[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
INTERNET PRIVACY: THE VIEWS OF THE FTC, THE FCC, AND NTIA
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
AND THE
SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
JULY 14, 2011
__________
Serial No. 112-75
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
72-908 PDF WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan
Chairman
JOE BARTON, Texas HENRY A. WAXMAN, California
Chairman Emeritus Ranking Member
CLIFF STEARNS, Florida JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky Chairman Emeritus
JOHN SHIMKUS, Illinois EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania EDOLPHUS TOWNS, New York
MARY BONO MACK, California FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska ANNA G. ESHOO, California
MIKE ROGERS, Michigan ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina GENE GREEN, Texas
Vice Chairman DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma LOIS CAPPS, California
TIM MURPHY, Pennsylvania MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana JIM MATHESON, Utah
ROBERT E. LATTA, Ohio G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington JOHN BARROW, Georgia
GREGG HARPER, Mississippi DORIS O. MATSUI, California
LEONARD LANCE, New Jersey DONNA M. CHRISTENSEN, Virgin
BILL CASSIDY, Louisiana Islands
BRETT GUTHRIE, Kentucky KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
(ii)
Subcommittee on Commerce, Manufacturing and Trade
MARY BONO MACK, California
Chairman
MARSHA BLACKBURN, Tennessee G.K. BUTTERFIELD, North Carolina
Vice Chairman Ranking Member
CLIFF STEARNS, Florida CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire JIM MATHESON, Utah
GREGG HARPER, Mississippi JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas MIKE ROSS, Arkansas
DAVID B. McKINLEY, West Virginia HENRY A. WAXMAN, California (ex
MIKE POMPEO, Kansas officio)
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)
------
Subcommittee on Communications and Technology
GREG WALDEN, Oregon
Chairman
LEE TERRY, Nebraska ANNA G. ESHOO, California
Vice Chairman Ranking Member
CLIFF STEARNS, Florida EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois MICHAEL F. DOYLE, Pennsylvania
MARY BONO MACK, California DORIS O. MATSUI, California
MIKE ROGERS, Michigan JOHN BARROW, Georgia
MARSHA BLACKBURN, Tennessee DONNA M. CHRISTENSEN, Virgin
BRIAN P. BILBRAY, California Islands
CHARLES F. BASS, New Hampshire EDOLPHUS TOWNS, New York
PHIL GINGREY, Georgia FRANK PALLONE, Jr., New Jersey
STEVE SCALISE, Louisiana BOBBY L. RUSH, Illinois
ROBERT E. LATTA, Ohio DIANA DeGETTE, Colorado
BRETT GUTHRIE, Kentucky JOHN D. DINGELL, Michigan
ADAM KINZINGER, Illinois HENRY A. WAXMAN, California (ex
JOE BARTON, Texas officio)
FRED UPTON, Michigan (ex officio)
C O N T E N T S
----------
Page
Hon. Mary Bono Mack, a Representative in Congress from the State
of California, opening statement............................... 2
Prepared statement........................................... 4
Hon. G.K. Butterfield, a Representative in Congress from the
State of North Carolina, opening statement..................... 6
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement...................................... 7
Prepared statement............................................... 9
Hon. Lee Terry, a Representative in Congress from the State of
Nebraska, opening statement.................................... 11
Hon. Anna G. Eshoo, a Representative in Congress from the State
of California, opening statement............................... 11
Hon. Fred Upton, a Representative in Congress from the State of
Michigan, opening statement.................................... 13
Prepared statement............................................... 14
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, opening statement.......................... 15
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement.................................. 15
Hon. Henry A. Waxman, a Representative in Congress from the State
of California, opening statement............................... 16
Hon. Edward J. Markey, a Representative in Congress from the
Commonwealth of Massachusetts, opening statement............... 17
Hon. Joe Barton, a Representative in Congress from the State of
Texas, opening statement....................................... 17
Prepared statement............................................... 19
Hon. Pete Olson, a Representative in Congress from the State of
Texas, opening statement....................................... 21
Hon. John Barrow, a Representative in Congress from the State of
Georgia, opening statement..................................... 21
Hon. Doris O. Matsui, a Representative in Congress from the State
of California, opening statement............................... 22
Hon. Janice D. Schakowsky, a Representative in Congress from the
State of Illinois, opening statement........................... 22
Hon. Edolphus Towns, a Representative in Congress from the State
of New York, prepared statement................................ 113
Witnesses
Edith Ramirez, Commissioner, Federal Trade Commission............ 23
Prepared statement........................................... 25
Answers to submitted questions............................... 116
Julius Genachowski, Chairman, Federal Communications Commission.. 43
Prepared statement........................................... 45
Answers to submitted questions............................... 124
Lawrence E. Strickling, Assistant Secretary for Communications
and Information, National Telecommunications and Information
Administration, Department of Commerce......................... 49
Prepared statement........................................... 51
Answers to submitted questions............................... 135
Submitted Material
Article, ``You're Not Google's Customer--You're the Product:
Antitrust in a Web 2.0 World,'' dated March 29, 2011, by Nathan
Newman in the Huffington Post, submitted by Mr. Scalise........ 84
Statement, dated July 14, 2011, of Commissioner J. Thomas Rosch,
submitted by Mrs. Bono Mack.................................... 100
INTERNET PRIVACY: THE VIEWS OF THE FTC, THE FCC, AND NTIA
----------
THURSDAY, JULY 14, 2011
House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade
joint with the
Subcommittee on Communications and Technology,
Committee on Energy and Commerce,
Washington, DC.
The subcommittees met, pursuant to call, at 11:04 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Mary Bono
Mack (chairman of the Subcommittee on Commerce, Manufacturing,
and Trade) presiding.
Members present from the Subcommittee on Commerce,
Manufacturing, and Trade: Representatives Bono Mack, Blackburn,
Stearns, Bass, Harper, Lance, Cassidy, Olson, McKinley, Pompeo,
Butterfield, Rush, Schakowsky, and Waxman (ex officio).
Members present from the Subcommittee on Communications and
Technology: Representatives Walden, Terry, Bilbray, Gingrey,
Scalise, Latta, Guthrie, Kinzinger, Barton, Upton (ex officio),
Eshoo, Markey, Matsui, Barrow, and DeGette.
Staff present: Jim Barnette, General Counsel; Ray Baum,
Senior Policy Advisor/Director of Coalitions; Allison Busbee,
Legislative Clerk; Paul Cancienne, Policy Coordinator,
Commerce, Manufacturing, and Trade; Nick Degani, Detailee,
Federal Communications Commission; Neil Fried, Chief Counsel,
Communications and Technology; Brian McCullough, Senior
Professional Staff Member, Commerce, Manufacturing, and Trade;
Jeff Mortier, Professional Staff Member; Gib Mullan, Chief
Counsel, Commerce, Manufacturing, and Trade; David Redl,
Counsel, Telecom; Kelsey Guyselman, Legal Intern; Shannon
Weinberg, Counsel, Commerce, Manufacturing, and Trade; Michelle
Ash, Democratic Chief Counsel, Commerce, Manufacturing, and
Trade; Roger Sherman, Democratic Chief Counsel, Communications
and Technology; Felipe Mendoza, Democratic Counsel; William
Wallace, Democratic Policy Analyst; Sarah Fisher, Democratic
Policy Analyst; and Alex Reynolds, Democratic Legal Intern.
Mrs. Bono Mack. Please come to order. Good morning.
From data breaches in the United States to a cell phone
hacking scandal in Great Britain, consumer privacy has become
part of our national consciousness. Today, we have a unique
opportunity to make a real difference in the lives of millions
of Americans, and I look forward to working with Chairman
Walden and members of both of our subcommittees on this unique
challenge.
We often hear that privacy laws in Europe are much stricter
than they are in the U.S., and if that is so, it is hard to
understand how the phone hacking incidents in Britain could
have gotten so far out of hand. It raises the question of
whether American consumers are as vulnerable as politicians and
celebrities in London. I hope that Chairman Genachowski will
address this issue as we continue to gather facts.
The chair now recognizes herself for an opening statement.
OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
This morning, we begin a very important and, some say,
long-overdue debate. When it comes to the Internet, how do we--
as Congress and as Americans--balance the need to remain
innovative with the need to protect privacy?
The explosive growth of technology has made it possible to
collect information about consumers in increasingly
sophisticated ways. Sometimes the collection and the use of
this information is extremely beneficial; other times, it is
not. Frankly, I am somewhat skeptical right now of both
industry and government. I don't believe industry has proven
that it is doing enough to protect American consumers, while
government, unfortunately, tends to overreach whenever it comes
to new regulations. That is why this debate must be deliberate
and thoughtful, but without question, it is time for this
debate to take place.
Even though it serves billions of users worldwide--and this
year e-commerce in the U.S. will top $200 billion for the first
time--the Internet pretty much remains a work in progress.
Still, in just 25 years, the Internet already has spurred
transformative innovations. It has indefinite value and it has
become a part of our daily lives. And it has unlimited
potential to affect positive social and political change, as
the world dramatically witnessed during the Arab Spring.
But the Internet has brought about more subtle cultural
changes as well. Think about it for a second. If a total
stranger knocked on your door one day and asked you for your
name, your birthday, your relationship status, your number of
children, your educational background, email address, and
Social Security number, would you give that information out
freely? Probably not.
Yet today, as consumers, we willingly dole out this
personally identifiable information online--literally bit by
bit. This information is then compiled and collated by
computers to produce personal profiles used in online
behavioral marketing and advertising. This data mining helps to
pay the freight for all of the information that we get for free
on the Internet. But does it come at too great of an expense to
consumer privacy? That question cuts to the heart of this very
important issue.
Applications providers continue to increase the variety of
tools available to American consumers to control their privacy
settings, but a nagging problem for most consumers is the lack
of a basic understanding about how companies use and collect
this information. While survey after survey indicates that
consumers harbor serious concerns about their privacy, it is
unproven and unclear whether more stringent laws and
regulations relating to the collection and use of data will
satisfy these concerns in a way that encourages continued
innovation and an expansion of electronic commerce.
As Congress takes a closer look at online privacy issues,
industry has stepped up its self-regulatory efforts relating to
the collection and use of consumer information. These industry-
wide efforts include expanded consumer education and site
transparency to increase consumer comfort with how industry
uses their information, as well as the development of new
preference profiles so consumers can personalize their browsing
experience and control just how much information they actually
want to share.
As I listen closely to all of your thoughts, I would also
like to share a few of my own with you. First and foremost,
greater transparency is needed to empower consumers. While it
is still unclear to me whether government regulations are
really needed, providing consumers with more transparency is
the first step in better protecting Americans.
Consumers should be notified promptly if there is a
material change in a privacy policy; no bait-and-switch schemes
should be allowed nor tolerated.
Sensitive information should have greater safeguards in
place, especially when it comes to financial and personal
health records.
We should take a long look at how our children are treated
online and how they are marketed to.
And we need to closely re-examine privacy laws that are
currently on the books. Do we need a single regulator to
protect consumer privacy? While I personally support this
concept, we should first look at its potential impact on
consumers.
And finally, what part should ``no harm, no foul'' play in
this debate? Over the last few months, the FTC and the
Department of Commerce have issued extensive reports concerning
online privacy. However, there is little proof of any
substantive consumer harm. Before regulations are enacted,
there should be a ``definable'' problem such as we are seeing
in the area of data protection.
As we move ahead with our hearings, I look forward to a
robust discussion with all of my colleagues on the committee as
well as industry and consumer groups. Working together, we can
make innovation and privacy a shared priority, and the Internet
will be the eighth Wonder of the World.
And now I would like to recognize the gentleman from North
Carolina, Mr. Butterfield, the ranking member of the
Subcommittee on Commerce, Manufacturing, and Trade for 5
minutes for his opening statement.
[The prepared statement of Mrs. Bono Mack follows:]
Mr. Butterfield. Let me inquire. Was it my understanding
that this side was going to be allowed 20 minutes to make
opening statements and I can yield those as I see fit? Is that
right?
