's what brings us to this 
    Let me say, to both of you----
    Julius Genachowski, you know, I think you're pulling a 
pretty heavy load down there, working on really important 
things. And I'm very supportive of what you're doing. I know 
there's some controversy about some of them.
    And, Mr. Leibowitz, the same thing with you.
    We--I think this committee relies on both of your agencies 
to help steer us and think through, How do we work with the 
industry to keep that which is good--I mean, advertising, 
supporting the Internet, is something all of us want to be 
allowed to flourish--without the kind of tracking and snooping, 
and particularly the danger of inappropriate use of material 
that has been gathered about individuals?
    So, having said that as a long preamble, since the two 
hearings that we held on this subject, Mr. Leibowitz, again, 
remembering NebuAd and that they--the short explosion of anger 
and concern about that--What do you think we have learned, from 
then until now, that should guide us, or could guiding us, in, 
first, making a judgment, Does there--Do--Is there a need for 
substantial additional regulations, either passed into law by 
the Congress or developed by the agency? Or can there be a 
partnership that appropriately develops the guidelines? Would 
that be sufficient?
    Mr. Leibowitz. So, here's, it seems to me, one lesson from 
the brief life of NebuAd and deep packet inspection. Deep 
packet inspection is, in many ways, worse than third-party 
cookies, because, the notion of deep packet inspection, you 
have to go through an ISP. So, they get all of your information 
with using this type of service, or they would have if, I 
think, that----
    Senator Dorgan. And it has to be with the concurrence of 
the Internet service provider. Presumably, the only reason an 
ISP would concur is that they--they're going to get something 
from it.
    Mr. Leibowitz. Well, that's right. That's right. I mean, it 
might be monetizable--I'd imagine it is--but there didn't have 
to be any concurrence of the consumer. And so, one thing I 
think that we've learned from this is there's a fair amount of 
corporate responsibility here, because the minute we started 
talking about the problems of deep packet inspection, you saw 
companies immediately, or pretty quickly, back off of it. I 
would say that.
    The other lesson, it seems to me, is, we need--and just 
following up on that, there's a group--they have the 
unfortunate name The Coalition--but it's a group of a number of 
private companies getting together to try to come up with an 
easy way for consumers to opt-out of targeted ads. And it's 
moving along, it's very promising. More than 100 corporations, 
I believe, are involved in this, that have big Internet 
presences. So, that's a good sign. And I think that's 
consistent with the corporate responsibility that we sometimes 
see, although they're not on market yet.
    And then, the other thing is that consumers need to have 
clear notice so they can make more informed decisions, because 
that's critically important as well.
    As for legislation, I think it's really in the hands of the 
private sector. If they want to do a better job of ensuring 
that consumers can make clear choices and have clear notice, 
then I think it's in their hands to avoid legislation. And I 
think, if they don't, and if we don't see more progress, I 
think you're going to see, probably next Congress, a fair 
amount of interest in moving legislation forward to have more 
prescriptive rules.
    Senator Dorgan. Do you have any recollection of how we 
discovered the issue of NebuAd?
    Mr. Leibowitz. I read about it after a committee hearing, I 
believe. But----
    Senator Dorgan. But----
    Mr. Leibowitz. Or----
    Senator Dorgan.--we didn't have----
    Mr. Leibowitz.--right before that. I think--go ahead.
    Senator Dorgan. Well, we didn't have a hearing, I think, 
because of original discovery. I mean, my recollection of that 
was, somebody did an enterprising piece of reporting----
    Mr. Leibowitz. Maybe it was in the paper.
    Senator Dorgan. And----
    Mr. Leibowitz. Yes.
    Senator Dorgan. And the result was, people saying, ``Oh my 
God. I had no idea this was going on.'' Is there any assurance 
that--although NebuAd is not around, I mean, do we know whether 
it's happening now?
    Mr. Leibowitz. I certainly think, based on--even when we're 
not doing investigations, we have cable companies and telephone 
companies in, at least to talk to them. We actually don't have 
jurisdiction over telephone companies for enforcement actions. 
We'd like to see the common carrier--and you've been a leader 
on that--common carrier exemption repealed. But, I think we 
would know about it. I would like to think that, consistent 
with the corporate responsibility we like to see, that they 
would come and tell us, and tell Chairman Genachowski what 
they're interested in and what they're doing.
    Mr. Genachowski. I think the one thing that I'd add to 
that--and I agree with what Chairman Leibowitz is saying--what 
that history underscores is the importance of real transparency 
and information to consumers. Anytime it's a story that, 
``Well, when consumers found out about it, they rebelled,'' 
that tells us things that are both good and bad. It tells us 
that, with adequate information, notice, real choice, there's 
an increasing chance that the market can work and that 
companies will be moved by the--an informed market to adopt 
policies that work.
    The other thing that I think it underscores is that the--
with the technology changing as rapidly as it does, the lessons 
that I think we should pull out of experiences like that go to 
core principles and strategies that will work, regardless of 
how technology evolves and different opportunities that may 
exist to benefit from personal information. And so, a real 
focus on transparency, meaningful consumer choice, the kinds of 
ideas, around boxes, or otherwise. I have personal--as Chairman 
Leibowitz knows--personal experience with the credit card box 
when I was a staffer on the Hill 20 years ago. And I think it's 
a--the core idea of working to make sure that consumers have 
information, in a way that makes sense to them, that's 
actionable, it's an idea that brings together the fundamental 
principles of consumer choice and empowerment with a market-
oriented approach that can help us get the benefits from 
broadband and the Internet, new technologies that we want.
    Senator Dorgan. Thank you very much.
    Senator Thune, did you wish to inquire----
    Senator Thune. Yes.
    Senator Dorgan.--further?
    Senator Thune. Very quickly, if I might, Mr. Chairman.
    Let me ask you both whether the FTC or the FCC should be 
the lead agency when it comes to enforcing online privacy 
policies. And if you had a National Broadband Plan that is 
fully implemented, would there be duplication of online privacy 
regulations between the two agencies?
    Mr. Genachowski. Well, as with so many other areas, it's 
important that we work together. Our agencies have different 
kinds of expertise. We've, historically, focused on the 
networks. We have technological expertise; the networks, 
whether they're wired and wireless. Our jurisdiction is 
different from that of the FTC, even where they overlap.
    And so, to me, continued collaboration in this area, with 
respect to the expertise that each of our agencies, and the 
kinds of enforcement tools that we have, is very important. I 
think it's important, as we've Net Cetera and other things--
where we're working on goals like consumer education, I think 
it's important--and we've talked about this with each other--to 
do this in a coordinated way and not to--you know, to agree on 
a single way to inform consumers, make sure that consumers are 
informed. One of the risks is, consumers get different 
information from different sources, and they're even more 
    Mr. Leibowitz. Yes, and I agree with Chairman Genachowski. 
We have complementary areas of expertise. I don't think anyone 
has ever accused us of piling on anyway. I mean, we're an 
enforcement agency. You're more of a regulatory agency. We have 
a policy component, too. And so, I think we want to work on 
this together.
    We bring a lot of privacy cases, but, in the broadband 
context, I think it's important that we work together and we 
think about all of these issues with this committee.
    Senator Thune. Right.
    Mr. Genachowski. And I would add, as I said in my opening 
statement, one of the things that the Broadband Plan pointed 
out, in addition to the point that having consumer confidence 
around privacy is actually important for economic growth 
relating to broadband, there is uncertainty in the landscape. 
You know, in the Communications Act, it speaks about 
telecommunications areas--carriers, cable, satellite--ad the 
traditional work that the FCC has done--to make sure that your 
personal information, when a telephone company has it or a 
cable company has it, is protected, needs to be clarified for 
the new technologies that provide communications access service 
to consumers.
    So, it is an area that we look forward to working on with 
the Committee and with each other. But, it is important that we 
look at all of the laws and regulations, and make sure that 
they actually make sense, given the way that consumers today 
access communications services.
    Senator Thune. One last question, very quickly, and this 
would be to Chairman Leibowitz. In 2009, the FTC released a set 
of voluntary principles that were to be used by Web 
advertisers, when it comes to this whole issue of protecting 
consumers and aiding the industry in self-regulation. How has 
the industry reacted to those guidelines?
    Mr. Leibowitz. I think they've liked them. I mean, we had 
all the stakeholders together in drafting them. Those 
guidelines were things like, if you change your privacy policy 
materially, you have to give consumers a clear opt-in, because 
you already have their information under a different policy if 
you said, ``We're not selling the information.'' But, if you 
change your mind, as a company, and say, ``We will,'' you have 
to get a clear authorization from consumers.
    So, I think it's worked out pretty well. And then as 
Chairman Genachowski pointed out, and as you pointed out--it's 
a very dynamic industry here. And so, in our next series of 
workshops we've done about privacy, we've also brought together 
all stakeholders. I think--and we're an agency that doesn't 
have much rulemaking authority--if you want to move forward on 
protecting consumers' privacy, you need to bring all the 
stakeholders along with you, maybe prod them a little bit more 
than they might like to be, and push them a little bit. But, 
that's the best approach. And so, I'd like to think that when 
we release our next guidance in the fall--or, our report--that 
we'll continue to have buy-in from both consumer groups and the 
business community and everyone else, and this committee, too.
    Senator Thune. I've got one I'll submit for the record, Mr. 
Chairman, on----
    Senator Dorgan. All right.
    Senator Thune.--on peer-to-peer software exchanging 
programs, which I'd be interested in getting your----
    Senator Dorgan. Right.
    Senator Thune.--answer to.
    Senator Dorgan. Let me say to you that I think--you know, 
with respect to Senator Johanns' question, I think that what we 
have required with respect to ``unsubscribe'' is simple and 
pretty easy to understand. I mean, it--you go to these sites, 
and you buy something someplace, and they begin pushing these 
e-mails at you, or these advertisements, and you just go down 
to the end of it, and says, ``Unsubscribe.'' Generally, it's in 
color or something, and fairly large, and it's just one 
sentence, ``If you wish to unsubscribe, punch this.'' I think 
that has been really successful. I'm wondering whether there--
and part of it's because it is simple. Is there a companion 
approach that we could use to dramatically simplify the issue 
of how this particular Internet site is going to use your 
    Because, frankly, my guess is neither of you--maybe I 
shouldn't guess. I was going to say ``I'd bet,'' and I wouldn't 
want to bet, either.
    Senator Dorgan. But, I'll bet neither of you read the full 
privacy statement on a site.
    Senator Dorgan. I'm just guessing you don't do that, 
    Mr. Leibowitz. Chairman Genachowski's very substantive. 
    Senator Dorgan. Yes, but you got to be substantive for a 
long, long time to read through that. And, you know, in most 
cases, it's long statements. And so, it'd be nice if we could 
find a way to also improve in that area, and simplify it, so 
that if I'm going to a site, as a consumer, I know, pretty 
simply, what that site will or won't--or what it says it will 
or won't do with my information.
    I know the site--if I'm buying a pair of shoes at a 
department store online, I know that particular department 
store is going to have my information about--I buy shoes, I buy 
9D, I like Loafers. You know, they're going to have that, and I 
understand that, as a consumer. So will a brick-and-mortar 
retailer have that in their records. So, I understand that. The 
question--well, the more important question is, What will that 
retailer do with the aggregated information? And it doesn't--
it's not easy to discern that, always.
    Mr. Leibowitz. Let me just respond to that. And the 
``unsubscribe'' box is a great example of this committee and 
the Commission working together to create something that we 
would call ``privacy by design,'' that really works. It's 
clear. It's often purple--or at the bottom, in purple or red--
that you can go down, and you can unsubscribe. And it's pretty 
uniform where it is. I think that's a result of our 
rulemakings, pursuant to your direction to us to do a rule on 
this in CAN-SPAM. And that's the kind of thing we're looking 
at. It's just ways to bake in easy, clear privacy policies that 
consumers can understand. It's also the reason why we've been 
gravitating toward, if the technology is there, the notion of a 
clear way to opt-out of behavioral targeting through a single 
entity that might use the browsers, because it's easy to 
understand. Consumers don't read privacy policies, and they 
don't have a lot of time, so you want to give them some clear 
options, up front.
    Senator Dorgan. Yes.
    Mr. Genachowski. I agree with that completely. And the 
other--the only other point I'd add is that technology 
provides, every day, new ways to answer that challenge, to 
develop ways to put in front of consumers, at the right time, 
information that's actionable. And so, 2 years before you held 
those hearings and worked on the ``unsubscribe'' button, people 
probably wouldn't have been able to imagine that you could 
actually have an ``unsubscribe'' button, in the e-mail, that 
you could press and it would be very simple. When we were 
working on credit card information, 20 years ago, I remember, 
we spent a lot of time thinking about, ``Well, even if there is 
a box, how do we get it in front of consumers in a way that 
actually informs their decision?'' The same technology that 
creates these problems also provides new ways to solve it.
    I think that one of the things that this hearing does, that 
we have both tried to do, is spur industry to use their 
technology expertise to help develop answers that empower 
consumers in a meaningful way. So, it's an important challenge, 
and it's one we both take up.
    Senator Dorgan. All right.
    In order that I don't miss this vote, I'm going to--and I 
think the Chairman will be here momentarily. Let me ask that 
the Committee stand in recess for 5 minutes.
    The Chairman [presiding]. People are obviously on their way 
back. And I apologize for interrupting the sacred protocol of 
the Senate Commerce Committee, but I do so because there's a 
very interesting witness in front of us, and I didn't quite 
    This question of small print haunts us on this committee. 
We run into it on pop-ups. We run into it on health insurance. 
We run--you know, mortgage fraud, ``We can settle your debts, 
just send us $10.'' And people call up, and the company doesn't 
exist, but they go on paying. I mean, it's just everywhere. And 
it's always brought forward and allowed--given freedom by 
something called small print.
    I want to know, from your point of view, if you think it's 
a deceptive--small print is deceptive inherently or if it's 
deceptive in cases of specific uses. And how on earth can 
either you or the user tell the difference?
    Mr. Leibowitz. So, I would say this--and I believe the 
Commission has had small-print issues going back to even before 
the Internet. If, in small print, you have material terms, 
important terms to the consumers, and they're clicks away, 
where the consumers can't possibly find them, or a reasonable 
consumer couldn't find them, they're inherently deceptive or 
unfair. And we are going to go after people for doing that.
    And then, just thinking through, in terms of the 
architecture of where we would like to see companies go and 
what we're thinking about in our report, is to have a kind of a 
small box. We're not quite there yet, but the idea of a small 
box with the material terms in them that the consumers have to 
see, so that you can't get away with burying things in the fine 
print. And we had one case----
    The Chairman. It's not necessarily large, but it's 
surrounded by bright red?
    Mr. Leibowitz. In a way that a reasonable consumer--someone 
who's on the Internet all the time, someone who's a coal miner 
from West Virginia who goes on the Internet from time to time, 
will understand the meaning of, and they won't be selling their 
soul for all eternity----
    The Chairman. Yes.
    Mr. Leibowitz.--for failure to opt out.
    The Chairman. Yes. That's--well, that was dramatic.
    Do--isn't there a point at which people simply fail to be 
able to read, physically, small print?
    Mr. Leibowitz. Yes.
    The Chairman. At a certain age?
    Mr. Leibowitz. Well, I think that there's a reason why in 
contracts, some clauses are buried in the fine print. It's 
because people want them buried there. Now, this is not the 
practice of the best companies, but it is certainly the 
practice of the worst companies.
    We had one case involving a company that acknowledged, in 
its pleadings--in its court papers, that it was responsible for 
6 billion popup ads to consumers--6 billion popup ads. I don't 
think consumers understood--and there was some sort of warning, 
multiple clicks away, but I don't think a single consumer 
consented to downloading software that was going to serve them 
pop-up ads, you know, until we shut the company down.
    So, we want to work with you on this. You missed Senator 
Dorgan, because he was leaving as you were coming, but he made 
the same point about the ``unsubscribe'' notice at the bottom 
of a lot of e-mails. You know, one of the things we want to try 
to do is to have this stuff baked into the interactions that 
companies have with consumers in a way that consumers can 
clearly understand it. And we're hoping companies will do this 
themselves, but, if they don't do it themselves, we'll be 
working with you on the Committee to try to craft legislation 
that will move forward.
    The Chairman. When you ask large and successful companies, 
who are riding the waves of success and popular demand, to do 
something on a voluntary basis, which they really don't want to 
do, do they generally not do it?
    Mr. Leibowitz. I think it's different responses by 
different companies. I think a lot of companies recognize that 
their brand is enhanced if they're not doing things that are, 
if not deceptive, then in a gray area. For some companies, you 
have to push and prod to get them to do the right thing. A lot 
of them will do it--and then some companies just don't.
    We brought a major case against Sears for data mining 
without giving consumers notice and consent. And they weren't 
doing anything bad with the information, they just were taking 
it without the permission of consumers, and it included 
prescription drug information and other personal information.
    And so, it really depends, but I think having these 
hearings is enormously important in moving companies forward 
toward doing the right thing.
    The Chairman. When you were here, before we all left, you 
referred to the opt-in/opt-out question, and you seemed to come 
down on the side of opt-in.
    Mr. Leibowitz. I----
    The Chairman. Tell me what you--what--how you discern the 
one from the other.
    Mr. Leibowitz. So, the most important thing is----
    The Chairman. I mean----
    Mr. Leibowitz.--clear notice----
    The Chairman.--I know what it means.
    Mr. Leibowitz.--to consumers.
    The Chairman. But, I mean----
    Mr. Leibowitz. Right.
    The Chairman.--how do you----
    Mr. Leibowitz. The most important thing is clear notice to 
consumers. From my perspective--and not everyone on the 
Commission shares this view--I think it's probably a majority, 
but I'm not entirely certain--I think opt-in protects 
consumers' privacy better than opt-out under most 
circumstances. I don't think it undermines a company's ability 
to get information that it needs to advertise back to 
consumers. And so, that's my preference.
    And then, I think the entire Commission believes that, when 
you're dealing with sensitive information, or changing an 
existing privacy policy, that has to be opt-in. You have to 
give consumers clear notice that you're changing your privacy 
policy and that they're opting into it.
    The Chairman. And your argument there would be, because if 
you wait for the opt-out, that means they've already been had- 
and haven't had a chance to--they can't undo----
    Mr. Leibowitz. Well, I----
    The Chairman.--what they've done.
    Mr. Leibowitz. Right. I mean, speaking hypothetically, not 
with respect to a particular instance, the argument is this: If 
a company says, ``I am going to not share your information with 
any other companies or any of our affiliates,'' and then they 
decide to change their policy, most consumers won't read that 
policy, because why would they? And so, you have to give them a 
clear ability to opt in to your new policy.
    And, with respect to sensitive information, like medical 
information or bank records or personal medical information, 
the privacy level is so important, because this is the kind of 
information you don't want circulating around on the Internet, 
that you want an additional degree of privacy protection. And 
there, I think the whole Commission agrees that this should be 
an opt-in approach.
    The Chairman. One more question.
    Mr. Leibowitz. Yes, sir.
    The Chairman. And I apologize. What if the privacy policy 
discloses that it will sell a consumer data to a third party, 
or parties, who can use that information for increasing 
insurance rates or creating profiles for potential employers? 
Is that fair, if the consumer never reads the policy?
    Mr. Leibowitz. It would be something we would want to take 
a very close look at. And if your staff has any instances of 
policies like that, please send them our way.
    The Chairman. How do you describe, then, what the--and I'm 
not on the side of the question I'm asking. I want to make----
    Mr. Leibowitz. Right.
    The Chairman.--that clear. People often say, ``Well parents 
should do this. They should set the remote so kids can't watch 
such-and-such on TV when they're double working, stressed, and 
all kinds of things.'' But, second, the responsibility of the 
consumer, that's a little bit of the argument I heard last 
night at the dinner table. And I didn't like it.
    In other words, if people have a responsibility--they're 
entering into a situation--they know that, they know it's a 
complex world--and therefore they should take all of that very 
seriously. I think that's asking the impossible of the average, 
non-elite user.
    Mr. Leibowitz. Well, I agree with that. But, I will say 
this: We're not at the level yet where every company even gives 
consumers clear notice so that they can make clear choices. 
Most of the cases we've brought involve instances where, going 
back to your first point, the disclosures or the use of the 
information was in the fine print that was designed to ensure 
that consumers really wouldn't find it.
    And so, I think the best companies want to make these 
things clear. I think we need to ensure that other companies 
move to that level.
    The Chairman. Well, thank you, Chairman Leibowitz.
    Mr. Leibowitz. Thank you, Chairman Rockefeller.
    The Chairman. All right.
    Mr. Leibowitz. All right.
    The Chairman. Thank you, sir.
    Our second panel--maybe this is outrageous on my part, to 
call them, but I'm going to--is Dr. Guy Tribble, who's Vice 
President, Software Technology, Apple; Mr. Bret Taylor, Chief 
Technology Officer, Facebook; Dr. Alma Whitten, Privacy 
Engineering Lead, Google; Mr. Jim Harper, Director of 
Information Policy Studies at The Cato Institute; Ms. Dorothy 
Attwood, Senior Vice President of Public Policy, and Chief 
Privacy Officer, AT&T; and Professor Joseph Turow, Annenberg 
School of Communication, who has been before us many times. If 
you can possibly find seats----
    The Chairman. And make sure they have plenty of water. This 
is a hydration-type day--not ``hearing,'' day.
    Let me just go in the order of the way it appears before me 
here, Panel 2.
    Dr. Tribble, of Apple.

                     TECHNOLOGY, APPLE INC.

    Dr. Tribble. Good afternoon, Chairman Rockefeller, and 
members of the Committee.
    My name is Bud Tribble. I'm Vice President for Software 
Technology at Apple. Thank you for inviting me today to testify 
about Apple's approach to consumer privacy.
    Apple shares your concerns about privacy, and we remain 
deeply committed to protecting the privacy of our customers 
through a comprehensive approach implemented throughout the 
company. We're committed to providing our customers with clear 
notice, choice, and control over their information.
    For instance, as part of our location-based service, we 
provide our customers with easy-to-use tools that let them 
control the collection and use of location data on all our 
devices. I'd also like to point out, considering the opening 
remarks, that Apple does not share our customers' private data, 
or sell our customers' private data, to third parties for their 
marketing purposes.
    As we have provided the Committee an explanation of our 
privacy practices in our written testimony, I'd like to use my 
limited time this afternoon to emphasize a few points about our 
innovative and easy-to-use controls which let customers manage 
how applications use and collect their location data. We 
believe that, in addition to a published privacy policy, it's 
very helpful to have privacy features actually built and 
designed into the device's user interface, and would like to 
describe some of Apple's innovations and practices in this 
    First, Apple does not allow any application to receive 
device location information without the user's permission. 
Apple's rule with respect to the use of location data by an 
application is simple. If an app, whether a third-party app or 
an Apple app, wants to use the device's location it must get 
the consumer's explicit consent. This consent is obtained 
through a simple popup dialogue box. The dialogue box is 
mandatory. Neither the third-party app nor Apple apps are 
permitted to override this notification. Only after the user 
has authorized it will the app be allowed to use device 
location data.
    So, how does this work? Say you're in an unfamiliar 
neighborhood looking for a nearby restaurant. You launch a 
third-party app, that you've just installed, that can provide 
you with that information, but first it needs to know where you 
are in order to help. After it launches, before the app 
receives any device location information, the software prompts 
you that the app would like to use your current location. And 
it presents two options: ``Don't allow,'' or ``OK.'' With your 
OK, your device sends encrypted anonymous location data to 
Apple, which in turn provides the app with the coordinates it 
needs to determine which restaurants are nearby.
    In this example, information about the device's actual 
location is only transmitted to the third-party application 
after the customer expressly consents. Equally important, Apple 
has built a Master Location Services switch into our iOS mobile 
operating system, which makes it extremely easy to opt out, 
entirely, of location-based services. The user simply switches 
the location services to ``Off,'' in the settings screen. When 
this switch is turned off, all location-sharing is turned off.
    With our iOS4 released in June, the iPhone 4, iPhone 3GS, 
and iPhone 3G, as well as our more recent iPod touch devices, 
now display an arrow icon in the status bar at the top of the 
screen, near the battery indicator, as a reminder to the user 
that location data is being shared with apps. In addition, with 
iOS4, customers are able to view a list of every app that they 
have authorized to access their location information. And this 
innovation even uses that arrow icon to indicate which apps 
have used your location-based data within the past 24 hours, 
and allows customers to easily turn location-sharing off and on 
individually for each app, with a simple tap.
    I should point out, as well, that not using these location 
services does not impact the nonlocation-based functionality of 
the iPhone.
    With more than 100 million iOS devices sold to date, and 
more than 3 billion apps downloaded from our apps store, 
millions of people around the world have experienced this 
process. We believe it's a simple and direct way to keep 
customers informed and in control of their location-based data.
    In closing, let me state again that Apple is strongly 
committed to giving our customers clear notice, choice, and 
control over their information. And we believe that our 
products do this in a simple and elegant way. We share the 
Committee's concerns about the collection and misuse of all 
customer data, particularly location data, and appreciate this 
opportunity to explain our approach this afternoon. I'll be 
happy to answer any questions you may have.
    [The prepared statement of Dr. Tribble follows:]

    Prepared Statement of Dr. Guy ``Bud'' Tribble, Vice President, 
                    Software Technology, Apple Inc.

    Good afternoon Chairman Rockefeller, Ranking Member Hutchison, and 
members of the Committee. My name is Bud Tribble, and I am Vice 
President for Software Technology for Apple Inc. Thank you for inviting 
me today to testify about Apple's approach to consumer privacy.
Apple's Customer Privacy Commitment
    First, Apple shares your concerns about privacy, and we remain 
deeply committed to protecting the privacy of our customers through a 
comprehensive approach implemented throughout the company. At Apple, we 
are committed to providing our customers with clear notice, choice and 
control over their information. To accomplish this goal, we have 
innovated easy to use tools that allow our consumers to control the 
collection and use of location-based services data on all of our 
devices. Finally, we do not share personally identifiable information 
with third parties for their marketing purposes.
    In order to explain our comprehensive approach to privacy, I have 
divided my testimony in to three sections: (1) Apple's Privacy Policy; 
(2) Location-Based Services; and (3) Third-Party Applications.
1. Apple's Privacy Policy
    Apple has a single Customer Privacy Policy (the ``Policy'') that 
applies across all Apple businesses and products, including the iTunes 
Store and App Store.\1\ The Policy, written in easy-to-read language, 
details what information Apple collects and how Apple and its partners 
and licensees may use the information. The Policy is available from a 
link on every page of Apple's website.\2\
    \1\ As used in the policy and in this letter, ``Apple,'' refers to 
Apple Inc. and affiliated companies.
    \2\ The links take customers to http://www.apple.com/legal/privacy, 
which may also be accessed by customers directly.
    As you may be aware, Apple updated its Policy just this past month, 
to add, among other changes discussed below, the following provision 
regarding location-based information:

        To provide location-based services on Apple products, Apple and 
        our partners and licensees may collect, use, and share precise 
        location data, including the real-time geographic location of 
        your Apple computer or device. This location data is collected 
        anonymously in a form that does not personally identify you and 
        is used by Apple and our partners and licensees to provide and 
        improve location-based products and services. For example, we 
        may share geographic location with application providers when 
        you opt in to their location services.

        Some location-based services offered by Apple, such as the 
        MobileMe ``Find My iPhone'' feature, require your personal 
        information for the feature to work.

    This provision incorporated similar language regarding location-
based information that appears in Apple End User Software License 
Agreements (``SLAs'') for products that provide location-based 
services. For example, the current iPhone 3GS SLA, last updated in May 
2009, states:

        Apple and its partners and licensees may provide certain 
        services through your iPhone that rely upon location 
        information. To provide these services, where available, Apple 
        and its partners and licensees may transmit, collect, maintain, 
        process and use your location data, including the real-time 
        geographic location of your iPhone, and location search 
        queries. The location data collected by Apple is collected in a 
        form that does not personally identify you and may be used by 
        Apple and its partners and licensees to provide location-based 
        products and services. By using any location-based services on 
        your iPhone, you agree and consent to Apple's and its partners' 
        and licensees' transmission, collection, maintenance, 
        processing and use of your location data to provide such 
        products and services. You may withdraw this consent at any 
        time by not using the location-based features or by turning off 
        the Location Services setting on your iPhone. Not using these 
        location features will not impact the non location-based 
        functionality of your iPhone. When using third party 
        applications or services on the iPhone that use or provide 
        location data, you are subject to and should review such third 
        party's terms and privacy policy on use of location data by 
        such third party applications or services.

    Similar provisions regarding location-based information appear in 
the iPhone 4, iPad, iPod Touch, Mac OS X, and Safari 5 SLAs.
    The Policy identifies dedicated e-mail addresses for privacy-
related inquiries and comments. Apple monitors these e-mail addresses 
and responds to appropriate inquiries in a timely manner. Customers may 
also address privacy concerns to TRUSTe, Apple's third-party privacy 
monitor. A link to TRUSTe is displayed within the Policy.
June 2010 Policy Update
    In the past 3 years, Apple revised its Policy three times: June 29, 
2007, early February 2008, and June 21, 2010.
    The June 29, 2007 update advised customers about the necessary 
exchange of information between Apple and the relevant cellular carrier 
when an iPhone is activated. Apple also added a provision stating that 
it does ``not knowingly collect personal information from children.'' 
The provision explained that if such information was collected 
inadvertently, Apple would attempt to delete it ``as soon as 
    The February 2008 Policy update revised language regarding Apple's 
use of ``pixel tags.'' Pixel tags are tiny graphic images used to 
determine what parts of Apple's website customers visited or to measure 
the effectiveness of searches performed on Apple's website. The revised 
language stated that: ``[Apple] may use this information to reduce or 
eliminate messages sent to a customer.''
    On June 21, 2010, Apple updated the Policy to incorporate the 
language regarding location-based services from Apple SLAs, as 
discussed above. Apple also added provisions regarding new Apple 
services, such as Apple's MobileMe ``Find My iPhone'' feature and the 
iAd network. Apple made the following, additional material changes to 
the Policy:

   Revised provisions regarding: (i) what information Apple 
        collects from customers and how Apple and its partners and 
        licensees may use the information, (ii) the use of ``Cookies 
        and Other Technologies,'' (iii) the safeguards in place to 
        prevent the collection of personal information from children, 
        and (iv) the collection and use of information from 
        international customers; and

   Added provisions: (i) advising customers to review the 
        privacy practices of third-party application providers and (ii) 
        cautioning customers about posting personal information on an 
        Apple forum, chat room, or social networking service.

    As noted above, customers may access the updated Policy from every 
page on Apple's website. The updated Policy also was placed where Apple 
believed the largest number of customers would see it: the iTunes 
Store. Following the update, every customer logging onto the iTunes 
Store is prompted to review the iTunes Store Terms and Conditions. For 
customers with existing iTunes accounts, the webpage states:

        iTunes Store Terms and Conditions have changed. Apple's Privacy 

        The changes we have made to the terms and conditions include 
        the following:

        Apple's Privacy Policy has changed in material ways. Please 
        visit www.apple.com/legal/privacy or view below.

    Customers are asked to click an unchecked agreement box stating: 
``I have read and agree to the iTunes Terms and Conditions and Apple's 
Privacy Policy.'' Customers who do not agree to the Terms and 
Conditions and the Policy will not be able to use the iTunes Store 
(e.g., will not be able to make purchases on the iTunes Store or the 
App Store), but they may continue to use iTunes software.
    Customers attempting to open a new iTunes account are directed to a 
webpage titled: ``iTunes Store Terms & Conditions and Apple's Privacy 
Policy.'' They are asked to click the same unchecked agreement box 
stating: ``I have read and agree to the iTunes Terms and Conditions and 
Apple's Privacy Policy.'' Customers who do not accept the Terms and 
Conditions and the Policy will not be able to open an iTunes account 
but may still activate and use their devices.

2. Location-based Services
    In response to increasing customer demand, Apple began to provide 
location-based services in January 2008. These services enable 
applications that allow customers to perform a wide variety of useful 
tasks such as getting directions to a particular address from their 
current location, locating their friends or letting their friends know 
where they are, or identifying nearby restaurants or stores.
    Apple offers location-based services on the iPhone 3G, iPhone 3GS, 
iPhone 4, iPad Wi-Fi + 3G, and, to a more limited extent, older models 
of the iPhone, the iPad Wi-Fi, iPod touch, Mac computers running Snow 
Leopard,\3\ and Windows or Mac computers running Safari 5.\4\
    \3\ All of Apple's Mac computers, e.g., MacBook, MacBook Pro, 
MacBook Air, iMac, Mac mini, and Mac Pro, run on its proprietary Mac OS 
operating system. Apple released the current version, Mac OS X version 
10.6, known as ``Snow Leopard,'' on August 28, 2009.
    \4\ Safari is Apple's proprietary Internet browser. Apple released 
the current version of Safari version 5, on June 7, 2010.
    Although Apple's customers value these services and may use them on 
a daily basis, Apple recognizes that some customers may not be 
interested in such services at all times. As discussed below, Apple 
provides its customers with tools to control if and when location-based 
information is collected from them.

A. Privacy Features
    Apple has always provided its customers with the ability to control 
the location-based service capabilities of their devices. In fact, 
Apple now provides customers even greater control over such 
capabilities for devices running the current version of Apple's mobile 
operating system--iOS 4.\5\
    \5\ All of Apple's mobile devices run on its proprietary mobile 
operating system. Apple released the current version, iOS 4, on June 
21, 2010. Currently, iOS 4 may be run on the iPhone 3G, iPhone 3GS, 
iPhone 4, and iPod touch. The iPad Wi-Fi + 3G, iPad Wi-Fi, and older 
models of the iPhone run on prior versions of Apple's mobile operating 
system, referred to as iPhone OS. Apple has released iPhone OS versions 
1.0 through 3.2.
    First, customers have always had the ability to turn ``Off'' all 
location-based service capabilities with a single ``On/Off'' toggle 
switch. For mobile devices, the toggle switch is in the ``General'' 
menu under ``Settings.'' For Mac computers running Snow Leopard, the 
toggle switch is in the ``Security'' menu under ``System Preferences.'' 
And for Safari 5, the toggle switch is in the ``Security'' menu in 
Safari ``Preferences.'' If customers toggle the switch to ``Off,'' they 
may not use location-based services, and no location-based information 
will be collected.
    Second, Apple has always required express customer consent when any 
application or website requests location-based information for the 
first time. When an application or website requests the information, a 
dialogue box appears stating: ``[Application/Website] would like to use 
your current location.'' The customer is asked: ``Don't Allow'' or 
``OK.'' If the customer clicks on ``Don't Allow,'' no location-based 
information will be collected or transmitted. This dialogue box is 
mandatory--neither Apple nor third-parties are permitted to override 
the notification.
    Third, iOS 4 permits customers to identify individual applications 
that may not access location-based information, even though the global 
location-based service capabilities setting may be toggled to ``On.'' 
The ``General'' menu under ``Settings'' provides an ``On/Off'' toggle 
switch for each application. When the switch for a particular 
application is toggled to ``Off,'' no location-based information will 
be collected or transmitted for that application. And even if the 
switch for an application is toggled to ``On,'' the ``Don't Allow/OK'' 
dialogue box will request confirmation from the customer the first time 
that application requests location-based information. Customers can 
change their individual application settings at any time.
    Finally, an arrow icon (c) alerts iOS 4 users that an application 
is using or has recently used location-based information. This icon 
will appear real-time for currently running applications and next to 
the ``On/Off'' toggle switch for any application that has used 
location-based information in the past twenty-four hours.

B. Location-Based Information
    To provide the high quality products and services that its 
customers demand, Apple must have access to comprehensive location-
based information. For devices running the iPhone OS versions 1.1.3 to 
3.1, Apple relied on (and still relies on) databases maintained by 
Google and Skyhook Wireless (``Skyhook'') to provide location-based 
services. Beginning with the iPhone OS version 3.2 released in April 
2010, Apple relies on its own databases to provide location-based 
services and for diagnostic purposes. These databases must be updated 
continuously to account for, among other things, the ever-changing 
physical landscape, more innovative uses of mobile technology, and the 
increasing number of Apple's customers. Apple always has taken great 
care to protect the privacy of its customers.

1. Cell Tower and Wi-Fi Information
  a. Collections and Transmissions from Apple Mobile Devices
    To provide location-based services, Apple must be able to determine 
quickly and precisely where a device is located. To do this, Apple 
maintains a secure database containing information regarding known 
locations of cell towers and Wi-Fi access points. The information is 
stored in a database accessible only by Apple and does not reveal 
personal information about any customer.
    Information about nearby cell towers and Wi-Fi access points is 
collected and sent to Apple with the GPS coordinates of the device, if 
available: (1) when a customer requests current location information 
and (2) automatically, in some cases, to update and maintain databases 
with known location information. In both cases, the device collects the 
following anonymous information:

   Cell Tower Information: Apple collects information about 
        nearby cell towers, such as the location of the tower(s), Cell 
        IDs, and data about the strength of the signal transmitted from 
        the towers. A Cell ID refers to the unique number assigned by a 
        cellular provider to a cell, a defined geographic area covered 
        by a cell tower in a mobile network. Cell IDs do not provide 
        any personal information about mobile phone users located in 
        the cell. Location, Cell ID, and signal strength information is 
        available to anyone with certain commercially available 

   Wi-Fi Access Point Information: Apple collects information 
        about nearby Wi-Fi access points, such as the location of the 
        access point(s), Media Access Control (MAC) addresses, and data 
        about the strength and speed of the signal transmitted by the 
        access point(s). A MAC address (a term that does not refer to 
        Apple products) is a unique number assigned by a manufacturer 
        to a network adapter or network interface card (``NIC''). The 
        address provides the means by which a computer or mobile device 
        is able to connect to the Internet. MAC addresses do not 
        provide any personal information about the owner of the network 
        adapter or NIC. Anyone with a wireless network adapter or NIC 
        can identify the MAC address of a Wi-Fi access point. Apple 
        does not collect the user-assigned name of the Wi-Fi access 
        point (known as the ``SSID,'' or service set identifier) or 
        data being transmitted over the Wi-Fi network (known as 
        ``payload data'').