Mrs. Bono Mack. I will yield them for you.
Mr. Butterfield. I see. That will be fine. That will be
fine.
OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NORTH CAROLINA
Let me thank the two chairmen for holding today's joint
hearing on Internet privacy. I look forward to the testimony
from the three witnesses as we begin to talk about this very
important issue. I also look forward to learning how Congress
can better equip these three agencies so that we can best
protect American's online privacy.
With nearly every aspect of our lives now containing an
online component, it is vitally important that American's have
reasonable protections for the personal information held and
sold by the data-gathering industry. That personal information
can include specific Web sites a user has visited, how long
they spent on that Web site, whether or not they purchased
something, what they purchased, and what they looked at while
they were there. It can even record their keystrokes. The
personal information is collected often without a user's
knowledge and without their consent.
When a Web site installs tiny files on a user's computer to
record Internet activity, these files are called cookies or
flash cookies or beacons. While the term ``cookie'' doesn't
sound particularly invasive, a recent investigation by the Wall
Street Journal found that a test computer visiting the 50 most
popular Web sites resulted in more than 2,000 cookies being
installed without notification or consent on the test computer.
What is worse is that the top 50 Web sites directed at children
placed substantially more tracking files on visitors' computers
than general audience Web sites. The Wall Street Journal found
children's Web sites place 4,100 cookies and other tracking
mechanisms on their test computer, again, without notice or
consent.
Even more concerning is that the data-gathering industry
has developed ways to marry online data with offline data like
warranty cards and property records and voter registration
records and even driver's licenses to build super-files that
are sold for pennies. Some companies are even using these
super-files to differentiate which of the same type of product
they will offer to potential customers. For example, a life
insurance clearing house Web site tested a system that would
recommend different policies based on the personal information
contained in the files. This practice is called ``boxing,'' and
I would argue that it is nothing more than a high-tech form of
economic and social discrimination.
In addition, having all this data in one place puts
Americans at risk of other more traditional high-tech harms
like identity theft and fraud. It is clear that businesses need
to collect some information for their operational needs. Beyond
that, however, I think it is well past the time to put in place
some clear and comprehensive rules to let consumers know and
exercise some control over what data gatherers can collect, how
they can collect, and what they can do with it once they have
it.
Madam Chairman, I hope you will work with me to craft
legislation that will safeguard American's personal information
so they can continue to use the amazing and infinite potential
of the Internet in the safest and most secure ways possible.
Thank you. I yield back the balance of my time.
Mrs. Bono Mack. I thank the gentleman. The chair now
recognizes Mr. Walden, chairman of the Subcommittee on
Communications and Technology, for 5 minutes.
Mr. Walden. Thank you, Madam Chairman. I want to welcome
our witnesses.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
As consumers are increasingly living their lives on the
Internet--and even more on their Smartphones--concern is
obviously growing over electronic communications privacy.
Indeed, the Energy and Commerce Committee has taken an active
role in investigating online privacy in the last few
Congresses. Mr. Barton, for example, has sought out information
from a number of companies about their practices regarding
Internet advertising and consumers' online information. Members
of the committee have reached out to Google about privacy
concerns arising from ``Google Buzz,'' as well as their
collection of data from personal Wi-Fi networks, something I
know the FCC is examining.
And just this past April, Chairman Upton, Chairwoman Bono
Mack, and myself, along with our Democratic colleagues, also
sent letters to several mobile operating system providers such
as Apple asking hard questions about the location-based
services they provide and about the privacy protections
attached to those services. And both the Communications and
Technology and the Commerce, Manufacturing, and Trade
Subcommittees have had a number of hearings in recent years.
Now, we are having this hearing because we want to make
sure Americans have adequate information regarding how data
about them and their Internet use is collected, used, and
shared, and to make sure their privacy is protected. But we
must balance that need with the recognition that regulatory
overreach could curb the ability of entrepreneurs to invest,
innovate, and create jobs and new technologies. At this point,
it is not clear what legislation--if any--is necessary, but
this hearing will help shed light on this question.
As we move forward, one thing stands out in my mind:
Today's regime is neither competitively nor technologically
neutral. Section 222 of the Communications Act gives the
Federal Communications Commission broad authority to implement
privacy protections for consumers of wireline and wireless
telephone services. Section 222 also specifically calls out
location-based services for regulation, but applies that
regulation only to carriers and not providers of devices,
operating systems, or applications. Other parts of the
Communications Act give the Commission authority over cable
operators and satellite television providers under a ``prior
consent'' framework.
In stark contrast, there are few if any communications
privacy regulations governing web-based companies, even those
that can access a user's search queries, emails, voice and
video online conversations, web browser, and even operating
systems.
So why should a wireless provider that transmits data to
and from a Smartphone be subject to Federal oversight but not
an operating system provider that has access to the exact same
data?
If we move forward with legislation, how do we create a
fair playing field? Do we regulate web-based companies up? Do
we deregulate traditional phone and video companies down? Do we
create a unified regime at the FCC? At the FTC? Or do we have
both agencies administer equivalent regimes over different
subsets of companies or devices?
So I look forward to hearing from our witnesses on what
steps they are taking on electronic communications privacy and
what recommendations they have for us as we examine these
issues.
One more thing: Although we are here today to talk about
Internet privacy, I want to echo Mrs. Bono Mack's concerns
about what happened in the United Kingdom. And I will be
interested in hearing from Chairman Genachowski if things like
this have happened in the United States, whether it falls
within the FCC's purview and, if so, what the FCC and other
Federal agencies typically do about it.
With that, I appreciate the opportunity to share those
comments and yield the balance of my time to the vice chairman
of the Communications and Technology Subcommittee, the
gentleman from Nebraska, Mr. Terry.
[The prepared statement of Mr. Walden follows:]
OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEBRASKA
Mr. Terry. Thank you, Mr. Chairman.
And this is a necessary hearing and I want to thank our
panel. It is a powerhouse panel and I thank you for coming up
here, Mr. Strickling. I think we should have an office for you
you are up here so much anymore.
I think two words or two principles regarding privacy
policy--one is balance and the next is transparency. There is
no doubt that if there is one drawback or inhibition about
ecommerce, it is the consumers fear over violation of privacy.
We know when we do a transaction online that we have to provide
information to the entity that we are doing business with or
engaging in some type of commerce with. What we don't expect--
unless it is transparent and open to us to help make our
decision--is the use of that data. It has to be easy for the
consumer and for the company but also something that everyone
knows up front.
What we can't have and what degrades the confidence is what
has occurred with Google Buzz, a trusted company that now has
obtained personal information and we have no idea what it can
be used for or will be used for. Or when major companies or
entities hack to obtain personal information. All of these
things should be clear. They are not transparent. There is no
balance involved in those and that is what we need to deal
with.
Mrs. Bono Mack. I thank the chair and the vice chair and I
am happy to now recognize the ranking member of the
Communications and Technology Subcommittee, Ms. Eshoo, for her
5 minutes.
Ms. Eshoo. Thank you, Madam Chair. It is nice to see you in
the chair.
OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Today marks our first joint subcommittee hearing of the
112th Congress on Internet privacy. And I welcome it and
welcome the distinguished witnesses that we are going to hear
from.
The government agencies that are testifying today have
taken initial steps to address the issue of Internet privacy,
but I think we need a unified approach that leverages the
expertise of both the public and the private sectors. The FTC
has conducted a series of roundtables exploring privacy issues
and has proposed a framework for approaching these issues. The
FCC brings years of experience managing communications, privacy
issues dating back to wiretap legislation in the late 1960s.
And the NTIA has played a significant role in establishing the
Department of Commerce's Internet Policy Taskforce's Report on
Commercial Data Privacy and Innovation in the Internet Economy.
That is a real mouthful. There should be some acronym for that
I guess.
Personal privacy is, I believe, a very closely held
American value. I think it is in our DNA. We don't want the
government to know; we don't want companies to know. We just
hold it very, very close. And today, information is shared more
freely and faster than ever before, especially by the younger
generation. We need in our country a comprehensive approach to
privacy. And it may be appropriate to start by updating the
rules protecting children online.
Children on the Internet share photos, email addresses and
phone numbers with friends and family. There are advancements
in Smartphone technology, which enables parents to monitor the
location of their children. But based on a town hall meeting
that I had on the issue, parents need an awful lot of education
on this. They have a sense of what is going on but they don't
know what to do with it or how to.
The Children's Online Privacy Protection Act enacted more
than 10 years ago--I can't believe that over a decade has
passed since we did that--never really anticipated these
advancements. So whether dealing with children, teens, or
adults, transparency really needs to be the coin of the realm.
It should be the central focus of ours.
Consumers should know what personal information is being
collected, how it is being used, and who has access to that
data. At a minimum, companies should be required to disclose if
they buy or sell consumers' information or if they track the
whereabouts of consumers even after they have left a company's
Web site. Both the public and private sectors have a lot of
work to do to educate consumers and businesses and ensure that
the collection of data is done in a transparent and secure
manner.
I think it is also important that we don't overlook the
proactive steps being taken by industry to enhance user
privacy. According to Facebook, almost 35 percent of their 350
million users customize their privacy settings using options
provided by the company. Similarly, millions of users of the
popular Web browser Mozilla Firefox install add-ons to prevent
online advertisers from collecting their information. And
Reputation.com, based in my district, is developing tools to
help consumers and businesses protect their online privacy. But
it is spotty. There isn't anything that ties all of this
together and I think that is why we are here today.
So I think with the right balance, we can protect privacy
without inhibiting job creation and the development of new
innovative data-driven apps and services. There is such a
demand for that in our country and we don't want to stand in
the way of it. Our government agencies have a difficult task
ahead of them, I think. Each of our agency witnesses today is
going to provide an expert view on the issue of Internet
privacy and I really look forward to hearing what you have to
say.
Specifically, I would like to know what each agency thinks
their role should be, what their hand is in this, and how we
can leverage the wide range of online privacy tools developed
by the private sector because it is both. And how do we
increase coordination between government agencies, as well as
industry?
At this point, Madam Chair, it has been mentioned today, I
would like to call on the chairman of the full committee to use
the jurisdictions of this committee to probe the whole issue of
privacy, hacking, and this burgeoning scandal of News
Corporation. It fits with the subject matter that we are here
in a joint hearing today for. This is one of the most powerful
committees in the Congress. We certainly have the jurisdiction
and I think it needs to be exercised.
So again, I welcome the panel and I thank you for the
testimony that you are going to give and look forward to
hearing it.
And I yield back.
Mrs. Bono Mack. The gentlelady's time has expired. And the
chair is pleased to recognize the chairman of the full
committee, Mr. Upton, for 3 minutes.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Thank you, Madam Chair. I am excited about the
hearing. This committee has been at the forefront of protecting
the privacy of Americans for many, many years. And that mission
certainly continues today.
When I became chairman of this great committee about 6
months ago, I guaranteed that our focus would be on jobs, the
economy, and the preservation of individual freedoms. And I ask
everyone to look at our mid-year report, which we released last
week. There is a good deal in there about the literally
millions--hundreds of thousands of jobs that this committee has
worked to protect and create.
Today, though, we begin a very thorough analysis of what
has become an essential freedom for all Americans. The Internet
has changed all of our lives in so many ways. Our freedom--
unlike that elsewhere in the world--to use the Internet for
information, commercial purposes, consumer needs, even
healthcare--is unrivalled. And anyone who has access to a
computer, even a BlackBerry, has access to the entire world.
But that freedom also brings some very serious challenges.
Privacy is chief among them.
So I commend these two subcommittees for holding this
hearing. And as we begin the effort, it is entirely appropriate
to hear first from our Federal witnesses, and I certainly
welcome them.
But I want to get the issue right. We all do. It is not and
should not be partisan in any way and I don't believe that it
is. If it means that the CMT and the C and T Subcommittees,
even Oversight, need to hold multiple hearings, so be it. We
need to hear from everyone with a stake in Internet privacy
before we contemplate legislating.
I yield now the balance of time to the gentlelady from
Tennessee, Ms. Blackburn.