    First, when a customer requests current location information, the 
device encrypts and transmits Cell Tower and Wi-Fi Access Point 
Information and the device's GPS coordinates (if available) over a 
secure Wi-Fi Internet connection to Apple.\6\ For requests transmitted 
from devices running the iPhone OS version 3.2 or iOS 4, Apple will 
retrieve known locations for nearby cell towers and Wi-Fi access points 
from its proprietary database and transmit the information back to the 
device. For requests transmitted from devices running prior versions of 
the iPhone OS, Apple transmits--anonymously--the Cell Tower Information 
to Google \7\ and Wi-Fi Access Point Information to Skyhook. These 
providers return to Apple known locations of nearby cell towers and Wi-
Fi access points, which Apple transmits back to the device. The device 
uses the information, along with GPS coordinates (if available), to 
determine its actual location. Information about the device's actual 
location is not transmitted to Apple, Skyhook, or Google. Nor is it 
transmitted to any third-party application provider, unless the 
customer expressly consents.
    \6\ Requests sent from devices running older versions of the iPhone 
OS also include a random identification number that is generated by the 
device every ninety days. This number cannot be used to identify any 
particular user or device.
    \7\ For GPS-enabled devices running prior versions of the iPhone 
OS, Apple also sends the device's GPS coordinates, if available, 
anonymously to Google so that Google can update its database of known 
    Second, to help Apple update and maintain its database with known 
location information, Apple may also collect and transmit Cell Tower 
and Wi-Fi Access Point Information automatically. With one 
exception,\8\ Apple automatically collects this information only: (1) 
if the device's location-based service capabilities are toggled to 
``On'' and (2) the customer uses an application requiring location-
based information. If both conditions are met, the device 
intermittently and anonymously collects Cell Tower and Wi-Fi Access 
Point Information from the cell towers and Wi-Fi access points that it 
can ``see,'' along with the device's GPS coordinates, if available. 
This information is batched and then encrypted and transmitted to Apple 
over a Wi-Fi Internet connection every twelve hours (or later if the 
device does not have Wi-Fi Internet access at that time).
    \8\ For GPS-enabled devices with location-based service 
capabilities toggled to ``On,'' Apple automatically collects Wi-Fi 
Access Point Information and GPS coordinates when a device is searching 
for a cellular network, such as when the device is first turned on or 
trying to re-establish a dropped connection. The device searches for 
nearby Wi-Fi access points for approximately thirty seconds. The device 
collects anonymous Wi-Fi Access Point Information for those that it can 
``see.'' This information and the GPS coordinates are stored (or 
``batched'') on the device and added to the information sent to Apple. 
None of the information transmitted to Apple is associated with a 
particular user or device.
  b. Collections and Transmissions from Computers Running Snow Leopard 
        and/or Safari 5
    Apple collects Wi-Fi Access Point Information when a Mac computer 
running Snow Leopard makes a location-based request--for example, if a 
customer asks for the current time zone to be set automatically. The 
information is collected anonymously and is stored in a database 
accessible only by Apple. Snow Leopard users can prevent the collection 
of this information by toggling the ``Location Services'' setting to 
``Off'' in the ``Security'' menu under ``System Preferences.''
    Apple also provides location-based services in Safari 5. When a 
customer is using Safari 5 and runs an Internet application that 
requests location-based information (e.g., Google Maps), a dialog box 
will appears stating: ``[Website name] would like to use your computer 
location.'' If the customer selects ``Don't Allow,'' no location-based 
information is transmitted by the computer. If the customer selects 
``OK,'' Wi-Fi Access Point Information is transmitted to Apple with the 
request, so that Apple can return information about the computer's 
location. Apple does not store any Wi-Fi Access Point Information sent 
with requests from Safari 5.

2. Diagnostic Information
    To evaluate and improve the performance of its mobile hardware and 
operating system, Apple collects diagnostic information from randomly-
selected iPhones and analyzes the collected information. For example, 
when an iPhone customer makes a call, Apple may determine the device's 
approximate location at the beginning and end of the call to analyze 
whether a problem like dropped calls is occurring on the same device 
repeatedly or by multiple devices in the same area. Apple determines 
the approximate location by collecting information about nearby cell 
towers and Wi-Fi access points and comparing that with known cell tower 
and Wi-Fi access point locations in Apple's database. Apple may also 
collect signal strength information to identify locations with 
reception issues.
    Before any diagnostic information is collected, the customer must 
provide express consent to Apple. If the customer consents, the 
information is sent to Apple over a secure connection. The information 
is sent anonymously and cannot be associated with a particular user or 
device. The diagnostic information is stored in a database accessible 
only by Apple. If the customer does not consent, Apple will not collect 
any diagnostic information.

3. GPS Information
    The iPhone 3G, iPhone 3GS, iPhone 4, and iPad Wi-Fi + 3G are 
equipped with GPS chips. A GPS chip attempts to determine a device's 
location by analyzing how long it takes for satellite signals to reach 
the device. Through this analysis, the GPS chip can identify the 
device's latitude/longitude coordinates, altitude, speed and direction 
of travel, and the current date and time where the device is located 
(``GPS Information'').
    Apple collects GPS Information from mobile devices running the 
iPhone OS 3.2 or iOS 4. GPS Information may be used, for example, to 
analyze traffic patterns and density in various areas. With one 
exception,\9\ Apple collects GPS Information only if: (1) the location-
based service capabilities of the device are toggled to ``On'' and (2) 
the customer uses an application requiring GPS capabilities. The 
collected GPS Information is batched on the device, encrypted, and 
transmitted to Apple over a secure Wi-Fi Internet connection (if 
available) every twelve hours with a random identification number that 
is generated by the device every twenty-four hours. The GPS Information 
cannot be associated with a particular customer or device.
    \9\ GPS Information is also collected during the short period of 
time (approximately thirty seconds) when a GPS-enabled device with 
location-based service capabilities toggled to ``On'' is searching for 
a cellular network. This information is sent anonymously to Apple to 
assist the device with locating an available channel. Apple does not 
retain this GPS Information in its database.
    The collected GPS Information is stored in a database accessible 
only by Apple.

C. iAd Network
    On July 1, 2010, Apple launched the iAd mobile advertising network 
for iPhone and iPod touch devices running iOS 4. The iAd network offers 
a dynamic way to incorporate and access advertising within 
applications. Customers can receive advertising that relates to their 
interests (``interest-based advertising'') and/or their location 
(``location-based advertising''). For example, a customer who purchased 
an action movie on iTunes may receive advertising regarding a new 
action movie being released in the theaters or on DVD. A customer 
searching for nearby restaurants may receive advertising for stores in 
the area.
    As specified in the updated Policy and the iPhone 4 and iPod touch 
SLAs, customers may opt out of interest-based advertising by visiting 
the following site from their mobile device: https://oo.apple.com. 
Customers also may opt out of location-based advertising by toggling 
the device's location-based service capabilities to ``Off.'' \10\
    \10\ A customer who opts out of interest-based and location-based 
advertising may still receive ads. The ads, however, will likely be 
less relevant to the customer because they will not be based on either 
interests or location. The customer also may receive interest-based or 
location-based ads from networks other than the iAd network.
    For customers who do not toggle location-based service capabilities 
to ``Off,'' Apple collects information about the device's location 
(latitude/longitude coordinates) when an ad request is made. This 
information is transmitted securely to the Apple iAd server via a 
cellular network connection or Wi-Fi Internet connection. The latitude/
longitude coordinates are converted immediately by the server to a 
five-digit zip code. Apple does not record or store the latitude/
longitude coordinates--Apple stores only the zip code. Apple then uses 
the zip code to select a relevant ad for the customer.
    Apple does not share any interest-based or location-based 
information about individual customers, including the zip code 
calculated by the iAd server, with advertisers. Apple retains a record 
of each ad sent to a particular device in a separate iAd database, 
accessible only by Apple, to ensure that customers do not receive 
overly repetitive and/or duplicative ads and for administrative 
    In some cases, an advertiser may want to provide more specific 
information based on a device's actual location. For example, a 
retailer may want its ad to include the approximate distance to nearby 
stores. A dialogue box will appear stating: ``iAd would like to use 
your current location.'' The customer is presented with two options: 
``Don't Allow'' or ``OK.'' If a customer clicks ``Don't Allow,'' no 
additional location information is transmitted. If the customer clicks 
``OK,'' Apple uses the latitude/longitude coordinates to provide the ad 
application with more specific location information--the information is 
not provided to the advertiser.

3. Third-Party Applications
    In July 2008, Apple launched the App Store where customers may shop 
for and acquire applications offered by third-party developers for the 
iPhone, iPad, and iPod touch. Currently the App Store includes more 
than 200,000 third-party applications covering a wide variety of areas 
including news, games, music, travel, health, fitness, education, 
business, sports, navigation, and social networking. Each application 
includes a description prepared by the developer regarding, among other 
things, what the application does, when it was posted, and, if 
applicable, what information the application may collect from the 
    Any customer with an iTunes account may purchase and download 
applications from the App Store. Developers do not receive any personal 
information about customers from Apple when applications are purchased. 
Only Apple has access to that information.

A. Third-Party Developers
    Third-party application developers must register as an ``Apple 
Developer'' by paying a fee and signing the iPhone Developer Agreement 
(the ``IDA'') and the Program License Agreement (the ``PLA''). 
Registered Apple Developers gain access to the software development kit 
(``SDK'') and other technical resources necessary to develop 
applications for mobile devices.
    The current PLA contains several provisions governing the 
collection and use of location-based information, including the 

   Developers may collect, use, or disclose to a third party 
        location-based information only with the customer's prior 
        consent and to provide a service or function that is directly 
        relevant to the use of the application (PLA  3.3.9);

   Developers must provide information to their customers 
        regarding the use and disclosure of location-based information 
        (e.g., a description on the App Store or adding a link to the 
        applicable privacy policy) (PLA  3.3.10);

   Developers must take appropriate steps to protect customers' 
        location-based information from unauthorized use or access 

   Developers must comply with applicable privacy and data 
        collection laws and regulations regarding the use or 
        transmission of location-based information (PLA  3.3.11);

   Applications must notify and obtain consent from each 
        customer before location data is collected, transmitted, or 
        otherwise used by developers (PLA  3.3.12); and

   Applications must not disable, override, or otherwise 
        interfere with Apple-implemented alerts, including those 
        intended to notify the customer that location-based information 
        is being collected, transmitted, maintained, processed, or 
        used, or intended to obtain consent for such use (PLA  

    Developers that do not agree to these provisions may not offer 
applications on the App Store. Apple has the right to terminate the PLA 
if a developer fails to comply with any of these provisions. (PLA  
    Apple reviews all applications before adding them to the App Store 
to ensure, for example, that they run properly and do not contain 
malicious code. Apple, however, does not monitor applications after 
they are listed in the App Store, unless issues or problems arise.
    In closing, let me state again that Apple is strongly committed to 
giving our customers clear notice and control over their information, 
and we believe our products do this in a simple and elegant way. We 
share the Committee's concerns about the collection and misuse of all 
customer data, particularly privacy data, and appreciate this 
opportunity to explain our policies and procedures.
    I will be happy to answer any questions you may have.

    The Chairman. Can I just pop one right in? Excuse me, 
please, everybody else.
    When you say they go up to a certain place and click and 
they're out, where is that place on their computer? Is it at 
the top, at the side, bottom? Is it big? Is it little?
    Dr. Tribble. We have a settings menu or a settings page 
that--where you set everything about your phone, from how 
bright it is to--including the location settings. If you tap on 
``Location Settings'' on that page, it immediately takes you to 
a page with a switch that says, ``Location Services On/Off.'' 
It's a slide switch.
    The Chairman. And again, where do they have to go to tap so 
that they can get that choice? I'm just asking, is it----
    Dr. Tribble. Yes.
    The Chairman.--is it something that----
    Dr. Tribble. On your home screen, there's an app called 
``Settings.'' It has an icon that has some little gears in it. 
It's the settings for your phone.
    The Chairman. Then it's at the bottom-right?
    Dr. Tribble. As we ship the phone, it's on your home 
screen. On the home screen, there are various apps like mapping 
and compass and things like that, or mail. One of those apps is 
called ``Settings.'' Clicking on that app brings you to the 
place where the slide switch for ``Location Services'' can be 
turned on or off.
    The Chairman. I understand that, sir, and I appreciate it. 
And I'd appreciate it, actually, if it's possible, if you could 
send me a picture.
    Dr. Tribble. I'd be happy to show you, if you want.
    The Chairman. Just a simple picture.
    Dr. Tribble. Yes. Sure.
    The Chairman. You can send it and I'll pay the mail.
    Dr. Tribble. Happy to do that.
    The Chairman. OK. Thank you very, very much.
    On my list, Mr. Bret Taylor, Chief Technology Officer, 

                   STATEMENT OF BRET TAYLOR, 

    Mr. Taylor. Thank you very much.
    Good afternoon, Chairman Rockefeller and other members of 
the Committee.
    The Chairman. Well, they're all here to hear it.
    Mr. Taylor. I am Bret Taylor. I'm the Chief Technology 
Officer of Facebook. Thank you for the opportunity to testify 
today before the Committee.
    Facebook is a service that gives people the power to 
connect and share with one another, reestablishing and 
strengthening relationships that enrich our lives and our 
social discourse.
    Last week, we were proud to announce that more than 500 
million people around the world are now actively using 
Facebook. While marking this milestone, we also remind 
ourselves that the people who use Facebook, and their 
satisfaction, lie at the heart of what we do.
    My written testimony highlights three points: First, 
Facebook and other social technologies are making the Internet 
a forum for social interaction, sharing information, and 
building communities. In just a few years, the Internet has 
been transformed from a useful, but passive, repository of 
information into a uniquely powerful means of connecting with 
others and creating communities that better the lives of 
    Since its creation in a college dorm room in 2004, Facebook 
has contributed to this transformation, growing from a network 
of a handful of universities to a worldwide community spanning 
over 180 countries. Facebook has become an invaluable 
communication tool, enabling individuals to connect for myriad 
purpose: for connecting with friends and relatives, for 
charitable causes, in the political realm, for grassroots 
organization, and for local community-building.
    When we reached 500 million users, we asked people who use 
Facebook to share some of their experiences with the service. 
Some of these stories are intimate and personal.
    Holly Rose, for example, a mother in Phoenix, credits a 
friend's status message, asking women to check for breast 
cancer, with her being diagnosed in time to treat the disease. 
She used Facebook for support during the treatment, and became 
an online prevention advocate, herself.
    Other stories have broader significance. The 2008 
Presidential race has been called ``the Facebook election,'' as 
candidates relied on the service for developing grassroots 
support. It's estimated that over 300 Members over Congress use 
Facebook to communicate officially with constituents, and 22 
out of 24 major Federal agencies use Facebook.
    By providing tools and services that people can use to 
build their Internet experience around their personal 
interests, we're helping to make the Internet more personal and 
more relevant.
    My second point is that one of the primary reasons for 
Facebook's success is that Facebook provides uniquely powerful 
controls for sharing information. It is our belief that when 
people have control over what they share, when they share it, 
and with whom they share it, they will feel more comfortable 
sharing. That's why we're not only focused on creating new ways 
for people to share and connect, but also focused on building 
innovative new controls for sharing.
    The people who use Facebook continuously give us real-time 
feedback on these product decisions by the choices they make: 
to join the site, to use our tools, or even to engage less. In 
this way, it is the people who use Facebook that ultimately 
drive all of our product decisions.
    Recent changes we've made offer great examples of these 
innovative new controls. In my written testimony, I highlight 
four recent changes: the privacy transition tool, the 
contextual privacy control, the one-click-sharing control, and 
granular-data permissions. I'm happy to discuss any and all of 
these in response to your questions.
    And finally, I want to highlight the important economic 
growths created and supported by the people who use Facebook 
and those companies that innovate by building on Facebook's 
social platform. The growing economic vitality of the Internet 
makes Facebook--the Facebook experience possible and free of 
charge to our users without Facebook ever sharing personally 
identifiable information with advertisers.
    Facebook is a U.S.-based company. Even though 70 percent of 
Facebook users are outside the United States, more than 80 
percent of its employees are located here.
    But, this is only a fraction of Facebook's economic impact. 
In 2007, we launched the Facebook platform, which enables 
developers to deploy innovative and social applications to 
Facebook's large user base. The explosion of innovation and 
activity has created an entire economy around the platform. 
More than a million applications are now available on the 
platform. Some of these applications are built with businesses 
that employ hundreds of people and make hundreds of millions of 
dollars in revenue.
    As just one example, the New York Times ran an article this 
weekend about a leading Facebook games developer called Zynga. 
Zynga has nearly 1,000 employees, up from 375 a year ago, and 
now has 400 job openings. The company has been valued at over 
$4.5 billion.
    Another Facebook developer, Playfish, was acquired by 
Electronic Arts for an estimated $400 million in 2009.
    These are two of the largest success stories in Facebook's 
platform economy, but we see many others coming, as well.
    In conclusion, I want to emphasize that the real power of 
Facebook lies with the individuals who use the service to 
connect and share with their friends and engage with the world 
around them. We're proud of the service we provide them. And 
using innovative technologies, Facebook will continue to 
facilitate a more personalized, more engaging Internet 
    I am grateful for the opportunity to be here, and I look 
forward to your questions.
    [The prepared statement of Mr. Taylor follows:]

 Prepared Statement of Bret Taylor, Chief Technology Officer, Facebook

    Good afternoon, Chairman Rockefeller, Ranking Member Hutchison, and 
members of the Committee. I am Bret Taylor, Chief Technology Officer 
for Facebook. Thank you for the opportunity to be here today to testify 
before the Committee.
Executive Summary
    Facebook is a service that enables people to connect and share with 
one another, forming and deepening relationships and communities that 
enrich their lives and our social discourse as a whole. Last week we 
were proud to announce that more than 500 million people all over the 
world are now actively using Facebook. We take pride in this growth 
because we are empowering people to share and connect with the world 
around them. While marking this milestone, we also remind ourselves 
that the people who use Facebook and their satisfaction lie at the 
heart of what we do.
    In my testimony today I will address three topics. First, I will 
describe how Facebook and other social technologies are making the 
Internet a forum for social interaction, sharing information, and 
building communities. In just a few years the Internet has been 
transformed from an isolated, passive, and anonymous experience into a 
uniquely powerful means of connecting with other people, deepening 
personal relations, and creating communities that better the lives of 
    Second, I will discuss how user control and responsiveness are 
essential to sharing and connecting using Facebook. The people who use 
Facebook supply Facebook's content, and are the driving force behind 
the continued innovation and constant improvement of our service. Our 
goal is to make it simpler for people to connect and share, and to give 
them the tools to control their information.
    Third, I will describe the important economic growth created and 
supported by the people who use Facebook and by those companies that 
innovate based on Facebook's social technology. Facebook provides a 
platform for thousands of entrepreneurs to develop, offer, and market 
valued products and services to people across the globe. We connect 
advertisers with people in a way that is unobtrusive, and that enables 
the advertiser to direct information toward the people who are most 
likely to find it relevant and valuable. We do this without selling 
user information to advertisers or giving advertisers access to 
personal information.

1. The Transformative Effect of Social Technology
    The Internet now connects nearly 2 billion people around the 
world.\1\ Until recently, though, the Internet was an isolated, one-
way, one-dimensional experience. Users visited websites, read articles, 
and gathered information, but had little if any meaningful interaction 
with one another on the web. Internet communications that did occur 
often were anonymous, with users' identities obscured by pseudonyms or 
meaningless sequences of letters and numbers. The Internet was 
responsive to users' requests and instructions, but it was not truly 
    \1\ Internet Usage Statistics, The Internet Big Picture, World 
Internet Users and Population Stats, http://www.internetworldstats.com/
    In a few short years the Internet has evolved from an impersonal, 
anonymous medium to an interactive social experience defined by a 
person's connections, interests, and communities. That transformation 
has occurred in tandem with what has been called ``Web 2.0,'' an 
explosion in innovative functionalities that could not have been 
imagined during the Internet's infancy. These developments provide 
interactive experiences and allow users to generate and define relevant 
content. They enlist people as both the viewers and creators of online 
content, frequently in a framework that is social and involves open 
forums or communities defined by the users themselves.
    Since its creation in a Harvard dorm room by Mark Zuckerberg in 
2004, Facebook has been at the forefront of this change, growing from a 
network at a handful of universities to a worldwide community of users 
in over 180 countries. As Facebook has expanded, we have also 
continually innovated and implemented new tools for users, responding 
to the immense public demand for more and better ways to share and 
connect. These immensely popular innovations include a photo-sharing 
feature that, with some 50 billion pictures online, constitutes the 
largest photo archive in the world; a ``Wall'' feature through which 
users can post messages on their friends' individual pages; and the 
``News Feed,'' which provides users up-to-the-minute interactive 
content based on updates by the user's friends and his or her interests 
and communities. Each of the 500 million people that use Facebook 
experience their own personalized homepage and News Feed when they go 
to Facebook.com, connecting them to their own community of friends and 
    Facebook and other social technologies have the power to enrich 
users' lives--and society as a whole--in ways that were un-imagined 5 
years ago. Families and friends in locations across the globe are in 
closer contact than ever before and can more easily follow issues, 
people, and causes of interest to them; identify others who share their 
enthusiasms; and deepen their knowledge and understanding of their 
world. Facebook has become an invaluable communication tool, allowing 
individuals to connect for myriad purposes--for charitable causes, in 
the political realm, for grassroots organization, and for local 
community building.
    To celebrate the 500 million people that have been empowered and 
connected by Facebook, last week we launched a new application called 
Facebook Stories (stories.facebook.com), which allows individuals to 
share stories about how Facebook has enriched their lives. Among the 
thousands of examples we have received are the following:

   Ben Saylor, a 17-year-old high school student, turned to 
        Facebook to organize a community effort to rebuild the oldest 
        outdoor theater in Kentucky, which had been damaged by floods 
        in May.

   Holly Rose, a mother in Phoenix, credits a friend's status 
        message asking women to check for breast cancer with her being 
        diagnosed in time to treat the disease. She used Facebook for 
        support during the treatment and became an online prevention 
        advocate herself.

   Many have now even begun using Facebook to reach out to 
        their communities to find organ donors--Sarah Taylor of 
        Pennsylvania quickly found a kidney donor after spending 8 
        years in renal failure.

    As more and more people join and use Facebook, the possibilities 
for individual and collective action will multiply almost 
    Facebook and other social technologies have even played a key 
democratic function at home and abroad. Because these services allow 
users to quickly share information and build communities, democratic 
organizers have embraced Facebook as a key tool in places such as Iran 
and Colombia.\2\ Government leaders and policymakers are now using 
Facebook to communicate with citizens.
    \2\ Lev Grossman, Iran Protests: Twitter, the Medium of the 
Movement, Newsweek, June 17, 2009; Sibylla Brodzinsky, Facebook Used to 
Target Colombia's FARC with Global Rally, Christian Sci. Monitor, Feb. 
4, 2008.

   In the U.K., Prime Minister David Cameron launched a 
        ``crowdsourcing'' initiative to seek out citizen proposals on 
        cutting government spending. On a web conference with Mark 
        Zuckerberg, Prime Minister Cameron thanked Facebook for 
        providing the medium for such an initiative.\3\
    \3\ Gina Lovett, Government Drafts in Facebook for Second 
Crowdsourcing Initiative, New Media Age, July 9, 2010, http://

   Here at home, the 2008 Presidential race has been called the 
        ``Facebook Election,'' as President Obama and Senator McCain 
        relied on the service for developing grassroots support, and 
        Facebook cosponsored one of the Presidential debates (together 
        with a traditional media outlet, ABC News).\4\
    \4\ Brian Stelter, ABC News and Facebook in Joint Effort to Bring 
Viewers Closer to Political Coverage, N.Y. Times, Nov. 26, 2007; 
Virginia Heffernan, Clicking and Choosing: The Election According to 
YouTube, N.Y. Times, Nov. 14, 2008; Matthew Fraser & Soumitra Dutta, 
Barack Obama and the Facebook Election, U.S. News and World Rep., Nov. 
19, 2008.

   It is estimated that more than 300 Members of Congress use 
        Facebook in their official capacity.\5\
    \5\ Posting of Tony Romm to The Hill, ``Congress on Facebook' Goes 
Live, http://thehill.com/blogs/hillicon-valley/technology/97683-
congress-on-facebook-goes-live (May 13, 2010 7:58 EDT).

   Even Federal agencies have adopted Facebook as a powerful 
        communication tool--22 out of 24 major Federal agencies use 
    \6\ Information Management: Challenges in Federal Agencies' Use of 
Web 2.0 Technologies, Hearing Before the Subcomm. on Information 
Policy, Census, and National Archives of the H. Comm. on Oversight and 
Government Reform, 111th Cong. (July 21, 2010) (statement of Gregory C. 
Wilshusen, Director of Information Security Issues, Government 
Accountability Office).

    In these and other ways, Facebook has become an integral part of 
everyday communication and community-building across the globe. 
Continual innovation and new technologies have been essential to this. 
These innovations and new technologies are designed to improve not only 
how people interact with one another on the Internet, but also how they 
interact with the Internet itself. By providing tools and services that 
people can use to build their Internet experience around their personal 
interests, we help make the Internet more responsive and relevant to 
them even when they visit sites other than Facebook.
    To that end, in 2007 Facebook launched Facebook Platform, which 
allows developers to create innovative social applications and make 
them available to people who use Facebook. This innovation made 
Facebook an entry point to a new universe of tools, experiences--and of 
course, games--that deepen the connection among people on the Internet. 
The hundreds of thousands of applications made available through 
Facebook Platform include the following:

   The Causes application, which provides an online platform 
        for individuals and organizations to raise funds for charitable 

   The Circle of Moms application, a local support group for 
        mothers that draws on the collective knowledge of the community 
        for support.

   The Birthday Calendar application, which allows you to track 
        birthdays, anniversaries, and other important dates of friends.

    These developments on Facebook Platform go beyond mere socializing, 
and provide real, meaningful interactions for people who use Facebook.
    Earlier this year we extended Facebook Platform to offer this 
connectivity and customization to other sites on the Internet. In 
April, we introduced ``social plugins,'' easy-touse tools that allow 
previously generic websites to become customized to an individual's 
interests and network of friends and associations. For example, a 
Facebook user visiting a website can instantly share content of 
interest by clicking on the Facebook ``Like'' button, which can bring 
that content to the attention of the person's friends on their real-
time News Feed on their home page, and when they visit the same site. 
With social plugins, websites are instantly made more social, 
interactive, and relevant to the individual; as people move through the 
Internet, websites increasingly reflect their body of relationships and 
connections on the Internet.
    This customization can be seen on many of the Internet's most 
frequently visited websites. The popular movie database, IMDb, which 
previously served simply as a repository of movie information, now 
offers a way for friends to share information about their favorite 
movies and actors. Traditional news outlets, such as CNN and the 
Washington Post, have also adopted the power of the social network, 
offering the ability to access tailored and personalized news sources. 
Instead of wading through an entire newspaper, people who use Facebook 
now have the option to focus on the information that is relevant in the 
context of their interests and connections, in much the same way that 
Members of this Committee are greeted in the morning by news clips that 
have been selected according to issues of special importance to you and 
your constituents. Facebook's ``Like-button has become a ubiquitous 
feature of the web, allowing individuals to quickly and easily share 
their favorite parts of the Internet with their friends and broader 
    As Mark Zuckerberg put it at the conference where Facebook launched 
these social plugins, ``Our goal is [for] people [to] have instantly 
social experiences wherever they go.'' \7\ At the same time, social 
plugins do not require any personal information to pass from Facebook 
to an external website. Plugins promote a tailored Internet experience, 
while maintaining user control over personal information. Since the 
launch of social plugins in April of this year, they have been 
incorporated by more than 350,000 websites, bringing a more 
personalized Internet to millions.
    \7\ Mark Zuckerberg, CEO, Facebook, Inc., Remarks at f8 Developers' 
Conference, Apr. 21, 2010.
    Facebook is now offering a pilot program, Instant Personalization, 
which will allow individuals to have a more robust personalized 
experience with partner sites, initially Yelp, Pandora, and Microsoft 
Docs.com. These sites now provide a truly personal and tailored 
experience to visitors as soon as they arrive. These innovations 
address people's real frustration with the static, anonymous Internet 
of the past. Instead of visiting a generic website and wading through a 
lot of irrelevant content, Instant Personalization makes it possible 
for you to go to a site and immediately receive content that is 
relevant to you and your friends, the place you live, and the things 
you like to do. By offering personalized service, these partner sites 
experience greater engagement from people who use Facebook.
    For example, the website Yelp already offered a valuable service by 
compiling user reviews of restaurants, bars, clubs, and other services. 
These reviews could come from any reviewer, anywhere on the Internet. 
Through Facebook's Instant Personalization, Yelp became a tailored 
experience that is even more relevant and useful. While you can still 
read generic reviews on the site, you can also now choose to focus on 
reviews by your friends and acquaintances. By enabling you to learn the 
favorite restaurants of people you trust in a city you're visiting for 
the first time, Instant Personalization immeasurably increases the 
value of the site.
    Similarly, the music streaming service Pandora already offered a 
highly personalized service by using advanced algorithms to tailor 
music playlists to your tastes--based on the music you currently listen 
to, Pandora introduces you to new music that you're also likely to 
enjoy. By adopting Instant Personalization, Pandora can magnify the 
personalization of this experience by identifying music through the 
lens of your social networks. People have long relied on friends, 
coworkers, and relatives for music recommendations; now Pandora can 
enhance this experience online with the help of Facebook. Of course, 
Facebook has worked diligently to provide multiple and meaningful 
opportunities for users to learn about and choose to participate in 
Instant Personalization, and to ensure that our partners adopt and 
enforce adequate protections for personal information.

2. Facebook's Focus on User Control and Responsiveness
    People are at the heart of what we do at Facebook. On Facebook, 
individuals provide the content--they have the freedom to share what 
they want, when they want, and how they want. As a result, Facebook is 
personalized to each individual user. Unlike other web companies, 
Facebook does not offer a single homepage; each of the 500 million 
people that use Facebook has their own personalized News Feed, 
customized to their interests, friends, and communities. For these 
reasons, user control has always been integral to Facebook. People who 
use Facebook determine what content is shared and how it is shared. 
Facebook is built from the bottom up, taking what we call a hyper-
grassroots approach to sharing information.
    People who use Facebook are engaged in building a safe, secure 
experience for themselves and their friends. As a result, we have 
developed powerful mechanisms for self-regulation and user protection. 
Individuals use social technologies to connect and share information, 
but they also play an important role in policing the medium itself. In 
fact, users are actively involved in monitoring and controlling their 
online presences, and can often provide the best check on a company's 
information sharing policies. An important recent study by the Pew 
Research Center found that 57 percent of adult Internet users monitor 
their online presence.\8\ Among users age 18 to 29, 71 percent have 
adjusted their settings and controls to regulate how much they are 
sharing with others, and 65 percent of all social-networking site users 
have done so.\9\ If these users feel that a service is overstepping its 
bounds, they will actively take steps to control their own personal 
    \8\ Mary Madden & Aaron Smith, Pew Internet & American Life 
Project, Pew Research Center, Reputation Management and Social Media 8, 
21 (May 26, 2010).
    Facebook continually seeks to improve our user interface, our data-
sharing policies, and the overall experience of people who use our 
service. Recent changes to Facebook's controls and privacy policy 
provide a prime example of how social technologies have a dynamic 
ability to respond to users and self-correct. Over the last year, 
Facebook has continued to innovate new ways to offer simpler and better 

   Privacy Transition Tool. When Facebook introduced a new 
        privacy framework in December of last year, we took the 
        unprecedented step of requiring all users to navigate through a 
        privacy ``transition tool'' to confirm their settings for 
        sharing information and to change the settings if they chose. 
        Instantly, hundreds of millions of individuals took time to 
        meaningfully engage with the concept of privacy and consider 
        whether their settings accurately reflected their preferences, 
        in a manner that had never occurred before, on or off the 

   Contextual Privacy Control. Also last year, Facebook 
        deployed a contextual privacy control, which allows people to 
        control who will see their content when it is shared. Like the 
        transition tool, Facebook sought to maximize both simplicity 
        and control, a delicate balance, while assisting each user to 
        select the extent of sharing that makes them feel comfortable.

   One-Click Sharing Control. In April, Facebook offered a new 
        simplified control for sharing that lets people control over 
        twenty categories of information with just one click. Facebook 
        implemented these changes and additions to its controls working 
        quickly--in the face of enormous technical complexity--to 
        respond to views expressed in the user community. In addition, 
        Facebook offered an easy way for people to control the access 
        that Platform developers have to their information.

   Granular Data Permissions. In June, Facebook became the 
        first provider to require developers to obtain ``granular data 
        permissions.'' Developers using Platform must now specifically 
        request data directly from the individual--who retains the 
        ultimate simple choice of whether to share information with an 
        outside developer. This granular permissions model actually 
        gives people more control over their information than 
        comparable services, while allowing developers to continue the 
        vibrant innovation that has marked the Platform economy.