[The prepared statement of Mr. Upton follows:]
Mrs. Blackburn. Thank you, Mr. Chairman.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
And to add a couple of points to the discussion as we move
forward with our witnesses today--whom we do welcome and we
appreciate your being here--we should bear in mind that online
advertising sales, online ad revenue totaled $31 billion last
year and that represented 40 percent of global online sales.
That spending sustains much of our free press and free content
online. That is something we should be mindful on as we look at
regulation in a space that really is growing by leaps and
bounds, creating jobs, and providing consumers with a dynamic
platform for free content and innovative services. I think the
European-style Do Not Track technology would short-circuit much
of this innovation. And as Chairman Bono Mack said, it did not
stop this situation there in the U.K.
I think that what we also have to do is be mindful of
moving forward with anything where there is an ill-defined harm
standard without respect to the cost that would be placed on
private innovators and on the industry that is experiencing
growth. We need to be cautious, thoughtful, and well-measured
in our approach to this evolving issue.
And I yield back my time.
Mrs. Bono Mack. I thank the gentlelady. And the chair now
recognizes Mr. Stearns for 1 minute.
Mr. Stearns. Thank you, Madam Chair.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Having had some experience developing privacy bills--I have
with Jim Matheson from Utah this H.R. 1528, the Consumer
Privacy Protection Act of 2011--and having been through these
hearings, one of the things that clearly came out is exactly
what you said, Madam Chairman, when you talked about consumers
want transparency and a basic understanding of how their
information is used. That came out time and time again so you
are absolutely right there.
And I think that when we look at this very important issue
and I listen to stakeholders, I find that, Madam Chair, that
the stakeholders by and large would like to know if there is
one agency that has jurisdiction so they know where to go to,
how to comply, and if we are not careful and we have this
jurisdiction that is moved between two or three--two or three
government agencies can make it more difficult. So I think one
of the things that we have today is a hearing to talk about
jurisdiction. And I hope in the end that we won't have
competing jurisdiction and we will have at least one central
agency with this jurisdiction.
Thank you.
Mrs. Bono Mack. Thank the gentleman. And the chair now
recognizes the ranking member of the full committee, Mr.
Waxman, for 5 minutes.
Mr. Waxman. I want to thank our Chairs Bono Mack and Walden
for holding this hearing today.
OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
As the Wall Street Journal just pointed out, firms are
stripping away our Internet users' anonymity and ``gaining the
ability to decide whether or not you would be a good customer
before you tell them a single thing about yourself.'' The
collection, use, and dissemination of consumer information
provides many benefits to consumers, businesses, and the
marketplace, but they raise legitimate concerns about whether
consumers have adequate control over personal information that
is shared.
Sophisticated business models and rapidly evolving
technologies allow vast amounts of data to be collected,
aggregated, analyzed, mined, and sold in ways that were
unimaginable only 10 years ago. Many of these business
practices conflict with consumers' expectation of privacy.
I understand that the Republican majority is weary of
passing any piece of legislation that calls for new
regulations. We have heard the repeated calls for self-
regulation. The problem is that self-regulation isn't working.
Just this week, Stanford researcher Jonathan Mayer reported in
Tracking the Trackers that eight members of the self-regulatory
group Network Advertising Initiative, NAI, seemed to outright
violate their own privacy policies. That is nearly 13 percent
of the 64 companies investigated. In addition, NAI is just one
of many self-regulatory efforts. So the consumer is not left
knowing where to turn.
Furthermore, even if the firms were complying, the self-
regulatory efforts seem to be limited to allowing the consumer
to opt out of behaviorally targeted advertising, but not the
collection of information that makes targeting possible. The
Tracking of the Trackers study found that 33 members of NAI
either left tracking cookies on users' computers or installed
tracking cookies after the users opted out. The firm seemed to
argue that they could continue to keep cookies on your machine
as long as those cookies aren't being used to create
specifically targeted ads.
I also understand that the Republican majority has stated
that it is not sure whether legislation is needed or that it
does not intend to move too quickly on this important issue. I
think it is well past time to move ahead. There were six
privacy hearings in the 111th Congress. At each of those six
hearings, they made me more and more convinced that current law
does not ensure proper privacy protections for consumer
information.
As I have stated in the past, I stand ready to work with my
colleagues. This is not a partisan issue. It should not be a
partisan issue. We have got to give the consumers the tools to
protect their privacy without unduly burdening industry or
stifling innovation. That should be our goal. This hearing can
move us in that direction and I look forward to the testimony
that we are going to receive.
Am I permitted to reserve the time or do I have to yield?
Mrs. Bono Mack. You are allowed to yield your time.
Mr. Waxman. I would like to yield to Mr. Markey.
OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS
Mr. Markey. I thank the gentleman very much. And it is good
to see you in the chair, Madam Chair. Nancy Pelosi has
acclimated the Democrats to a woman in the chair and it is good
to see a Republican woman as well in such a position.
In May, I introduced bipartisan legislation with Joe Barton
to strengthen privacy safeguards for children and teenagers. A
bill--the Do Not Track Kids Act--would update the Children's
Online Privacy Protection Act for the 21st Century to cover
newer applications and services like geo-location technologies
that didn't exist when we passed the Children's Privacy Act 13
years ago that I was the author of. That bill is the
communications constitution when it comes to protecting kids
online, but we need to amend it to take into account the
explosive growth and innovation in the online ecosystem since
1998. 1998 was way back in the BF era, the before-Facebook era.
And in addition to updating that law, our bill also
contains commonsense protections for teenagers. Our bill's
digital marketing bill of rights stipulates that Web sites,
online apps, operators, and operators of mobile apps directed
to teens clearly explain why they need to collect the data. Our
bill also prohibits operators from collecting geo-location
information without permission from parents when we are talking
about children. And it finally includes an eraser button. That
is an important privacy protection which requires operators of
Web sites' online applications that contain or display personal
information about children or minors to enable users to erase
or otherwise eliminate publicly available personal information
on a Web site about children.
I would hope that the least that we can accomplish this
year is to provide a privacy bill of rights for children in our
country. We can see now what the implications are if that
information gets hacked, and my hope is that we can update the
1999 law to accomplish that goal.
I thank you, Madam Chair. I thank the gentleman from
California.
Mrs. Bono Mack. I thank the gentleman. And the chair now
recognizes Mr. Barton for 5 minutes.
OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Barton. Thank you, Madam Chairwoman. I appreciate you
and Chairman Walden holding this hearing. I want to associate
myself with what Mr. Waxman and Mr. Markey just said. If you
have Joe Barton and Ed Markey on a bill, you pretty well
covered the political spectrum not only of this committee but
of the Congress.
And I couldn't agree more with what former Chairman Waxman
and current Ranking Member Waxman said, that privacy is not a
partisan issue, and I do believe, as he said, that it is time
to act. And hopefully, this hearing and several others that we
have already had with the testimony we hope to hear from our
administration officials will lead to action in this Congress.
I am cochairman of the bipartisan Privacy Caucus. I have
been an advocate for privacy for almost 20 years in the
Congress. In this year alone I have sent letters, most of them
with Mr. Markey or Mr. Walden or Mr. Stearns or others to
Facebook, AT&T, Sprint, the College Board, ACT, and even the
Social Security Administration questioning activities that they
have engaged in that appear to impinge on our citizens'
privacy.
As Mr. Markey indicated, I have also introduced H.R. 1895,
the Do Not Track Kids Act of 2011. And this legislation does
five important things. First of all, it updates the Children's
Online Privacy Protection Act of 1998. It adds protections for
our citizens between the ages of 13 and 17. It would prohibit
an Internet company from sending targeting advertising to
children and minors. It would also prohibit Internet companies
from collecting personal and location information from anyone
who is less than 13 years of age without parental consent, and
anyone less than 18 without individual consent. It would
require Web site operators to develop something called an
eraser button, which would give children and minors the ability
to request deletion of their personal information that they do
not wish to be available on the Internet.
The time has come, Mr. Chairman and Madam Chairwoman. We
know that we need a vigorous Internet, we know that we need a
vibrant economy, but we should all agree that we certainly need
to protect our privacy in the Internet age just as much as we
did in the age before the Internet.
With that, I would like to yield the balance of my time to
Mr. Olson of Texas for such comments as he wishes to make.
[The prepared statement of Mr. Barton follows:]
OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Olson. I thank my colleague from Texas. And I thank
Chairmen Upton, Walden, and Madam Chairman Bono Mack for you
all's leadership in calling this important hearing.
As this is my first privacy-related hearing, I am
approaching the issue with an open mind but not an empty mind.
I think the key with approaching privacy is doubts,
transparency, and facts. And that is why we are here today.
Consumers are becoming increasingly aware of their own
privacy. It is important for them to know what information is
being collected about them and how it is being used. In today's
global economy, information is a valuable commodity, but we
have to closely examine the many economic benefits the Internet
and the data collection provides consumers and our economy and
balance those with legitimate privacy concerns. We cannot
legislate in search of a problem.
So I look forward to examining this important issue further
and to playing a proactive role in the future privacy
discussions.
I thank my colleague from Texas for the time and yield
back.
Mrs. Bono Mack. I thank the gentleman and am happy to
recognize the gentleman from Georgia, Mr. Barrow, for 1 minute.
OPENING STATEMENT OF HON. JOHN BARROW, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF GEORGIA
Mr. Barrow. Thank you, Madam Chair.
I am glad we are meeting today to discuss this issue. You
know, this issue is a whole lot more important to a lot of
people than most folks realize because most folks just don't
realize how much they open themselves up when they go online,
how much of their personal information is being stolen or
misused every time they go online.
In the interest of time, I am going to cut to the chase. I
understand industry's need for legitimate and even playing
field across the country and customers' need on different sides
of the same state boundary to a reasonable expectation of
privacy every time they go online. I recognize the need for
that. I come down heavily on the side of privacy, though, but I
am interested in understanding how we can set forth rules of
the road that are good for industry but protect the same shared
expectation of privacy that folks have on different sides of
the same state boundary. Folks have a right to expect a
reasonable degree of privacy when they go online no matter
where they live in this country. So I feel the need for us to
do that.
I look forward to discussing how we can do this, and I
believe today's hearing is a big step in that direction. I want
to thank our witnesses for addressing these concerns today. And
with that, I yield back.
Mrs. Bono Mack. I thank the gentleman. And the chair
recognizes the gentlelady from California, Ms. Matsui, for 2
minutes.
OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Matsui. Thank you, Madam Chair, and all the other
chairs for holding today's hearing. I would like to thank our
distinguished panelists for being with us this morning. It is
nice to see you all on this important issue.
Today, millions of Americans rely on a variety of services
and applications for a number of activities, including social
networking and navigation and mapping services, among many
others. As we all know, in today's economy, information is
everything to everyone. We also know that technology changes
continuously, every day. What is new today may not be new
tomorrow. We must continue to encourage American innovation and
foster growth and development of the next-generation
technologies. But it is also essential that we properly protect
the private and personal information of consumers, particularly
our young people.
Privacy policies and disclosures should be clear and
transparent. We should also understand the scope of information
that is being collected, what it is being used for, the length
of time it is being retained, and its security. Ultimately,
meaningful privacy safeguards should be in place while ensuring
that we don't stifle innovation. It is clearly a fine balance
but we need to do it.
I thank you again for holding this important hearing today,
and I look forward to working with my colleagues on this issue,
and I yield back my time.
Mrs. Bono Mack. I thank the gentlelady. And the chair
recognizes the gentlelady from Illinois, Ms. Schakowsky, for 1
minute.
OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. I wanted to thank you, Madam Chairman and
Congressman Walden, for holding today's hearing. I especially
want to say to you that I appreciate the work that we have done
over several years on the issues of Internet security and your
leadership on this issue.
As a long-time consumer advocate, I have serious concerns
about tracking practices, especially the undisclosed data
gathering of user behavior. That is why I am an original
sponsor of Congresswoman Speier's Do Not Track Me Online Act.