    To facilitate responsiveness to users, Facebook introduced a 
``notice and comment'' process for vetting some of its potential 
changes, modeled in part on the Federal Government's rulemaking 
procedures. This process also serves to educate and engage users about 
potential policy changes. At times we will even hold a user vote on 
proposed policy changes, as we did in April when we issued our 
Statement of Rights and Responsibilities and revised Privacy Policy. We 
are aware of no Internet-based company, large or small, that goes to 
such lengths to publicize and incorporate individuals' feedback into 
those key documents. It is a further reflection of our commitment to 
hearing peoples' voices in the governance of their community. This 
commitment translates into real practical tools that people can and do 
    As we move forward, the people who use Facebook will continue to 
shape our future by how they balance their demand for sharing and 
connection on the one hand, with their desire to control the content 
they share on the other hand. just as we innovate new ways for sharing 
and connection, we also innovate new ways to offer users control. And, 
of course, the people who use Facebook also retain control over the 
service and offer us real-time feedback by the choices they make--to 
join, to leave, to use our tools, or to engage less. In this way too, 
it is the people who use Facebook that ultimately drive our innovation.
    Such innovation is essential to the Internet, yet the best 
innovations can be unexpected--they can surprise. This was the case 
with Facebook's News Feed, which gives users a real-time and 
interactive ``ticker'' of the updates and content their friends are 
sharing on Facebook, along with customized content related to the 
interests the user has identified and the associations he or she has 
formed on the Internet. The News Feed is integral to the connectivity, 
personalization, and immediacy of the Facebook experience and today is 
among our most popular features, but when it was introduced in 2006 it 
initially drew strong opposition from a large number of Facebook users. 
Appropriately, some formed Facebook groups against the News Feed. We 
listened, made some modest changes, and now most Facebook users could 
not imagine our service without it.
    Facebook is thus an example of the tremendous self-corrective 
capacity of Internet-based services, particularly with respect to the 
balance between openness and privacy. Facebook's response to user 
feedback has helped it to become a better service while continuing to 
enhance the user experience and pioneer new ways to share information. 
And, Facebook's pioneering development of user controls for the 
information they share is an example for regulators in the U.S. and 
abroad of how approaches that vest decisionmaking in individual users, 
rather than in government regulators, are the most promising means of 
furthering user satisfaction and Internet innovation.
    Of course, the involvement of the Federal Government is also 
needed, for example, to guard against criminals and miscreants who 
would leverage the Internet's openness to engage in scams, identity 
theft, and other activities that cause financial or even physical harm. 
That is why we applaud Congress for enacting targeted statutes that 
address those problems without cabining the creative freedom that is 
the life force of the Internet. The Computer Fraud and Abuse Act,\10\ 
the Child Online Privacy Protection Act,\11\ and the Controlling the 
Assault of Non-Solicited Pornography and Marketing Act (the ``CAN-
SPAM'' Act) \12\ all have served to protect the public from some of the 
Internet's dangers and annoyances.
    \10\ Pub. L. No. 99-474, 100 Stat. 1213 (Oct. 16, 1986).
    \11\ Pub. L. No. 105-277, 112 Stat. 2581 (Oct. 21, 1998).
    \12\ Pub. L. No. 108-187, 117 Stat. 2699 (Dec. 16, 2003).
    Facebook often works arm-in-arm with the government in these areas. 
For example, it has invoked the CAN-SPAM Act vigorously to defend its 
users against malicious online attacks and to help make the Internet 
safer for all by taking spammers out of commission: we have obtained 
the two largest-ever civil judgments under the Act.\13\ We are also 
proud that last year TRUSTe, a nonprofit privacy standard-setting 
organization, rated Facebook one of its ten most trusted companies 
based on a public survey and an expert review.\14\
    \13\ A 2008 judgment against Adam Guerbez and Atlantis Blue Capital 
($873 million) and a 2009 judgment against the ``Spam King'' Sanford 
Wallace ($740 million).
    \14\ TRUSTe, Press Release: 2009 Most Trusted Companies in Privacy, 
Sept. 16, 2009.
    Facebook and other social technologies are increasingly important 
forums for public communication, speech, and debate on a broad range of 
social and even political matters. Our country's traditions 
appropriately include a great hesitancy to regulate communication and 
the sharing of information in such areas. We believe that Congress's 
approach toward the Internet to date, which has avoided open-ended 
grants of regulatory authority or over-inclusive prohibitions, should 
serve as a model for any future legislative initiatives. As always is 
the case, it will be valuable for Congress to build an evidentiary 
record establishing the need for intervention before it acts. Overbroad 
or burdensome regulation carries the risk of stifling the innovation 
that is the lifeblood of the Internet and has served as a major source 
of jobs and economic growth.
    To conclude on this topic, user control is central to how Facebook 
operates, and will remain so. We share the commitment of Congress to 
ensure a safe, secure Internet experience, while facilitating the 
innovation and sharing of information that people expect. We value our 
relationships with the Federal Government, with states, and with 
enforcement agencies throughout the world, and will continue to work 
with Congress and others to ensure that our users, especially young 
people, have a safe and productive Internet experience.\15\
    \15\ Facebook offers its service to people age 13 and over. We 
clearly describe this age limit in our Privacy Policy, and if we learn 
that a child under 13 has shared information on our service, we will 
delete that information as quickly as possible. See also The Role of 
Innovation in Creating a Safer Online Environment--The Facebook 
Experience, Before the Subcomm. on Consumer Protection, Product Safety, 
and Insurance of the S. Comm. on Commerce, Science, and Transportation, 
111th Cong. (2010) (Testimony of Timothy Sparapani, Director, Public 
Policy, Facebook), available at http://commerce.senate.gov/public/
3. Facebook's Economic Role for Users and American Business and Workers
    Facebook and its leadership are driven by a vision of the 
Internet's capacity to make the world more connected, enriching our 
personal lives, our society, even our democracy. But of course the 
Internet is also an important economic presence, particularly in these 
challenging economic times. It is this economic vitality that makes the 
Facebook experience possible and free of charge to our users, without 
Facebook ever sharing personally identifiable information with 
    In 2009, online retail spending in the United States was nearly 
$130 billion, only slightly lower than in 2008 despite the enormous 
impact of the recession on the U.S. economy.\16\ One estimate suggests 
that the commercial Internet adds $1.5 trillion in value to businesses 
and consumers worldwide.\17\ And in a time of economic hardship, Web 
2.0--and social networking services in particular--are providing a much 
needed source of jobs, growth, investment, and innovation. Facebook is 
a U.S.-based company--even though 70 percent of Facebook users are 
outside of the United States, 80 percent of its employees are located 
here. The Chairman of the Federal Communications Commission recently 
recognized how the entrepreneurial power of services like Facebook can 
drive economic growth and create jobs here at home.\18\
    \16\ Jeff Clabaugh, Online Spending in 2009 Falls, Milwaukee Bus. 
J., Feb. 9, 2010.
    \17\ Robert D. Atkinson et al., The Info. Tech. & Innovation 
Found., The Internet Economy 25 Years after .Com 1, 4 (2010).
    \18\ Referring to Facebook, FCC Chairman Julius Genachowski noted 
the power of the Internet's ``distributed innovation and ubiquitous 
entrepreneurship,'' which creates ``jobs and opportunity everywhere 
there is broadband.'' Julius Genachowski, Chairman, Fed. Comms. Comm'n, 
Prepared Remarks at the Brookings Institute (Sept. 21, 2009), available 
at http://www.openInternet.gov/readspeech.html (emphasis added).
    Facebook Platform, which helps create innovative and more 
personalized experiences for users, also serves American businesses and 
workers by fostering what is in a sense an entire Platform economy. It 
is a marketplace to which hundreds of thousands of third-party 
developers may bring their ideas and inventions and offer them to 
Facebook users. More than half a million applications are now available 
on Platform. Some of these applications are associated with businesses 
that employ hundreds of people and have hundreds of millions, even 
billions of dollars in value:

   Leading games developer Zynga, creator of the popular 
        Farmville game that was developed on Facebook Platform, has 
        nearly 1,000 employees, up from 375 employees a year ago, and 
        now has some 400 job openings. Its games have 211 million 
        players every month (according to AppData.com's count), and the 
        company has been valued at more than $4.5 billion.\19\
    \19\ Miguel Helft, Will Zynga Become the Google of Games?, N.Y. 
Times, July 24, 2010.

   In 2009, games developer Playfish was acquired by Electronic 
        Arts for an amount reported to be as much as $400 million. 
        Although based in the U.K., Playfish has developed a 
        substantial presence in the United States, which includes at 
        least four development studios.\20\
    \20\ Erick Schonfeld, Not Playing Around. EA Buys Playfish for $300 
Million, Plus a $100 Million Earnout, Techcrunch, Nov. 9, 2009.

    This vibrant economy of features and applications has shattered the 
barriers that may have previously limited what one company could offer 
to users. Facebook for its part helps protect users' Platform 
experience by arming users with control over the information 
applications receive, through rigorous policies and technical controls 
that apply to our Platform, and in reviews and investigations conducted 
by our Platform Operations Team.
    Online advertising is of course a critical component of the 
economic growth that the Internet has spurred. As mentioned, it also 
enables Facebook to offer its service for free, without ever sharing 
personally identifiable information with advertisers. Facebook believes 
that social advertisements complement the way people already use 
Facebook to discover, share, and connect with people and the world 
around them. Whether it's a new car, clothes, or music, many of the 
things people discover on the Internet come from their friends--through 
Facebook, advertisers can complement what people learn from their 
friends in an unobtrusive way.
    We achieve this by only providing advertisers with anonymous, 
aggregated data. We ask advertisers to identify characteristics of 
users they wish to advertise to, such as age, gender, or location. 
Facebook then itself distributes those advertisements to the 
appropriate audience on its site, without ever disclosing personally 
identifiable information to its advertisers. After the advertisements 
run, Facebook will provide a report to the advertiser so they can 
measure the success of their ads--these reports, too, contain no 
personally identifiable information.
    This model allows consumers and businesses alike to enjoy the 
efficiencies of personalized advertising, while protecting personal 
information. The advertisements that result--which are a far cry from 
the annoying pop-ups and flashing banner ads of days past--provide 
people with relevant and targeted commercial messages that further 
growth and innovation on the Internet.

    The 500 million people across the globe that actively use Facebook 
have made the world a more open and connected place. They have driven 
innovation in ways that few would have predicted a decade ago; the 
promise of this thriving community is limitless. But the real power of 
Facebook lies with the individuals who use the service to connect and 
share on a daily basis. Facebook seeks to remake the Internet for them 
and for those who have yet to join. We will continue to show leadership 
in giving people greater control over personal information. And using 
innovative technologies like social plugins and the economic catalyst 
of social advertising, Facebook will continue to facilitate a more 
personalized, more responsive Internet experience.

    The Chairman. Thank you very much, Mr. Taylor.
    And next on my list here is Dr. Whitten, Privacy 
Engineering Lead, Google.


    Dr. Whitten. Thank you, Chairman Rockefeller, Senator 
    I've devoted my career, both as an academic and now as 
Google's lead privacy engineer, to one primary goal: making it 
intuitive, simple, and useful for Internet users to take 
control of their privacy and security. This is the central 
challenge of privacy engineering.
    Products and services, particularly on the Internet, 
constantly evolve. Valuable new services, from social 
networking to online video to mobile computing, change the way 
that we interact with each other and use information. These 
services, built in part from the information that providers 
learn from their users, offer tremendous value. Many are 
offered for free.
    They certainly have been good for our economy. In 2009 
alone, Google's search and online advertising generated a total 
of $54 billion of economic activity for American businesses, 
Website publishers, and nonprofits, including over $5 billion 
of revenue that we paid to publishers last year. And that's not 
to mention the positive economic impact of our free products, 
like Gmail and YouTube.
    Google's greatest asset is our users' trust. The 
information that our users entrust to us enables us to better 
match searchers to the information that they seek; to fight off 
those who would scam our users or undermine the usefulness of 
our search results, and to create new services, like 
translation, speech to text, and many others. We focus on 
building transparency, user control, and security into our 
products. And we constantly renew, innovate, and iterate to 
make sure that we are honoring our users' privacy expectations 
and security needs. And, because our users' trust is so 
critical to us, it's important for us to note that we do not 
sell our users' personal information.
    The Google Dashboard is a cornerstone of our efforts. If 
you haven't seen this tool, I urge you to take a look at 
google.com/dashboard. We developed the Dashboard to provide 
users with a one-stop, easy-to-use control panel for the 
personal information associated with their Google accounts, 
from Gmail to Picasa to Search to more than 20 other Google 
products. With the Dashboard, a user can see, edit, and delete 
the data stored with her individual Google account. She can 
change her privacy settings, see what she is sharing and 
keeping private, and click into the settings for any individual 
    I was adamant, when we created the Dashboard, that we not 
make it seem strictly a privacy tool. I wanted it to be, above 
all, a useful tool that our users would come back to and 
interact with, even if they were not consciously thinking about 
    We took a similar approach with our advertising network. 
Our Ads Preferences Manager, which is linked from every ad in 
our advertising network, allows users to opt out of ad 
targeting and to learn about our privacy practices. But, 
equally important, it allows users to look at the categories of 
ads that they will see, select new interest categories, and 
remove ones that don't match their interests. By offering this 
useful service, we hope to get more people to understand and 
confirm their privacy settings. Interestingly, for every one 
user who opts out, we see four edit their preferences, and ten 
view the page and do nothing.
    These are great examples of transparency and control 
designed into products in a way that is prompting individual 
users to learn more about how to control their information. And 
we're proud of this track record. However, despite our best 
efforts, on occasion we have made mistakes.
    In May, Google disclosed that we had mistakenly included 
code in the software on our Street View cars that collected 
samples of Wi-Fi payload data, information sent over a network 
from open unencrypted Wi-Fi networks. To be clear, Google never 
used the mistakenly collected data in any product or service, 
and there was no breach or disclosure of any personal 
information to any third party. And as soon as we learned about 
this incident, we disclosed what had happened and acknowledged 
our mistake.
    Google is working hard to fully and completely address this 
incident. We need to do better. We are taking the review of 
this matter very seriously, and we will announce the changes 
that we will make to prevent such a thing from happening in the 
    At the same time, we continue to develop industry-leading 
privacy and security tools. For instance, we recently launched 
encrypted search, allowing users worldwide to protect their 
search queries from snooping or interception. We are also the 
only major Webmail provider to encrypt all e-mail traffic, by 
default. This is the proactive approach that my team brings to 
our jobs, and the goal of all of us at Google.
    I look forward to answering your questions. Thank you.
    [The prepared statement of Dr. Whitten follows:]

   Prepared Statement of Dr. Alma Whitten, Privacy Engineering Lead, 
                              Google Inc.

    Chairman Rockefeller, Ranking Member Hutchison, and members of the 

    I am pleased to appear before you this afternoon to discuss online 
privacy and the ways that Google protects our users' personal 
information. My name is Dr. Alma Whitten, and I am Google's Privacy 
Engineering Lead. I am responsible for a team of dedicated privacy and 
security engineers who develop and improve Google's privacy tools, like 
our Dashboard, and work with our other engineers and product teams to 
build transparency, user control, and security into Google's products.
    Google is most well known for our search engine, which is available 
to Internet users throughout the world. We also offer dozens of other 
popular services, from YouTube to Gmail to Google Earth. Our products 
are free to individuals for personal use, supported by revenue from 
online advertising.
    While our users benefit from our free services, Google's innovative 
advertising system is also helping businesses grow in a challenging 
economic time. In 2009 alone, our advertising products generated a 
total of $54 billion of economic activity for American businesses, 
website publishers, and non-profits. This number only covers economic 
activity generated by Google's search and advertising tools, including 
the over $5 billion of revenue we generate for online publishers in 
2009. It does not include the positive economic impact of products like 
Gmail and others that allow consumers, entrepreneurs, and businesses of 
all sizes to communicate and collaborate for free--or, in the case of 
enterprise customers, at a lower cost than alternative platforms.
    Our recent economic impact report (google.com/economicimpact) 
explains Google's contribution to the American economy, and features 
small businesses that rely on Google's advertising products to reach 
customers and generate revenue.
    One example is OVIS, a 20 year-old cabinet hardware and woodworking 
supplier based in Millwood, West Virginia (www.ovisonline.com). OVIS's 
owner Chip Wimbauer told us that Google's advertising system is ``the 
best way for a small business to compete and look like a big company,'' 
and that with online advertising OVIS has gone from a regional company 
to one that does as much business in Hawaii as it does within West 
Virginia. In Texas last year we created over $3 billion in economic 
value for over 100,000 advertisers and online publishers. And we 
donated almost $3 million in advertising to non-profit groups like the 
American Heart Association and the Susan G. Komen Breast Cancer 
Foundation through our Google Grants program (information about which 
is available at www.google.com/grants). These types of success stories 
happen in every state in partnership with hundreds of thousands of 
businesses and numerous not-for-profit organizations.
    In a time of tight budgets, we're glad to help so many small 
businesses and entrepreneurs find customers more efficiently and 
increase revenue through relevant advertising. We also take pride in 
building trust with users, and privacy is a core part of that effort.
    At Google, privacy is something we think about every day across 
every level of our company. We make this effort because privacy is both 
good for our users and critical for our business. If we fail to offer 
clear, usable privacy controls and strong security, our users will 
simply leave. This is the basic truth that guides me in my job as 
Google's lead privacy engineer.
    In my testimony today, I'm going to talk about three topics:

        First, I'd like to discuss how Google's approach to privacy 
        manifests itself in our products. In other words, how do we put 
        our privacy principles into executable code? I'll provide 
        several examples to give the Committee a tangible sense of the 
        considerations that go into designing privacy as part of our 
        products and the transparency, control, and security that are 
        built into Google's products.

        Second, I will discuss the challenges companies like Google 
        face when designing for privacy and security. How do we harness 
        the power and value of data for our users while protecting 
        against privacy harms? How can we communicate about evolving 
        data practices and controls to users in a meaningful way?

        Third, while I'm far from a legal expert, I'll offer a bit of 
        thought as to how Congress can help protect consumers and 
        improve user trust in data-intensive services--including 
        through the development of comprehensive, baseline privacy 
How We Approach Privacy at Google
    When I think about privacy at Google, I start with our five privacy 
principles. In brief, these are:

   Use information to provide our users with valuable products 
        and services.

   Develop products that reflect strong privacy standards and 

   Make the collection and use of personal information 

   Give users meaningful choices to protect their privacy.

   Be a responsible steward of the information we hold.

    The principles are located at www.google.com/corporate/
    Let's break these down a bit. As with every aspect of our product, 
we follow the motto of ``Focus on the user and all else will follow.'' 
We are committing ourselves to use information only where we can 
provide value to our users. That's what we mean by our first principle.
    For instance, we do not sell our users' personal information.
    To further guide us, under the second principle, we aim to build 
privacy and security into our products and practices from the ground 
up. From the design phase through launch we are considering a product's 
impact on privacy. And we don't stop at launch--we continue to innovate 
and iterate as we learn more from users.
    Our last three principles give substance to what we mean by 
privacy: We commit to transparency, user control, and security.
    We work hard to embed privacy considerations into our culture 
through our principles and in the way we're organized. As Google's 
Privacy Engineering Lead, I'm only one of many individuals at the 
company who work on privacy from every angle--including technology, 
products, policy, and compliance initiatives. This cross-functional 
team, all focused on our users' privacy interests, ensures that privacy 
doesn't exist as a silo within Google. For example, our Privacy 
Council, a cross-functional group of Google employees, helps us 
identify and address potential privacy issues across all our products.
    In just the last 18 months, we have been tackling four broad 
privacy issues that face our industry in a way that is consistent with 
our principles:

   Transparency and control in the online advertising 

   Easy data portability for information that is processed and 
        stored by Google.

   A comprehensive and useful dashboard of privacy and account 
        controls for a suite of web services.

   Strong security for users of Google's services, like Gmail 
        and Google Search.

    In the next section of my testimony I'll discuss these privacy 
issues and illustrate how Google works to bring transparency, user 
control, and security to its users.
Transparency and Control for Interest-based Advertising
    The availability of Google Search and our other products--and the 
improvements that we make to our products on a daily basis--is funded 
by online advertising: by far our primary source of revenue. As we work 
to bring more relevant ads to our users, we continually seek to 
preserve transparency and user control over the information used in our 
ad system.
    Google was not the first to offer interest-based advertising (known 
as IBA) online, but it was important to us that we offer clear and 
strong privacy controls before introducing this product. When we 
launched IBA, in March 2009, we included a number of groundbreaking 
privacy features. As Google tells its users:

        Many websites, such as news sites and blogs, use Google's 
        AdSense program to show ads on their sites. It's our goal to 
        make these ads as relevant as possible for you. While we often 
        show you ads based on the content of the page you are viewing, 
        we also developed new technology that shows some ads based on 
        interest categories that you might find useful.

    Google's interest-based ads contain notice in the actual 
advertisement indicating that it is a Google ad. The in-ad notice is 
linked to information about IBA, including our Ads Preferences Manager, 
which allows users to change the interest categories used to target ads 
or to opt-out of interest-based advertising altogether. Note that we 
use only non-personally-identifiable data for IBA targeting.

    Fig. 1: Sample advertisement with in-ad privacy notice

    With the launch of our Ads Preferences Manager (www.google.com/ads/
preferences), Google became the first major industry player to empower 
users to review and edit the interest categories we use to target ads. 
The Ads Preferences Manager enables a user to see the interest 
categories Google associates with the cookie stored on her browser, to 
add interest categories that are relevant to her, and to delete any 
interest categories that do not apply or that she does not wish to be 
associated with.
    I should also clarify that Google does not serve interest-based ads 
based on sensitive interest categories such as health status or 
categories relating to children under 13.
    The Ads Preferences Manager also permits users to opt out of 
interest-based ads altogether. Google implements this opt-out 
preference by setting an opt-out cookie that has the text ``OPTOUT'' 
where a unique cookie ID would otherwise be set. We have also developed 
tools to make our opt-out cookie permanent, even when users clear other 
cookies from their browser (see www.google.com/ads/preferences/plugin). 
We are encouraged that others are using the open-source code for this 
plugin, released by Google, to create their own persistent opt-out 

    Fig. 2: Ads Preferences Manager

    As an engineer, I like to evaluate things by looking at the data. 
In this case, we have begun to receive information about how users are 
interacting with the Ads Preferences Manager. While our data are 
preliminary, we have discovered that, for every user that has opted 
out, about four change their interest categories and remain opted in 
and about ten view their settings but do nothing. We take from this 
that online users appreciate transparency and control, and become more 
comfortable with data collection and use when we offer it on their 
terms and in full view.

Control Through Data Portability
    Providing our users with control over their personal information 
must also mean giving them the ability to easily take their data with 
them if they decide to leave. Starting with our Gmail service and now 
covering more than 25 Google products where users create and store 
personal information, a cadre of Google engineers--self-named the 
``Data Liberation Front''--has built tools to allow our users to 
``liberate'' their data if they choose to switch providers or to stop 
using one of our services. The critical insight of these engineers was 
to recognize that users should never feel stuck using a service because 
they are unable to easily retrieve the content they created and 
transfer it to another service or provider at no additional cost.
    Every user of Gmail, Picasa, Reader, YouTube, Calendar, Apps for 
Business, Docs, iGoogle, Maps, and many other products already have 
access to data portability tools, and the team continues to work on 
additional products. Detailed information for users is available at 

    Fig. 3: Data Liberation Front

    Data portability has benefits for our users and for Google. First, 
it keeps our product teams on their toes--they know just how easy it is 
for their users to move to a competitor's product, and understand that 
their success depends upon continuing to be responsive to privacy and 
product concerns and acting quickly to address them. Second, allowing 
our users the freedom to leave honors our commitment to put users in 
    In considering the testimony today and as the Committee develops 
its approach to consumer privacy, I urge you to consider the role that 
data portability can play in ensuring that consumer-facing businesses 
remain accountable for their privacy choices. Regulators should 
encourage this kind of ``user empowerment by design'' as an effective 
means of ensuring respect for user privacy without chilling innovation.

One-stop Shop for Transparency and Control: the Google Dashboard
    Google developed the Google Dashboard (www.google.com/dashboard) to 
provide users with a one-stop, easy-to-use control panel to manage the 
use and storage of personal information associated with their Google 
accounts and products--from Gmail to Picasa to Search.
    With the Dashboard, a user can see and edit the personally 
identifiable data stored with her individual Google account. A user 
also can change her password or password recovery options using 
Dashboard, and click to manage various products' settings, contacts 
stored with the account, or documents created or stored through Google 
Docs. Dashboard also lets a user manage chat data, by choosing whether 
or not to save it in her Google account.

    Fig. 4: Google Dashboard

Industry-leading Security: Encrypted Search and Gmail
    Along with transparency and user control, good security is vital in 
maintaining user trust. Google faces complex security challenges while 
providing services to millions of people every day, and we have world-
class engineers working at Google to help secure information. In fact, 
my own research background is in security. In a 1999 paper, ``Why 
Johnny Can't Encrypt,'' I argued that security tools must be simple and 
usable to be effective. Unfortunately, it is sometimes the case that 
security technology is so complicated that it isn't usable, and thus 
ineffective. I have continued that theme at Google, working to build 
user-friendly, simple security features into our products.
    For example, Google recently became the first (and still only) 
major webmail provider to offer session-wide secure socket layer (SSL) 
encryption by default. Usually recognized by a web address starting 
with ``https'' or by a ``lock'' icon, SSL encryption is regularly used 
for online banking or transactions. As our Gmail lead engineer wrote:

        In 2008, we rolled out the option to always use https--
        encrypting your mail as it travels between your web browser and 
        our servers. Using https helps protect data from being snooped 
        by third parties. . . . We initially left the choice of using 
        it up to you because there's a downside: https can make your 
        mail slower since encrypted data doesn't travel across the web 
        as quickly as unencrypted data. Over the last few months, we've 
        been researching the security/latency tradeoff and decided that 
        turning https on for everyone was the right thing to do.

    We hope other companies will soon join our lead.
    We also hope to see our competitors adopt another security tool we 
offer our users: encryption for search queries. Users can simply type 
in ``encrypted.google.com'' and encrypt their search queries and 
results. As we said in our blog post about encrypted search, ``an 
encrypted connection is created between your browser and Google. This 
secured channel helps protect your search terms and your search results 
pages from being intercepted by a third party on your network.''
    And in March Google launched a system to notify users about 
suspicious activities associated with their accounts. By automatically 
matching a user's IP address to broad geographical locations, Google 
can help detect anomalous behavior, such as a log-in appearing to come 
from one continent only a few hours after the same account holder 
logged in from a different continent. Thus, someone whose Gmail account 
may have been compromised will be notified and given the opportunity to 
change her password, protecting her own account and her Gmail contacts.

    Fig. 5: Recent Account Activity Warning

    Similarly, we built Google Chrome with security in mind from the 
beginning, including features such as:

   Safe Browsing, which warns a user before he visits a site 
        that it is suspected of phishing or containing malware;

   Sandboxing, which works automatically to help prevent web 
        browser processes from harming one another or a user's 
        computer, and

   Automatic updates that deliver security patches to users as 
        quickly as possible.

    Google also conducts extensive security research and provides free 
security resources to the broader Internet community. We make security 
tools available for free to webmasters to help them operate more secure 
sites, as well as to application developers to help them build more 
secure applications. For example, we recently released a tool called 
``skipfish'' under an open source license to help identify web 
application vulnerabilities through fully automated, active security 

The Challenges of Designing for Privacy and Security
    In addition to discussing Google's efforts to offer transparency, 
user control, and security, I want to also discuss just two of the many 
challenges I and others in similar roles face as we try to build 
privacy and security into innovative products. The first relates to 
data collection and use. The second involves how to best communicate to 
individuals how to manage their privacy.
    Every day we receive information from our users' interaction with 
our products and services. That information may be in the form of an e-
mail that we process, store, and protect in our Gmail product--or it 
could be generated by the interaction between a user's computer and our 
servers, such as a search query and the IP address associated with a 
specific computer or network of computers.
    We are asked often why we retain this query and IP address data--
which can be very sensitive even if it does not personally identify 
individuals. We certainly treat this data with strong security, and 
seek to build in transparency and user controls where appropriate--
including tools like our Ads Preferences Manager. We also voluntarily 
anonymize IP addresses after 9 months.
    But this data is actually tremendously helpful to us in improving 
our products and protecting our networks from hackers, spammers, and 
fraudsters. For example, bad actors continually seek to manipulate our 
search ranking, launch denial-of-service attacks, and scam our users 
via e-mail spam or malware. We use our log files to track, block, and 
keep ahead of the bad guys.
    We also use information like IP addresses and search queries to 
develop products like Flu Trends (www.google.com/flutrends). A team of 
our engineers found that examining certain search terms on an aggregate 
basis can provide a good indicator of flu activity. Of course, not 
every person who searches for ``flu'' is actually sick, but a pattern 
emerges when many flu-related search queries are added together. By 
counting how often we see these search queries, we can estimate how 
much flu is circulating in different countries and regions around the 
world. Our results have been published in the journal Nature.
    For epidemiologists, this is an exciting development, because early 
detection of a disease outbreak can reduce the number of people 
affected. If a new strain of influenza virus emerges under certain 
conditions, a pandemic could ensue with the potential to cause millions 
of deaths. Our up-to-date influenza estimates may enable public health 
officials and health professionals to better respond to seasonal 
epidemics and pandemics.

    Fig. 6: Google Flu Trends

    A second challenge is how to best communicate with our users about 
    At Google, we take great pride in our effort to provide our users 
with a better understanding of how we collect, use, and protect their 
data. For example, we have produced a series of short videos on privacy 
and made the videos available at Google.com and on YouTube. We also 
blog often about privacy in plain language aimed at educating our 
users. We believe that companies that interact and have relationships 
with consumers need to do more than simply provide and link to privacy 
policies; we all need to offer consumer-friendly materials in a variety 
of media to help users better understand how their information is 
collected and used, and what choices they have to protect their 
    We also believe in ``transparency in context'' so that consumers 
can benefit from privacy information when and where they're actually 
using a product or service, in addition to through a privacy policy. 
The concept of transparency in context underlies our desire to provide 
in-ad notice for interest-based ads. With such notice, consumers have 
easy access to both information and choice tools at the point of 
interaction with the relevant product.
    There are times, of course, where we do not get it right on the 
first try. When we launched Google Buzz, a social networking service 
for sharing updates, photos, videos, and more, we heard from some users 
that they were unhappy. So our engineers worked around the clock and 
within 48 hours we had made significant product changes. Now, instead 
of automatically creating a list of followers, we suggest people for 
Buzz users to follow. We also made it easier for users to block others 
from following them. And we added a tab to Gmail settings making it 
easier to hide Buzz or disable it completely. Soon after, we sent out a 
confirmation page to early Buzz users giving them another opportunity 
to understand and reconfirm their settings.
    These are the kind of updates and improvements we are making to all 
our products all the time, from Gmail to search to mobile, because 
control is what our users want and deserve--and what we want to 

Understanding the WiFi Incident
    In those instances where mistakes occur, we try to understand and 
learn from our mistakes. I'd like to address the recent issue involving 
WiFi data in that context.
    Several months ago, Google disclosed that we had mistakenly 
included code in the software on our Street View cars that collected 
samples of WiFi ``payload data''--information sent over a WiFi 
network--from open (unencrypted) WiFi networks. Importantly, these 
samples of payload data have never been used in any Google product or 
service; nor do we intend to use them. If you would like more 
information about the facts and background of this incident, including 
the independent, third-party review of our software, my colleague Alan 
Eustace has described it on the Official Google Blog.
    As Alan concluded, ``We are profoundly sorry for this error and are 
determined to learn all the lessons we can from our mistake.'' While 
our legal team is still reviewing the matter, I can attest that it was 
not consistent with the value we place on the responsible handling of 
personal data. Google is taking the review of this matter very 
seriously and we will report back with the changes we'll make to 
prevent such a thing from happening in the future.
    The incident also reaffirms to us the importance of transparency. 
Data collection and use practices should be disclosed, and in plain 
language. When mistakes occur, companies ought to continue providing 
that transparency--as Google did here even in the absence of any breach 
of personal data--by quickly and simply disclosing what occurred, any 
risk posed to users, and how users can mitigate that risk.

How Congress Can Encourage Responsible Privacy Practices and Build 
    Congress has a vital role to play in encouraging responsible 
privacy and security practices, both by bringing attention to these 
issues and through appropriate legislation. Google supports the 
development of comprehensive, baseline privacy legislation that can 
ensure broad-based user trust and that will support continued 
innovation and serve the privacy interests of consumers.
    I am a scientist and engineer, not a lawyer, but I have some basic 
thoughts about what good policy needs to accomplish in this area.

   Even-handed application. A pro-innovation privacy framework 
        must apply even-handedly to all personal data regardless of 
        source or means of collection. Thus, offline data collection 
        and processing should, where reasonable, involve similar data 
        protection obligations.

   Recognition of benefits and costs. As with any regulatory 
        policy, it is appropriate to examine the benefits and costs of 
        legislating in this area, including explicit attention to 
        actual harm and compliance costs.

   Security requirements and breach notification. We pride 
        ourselves at Google for industry-leading security features, 
        including the use of encryption for our search and Gmail 
        services I discussed. A thorough privacy framework should 
        promote uniform, reasonable security principles, including data 
        breach notification procedures.

   Clear process for compelled access. The U.S. law governing 
        government access to stored communications is outdated and out 
        of step with what is reasonably expected by those who use cloud 
        computing services. The problems in the law threaten the 
        growth, adoption, and innovation of cloud technologies without 
        a corresponding benefit. As part of the Digital Due Process 
        coalition, we are working to address this issue. The Committee 
        can play an important role in encouraging clear rules for 
        compelled access to user data.

   Consistency across jurisdictions. Generally, Internet users 
        neither expect nor want different baseline privacy rules based 
        on the local jurisdiction in which they or the provider reside. 
        Moreover, in many instances, strict compliance with differing 
        state or national privacy protocols would actually diminish 
        consumer privacy, since it would require Internet companies to 
        know where consumers are located at any given time.

    Any new privacy law must also offer baseline protections on which 
providers can innovate. A pro-innovation privacy framework offers 
providers the flexibility to both develop self-regulatory structures 
and individually innovate in privacy practices and tools. The 
advertising industry and online publisher efforts to develop self-
regulatory rules for interest-based advertising, for example, are a 
strong example of the need for and utility of industry-driven efforts. 
As I have discussed, Google has been a leader in developing innovative 
privacy tools.
    Continued innovation in the privacy space is vital for users. 
Unfortunately, compliance-based or overly complex rules can lock in a 
specific privacy model that may quickly become obsolete or insufficient 
due to the speed with which Internet services evolve. A principles-
based model encourages innovation and competition in privacy tools.
    A baseline framework needs to encourage the development of 
innovative tools like the ones I've described. We believe that stable, 
baseline principles set by law can permit flexible, adaptive structures 
to develop on top--much like the stable protocols and standards at the 
physical and network layers of the Internet allow flexible and 
innovative development at the content and application layers. With 
comprehensive, baseline privacy legislation establishing ground rules 
for all entities, self-regulatory standards and best practices of 
responsible industry actors will evolve over time. On top of that 
structure, individual companies will be free (and encouraged) to create 
innovative privacy tools and policies rather than stick with 
potentially outdated compliance structures.

    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, thank you for inviting me to testify today. We at Google 
appreciate the opportunity to discuss online privacy and how our 
company has helped lead in the effort to protect our users by providing 
them with transparency, user control, and security.
    I look forward to answering any questions you might have about our 
efforts, and Google looks forward to working with members of the 
Committee and others in the development of better privacy protections.
    Thank you.

    The Chairman. Thank you, Dr. Whitten.
    Now Mr. Jim Harper, Director of Information Policy Studies 
at The Cato Institute.