This bill would establish standards for a consumer-friendly do-
not-track mechanism. I am also a cosponsor of Congressman
Markey's Do Not Track Kids Act, which would offer enhanced
protections against the tracking of children and teens, and I
urge the committee to consider these and other commonsense
solutions to the tracking issue as soon as possible.
I associate myself also with my colleagues who want to
investigate the--or want more answers anyway--on the hacking
scandal of the Murdoch Enterprises and its implications. We
must hold Internet service providers and search engines
accountable for their actions and I look forward to hearing
from our panel today.
Thank you and I yield back.
Mrs. Bono Mack. I thank the gentlelady and thank my
colleagues for their opening statements and now we turn our
attention to our panel.
We have one panel of witnesses joining us today. Each of
our witnesses has prepared an opening statement that will be
placed into the record. Each of you will have 5 minutes to
summarize the statement in your remarks.
On our panel we have the Honorable Julius Genachowski,
chairman of the Federal Communications Commission; we have the
Honorable Edith Ramirez, Commissioner of the Federal Trade
Commission; and our third witness is the Honorable Lawrence
Strickling, Assistant Secretary for the National
Telecommunications and Information Administration.
Good morning. We welcome you back to the hearing room. And
again, you will be each recognized for 5 minutes, and I am sure
you are very familiar with the timers on the table. As you
know, when the light turns yellow, you will have 1 minute left.
So as I have been admonished, please remember to make sure your
microphone is on and close to your mouth.
And at this point I am pleased to recognize Commissioner
Ramirez for 5 minutes.
STATEMENTS OF EDITH RAMIREZ, COMMISSIONER, FEDERAL TRADE
COMMISSION; JULIUS GENACHOWSKI, CHAIRMAN, FEDERAL
COMMUNICATIONS COMMISSION; AND LAWRENCE E. STRICKLING,
ASSISTANT SECRETARY FOR COMMUNICATIONS AND INFORMATION, AND
ADMINISTRATOR, NATIONAL TELECOMMUNICATION AND INFORMATION
ADMINISTRATION
STATEMENT OF EDITH RAMIREZ
Ms. Ramirez. Thank you. Chairman Bono Mack, Chairman
Walden, Ranking Members Butterfield and Eshoo, and members of
the subcommittees, I am Edith Ramirez, a commissioner of the
Federal Trade Commission. I appreciate the opportunity to
present the Commission's testimony on Internet privacy.
Today, personal information about consumers may be
collected, sold, and used in almost every conceivable
interaction a consumer has both online and offline. For
instance, a college freshman sits in her dorm room using the
Internet to research depression for a paper she is writing for
a psychology class. When her research is done, she applies
online for student loans to help her pay for her tuition.
Later, heading out of her dorm room, she grabs her smartphone,
which she uses to find the closest drugstore. At the drugstore,
she uses a loyalty card to get discounts. Afterwards, when the
student is back online surfing the Web and keeping up with
friends on a social network, she sees advertisements for
medication for depression and anxiety, as well as ads for high-
interest credit cards and payday loans.
These activities--made possible by technology unimaginable
years ago--offer clear benefits to the student. She enjoyed
easy access to information, received discounts at the
drugstore, and connected with friends, all in the course of a
few hours. But the student is likely unaware that data about
her drugstore purchases, Web activities, and location may have
been sold to data brokers she has never heard of and added to a
growing digital profile about her. She may not know that this
information may be used for marketing purposes or to make
decisions about her eligibility for credit. And she might be
especially surprised to learn that her research into depression
may be included in her digital profile and could be used when
she applies for life insurance or might be sold to prospective
employers when she graduates a few years later.
This student is not alone in her lack of awareness that
vast quantities of information about her are mined and sold
every day. Most consumers have no idea that so much information
about them can be accumulated and shared among so many
companies, including employers, retailers, advertisers, data
brokers, lenders, and insurance companies.
The FTC wants consumers to have an effective notice and
meaningful choices about what data is collected about them and
how it is used. That in turn will engender the consumer
confidence and trust that are essential for industry to
continue to innovate and flourish.
For decades, the FTC has been the Nation's lead law
enforcer on consumer privacy and data security. During this
time, we have also engaged in substantial policy initiatives
and educated consumers and businesses on privacy and data
security. In recent months, we have brought a number of
significant enforcement actions in this area, as described in
our written testimony. Just 2 weeks ago, we announced an action
against Teletrack, a company that sold lists identifying cash-
strapped consumers to marketers in violation of the Fair Credit
Reporting Act. To resolve our allegations, the company has
agreed to pay a $1.8 million civil penalty and to submit to a
court order that ensures that consumers' sensitive credit
report information is not sold for marketing purposes.
Privacy and data security also continue to be at the
forefront of the FTC's policy agenda. In December, Commission
staff issued a preliminary privacy report that recommended
three bedrock principles. The first is privacy by design, the
idea that companies should embed privacy protections into their
products and services from the start. Second, companies should
present choices about the privacy of personal data in a simple
way and at the time they are making decisions about that data.
Third, companies should improve the transparency of their
privacy practices thereby promoting competition on privacy.
Finally, a staff report called for the adoption of Do Not
Track, a one-stop tool for consumers to control online
behavioral tracking. The Commission has not taken a position on
whether Do Not Track legislation is needed, but a majority of
commissioners, myself included, supports widespread
implementation of Do Not Track.
In closing, I want to note that the Commission appreciates
the committee's focus on consumer privacy and data security and
we are prepared to provide any assistance that you may need on
these critical issues. Thank you.
[The prepared statement of Ms. Ramirez follows:]
Mrs. Bono Mack. Thank you, Commissioner.
And the chair is now pleased to recognize Chairman
Genachowski for his 5 minutes.
STATEMENT OF JULIUS GENACHOWSKI
Mr. Genachowski. Thank you to the chairs and ranking
members for holding this important joint hearing.
The right to privacy is a fundamental American value, and
the Federal Communications Commission has worked to implement
congressional laws that protect the privacy of consumers when
they use communications networks. The Internet and other new
forms of communications raise new and difficult privacy
challenges, particularly when it comes to children. The FCC is
committed to working with Congress, the Federal Trade
Commission, the Department of Commerce, and our colleagues
across government as well as industry and all external
stakeholders to tackle these issues.
To understand the importance of privacy challenges in the
digital age, one must appreciate the extraordinary
opportunities created by broadband Internet services. High-
speed Internet, fixed and mobile, is an indispensible platform
for innovation and economic growth, for our global
competitiveness and opportunities to transform education,
healthcare, energy, and public safety. To fully realize the
benefits of broadband, people need to trust that the Internet
and all communications networks are safe and secure.
As our National Broadband Plan found, privacy concerns are
a barrier to broadband adoption. When people and small
businesses fear that new technology puts their privacy at risk,
they are less likely to use those new technologies. Consider
location-based services. McKinsey estimates that this growing
sector will deliver $700 billion in value to consumers and
businesses over the next decade.
Two weeks ago, the FCC, with the participation of the FTC,
hosted a workshop on location-based services, which identified
consumer concerns about the use and security of their location
information as something that must be addressed to seize the
economic and other benefits of this new technology.
In general in this area, we need to strike a smart balance,
ensuring that private information is fully protected, and at
the same time ensuring a climate that encourages new investment
and new innovation that will create jobs and improve our
quality of life.
At the FCC, our approach to privacy centers on three
overarching goals: consumer control and choice, meaningful
transparency about privacy practices, and data security. The
Communications Act charges the FCC with implementing a number
of privacy protection provisions. Sections 222, 338, and 631
give the FCC authority to protect the privacy and security of
the network-related data of telephone, cable, and satellite
subscribers. The FCC is also working to educate consumers and
small businesses about privacy and data security. For example,
we recently released a cybersecurity tip sheet to help small
businesses understand and implement basic precautions to secure
their networks and data with which we have partnered with both
the Chamber of Commerce, the National Urban League, and others
to distribute.
To make sure consumers are getting consistent and clear
information and guidance from government agencies, we have
partnered with the Federal Trade Commission, the Commerce
Department, and the Small Business Administration on a number
of education efforts like Net Cetera and OnGuard Online, which
offer advice on how to protect children's personal information
and guard against identity theft. These education efforts are
part of an established track record of effective coordination
between the FCC, the FTC, and other agencies.
Now, technology can and must be part of the solution. I
continue to encourage industry to take this very seriously, to
use its expertise to empower consumers, provide transparency,
and protect data. And as the government's expert agency on
broadband and communications networks with a long history of
taking commonsense steps to protect consumer privacy, the FCC
has an important role to play going forward. Our network-
focused privacy and data security rules are settled and legally
tested. Some updating of the Communications Act network-
oriented privacy regime is appropriate for the digital age.
This can be done harmoniously with other agencies'
implementation of any generally applicable consumer privacy or
data security legislation.
We look forward to working with Congress, with my
colleagues here at the table and elsewhere, and with all
stakeholders outside of government to harness technology to
promote innovation, job creation, and economic growth, while
protecting fundamentally important principles of privacy.
Thank you again for the opportunity to testify and I look
forward to your questions.
[The prepared statement of Mr. Genachowski follows:]
Mrs. Bono Mack. Thank you.
Secretary Strickling, you are recognized for 5 minutes.
STATEMENT OF LAWRENCE E. STRICKLING
Mr. Strickling. Chairwoman Bono Mack, Chairman Walden,
Ranking Members Butterfield and Eshoo, thank you very much for
holding today's hearing and inviting the participation of NTIA.
I am also glad to be here with my colleagues Chairman
Genachowski and Commissioner Ramirez. All of share a strong
commitment to protecting consumers and promoting economic
growth.
For the past 2 years, NTIA has been hard at work as part of
the Commerce Secretary Locke's Internet Policy Taskforce to
conduct a broad assessment of how well our current consumer
data privacy framework is serving consumers, businesses, and
other participants in the Internet economy. To guide our work,
we have focused on two key principles: the first--and you have
heard them from the other witnesses this morning--is the idea
of trust. It is imperative for the sustainability and continued
growth and innovation of the Internet that we preserve the
trust of all actors on the Internet, and nowhere is this
clearer than in the context of consumer privacy.
Our second key principle is that we want to encourage
multi-stakeholder processes to address these key policy issues.
We want all stakeholders to come together to deal with these
issues in ways that allow for flexibility, speed, and
efficiency. We want to avoid the delay, rigidity, and lack of
quick response often associated with more traditional
regulatory processes.
Last December, the Department issued a ``green paper'' on
consumer data privacy, which offered a set of 10 policy
recommendations and asked for public input on a series of
additional questions. In this document, we proposed a three-
part framework for consumer data privacy. First, we called for
the establishment of baseline consumer data privacy protections
that are flexible, comprehensive, and enforceable by the
Federal Trade Commission. We refer to this baseline as a
consumer privacy bill of rights. This set of basic principles
would provide clear privacy protections for personal data in
which Federal privacy laws that exist today do not apply or
offer inadequate protection.
Second, to flesh out the principles into more specific
rules of behavior, we recommended that we rely on stakeholders
in the industry working with civil society and others to
develop enforceable codes of conduct through a multi-
stakeholder process. In our proposal, these codes would
implement the basic consumer protections, but their adoption
would be voluntary.
And third, we recommended strengthening the FTC's consumer
data privacy enforcement authority. I believe our approach
should welcome and attract bipartisan support. It is neither
traditional top-down regulation, nor is it self-regulation. I
think to use the word that Vice Chair Terry used in his opening
remarks, it provides a real balance between consumer protection
and meeting the needs of industry to continue to grow and
innovate.
In March of this year, after engaging further with a wide
array of stakeholders, the administration announced its support
for legislation that would help better protect consumer data
privacy in the digital age by establishing the baseline
protections consumers need in legislation. And a broad array of
stakeholders--including many businesses--have expressed support
for this approach. Specifically, this legislation would provide
consumers with more consistent privacy protections, thereby
strengthening trust, and preserving the Internet as an engine
of economic growth and innovation. Legislation would also
provide businesses with a common set of ground rules and would
put the United States in a stronger position to work toward
reducing international barriers to trade in the free flow of
information.
Our recommendations for this baseline are based on a
comprehensive set of fair information practice principles. In
our ``green paper,'' we drew from existing statements of FIPS
as the starting point for principles that should apply in this
new commercial context. And as we develop a more definitive
administration position, we are now examining how these
principles would apply to the interactive and interconnected
world of today.
The Department is also continuing to work with others in
the Federal Government to develop the administration policy on
data security. Without sufficient data security, there cannot
be effective data privacy. And in May, the administration
submitted a legislative proposal to improve cybersecurity,
which includes proposals to strengthen consumer protection in
the case of data breaches. The administration proposal would
help businesses by simplifying and standardizing the existing
patchwork of state laws with a single clear nationwide
requirement and would help ensure that consumers receive
notification when appropriate standards are met.
I want to thank you again for holding today's hearing and
for the two subcommittees' commitment to addressing consumer
data privacy issues. Working together, we can protect consumers
in the digital age, as well as help businesses expand globally
by reducing barriers to trade in international commerce.
Thank you, and I look forward to your questions.
[The prepared statement of Mr. Strickling follows:]
Mrs. Bono Mack. Thank you, Mr. Secretary. And thank you all
for your unique insights. And I will recognize myself now for 5
minutes for questions.
And Chairman Genachowski, we have all seen the headlines
about the phone hacking scandal in Britain. Are you satisfied
that sufficient safeguards are in place to prevent similar
privacy breaches here in the U.S., or should Americans be
concerned?
And also, as mobile devices become integrated in our daily
lives and consumers use them more and more for critical
functions like banking, are we going to see an explosion of
hacking incidents?
Mr. Genachowski. There are several laws in place that
address hacking issues. There are Federal wiretapping laws that
prevent unauthorized hacking. Hacking, I guess, by definition
is unauthorized. There are provisions of the Communications Act
that criminalize interception of information. There are state
laws that prevent it. Any hacking of phones should be
investigated. There are criminal provisions and they should be
addressed very seriously.
There are also issues around the security of devices
themselves. Several years ago, there was an effort to improve
the security of phones, including voicemails, for example, by
providing for password protection on voicemails. The state of
play now is that many carriers automatically provide password
protection for voicemails. Others give consumers the choice.
There is no question that greater protection can be
accomplished by using the password protections, and that is an
area that should be looked at.
Mrs. Bono Mack. Thank you.
Commissioner Ramirez, the question of why a privacy
regulation is needed is a policy question you must decide. If a
regulation is needed, presumably there is harm or consumer
injury and the regulation is seeking to prevent. Setting aside
data security related to personally identifiable information,
or PII, where we know the potential harm of identity theft and
other unlawful conduct, what is the harm or consumer injury
when we are discussing Internet privacy? Are you aware of
specific cases or examples?
Ms. Ramirez. What I would say is that the fundamental issue
that the FTC is trying to address is the issue that
increasingly, information is being used in unexpected ways.
Consumers simply do not know how the information that is being
collected about them is--number one, what information is being
collected, and number two, how that data is being used. So the
framework that the staff has proposed in its initial report
seeks to balance basic privacy protections for consumers
against the needs of the business community. But the
fundamental aim is to provide increased information to
consumers and choice and control over the information that is
being collected about them and how it is being used.
Mrs. Bono Mack. So we have heard from many stakeholders
that we really don't know enough about what the average
consumer thinks about privacy nor the use of his or her
information in exchange for free content. We do know that opt-
out rates are low even in those cases where people click
through the pages that describe what information is gathered
and shared. That is not necessarily conclusive evidence that
consumers don't care about their information, but it must mean
something. What is the Commission doing to find out how
consumers really feel about privacy and the use of their PII?
Ms. Ramirez. Well, we do know from public reports that
there is survey after survey that shows that consumers are
increasingly concerned about how their information is being
used. They are increasingly concerned about privacy. We also
know from public reports that there has been outcry by part of
the public when certain companies have not provided basic
privacy protections for them.
Furthermore, industry itself has recognized that there is a
need for increased and greater consumer trust. The Digital
Advertising Alliance has conducted a study and they themselves
recognize that there is a greater need to have consumers have
greater trust in the marketplace in order for the marketplace
to continue to flourish and for innovation to be promoted.
Mrs. Bono Mack. The Federal Government hasn't done a study
in, what, 10 years? Do you or any of the other agencies have
plans to conduct another study soon to gather hard data?
Ms. Ramirez. What we have done is that, as the process
laying the groundwork for the report that was issued by staff
in December of last year, the Agency conducted a series of
public roundtables soliciting input from all relevant
stakeholders that included industry, consumers, academics,
technologists. We have also solicited written comments and
received approximately 450 written comments that are currently
being analyzed by staff, and the Agency does intend to issue a
final report later this year.
Mrs. Bono Mack. I thank the commissioner.
And the chair now recognizes Mr. Waxman for 5 minutes.
Mr. Waxman. Thank you very much for recognizing me.
The committee will soon be marking up a data security bill.
That markup may involve defining what data must be secured. One
approach might include requiring all data to have some minimum
level of security if stored in the cloud or as it travels over
a dump pipe. Under Section 222 of the Communications Act,
customer proprietary network information, CPNI, must be
protected. CPNI includes the time, date, duration, and
destination number of each call, the type of network a consumer
subscribes to, and any other information that appears on the
consumer's telephone bill. Under the Cable Act, cable operators
are supposed to secure personally identifiable information.
Now, that term is not defined.
Under the chair's draft proposal, the term ``personal
information'' means an individual's name or address or phone
number in combination with an identifying number such as a
Social Security number or driver's license number or financial
account number, but only if there is the required security code
or password. I agree with Commissioner Ramirez that this is a
very narrow definition.
Mr. Strickling, we know what the administration thinks
should be covered thanks to its draft proposal, so I won't need
to ask you to answer this one, but I am going to run through a
long list and I would like to hear from Chairman Genachowski
and Commissioner Ramirez to tell me, answering yes or no,
should the following types of data be required to be secured?
Whichever one of you--IP address? Mr. Genachowski?
Mr. Genachowski. Yes. And I think the CPNI rules that we
have implemented at the FCC are a very good starting point, but
yes.
Mr. Waxman. Ms. Ramirez?
Ms. Ramirez. Yes.
Mr. Waxman. OK. How about any unique persistent identifier
such as a customer number, a unique pseudonym or user alias
such as a Facebook user name and/or password. Ms. Ramirez?
Ms. Ramirez. Yes, it if could be linked to a specific
individual or computer or device. Yes.
Mr. Genachowski. I would agree.
Mr. Waxman. How about medical history information, physical
or mental condition, and information regarding the provision of
healthcare to the individual?
Ms. Ramirez. Yes.
Mr. Genachowski. Yes, I would agree. And these are
commonsense things that people would expect should be kept
secured.
Mr. Waxman. Well, they are not in the bill now, so I am
trying to get the record to indicate that you think they ought
to be protected.
Race or ethnicity?
Ms. Ramirez. Yes.
Mr. Genachowski. I would assume so.
Mr. Waxman. Religious beliefs and affiliation, sexual
orientation or sexual behavior, do you agree those ought to be
covered?
Ms. Ramirez. I do.
Mr. Genachowski. Yes.
Mr. Waxman. Mother's maiden name?
Ms. Ramirez. Yes.
Mr. Genachowski. I would assume so. I haven't thought about
that.
Mr. Waxman. Well, a lot of Web sites ask for your mother's
maiden name.
Income, assets, liabilities, or financial records and other
financial information associated with a financial account,
including balances and other financial information?
Ms. Ramirez. Yes.
Mr. Genachowski. I agree.
Mr. Waxman. Precise geo-location information and any
information about the individual's activities and relationships
associated with such geo-location?
Ms. Ramirez. Yes.
Mr. Genachowski. Agree.
Mr. Waxman. Unique biometric data including a fingerprint
or retina scan?
Ms. Ramirez. Yes.
Mr. Genachowski. Agree.
Mr. Waxman. Commissioner Ramirez, when you were here a few
week ago to testify about the Republican's draft Data Security
Bill, you mentioned that the Federal Trade Commission is
concerned about the limited scope of personal information that
would be subject to the bill's data security and breach
notification requirements. In particular, you discussed health
information collected from companies not covered by the HIPAA
law. I agree that the FTC should be concerned about this, but I
have another concern. It is not clear to me what would happen
when the company that is breached can argue that it does not
know what type of information was breached.
Recently, we heard of an extensive breach at Dropbox.
Dropbox is a popular cloud computing service that allows its 25
million users to store documents and other files on its
servers. These users may store innocuous documents like a
grocery list or pictures of nature or they may store sensitive
information such as an application for a loan or compromising
or embarrassing photos. Dropbox could argue that it is in a
cloud provider of storage that doesn't know what its users put
there and that those users expect it not to go snooping through
their files to find out. Shouldn't Dropbox and companies like
it be required to have a certain level of data security? And
similarly, shouldn't Dropbox and companies like it be required
to notify its customers of a breach even if it does not know
what data it holds?
Ms. Ramirez. I am not in a position to comment on specific
practices, but what I will say is that companies should provide
reasonable security for personal information and private
information of consumers. So depending on the nature of the
specific facts and depending on the information that is being
stored and the size of the company, a number of other factors,
reasonable security measures ought to be provided, yes.
Mr. Waxman. Thank you very much.
Thank you, Madam Chair.
Mrs. Bono Mack. I thank the gentleman. And the chair is
pleased to recognize Chairman Walden for 5 minutes.
Mr. Walden. I thank the chairwoman for that.
And I wonder if I might enter into a colloquy with the
former chairman. Could you just tell us what bill you were
referencing? We were trying to figure that out over here.
Mr. Waxman. It is a draft that has not been introduced with
a number, but we have a markup in the Consumer Affairs
Committee next Wednesday, as I understand it.
Mr. Walden. OK. I am not on that committee, so we were just
curious what it was.
Mr. Waxman. Yes. This is a joint hearing of the two
subcommittees.
Mr. Walden. Right. Understood.
Mr. Strickling, I am kind of interested in some of the
things that your colleagues there were able to comment on. Does
the administration's position through your NTIA legislation, do
you share those same positions as were articulated by the FCC
and FTC?
Mr. Strickling. The administration put forward in May a
proposal for data breach legislation that covered many--I can't
say all--of the items that Congressman Waxman listed out for
these folks.
Mr. Walden. Right.
Mr. Strickling. But many of them, such as the unique
biometric data, unique account identifiers, those are all
within the category of----
Mr. Walden. Right.
Mr. Strickling [continuing]. Sensitive personal
information.
Mr. Walden. Were there any that were articulated here that
you would disagree with?
Mr. Strickling. There might be some I would reserve
judgment on but none I would disagree with listening to the
list today.
Mr. Walden. OK. Thank you.
Chairman Genachowski and Commissioner Ramirez, I am
concerned about the uneven competitive playing field given the
convergence of communications out there in the marketplace. Do
you think it is fair or competitively neutral to apply privacy
protections to carriers but not, for example, operating system
providers like Apple who have access to exactly the same
consumer information?
Mr. Genachowski. The level playing field is a completely
reasonable goal. How to achieve it is obviously a harder
question and to the extent that different sectors come from
different backgrounds, have different competitive frameworks,
the exact regulatory scheme might be different, but at the end
of the day, I agree on your principles on technological and
competitive neutrality.
Mr. Walden. Commissioner?
Ms. Ramirez. I also agree that there should be a level
playing field. From the FTC's perspective, it is important that
consumers be provided with basic privacy protections
irrespective of the entity that is providing the service. So
the Agency does take the view that if there is legislation, the
Agency ought to have jurisdiction over telecom common carriers.
Mr. Walden. Chairman Genachowski?
Mr. Genachowski. Well, there is a longstanding issue here.
We disagree with our friends at the Federal Trade Commission on
this point.
Mr. Walden. I wondered.
Mr. Genachowski. The FCC brings years of experience and
expertise operating under congressional statutes with respect
to networks wired and wireless----
Mr. Walden. Right.