    Mr. Harper. Thank you, Mr. Chairman. Good afternoon. Thanks 
for inviting me to testify today. And I definitely appreciate 
that you're educating the Committee and the public about 
consumer online privacy.
    My 21-page single-spaced written testimony----
    Mr. Harper.--is only a brief glance at the many issues that 
are involved in privacy regulation and fair information 
practices. I suspect that the much more useful 1-page executive 
summary is what'll benefit you and your staff in your early 
examination of the issue.
    What it says is that privacy is a complicated human 
interest. When people talk about privacy, they may mean desire 
for fair treatment, they may mean security from identity fraud 
and other crimes, they may mean distaste for being marketed to 
as objects of crass commercialism, and they may mean something 
more like liberty or autonomy. I think the strongest sense of 
the word ``privacy'' refers to control of personal information. 
That is, having the ability to selectively reveal things about 
yourself so that you can craft the image you portray to all the 
different communities that you interact with in your life.
    As we've seen in discussion here today, the online 
environment is new and different. Many people literally don't 
know how to control information about themselves. Other 
technologists with me on the panel today are doing good work, I 
think, to try to rectify that, but it won't be easy.
    I may play ``skunk at the garden party'' when I say that I 
have doubts about the capacity of fair information practices 
and regulatory solutions to solve these problems and deliver 
privacy. Fair information practices have a long history, nearly 
40 years, and there are many good practices, described by fair 
information practices, that many companies should probably do. 
But, just like there are many different senses of privacy, 
there are many different data practices that matter in 
different degrees at different times. So, blanket use of fair 
information practices is probably inappropriate and unhelpful.
    In my written testimony I focused heavily on notice and the 
failure of notice, really, over the last decade, to deliver 
privacy like many thought it would, 10 years ago. I think the 
short-notice project is wonderful and fine, but I don't hold 
out much hope that it will lead to an upwelling of privacy 
awareness, like I think we all would like to have.
    I also emphasize how changing business models and changing 
Internet protocols make it difficult to regulate, 
prospectively, in ways that'll work. Regulations may prevent 
new protocols--even worse--and new ways of interacting online 
from coming into existence. This would be a pity, because it 
would deny all of us the next generation of Internet-enabled 
    It would also be a pity if privacy regulation were to lock 
in competitive advantages for the companies that are leading 
the pack today. For all the good they do consumers, the 
companies represented by my copanelists at the table, I think, 
should always be met by searing competition. And companies can 
use the legislative and regulatory process to lock out 
competition, foreclose new business models as privacy-
    Before I conclude, I want to change hats, really briefly, 
and talk about an issue that I know is on the mind of many 
people, and that's targeted advertising. Targeted advertising 
is sensitive, I think, because it represents a loss of control 
over personal information, like we've talked about. It also 
objectifies consumers, as such, rather than treating them as 
human beings who laugh and cry and aspire and get frustrated 
and fall in love. I think I understand that concern, but it 
doesn't motivate me as a privacy advocate.
    But, what I want to talk about is my experience as the 
operator of a small website. As I noted in my written 
testimony, I run a website called washingtonwatch.com. It had 
about 1.6 million visitors last year, which is pretty good. One 
bill has 150,000 comments, I'll tell you, so I'm quite aware of 
the passions that unemployment compensation generates. I run 
the site in my spare time, and I've built it with my own funds, 
over several years. I'm fond of joking that it's the reason why 
I don't have a boat in my driveway. In fact, it might be the 
reason why I don't have a driveway.
    I run Google ads to help defray the costs. AdSense is a 
pretty good product, though I am looking around. Amazon has a 
pretty cool thing going right now, called Omakase.
    Here's the thing. I have tons of features that I want to 
add to washingtonwatch.com, and I decide to add new features 
when I feel like I have the money to do it. OK? I pay my Web 
developers about twice what I make per hour to work on the 
site. Of course, my sob story doesn't matter, but I probably 
stand in the shoes of many small Website operators and bloggers 
who choose whether they're going to add more content and more 
features based on whether they can afford it.
    Targeted advertising is a way for sites, small and large, 
to support themselves better so that they can do more cool 
stuff for American citizens and consumers. Targeted ads, I 
think it's clear from economic study, are more valuable than 
contextual ads, more valuable that noncontextual, just blanket 
    My point is only this: Curtailing targeted advertising in 
the name of privacy involves tradeoffs with other important 
consumer issues. And these things are all important to discuss.
    Thanks, again, so much for inviting me to testify today. 
Happy to answer your questions.
    [The prepared statement of Mr. Harper follows:]

   Prepared Statement of Jim Harper, Director of Information Policy 
                      Studies, The Cato Institute

Executive Summary
    Privacy is a complicated human interest. People use the word 
``privacy'' to refer to many different things, but its strongest sense 
is control of personal information, which exists when people have legal 
power to control information and when they exercise that control 
consistent with their interests and values.
    Direct privacy legislation or regulation is unlikely to improve on 
the status quo. Over decades, a batch of policies referred to as ``fair 
information practices'' have failed to take hold because of their 
complexity and internal inconsistencies.
    Even modest regulation like mandated privacy notices have not 
produced meaningful improvements in privacy. Consumers generally do not 
read privacy policies and they either do not consider privacy much of 
the time, or they value other things more than privacy when they 
interact online.
    The online medium will take other forms with changing times, and 
regulations aimed at an Internet dominated by the World Wide Web will 
not work with future uses of the Internet. Privacy regulations that 
work ``too well'' may make consumers worse off overall, not only by 
limiting their access to content, but by giving supernormal profits to 
today's leading Internet companies and by discouraging consumer-
friendly innovations.
    The ``online'' and ``offline'' worlds are collapsing rapidly 
together, and consumers do not have separate privacy interests for one 
and the other. Likewise, people do not have privacy interests in their 
roles as consumers that are separate from their interests as citizens. 
If the Federal Government is going to work on privacy protection, it 
should start by getting its own privacy house in order.
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, thank you for inviting me to address your hearing on 
``Consumer Online Privacy.''
    My name is Jim Harper, and I am Director of Information Policy 
Studies at the Cato Institute. In that role, I study and write about 
the difficult problems of adapting law and policy to the challenges of 
the information age. Cato is a market liberal, or libertarian, think-
tank, and I pay special attention to preserving and restoring our 
Nation's founding traditions of individual liberty, limited government, 
free markets, peace, and the rule of law.
    My primary focus is on privacy and civil liberties, and I serve as 
an advisor to the Department of Homeland Security as a member of its 
Data Integrity and Privacy Advisory Committee. I am not a technologist, 
but a lawyer familiar with technology issues. As a former committee 
counsel in both the House and Senate, I understand lawmaking and 
regulatory processes related to technology and privacy. I have 
maintained a website called Privacilla.org since 2000,\1\ cataloguing 
many dimensions of the privacy issue, and I also maintain an online 
Federal legislative resource called WashingtonWatch.com,\2\ which has 
had over 1.6 million visitors in the last year.
    \1\ http://www.privacilla.org
    \2\ http://www.washingtonwatch.com Disclosure: WashingtonWatch.com 
defrays some costs of its otherwise money-losing operation by running 
Google AdSense ads.
What is Privacy?
    Your hearing to explore consumer online privacy is welcome. There 
are many dimensions to privacy, and it is wise to examine all of them, 
making yourselves aware of the plethora of issues and considerations 
before turning to legislation or regulation.
    People use the word ``privacy'' to describe many concerns in the 
modern world, including fairness, personal security, seclusion, and 
autonomy or liberty. Given all those salutary meanings, everyone wants 
``privacy,'' of course. Few concepts have been discussed so much 
without ever being solidly defined. But confusion about the meaning of 
the word makes legislation or regulation aimed at privacy difficult.
    ``Privacy'' sometimes refers to the interest violated when a 
person's sense of seclusion or repose is upended. Telephone calls 
during the dinner hour,\3\ for example, spam e-mails,\4\ and--
historically--the quartering of troops in private homes \5\ undermine 
privacy and the vaunted ``right to be let alone.'' \6\
    \3\ See Federal Trade Commission, ``Unwanted Telephone Marketing 
Calls'' web page http://www.fcc.gov/cgb/consumerfacts/tcpa.html.
    \4\ The CAN-SPAM Act of 2003 (15 U.S.C. 7701, et seq., Public Law 
No. 108-187) was intended to remedy the problem of spam, but it remains 
a huge amount of the SMTP traffic on the Internet. See Jim Harper, 
``CAN-SPAM Didn't--Not By a Long Shot,'' [email protected] (Nov. 6, 2006) 
    \5\ See U.S. Const. amend. III (barring quartering of troops in 
    \6\ Olmstead v. United States, 277 U.S. 438 (1928) (Brandeis, J, 
dissenting). Unfortunately, the Olmstead case was not about 
``seclusion'' but control of information traveling by wire.
    For some, it is marketing that offends privacy--or at least 
targeted marketing based on demographic or specific information about 
consumers. Many people feel something intrinsic to individual 
personality is under attack when people are categorized, labeled, 
filed, and objectified for commerce based on data about them.
    This is particularly true when incomplete data fails to paint an 
accurate picture. The worst denial of personality occurs in the 
marketing area when data and logic get it wrong, serving inappropriate 
marketing communications to hapless consumers. A couple who recently 
lost their baby receives a promotion for diapers or children's toys, 
for example. Or mail for a deceased parent continues coming long after 
his or her passing. In the informal sector, communities sometimes 
attack individuals because of the inaccurate picture gossip paints on 
the powerful medium of the Internet.\7\
    \7\ In his book, The Future of Reputation: Gossip, Rumor, and 
Privacy on the Internet, George Washington University Law School 
professor Daniel Solove details the story of ``Dog Poop Girl,'' for 
example, who was selected for worldwide ridicule when a photo of her 
failing to clean up after her pooch was uploaded and disseminated over 
the Internet. Daniel Solove, the Future of Reputation: Gossip, Rumor, 
and Privacy on the Internet (New Haven: Yale University Press, 2007) 
pp. 1-4.
    The ``privacy'' damage is tangible when credit bureaus and other 
reputation providers paint an incomplete or wrong picture. Employers 
and credit issuers harm individual consumers when they deny people work 
or credit based on bad data or bad decision rules.\8\
    \8\ Congress passed the Fair Credit Reporting Act (codified at 15 
U.S.C.  1681 et seq.) in 1970 intending to produce fairness in the 
credit reporting world, which is still an area of difficulty for 
    Other kinds of ``privacy'' violations occur when criminals acquire 
personal information and use it for their malign purposes. The scourge 
of identity theft is a well known ``privacy'' problem. Drivers Privacy 
Protection Acts \9\ passed in many state legislatures and in the U.S. 
Congress after actress Rebecca Schaeffer was murdered in 1989. Her 
stalker got her residence information from the California Department of 
Motor Vehicles. In a similar notable incident a decade later, Vermont 
murderer Liam Youens used a data broker to gather information as part 
of an Internet-advertised obsession with the young woman he killed.\10\
    \9\ The Federal Drivers Privacy Protection Act, Public Law No. 103-
322, amended by Public Law 106-69, prohibits the release or use by any 
State DMV (or officer, employee, or contractor thereof) of personal 
information about an individual obtained by the department in 
connection with a motor vehicle record. It sets penalties for 
violations and makes violators liable on a civil action to the 
individual to whom the released information pertains.
    \10\ See Remsburg v. Docusearch, Inc. (N.H. 2003) http://
    ``Privacy'' is also under fire when information demands stand 
between people and their freedom to do as they please. Why on earth 
should a person share a phone number with a technology retailer when he 
or she buys batteries? The U.S. Department of Homeland Security has 
worked assiduously in what is now called the ``Secure Flight'' program 
to condition air travel on the provision of accurate identity 
information to the government, raising the privacy costs of otherwise 
free movement.
    Laws banning or limiting medical procedures dealing with 
reproduction offend ``privacy'' in another sense of the word.\11\ There 
are a lot of privacy problems out there, and many of them blend 
    \11\ See Griswold v. Connecticut, 381 U.S. 479 (1965); Roe v. Wade, 
410 U.S. 113 (1973).
Privacy as Control of Personal Information
    The strongest and most relevant sense of the word ``privacy,'' 
which I will focus on here, though, is its ``control'' sense--privacy 
as control over personal information. Privacy in this sense is 
threatened by the Internet, which is an unusual new medium for many 
people over the age of eighteen.
    In his seminal 1967 book Privacy and Freedom, Alan Westin 
characterized privacy as ``the claim of individuals, groups, or 
institutions to determine for themselves when, how, and to what extent 
information about them is communicated to others.'' \12\ A more 
precise, legalistic definition of privacy in the control sense is: the 
subjective condition people experience when they have power to control 
information about themselves and when they have exercised that power 
consistent with their interests and values.\13\ The ``control'' sense 
of privacy alone has many nuances, and I will parse them here briefly.
    \12\ Alan F. Westin, Privacy and Freedom, p. 7 (New York: Atheneum 
    \13\ See generally, Jim Harper, ``Understanding Privacy--and the 
Real Threats to It,'' Cato Policy Analysis No. 520 (Aug. 4, 2004) 
    Importantly, privacy is a subjective condition. It is individual 
and personal. One person cannot decide for another what his or her 
sense of privacy is or should be.
    To illustrate this, one has only to make a few comparisons: Some 
Americans are very reluctant to share their political beliefs, refusing 
to divulge any of their leanings or the votes they have cast. They keep 
their politics private. Their neighbors may post yard signs, wear 
brightly colored pins, and go door-to-door to show affiliation with a 
political party or candidate. The latter have a sense of privacy that 
does not require withholding information about their politics.
    Health information is often deemed intensely private. Many people 
closely guard it, sharing it only with doctors, close relatives, and 
loved ones. Others consent to have their conditions, surgeries, and 
treatments broadcast on national television and the Internet to help 
others in the same situation. More commonly, they relish the attention, 
flowers, and cards they receive when an illness or injury is 
publicized. Privacy varies in thousands of ways from individual to 
individual and from circumstance to circumstance.
    An important conclusion flows from the observation that privacy is 
subjective: government regulation in the name of privacy can be based 
only on guesses about what ``privacy'' should look like. Such rules can 
only ape the privacy-protecting decisions that millions of consumers 
make in billions of daily actions, inactions, transactions, and 
refusals. Americans make their highly individual privacy judgments 
based on culture, upbringing, experience, and the individualized costs 
and benefits of interacting and sharing information.
    The best way to protect true privacy is to leave decisions about 
how personal information is used to the people affected. Regulatory 
mandates that take decision-making power away from people will prevent 
them striking the balances that make them the best off they can be. 
Sometimes it is entirely rational and sensible to share information.

    At its heart, privacy is a product of autonomy and personal 
responsibility. Only empowered, knowledgeable citizens can formulate 
and protect true privacy for themselves, just as they individually 
pursue other subjective conditions, like happiness, piety, or success.

The Role of Law
    The legal environment determines whether people have the power to 
control information about themselves. Law has dual, conflicting effects 
on privacy: Much law protects the privacy-enhancing decisions people 
make. Other laws undermine individuals' power to control information.
    Various laws foster privacy by enforcing individuals' privacy-
protecting decisions. Contract law, for example, allows consumers to 
enter into enforceable agreements that restrict the sharing of 
information involved in, or derived from, transactions.
    Thanks to contract, one person may buy foot powder from another and 
elicit as part of the deal an enforceable promise never to tell another 
soul about the purchase. In addition to explicit terms, privacy-
protecting confidentiality has long been an implied term in many 
contracts for professional and fiduciary services, like law, medicine, 
and financial services. Alas, legislation and regulation of recent 
vintage have undermined those protections.\14\
    \14\ The Gramm-Leach-Bliley Act and Federal regulations under the 
Health Insurance Portability and Accountability Act institutionalized 
sharing of personal information with government authorities and various 
``approved'' institutions. See 15 U.S.C.  6802(e)(5)&(8); various 
subsections of 45 C.F.R. 164.512.
    Many laws protect privacy in other areas. Real property law and the 
law of trespass mean that people have legal backing when they retreat 
into their homes, close their doors, and pull their curtains to prevent 
others from seeing what goes on within. The law of battery means that 
people may put on clothes and have all the assurance law can give that 
others will not remove their clothing and reveal the appearance of 
their bodies without permission.
    Whereas most laws protect privacy indirectly, a body of U.S. state 
law protects privacy directly. The privacy torts provide baseline 
protection for privacy by giving a cause of action to anyone whose 
privacy is invaded in any of four ways.\15\
    \15\ Privacilla.org, ``The Privacy Torts: How U.S. State Law 
Quietly Leads the Way in Privacy Protection,'' (July 2002) http://
    The four privacy causes of action, available in nearly every state, 

   Intrusion upon seclusion or solitude, or into private 

   Public disclosure of embarrassing private facts;

   Publicity that places a person in a false light in the 
        public eye; and

   Appropriation of one's name or likeness.

    While those torts do not mesh cleanly with privacy as defined here, 
they are established, baseline, privacy-protecting law.
    Law is essential for protecting privacy, but much legislation plays 
a significant role in undermining privacy. Dozens of regulatory, tax, 
and entitlement programs deprive citizens of the ability to shield 
information from others. You need only look at the Internal Revenue 
Service's Form 1040 and related tax forms to see that.

Consumer Knowledge and Choice
    I wrote above about the role of personal responsibility in privacy 
protection. Perhaps the most important, but elusive, part of privacy 
protection is consumers' exercise of power over information about 
themselves consistent with their interests and values. This requires 
consumers and citizens to be aware of the effects their behavior will 
have on exposure of information about them.
    Technology and the world of commerce are rapidly changing, and 
personal information is both ubiquitous and mercurial. Unfortunately, 
there is no horn that sounds when consumers are sufficiently aware, or 
when their preferences are being honored. But study of other, more 
familiar, circumstances reveals how individuals have traditionally 
protected privacy.

    Consider privacy protection in the physical world. For millennia, 
humans have accommodated themselves to the fact that personal 
information travels through space and air. Without understanding how 
photons work, people know that hiding the appearance of their bodies 
requires them to put on clothes. Without understanding sound waves, 
people know that keeping what they say from others requires them to 
lower their voices.
    From birth, humans train to protect privacy in the ``natural'' 
environment. Over millions of years, humans, animals, and even plants 
have developed elaborate rules and rituals of information sharing and 
information hiding based on the media of light and sound.
    Tinkering with these rules and rituals today would be absurd. 
Imagine, for instance, a privacy law that made it illegal to observe 
and talk about a person who appeared naked in public without giving the 
nudist a privacy notice and the opportunity to object. People who 
lacked the responsibility to put on clothes might be able to sue people 
careless enough to look at them and recount what they saw. A rule like 
that would be ridiculous.
    The correct approach is for consumers to be educated about what 
they reveal when they interact online and in business so that they know 
to wear the electronic and commercial equivalents of clothing.
    Of all the online privacy concerns, perhaps the most fretting has 
been done about ``behavioral advertising''--sometimes referred to as 
``psychographic profiling'' to get us really worked up. What is truly 
shocking about this problem, though, is that the remedy for most of it 
is so utterly simple: exercising control over the cookies in one's 
    Cookies are small text files that a website will ask to place in 
the memory of computers that visit it. Many cookies have distinct 
strings of characters in them that allow the website to ``recognize'' 
the computer when it visits the site again. When a single domain places 
content across the web as a ``third party''--something many ad networks 
do--it can recognize the same computer many places and gain a sense of 
the interests of the user.
    The solution is cookie control: In the major browsers (Firefox and 
Internet Explorer), one must simply go to the ``Tools'' pull-down menu, 
select ``Options,'' then click on the ``Privacy'' tab to customize 
one's cookie settings. In Firefox, one can decline to accept all third-
party cookies (shown inset), neutering the cookie-based data collection 
done by ad networks. In Internet Explorer, one can block all cookies, 
block all third-party cookies, or even choose to be prompted each time 
a cookie is offered.\16\
    \16\ These methods do not take care of an emerging tracker known as 
``Flash cookies'' which must be disabled another way, but consumers 
aware of their ability and responsibility to control cookies can easily 
meet the growth of Flash cookies. See ``Flash Player Help'' web page, 
Global Privacy Settings panel, http://www.macromedia.com/support/

    Again, consumers educated about what they reveal when they interact 
online can make decisions about how to behave that will protect privacy 
much better--in all online contexts--than consumers unaware of how the 
world around them works.

Can Direct Regulation Protect Privacy Better?
    Above, I wrote about how law protects people's privacy-protecting 
decisions. This unfortunately leaves them with the responsibility of 
making those decisions. Naturally, most privacy advocates--myself 
included--believe that people do not do enough to protect their 
privacy. Consciously or not, people seem to prioritize the short-term 
benefits of sharing personal information over the long-term costs to 
their privacy.
    This poses the question: Can direct regulation protect consumers 
privacy better than they can protect themselves?
    There is a decades-long history behind principles aimed at protect 
privacy and related interests, principles that are often put forward as 
a framework for legislative or regulatory directives.
    In the early 1970s, a group called ``The Secretary's Advisory 
Committee on Automated Personal Data Systems'' within the Department of 
Health, Education, and Welfare did an important study of record-keeping 
practices in the computer age. The intellectual content of its report, 
commonly known as the ``HEW Report,'' \17\ formed much of the basis of 
the Privacy Act of 1974. The report dealt extensively with the use of 
the Social Security Number as the issues stood at that time.
    \17\ ``Records, Computers and the Rights of Citizens: Report of the 
Secretary's Advisory Committee on Automated Personal Data Systems,'' 
Department of Health, Education, and Welfare [now Department of Health 
and Human Services] (July, 1973) http://www.aspe.dhhs.gov/datacncl/
    The HEW report advocated the following ``fair information 

   There must be no personal-data record-keeping systems whose 
        very existence is secret.

   There must be a way for an individual, to find out what 
        information about him is in a record and how it is used.

   There must be a way for an individual to prevent information 
        about him obtained for one purpose from being used or made 
        available for other purposes without his consent.

   There must be a way for an individual to correct or amend a 
        record of identifiable information about him.

   Any organization creating, maintaining, using, or 
        disseminating records of identifiable personal data must assure 
        the reliability of the data for their intended use and must 
        take reasonable precautions to prevent misuse of the data.

    These things sound wonderful in the abstract, but their relevance, 
worthiness, and cost-justifications vary widely from circumstance to 
    In 1980, the Organization for Economic Cooperation and Development 
(OECD) \18\ issued similar, if more detailed guidelines. The OECD 
Guidelines involve eight principles, which in different variations are 
often touted as ``fair information practices'' or ``fair information 
practice principles.''
    \18\ The OECD consists of bureaucrats from 29 countries that work 
to coordinate policies with the nominal aim of fostering international 
trade. The United States is a member of the OECD and the largest 
funders of its $424 million dollar 2010 budget. See Organization for 
Economic Cooperation and Development, ``Member Countries' Budget 
Contributions for 2010'' web page http://www.oecd.org/document/14/
    They include a ``Collection Limitation Principle,'' a ``Data 
Quality Principle,'' a ``Purpose Specification Principle,'' a ``Use 
Limitation Principle,'' a ``Security Safeguards Principle,'' an 
``Openness Principle,'' an ``Individual Participation Principle,'' and 
an ``Accountability Principle.'' The full OECD principles, in their 
sprawling glory, are reproduced in a footnote below.\19\
    \19\ 1. Collection Limitation Principle: There should be limits to 
the collection of personal data and any such data should be obtained by 
lawful and fair means and, where appropriate, with the knowledge or 
consent of the data subject.
    2. Data Quality Principle: Personal data should be relevant to the 
purposes for which they are to be used, and, to the extent necessary 
for those purposes, should be accurate, compete and kept up-to-date.
    3. Purpose Specification Principle: The purposes for which personal 
data are collected should be specified not later than at the time of 
collection and the subsequent use limited to the fulfilment of those 
purposes or such others as are not incompatible with those purposes and 
as are specified on each occasion of change of purpose.
    4. Use Limitation Principle: Personal data should not be disclosed, 
made available or otherwise used for purposes other than those 
specified in accordance with Principle 3 except:

    --with the consent of the data subject; or
    --by the authority of law.

    5. Security Safeguards Principle: Personal data should be protected 
by reasonable security safeguards against such risks as loss or 
unauthorised access, destruction, use, modification or disclosure of 
    6. Openness Principle: There should be a general policy of openness 
about developments, practices and policies with respect to personal 
data. Means should be readily available of establishing the existence 
and nature of personal data, and the main purposes of their use, as 
well as the identity and usual residence of the data controller.
    7. Individual Participation Principle: An individual should have 
the right:

    --(a) to obtain from the data controller, or otherwise, 
confirmation of whether or not the data controller has data relating to 
    --(b) to have communicated to him, data relating to him
    --within a reasonable time;
    --at a charge, if any, that is not excessive;
    --in a reasonable manner; and
    --in a form that is readily intelligible to him;
    --(c) to be given reasons if a request made under sub-paragraphs 
(a) and (b) is denied, and to be able to challenge such denial; and
    --(d) to challenge data relating to him and, if the challenge is 
successful, to have the data erased, rectified, completed or amended.
    8. Accountability Principle: A data controller should be 
accountable for complying with measures which give effect to the 
principles stated above.
    In a 2000 report, the Federal Trade Commission came out with a 
relatively briefer list of ``fair information practices'' (notice, 
choice, access, and security) and asked Congress for authority to 
impose them on the businesses of the country,\20\ even though a 
committee convened by the FTC could not reconcile the inherent tensions 
between access and security.\21\ Congress declined to take the FTC's 
    \20\ Federal Trade Commission, ``Privacy Online: Fair Information 
Practices in the Electronic Marketplace,'' (May 2000) http://
    \21\ See FTC Advisory Committee on Online Access and Security, 
``Final Report of the Federal Trade Commission Advisory Committee on 
Online Access and Security'' (May 15, 2000) http://www.ftc.gov/acoas/.
    These examples illustrate one of the problems with the idea of 
``baseline privacy regulation'' for the Internet that has been a 
consistent call of many for over a decade. There are many good ideas 
and good practices described in the HEW Report, the OECD Guidelines, 
and in various other iterations of ``fair information practices,'' but 
tensions among the principles and variations in their applicability to 
different circumstances make ``FIPs'' a poor guide for smart 
    ``Fair information practices'' remain largely aspirational after 
nearly 40 years, and where they have been implemented, privacy has not 
blossomed. The principal example is the Privacy Act of 1974, which has 
done little to give American citizens control over information the 
government collects. It is shot through with exceptions, and it is 
largely a paper tiger.
    The Fair Credit Reporting Act has guided the development of the 
credit reporting industry for four decades, while insulating credit 
bureaus from state tort laws. During that period, the industry has 
become highly cartelized, consisting of three players (as discussed 
below, a typical consequence of regulatory barriers to entry). It has 
failed to innovate and become the reputation and identity service that 
the world of e-commerce could use. And--most importantly for these 
purposes--credit reporting is a consumer-unfriendly industry. Rather 
than working with consumers to develop mutually beneficial personal 
data repositories, the credit reporting industry serves its financial 
industry partners first, Federal regulators second, and consumers as a 
rather distant afterthought.
    The privacy regulations implemented under the Health Insurance 
Portability and Accountability Act are sometimes touted as reflecting 
``fair information practices.'' (With their breadth, any good data 
practice is arguably a FIP.) But health privacy has not materialized 
since Congress shrugged its shoulders and handed the privacy problem to 
the Department of Health and Human Services.\22\ Pre-HIPAA studies 
showing that patients sometimes avoided treatment due to privacy 
worries have not been matched by post-HIPAA studies showing that 
consumers confident of health privacy are getting medical care they 
would not have gotten.
    \22\ See Privacilla.org, ``Health Privacy in the Hands of 
Government: The HIPAA Privacy Regulation--Troubled Process, Troubling 
Results'' (April, 2003) http://www.privacilla.org/releases/
    Fair information practices are widely touted as models for direct 
regulation that would protect privacy. But the examples we have of FIP-
style laws and regulations have not delivered privacy. Privacy 
protection is hard, and it is not amenable to top-down solutions.
Keeping it Simple: What About Privacy Notice?
    If the full suite of ``fair information practices'' is too 
intricate and internally inconsistent to produce a flowering of privacy 
across the land, perhaps some minimal privacy regulation would move the 
ball in the right direction. Mandated privacy notices are widely 
regarded as a step that would put consumers in a position to protect 
privacy themselves.
    One would think. But they haven't.
    A decade ago, market pressure spurred commercial websites to adopt 
and publish privacy policies. The FTC found in its 2000 report that 100 
percent of the most popular sites on the web and 88 percent of randomly 
sampled sites had privacy disclosures of some kind.\23\ This was in the 
absence of any regulation requiring notice; it was simply the product 
of market-based consensus that privacy notice was an appropriate 
business practice.
    \23\ See Federal Trade Commission, ``Privacy Online: Fair 
Information Practices in the Electronic Marketplace,'' Appendix C, 
Table 2A (May 2000) http://www.ftc.gov/reports/privacy
    However, over the ensuing decade it has become clear that privacy 
notices do not materially improve consumers' privacy practices. The 
Federal Trade Commission, other agencies, researchers like Lorrie Faith 
Cranor at Carnegie Mellon University's ``CUPS'' laboratory,\24\ and 
others are diligently pursuing strategies to make notices effective at 
communicating privacy information to consumers in the hope that they 
will act on that information. But none has yet borne fruit.
    \24\ http://cups.cs.cmu.edu/.
    The FTC and seven other regulators recently revealed a new, 
``short'' financial privacy notice (required annually of financial 
services providers by the Gramm-Leach-Bliley Act) that they say ``will 
make it easier for consumers to understand how financial institutions 
collect and share information about consumers.'' \25\ Perhaps privacy 
awareness will flourish in the financial services area under this new 
regime, validating the widely derided privacy notices that clutter 
Americans' mailboxes. More likely, artificial ``notice'' will continue 
to lose currency as a tool for generating consumer focus on privacy.
    \25\ Press release, ``Federal Regulators Issue Final Model Privacy 
Notice Form'' (Nov. 17, 2009) http://www.cftc.gov/ucm/groups/public/
    Nutrition labels, the beloved model for privacy notices, have 
failed to stem the tide of fat washing over Americans' waistlines. 
Consumer behavior is difficult to control, as it should be in a free 
    Notice has other challenges. If it ever was, the ``online'' 
environment is no longer confined to a series of web pages, of which 
one could contain a universal privacy policy. The Internet is amenable 
to endless new protocols and forms of communication, which may defy the 
idea that there is somewhere for a notice to be located.
    Even the growth of handheld devices--an incremental step in 
comparison to what may come in the future--challenges the idea of 
notice. Given the very small screen space of many devices, where is a 
notice to be located? And where is a notice to be located when there 
isn't a hypertext ``link'' structure to follow?
    A hint of how unsuited privacy notices are to the future of the 
Internet lies in a dust-up about Google's privacy notice that occurred 
in mid-2008. A California law passed in 2003 requires websites to have 
privacy policies linked to from their home pages.\26\ At some point, 
privacy advocates noticed that Google did not have such a link. Access 
to Google's industry-leading ``Privacy Center'' was accessible by doing 
a search on any number of terms or phrases, such as: What is Google's 
privacy policy?
    \26\ See Jim Harper, ``Google Fakes Compliance with Privacy Law. 
Obscure Blogger Demands Investigation. Developing . . .'' 
TechLiberation.com (July 4, 2008) http://techliberation.com/2008/07/04/
    Google, after all, is a search engine. In fact, it is the search 
engine that augured the decline of the Internet ``portal'' in favor of 
more fluid, search-based entree to the web. Yet the California law 
requires a portal-style link, something that Google agonized over, 
being very proud of their very clean home page.\27\ Google now has a 
privacy link on its home page. It has cured its online paperwork 
    \27\ See Marissa Meyer, ``What comes next in this series? 13, 33, 
53, 61, 37, 28 . . .'' The Official Google Blog (July 3, 2008) http://
    As this story illustrates, Americans are not going on the web 
through portals any more. Americans are not going ``online'' sitting at 
computers looking at web pages any more. There is no end to the 
protocols that people may use to communicate on the Internet, and a 
notice regime designed for the World Wide Web so popular in the decade 
just past will fail to reach people in the decades to come.

What Does ``Online'' Mean Anyway? And Why Is It Important?
    It is important to consider changes in technology of a different 
kind, particularly the vanishing border between ``online'' and 
``offline.'' As I deliver my oral testimony to the Committee today, for 
example, I will be nominally ``offline.'' However, audio and video of 
my presentation may be streamed live over the Internet or recorded and 
posted on the Committee's website or elsewhere. Reporters and 
researchers may take snippets of what I say and weave them into their 
work, posting those works online.
    The phone in my pocket will be signaling its whereabouts (and 
inferentially mine) to nearby cell towers. Video of me entering, 
walking around inside, and leaving the Russell building may be captured 
and stored by the Capitol Police. Should the need arise, they may move 
this video into permanent storage.
    There are privacy consequences from all these things. More than 
others, I suppose, I knowingly and willingly encounter privacy loss in 
order to be here and speak to you.
    But what is the difference between the privacy consequences of this 
``offline'' behavior and ``online'' behavior. Why should special 
privacy protections kick in when one formally sits down in front of a 
computer or uses a handheld device to go ``online'' if so much of 
``offline'' life means the same thing?
    The distinction between online and offline is blurring, and 
legislation or regulation aimed at protecting consumers ``online'' 
could create strange imbalances between different spheres of life. 
Consumers do not have a set of privacy interests that applies to the 
``online'' world and another set that applies ``offline.''
    To address online privacy alone is to miss the mark. This is not to 
say that the flesh-andblood world should have privacy regulations like 
those that have been dreamed up for the Internet. Rather, privacy on 
the Internet might better be produced the way it is in the ``real'' 
world, by people aware of the consequences of their behavior acting in 
their own best interests.

Privacy Regulation Might Also Work ``Too Well''
    Consumer privacy legislation and regulation might fail because they 
miss new protocols or technologies, uses of the Internet that are not 
web-based, for example. But there is an equally plausible likelihood 
that privacy regulation works too well, in a couple of different 
    Privacy regulation that works ``too well'' would give people more 
privacy than is optimal, making consumers worse off overall. Consumers 
have interests not just in privacy, but also in publicity, access to 
content, customization, convenience, low prices, and so on. Many of 
these interests are in tension with privacy, and giving consumers 
privacy at the cost of other things they prefer is not a good outcome.
    The dominant model for producing Internet content--all the 
interaction, commentary, news, imagery, and entertainment that has the 
Internet thriving--is advertising support. Many of the most popular 
services and platforms are ``free'' because they host advertisements 
directed at their visitors and users. Part of the reason they can 
support themselves with advertising is because they have good 
information about users that allow ads to be appropriately targeted. It 
is a fact that well-targeted ads are more valuable than less-well-
targeted ads.
    This is important to note: Most web-based businesses do not 
``sell'' information about their users. In targeted online advertising, 
the business model is generally to sell advertisers access to people 
(``eyeballs'') based on their demographics. It is not to sell 
individuals' personal and contact info. Doing the latter would undercut 
the advertising business model and the profitability of the websites 
carrying the advertising.
    If privacy regulation ``blinded'' sites and platforms to relevant 
information about their visitors, the advertising-supported model for 
Internet content would likely be degraded.
    Consumers would be worse off--entombed by an excess of privacy when 
their preferences would be to have more content and more interaction 
than regulation allows advertising to support.
    If the Federal Trade Commission's recommendations for ``notice, 
choice, access, and security'' had been fully implemented in 2000, for 
example, it is doubtful that Google would have had the same success it 
has had over the last decade. It might be a decent, struggling search 
engine today. But, unable to generate the kind of income it does, the 
quality of search it produces might be lower, and it may not have had 
the assets to produce and support fascinating and useful products like 
Gmail, Google Maps, Google Docs, and the literally dozens of author 
products it provides consumers.\28\
    \28\ See Wikipedia ``List of Google products'' page http://
    Not having these things at our fingertips is difficult to imagine--
it is much easier to assume that the Google juggernaut was fated from 
the beginning--but the rise of Google and all the access to information 
it gives us was contingent on a set of circumstances that allowed it to 
target ads to visitors in a highly customized and--to some--privacy-
dubious way.
    As a thought experiment, imagine taking away Google, Facebook, 
Apple's suite of consumer electronics (and the app universe that has 
sprung up within it), and the interactivity that AT&T facilitates. 
Consumers would rightly howl at the loss of richness to their lives, 
newly darkened by privacy. And we would all be worse off as the economy 
and society were starved of access to information.
    All this is just to show that trading on personal information can 
make consumers better off overall. It is not to say that Google or any 
other company is the be-all and end-all, or that public policy should 
do anything to ``prefer'' any company. In fact, the other way that 
privacy regulation might work ``too well'' is by giving today's leading 
firms an advantage against future competitors.
    A ``barrier to entry'' is something that prevents competition from 
entering a market. Barriers to entry often allow incumbents (like the 
established companies joining me at the witness table today) to charge 
higher prices and make greater profits than they otherwise would. 
Common barriers to entry (fair or unfair) include customer loyalty, 
economies of scale, control of intellectual property, and network 
effects, to name a few.
    Government regulation can act as a barrier to entry in a few 
different ways. Aside from direct regulation of entry through licensing 
or grants of monopoly (issues not relevant here), incumbent firms can 
comply with regulations at a lower cost per sales unit. With a staff of 
lawyers already in place, the cost per customer of interpreting and 
applying any regulation are lower for large firms. Whether regulation 
is merited and tailored or not, small competitors ``pay more'' to 
comply with it. Regulation impedes their efforts to challenge 
established firms.
    Established firms can strengthen this dynamic by taking part in 
crafting legislation and regulation. Their lobbyists, lawyers, and 
interest-group representatives--the good people gathered at this 
hearing today--will crowd around and work to protect their clients' 
interests in whatever comes out of the drafting process, here in 
Congress and at whatever agency implements any new law. Small, future 
competitors--unrepresented--will have no say, and new ways of doing 
business those competitors might have introduced may be foreclosed by 
regulation congenial to today's winners.
    In his paper, The Durable Internet,\29\ my colleague, Cato adjunct 
fellow Timothy B. Lee, provides a useful history of how regulatory 
agencies have historically been turned to protecting the companies they 
are supposed to regulate. This would occur if the FCC were to regulate 
Internet service under a ``net neutrality'' regulation regime. It would 
occur if a Federal agency were tasked with protecting privacy. It 
appears to have happened with the Minerals Management Service. The 
dynamic of ``agency capture'' is a mainstay of the regulatory studies 
    \29\ Timothy B. Lee, ``The Durable Internet: Preserving Network 
Neutrality without Regulation,'' Cato Policy Analysis No. 626 (Nov. 12, 
2008) http://www.cato.org/pub_display.php
    Returning to the example of Google and the FTC's proposal for 
comprehensive regulation a decade ago: Had Congress given the FTC 
authority to impose broad privacy/fair information practice 
regulations, companies like Microsoft and Yahoo! may have turned the 
regulations to their favor. Today, the company the produces that most 
popular operating system might still be the most powerful player, and 
we might still be accessing the web through a portal. Consumers would 
be worse off for it.
    For all the benefits today's leading companies provide, there is no 
reason they should not be subjected to as much competition as our 
public policy can allow. The spur of competition benefits consumers by 
lowering prices and driving innovations. Privacy regulation might work 
``too well'' for them, locking in competitive advantages that turn away 
competition and allow them super-normal profits.
    Comparisons between existing companies and future competitors are 
one thing. But a major defect of most proposals for privacy protection 
are their bald omission of an entire category of privacy threat: 

Privacy for Consumers But Not for Citizens?
    Just as people do not have one set of privacy interests for the 
online world and one for offline, they do not have one set of privacy 
interests for commerce and another set for government. The privacy 
protections Americans have as consumers should be made available to 
them as citizens.
    Indeed, given the unique powers of governments--to take life and 
liberty--Americans should have greater privacy protections from 
government than they do from private sector entities.
    Governments thrive on information about people. Personal 
information allows governments to serve their citizenry better, to 
collect taxes, and to enforce laws and regulations. But governments 
stand in a very different position to personal information than 
businesses or individuals. Governments have the power to take and use 
information without permission. And there is little recourse against 
governments when they use information in ways that are harmful or 
    In the modern welfare state, governments use copious amounts of 
information to serve their people. A program to provide medical care, 
for example, requires the government to collect a beneficiary's name, 
address, telephone number, sex, age, income level, medical condition, 
medical history, providers' names, and much more.
    Governments also use personal information to collect taxes. This 
requires massive collections of information without regard to whether 
an individual views it as private: name, address, phone number, Social 
Security number, income, occupation, marital status, investment 
transactions, home ownership, medical expenses, purchases, foreign 
assets. The list is very, very long.
    A third use government makes of personal information is to 
investigate crime and enforce laws and regulations. Governments' 
ability to do these things correlates directly to the amount of 
information they can collect about where people go, what they do, what 
they say, to whom they say it, what they own, what they think, and so 
on. We rely on government to investigate wrongdoing by examining 
information that is often regarded as private in the hands of the 
innocent. It is a serious and legitimate concern of civil libertarians 
that government collects too much information about the innocent in 
order to reach the guilty. The incentives that governments face all 
point toward greater collection and use of personal information about 
citizens. This predisposes them to violate privacy.
    Yet ``consumer privacy'' bills planned and introduced in the 
current Congress do nothing to protect Americans' privacy from 
government. The leading proposals in the House--Rep. Boucher's (D-VA) 
draft legislation and H.R. 5777, the ``BEST PRACTICES Act,'' introduced 
by Rep. Rush (D-IL)--simply exclude the Federal Government from their 
    In fairness, there may be jurisdictional reasons for these 
exemptions, but the hypocrisy would be a little too rank if the Federal 
Government were to impose privacy regulations on the private sector 
while its own profligacy with citizens' information continues.
    If there is to be privacy legislation, the U.S. Congress should 
demonstrate the commitment of the Federal Government to getting its own 
privacy house in order. The Federal Government should practice what it 
preaches about privacy.