Mr. Genachowski [continuing]. And privacy issues around
them. That system has worked well. And any revisions to the
statutory framework in my strong opinion should continue to
recognize and take advantage of this long history of expertise.
Now, our two agencies have worked very well together----
Mr. Walden. Right.
Mr. Genachowski [continuing]. Cooperatively and
collaboratively.
Mr. Walden. I guess I think it is important there is some
cop on the beat if you will allow me to use that, so I am kind
of curious about the Commission's actions to enforce its CPNI
rules and other consumer privacy protections. Can you just
elaborate on that process for us?
Mr. Genachowski. Yes. First of all, there is an ongoing
education process making sure that companies are certifying us
as to their compliance and on a regular basis, our enforcement
bureau issues notices of liabilities when companies are not
doing that. Over the years, issues have emerged that the
Commission is taking an action on. Some people may remember the
pretexting discussion of a number of years ago where it was
found that people were posing in order to gain access to
records. The Commission at that point adopted some commonsense
rules to make it clear----
Mr. Walden. Right.
Mr. Genachowski [continuing]. That that couldn't happen and
to put in place opt-in requirements for third-party efforts to
access data.
Mr. Walden. Ms. Ramirez?
Ms. Ramirez. If I may add, I did want to clarify that I was
by no means suggesting that the FCC's role should be displaced
here. All I was saying was that we do believe that the FTC has
significant enforcement experience that ought to be brought to
bear here.
Mr. Walden. Got it.
Mr. Strickling, do you want to comment on any of that?
Mr. Strickling. I was hoping to stay out of that actually,
Mr. Chairman.
Mr. Walden. I figured as much. That is why I thought I
would ask you to wade on in there.
Mr. Strickling. I think what I will say is that the
framework we are proposing, which would apply to all of
industry, does not intend by the proposal we are making to
displace sector-specific regulation if there is a need for
that. And I think we could all agree that there are certain
industries such as the financial services and healthcare
industry where I think additional protections are absolutely
justified.
Mr. Walden. Indeed. Well, we appreciate your testimony
today and working with you as we go forward to deal with this
issue that we are all affected by and want to do the right
thing on.
Thank you, Madam Chair.
Mrs. Bono Mack. Thank you, Chairman Walden. And recognize
now the gentlelady from California, Ms. Eshoo, for 5 minutes.
Ms. Eshoo. Thank you again, Madam Chairwoman.
Thank you to each of you for your testimony and for the
work that you have done on this.
I mentioned in my opening statement that we need a unified
approach. And while I really respect and appreciate the work
that you have been doing, each Agency is taking on what they
are taking on. It is the same subject matter but it is very
difficult for me to see how this is all stitched together so
that there is a comprehensive policy for the country. I think
we can draw from the work that you are doing but I think that
the Congress really either needs to update some of the laws
that are on the books or do something that is overarching that
is going to protect innovation but also speak to, what, the
second decade of the 21st Century that we are already in. That
is what my sense of what I have heard.
To Chairman Genachowski, under current law, does the FCC
have authority over ISPs to ensure that the proprietary network
information of Internet customers is not being sold to third
parties or used for the ISPs on marketing efforts?
Mr. Genachowski. Well, that is an area where clarification
of the Communications Act would be helpful. There is
uncertainty and unpredictability about that now. And in
thinking about a level playing field, looking at Telco's cable
satellite where there is clear jurisdiction of VoIP, telephony,
voice-over-Internet telephone service where the FCC has acted
as well. This is an area where clarification would be very
helpful. And in the absence of it, there is a gap.
Ms. Eshoo. You do need legislative clarification?
Mr. Genachowski. Yes.
Ms. Eshoo. I hope all the members heard that because
there----
Mr. Genachowski. Legislative clarification would be
beneficial----
Ms. Eshoo. OK.
Mr. Genachowski [continuing]. And would eliminate
uncertainty and unpredictability.
Ms. Eshoo. Each word counts. Each word counts.
Help me with this and whomever wants to lean in on this. We
are all concerned about children. And I think if there were to
be a starting place, you know, I think that we could develop
consensus around that because I think consensus already exists
on it. Children, no matter what, are always the most
vulnerable, no matter what the category is that we speak of. I
think just about across the board that applies.
Now, if we are talking about children versus those that are
a little older but they are still teenagers, who is going to
tell the truth about their age when they are online? You know,
I mean if it is an 11-year-old who is probably more adept at,
you know, traveling all of these lanes than someone that is 32
years old, but there is a restriction because of their age, why
would they tell the truth? So it seems to me that, you know,
this is something we need to figure out. I don't know how we
protect children if, in fact, we start out with that as an
approach to this issue of privacy and all that is attached to
it. Have any of the agencies given thought to this? And if so,
what is it?
Ms. Ramirez. I will take the lead, if I may.
Ms. Eshoo. Sure. You are brave.
Ms. Ramirez. The FTC has certainly thought about these
issues and you certainly raised some very important practical
concerns. The Agency is currently undergoing a review of the
rules----
Ms. Eshoo. Um-hum.
Ms. Ramirez [continuing]. And staff is analyzing comments
on the----
Ms. Eshoo. When are you going to finish that?
Ms. Ramirez. We are moving forward with that and expect to
be coming out with recommendations shortly.
Ms. Eshoo. But does it cover this issue?
Ms. Ramirez. Well, I can't comment on the specific
recommendations that will ultimately be made, but I will tell
you that----
Ms. Eshoo. No, I am not asking you what your recommendation
is going to be. I am asking you if you are examining this
specific issue and when you are going to be finished.
Ms. Ramirez. We are examining the practical difficulties
that do apply when applying that statute, yes. And in
particular, the issue has frankly become of greater concern
when one speaks about teenagers who may raise even more
significant concerns along those lines. And that is an issue
that we are also seeking comment on and will be addressing in
our final----
Ms. Eshoo. My time is running out.
Mr. Chairman?
Mr. Genachowski. I agree that a focus on children as a
starting point is something that should be strongly looked at.
Part of the reason is it is an area where there is the widest
consensus----
Ms. Eshoo. Um-hum.
Mr. Genachowski [continuing]. That as a parent that we want
to make sure that we know how to basically protect our children
and that the Internet is a safe place for them as well as a
place that they can learn----
Ms. Eshoo. Are you looking at this?
Mr. Genachowski. We are looking at it with respect to
communications networks, and we have been working with
innovators in the area----
Ms. Eshoo. Um-hum.
Mr. Genachowski [continuing]. Encouraging them to develop
tools. And I was in your district a couple of months ago and at
the Computer History Museum we organize a showcase of tools and
technologies that were being developed to help parents exactly
with these issues online----
Ms. Eshoo. Well, a lot of companies are becoming that much
more sensitive about--well, I think my time has run out but I
think that this hearing is most helpful to move this issue
along. Thank you.
Mrs. Bono Mack. I thank the gentlelady and know recognize
the vice chair of the subcommittee, Ms. Blackburn, for 5
minutes.
Mrs. Blackburn. Thank you, Madam Chairman. Thank you all
for your patience.
Ms. Ramirez, I want to go back. In your testimony you
stated that you thought the harm was lack of choice or lack of
knowledge of how their information is being used and your
comments about the public. So what I am wanting to know from
you is do you think that is justification for implementing Do
Not Track? Are you going to come forward and identify some real
harms so that you are articulating what the bad practices or
the bad actions are that would require Do Not Track addressing,
and are you planning to do any market analysis and market
impact of any steps that you come forward with?
Ms. Ramirez. Let me first emphasize that the Commission is
not advocating legislation in the privacy arena at this time.
What we have done is to put out a broad framework of best
practices that we recommend to industry and also a framework
that policymakers can consider should Congress decide to pursue
legislation in this arena.
As to your specific question regarding Do Not Track, that
is just simply one element and one aspect of the
recommendations that relates solely to behavioral advertising--
--
Mrs. Blackburn. So you are not wedded to that as a
template?
Ms. Ramirez. So what we have stated--and the majority of
those of us on the Commission do advocate--is a universal Do
Not Track mechanism. We have identified several elements that
we think are important to----
Mrs. Blackburn. OK. Are you separating the online
advertising from some of the aggressive social media networking
as you do that analysis? Are you separating those two
transactions?
Ms. Ramirez. Again, online advertising, the majority of us
do believe that there should be a Do Not Track mechanism that
gives consumers greater choice about what information about
them is collected and how that information is----
Mrs. Blackburn. OK. Let me move on with you then. The
Supreme Court case, Sorrell v. IMS Health Incorporated, the
Court struck down Vermont's Prescription Confidentiality Act.
And Vermont's law restricted the ability of the pharmacist and
drug manufacturers from using previous prescription data for
marketing. Legal experts have claimed that this case will have
implications for existing and proposed privacy laws. So yes or
no, do you agree with the Supreme Court's ruling that
restrictions on the collection and use of data must first pass
the First Amendment's scrutiny?
Ms. Ramirez. I do believe that if there is legislation
enacted in this arena, there need to be considerations that
were identified by the Supreme Court in that particular case.
Mrs. Blackburn. OK. Do you believe the government must
defer to less-restrictive alternatives in remedying privacy
harms as the Court found in the recent Sorrell case?
Ms. Ramirez. Again, I think the applicable standards of
First Amendment principles apply.
Mrs. Blackburn. OK. All right. Let me move on with you,
then. Has anybody asked about Google+ and what you all are
doing?
Ms. Ramirez. No.
Mrs. Blackburn. No one has? OK. What is the FTC doing--I
will come to you in just a minute, Chairman Genachowski. What
is the FTC doing now to oversee Google+ and the new service
that apparently there are some problems with? If you will very
quickly.
Ms. Ramirez. The FTC entered into a settlement with Google
with regard to its rollout of its Google Buzz service, which
was a social network service that it provided. The proposed
order, which is yet to become final, contains a few key
elements. One, it bars misrepresentations on the part of Google
with regard to data practices. It requires Google to provide a
comprehensive data privacy program and also to conduct privacy
audits.
Mrs. Blackburn. OK. And what is the FTC doing in regard to
Facebook and the facial recognition technology? Do you think
that poses a threat to privacy?
Ms. Ramirez. I am afraid that I can't comment on specific
practices or specific companies. What I will tell you is that
the Agency is looking very closely at the social networking
arena as evidenced by the Google Buzz case that we just
discussed.
Mrs. Blackburn. OK. Thank you.
Chairman Genachowski, back to who has the jurisdiction
here. How do you square this? How do you think that overseeing
the issue of privacy fits into the FCC's mission? Because I see
it more closely aligned with the FTC. So just 30 seconds on
that.
Mr. Genachowski. Congress is assigned the Federal
Communications Commission force since at least 1984 the
responsibility for protecting CPNI or PII, various personal
information on communications networks. And we have developed
expertise around the engineering of those networks, the
business practices of those networks that continues to be
important even as we move forward into this new area. And so it
is the reason that we collaborate so closely with the Federal
Trade Commission. We have a joint task force where we look
together at some of these issues of overlap and we bring
different experiences and expertise to the table that I think
on a net basis is very beneficial in the area. We have an
obligation to make sure that anything we do together or any
areas of overlap and jurisdiction are communicated clearly and
that the public and industry has clear guidance about what the
landscape is and what they are supposed to----
Mrs. Blackburn. OK. I am over time. So thank you so much.
Mr. Strickling, you are off scot-free.
Mrs. Bono Mack. If the gentlelady would just yield for 10
seconds to Commissioner Ramirez. I thought I heard Ms.
Blackburn ask about Google+ and your answer was not Google+. I
was wondering if----
Ms. Ramirez. I believe the reference was to the Google Buzz
matter.
Mrs. Blackburn. No, ma'am. I said Google+.
Ms. Ramirez. OK. Again, I can't comment on nonpublic
matters, so my response was in reference to a recent----
Mrs. Blackburn. To Google Buzz.
Ms. Ramirez [continuing]. Commission order on Google Buzz
that relates to social networking.
Mrs. Bono Mack. Thank you just for the clarification.
Mrs. Blackburn. Thank you, Madam Chairman.
Mrs. Bono Mack. And the chair is happy to recognize Mr.