    Privacy is a complicated human interest, of that there should be no 
doubt. In this long written testimony I have only begun to scratch the 
surface of the issues.
    People use the word privacy to refer to many different human 
interests. The strongest sense of the word refers to control of 
personal information, which exists when people have legal power to 
control information and when they exercise that control consistent with 
their interests and values.
    Direct privacy legislation or regulation is unlikely to improve on 
the status quo. Over decades, a batch of policies referred to as ``fair 
information practices'' have failed to take hold because of their 
complexity and internal inconsistencies. In the cases when they have 
been adopted, such as in the Privacy Act of 1974, privacy has not 
    Even modest regulation like mandated privacy notices have not 
produced privacy in any meaningful sense. Consumers generally do not 
read privacy policies and they either do not consider privacy much of 
the time or value other things more than privacy when they interact 
    The online medium will take other forms with changing times, and 
regulations aimed at an Internet dominated by the World Wide Web will 
not work with future uses of the Internet, as we are beginning to see 
in handheld devices. Privacy regulations that work ``too well'' may 
make consumers worse off overall, not only by limiting their access to 
content, but by giving super-normal profits to today's leading Internet 
companies and by discouraging consumer-friendly innovations.
    It is an error to think that there are discrete ``online'' and 
``offline'' experiences. Consumers do not have separate privacy 
interests for one and the other. Likewise, people do not have privacy 
interests in their roles as consumers, and a separate set of interests 
as citizens. If the Federal Government is going to work on privacy 
protection, the Federal Government should start by getting its own 
privacy house in order.

                               Appendix I

Privacy Advocates Who Don't Understand Privacy
    In 2006 an engineer working on an experimental WiFi project for 
Google wrote a piece of code that sampled publicly broadcast data--the 
information that unencrypted WiFi routers make available by radio to 
any receiver within range. A year later, this code was included when 
Google's mobile team started a project to collect basic WiFi network 
data using Google's Street View cars.
    When Google discovered this issue, they stopped running their 
Street View cars and segregated the data on their network, which they 
then disconnected to make it inaccessible.\30\ Google announced the 
error to the public and have since been working with European data 
authorities to try to get rid of it. The European authorities are 
making them keep it pending their investigations.
    \30\ See ``WiFi Data Collection: An Update,'' the Official Google 
Blog (May 14, 2010) http://googleblog.blogspot.com/2010/05/wifi-data-
    Now a U.S. advocacy group, tripping over itself to make this a 
Federal issue, has done more to invade privacy than Google did.
    WiFi nodes are like little radio stations. When they are 
unencrypted, the data they send out can be interpreted fairly easily by 
whoever receives the radio signals.
    Radio signals can travel long distances, and they pass through or 
around walls and vehicles, people, shrubs and trees. Broadcasting data 
by radio at the typical signal-strength for a WiFi set-up creates a 
good chance that it is going to travel outside of one's house or office 
and beyond one's property line into the street.
    For this reason, people often prevent others accessing the 
information on Wifi networks by encrypting them. That is, they scramble 
the data so that it is gibberish to anyone who picks it up. (Or at 
least it takes an enormous amount of computing power to unscramble the 
signal.) Most people encrypt their WiFi networks these days, which is a 
good security practice, though it denies their neighbors the courtesy 
of using a handy nearby Internet connection if they need to.
    Even on an unencrypted WiFi network, much sensitive content will be 
encrypted. Transactions with banks or payments on commerce sites will 
typically be encrypted by the web browser and server on the other end 
(the ``s'' in ``https:'' indicates this is happening), so their 
communications are indecipherable wherever they travel.
    Given all this, it's hard to characterize data sent out by radio, 
in the clear, as ``private.'' The people operating these unsecure WiFi 
nodes may have wanted their communications to be private. They may have 
thought their communications were private. But they were sending out 
their communications in the clear, by radio--again, like a little radio 
station broadcasting to anyone in range.
    Picking up the data it did using its Street View cars, Google 
captured whatever it did during the few seconds that the car was in 
range of the unencrypted WiFi node. The flashes of data would be quite 
similar to driving past a row of apartments and seeing snippets of life 
inside whichever apartments had not fully drawn their curtains. Often, 
there is nothing happening at all. Once in a while, there may be a 
flicker of something interesting, but it is not tied to any particular 
    Google never used this useless data. Not a single fact about a 
single identifiable WiFi user has been revealed. No personal 
information--much less private information--got any meaningful 
    But a U.S. advocacy group seeking to make a Federal case of this 
story tripped over its privacy shoelaces in doing so. Apparently, 
researchers for this self-described consumer organization looked up the 
home addresses of Members of Congress. They went to the homes of these 
representatives, and they ``sniffed'' to see if there were WiFi 
networks in operation there. Then they publicized what they found, 
naming Members of Congress who operate unencrypted WiFi nodes.
    If you care about privacy, this behavior is worse than what Google 
did. In its gross effort to rain attention on Google's misdeed, this 
group collected information on identifiable individuals--these Members 
of Congress--and put that information in a press release. That is more 
``stalkerish'' and more exposing of personal information than driving 
past in an automobile picking up with indifference whatever radio 
signals are accessible from the street.
    The behavior of this group is not a privacy outrage. Politicians 
volunteer to be objects of this kind of intrusion when they decide that 
they are qualified to run for Federal elective office. It simply 
illustrates how difficult the ``privacy'' issue is, when a group 
pulling off a stunt to draw attention to privacy concerns does more 
harm to privacy than the ``wrongdoer'' they are trying to highlight.

                              Appendix II

Facebook's ``News Feed'': Consumers Privacy Interests are Unpredictable 
        and Changing
    In September 2006, Facebook--the rapidly growing ``social 
networking'' site--added a feature that it called ``News Feed'' to the 
home pages of users. News Feed would update each user regularly on 
their home pages about the activities of their friends, using 
information that each friend had posted on the site.\31\ ``News Feed'' 
was met with privacy outrage.\32\ In the view of many Facebook users, 
the site was giving too much exposure to information about them.
    \31\ See ``Facebook Gets a Facelift,'' The Facebook Blog (Sept. 5, 
2006) http://blog.facebook.com/blog.php?post=2207967130.
    \32\ See Michael Arrington, ``Facebook Users Revolt, Facebook 
Replies'' TechCrunch (Sept. 6, 2006) http://techcrunch.com/2006/09/06/
    But Facebook pushed back. In a post on the Facebook blog titled, 
``Calm down. Breathe. We hear you,'' \33\ CEO Mark Zuckerberg wrote:
    \33\ ``Calm down. Breathe. We hear you,'' The Facebook Blog (Sept. 
5, 2006) http://blog.

        This is information people used to dig for on a daily basis, 
        nicely reorganized and summarized so people can learn about the 
        people they care about. You don't miss the photo album about 
        your friend's trip to Nepal. Maybe if your friends are all 
        going to a party, you want to know so you can go too. Facebook 
        is about real connections to actual friends, so the stories 
        coming in are of interest to the people receiving them, since 
        they are significant to the person creating them.

    Though Facebook did make some changes, users ultimately found that 
News Feed added value to their experience of the site. Today, News Feed 
is an integral part of Facebook, and many users would probably object 
vociferously if it were taken away.
    This is not to say that Facebook is always right or that it is 
always going to be right. It illustrates how consumers' privacy 
interests are unsettled and subject to change. Their self-reported 
interests in privacy may change--and may change rapidly.
    The Facebook ``News Feed'' example is one where consumers looked at 
real trade-offs between privacy and interaction/entertainment. After 
balking, they ultimately chose more of the latter.
    Consider how well consumers might do with privacy when they are not 
facing real tradeoffs. Consumer polling on privacy generally uses 
abstract questions to discover consumers' stated privacy preferences. 
There is little policymaking value in polling data.\34\ Determining 
consumers' true interests in privacy and other values is difficult and 
complex, but it is taking place every day in the rigorous conditions of 
the marketplace, where market share and profits are determined by 
companies' ability to serve consumers in the best ways they can devise.
    \34\ Jim Harper and Solveig Singleton, ``With a Grain of Salt: What 
Consumer Privacy Surveys Don't Tell Us'' (June, 2001) http://cei.org/
    Some economic studies have suggested how much people value 
privacy.\35\ The goal of privacy advocacy should not be to force 
unwanted privacy protections on a public that does not want them, but 
to convince consumers to value privacy more.
    \35\ Alessandro Acquisti at Carnegie Mellon University has made a 
specialty of studying how consumers value privacy. http://

    The Chairman. Thank you, sir.
    Mr. Dorothy Attwood, Senior Vice President of Public 
Policy, and Chief Privacy Officer, AT&T.




    Ms. Attwood. Thank you, Chairman Rockefeller and Ranking 
Member Hutchison, for providing AT&T, today, with the 
opportunity to participate in this hearing.
    For the 2 billion of us who access the Internet, the 
possibilities are boundless. The Internet is a venue for almost 
every type of human interaction. From love to money, we search 
for it on the Web. Yet, we only have glimpsed the 
possibilities. Digital signals sent from the rubble in Haiti 
enabled relief workers to locate earthquake survivors. Electric 
grids can be organized and managed efficiently, thanks to the 
instant interexchange of information over broadband networks. 
Businesses can cut costs by storing data in the cloud.
    But, these advantages are not guaranteed. At its heart, the 
Internet runs on information shared willingly among its users. 
The continued growth of the Internet, as well as its positive 
social and economic benefits, are dependent upon earning and 
maintaining the trust, of Internet users, that their 
information is being shared in the way they intend.
    When I appeared before this committee 2 years ago, I 
articulated the four pillars of AT&T's approach to our 
customers' privacy: transparency, customer control, privacy 
protection, and consumer value. We urged then, and we continue 
to believe, that these principles can be the foundation of a 
privacy regime applicable to all entities in the online 
ecosystem. Indeed, we're now even more convinced that consumers 
have a consistent set of expectations about their privacy that 
should be met by a consistent standard used throughout the 
    Last summer, AT&T, through an open and inclusive rollout 
process that incorporated a 45-day preview period and comments 
from our customers, adopted a new plain-language privacy policy 
that applies to all AT&T services. In consolidating 17 policies 
into one, we recognized that, when it came to privacy, our 
customers' expectations are the same, regardless of the nature, 
let alone the legacy regulatory classification, of the services 
they purchase. They want their privacy to be respected and 
regard the information they share as theirs to govern.
    AT&T has also emphasized ``privacy by design'' as a means 
of increasing transparency and the availability of privacy-
enhancing technologies by ensuring these features are built in 
at the outset, rather than added on as an afterthought. For 
example, earlier this year we added an ``Advertising Choices'' 
link onto our yp.com website that explains our use of what 
customers search for on yp.com to target ads to users elsewhere 
on the Internet, tells them how to opt-out of their use of that 
information, and how to locate the interest category or profile 
manager that we developed.
    We also launched an advertising-supported social-networking 
recommender site called ``buzz.com.'' Users cannot join this 
information-sharing site without first establishing their 
privacy preferences. We provide additional notice about 
information-sharing on the site through a separate link, and we 
call it what it is, ``information sharing,'' not ``privacy.''
    Other industry groups have, likewise, made important 
progress in standardizing the users' experience so they can 
better understand the use of their online information for 
targeted advertising. The IAB has unified the presentation of 
the NAI opt-out tool and adopted an icon that will be used 
throughout the industry. AT&T is building on this momentum by 
working with better advertising to trial inclusion of the icon 
in certain of its ads, and with TRUSTe on behavioral 
advertising pilot seal program.
    We believe the industry should press even further, however, 
and develop a trust framework that enables the interoperability 
of permissions. With this framework, entities throughout the 
Internet ecosystem could cooperate in a back-office way to 
honor the information-sharing preferences of the customer.
    Such an approach can be likened to banking, where consumers 
initiating fund transfers are not involved in the details of 
when and how the automated clearinghouse handles the actual 
money transfers, but they have every confidence that their 
money goes where they intend.
    As detailed in my written testimony, groundbreaking work on 
such a trust-based ecosystem is already underway. It's easy to 
misinterpret the ease with which personal information is shared 
to mean that those sharing information are unconcerned about 
privacy. We don't think that's accurate. Privacy on the 
Internet is not the inverse of security, but, instead, it's 
about the creation and maintenance of an online identity. And 
consumers want control over the creation and sharing of that 
identity. We've seen, time and again, that users choosing to 
share their information is entirely different from companies 
choosing to share information about their users.
    It's beyond question that consumer information is the 
bedrock of online advertising, which, in turn, fuels a great 
deal of Internet investment and innovation. At the same time, 
we need to address the fundamental issue of how to preserve 
customer confidence and trust in the Internet. Working 
together, government and industry must take the bold step of 
moving beyond a balkanized system of notice and consent to a 
truly consumer-centric framework for information-sharing that 
will grow trust and confidence and keep the economic engine of 
the Internet running through successive decades of innovation.
    Thank you.
    [The prepared statement of Ms. Attwood follows:]

     Prepared Statement of Dorothy Attwood, Senior Vice President, 
           Public Policy and Chief Privacy Officer, AT&T Inc.

    Thank you, Chairman Rockefeller and Ranking Member Hutchison, for 
providing AT&T with another opportunity to participate in a thoughtful 
examination of how consumer information is shared in the online world 
and what role those doing the sharing have in creating a comprehensive, 
consumer-centric approach to online privacy.

    For those of us who access the Internet--perhaps 2 billion people 
worldwide--the online possibilities are boundless. It is a venue for 
almost every type of human interaction or transaction. We can connect 
with old friends and meet new ones, purchase every imaginable good or 
service, find answers to almost every question, do business with our 
bank, exchange health information with our doctor, access libraries, 
get services from the government, communicate with political leaders, 
organize social events, mobilize a community, or facilitate disaster 
recovery. From love to money, we search for it on the Web.
    Yet, for all that we already do on the Internet, we have only 
glimpsed the possibilities. Digital signals from the earthquake rubble 
of Haiti enabled relief workers to locate survivors, direct food and 
medicine delivery, and map transportation options to expedite emergency 
efforts. GPS data from wireless networks can be assembled to observe 
the flow of people, services, and cars so that urban planners can build 
more livable cities. Electric grids and other infrastructure can be 
organized and managed for efficiency thanks to the instant exchange of 
information over broadband networks. Businesses can cut costs by 
storing data in the cloud or use Web data to create tailored services 
for their customers.
    But these advances are not guaranteed. At its heart, beyond the 
computing power, software and backbone networks, the Internet runs on 
information shared willingly among its users. This sharing requires 
confidence and trust that the personal information we provide is safe 
from abuse and will be used in ways that we approve. Even in a digital 
world, most people continue to value their privacy--although they may 
approach their privacy differently from the way they did before the 
Internet entered our lives. Thus, the continued growth of the Internet, 
and the positive social and economic benefits of that growth, are 
dependent upon earning, maintaining and preserving the confidence and 
trust of Internet users worldwide that their information is being 
shared in the way they intend.

Online Privacy: Where We Started and What We've Learned
    Two years ago when I appeared before this committee, I articulated 
the four pillars of AT&T's approach to our customers' privacy: 
transparency, consumer control, privacy protection and consumer value--
all designed to create and preserve our customers' trust. We urged 
then, and we continue to believe, that these principles can be the 
foundation of a consistent regime applicable to all entities in the 
online ecosystem that inspires trust in users worldwide. At the same 
time we have learned through practical experience that, as good as the 
various individual privacy efforts and consensus best practices are, 
more concerted activity is needed across the entire Internet ecosystem. 
Consumers have a consistent set of expectations about their privacy 
wherever they go online, regardless of which portals they enter and the 
number of places they visit. In light of this, there ought to be 
consistent standards to meet those expectations throughout the Internet 
ecosystem. We are even more convinced today that the changing Internet 
marketplace requires a privacy regime that moves beyond the current 
patchwork of ad hoc practices for providing notice and obtaining 
consent to an interoperable framework--one in which a customer's 
consents and preferences are honored throughout the Internet ecosystem.

Transparency and Customer Control
    Since I last testified before this Committee, AT&T and others in 
the industry have developed a variety of innovative solutions that are 
the essential steppingstones to the next phase in the evolution of 
online privacy practices. For example, last summer AT&T, through an 
open and inclusive roll-out process that specifically incorporated a 
45-day preview period and comments from our customers, adopted a new, 
simplified, plain language privacy policy that applies to all AT&T 
services. Companies everywhere have come to the realization that 
privacy policies need to be readable and understandable, and we're 
especially proud of the way we have implemented transparency and 
control at the very outset of our customer relationship.
    In consolidating 17 separate written company privacy policies into 
a single, unified, easy-to-understand AT&T privacy policy, we 
recognized that there was no reason for treating AT&T Mobility customer 
relationships different from AT&T U-Verse customer relationships or 
AT&T Long Distance customer relationships--and on down the line. Our 
customer's privacy expectations are the same regardless of the nature, 
let alone legacy regulatory classifications, of the services they 
purchase from us. Our experience as the leading communications company 
in America with a diverse wireless, wireline, and video portfolio, 
combined with our experience as a major online advertiser, a website 
publisher, and Internet service provider, helped us to appreciate that 
customers not only want a clear understanding of how they can control 
the sharing of their personal information, but they want their 
expectations honored consistently regardless of what they do or where 
they go online. Bottom line, our Internet users want their privacy to 
be respected, and regard the information they share as theirs to 

AT&T's Innovation Through Privacy By Design
    AT&T has also emphasized bringing privacy-enhancing technologies to 
consumers through the roll out of new products, including the online 
advertising space, where we have actively improved our transparency as 
an advertiser and publisher. We apply these principles at the start of 
product development and strategy by embedding transparency and control 
features into the product itself, not as an add-on or afterthought. We 
have added an ``advertising choices'' link on our ``YP.com'' yellow 
pages website that explains how and where we use what consumers search 
for on YP.com to target ads to users elsewhere on the Internet. This 
link also explains to users how to opt-out as well as how to discover 
the ``interest'' category--or profile manager--that we have developed, 
and permits users to modify that profile. Essentially, we offer 
customers the ability to view and edit the interest categories that we 
have associated with them and a simple process for them to choose not 
to be targeted in this way.
    We have also launched an advertisement-supported social networking 
``recommender'' site that we call ``Buzz.com.'' Buzz.com combines 
aspects of social networking with local search, so that users can 
search local listings for a restaurant or a doctor and get 
recommendations from people that users know as well as from other 
Buzz.com users in general. Because the site is based upon information 
sharing, users cannot join the site without first establishing their 
privacy preferences. We provide notice to our customers beyond the 
official notice in the general privacy policy through a separate link 
entitled ``Things you should know about how your information is shared 
on buzz.com.'' Indeed, we call it what is--information sharing not 
privacy--and go the extra mile to explain the details of the 
information sharing that takes place. Specifically, we give our 
customers a number of choices that permit them to control the scope and 
extent of that information sharing during the initial registration 
process. We explain the different levels of information sharing in 
plain language and make clear that ``anonymous'' postings may not 
always stay that way, so that customers are not surprised down the 
    We believe these new capabilities not only represent an example of 
an industry best practice but also demonstrate that technological 
innovations can and do occur when firms embrace privacy by design--that 
is, when they design their customer facing offerings in a way that 
provides both transparency and meaningful tools to control whether and 
how their information is shared. For example, providers of location-
based services have demonstrated that functional integration of 
customer permissions can spur the acceptance of these new services. 
Indeed, location-based services continue to grow and incorporate 
consumer permission processes into the sign up and use of the service 
itself. Importantly, CTIA has established best practices and guidelines 
for entities that provide location-based services, including mobile 
operators, device manufacturers and applications developers that 
encourage industry-wide adoption of robust permission-based approaches 
as well as further innovations in privacy enhancing technologies.

Ecosystem Evolution of Online Privacy
    Other industry groups have likewise come together to make important 
progress in standardizing, clarifying and simplifying the user's 
understanding and control of how their online experience is used for 
targeted advertising. For example, the Internet Advertising Bureau has 
unified the presentation of the NAI opt-out tool, and adopted an icon 
that will be used throughout the industry to increase transparency. 
AT&T is helping to build on this momentum by working with Better 
Advertising to trial inclusion of the icon in certain of its ads, and 
by participating with TRUSTe on its behavioral advertising pilot seal 
program, which is designed to give customers confidence that their 
privacy trust is well placed. All of these steps represent important 
progress toward an ecosystem-wide approach based on customer engagement 
and the ultimate goal of giving customers the tools necessary to manage 
their online identity in one place, at one time, so that their 
preferences are respected wherever they travel on the Internet.
    Building on this progress, we believe the industry, which has 
innovation in its very DNA, should press even further and develop a 
trust framework that enables the ``interoperability of permissions.'' 
With this framework, entities throughout the Internet ecosystem could 
cooperate in a ``back-office'' way to honor the information sharing 
preferences of the customer. Such an approach can be likened to the 
existing process in banking, where consumers initiating fund 
transactions are not involved in the details of when and how the 
automated clearing houses handle the actual money transfers, but have 
every confidence that their money goes when and where they intend.
    Ground-breaking work on such a trust based ecosystem is already 
underway. For example, a draft White House report made public in June 
maps out a framework for ``trusted identities in cyberspace'' and 
suggests a ``user-centric model'' based around individual preferences. 
Private entities are working on user-centric identity management tools 
(``IDM tools'') that give consumers the opportunity to decide how much 
of their identity to reveal, when and to whom. The two most prominent 
IDM tools, ``OpenID'' and ``Information Cards'' put the user in control 
of identity-based interactions and potentially provide a uniform user-
driven approach to data collection and use. In addition, private 
companies are developing other technologies--browser controls, widgets 
and downloads--that will enable users to set and manage their privacy 
preferences. Firefox, for example, offers consumers a browser add-on 
that protects and automatically updates opt-out settings, including 
flash cookie controls. Tracker Watcher, another browser add-on, offers 
users a way of identifying companies that track consumer online 
    These tools have the potential to improve users' online experience 
and enhance privacy. For example, IDM tools have the potential to be 
used to establish privacy preferences, minimize the disclosure of 
personal, identifying information, enhance user choice about the nature 
and amount of data to be shared, and expand users' say regarding the 
timing and manner of updating and withdrawing data. Such tools also 
could provide websites with a secure, standardized means of 
authenticating users.

    It is easy to misinterpret the ease with which personal information 
is shared to mean that those sharing information are unconcerned about 
privacy. We don't think that is accurate. Privacy is a more multi-
dimensional idea on the Internet. It is not the inverse of security, 
but instead is about the creation and maintenance of an online 
identity--and consumers want control over how they present themselves 
online, and with whom and where they share information. We have seen 
time and again that users choosing to share their information is 
entirely different from companies choosing to share information about 
their users.
    Policy makers and industry should work together to promote an 
Internet that promotes permission-based, user-driven sharing of 
information in a safe and secure environment. It is beyond question 
that consumer information is the bedrock of online advertising, and 
that online advertising fuels a great deal of the investment and 
innovation across a wide range of Internet activities, providing the 
revenue that enables consumers to continue to enjoy a myriad of free 
and discounted services. Indeed, website publishers continue to make 
most of their money from advertising, which in turn funds the breadth 
and diversity of today's Internet content and information that is, in 
most cases, made available to consumers for free. At the same time, the 
lack of consumer trust in the Internet threatens to undermine the 
American economy. So we are back to the fundamental bedrock issue of 
how to preserve consumer confidence and trust in the Internet. Working 
together, government and industry must take the bold step of moving 
beyond a balkanized system of notice and consent regimes that seem more 
about the entities that are collecting consumer information than the 
rights of consumers in controlling that information. By doing so, we 
can maintain the consumer trust and confidence that will keep the 
economic engine of the Internet running through successive decades of 

    The Chairman. Thank you very much.
    And finally, Professor Joseph Turow, who's--at the 
Annenberg School for Communication.
    Mr. Turow. Thank you.
    The Chairman. We welcome you back.

               STATEMENT OF JOSEPH TUROW, Ph.D.,




    Mr. Turow. Thank you. Thank you, Chairman Rockefeller and 
the other committee members, for providing me the----
    The Chairman. Turn your mic on.
    Mr. Turow.--for providing--oh, sorry--for providing me the 
opportunity to contribute to this discussion. I'd like----
    The Chairman. You know what----
    Mr. Turow.--to highlight----
    The Chairman.--you're still a little hard to hear.
    Mr. Turow. Sorry.
    The Chairman. That's because you're off the end of the 
    Mr. Turow. Yes. Well--OK. I would like to highlight----
    The Chairman. There we go.
    Mr. Turow.--four points of my written testimony.
    The first is, we have a whole new world here. And, Chairman 
Rockefeller, your beginning statement, I think, really 
exemplified what's going on. It used to be that media firms 
sold segments of large populations through media outlets. 
Today, a detailed level of knowledge about people and their 
behaviors are being used in ways that were unheard of just a 
few years ago. It's now increasingly common to buy the right to 
deliver an ad to a person with specific characteristics at the 
precise moment that that person loads a web page. In fact, 
through cookie-matching activities, an advertiser can actually 
buy the right to reach someone on an exchange whom the 
advertiser knows--from previous contacts, and is now tracking 
around the Web.
    Point two: Industry claims of anonymity undermine the 
traditional meaning of the word ``anonymity.'' If a company can 
follow your behavior in the digital environment, and that 
includes the mobile phone and, potentially, your television 
set, its claim that you're anonymous is meaningless. Because we 
live so much of our lives in the digital arena, if they know 
I'm Joseph Turow or X53ZV, it doesn't matter, because they're 
following me and presenting me with certain views of the world.
    And more and more, we have a cavalcade of companies that 
are contributing. Not just the companies, the big firms that 
are here; companies that--just off the top of my head, eXelate, 
Rapleaf, BlueKai, Experian, Medicx Media Solutions--that 
contribute data they hold that can create quite a detailed 
picture of us, but we don't know it, and we don't give our 
permission about it, and sometimes may even harm our 
reputation. So, essentially, reputations are being created 
    Point three: People care a lot about data collection, but 
don't know what's going on. National surveys I've conducted at 
the Annenberg School since 1999 consistently show that, in 
large proportions, American adults do not understand how the 
new data-based marketing process that take place behind their 
screens work. And we found that over and over again. Privacy 
policies don't help.
    And I hate to be a negativist, but I'm very concerned that 
the box we've been talking about could bring the kind of 
problems that we've heard about regarding privacy policies.
    It's clear to me, for example, that newer tools, sometimes 
called ``dashboards,'' are counterproductive in some cases. 
These are tools, as we've heard, that firms, such as Google, 
provide for consumers to learn what the companies know about 
them. The reason dashboards are counterproductive, so far, is 
that they provide visitors with the incorrect impression that 
they fully reveal the information advertisers use to address 
them on those sites.
    I'd like to suggest to the Senators that they ask the 
Google representative whether the data available about us in 
the Google Display Network are really limited by what shows up 
about us on Google's Dashboard.
    The Annenberg study I mentioned also show consistently that 
Americans know their activities are being followed online, and 
are deeply uncomfortable and concerned about it.
    A recent national survey I conducted with researchers at UC 
Berkeley Law School showed, emphatically, that Americans don't 
want a situation where content is tailored for them based on 
the firm's use of their data without their knowing it. 
Unfortunately, the situation they don't want is getting worse.
    And so, I would suggest that the emerging digital world 
raises serious consumer protection issues. When companies track 
people without their knowledge, sell their data without their 
knowledge or permission, and then decide whether they are, in 
the words of the industry, ``targets'' or ``waste,'' we have a 
social problem. If it's allowed to fester, and when Americans 
begin to realize how it pits them against others in the ads 
they get, the discounts they receive, the TV Guide suggestions 
they're going to get, and the news stories they confront, and 
even the offers that they get relating to other parts of the 
world, we're in a situation--for example, in the supermarket--
they'll get even more disconcerted and angry than they are now.
    So, we have to move from the current marketing regime that 
uses information with abandon, where people's data are being 
sliced and diced to create reputations for them that they don't 
know about and might not agree with, to a regime that acts 
toward information with respect. That is where marketers 
recognize that people own their data, have rights to know where 
all their data are collected and used, and should not have to 
worry, when they travel through the media world, that their 
actions and backgrounds will cause them unwarranted social 
discrimination regarding what they later see and hear.
    So, I suggest that, to help the public, Congress should 
recognize that certain aspects of this new world raise serious 
consumer protection issues, and act with that in mind. One path 
might be to limit the extensiveness of data, or clusters of 
data, that a digital advertiser could keep about an individual 
or household.
    Some industry organizations resist such suggestions, 
depicting scenarios of Internet doom if Congress moves forward 
with privacy regulations regarding digital platforms. But, in 
the face of Americans' widespread concerns about the 
exploitation of their data, a level regulatory playing field, 
in the interests of privacy, will actually have the opposite 
effect. It will increase public trust in online actors and set 
the stage for new forms of commercial competition from which 
industries and citizens will benefit.
    And I thank the Committee for inviting me. Look forward to 
your questions.
    [The prepared statement of Mr. Turow follows:]

    Prepared Statement of Joseph Turow, Ph.D., Robert Lewis Shayon 
  Professor of Communication, The Annenberg School for Communication, 
                       University of Pennsylvania

    I thank Chairman Rockefeller, Ranking Member Kay Bailey Hutchinson 
and the other committee members for providing me the opportunity to 
contribute to this discussion. As a professor at the University of 
Pennsylvania's Annenberg School for Communication, I have been 
conducting research and writing about new media and marketing for over 
two decades. In addition to many articles, I have written two books 
directly on the topic and co-edited two others. I am currently 
finishing a book about digital marketing for Yale University Press.
    I come to this hearing as a media sociologist who cares deeply 
about Americans' ability to trust the companies we deal with, to get 
along with each other, and to believe that the government will protect 
us when we cannot protect ourselves. Each of these values is being 
threatened by the data policies of companies throughout our media 
system. Let me explain in four points.
    Point 1: We have a whole new world here. Prior to the digital 
revolution, marketers used media such as newspapers, magazines, radio, 
outdoor boards, and television to reach out to segments of the 
population. Marketers typically learned about these audience segments 
by using data from survey companies that polled representative portions 
of the population via a variety of methods, including panel research. 
Less commonly, they sent questionnaires to people they knew were 
readers or listeners.\1\
    \1\ See, for example, Joseph Turow, Breaking Up America: 
Advertisers and the New Media World (Chicago: University of Chicago 
Press, 1997), pp. 18-37.
    The emerging new world is dramatically different.\2\ Instead of 
large populations and population segments as audiences, advertisers now 
expect media firms to deliver to them very particular types of 
individuals--and increasingly particular individuals--with a detailed 
level of knowledge about them and their behaviors that was unheard of 
even a few years ago. Special online advertising exchanges, owned by 
Google, Yahoo!, Microsoft, Interpublic and other major players, allow 
for the auction of individuals with particular characteristics often in 
real time. That is, it is now possible to buy the right to deliver an 
ad to a person with specific characteristics at the precise moment that 
the person loads a web page. In fact, through cookie matching 
activities, an advertiser can actually buy the right to reach someone 
on an exchange whom the advertiser knows from previous contacts and is 
now tracking around the web.
    \2\ For a historical overview, see Joseph Turow, Niche Envy: 
Marketing Discrimination in the Digital Age (Cambridge: MIT Press, 
2006), pp. 44-98.
    Point 2: Industry claims of anonymity undermine the traditional 
meaning of the word. With the activities just described has come a new 
vocabulary that reflects potentially grave social divisions and privacy 
issues. Marketers talk about people as targets and waste. Increasingly, 
they offer individuals different products and discounts based on ideas 
marketers have gleaned about them without their knowledge. These social 
differentiations are spreading from advertising to information, 
entertainment and news, as media firms try hard to please their 
sponsors. Marketers also use words like anonymous and personal in ways 
that have lost their traditional meaning. If a company can follow your 
behavior in the digital environment--and that potentially includes the 
mobile phone and your television set--its claim that you are anonymous 
is meaningless. That is particularly true when firms intermittently add 
offline information to the online data and then simply strip the name 
and address to make it ``anonymous.''
    The business arrangements that use this new language are 
transforming the advertising and media landscapes. Companies track 
people on websites and across websites with the aim of learning what 
they do, what they care about, and whom they talk to. Firms that 
exchange the information often do keep the individuals' names and 
postal addresses anonymous, but not before they add specific 
demographic data and lifestyle information. Here are just three 

   eXelate is a leading targeting exchange with the motto 
        ``data anywhere. audience everywhere.'' \3\ It determines a 
        consumer's age, sex, ethnicity, marital status, and profession 
        by partnering with websites to scour website registration data. 
        It also tracks consumer activities online to note, for example, 
        which consumers are in the market to buy a car or are fitness 
        buffs, based on their Internet searches and the sites they 
        frequent. It sells these packages of information about 
        individuals as cookie data so advertisers can target them.\4\
    \3\ http://exelate.com/new/index.html , accessed July 23, 2010.
    \4\ See the exelate website: http://exelate.com/new/index.html , 
accessed July 23, 2010.

   Rapleaf is a firm that says it helps marketers ``customize 
        your customers' experience.'' \5\ To do that, it gleans data 
        from individual users of blogs, Internet forums, and social 
        networks. It uses ad exchanges to sell the ability to reach 
        those individual cookies. The company says it has ``data on 
        900+ million records, 400+ million consumers, [and] 52+ billion 
        friend connections.'' \6\
    \5\ http://www.rapleaf.com/, accessed July 23, 2010.
    \6\ Rapleaf, Webinar on ``How to Market to Your Influencers,'' 
3530390 (slide 3), accessed July 23, 2010.
    A company called Medicx Media Solutions links ``HIPAA certified 
medical and pharmacy insurance claims data'' \7\ for tens of millions 
of Americans to information about them from information suppliers such 
as Experian as well as from health surveys people fill out. Even though 
Medicx cannot tie the data to particular individuals, it does retain an 
ability to connect the medical, pharmacy, and survey findings to ZIP+4 
postal clusters of 3-8 homes where, it says, ``the incidence of any 
specific disease is three (3) to twenty (20) times what it is in the 
general population.'' \8\ To reach these patients for advertisers, 
Medicx licenses millions of cookies with ZIP+4 data and then serves its 
clients' display ads to cookied individuals in the targeted ZIP+4 
areas. The people receiving the ads about specific medical concerns 
would have no clue how they got them.
    \7\ [No author], ``Mindset Marketing Solutions Debuts Zip+4 
Geomedical Targeting With Launch of geoMEDICX,'' PRWeb, November 7, 
2008, http://www.prweb.com/releases/2008/11/prweb
    \8\ [No author], ``Mindset Marketing Solutions Debuts Zip+4 
Geomedical Targeting With Launmch of geoMEDICX,'' PRWeb, November 7, 
2008, http://www.prweb.com/releases/2008/11/prweb1576174.htm.
    Point 3: People care a lot about data collection but don't know 
what is going on: What I have just described is the tip of an iceberg 
of what goes on behind Americans' screens. National surveys that I have 
conducted since 1999 consistently show that in large proportions 
American adults know their activities are being followed online and are 
deeply uncomfortable and concerned about it.\9\ It is also quite clear 
from our surveys and other research that Americans do not understand 
how the processes that surround them work. Few people read privacy 
policies, and they are in any event uniformly turgid and ambiguous. 
Some firms provide cookie deletions as a solution to targeting (though 
not tracking), but marketers and media firms are increasingly finding 
ways to get around the deletion of cookies. In addition tools sometimes 
called dashboards that firms such as Google provide for consumers to 
learn what the companies know about them are counterproductive. That is 
because they provide visitors with the incorrect impression that the 
tools fully reveal the information advertisers can use to address them 
on those sites. I'd like to suggest to the senators that they ask the 
Google representative whether the data available about us in the Google 
Display Network are really limited by what shows up about us on 
Google's dashboard.
    \9\ See, for example, ``The Internet and the Family: The View from 
Parents, the View from the Press.'' A Report from the Annenberg Public 
Policy Center of the University of Pennsylvania under the direction of 
Joseph Turow, May 1999, 42 pp; Joseph Turow and Lilach Nir, ``The 
Internet and the Family 2000: The View From Parents, the View from 
Kids.'' A Report from the Annenberg Public Policy Center of the 
University of Pennsylvania, 35 pp; ``Americans and Online Privacy: The 
System is Broken.'' Report of the Annenberg Public Policy Center, June 
2003; Joseph Turow, ``Open to Exploitation: American Shoppers Online 
and Offline,'' Report of the Annenberg Public Policy Center, June 2005. 
These are available on the Annenberg Public Website: http://
www.annenbergpublicpolicycenter.org/AreaDetails.aspx?myId=2. See also 
Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley, and 
Michael Hennessy, ``Americans Reject Tailored Advertising and Three 
Activities That Enable It,'' Annenberg School for Communication (U of 
Pennsylvania) and Berkeley School of Law (U California, Berkeley), 
November 2009 http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=1478214 ; and Chris Jay Hoofnagle, Jennifer 
King, Su Li, and Joseph Turow (listed in alphabetical order), ``How 
Different are Young Adults from Older Adults When It Comes to 
Information Privacy Attitudes and Policies?'' April 16, 2010. http://
    Point 4: The emerging digital world raises serious consumer 
protection issues. There are many great things about the new media 
environment. But when companies track people without their knowledge, 
sell their data without their knowledge or permission, and then decide 
whether they are, in the words of the industry, targets or waste, we 
have a social problem. A recent national survey I co-conducted showed 
emphatically that Americans don't want this type of situation.\10\ If 
it's allowed to fester, and when they begin to realize how it pits them 
against others in the ads they get, the discounts they receive, the TV-
guide suggestions and news stories they confront, and even the offers 
they receive in the supermarket, they will get even more disconcerted 
and angry than they are now. They will further distrust the companies 
that have put them in this situation, and they will be incensed at the 
government that has not helped to prevent it. A comparison to the 
financial industry is apt. Here was an industry engaged in a whole 
spectrum of arcane practices not transparent to consumers or regulators 
that had serious negative impact on our lives. It would be deeply 
unfortunate if the advertising system followed the same trajectory.
    \10\ Americans Reject Tailored Advertising and Three Activities 
That Enable It,'' Annenberg School for Communication (U of 
Pennsylvania) and Berkeley School of Law (U California, Berkeley), 
November 2009. http://papers.ssrn.com/sol3/
    We must move from the current marketing regime that uses 
information with abandon--where people's data are being sliced and 
diced to create reputations for them that they don't know about and 
might not agree with--to a regime that acts toward information with 
respect. That is where marketers recognize that people own their data, 
have rights to know where all their data are collected and used, and 
should not have to worry when they travel through the media world that 
their actions and backgrounds will cause them unwanted social 
discrimination regarding what they later see and hear.
    Until recently, I believed that educating publics about data 
collection and giving them options would be sufficient to deal with 
privacy issues related to advertising. I have come to realize, though, 
that Americans don't have and will not acquire the complex knowledge 
needed to understand the increasing challenges of this marketplace. 
Opt-out and opt-in privacy regimes, while necessary, are far from 
sufficient. The reason is that people will often have neither the time 
nor ability to make proper cost-benefit evaluations of how sites and 
marketers use their data under various opt-in or opt-out choices.
    To help the public, Congress should recognize that certain aspects 
of this new world raise serious consumer protection issues and act with 
that in mind. One path is to limit the extensiveness of data or 
clusters of data that a digital advertiser can keep about an individual 
or household. Some industry organizations resist such suggestions, 
depicting scenarios of Internet doom if Congress moves forward with 
privacy regulations regarding digital platforms. But in the face of 
Americans' widespread concern about the exploitation of their data, a 
level regulatory playing field in the interest of privacy will actually 
have the opposite impact. It will increase public trust in online 
actors and set the stage for new forms of commercial competition from 
which industries and citizens will benefit.
    I want to thank the Committee for inviting me today.

    The Chairman. Thank you for that.
    I'm going to start with Senator Kerry, who is the Chairman 
of the Subcommittee on Telecommunications, which is really over 
all of this.
    Senator Kerry.

               STATEMENT OF HON. JOHN F. KERRY, 

    Senator Kerry. Mr. Chairman, thank you. And I appreciate 
your having this hearing, a very, very important topic.
    And I'm sorry that I wasn't able to be here for the first 
panel, as we went over to vote and, unfortunately, wound up--
the vote slid backward. So, here we are.
    But, I appreciate all of the members of this panel coming 
    Professor Turow, I appreciate your comments, just now.
    I would say--I think it's fair to say that right now there 
is a lot of confusion and a lot of anxiety among the public at 
large about what power they have over the collection of 
information--and over their lives, in the end--and how it all 
is managed. And it's not just the commercial component of it, I 
think, but the information that is being collected sometimes--
it might be incorrect, it might be out of context; or it may be 
correct and in context, but lasts longer in the marketplace, if 
you will, than people might want it to, without the ability to 
explain it or to make up for some youthful transgression; or 
whatever it is that the information represents. And it could be 
meant for a specific audience and misunderstood if it's 
specifically, sort of, broadly distributed. And that can lead 
to harm, even to loss of job, loss of job opportunity.
    Let's say, for instance, you had a cancer patient who 
communicates through a network--a support network of cancer 
patients. And somehow that enters into--with e-mail or reaches 
some other source, and it winds up becoming a source of herbal 
cures being sent to her, or some other kind of information that 
suddenly, sort of, tracks in. That may not be the way that 
cancer patient wants to lead their life. It may not be the way 
they want to be identified. It may be that their insurance 
rates go up because some of the information gets out to 
somebody. Maybe they'll lose a job opportunity, conceivably. 
But, who knows.
    The bottom line is this. You know, we sat on this 
committee--I remember these conversations, 10 years ago, when 
Senator Hollings and we tried to pass a broadbased distribution 
of privacy rights. We couldn't do it. And we've learned a lot 
since then about, sort of, what happens. And I'd like to ask a 
few specific questions regarding some of that, if I may.
    Let me just ask you, first of all, Professor Turow, What do 
you think about this ``no harm, no foul'' school of 
enforcement? Does that do what we need to do? Does that provide 
a adequate standard by which we ought to live, here?
    Mr. Turow. As I was trying to suggest in my talk, ``harm'' 
is a very difficult concept. Sometimes, as you suggested, we 
can find harms. Sometimes we can quantify harms. I think the 
law would like to, historically, find harm that we can quantify 
monetarily, even. But, we're dealing with issues, often, of 
reputation, here. And we're dealing with, I would even argue, 
issues of respect and of social cohesion. So, I think we have 
to go a bit farther afield in looking at harm in the historical 
way that we've thought about it.
    Senator Kerry. Well, let me see if I can pin that down a 
little bit. Mr. Taylor, at Facebook, you guys have crossed the 
500 million users worldwide. And I think you've got more than 
130 million in the United States. How many people at Facebook 
work on privacy issues and design?
    Mr. Taylor. Everyone at Facebook works on privacy issues 
and design. Like security, privacy is a central part of our 
product planning and design process. So, during every aspect of 
the product's design and prototyping process, privacy is an 
aspect of discussion.
    Senator Kerry. Is it accurate or inaccurate that, at 
Facebook, for instance, when a privacy concern mounts, or 
there's a modification of service somehow, that you change a 
practice that effectively can increase the amount of 
information that users share with others. Users then express 
concern about that, conceivably. You modify that practice 
somewhat, but the process sort of repeats itself. And it's a 
viral spreading of the same practice, in essence, the same 
gathering of information, even though there's a slight 
modification. Is that----
    Mr. Taylor. Well, I just want to clarify one thing, that we 
have--we never retroactively have changed people's settings. 
There have been points where we have transitioned from one set 
of--I'll just give you one practical example, since this is 
somewhat abstract.
    When Facebook started expanding from college networks to 
the whole world, there was no notion of--at the time, everyone 
signed up as a member of a university, and so we needed to 
expand that notion to beyond universities. So, we made networks 
for entire countries. So, everyone who joined from the country 
of Turkey joined the Turkish regional network. At some point, 
it became sort of a meaningless distinction, because sharing 
with the entire country of Turkey is roughly equivalent to 
sharing with everyone in the world. So, when we got rid of 
regional networks and we were modifying the way privacy worked 
on Facebook, every single one of our users went through a 
wizard that--where they got to choose the new setting, because, 
for example, that particular type of setting had gone away.
    Senator Kerry. If you drop out or change your setting, does 
the old--is--what happens to the old information? How long is 
that kept?
    Mr. Taylor. What do you mean by ``old information''?
    Senator Kerry. Well, if you change it, is it lost forever 
in your main depot of information, in your mainframe or 
whatever your storage mechanism is, or is it--I mean, you still 
can operate and use it?
    Mr. Taylor. So, any information that you publish to 
Facebook, you can remove; and anytime you change a privacy 
setting to something, you can easily change it later, and it 
applies to all of the information you've published.
    Senator Kerry. But, do you keep the--do you still have the 
information? Even though it's changed, in terms of the 
presentation on the Internet, on Facebook, do you have that 
    Mr. Taylor. By ``that,'' you mean the privacy setting? Or--
    Senator Kerry. Whatever was there before.
    Mr. Taylor. Well, absolutely, if a user publishes a photo 
to Facebook, we consider it an obligation to retain that photo 
unless they choose to delete it, because it's a user's photo 
and a meaningful part of their lives.
    Senator Kerry. If they delete it, is it deleted from your 
    Mr. Taylor. That's correct, yes.
    Senator Kerry. It is. And all other information, likewise, 
if it got changed?
    Mr. Taylor. If--we've tried to take a very proactive 
approach with privacy. Today, if you went to your Facebook 
privacy page and you set your privacy setting to ``Friends 
Only,'' it would not only apply it to all future things that 
you share, but all things you had previously shared, as well. 
So, we've tried make it easy to not only--not only to enable 
people to change the--their privacy settings, but to enable 
them to change decisions they made in the past, as well.
    Senator Kerry. Final question. I know I've gone over my 
time, but----
    The Chairman. Go ahead.
    Senator Kerry. Do you have the ability to cull from that 
information? Do you have the ability to, sort of--is there some 
formula by which you can commercially scan the information 
that's there and make some kind of determinations?
    Mr. Taylor. Our exclusive focus at Facebook is the 
information users have explicitly decided to share on their 
profile. One thing that's fairly unique about Facebook is that 
it has been, from its inception, a service for sharing.
    People put information in their Facebook profile because 
they want to share it with their friends.
    Senator Kerry. I understand that----
    Mr. Taylor. Yes.
    Senator Kerry.--but do they want to share it with you in a 
way that you can, sort of, cull it and use it for various kinds 
of statistical analysis or broadbased breaking people up into 
categories and then putting them out and marketing something to 
them? Do you do that? Or can you?
    Mr. Taylor. So, there are sort of two parts to that 
question in my head. One is--I just want to make sure it's 
clear--Facebook never sells data to third parties, and never 
sells data to advertisers, without question.
    The other aspect is regarding advertising, I believe. The--
clarifying that we never sell information to advertisers. Ads 
are targeted on Facebook only to the information you've 
explicitly put in your profile. And if you remove that 
information from your profile, ads will no longer be targeted 
to that. So, for example, I list Green Day as one of the bands 
I like in my profile. That is something that--ads might be 
targeted on that information.
    If I remove that, ads would no longer be targeted on that 
    Senator Kerry. Thanks, Mr. Chairman.
    The Chairman. Thank you very much. It's a good line of 
    Senator McCaskill.

                   U.S. SENATOR FROM MISSOURI

    Senator McCaskill. Thank you.
    I recognize that advertising makes the Internet work. I 
completely get that. And it keeps it free. But, I'm a little 
spooked out at the way this is developing.
    Imagine how an ordinary American would react if someone 
took a camera and followed them around the store, videoing 
everything they were buying, watching them make selections 
between this makeup or that makeup, watching them make 
selections between this brand of soap and that brand of soap. 
There would be a hue and cry in this country that would be 
unprecedented, that somehow there were secret cameras following 
them around and figuring out what they're buying them, and then 
using that information to market them directly. And that's 
exactly what's occurring.
    I was sitting up here, and I thought, just for fun, I would 
go and surf for something that I didn't really want right now. 
And so, I went on the Web and I looked up a foreign SUV. I'm 
not in the market for a foreign SUV. Frankly, if I were going 
to buy an SUV right now, it would certainly be an American SUV. 
But, then I went on another website, within 10 minutes of when 
I did that, and guess what ads were on that website. There were 
a bunch of ads for foreign SUVs. Now, that's creepy. That means 
somebody is following me around with a camera and following 
what I'm doing. And if this is taken to its logical conclusion, 
we could kill the golden goose, here.
    And I would ask, especially those that--Google. I know you 
guys are using algorithms to read e-mails. And it's my 
understanding that you're doing it internally only. But, could 
you address the issue that I'm talking about, that you're 
reading e-mails internally and then using information, maybe 
not identified with anything other than a number, but, 
nonetheless, using the algorithms to predict marketing 
    Dr. Whitten. Certainly. So, this is a really good question. 
And I very much sympathize with this concern that people would 
have about the feeling of being followed. And I think it's a 
very, very important one for us to address.
    Specifically in the case of e-mail, let me clarify that 
Google systems are not attempting to do any prediction of 
marketing behavior based on the contents of e-mail. What Gmail 
has always done, from the very beginning, was to take the same 
systems that scan an e-mail in order to identify, for example, 
whether it's spam and should go in the spam folder and the user 
shouldn't be bothered with it, to have those very same systems 
trigger off of keywords to show an ad that might be relevant.
    And let me tell you about an example when I myself actually 
purchased something through a Gmail ad and had that happen. I 
was e-mailing back and forth with my mother, a couple of 
summers ago, a really, really hot summer. And she was 
complaining about the heat. And I offered to buy her an air-
conditioner, in my e-mail. And as I was sitting there looking 
at the e-mail I had just sent, in Gmail, because it had the 
keyword ``air-conditioner'' in it, there was an ad for air-
conditioner next to it. And, it was a pretty good deal, and I 
clicked on it, and I bought my mother an air-conditioner 
through that ad.
    But, that ad was shown purely because that keyword was in 
that mail message I was reading right then, and that was a 
transient thing. That was not used to build any kind of profile 
of me as someone who has an ongoing interest in air-
conditioners. It was purely something that happened in the 
moment right there.
    Senator McCaskill. Well, let me ask this. Isn't it true 
that, at this point, there are coupons that you print out on 
the Internet, and you take them into a store, and you use them, 
and embedded in that barcode is a whole bunch of information 
about you? And do you think the consumer has a right to know 
that, that by using that coupon they, in fact, are aiding the 
marketing to them of additional things that they may not want 
and, frankly, that--I mean, don't you see that as a privacy 
issue that you need to address? Because I don't think most 
Americans get that's what's going on. I think when they print 
out a coupon, they think that barcode tells them--the vendor 
what the product is. I don't think they know that barcode tells 
the vendor about them.
    Dr. Whitten. So, to be clear, this is not a practice that 
Google engages in. But, to your larger question, yes, 
absolutely, I think the challenge before all of us, and very 
much the challenge that I take personally and that my team 
takes personally, is to try to make these things not mysterious 
for people, because a lot of the distress, we think, comes from 
the fact that people experience these things as happening 
behind the scenes in a way that they don't have any control 
    And so, what we have really focused on, what we have really 
tried to do, is to find innovative ways to push that 
understanding of what's happening to the foreground, where it's 
visible to users in meaningful ways. And this is really what we 
were trying to do with the Ads Preferences Manager, especially 
by pushing for the in-ads notice, to have something in every 
ad, to build many ways to get the Ads Preferences Manager, to 
make that an engaging interface, so that hopefully people would 
actually want to look and see what interest categories were 
associated with their cookie, and to participate in editing it 
and taking some control over that.
    Senator McCaskill. It's a little different--and I know I'm 
over on my time, and I won't go further with this--it's not as, 
probably, disconcerting to all of us, because we're used to 
people poking around our lives and trying to find things.
    In fact, it'll be a great boon for opposition research, 
because now--I discovered this morning--my staff brought to me 
a printout--and I'm not going to use the name of the company, 
because I don't want to give them the press--but a company 
that, you can go on the Internet--and my colleagues would find 
this interesting--if you want to pay them five bucks, they'll 
tell you a whole bunch of stuff about you. They'll tell you 
where you like to shop, they'll tell you where you live, how 
many bathrooms your house has, whether or not you're wealthy, 
how old your mother is. And so, for the folks out there that 
have been making a lot of money on opposition research, the 
Internet is going to be a big help to them, because they're 
going to be able to find out a lot more stuff, for five bucks, 
than they typically have--it's usually spent thousands of 
dollars on opposition research.
    So, I don't know that all of us--I mean, we're kind of used 
to an invasion of privacy. We sign up for an invasion of 
privacy. We embrace it willingly. But, I do think that you all 
need to really address the phenomenon I'm talking about, 
because, as the American public catches on to this, they're 
going to be very unhappy.
    Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Senator Klobuchar.

                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman.
    You know I started my day, just to follow up on what 
Senator McCaskill was saying, with Erin Andrews the ESPN 
reporter who had her images of her undressing in a hotel room 
distributed all over the Internet, as well as some other 
members of the House were sponsoring a bill to do something to 
improve our stalker laws so maybe they are as sophisticated as 
the predators who are violating them. And so, I hope all your 
companies will support these changes. I think it's going to 
pass the House today. But, as we know, the Senate always takes 
a little more time. And I think it'd be helpful to have the 
support of your companies, something that clearly goes beyond 
just your responsibilities, as predators involve, but the tools 
that are used by these predators: the Internet.
    My first question is of you, Mr. Taylor, from Facebook. I 
appreciate the work that you're doing in the privacy areas. You 
know, I've raised a concern about having a--more accessible 
safety information on the Facebook pages, because, as I know 
from my 15-year-old daughter, who did all her birthday 
invitations on Facebook, a lot of young kids are using these--
your number of even like 5-year-olds using is incredible. And 
if you could be--I know you have your ``Privacy'' button on 
there, I know you're working on this, but if there's a way to 
have a more easily accessible safety information, so kids know 
what to do if they suddenly get a request for a friend of 
someone they don't know, as opposed to having it a few clicks 
down. Could you respond to that, Mr. Taylor?
    Mr. Taylor. Yes, absolutely. We recently launched a Safety 
Center, which is accessible from a fairly prominent part of our 
Help Center. And I think we, as a company, share your concern 
about safety, throughout the company. Like privacy and like 
security, it's something we think about with every product that 
we launch.
    And I just wanted to highlight a few of the things I think 
are really important, because this is a really subtle issue. 
One of the things we've focused on is contextually giving our--
the people who use Facebook the ability to report suspicious 
activity or offensive content. And so, throughout the site 
there are links for people to report content that they either 
think came from someone who's either bullying or perhaps 
predatory in some way or any content that they feel is 
    I think that's a very--it's a very important issue that's 
not highlighted in some of the discussions I've heard, but it's 
important because, at the time that someone's experiencing 
something suspicious, giving them the ability to report that, 
and having our automated systems, as well as our operations 
teams, have as much information as possible to pursue these 
cases and disable accounts and, as it's relevant, report it to 
authorities, is very important.
    The other thing is, I'm sure you're aware, but I just also 
wanted to highlight, we've worked with every single State's 
attorneys general to run their list of known predators against 
our accounts, disabling a very large number of accounts and 
reporting it back to authorities. But, the reason I wanted to 
highlight the report links is because that only goes so far. 
And we hold ourselves to a much higher standard than that. And 
having those inline report links is a very important part of 
maintaining a safe environment on our site.
    Senator Klobuchar. I appreciate that. And I just hope we 
can continue to work on this issue to see if there's a way we 
can just highlight those safety links so these kids know what 
to do, because these are just kids. And the more we can make it 
relevant, you know, with a button that says, ``If you're,'' you 
know, ``something's''--``you're worried about, scared about 
something''--``safety,'' as opposed to just ``privacy''--I 
think that that would trigger them more to look at it. So, we 
can continue working on that.
    Dr. Whitten, in May we learned that Google had 
inadvertently captured and archived private data from unsecured 
home wireless networks while compiling photos for the Street 
View map feature. After the incident I exchanged letters with 
your CEO, Eric Schmidt, and I'm glad that we're working 
together, moving forward. Could you talk about the outcomes of 
this--what I consider a serious privacy violation? And has 
Google conducted a thorough audit to ensure that other products 
and services do not contain unsanctioned code?
    Dr. Whitten. So, we are still conducting our very thorough 
follow-up investigation. I, myself, am not a member of the team 
focusing on that directly, so I will be somewhat limited in 
what I can reply to.
    We have committed to, however, when we have finished the 
investigation, to communicating publicly what changes we will 
make to ensure that this kind of mistake doesn't happen again. 
We take this very seriously.
    Senator Klobuchar. I appreciate that. So, that it's not an 
ongoing--it is stopped, but you're just figuring out how to 
change things so it doesn't happen again? Is that a fair----
    Dr. Whitten. The----
    Senator Klobuchar.--characterization?
    Dr. Whitten.--investigation is still underway.
    Senator Klobuchar. OK. Thank you.
    One issue that isn't often discussed is peer-to-peer file-
sharing and the privacy concerns that arise when kids use these 
programs. We've had a number of unbelievable stories in our 
state, where someone who works at a gardening company goes 
home, does her company's business on the home computer, and 
doesn't know, but her kids has put a peer-to-peer file on 
there, and then all the company's data goes out onto the 
Internet, and they became victims of identity theft, their 
Social Security numbers stolen. Anyone want to comment about 
what we should be doing on this? Senator Thune and I have a 
bill to try to address it.
    Anything? Peer-to-peer? No takers?
    Oh, Mr. Harper, thank you.
    Mr. Harper. I'll take it up. I haven't been on a peer-to-
peer network in a lot of years now, actually. What that really 
calls for most is, like everything we've talked about, better 
consumer awareness and better education. That's the hard way, 
but it's really the only way to get good outcomes like this. 
Good parenting, I emphasize again and again, which is not 
distinct from controls and things like that--good parenting is 
always right at the center of protecting children online. 
You're not going to----
    Senator Klobuchar. Right.
    Senator Harper.--come up with a magical technology solution 
beyond what parents can do.
    Senator Klobuchar. Well, as a parent who didn't even know, 
when I was running for office, what ``LOL'' meant, much to my 
daughter's embarrassment when I was asked the question in a 
campaign event, I don't think every parent can know everything 
about what's going on, and that's why I suggest you look at our 
bill, just because we're trying to give adults that--on that 
computer more information about what their kids have put on 
there, so that they can maybe stop it. And that's what we're 
trying to do.
    I've got to step out for something, and I'll be back, Mr. 
Chairman. Thank you.
    The Chairman. That was dramatic.
    Senator Klobuchar. As I always am.
    The Chairman. Senator Begich.