Butterfield for 5 minutes.
Mr. Butterfield. Thank you very much, Madam Chairman.
Right now, we are grappling with how a data security bill
should treat activities regulated under Gramm, Leach, Bliley.
We are all weary of duplicative regulation. On the other hand,
we don't want gaps in consumer protection. Both CNN and NPR
have reported that banks--which aren't within the FTC's
jurisdiction--are selling information that they collect from
credit and debit purchases. That is they are selling their
consumers entire purchase histories to retailers. All calls for
privacy legislation may be pointless if such legislation is
limited to a select group of data collectors.
For example, if privacy legislation is limited to companies
within the FTC's jurisdiction, as are many of current proposals
in the House and the Senate, retailers such as Amazon would be
limited in collecting and selling data about a consumer's
shopping habits, but Citibank would be totally free to collect
and sell that same information to Amazon. Do any of you have
any concerns about such a scenario?
Ms. Ramirez. I can address the question and I will do it in
reference to the draft bill that was discussed earlier, the
Safe Data Act, where the Agency does have a concern that it
drafted--there is a carve-out with regard to data security and
breach notification. There is a carve-out for entities that
would be subject to the FTC's jurisdiction. So we do have a
concern about that gap.
Mr. Butterfield. Some have suggested that any data security
legislation or privacy legislation we draft should be written
very narrowly because there are sector-specific laws on the
books already. Others want it broad enough to ensure that all
gaps are covered. FTC has experienced sharing jurisdiction in
other areas. Do you support data security or privacy
legislation that could overlap with existing sector-specific
regulation? Ms. Ramirez? Yes?
Ms. Ramirez. With regard to data security we do support
legislation, again, keeping in mind that gap that I talked
about. That is a concern. We do have limited jurisdiction in
certain other respects. We do not have jurisdiction over banks,
for instance, but we do support general data security
legislation.
Mr. Butterfield. All right. And to the chairman, Mr.
Chairman, as you may know, the Internet service providers argue
that they should not be subject to the requirements of any data
security bill that this committee might consider. We have heard
two basic arguments from them. One is that ISPs are just so-
called dump pipes and they don't know what information is being
passed to and from their customers. The ISPs have also argued
that the FTC regulation would be duplicative because FCC
regulates telecommunication service providers through the CPNI
rules that include breach notification requirements for CPNI.
Should those who provide dump pipes--and I just heard that word
for the first time the other day--should those who provide dump
pipes that sometimes carry innocuous documents and that
sometimes carry sensitive documents also be subject to some
minimum security requirements for the data that moves along
those pipes?
Mr. Genachowski. Well, one way to look at it is from the
perspective of consumer and outcomes. I think consumers just
want to know that their private information that is put out on
networks--and they don't know all the different details about
what is this, what is that--that there are effective data
security policies in place that they can rely on. And we want
that as a country because not having that will hinder broadband
adoption and the economic benefits of broadband. So I think we
need to find a way to make sure that consumers have confidence
in the safety and security of the Internet and the services
that ISPs provide.
Mr. Butterfield. CPNI is the data collected by
telecommunications companies about a consumer's telephone
calls. It includes the time, the date, duration and destination
number of each call, the type of network a consumer subscribes
to, and any other information that appears on the consumer's
telephone bill. That is pretty vast. Does FCC under these rules
protect data breaches of content? For example, if I subscribe
to the service of one of the traditional telecom carriers and I
receive a voicemail which is content stored by that carrier,
does that voicemail information have to be secured?
Mr. Genachowski. So there are two issues. I think from the
perspective of the FCC rules and obligations on telephone
companies, they have an obligation to provide security. From
the perspective of third parties who might seek to hack in and
get that information, that is a criminal violation that would
be prosecuted by the appropriate authorities.
Mr. Butterfield. Well, what about if I subscribe to voice
over IP service? I understand that voice over IP can transcribe
a subscriber's voicemail message into email and text messages
so that voicemail, email, and text will exist as content to the
extent--and Madam Chairman, I didn't realize my time had
expired. I will save it for the next round. Thank you.
Mrs. Bono Mack. I would allow the gentleman to answer the
question, though.
Mr. Butterfield. Yes. All right.
Mr. Genachowski. Well, I would say that the FCC has applied
Section 222, the CPNI provisions, to voice over the Internet.
We are viewing whether there are gaps as technology evolves,
and that is something that we would look forward to work with
the committee on.
Mr. Butterfield. All right. Thank you.
Mrs. Bono Mack. I thank the gentleman. And the chair now
recognizes the chairman emeritus of the full committee, Mr.
Barton, for 5 minutes.
Mr. Barton. Thank you, Madam Chairwoman.
I think the questions that the committee members have been
asking point out a fundamental issue that at some point in time
we have to deal with. What information is personal and what
information is private and who controls it? We get the same
question in a different format from every member of the
committee. And hopefully, in this Congress in conjunction with
our agencies we can put in the statute in the regulation the
answers to that question.
My first question is pretty straightforward to the
witnesses here before us. Congressman Markey and I have
introduced a bill, H.R. 1895, which is the Do Not Track Kids
Act privacy protection of 2011. Do your agencies have a
position on that bill yet, and if so, what is it?
Mr. Strickling. I will start. The administration has not
yet taken a position on that or any other Do Not Track
legislation at this point in time. I think, though, it is clear
and will emerge from the work we are doing now that the idea of
providing more protection for children and for adolescents is
one that we think ought to be incorporated in the Fair
Information Principles that we will be proposing.
Mr. Genachowski. And at the Federal Communications
Commission, the Agency hasn't taken a position. Speaking for
myself, the focus on children and the unique issues that are
raised by children in the context of new technologies I think
is appropriate.
Mr. Barton. Thank you.
Ms. Ramirez. And the FTC also has not taken a position on
the legislation but, as I have indicated earlier, the
Commission does support the adoption and implementation of a Do
Not Track universal system.
Mr. Barton. Thank you.
This question is for Commissioner Ramirez at the FTC.
Several years ago a company called Google used a technique
called street mapping. This street-mapping service amassed
quite a bit of data of very private and personal information.
Google testified before this subcommittee--or at least one of
these subcommittees--about it and promised that it was done
unaware at the corporate level and they were going to make
changes. They also, in response to an inquiry by the FTC, made
fairly significant verbal assurances that they would improve
their behavior and do certain things. But apparently that is
all they did. They really didn't change their business model
and it appears to me that Google has adopted a model of saying
one thing in Washington and doing another thing in their
business practices. We might need to drop the G from Google and
just call them Oogle because of what they appear to be doing. I
am not saying that are doing it intentionally.
So my question to you, Commissioner Ramirez, when you have
a company like Google that doesn't appear to really follow up
and doesn't appear to change their business practice, what
should a regulatory agency like yours do to insist that they
change business practices, and do you feel that you have the
adequate statutory authority to make that happen or do we need
to pass legislation to give you that authority?
Ms. Ramirez. Let me just say that I don't want to focus on
a particular company but the Agency is----
Mr. Barton. My question is on that particular company.
Ms. Ramirez. What I can say is that the Agency is very
vigilant when it comes to the issues about protecting personal
information of consumers. With regard to Google, I did mention
a recent proposed order that is soon to become final with
regard to Google Buzz. In the situation that identified, that
investigation was closed and I do believe that it highlights
the limits of the FTC's jurisdiction in the following way. The
Agency has done quite a bit with its Section 5 authority, but
there are limits. If a company has not engaged in a
misrepresentation, the Agency would not be able to use its
deception authority to pursue an enforcement action, and that
was the case in the Wi-Fi matter that you identified.
Mr. Barton. So you think the Congress needs to give
additional statutory authority to enforce that type of an
action?
Ms. Ramirez. The FTC is not taking a position as to whether
legislation is needed, but what I will say is that there are
limits to the Agency's Section 5 authority, and in my personal
view, there does need to be more work in order for consumers to
have basic privacy----
Mr. Barton. Under current law, your authority is limited?
Ms. Ramirez. That is right. Our Section 5 authority will
not reach all practices that can cause concern in this area.
Mr. Barton. OK. My time has expired, Madam Chairwoman, but
I would just point out for thoughtful purposes, if this
Congress or one of these regulatory agencies attempted to
either pass a law or pass a statute that required every citizen
to wear a transponder and keep it active so that everywhere we
went, any place we shopped would be automatically recorded not
just by the Federal Government but would be available to the
private sector for use, our voters and citizens would come
unglued. And yet if you go on the Internet without your
permission, that is the basic status quo. And I believe we need
to take steps to put privacy back into the personal realm and
take it out of the consumer marketing opportunity realm and
hopefully, on a bipartisan basis, we can begin to do that in
this Congress and in this committee.
And with that I want to thank my two subcommittee chairmen
and women for doing this hearing and the ranking members of
those two subcommittees for participating. Thank you.
Mrs. Bono Mack. I thank the gentleman and now recognize Mr.
Markey for 5 minutes.
Mr. Markey. Thank you. Thank you, Madam Chair.
I am just going to be following up upon the same line of
inquiry that the gentleman from Texas and his son Jack were
engaging in. Right now you can see his interest in child online
privacy sitting up there. He is waving to you in thanks for the
work that you are going to do to protect children online. That
is Jack Barton over there.
So you heard this concern about an eraser button, you know,
that can be used to just say that children and minors, what
were they thinking going to that site? What were they thinking
putting that picture up? What were they thinking when they were
13, 14. And in anticipation, now, of their Senate confirmation
hearing where someone has now gone and pulled it all up or the
admissions office at State U has now got someone kind of
checking out what the kid did at age 12, 13, 14, 15. And there
is a whole bunch of really young people going I know a lot of
things about a lot of these candidates. That is not a good
thing. There should be a way in which that information is
erased. And it would be the parents, of course, who will want
to erase it and that they have a right to do so and the
technology makes it possible for them to do so.
And again, this is not big brother. This is just big mother
and big father saying, you know, they were only 12, they were
only 13, they were only 14 to the company. We want to be able
to erase it. Do you think, Ms. Ramirez, that that makes sense,
that that be a right that parents have to be able to have that
technology available to them and that they can erase it not
just on a discretionary basis but it is their right to see it
mandated to the company that they have to delete it for a
minor, for a child?
Ms. Ramirez. I do believe that that is an interesting idea
that is deserving of exploration and we are happy to work with
you in addressing that.
Mr. Markey. So you are not sure if it should be a right
yet?
Ms. Ramirez. I would like to think about it further.
Mr. Markey. OK, good.
Chairman Genachowski?
Mr. Genachowski. Well, two points. One is the concerns
about children are very real, very serious; and the second is
empowering parents to do what they want to do when it comes to
educating, protecting their kids is also extremely important;
number three, technology as you have indicated can help solve
this. Technology can provide these tools. And so I think this
is a direction that makes sense.
Mr. Markey. OK. Mr. Strickling?
Mr. Strickling. The principle no one can disagree with. But
here is, I think, the caution I would urge everyone to keep in
mind, which is for the legislature or for the regulator to be
dictating technological solutions I think is something we need
to approach with caution. We need to establish the principles,
and that is important----
Mr. Markey. OK. The principle would be that the parents
have a right technologically to have the information erased and
then it is up to the company to figure out what the technology
is. Would that be oK with you? The principle is that parents
should be able to get it erased. Do you agree with that
principle?
Mr. Strickling. There is no way to disagree with that
principle----
Mr. Markey. OK, thank you.
Mr. Strickling [continuing]. But I still would urge some
restraint in terms of setting down in regulation something that
could inadvertently and unintendedly lead to a loss of
innovation on the Internet.
Mr. Markey. No, I appreciate that. We would depend upon
smart people to make sure that we didn't invoke the law of
unintended consequences.
Mr. Strickling. Right.
Mr. Markey. We would mandate to you to do it, to protect
children and give parents the right to do it and to make sure
that we don't invoke the law of unintended consequences. Do you
think you could do that?
Mr. Strickling. So, yes, our model would say set the
principle and then bring the stakeholders together to find the
ways to do it.