                    U.S. SENATOR FROM ALASKA

    Senator Begich. Thank you, Mr. Chairman.
    I just have a couple comments and question, but first, to 
Facebook, to Mr. Taylor. Could you--how do you notify, when you 
make these changes--you described this--the new safety security 
component--how do you notify your customers of this?
    Mr. Taylor. There's a variety of mechanisms, depending on 
the magnitude of the change. So, on some----
    Senator Begich. Let's start with the one where--the safety 
changes--security changes you changed. Or you might----
    Mr. Taylor. So, I believe--my understanding, which I 
believe is--in--accurate, but I'm not directly working on this, 
so excuse any minor inaccuracies--is that we launched it to a 
prominent part of our Help Center, which is the central support 
part of the Facebook website. And we also launched ads, within 
our own ad system, to advertise the presence of this new center 
to our users.
    Senator Begich. OK. And where would you label this one, in 
the sense of importance to your customers? In other words, 
would this be the maximum amount of notification you'd make to 
your customer base?
    Mr. Taylor. No. It's definitely not the maximum amount of 
notification. Some prominent changes to our service will notify 
with a prominent notice at the top of your Facebook home page, 
which is the entrance point to Facebook as a product, and by 
far the most important page on our site. And that's where we'll 
include information about significant changes to the user 
interface of Facebook or to other product launches that we 
think have a significant impact to the Facebook user 
    Senator Begich. OK. Thank you very much.
    Ms. Whitten, let me, if I can--I want to take that air-
conditioning example, there, one step further, if I can. Once 
that company then sold you that air-conditioning unit, now they 
have data on you, correct?
    Dr. Whitten. So, let me walk through what happened, step by 
    Senator Begich. Let me----
    Dr. Whitten.--because----
    Senator Begich. Let me----
    Dr. Whitten.--I think that would----
    Senator Begich.--pause you there----
    Dr. Whitten.--be the clearest----
    Senator Begich.--for a second, because I'm--I consider some 
of this like the catalog business on steroids. You know, you 
order one catalog; before you know it, it's 80 percent of your 
mail. So----
    Dr. Whitten. Sure.
    Senator Begich. So, now you've ordered--I want to take it 
from that point--you've ordered this air-conditioning. What 
happens to that data, that they have now collected, that took 
the phrase, or the words, ``air-conditioning'' out of an e-
    Dr. Whitten. So, first of all the air-conditioning company 
told Google it would pay to have this particular ad----
    Senator Begich. Right, through association.
    Dr. Whitten.--shown to that--right.
    Senator Begich. Right.
    Dr. Whitten. So, then I'm reading my e-mail, and my e-mail 
has the words ``air-conditioner,'' and so, that triggers the 
system, and it shows me that air-conditioning ad. And then I 
click on that ad, and I am taken----
    Senator Begich. To their website.
    Dr. Whitten.--to that advertiser's website. At that point, 
thereafter, I am no longer dealing with Google. I am now----
    Senator Begich. I see.
    Dr. Whitten.--talking directly to the advertiser. And I put 
the air-conditioner in my shopping cart, and I give them my 
delivery address and my payment information, and the ongoing 
relationship that I might have with the air-conditioner company 
is established through that transaction.
    Senator Begich. But, in essence, started with just ``air-
conditioning'' in your e-mail?
    Dr. Whitten. That's what triggered me being directed to 
    Senator Begich. Right.
    Dr. Whitten.--to the air-conditioner----
    Senator Begich. Yes.
    Dr. Whitten.--company. But, they had no information to 
pursue an ongoing relationship with me, until I went to their 
site and----
    Senator Begich. Understood.
    Dr. Whitten.--interacted----
    Senator Begich. And you----
    Dr. Whitten.--with them directly.
    Senator Begich.--made a commitment at that point, at 
whatever that level was. Did the Website say to you, when you 
purchased the air-conditioning unit--I mean, the assumption is, 
because you're in the industry, that the minute you do that, 
you're going to get a lot of stuff from them. Will that----
    Dr. Whitten. I don't remember, for that particular air-
conditioner company. I must say, I don't actually remember 
getting a lot of air-conditioning-related----
    Senator Begich. May not be air-conditioning company, but--
    Dr. Whitten.--solicitation e-mails afterward.
    Senator Begich. But, I mean, the assumption----
    Dr. Whitten. So----
    Senator Begich.--is that, once you go on there----
    Dr. Whitten. Yes.
    Senator Begich.--it asks for your e-mail and all kinds of 
stuff to confirm the order, that you're in their system.
    Dr. Whitten. Yes.
    Senator Begich. Is that a fair assumption?
    Dr. Whitten. I mean, my experience, as a consumer is that 
industry practices, generally--they're sort of an opt-in/opt-
out, too, ``Can we send you more promotional e-mails?''
    Senator Begich. What--for the companies that are here, what 
more--what one thing would you recommend, if any, that should 
be done to increase the level of security and privacy to the 
users of your facilities? I use ``facilities'' in broad, 
because one's AT&T, one's Google, Facebook. But, I mean, what's 
the one thing that should be improved? Because I'm not--have 
you--tell me you're doing it all right, I'm going to----
    Ms. Attwood. Well, let me----
    Senator Begich.--the----
    Ms. Attwood.--let me comment on that.
    Senator Begich.--the radar will go up, and that won't 
really be a good answer. So----
    Ms. Attwood. So, what's remarkable in this hearing----
    Senator Begich. I'm trying to be very polite.
    Ms. Attwood.--is for all of us to acknowledge or address 
the fact that we believe we're ``best practices'' in the 
industry. We're adopting the notice-and-consent framework that 
the FTC talked about; we are, in fact, innovating in the way in 
which we're talking to our customers. But, the one thing that's 
missing is that we're not, in fact, honoring each other's 
customers' permissions. So, every day there are literally 
millions of customers who use AT&T's service on Apple's iPhone 
to go to Facebook and check their friends' status, and then go 
to Google to check on where they should meet for dinner. That 
happens millions of times every day.
    That customer, in order to understand where their 
information has gone, has to read all of our privacy policies. 
And, I--you know, I'm very proud of our policy. We've worked 
very hard to make it very secure and very clean--very 
straightforward to the customer, but there is nothing that, in 
fact, gives the customer who--comes to AT&T and says, I want to 
have my information protected. I, in fact, can only do what I 
can do with AT&T. I can't, in fact, honor that across all of my 
partners who are here.
    And I do believe that's the next phase of what we have to 
do when we think about demystifying it for the consumer, making 
it less creepy. We have to, in fact, work as a industry, as 
we're doing, and push the boundaries of saying, when somebody 
says to me, ``I want my information protected in a certain 
way,'' or says to Google they want their information protected, 
I honor that, Google honors me, and we give a single unified 
face to the customer, in terms of their permissions.
    Senator Begich. Very good.
    Mr. Harper. Senator, can I interject with one thing that I 
don't think companies would probably want to bring up. That's 
the idea of individual consumers exercising control over 
cookies. We talked about it a lot. Cookies are the primary way 
that you're tracked from site to site----
    Senator Begich. Right.
    Mr. Harper.--usually on ad networks or that kind of thing.
    Senator Begich. Right.
    Mr. Harper. In both Firefox and Internet Explorer, the most 
popular browsers, you go to the tools menu, select options, 
click on the privacy tab, and you can decide whether you accept 
cookies from no site at all, or the sites--the primary site 
you're visiting. You can deny third-party sites, which are 
usually the basis for tracking.
    Senator Begich. Right.
    Mr. Harper. I'm a little bit of a stickler. I look at every 
cookie coming onto my computer, it doesn't take too long once 
you're into it. But, people can create blanket rules about that 
kind of tracking and put a--take a big chunk out of the kind of 
tracking that Senator McCaskill was worried about. That's the 
one thing that consumers can do that'll put them in a good 
    Senator Begich. And I know my time's up, so let me--I'm 
sorry, Mr. Chairman----
    Mr. Turow. I just----
    Senator Begich.--maybe you want----
    Mr. Turow.--quickly want to add, while that--I think you're 
absolutely right about that. It has to be said that, 
increasingly, companies are trying to get around cookie 
problems. Just, as you say--companies are beginning to use 
first-party cookies because they knew third-party cookies are 
zapped. Toolbars can be used without any cookies at all. And, 
as people know, there are some things called ``flash cookies'' 
that don't extinguish.
    Mr. Turow. There are lots of ways--registration. The 
industry knows that cookies are sometimes fallible and in 
danger, and there are ways that people are trying to get around 
    Senator Begich. I apologize, Mr. Chairman, I exceeded my 
    The Chairman. Thank you, Senator Begich.
    Dr. Tribble, I'm afraid that, one, you feel you're being 
ignored, and second, I've stolen----
    Mr. Turow. No. I'm not being ignored.
    The Chairman.--something from you.
    Dr. Tribble. What was that?
    Mr. Turow. The--oh----
    The Chairman. So, I want to tell you----
    Dr. Tribble.--that's his.
    The Chairman.--that it's still here.
    Dr. Tribble. OK.
    Mr. Turow. That's his.
    Mr. Turow. Mine's in my pocket.
    Dr. Tribble. Thank you.
    The Chairman. But I want to--oh. Did--was that yours?
    Mr. Turow. No, that's his.
    Dr. Tribble. Yes.
    The Chairman. That's his. Yes.
    Dr. Tribble. Yes.
    The Chairman. I wanted to make a point from it, because it 
makes a point for me. You indicate--now, let's say I'm a 55-
year-old forester from central Montana. And you indicated that 
all they have to do is go to the particular ``click'' and then 
they'll get their capacity to protect themselves.
    It turns out that on your machine here, the particular 
click is labeled ``Settings.'' And I'm trying to figure myself 
coming down out of the top part of a tree and finally reaching 
the ground and running and getting this, that if I go like 
this--in theory, I get what you gave me and I get my choice. 
But, on the other hand, I had to go to that ``Setting.'' What 
does the word ``Setting''--how is that meant to mean something, 
not just to a--somebody who's cutting up trees or mining coal, 
but, as Senator Klobuchar said, to some 13-, 15-year-old kid?
    In other words, to you it's very clear. And one of the 
things that interests me in all of this is that there's total 
clarity with all of you, and total certainty. Occasional 
mistakes. But, to the rest of the world--and I am going to have 
somebody return this to you.
    The Chairman. Keep my reputation intact. But, it isn't all 
that clear. And I think that's a hard connection for somebody 
to make. I wouldn't go from--you know, to ``Settings.'' I'd 
look at all the other things--clock, time, weather, sports, 
stocks--and maybe I could eliminate, if I spent time on it, 
getting down to ``Settings''--``Well, maybe it's here,'' push 
it, get what you want. But, see my point?
    Dr. Tribble. I see your point. And I actually agree with 
your goals of clarity, and I can tell you that we strive for 
that, in terms of the usability of our devices. And finding 
things like this easily on a device is a challenge. It's 
something that we try and excel at, actually.
    One of my points, about this particular feature, was that 
it's important that privacy issues not just be relegated to a 
privacy policy, that they actually be designed so that they're 
part of the user interface that the user would encounter 
normally during the use of their device. And, you know, we may 
not have reached perfection there. I don't think we have. In 
fact, I think, more innovation is actually required in this 
area. It's a simple fact that not every particular feature, 
including privacy, can be at the top level, one click away from 
the home screen, or things actually get back to being so 
complex that it's hard to deal with them again.
    So, making the decision where in the user interface should 
the privacy issue be--we think it's very important. As I 
mentioned, if your location is being tracked, we actually went 
ahead and took space next to the battery indicator to go ahead 
and put an icon right there, that's always showing you, Is your 
location being tracked? We think that's at least--if not more 
important than how much battery you have left.
    Integrating this into the user interface is one of the 
areas where we're actively innovating. I think there's more 
innovation yet to be done there.
    The Chairman. I do, too.
    Dr. Tribble. So, I agree.
    The Chairman. I'm going to--Dr. Whitten, I'm going to say 
something not entirely pleasant to you, but it surprised me 
that you're in charge of security and, you know, openness for 
Google, and you start out with a 3-minute lecture on how much 
money Google makes, how huge it is. We all know that. So, 
psychologically, I'm sort of interested, why did you start out 
on that? I don't need to have you answer, unless you want to. 
But, I just want to say that for the record. It was interesting 
to me that you started talking about how successful Google is.
    You have nothing to say, so I'm going on to Mr. Taylor.
    Mr. Taylor, your privacy policy has the following: quote, 
``Even after you remove information from your profile or delete 
your account''--this gets back to Senator Kerry--``copies of 
that information may remain viewable elsewhere.''
    And then, it goes on to say, quote, ``Certain types of 
communications that you send to other users cannot be removed, 
such as messages,'' which are kind of basic.
    Now, it sort of begs the question, if the Facebook user 
wants to permanently--and this is what Senator Kerry asked--to 
delete--and you gave him a very firm answer, ``It's gone.'' 
This says otherwise.
    Mr. Taylor. I just want--I'm sorry, are you done? Would--is 
it an appropriate time to answer?
    The Chairman. Yes. Go right ahead.
    Mr. Taylor. All right. I think it's a very good point. And 
you bring up some of the most subtle issues that we'll deal 
with in working on a social product.
    The issue about, ``Your data may still be viewable 
elsewhere,'' it's an important point to just give our--the 
people reading that policy a realistic expectation about how 
information may flow throughout the Internet.
    So, for example, you may publish your phone number to your 
Facebook profile. And your friend might take that number and 
copy it into their phone, that interaction came from Facebook, 
and, even though you deleted your Facebook profile, that copy 
of that information may continue to exist because your friend 
copied it into their phone. Likewise, your friend might take a 
photo that you published to Facebook and print it out and put 
it on a collage or put it on their personal home page because 
they copied it off of Facebook.
    And, you know, when you're sharing information with other 
human beings on the Internet, you know, it's not just a 
technical thing, it's a social thing. And people may choose to 
do things with that information outside of the bounds of the 
things that we can control. And I believe, if I'm recalling the 
part of the policy you're talking about, that's specifically 
the realistic expectation that we are trying to make sure 
people using our service understood.
    Regarding, ``There are some pieces of information that 
can't be deleted, like messages,'' we thought a lot about this, 
and a lot of people use our messaging product much like they 
use e-mail. And when you send someone an e-mail you don't have 
the ability to delete it from their inbox. You've sent it to 
them. Just like once you've sent a letter to someone and it 
ends up in their hands, you have the social ability to ask for 
it back, but, you know, at that point, it's in their hands. And 
when you send someone a message, we consider that piece of 
information, at that point, owned by two people, just because 
it abided by the existing conventions that existed with e-mail 
and even postal mail.
    And so, those are very specific instances. Certainly, the 
information that you've shared on your profile is information 
you can delete permanently. And I think, in those particular 
instances, we were just trying to take a thoughtful approach 
that abided by the people who use Facebook, their expectations 
of the service.
    The Chairman. Is it not true that somewhere--and this 
applies to intelligence agencies, too--that there is some point 
at which there is a residual place of keeping information that 
cannot be deleted under any circumstances?
    Mr. Taylor. So, I can't really speak to what our 
intelligence agencies do. I can tell you that----
    The Chairman. I'm not making it--the point out of the 
intelligence agencies. I'm asking that to you.
    Mr. Taylor. Is there--do you mind clarifying your question? 
Are you asking, Is there--certainly, on--from our servers, when 
you delete your account fully, we delete all of the information 
associated with your account.
    The Chairman. So, there's no backup anything anywhere which 
retains that.
    Mr. Taylor. Certainly, these technical systems are complex, 
and there may be backups of some pieces of information 
somewhere, due to the complexity of these systems.
    The Chairman. What if you're subject to a lawsuit and you 
have to defend yourself, and there's a lot of money at stake, 
and you have to go back and pull out that particular e-mail, 
whatever it was. You have to be able to do that, don't you?
    The Chairman. You just say, ``Well, I'm sorry. We can't 
defend ourselves.''
    Mr. Taylor. So, you're talking about if someone has deleted 
their Facebook account, what mechanisms we would have to look 
up that information of the deleted account?
    The Chairman. Yes.
    Mr. Taylor. You know, some of this may get into very 
specific details of our infrastructure that I'm not intimately 
familiar with. Certainly, the spirit of the account deletion 
feature on Facebook is that your information is deleted. As I 
mentioned, these technical systems, due to the technical 
requirements of making a system that's extremely reliable and 
available at all times of the day, may mean that there are 
backups and archival forms of this data in some parts of our 
system. So, I think that is a reality that--so, I'm not sure, 
in that specific instance, what information would be available.
    The Chairman. And then, I move from my person, who's high 
up in a tree cutting off branches, to a 13-year-old, who is 
vulnerable, is lonely, is socializing. The--Senator Klobuchar 
making this point--and the ability to--for a predator. We've 
had hearings on this subject, too. And I do a lot of 
roundtables, in my State of West Virginia, about precisely that 
subject, the vulnerability of students, the vulnerability of 
young people. They are your future; they are your present. I 
don't know how much of your profits come from them, but a lot. 
And when I asked--when somebody asked you the question, ``Who's 
responsible for privacy protection?'' and you said, ``Everybody 
who works at Facebook is.'' Everybody who works there is. And I 
found that somehow suspicious and disingenuous, because I think 
companies have to be divided up in certain things, and people 
don't spend all of their time on every single question that 
comes before them, saying, ``What are the privacy consequences 
of this?'' I don't believe what you said.
    Mr. Taylor. I think that's a very fair point, Mr. Chairman. 
What I intended to say is that the engineers and product 
managers who are developing the products at Facebook take into 
account privacy in every aspect of the product design. We do 
have a team devoted exclusively to security----
    The Chairman. I'd like----
    Mr. Taylor.--and safety.
    The Chairman. And I accept that.
    Mr. Taylor. Yes.
    The Chairman. But, don't you think there's the possibility, 
here, of beginning to divide the world into--and users--into 
two categories, those who know just exactly what to expect and 
how to handle themselves, what the consequences are of what 
they do--I'd put that group at 50 percent--and then others who 
are simply thrilled to be on Apple, on Facebook, on Google, 
whatever, and--but they're not really quite sure what they're 
doing? They're not sure of the consequences of what they do. 
They don't know what it means to be following them around, in 
terms of identifying their location. They're innocents. But, 
they're seriously into it. And it seems to me that we're almost 
dividing ourselves into two worlds.
    You've got the world working for you, because you're making 
a--you're being tremendously successful, and people are signing 
up like crazy. And so, why complain? But there are 
consequences. There are inherent consequences. You know, the 
bullying thing, that was casually mentioned here, is not 
inconsequential. It's huge. Sexual predators is huge. And it's 
a part of what you do.
    Now, if you can defend yourself against this, and if you go 
to the right clicks and the right icons, and do all--make all 
the right moves, I suppose you can stay out of trouble. But 
then, always lurking is the record. People--you know, people 
are tracking you.
    I didn't mean to leave out AT&T. I apologize.
    You're being tracked. People are using you to advertise. 
The word ``air-conditioning'' did come up for a certain reason. 
And it was very convenient, in your case, because you were 
trying to help your mother. In other cases, it might not be so 
convenient, or it may even be confusing.
    So, my philosophical question--actually, I aim at you, 
professor, this question, the question of, Are we dividing 
ourselves into two classes of people, people who understand it 
and who can handle themselves in this world, on all of these 
instruments that we have now before us, and those who cannot? 
And those who cannot are paying a price, which we do not yet 
fully understand, but which we're beginning to understand, and 
that does get into the abuse, and sexual this, and predator 
that, and bullying, and all the rest of it; or misinformation; 
or simply being marketed.
    I mean--you know, it's the same question of--I mean, 
Senator Kerry and I get, frequently, telephone calls at our 
home, which are meant to be unlisted numbers. And somebody 
proceeds to grill us with a whole series of questions about 
something. You just hang up. That's an annoyance that should 
not occur in American life, if you don't want it to happen, but 
I have no way of stopping it. Hence, to the question, Can I 
really stop Facebook from having records on me? You say yes. 
I'm not so sure. In fact, I think not.
    So, what do you say, professor?
    Mr. Turow. Well, there are lots of----
    The Chairman. And the larger question is, Are we becoming 
two different societies, and isn't that wrong on something 
which is this dominant in our culture?
    Mr. Turow. I think we're becoming multiple-level societies, 
for a number of different reasons. I'll make it quite short.
    One is exactly what you say, the people who know and the 
people who don't know. Increasingly, as I get into the data 
that we've dealt with, and that other people have done research 
on--I used to believe that a lot of these problems could be 
solved by education. I no longer believe that everything can be 
solved by people learning. It's much, much too complex. I find 
that professionals in the field, when I call them to check on 
things I'm thinking about, will not know the answers.
    Reading privacy policies is becoming a scavenger hunt, 
because not only do you try to read the privacy policy and make 
sense of verbiage which is basically understood by the people 
who create it and not many others, you're also into links that 
send you to links that tell you that other parts of this are 
related to other companies. And they use words like 
``affiliates,'' that most people wouldn't understand. So, at 
that level, we have people who--I would say even very 
intelligent people couldn't make sense of that.
    On another level, I'm concerned that we're moving into a 
world--and this gets us into television, not just what we call 
the Internet, because the television is going to be the 
Internet. IPTV, digital TV--we're going to have a situation 
where people will receive views of the world based upon what 
others know about them, and what they don't know others know 
    So, it's quite possible--and I've spoken to people now who 
are beginning to think about, for interesting reasons having to 
do with marketing--of changing the news profile you get, based 
upon the particular parameters that people know about you and, 
as a consequence, that will put people into certain kinds of, 
what I might call, ``reputation silos.'' We're not there yet, 
but we're defining people's reputations in ways that they don't 
    So, there are multiple levels relating to status, relating 
to education, relating to so many things, that I'm beginning to 
despair that we can ever really understand it. And that's why 
I'm beginning to think that some parts of this have to be 
regulated. Not everything, by any means. But, there are some 
issues that people will simply not be able to contain, 
    The Chairman. I'm so wildly over my time, it's 
    Senator Kerry?
    Thank you, all of you.
    Senator Kerry. Ms. Attwood, can you share with us what the 
recent glitch was about that saw the distribution of more than 
100,000--I guess they were the iPad owners' e-mails?
    Ms. Attwood. Sure, I'd be happy to.
    We had an incident recently in--that was largely called a 
``brute-force attack.'' It was a security breach by a--some 
hackers who were trying to collect information about iPad 
users. It was an incident where they--the hackers developed--
looked at--developed software in which they would--used to 
capture e-mail addresses that were able to be captured on a 
Website, or actually on the Website that they pinged, because 
there was a certain--well, the--for the ease of the customer, 
the Website that they went to retained information about the e-
mail address using the ICC ID code, which is the serial number 
of the iPad. And by writing a code, they were able to randomly 
seek to capture the information of that e-mail address, and 
constructed a list of those addresses.
    We found out about the security breach when a media outlet 
said that the hackers had gone to them and proposed that there 
was a vulnerability in the security of the e-mail address. And 
within 24 hours, we fixed that vulnerability. Then we tried to 
assess whether there was additional vulnerabilities. We 
concluded that, in fact, the only information that was 
potentially vulnerable was the ICC ID code as well as--which is 
that serial number on your SIM card--as well as the e-mail 
address, and, in an abundance of caution, we notified all the 
purchasers of the iPad 3G device that there was a potential 
exposure of their e-mail address.
    To date, though, I want to say, we have not seen that 
information be released in any other way, other than to these 
media outlets. But, we're cooperating with the criminal 
investigation that is looking into seeing how that security 
breach occurred.
    Senator Kerry. How often do you guys get attacked like 
    Ms. Attwood. It is a daily event that there are----
    Senator Kerry. Is that true for all of you? Google, daily 
event? Facebook?
    Ms. Attwood. We spend millions of dollars on hardening and 
securing the network. It is a constant--there is a--it is 
almost a sport, in trying to expose vulnerabilities, as it is 
for the Federal Government, as well.
    Senator Kerry. So, how is it that people who have their 
information trusted to you--entrusted to you--what kind of 
confidence can they have?
    Ms. Attwood. Oh, I think that developing the confidence, 
and maintaining the confidence of the security of the network, 
is absolutely essential. And in this instance, we were really 
disappointed. We spend literally millions of dollars 
establishing very secure networks, and, in this instance, we 
failed our customers. That's why, in fact, we--as soon as we 
understood the nature of the problem, we fixed it, and we 
notified them. We also have, you know, made available new SIM 
cards, if our customers feel that they need them. We don't 
think--you know, from a security perspective, we don't think 
that they're necessary, but we've also made that available. So, 
absolutely, it's--you know, they demand and expect more.
    Senator Kerry. I think--you're an engineer, aren't you?
    Ms. Attwood. No, I'm a policy person. I--sadly, on this 
    Senator Kerry. Well, can you tell me--are you able to tell 
me where in the system there's the greatest vulnerability and 
potential for abuse? Where in the networks?
    Ms. Attwood. Where in the networks? I mean, I think you 
have multiple areas that are capable of security violations. 
So, you have databases that--where you store information; you 
have physical links where, in fact, there--individuals try--you 
have devices where there are actually efforts to corrupt 
devices. So, in--I would describe, in the entire, you know, 
product line, you have multiple areas where you could see 
security breakages. And, in fact, we have, you know, a lab that 
is set up just to try to ferret out where those breakages could 
    Senator Kerry. Can you tell us what ``deep packet 
inspection'' is?
    Ms. Attwood. Well, ``deep packet inspection'' can mean a 
lot of different things, but, essentially, it is the ability to 
read beyond shallow--every bit has a--certain information. Some 
of it is considered shallow information, kind of like 
addresses, and other portions of it are called ``deep packet,'' 
which is payload information. It's the content of that bit.
    And ``deep packet inspection'' is a--is the capability to 
evaluate the shallow and deep information contained in that 
bit. It's used, in our network, for trying to find malware--
spyware--for purposes of network security. And----
    Senator Kerry. Is it used for any other--is it used for any 
commercial purpose?
    Ms. Attwood.--thank you for saying so, because I heard the 
previous testimony. No, we do not use deep packet inspection 
for marketing purposes, which was the subject of the NebuAd 
interest a couple of years ago.
    Importantly, I would also tell you that we have gone so far 
as to, in our privacy policy, explain that we will not use it, 
absent express permission of the customer. In the event that 
there seems to be a desire for the use of that information, 
we'd ask our customers first. So, no.
    But, we do--deep packet inspection, like any technical 
advancement--and I would say, you know, all of us have had--
there have been discussions about recent issues that have been 
faced by companies on this panel, and each one of those 
involved the use of technology inappropriately. And so, in this 
context, deep packet inspection--I don't think there is anybody 
who suggests that that is not used appropriately when it's in 
finding and ferreting out fraud and abuse.
    Where the issue was, was the use of that in a way that 
seemed to offend customers' and users' expectations. And 
because of that--AT&T was not doing that, was not planning to 
do that--but we went so far as to make clear we would not do 
that without our customers' permission.
    Senator Kerry. Mr. Taylor, in response to the Chairman's 
question about the deleting of information and the storage of 
information, you repeatedly said that if it is deleted, it is 
gone. What if somebody simply deactivates their Facebook page? 
It's there forever, isn't it?
    Mr. Taylor. So, I may get some of these details wrong, so--
but, I'm basing this on my understanding of it. When you 
deactivate your Facebook account, for some period of time, you 
can reclaim it. It's--often people will--it's actually very 
frequent that someone might choose to disable their account at 
some point and then want to restore it at a later point. So, we 
added that as a feature to our users, at a point where we 
noticed a lot of people sort of had buyer's remorse about the 
decision to delete their account. People buildup a----
    Senator Kerry. What's the----
    Mr. Taylor. I'm sorry for interrupting you.
    Senator Kerry. What's the point? I mean, at what point? How 
    Mr. Taylor. I don't know, off the top of my head?
    Senator Kerry. Do you know, if they don't? So, you don't 
know whether or not it stays for several years.
    Mr. Taylor. I don't think it does, but, because I'm not 
intimately familiar with the details, I'm uncomfortable giving 
a specific answer.
    I think it is worthwhile to provide just a--one specific 
bit of context. The--people publish a lot of information to 
their Facebook profile. I recently had a baby, for example, and 
a lot of my baby's initial photos are in there, and the act of 
deleting all of that is a very significant operation. Just like 
there shouldn't be, you know, a button that deletes all the 
contents on your laptop's hard drive without, you know, a fair 
amount of deliberation; that's really the motivation for that 
particular piece of functionality. I just wanted to provide 
that context.
    Senator Kerry. Fair enough.
    Well, I--as everybody here knows, our counterparts in the 
House have introduced legislation, and I--we have sort of a 
cross-jurisdiction in this committee, with Senator Pryor and 
myself, the Consumer Protection Subcommittee and the 
Communications Subcommittee. So, we're going to work with the 
Chairman and--with the goal of trying to build the record. 
We've got these reports coming out, obviously, from the 
Commerce Department and the FTC. We'd like to work with all of 
you. I mean, the key question is, can we come up with a 
standard, some kind of a set of expectations that are more 
effective? We struggled with this 10 years ago, and I guess it 
failed because we--you know, the offline/online sort of 
debate--and we got caught up in that, and tried to reach, 
maybe, too far at that point in time.
    I think--incidentally, I think a--you know, I'm not 
suggesting your companies have not made differing and 
significant kinds of initiatives to try to respect people's 
privacy. And I think, all in all, the opt-in/opt-out debate 
that we were all worried about has been resolved pretty 
effectively, and I give you all credit for that. And I--but, 
you know, it's tricky. That's a long page of, you know, 
complicated conditions, and, you know, most people just zap 
down to the ``I Agree,'' and they punch the ``I Agree,'' and 
off they go. And so, I'm not sure that there's, you know, 
knowledge in the ``caveat emptor'' component of all of it, et 
cetera. And I think we ought to figure out if we can get a 
baseline here, where it's simpler and more direct. And I think 
that's the kind of thing we really have to work at. So, we 
certainly look forward to it.
    Mr. Chairman, thank you for the lenience on the time, I 
appreciate it, and my colleague. Thank you.
    The Chairman. Go ahead.
    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
    The day is getting late here, and I had a few additional 
questions for you, Dr. Tribble, just about the subject that 
Senator Kerry just raised about the opt-in/opt-out. And you 
said, in your testimony, that customers may opt-out of 
interest-based advertisements by visiting, is it, oo.apple.com? 
Right?--``OO,'' not for double-agent-00, but for opt-out. And 
how do your users learn about opt-out? Because I think that's 
one of the things we're trying to figure out as people get 
these, you know, small-print policies. They're looking up on 
the computer, and they're trying to figure out what to do. How 
do they learn about the opt-out?
    Dr. Tribble. Yes. In this case, the opt-out link is, in 
fact, in our privacy policy document, which is linked to from 
every page on our Website. And, you know, we work hard, 
actually, to try and make sure that our privacy policy is in as 
plain English and is not lengthier than it needs to be. And, 
you know, we think it compares pretty favorably with other 
privacy policies that are out there. But, that is currently the 
    I should point out that, in the case of iAds, that is 
something that we are just starting to do. In fact, we just 
started, earlier this month, to enable iAds on--which are ads 
that come up in the applications that you run on your iPhone. 
And, you know, that mechanism may evolve over time as we, 
perhaps, innovate new ways to, as I mentioned before, 
incorporate the control over a user's information into the user 
interface itself, rather than just relying on the privacy 
    Senator Klobuchar. Well, in your testimony you also 
indicated that your customers have an opt-in model for 
location-based privacy disclosures when using third-party 
applications, but they have an opt-out model for location-based 
privacy disclosure to Apple. Is that right?
    Dr. Tribble. I think what you said is correct.
    Senator Klobuchar. You can clarify it later if you want, in 
writing, or for the record. I'm just trying to figure out how a 
uniform opt-out privacy disclosure policy would affect Apple, 
if, you know, we were to mandate that, or something like that.
    Dr. Tribble. Well, with respect to location, as I mentioned 
previously, there is a master on-off switch for location-based 
data, so that the user always has the option of completely 
opting out from any location data collection at all. As 
Chairman Rockefeller pointed out, perhaps that could be at a 
more easy-to-find place in the user interface. But, that is the 
goal of that feature.
    Senator Klobuchar. OK.
    And again, with--Dr. Whitten--with Google, along these same 
lines, about trying to read privacy policies when people aren't 
looking at everything--and we all know that--you might even 
have data on that, I don't know--how many of them actually read 
    Could you talk about how your users learn about Dashboard, 
and how do you inform them of the privacy options and what work 
you've done in this area?
    Dr. Whitten. I'd be delighted to.
    So, we've sort of developed a bit of a pithy saying as we 
try--internally--as we try to make progress on this, and this 
is to say that, you know ``Show is better than tell, and show-
and-tell is better than show.'' Right?
    So, I--my perspective on this is that privacy policies are 
necessary, but they're only a beginning of the efforts that we 
should be making to try to explain, consistently, the same 
important things that our users need to understand about their 
privacy, in many different ways. And this is why at Google if 
you click the privacy link, you will go, not just to a privacy 
policy, but to a privacy center, which contains the privacy 
policies, but it also contains frequently asked questions. It 
contains things like, for example, when we were first launching 
Chrome, we commissioned a comic book from a famous artist, to 
explain some of the things about the way Chrome worked, and the 
controls that we had built into it. It contains YouTube videos 
of me and others explaining aspects of how Google uses data, 
what controls are there, and how the Dashboard works.
    So, all of this is, I think, a really important component 
of trying to present that same information many, many different 
ways, so that people will have a good chance of finding clear 
explanations in the way that's most accessible to them.
    But, another component of it, and one very dear to my 
heart, is working to build the clarity of what's going on, 
right into the experience of the product. And again, with the 
Google Dashboard, it was very important to us to make that be, 
ideally, something that people would go to just because they 
wanted to know, ``Where's all my stuff?'' That it would be like 
going to your desktop, almost. And that, because the Dashboard 
presented in this, ``Here, this is just useful, in a practical 
way,'' a view of what all of the information stored in the 
account was, and what the options are, people would be 
consciously aware of that, even if they weren't thinking 
privacy, privacy, privacy. We didn't want people to first be 
concerned, and then click through and see things. We want to 
find ways to really put it in front of them.
    And, you know, I think there's still a lot of work to be 
done, there's still a lot of mysteriousness to be cleared up, 
and hopefully that'll keep my team busy.
    Senator Klobuchar. And I know that the Chairman had asked 
you about your testimony in talking about the--Google and how 
you've grown, and I was thinking about that--that question 
some. And I think one of the messages that we all have for you 
is that you have been very successful, and we appreciate that. 
We appreciate the jobs that you have brought, all of you, to 
our country, in this development, here.
    But, with that growth comes responsibility for piracy--
privacy--and as well as warding off piracy, may I add, Ms. 
Atwood. But, this responsibility for privacy of these things 
that we just wouldn't imagine people are trying to do to steal 
things, and predators getting information. And that's what I 
think you're hearing from all of us today, is what we hear from 
our constituents, of experiences they've had. And I know you've 
heard them, as well. But, it's our duty to be here to say, ``We 
need to do something better here.'' And you know some of it's 
going to be enacting laws, and some of it's obviously going to 
be things that you all do.
    So, I want to thank you for your testimony, and we look 
forward to continuing to work with you as we draft laws and try 
to do the best thing for the people of this country.
    Thank you.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Klobuchar.
    I don't have a question, I just have a closing thought.
    I remember 10, 15 years ago--when was Y2K? When was that? 
Ten? Cato comes down with 10. Do I have a 12?
    The Chairman. And what was fascinating about that, and what 
is sort of on my mind, is what an unbelievably naive display 
that was of an enormous number of very large jets coming in, 
the day before a vote, to land--as you could then do at the 
Washington Airport--and Senators, right and left, were summoned 
into absolutely cannot-miss meetings to tell us what the stakes 
were, and how we should vote--the next day.
    And I--that's still very much in my mind. And it describes, 
I think, the separation, in some respects, between your world 
and our world. It's not just a matter of Silicon Valley, East 
Coast, those horrible people in government.
    But, there's the unfortunate fact that we do have oversight 
over you. And this is hard for you to live with, because you're 
off on a tear, doing great things for this country, and Senator 
Klobuchar and I are left with incredibly frustrated parents, 
principals, school board members, police officers, coming and 
complaining to us, on a regular basis, about the fallout of 
what it is that you do. And I don't say that with hostility, I 
say that with a sense of--that we each have to reach out to 
each other.
    But, you should know that this committee--it's called the 
Commerce Committee, and I've been on it for 26 years--we've 
changed. And we've changed much more into a consumer- 
protection type of committee. We find ourselves up to our ears 
in scams, and pop-ups, and what the health insurance industry 
did all during the healthcare debate, the way they finally were 
taken to court, and we had to let--deal with that, and how 
they're still trying to take the medical loss ratio, which we 
finally had to pass when the public option couldn't pass, and 
they're trying to twist that before Health and Human Services 
can put out a final ruling on it.
    I mean, aggressively, people trying to shape the world the 
way they want the world to be. That is behavior which I can 
fully forgive, provided there is a counter on the other side. 
The other side, in this case, happens to be us.
    You've heard some very, very bright people, with some very 
passionate thoughts, and some very deep reflections on the 
success of your industries and the use of your industries by 
all of us.
    But, there is, as Senator Klobuchar said, the other side. 
And that's where we use words like--that's--Dr. Tribble, that's 
why I pointed that thing out; I made myself into a coal miner, 
a tree-climber, something of that sort. But, it was right to do 
so, because that's what most people are like in this country--
in the East, the Midwest, the Southwest, the Northwest, and 
    And so, I just hold that out as a thought for you, that 
we're doing this together, and we are--the people who sit 
behind us on these things are incredibly sophisticated wizards 
at what you do. And if we're going to make American better, if 
we're going to protect children, we're going to protect--cause 
parents to do as much as they can to be responsible, but 
understand when they can't be, because they just don't have the 
time--they're dead tired, they're on their third job of the 
day, whatever it is--that, still, this--all of the system has 
to work.
    You started out the day, it seems to me, just a bit--
talking about ``We are all about privacy protection online.'' 
And it ended up a little bit more, ``Well, we still have a lot 
to do. We have a long way to go.'' And there were things that 
came up, which I didn't find--what--didn't find satisfaction 
in, but found interest in, to simply say, in closing, that we 
need each other. But, it's important to understand that you 
need us, too. Because we represent the American people in ways 
that you do not. They do more business with you, but they 
depend upon us. So, we have our work to do, all of us.
    You're terrific to be here, and to stay this long. Most 
wouldn't have done it. But, you did get your machine back.
    The Chairman. Thank you all.
    [Whereupon, at 5:38 p.m., the hearing was adjourned.]

                            A P P E N D I X

Prepared Statement of Laura W. Murphy, Director, Washington Legislative 
 Office and Christopher Calabrese, Legislative Counsel, American Civil 
                            Liberties Union

    Chairman Rockefeller, Ranking Member Hutchison and members of the 

    On behalf of the American Civil Liberties Union (ACLU), a 
nonpartisan public interest organization dedicated to protecting the 
constitutional rights of individuals, and its more than half a million 
members, countless additional activists and supporters, and fifty-three 
affiliates nationwide, we applaud you for turning your attention to the 
important question of consumer online privacy. The ACLU has long been 
concerned about the growing collection of personal information by 
private entities. In our 2004 report ``Surveillance-Industrial Complex: 
How the American Government Is Conscripting Businesses and Individuals 
in the Construction of a Surveillance Society'' we wrote about the 
widespread collection of information by the private sector.\1\
    \1\ This report is available at: http://www.aclu.org/national-
    To identify the policy issues related to consumer interactions with 
corporations and other private parties, it is crucial to understand the 
larger context of information sharing throughout our society, including 
sharing with the government. Rapid technological advances and a lack of 
updated privacy law make information sharing between private parties 
and the government easier than ever, which in turn means that privacy 
invasions from the private sector can quickly become privacy invasions 
from the security agencies as well. This broader context must be 
considered when policymakers form judgments about the risks and 
benefits of sharing personal information and establish necessary 
protections to safeguard online consumer privacy.
    This statement includes a brief description of this problem and two 
concrete measures--data retention limits and bars to third party access 
to personal information--that the Committee can take to limit it.
    Acting under the broad mandate of the so-called war on terrorism, 
the U.S. security establishment is making a systematic effort to extend 
its surveillance capacity by pressing the private sector into service 
to report on the activities of Americans. That effort colors all 
discussions of privacy focused on the private sector.\2\
    \2\ See Dana Priest and William Arkin, ``A Hidden World, Growing 
Beyond Control,'' Washington Post, July 19, 2010.
    Public-private surveillance is not new. During the cold war, for 
example, the major telegraph companies--Western Union, RCA and ITT--
agreed to provide the Federal Government with copies of all cables sent 
to or from the United States every day--even though they knew it was 
illegal. The program, code named ``Operation Shamrock,'' continued for 
decades, coming to an end only with the intelligence scandals of the 
    Even such flagrant abuses as Operation Shamrock pale in comparison 
to the emergence of an information-age ``surveillance-industrial 
complex.'' Nothing in our history compares to the efforts at mass 
surveillance now underway. Today's abuses combine the longstanding 
police impulse to utilize private-sector information sources with 
awesome new technological capabilities for vacuuming up, storing and 
keeping track of vast oceans of information. The ongoing revolution in 
communications, computers, databases, cameras and sensors, combined 
with the private sector's increasingly insatiable appetite for consumer 
information, have created new opportunities for security agencies. 
These agencies are increasingly relying on mass sorting, sifting, and 
monitoring of populations as a means of stopping terrorism.
    Most of the interactions and transactions in Americans' lives are 
not conducted with the government, but with corporations and other 
private entities, who therefore hold most of the details of Americans' 
lives--including much of what is private and most important to them. 
From social networking to e-mail to photo sites, the more consumers 
learn, share, and connect online, the more personal information they 
leave behind. For example, as more people switch from hard-copy 
photographs in albums at home to online photo websites to develop and 
store digital photos, many do not realize that these photographs are 
stored in corporate databases, where they can be easily searched to 
compile information about consumers, their family and friends, and 
their private activities. As more people move information from hard 
copy calendars, address books, filing cabinets and home computers to 
online services, many do not realize that detailed information about 
who we know, where we go, and what we do in our personal lives could 
end up being collected and ultimately used in ways that we did not 
    The combination of that rich detail with the awesome powers of the 
Federal Government is a prospect that ought to give every American 
pause, and that needs to figure prominently in evaluations of the 
privacy issues facing Americans today.
Security Agencies Have Many Options for Accessing Private-Sector Data
    With the private sector tracking more and more of our activities 
for its own reasons, the government is free to leverage this private 
collection as a way of extending its own powers of surveillance.
    Corporate compliance with government data-surveillance efforts 
ranges from unwilling resistance to indifferent cooperation to eager 
participation to actual lobbying of the government to increase such 
activities. With an array of options at its disposal, the government 
can acquire a valuable stream of information about private activities 
from any source. These techniques add up to a startling advance in 
government monitoring of American life.
    The security agencies' options for accessing third-party 
information include:

        Asking for data to be shared voluntarily. For example, in 2003, 
        the online retailer eBay stated that it would be willing to 
        give over all its information and everything it knows to law 
        enforcement on request.\3\ The C.I.A., via its investment arm 
        In-Q-Tel, has invested in a software company that specializes 
        in monitoring blogs and social networks.\4\
    \3\ http://lawmeme.research.yale.edu/
modules.php?name=News&file=article&sid=925. This policy seems to remain 
largely in force: according to eBay's current privacy policy, in 
response to a ``verified request relating to a criminal investigation 
or alleged illegal activity,'' eBay will disclose ``information 
relevant to the investigation, such as name, city, state, zip code, 
telephone number, e-mail address, User ID history, IP address, fraud 
complaints, and bidding and listing history.''
    \4\ Noah Shactman, U.S. Spies Buy Stake in Firm That Monitors 
Blogs, Tweets, Wired, Oct. 19, 2009 at http://www.wired.com/dangerroom/
blog-monitoring-firm/ (last visited October 23, 2009).

        Buying information. Security agencies are not the only 
        organizations that are interested in creating high-resolution 
        pictures of individuals' activities by drawing together data 
        from a variety of sources. Commercial data aggregators do the 
        same thing for profit. These companies are largely invisible to 
        the average person, but make up an enormous, multibillion-
        dollar industry. The Privacy Act of 1974 banned the government 
        from maintaining information on citizens who are not the 
        targets of investigations--but law enforcement agencies are 
        increasingly circumventing that requirement by simply 
        purchasing information that has been collected by data 
        aggregators.\5\ For example, the Department of Defense, the 
        C.I.A., and the F.B.I. have all purchased use of private 
        databases from Choicepoint, one of the largest aggregators of 
        personal data.\6\
    \5\ See Chris Jay Hoofnagle, ``Big Brother's Little Helpers: How 
ChoicePoint and Other Commercial Data Brokers Collect, Process, and 
Package Your Data for Law Enforcement,'' University of North Carolina 
Journal of International Law & Commercial Regulation, Vol. 29 No. 4 
(Summer 2004).
    \6\ Shane Harris, FBI, Pentagon Pay For Access to Trove of Public 
Records, Nat'l J., Nov. 11, 2005, available at http://www.govexec.com/
story page.cfm?articleid=32802 (last visited October 7, 2009); Robert 
O'Harrow Jr., In Age of Security, Firm Mines Wealth Of Personal Data, 
Washington Post at A01, Jan. 20, 2005, available at http://
www.washingtonpost.com/wp-dyn/articles/A22269-2005Jan19.html (last 
visited October 7, 2009).

        Demanding information, using legal powers granted by the 
        Patriot Act and other laws. Section 215 of the Patriot Act 
        gives the FBI the power to demand customer records from 
        Internet Service Providers (ISPs) and other communications 
        providers, libraries, book stores or any other business--with 
        inadequate judicial oversight. National Security Letters, which 
        can be issued by FBI officials in field offices without the 
        approval of a judge, give the government broad power to demand 
        records with no judicial oversight. In both cases, businesses 
        can be subject to a gag order prohibiting them from talking 
        about the government's data demands.

        Using laws and regulations to dictate handling and storage of 
        private-sector data in order to increase its surveillance value 
        for the government. The Communications Assistance for Law 
        Enforcement Act of 1994 (CALEA) forced telecommunications 
        providers to design their equipment according to the FBI's 
        specifications in order to make eavesdropping easier and more 
        convenient. Another law mandates that airlines collect 
        identifying information from their passengers so that the 
        government, among other things, can keep records of who is 
        flying where. And there are proposals for mandatory retention 
        of communications data, which has been enacted in Europe and 
        which the security establishment would like to enact in the 
        United States.\7\
    \7\ See Declan McCullagh, ``FBI director wants ISPs to track 
users,'' CNET News, Oct. 17, 2006; at http://news.cnet.com/2100-7348 3-

        Creating systems for standing access to records of private 
        activities. The Patriot Act expanded systems for the regular 
        feeding of financial data to the government through 
        ``suspicious'' transaction reporting,\8\ and a system for the 
        government to conduct broad-ranging, nationwide ``Google 
        searches'' through financial records by giving the security 
        agencies the power to order a search of financial institutions 
        across the Nation for records matching a suspect.\9\
    \8\ The USA-Patriot Act, P.L. 107-56, Section 365, 115 Stat. 272 
(Oct. 26, 2001). Scott Bernard Nelson, ``Patriot Act would make 
watchdogs of firms,'' Boston Globe, November 18, 2001.
    \9\ ``Financial Crimes Enforcement Network; Special Information 
Sharing Procedures to Deter Money Laundering and Terrorist Activity: 
Final Rule,'' 67 Federal Register, 60,579 (Sept. 26, 2002); the 
regulations stem from section 314 of the Patriot Act; Michael Isikoff, 
``Show Me the Money: Patriot Act helps the Feds in cases with no tie to 
terror,'' Newsweek, Dec. 1, 2003, online at http://www.msnbc.com/news/

    Other recent examples of close relationships between private-sector 
companies and government security agencies include:

        The NSA spying scandal. When it was revealed that the NSA was 
        conducting illegal warrantless eavesdropping within the United 
        States, it quickly became apparent that several 
        telecommunications companies were active and willing 
        participants in this illegal and unconstitutional mass invasion 
        of Americans' privacy. Congress eventually granted retroactive 
        immunity to the companies despite the pending claims of those 
        wholly innocent individuals whose privacy had been breached.

        Fusion centers. Many proponents of these catch-all law 
        enforcement data collection and analysis centers envision an 
        active role for the private sector. Fusion Center guidelines 
        crafted by the Department of Justice suggest the centers 
        incorporate corporate participants, as well as private-sector 
        data sources such as retail stores, apartment facilities, 
        sporting facilities, hotels, supermarkets, restaurants, and 
        financial companies.\10\
    \10\ Bureau of Justice Assistance, Office Of Justice Programs, U.S. 
Dep't. Of Justice, ``Fusion Center Guidelines: Developing And Sharing 
Information and Intelligence In A New Era,'' p. iii, (Aug. 2006).
    There are at least two key areas for possible legislation or 
regulation which would not only protect consumer privacy but also limit 
the widespread collection of information by the government: data 
retention and third party access.
Data Retention
    Currently, there is no uniform practice or industry standard 
regarding data retention limitations for information detailing 
consumers' online habits. The Federal Trade Commission has declined to 
regulate in the area of data retention, instead adopting a hands-off 
policy ``[s]o long as self-regulation is making forward progress.'' 
\11\ Other uses of online information likewise remain unregulated. The 
result has been disparate approaches to data retention among online 
industry leaders.
    \11\ John Eggerton, Liebowitz: FTC Not Interested In Regulating 
Behavioral Ads, Multichannel News (May 12, 2010), available at http://
    For example, Facebook collects a wide range of information about 
its users, including not only content created by the users themselves 
but also ``[i]nformation we collect when you interact with Facebook''. 
However, Facebook does not specify how long such information will be 
retained. Facebook also collects information when any logged-in user 
visits a third party website that contains a ``like button'' or 
``social plugin'' the company's current policy allows it to retain this 
information for up to 90 days in identifiable format and to retain 
``aggregate and anonymized data'' indefinitely.\12\
    \12\ Facebook Help Center, Social Plugins and Instant 
Personalization, http://www.facebook.com/help/?faq=17512. In addition, 
Facebook publicly announced this policy only after the press revealed 
the fact that the like button and social plugins allowed Facebook to 
collect this information. See Declan McCullagh, Facebook ``Like'' 
Button Draws Privacy Scrutiny, CNN.com, June 2, 2010, http://
    Search engine giants also have widely varying policies about data 
retention. Google retains a complete record of every search, including 
the user's complete IP address and cookie data if the user is logged 
into a Google account, for a full 9 months. It deletes part of the IP 
address after 9 months and deletes any associated cookie data after 18 
months.\13\ Microsoft retains complete search records for 6 months, 
deletes the entire IP address after 6 months, and deletes any 
associated cookie data after 18 months.\14\ Yahoo! retains complete 
records for 3 months and deletes part of the IP address \15\ as part of 
a ``multi-step process to replace, truncate, or delete identifiers in 
order to de-identify data'' after 3 months \16\ before it completes an 
``anonymization,'' in which it deletes the last octect of the IP 
address. Google's cookie data used to track and analyze user search 
logs are retained for a full 18 months.\17\
    \13\ See Google privacy FAQ at: http://www.google.com/intl/en/
    \14\ See Bing Community, Updates to Bing Privacy, at http://
    \15\ N.Y.Times, Yahoo! Limits Retention of Personal Data, http://
    \16\ See Yahoo! Privacy Policy, Data Storage and Anonymization, at 
    \17\ See Google privacy FAQ at: http://www.google.com/intl/en/
privacy faq.html#toc-anon
    These data retention limits are particularly important because they 
often apply to other services offered by the same company. Google, for 
example, offers not only a search function but also Gmail, Calendar, 
Maps, Picasa, YouTube, and various other services. Thus Google's data 
retention policy means that Google is able to retain and analyze data 
about users' web page visits, searches, online purchases, videos 
watched, posts on social networks, and other activities, for up to a 
year and a half. This creates an overwhelming, comprehensive, and 
intrusive picture of a user and his or her online behavior.
    Imagine then if this vast amount of information were turned over to 
law enforcement or other government agencies. This would give the 
government unprecedented access to the lives and actions of law-abiding 
Americans and provide opportunities for government surveillance more 
intrusive than ever before. With access to the records held by online 
entities, the government could compile both broad and incredibly 
detailed profiles of people's activities and behaviors: not only who 
your friends are but where you met and how often you interact; not only 
which books you read but how you found them and which page you read 
most recently; not only which religion you claim but how often you 
actually attend services. The list of information that could be derived 
by government actors from data stored by private entities spans the 
entire spectrum of modern life.
    Unfortunately, this ``imaginary'' scenario is all too real, as the 
line between commercial data and the government becomes increasingly 
indistinct. For example, in 2003 the online retailer eBay stated that 
``if you are law enforcement agency you can fax us on your letterhead 
to request information: who is that beyond the seller ID, who is beyond 
this user ID. We give you their name, their address, their e-mail 
address and we can give you their sales history without a subpoena.'' 
(sic) \18\ Google reported that it received over 3,500 demands for 
information in the last 6 months of 2009.\19\ If Google is receiving 
thousands of demands digging into the intimate details of individual 
lives captured in e-mails, search histories, reading and viewing logs, 
and elsewhere, how many more are going out to Yahoo, Microsoft, 
Facebook and the thousands of other online services that Americans use 
every day?
    \18\ See Lawmeme, Ebay to Law Enforcement, http://
.php?name=News&file=article&sid=925. This policy seems to remain 
largely in force: according to eBay's current privacy policy, in 
response to a ``verified request relating to a criminal investigation 
or alleged illegal activity,'' eBay will disclose ``information 
relevant to the investigation, such as name, city, state, zip code, 
telephone number, e-mail address, User ID history, IP address, fraud 
complaints, and bidding and listing history.''
    \19\ Government Requests Tool, http://www.google.com/
governmentrequests. Note this does not include National Security 
letters or demands received outside of criminal investigations. It also 
does not count the actual number of users whose records disclosed 
pursuant to each demand. All of this means this number likely only 
reflects a fraction of the number of users whose records were demanded.
    Reducing the amount of information held by private parties can 
address this threat without severely impacting Internet commerce. 
Recent research suggests that data reaches its maximum potential for 
marketing purposes in approximately twenty-four hours.\20\ Forward-
thinking companies have started to set data retention policies that 
reflect the reality that business needs do not require long retention 
times, while continuing to store data unnecessarily increases the 
privacy risks to consumers. Ask.com developed the AskEraser, allowing 
users to conduct online searches without the company logging any 
information. In 2008, Yahoo! announced an anonymization policy to de-
identify most user log files records after 3 months. Yahoo!'s policy 
applies to user's web search data, information that tracks user's web 
page and advertisements views, and mouse click data.\21\
    \20\ See Jun Yan, Ning Liu, Gang Wang, Wen Zhang, Yun Jiang & Zheng 
Chen, How Much Can Behavioral Targeting Help Online Advertising? 
(2009),available at http://www
    \21\ See Yahoo.com, Yahoo! Privacy Policy: Data Storage and 
Anonymization, http://info.yahoo.com/privacy/us/yahoo/datastorage/
details.html (last visited July 26, 2010).
    These consumer friendly policies demonstrate that it is possible to 
balance the need for innovative services and technological advances 
with the important priority of giving users adequate privacy 
protections. The ACLU encourages this committee to safeguard consumers 
by enacting mandatory data retention limitations for online service 

Third-Party Access
    Online behavioral advertising and other online information services 
involve the collection of a staggering amount of information about 
people's online activities and the aggregation of that information in a 
few central locations.\22\ For example behavioral marketers seek to 
form a thorough picture of users. They do so by combining information 
gleaned from different websites over time, including web page visits, 
searches, online purchases, videos watched, posts on social networking, 
and other sources.\23\ Any particular website may provide little 
information, but when a large number of these data points are 
aggregated, the result is an extremely detailed picture.\24\
    \22\ Behavioral Advertising: Industry Practices and Consumers' 
Expectations: Hearing before the H. Subcomm. on Communications, 
Technology and the Internet of the H. Comm. on Energy and Commerce, and 
the H. Subcomm. on Commerce, Trade, and Consumer Protection of the H. 
Comm. on Energy and Commerce, 111th Cong. (2009) (Statement of Edward 
W. Felten, Professor of Computer Science and Public Affairs, Princeton 
University), available at http://energycommerce.house.gov/Press 111/
20090618/testimony--felten.pdf (last visited October 7, 2009); id. 
(Statement of Jeff Chester, Executive Director, Center for Digital 
    \23\ Felten, supra note 15 , at 3-4; Center for Digital Democracy, 
et al., Online Behavioral Tracking and Targeting: Legislative Primer 
2009 3, available at http://www.uspirg.org/uploads/s6/9h/
s69h7ytWnmbOJEV2uGd4w/Online-Privacy---Legislative-Primer.pdf (last 
visited October 5, 2009); see also Omniture, the Rise of Onsite 
Behavioral Targeting 1 (May 2008) (``On-site Behavioral Targeting 
leverages each individual Web visitor's observed click-stream behavior, 
both on the current Web visit and from all previous visits, to decide 
what content is likely to be most effective to serve to that 
visitor.''), available at http://www.omniture.com/offer/281 (last 
visited October 7, 2009).
    \24\ Felten, supra note 15, at 3-4; Chester, supra n.15, at 8-10; 
Electronic Frontier Foundation, How Online Tracking Companies Know Most 
of What You Do Online (and What Social Networks Are Doing to Help 
Them), Sept. 21, 2009, http://www.eff.org/deeplinks/2009/09/online-
trackers-and-social-networks (last visited October 7, 2009).
    A striking recent development involves the potential to collect 
data from social networking sites like MySpace, Facebook, Twitter, and 
LinkedIn. Many of these sites explicitly allow third parties, including 
advertisers, to access information about their users through various 
means.\25\ In addition, a scholarly paper reports that eleven of twelve 
sites studied had the potential to ``leak'' personally identifiable 
information about users unintentionally to advertisers and other third 
parties, including information such as name, address, phone number, 
gender, and birthday.\26\
    \25\ These sites ordinarily provide some form of user control over 
this data sharing. However, approximately 90 percent of users do not 
take advantage of privacy controls to limit access by third parties. 
Chester, supra note 15, at 3. In addition, even when available and 
used, these controls often prove ineffective against technically-savvy 
snoopers. Id.
    \26\ Balachander Krishnamurthy & Craig E. Wills, on the Leakage of 
Personally Identifiable Information via Online Social Networks (2009) 
available at http://conferences.sigcomm.org/sigcomm/2009/workshops/
wosn/papers/p7.pdf (last visited October 6, 2009).
    The collection of this online information is frequently being 
matched with real-world, offline identities. One expert, Professor Ed 
Felton, recently discussed the process by which an online ad service 
might combine its user profile with information purchased from a 
commercial database: ``If the ad service does know the identity, then 
third party services can provide a wealth of additional information, 
such as the user's demographics, family information, and credit 
history, which can be incorporated into the ad service's profile of the 
user, to improve ad targeting.'' \27\ While Professor Felten was 
careful to make clear that ``the fact that something is possible as a 
technical matter does not imply that reputable ad services actually do 
it,'' \28\ it seems likely the process is not uncommon. For example, 
the company Comscore, a leading provider of website analytic tools, 
boasts that ``online behavioral data can . . . be combined with 
attitudinal research or linked with offline databases in order to 
diagnose cross-channel behavior and streamline the media planning 
process.'' \29\
    \27\ Felten, supra n.15 at 4.
    \28\ Id.
    \29\ Why Comscore?, http://comscore.com/About_comScore/Why_comScore 
(last visited October 6, 2009). 30Harris, supra n.5 (quoting F.B.I. 
spokesman Ed Cogswell).
    This aggregated information can then be much more easily accessed 
by the government. This risk is certainly not theoretical. The FBI has 
admitted that it purchases information from ``a lot of different 
commercial databases . . .,'' and stated that once that information is 
collected by those databases, ``we legitimately have the authority to 
obtain `that information'.'' \30\ Given the government's demonstrated 
drive to access both online data and commercial databases of personal 
information, it seems nearly certain that law enforcement and other 
government actors will purchase or otherwise access the type of 
detailed profiles of online behavior compiled by behavioral marketers 
and others.
    \30\ Harris, supra n.5 (quoting F.B.I. spokesman Ed Cogswell).
    The best solution to this widespread surveillance of the American 
population is to limit the sharing of personal information with third 
parties and the aggregation of information into central databases. 
Limits on third party sharing would not hinder legitimate law 
enforcement investigations. Subpoenas and other law enforcement 
information gathering techniques would still be available to access 
records as part of an investigation. However, because personal 
information on innocent Americans would not be centralized, it would be 
harder to access and mass surveillance on the entire population would 
be more difficult. This is appropriate and necessary in our democracy. 
Innocent Americans have the right to be left alone. Detailed profiles 
of their interests, reading habits, and medical and financial 
information should not be readily available to their government.

    As you consider the important issue of collection of personal 
information for business purposes, we hope that you will not lose sight 
of the government use of information collected online. As intrusive as 
this data collection and use of information may be when performed by 
individual online advertisers and service providers, it is even more 
alarming when this information is disclosed to the government. The 
current legal framework offers little meaningful protection against 
such surveillance. Therefore, it is crucial that new laws addressing 
online privacy create a framework for data retention limitations and 
bars on third party data collection that help limit unwarranted 
government access of this information.
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                           Hon. Jon Leibowitz

    Question 1. Chairman Leibowitz, in your roundtables and discussions 
at the FTC have you gotten a sense of the level of protection for 
privacy consumers believe exists in the law for the information they 
share online and how that compares to the actual protections in law?
    Answer. A number of the stakeholders that participated in the FTC's 
privacy roundtables discussed consumers' interest in the privacy of 
their personal information. For example, roundtable participants cited 
a study showing that consumers were willing to pay more to shop at 
websites that have better privacy policies, as well as other consumer 
surveys that consistently indicate that a majority of consumers are 
uncomfortable with being tracked online.
    Despite this concern, it appears that consumers, in large, do not 
understand the extent to which their data is collected online or how 
that data is used and shared with third parties. Some of this confusion 
is the result of the invisibility of many online data practices. In 
addition, it appears that consumers often believe that there are laws 
that prevent certain data practices. Survey evidence provided during 
our roundtable project showed that consumers have very little 
understanding regarding the laws that govern how companies may collect 
and use data. Many consumers believe, for example, that if a company 
has a privacy policy, the company is not permitted to share a 
consumer's information with other companies without the consumer's 
permission. Accordingly, there appears to be a gap between what many 
consumers expect about the information they share online and what many 
companies are, in fact, doing with such information. Educating 
consumers about data practices--both online and offline--remains a 
challenge, especially in light of rapidly changing technology and the 
development of new business models.

    Question 2. Chairman Leibowitz, do you believe that the private 
sector is meeting existing consumer expectations of privacy and is 
there something different about firms operating on the Internet versus 
firms that operate offline in terms of how much information they are 
collecting or the principles that should govern their operations?
    Answer. Although, as noted above, there appears to be a gap between 
some consumers' privacy expectations and actual practices, we have seen 
steps by industry to improve the transparency of their data practices 
and to offer consumers better tools to control the collection and use 
of their data. For instance, since the FTC issued its online behavioral 
advertising principles in 2007, a number of individual companies have 
developed new disclosures and tools to allow consumers to control their 
receipt of targeted advertisements. These are positive steps; however, 
we believe that industry needs to continue to improve its data 
practices in order to meet consumers' privacy expectations. This is 
true regardless of whether companies are collecting consumer data 
online or offline. Indeed, more companies appear to be merging data 
collected online and offline, rendering the distinction between the 
sources of collected data less meaningful.

    Question 3. Chairman Leibowitz, there are some who argue that the 
reason Google, Facebook, Yahoo and others are American firms and not 
European firms is due in part to their freedom to collect and use 
information here versus that allowed in Europe. Chairman Leibowitz, 
could you talk about privacy standards in Europe and how they compare 
to those here as well as what effect the disparity in rules has had on 
opportunities for innovation?
    Answer. Although the United States and Europe have different 
regulatory frameworks in the area of online privacy, we share the same 
goals. Specifically, we both want transparency, and for consumers to 
have control over who obtains their data and what is done with it. In 
addition, we each want reasonable security for personal information and 
expect and demand accountability from businesses that handle consumer 
information. Although there are already many harmonized goals, the 
difference lies in how they are achieved. A number of different 
factors, like enforcement priorities, the role of self-regulation, and 
freedom of expression, are implicated in how privacy is approached. 
Given these factors, a completely harmonized approach between the U.S. 
and Europe is challenging.
    The FTC has received feedback from U.S. industry that transborder 
data flows are a particular challenge in the privacy area, particularly 
when it comes to compliance costs and confusion as to how to even 
comply with laws in different jurisdictions. I do think that the 
requirement in European law that transfers of personal data outside of 
Europe can only occur when the receiving countries have been determined 
to have ``adequate'' protections has created certain compliance 
challenges. U.S. companies are looking for streamlined ways to meet 
those challenges, such as the U.S.-EU Safe Harbor Framework for data 
transfers, so that they can continue to innovate and develop new 
products for consumers.
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                          Guy ``Bud'' Tribble

    Question 1. Mr. Tribble, technically, can firms at the browser 
level (Chrome, IE, Safari, etc.) establish private browsing capacity 
that would allow users to establish a baseline standard of protection 
that every site they visit would have to acknowledge and respect?
    Answer. Today, when using a browser to surf the Internet, 
individuals have a number of built-in browser features to help reduce 
the amount of unintended information shared directly with any 
particular website or stored on one's own computer. A considerable 
amount of the unintended information exchanged with visited websites 
and often used to monitor a user's interactions with those websites 
comes directly from browser cookies. While the Apple Safari browser, 
for example, is already configured by default not to allow third-party 
website cookies from being placed on one's computer, an individual also 
can turn off browser cookies entirely. However, turning off cookies 
from the browser will not prevent some third-party plug-ins or 
extensions, installed by the user, from placing their own cookies and 
exchanging information with websites. Those cookies must be managed 
separately by the plug-in. But there are also trade-offs as turning off 
cookies may degrade or disable many useful features on any given 
website. For example, on some websites a shopping cart may no longer 
store items or function at all.
    Managing cookies or turning them off entirely at the browser level 
is not enough to establish complete user privacy while surfing online. 
Modern browsers have evolved by giving users greater control over 
cookies and other mechanisms that websites might use to store 
information on the user's local computer--information which can be used 
to identify that browser while surfing. However, even with these 
privacy features, browsers cannot prevent websites from recognizing 
unique characteristics of the browser, the operating system and the 
network being used, and thus websites remain able to register 
information about the user's browsing. In order to connect with the 
user's browser and properly present web pages, websites are inherently 
able to identify such unique characteristics as a user's IP address, 
the type of browser being used and its version, the operating system 
and its version, its language, the plug-ins installed, installed fonts, 
and the screen resolution, among others. Taken together, these 
characteristics present enough information and are often variable 
enough to establish a unique profile for every website visitor. Once 
visited, a website would be able to identify a visitor each time he/she 
came back even with cookies turned off and private browsing enabled. 
Completely preventing this kind of information from flowing from the 
browser to the website during normal operation is an unsolved (and very 
difficult) technical issue. It may not even be possible to do while 
maintaining the efficiency and usability of the Web. It is for these 
reasons that we do not believe that browser level management alone can 
establish a complete baseline private browsing capacity that every 
website would have to acknowledge and respect.

    Question 2. Mr. Tribble, Apple teams with AT&T for the delivery of 
services to the iPhone and iPad. How are responsibilities for privacy 
protection distributed between your two companies?
    Answer. Apple is strongly committed to protecting the privacy of 
its customers. As we state in our Privacy Policy, we collect and share 
only the information that is necessary for AT&T to complete its 
activation process and to carry out its service. Once the data is given 
to AT&T, the data in their possession is treated in accordance with 
their privacy policy including their security practices. Data retained 
by Apple is governed by our privacy policy. As we stated in our 
testimony, Apple does not share the personally identifiable information 
of its customers with third parties for their marketing purposes.

    Question 3. Mr. Tribble, does Apple support baseline privacy 
protections in legislation and do you support either of the pending 
bills in the House and if not, what exactly would baseline protections 
    Answer. Apple supports baseline privacy protections governing clear 
notice and choice over the use of information, particularly personally 
identifiable information. As we have described in detail in our 
testimony, Apple is strongly committed to protecting the privacy of its 
customers by giving them control over the collection and use of their 
personal information and their location, and we believe that our 
products do this in a simple, elegant and transparent way. Further, as 
we stated in our testimony, Apple does not share the personally 
identifiable information of its customers with third parties for their 
marketing purposes. Finally, with respect to the legislative proposals 
and discussion drafts circulating on Capitol Hill to address online 
privacy, Apple has been working closely with our U.S. based technology 
industry colleagues and through our trade associations on matters 
governing consumer online privacy protections.
Response to Written Questions Submitted by Hon. John D. Rockefeller IV 
                             to Bret Taylor

    Question 1. Are Facebook users given the ability to review and 
approve what posts, videos, or photos of them are being ``tagged'' or 
labeled before they are posted publicly by others?
    Answer. Facebook offers users controls that enable them to 
determine what they share and with whom they share it. Facebook's 
system also offers users the ability to control who has permission to 
post on their Wall or comment on the content they share. Only people 
who have been confirmed by a user as friends can tag that user in 
third-party content, and users can control who has permission to see an 
aggregated view of content in which they have been tagged. For example, 
Last year Facebook introduced ``per-object-privacy control,'' an 
unprecedented tool, which allows users to determine on an item-by-item 
basis how broadly they want to share particular content. Similarly, 
this year, Facebook deployed an innovative setting that gives users a 
simple, one-click control over how widely they share their information. 
Facebook also provides users the ability to determine, when they are 
identified in content shared by other users, whether and the extent to 
which that identification is shared with other Facebook users. Users 
are also notified when they are tagged and can remove those tags so 
that they are no longer associated with that content. Finally, Facebook 
users have a setting they can use to determine whether and the extent 
to which photos and videos in which they are tagged are visible to 
other users.
    Facebook also sets forth rules in our Statement of Rights and 
Responsibilities (``SRR'') that make clear the types of content and 
behaviors that are prohibited on the site. The Facebook community of 
more than 500 million users takes the requirements in this SRR 
seriously. On the occasion when some users share content that other 
users feel violates our SRR, the community of users clicks our 
ubiquitous ``Report'' links, found throughout the site. This sends a 
report to Facebook's User Operations team that reviews reported content 
every hour of every day. Where we determine that content is in 
violation of the SRR, it is removed. When a user's behavior is 
particularly inappropriate or when action has been taken regarding that 
user's account on more than one occasion, that user's account may be 
disabled. In short, our users act as community police who enforce the 
standards of decency embodied in our SRR. This innovation has helped 
Facebook grow dramatically while keeping Facebook relatively free of 
inappropriate or offensive content.
    Finally, in the event that users post illegal content, we take 
appropriate action as soon as we are made aware of that content. We 
work closely with law enforcement at the Federal, state, local and 
international level. We have developed a strong partnership with the 
National Center for Missing and Exploited Children (``NCMEC''). In 
addition to developing methods of blocking the distribution of images 
of child sexual exploitation or violence that we encounter, we share 
unlawful images we encounter with either NCMEC or law enforcement as 

    Question 2. If not, has there been any consideration to give users 
this type of control?
    Answer. Facebook continually assesses and seeks to improve its 
privacy and sharing controls. We believe that our current framework--
which combines industry-leading sharing controls, coupled with robust 
community-based enforcement--provides users the best possible 
experience. Facebook's community of users plays an important role in 
determining what information is posted, when and with whom it is 
shared. They also play a critical role in helping to keep Facebook free 
of inappropriate content. The innovative approach Facebook employs of 
``crowd sourcing'' the identification and reporting of potentially 
inappropriate content on the site has allowed Facebook to grow without 
becoming an unpleasant place to visit. This practice motivates users to 
police the site and deters inappropriate conduct and content.

    Question 3. How straightforward and conspicuous is it for a 
Facebook user to permanently delete an account?
    Answer. Account deletion on Facebook is straightforward. Facebook 
users who want to delete their account may do so by clicking on the 
drop down menu under Account, found at the top of each page, and 
navigating to the Help Center. Currently, the first topic mentioned 
under ``Common Searches'' is ``delete account,'' with a hyperlink to 
the appropriate ``Frequently Asked Question'' page. The answer to the 
question ``how do I delete my account?'' includes a hypertext link to 
an explanation and a button the user can click to initiate account 

    Question 4. What is the process?
    Answer. Please see the response to Question 1 immediately above.

    Question 5. Have there been complaints about the deletion process?
    Answer. In addition to user inquiries, in 2009 the Office of the 
Privacy Commissioner of Canada (``OPC'') responded to a complaint 
raised by the Canadian Internet Policy and Public Interest Clinic 
alleging that Facebook made account deletion cumbersome. As a result, 
Facebook, in conjunction with the OPC, agreed to modify the 
descriptions of deactivation and deletion on Facebook and to make 
access to both processes more prominent.

    Question 6. Does a deleted account imply that all your information 
is erased?
    Answer. When a user deletes an account, the account is permanently 
deleted and cannot be reactivated by the user. However, as noted in our 
Statement of Rights and Responsibilities, ``removed content may persist 
in backup copies for a reasonable period of time.'' In addition, as 
explained in our Privacy Policy, ``[e]ven after you remove information 
from your profile or delete your account, copies of that information 
may remain viewable elsewhere'' based on the distributed nature of 
shared content.

    Question 7. If not, do Facebook users understand this?
    Answer. As a condition of using the Facebook site our users agree 
to abide by the Statement of Rights and Responsibilities. Users are 
responsible for reading and understanding the terms of the Statement of 
Rights and Responsibilities including the provisions that discuss 
Facebook's deletion policy. Facebook also provides prominent links to, 
and encourages users to review, its Privacy Policy, which as noted 
above includes information regarding account deletion.

    Question 8. Where and how is a user's information retained and for 
what purposes?
    Answer. Facebook user information is stored on a network of servers 
located in the United States. We store information in this manner so 
that we may provide Facebook to our users and allow each user to obtain 
access to information they have shared or that was shared with them 
through Facebook.

    Question 9. Can an account stay deactivated indefinitely?
    Answer. Yes. On occasion, some Facebook users want a way to step 
away from Facebook for a period of time without deleting the account. 
Users who deactivate do so for many reasons, including that they are 
busy with school or preparing for exams, are on a vacation or 
sabbatical, become ill, or are traveling for work. We make clear to 
users who deactivate their accounts that they may reactivate at any 
point in the future, and the vast majority of users who deactivate 
eventually do so.

    Question 10. If not, after what amount of time does a deactivated 
account permanently delete?
    Answer. Please see the answer to (1) immediately above this 
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                              Bret Taylor

    Question 1. Mr. Taylor, there is some question about how long 
service providers should hold a person's information. When a user 
deactivates his account, but does not delete it, how long do you keep 
the information and why?
    Answer. Our experience suggests that occasionally some of our users 
want a way to step away from Facebook for a period of time but do not 
wish to eliminate the accounts they've created. For such users, we 
offer account deactivation. Although a deactivated account is 
inaccessible to other Facebook users, we retain that account 
indefinitely. Users who deactivate do so for many reasons, including 
that they are busy with school or preparing for exams, on a vacation or 
sabbatical, become ill, or traveling for work. We make clear to users 
who deactivate their accounts that they may reactivate at any point in 
the future, and the vast majority of users who deactivate eventually do 

    Question 2. Mr. Taylor, does Facebook support baseline privacy 
protections in legislation and do you support either of the pending 
bills in the House and if not, what exactly would baseline protections 
    Answer. We support enactment of baseline privacy protections such 
as those that enhance disclosure, increase transparency, and provide 
users with control over data, but that also still permit innovation.
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                            Dr. Alma Whitten

    Question 1. Ms. Whitten, Google has made it clear that the 
collection of information from WiFi networks was a mistake and promises 
not to do it again. First, as the Chief Privacy Officer are Google 
practices not reviewed by your office and how was this missed? Second, 
if it was a mistake and not illegal, couldn't others right now be using 
similar techniques to steal information from WiFi networks?
    Answer. Thank you. As you note, Senator Kerry, this was an error 
for which we are profoundly sorry, and we are determined to learn all 
the lessons we can from our mistake.
    We are still reviewing our processes and the facts in this instance 
to understand how and why this occurred, but I can say as Google's 
Privacy Engineering Lead that it was not consistent with the value we 
place on the responsible collection of data. Google is taking the 
review of this matter very seriously and we will report back with the 
changes we'll make to prevent such a thing from happening in the 
    We appreciate your concerns about the potential misuse of WiFi 
technology. In fact, Google offers encrypted e-mail and search to help 
protect our users from others who might misuse their data. We remain 
the only major online provider to encrypt our e-mail service by 
    We also urge WiFi users to activate encryption settings on their 
WiFi routers. While some may prefer to leave their WiFi signals 
configured so as to be readily available to the general public, we 
believe most users would be best served by encrypting their 
communications--which would offer them both technological and legal 

    Question 2. Ms. Whitten, technically, can firms at the browser 
level (Chrome, IE, Safari, etc.) establish private browsing capacity 
that would allow users to establish a baseline standard of protection 
that every site they visit would have to acknowledge and respect?
    Answer. This is an important idea to pursue, Senator. Our product 
and engineering teams work hard to offer industry-leading privacy tools 
to users of all of our products, including Google Chrome.
    Browser-based efforts to enforce website privacy practices have 
unfortunately failed in the past. Website operators are not under the 
control of the browser providers, and so the browser cannot evaluate 
the practices of any website beyond its representations. The Platform 
for Privacy Preferences Project, or P3P, sought to implement a solution 
along these lines a decade ago, but was unable to overcome major 
implementation and enforcement hurdles.
    Nevertheless, we continue to work with technical groups and 
internally on developing robust browser privacy controls. While 
browsers cannot perfectly enforce what happens with data at the other 
end of the Internet connection, responsible providers should respect 
the preferences that the user indicates through browser settings.
    Chrome of course already offers Incognito Mode, in which webpages 
that a user opens and files downloaded are not recorded in the user's 
browsing and download histories. In addition, all cookies set in 
Incognito Mode are deleted after a user closes browser windows that she 
has opened. These features would prevent persistent cookies and other 
tracking mechanisms, if a user prefers a less personalized web 
    Note also that the use of cookies for personalization, targeted 
advertising, and analytics remains always under the control of the 
user. Moreover, they can recognize a browser on an anonymous basis 
without requiring a user to log in and reveal his or her identity. As 
Princeton University computer scientist Ed Felton wrote, ``if a site is 
going to track me, I want them to do it openly, using cookies.'' Google 
goes even further, by offering industry-leading opt-out mechanisms.

    Question 3. Ms. Whitten, does Google support baseline privacy 
protections in legislation and do you support either of the pending 
bills in the House and if not, what exactly would baseline protections 
    Answer. Yes, Google supports the development of comprehensive, 
baseline privacy legislation that can ensure broad-based user trust, 
support continued innovation, and serve the privacy interests of 
consumers. As I wrote in my testimony, I believe such legislation 
should at the least include:

   Even-handed application to all personal data regardless of 
        source or means of collection.

   Recognition of benefits and costs of legislating in this 
        area, including explicit attention to actual harm, compliance 
        costs, and continued online innovation.

   Uniform, reasonable security principles, including data 
        breach notification procedures.

   Clear process for compelled access. The U.S. law governing 
        government access to stored communications is outdated and out 
        of step with what is reasonably expected by those who use cloud 
        computing services.

   Consistency across jurisdictions. Generally, Internet users 
        neither expect nor want different baseline privacy rules based 
        on the local jurisdiction in which they or the provider reside.

    At Google, we believe that stable, baseline principles set by law 
can permit flexible, adaptive self-regulatory structures to develop on 
top--much like the stable protocols and standards at the physical and 
network layers of the Internet allow flexible and innovative 
development at the content and application layers.
    We would be glad to work with you and your staff on this important 
matter, as we share the same goal of increasing trust and security for 
all Internet users.
    We are encouraged by the sincere effort toward this goal 
represented by the House bills to which you refer in your question. We 
have provided direct feedback to Chairman Boucher on his draft, a copy 
of which we have attached to these responses. We are still reviewing 
the bill introduced by Chairman Rush, and we look forward to working 
with his office on this issue as well.
    Thank you again for the opportunity to address the Committee.
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                         Professor Joseph Turow

    Question 1. Professor Turow, you have done research indicating that 
most consumers do not want firms using their information to target ads 
to them. Yet industry argues that once they explain to users that they 
receive ads more likely to be of interest to them this way, the concern 
disappears. How do you respond to the industry argument that most 
people benefit from the collection and use of their information and 
most are not concerned once educated?
    Answer. The research I carried out with colleagues at the 
University of California, Berkeley, Law School showed that a majority 
(66 percent) of Americans do not want ads ``tailored to your 
interests.'' The percentage gets much higher when the people who said 
they want tailored ads were told that that firms follow their 
activities in various ways (on the website they are visiting, on other 
websites they have visited, and in stores) in order to present the 
tailored material to them. Then many of those people as well tend to 
say they didn't want they ads, with percentages varying dependent on 
where they would be followed. In the end, around 80 percent of 
Americans said they didn't want the tailored advertising.\1\
    \1\ Joseph Turow, Jennifer Kind, Chris Jay Hoofnagle, Amy Bleakley 
and Michael Hennessy, ``Americans Reject Target Advertising,'' 
Annenberg School for Communication & Berkeley Law School, September 
2009. Electronic copy available at: http://ssrn.com/abstract=1478214.
    Two points ought to be emphasized about this research.

   First, the research was conducted in a ``gold-standard'' 
        manner. The well-known firm Princeton Research interviewed 
        1,000 randomly chosen Americans via both landline and cell 
        phones according to the best academic criteria for carrying out 
        this work. Although interviewing people by phone--and 
        especially on cell phones--is expensive, it is far preferable 
        to using the Internet to recruit and interview individuals. 
        Many, if not most, industry surveys use people recruited via 
        the internet. These cannot be random by their very nature 
        because the people volunteer in response to ads they see. 
        Moreover, there is the real danger that people who volunteer 
        over the Internet feel more comfortable doing things online 
        than the population as a whole. Consequently, their answers to 
        questions about their knowledge about the Internet and comfort 
        with it cannot be seen as reflecting the views of the 
        population as a whole.

   Second, the findings of our study about tailored advertising 
        are very much in line with findings of previous national 
        telephone surveys I have conducted. Moreover, our tailored-
        advertising study showed that Americans' concerns about being 
        followed are not just focused on advertising. We asked 
        questions about tailored discount coupons as well as tailored 
        news. The percentages were different; 57 percent didn't want 
        tailored news while 49 percent didn't want tailored 
        advertising. But when people who said tailored discount coupons 
        and news are OK were told that they were being followed in 
        order to get the information used for that customization, many 
        of those people said they didn't want it. That brought the 
        percentages of Americans saying no to tailored discounts and 
        news around 80 percent. We conclude, then, that Americans don't 
        say no to tailored advertising because they dislike advertising 
        and find it annoying. They say no, as they say no to tailored 
        discounts and news, because they dislike the idea of firms 
        following them around online and offline.

    A number of organizations representing Internet marketers have 
conducted research to try to rebut our findings. Their studies were 
done using Internet samples that are not representative. Yet they still 
confirm our result that in huge numbers Americans say they do not want 
tailored advertising. Using an online survey where at least 50 percent 
were recruited online, Datran tried a somewhat different tack to argue 
that most Americans ``are not concerned once educated.'' First Datran 
asked similar questions about advertising to the ones our studied 
asked, and it found similar results. Then the people were told about 
the following information called PreferenceCentral and then asked the 
question (Q9) below it:\2\
    \2\ Datran, ``Preference Central: Consumer Perspectives on Online 
Advertising 2010,'' Datran Media Powerpoint Slide Presentation, July 

        PreferenceCentral is a free service that provides consumers 
        with complete control of what targeted advertising they receive 
        online and complete visibility into what information 
        advertisers use to target the advertisements. More 
        specifically, PreferenceCentral provides consumers:

        Complete Control: Consumers will now be able to select what 
        online advertising they will get--Selecting the categories, 
        brands, or advertisers they are interested AND those they do 
        not want;

        Complete Transparency: Consumers will now know what information 
        is being used by specific advertisers to target advertising to 
        them AND have that specific advertiser stop use of that 
        information for targeting. This will happen through a 
        notification in every targeted ad that links to an account 
        where a consumer can exercise control;

        Monitoring and Enforcement: PreferenceCentral will also monitor 
        online advertising to assure that consumers' preferences and 
        industry best practices are being used by advertisers.

        Q9. Based on this description of PreferenceCentral, how 
        interested would you be in using this free service?

        Extremely Interested (5)

        Very Interested (4)

        Somewhat Interested (3)

        Not Very Interested (2)

        Not At All Interested (1)

    Datran says that after hearing the description about 
PreferenceCentral, ``41 percent became more comfortable.'' (It seems, 
though, that a substantial segment was still uncomfortable.) The 
company therefore posits that once educated and assured about 
protections, most Americans will be OK with tailored advertising. The 
problem is that the PreferenceCentral service that they describe for 
their subjects simply doesn't exist. Moreover, this kind of universal 
``complete control'' and ``complete visibility into what information 
advertisers use to target'' is not a serious possibility at this time. 
As a result, people are responding to an unrealistic hypothetical that 
gives them assurances that won't be achieved. For all intents and 
purposes, then, the findings agree that in the contemporary situation 
it will be difficult to sway Americans from being uncomfortable with 
tailored advertising. To simply say that Americans' concerns disappear 
``when they are educated'' is disingenuous.
    Furthermore, PreferenceCentral and other self-regulatory programs 
obscure the underlying issue: these programs still allow advertisers to 
track users pervasively. The ``control'' mechanism speaks to what ads 
the individual will receive, not to whether they can reject tracking. 
Much of our survey concerns the underlying data practices that 
advertisers are unwilling to address. For instance, we found that 
Americans strongly favor laws giving them a right to delete, a right to 
transparency, a right to vindicate wrongs in court for money damages, 
and for a requirement that advertising companies delete data after a 
certain amount of time. The industry's surveys and self-regulatory 
programs do not address any of these issues.
    As for the industry's argument that most people benefit from the 
collection and use of their information, the industry has not shown 
that most people believe that based on the ways that marketers and 
media firms are collecting and using their data. Apart from survey 
research that I have conducted, alone and with colleagues, other 
surveys and many qualitative studies and anecdotal reports suggest that 
people do not buy the cost-benefit calculation that the industry 
insists they accept.

    Question 2. Professor Turow, if there were a single stand out 
private sector actor that is doing right by consumers on privacy, who 
would you cite?
    Answer. It's difficult to cite such a company, especially among the 
major players. The key point to be made is the competition in the 
contemporary media scene is virtually forcing companies to ratchet up 
their ability to track people and exchange increasingly deep and 
``social'' information about them. There is no market for digital 
privacy, partly because consumers do not have an opportunity to make 
selections based on privacy criteria.

    Question 3. Professor Turow, do you support either of the pending 
bills in the House and if not, what exactly would baseline protections 
    Answer. I would prefer to state baseline protections. They include 
the following:

        (1) A universal opt-in ``do not follow'' mechanism should be 
        established for consumers across the digital space. Consumers 
        could adopt some universal mechanism, such as a 
        ``DONOTTRACKME'' setting in their http headers, that would 
        signal to website that the user does not want to be tracked. 
        Having this tag would mean that advertisers could not track 
        that person's computer and that sites the person visits could 
        not offer the person's data on an exchange. It would allow 
        individual sites to follow people around those sites and send 
        targeted commercials based on those activities. This plan would 
        not require a lot of work on the part of many parties to 
        construct and implement, because the infrastructure of the NAI 
        opt out is already in place. Advertisers would simply have to 
        look for the DONOTTRACKME setting, rather than an opt out 
        cookie, which are easily deleted.

        (2) With every targeted commercial message, a link should lead 
        to the presentation of the following information:

                a. Names and links to the companies involved in the 

                b. Descriptions of the specific data they collected and 
                where they got the data

                c. How the targeting took place--for example, as a 
                result of cookies or registration or Flash Cookies; 
                sold by the site, through an exchange; or via an ad 

                d. How to change some of the data, opt out of certain 
                data use by those firms, or fully opt out of the site 
                and/or the marketers following the consumer

        (3) Enhancement of data should be prohibited unless the person 
        gives explicit permission. Advertisers have long argued that 
        consumers could control their privacy by limiting revelation of 
        personal information. This is good advice, but can be 
        completely undone through the practice of ``enhancement.'' 
        Enhancement is a process where advertisers ``overlay'' or 
        ``bump up'' customer databases by adding information from other 
        sources. It adds to the data points organizations have to use 
        about citizens in ways that are beyond the citizens' control or 
        knowledge. Enhancement takes place when a party with certain 
        information about a person gets more information about that 
        person from another provider of the data. That may happen 
        through anonymous cookie matching. It may take place when a 
        publisher or marketer uses personally identifiable registration 
        data from its visitors to buy more information about them from 
        data firms. It may also happen when a publisher, marketer, or 
        data firm gets anonymous individuals to identify themselves (by 
        signing up for sweepstakes, for example) and then purchases 
        information about the person from various sources. In some of 
        these cases, the organizations may re-anonymous the