Mr. Markey. Good. So is the same thing true on geo-location
that you shouldn't have a tracking device on a 12-, 13-, 14-
year-old, you know, that the parent should be able to have that
shut off? Do you agree with that as well? Yes? I only have a
minute left. Could you say yes, please?
Mr. Strickling. Sure.
Mr. Markey. OK, good. Thank you.
Chairman Genachowski, it is not a good idea for a 12-, 13-,
14-year-old to have all this tracking information? Do you agree
with that?
Mr. Genachowski. So very quickly, I think there is a
balance here that has to be done right----
Mr. Markey. Yes, I get it.
Mr. Genachowski. I have a 17-year-old. I want him to have a
device where----
Mr. Markey. How about a 12-year-old, a 13-year-old?
Mr. Genachowski. Whatever the right age is, but at some
age, for emergency purposes, a parent might want to make the
decision.
Mr. Markey. OK. I got you.
Mr. Genachowski. The parental control is a powerful
principle.
Mr. Markey. OK. But the technology is there to shut it off
for all other purposes other than a parent. That is what I am
saying, big mother and big father. Do you agree with that, Ms.
Ramirez?
Ms. Ramirez. I do believe that parents should be able to
have control over that.
Mr. Markey. OK. Good. And finally, on the targeting of
marketing, you know, by these companies to children and minors,
do you agree that there should be a prohibition on targeting
minors? We don't let people advertise on children's
programming, you know, the kind of products we don't think
should be there with little kids. Do you agree as well that we
should have prohibitions on the targeting of minors when it
comes to, you know, these Internet- and Web-based services that
are out there? Ms. Ramirez?
Ms. Ramirez. I believe that, again, parents should have
control over it and should be able to provide----
Mr. Markey. And there should be a technology that makes it
possible?
Ms. Ramirez. That is right.
Mr. Markey. Yes. Good. Mr. Genachowski?
Mr. Genachowski. Basically, yes. There is a long history,
as you know, in the television area and I think borrowing from
what we have learned that that has worked makes sense.
Mr. Markey. OK. Thank you. Mr. Strickling?
Mr. Strickling. I would agree with the comments already
expressed.
Mr. Markey. Thank you. Thank you, Madam Chair.
Mrs. Bono Mack. Thank you. The gentleman's time has
expired. The chair recognizes Mr. Latta for 5 minutes.
Mr. Latta. Well, thank you very much, Madam Chair, and to
our panel, thanks very much for being here to discuss this
issue with us today.
And Mr. Strickling, if I could start, on page 1 of your
testimony, you noted that the Department of Commerce has been
working with the Internet Policy Task Force and the White House
to conduct a broad assessment of how well our current consumer
data privacy policy framework serves the consumers, businesses,
and other participants in the Internet community. Can you talk
a little bit about how the recently announced National Strategy
for Trusted Identities in Cyberspace fits in with that
assessment?
Mr. Strickling. Certainly. That is an effort, again, a
voluntary effort to allow industry to develop ways that people
can operate in the Internet environment with a trusted identity
that can replace passwords and otherwise improve the security
any individual might have transacting business on the Internet.
Totally voluntary, the goal is to have industry develop these
tools with government serving as a facilitator or convener. It
is very much part of our overall multi-stakeholder approach to
how to deal with these Internet policy issues.
Mr. Latta. OK. And just to follow up on that because as we
have been talking--you know, the whole discussion is with the
privacy and if individuals are to participate in the identity
management system, what protections would be in place to ensure
the privacy of the information that they turn over to their
credential provider.
Mr. Strickling. Well, keep in mind that our role in this
will be to work with industry to have them develop these sort
of trusted identify mechanisms. It is not a program that we are
going out to the public with to get people in the public to
sign up for these. The idea, though, is to create what the
market and what consumers would find to be a preferred approach
to operating and transacting business on the Internet than the
current system, the passwords, which in many ways is quite
insecure for people.
Mr. Latta. Well, have you in your discussions with the
folks out there that might be developing this, have they given
you any indication how it might work then and to protect that?
Mr. Strickling. This effort is actually headed up by NIST
at the Department of Commerce, so I have not had any of those
conversations with industry about how they would go about this.
But the folks at NIST are leading this effort.
Mr. Latta. If I could, could I ask if you might be able to
ask them if they could provide us with information of what they
might have at this time on that? That would be greatly
appreciated.
Mr. Strickling. Certainly.
Mr. Latta. And if I could go on, I have heard there are
certain allegations out there that certain foreign nations have
more onerous privacy laws on the books than we have here in the
United States, but they seem to apply those laws mainly only to
American businesses. What is the administration doing to ensure
that privacy protections aren't being used as a means of
preventing American companies from competing in the global
market?
Mr. Strickling. I will take that one. We are involved in a
lot of discussions internationally with the goal of trying to
reach some interoperability of privacy rules around the world.
We think it is absolutely critical for American business to be
able to operate in other countries. And while those countries
certainly have valid and legitimate interests in protecting the
privacy of their citizens, we think it is in everyone's
interest to find a regime or set of regimes that are
interoperable with each other.
I would mention that our emphasis on the creation of these
codes of conduct by industry working with other stakeholders
may be a way to bridge some of those differences between the
privacy protections in our country as compared to those that
might be employed in other countries, the idea being that if we
can get the various of these other countries to recognize codes
of conduct as an appropriate response to the privacy
imperatives of that nation or set of nations, that gives
industry an opportunity to create one operating approach that
meets the obligations of many different countries.
So very specifically, in Europe, they are in the process of
rewriting the European Union Privacy Directive, and we have had
a number of conversations with the folks at the EU to talk to
them about making sure that they have a role for codes of
conduct as a way to meet these obligations. We see that as a
fast way to achieve the interoperability our businesses need to
be able to thrive internationally.
Mr. Genachowski. If I could just echo the--this is a very
important effort. The threat to American businesses, our
economy if this doesn't succeed is very significant. And the
opportunity to make progress internationally on a set of
principles that can be complied with across multiple
jurisdictions is a window that is closing because if many
countries go ahead and adopt inconsistent regulations, ones
that make it extremely difficult, expensive, impossible for
American companies to comply with, reversing that will be much
more difficult than working now, as the Commerce Department is
doing--we are and others--to establish a level playing field
internationally from the start of this very important growing
industry.
Mr. Latta. Thank you very much. And Madam Chair, I see my
time has expired. I yield back.
Mrs. Bono Mack. I thank the gentleman and now recognize the
gentlelady from California, Ms. Matsui, for her 5 minutes.
Ms. Matsui. Thank you very much, Madam Chair.
As I have said previously, in today's economy, information
is everything to everyone even though we might think our
personal information is not that important on various things.
We might throw things away but it is important to somebody. And
with ever-changing technologies and applications emerging, it
is essential that we properly protect the private and personal
information of consumers. We must do it in such a way that
doesn't stifle innovation. And as I said before, I know this is
a delicate balance. But how do we find that delicate balance to
ensure consumers are aware of what information is being
collected and the scope of it while not stifling innovation?
Why don't you start off, Ms. Ramirez?
Ms. Ramirez. Yes. The approach that the FTC has taken has
been precisely to solicit input on these complicated questions
to ensure that we do undertake a balanced approach. And the
framework that has been proposed preliminarily in staff's
report issued last December is precisely an approach that we
believe balances the need for consumer protection here as well
as the needs of industry.
Mr. Genachowski. And I would answer that. The process that
our various agencies have undergone and the process that
Congress has undergone through the hearings on this topic, they
actually led to growing consensus around some core ideas:
focusing on consumer choice, transparency, and real data
security. Obviously, there are a lot of issues in
implementation, but I think where we are now collectively as
compared to where we were a year ago reflects real progress.
Obviously, now, the difficult task of converting that into
rules where necessary at agencies--or not because I think to
the point Mr. Strickling made before, industry-led efforts here
can have particular benefits if they move and if they put those
measures in place.
Ms. Matsui. Do you have anything further to add, Mr.
Strickling?
Mr. Strickling. Certainly. I will make it easy for you.
Pass legislation along the lines of what we recommend. Baseline
principles allow industry working with all stakeholders to
develop codes of conduct and give the FTC the enforcement power
it needs to enforce the baseline principles. I think that is
exactly the balance we want to have. It gives industry the
flexibility to craft specific rules of behavior that meet their
needs and allow them to continue to innovate, but at the same
time, it is based on a bedrock set of a bill of rights of
privacy that ensure that everyone gets a basic amount of
protection.
Ms. Matsui. OK. Thank you.
And as you know, OMB is implementing a cloud computing
initiative to improve government efficiency while saving
taxpayers money. And I do support an initiative like this.
Now, Chairman Genachowski, do you support cloud initiatives
and what kind of impact do you think it will have on our
economy? And how can we ensure any potential privacy concerns
with a cloud are properly met?
Mr. Genachowski. I strongly support these cloud
initiatives. On the part of both government, large businesses,
small business, they are efficiency-enhancing, productivity-
enhancing, they will save money. They are new areas of
tremendous growth for our economy. It is an example of a new
technology that has extraordinary opportunities that also
presents challenges. And there is no question that data
security and privacy are some of the challenges. I would not
tackle that by slowing down cloud computing. I would tackle
that by working diligently hard with industry to make sure that
security is fully protected and taking advantage of the
extraordinary technological expertise that we have in this
country to make sure that that happens.
Ms. Matsui. OK. Thank you.
As we all know, often these policies that we are talking
about are drafted in complicated legal language. And more
importantly, even if a consumer is able to understand a privacy
policy of one company, the policies can't easily be compared
from company to company. Thus, there is no means for consumers
to comparison shop for privacy in any meaningful way. What can
industry to do to improve privacy policies and set some
standards so that privacy practices can be compared from
company to company? Ms. Ramirez?
Ms. Ramirez. I first want to say that I agree that privacy
policies--the way they have developed poses significant
challenges. This is particularly acute in the mobile arena when
you have a very small screen and sometimes you have to scroll
through 100 screens to read a single privacy policy. So one of
the key elements of what the FTC has proposed in its framework
is that there be simplified consumer notice and choice. And
that is an essential feature of the framework that we are
proposing.
Ms. Matsui. OK. I see my time is running out. Can you two
just comment quickly on this, too?
Mr. Genachowski. I agree. I think the importance of
industry-led efforts to ensure compliance with these principles
that I think there is broad agreement on choice, transparency,
real security is an important part of what we all need to be
going forward.
Ms. Matsui. Thank you. And Mr. Strickling?
Mr. Strickling. We totally subscribe to transparency and
more simplicity.
Ms. Matsui. OK. Thank you.
Thank you very much, Madam Chair.
Mrs. Bono Mack. Thank you. The chair recognizes Mr. Scalise
for 5 minutes.
Mr. Scalise. Thank you, Madam Chair.
And I know as we are all struggling with the balance
between protecting privacy while also making sure that as
people use the Internet, one of the great things about the
Internet is that for the most part there are so many things you
can do free where there are services that are provided but at
the same time in many cases you are not necessarily paying for
some of those services. And of course the hook comes in is that
in many cases the things that you are doing on the Internet,
there is some tracking that goes on and ultimately it is sold
to advertisers, and the advertising money that those companies
make allows them to provide the service for free. So you have
got to weigh that balance and make sure that we can protect
privacy and then also allow for that ability for consumers who
do want to participate in that transaction to be able to still
have those services offered if they so choose. And I guess that
is where we really get into the policy side is how best to make
sure that framework gives the consumer, the online user the
choice.
I want to first just get your take on something. There was
an article I read. It was called ``You're Not Google's
Customer--You're the Product.'' And it kind of lays out an
interesting scenario of who is the product, who is the
customer. And in many cases you are a customer if you walk into
a store and you pay for something, you are the customer. And it
seems like in some cases some of these companies--not just
Google but all of the companies that have this kind of business
model--are you really the customer if you are really not paying
for anything but in fact your actions on their Web site is what
is used for them to then go and sell advertising and in essence
would then the advertiser be the customer and not you? And then
how does that relationship all come down to how you as
regulators treat those various entities? And so if I could just
get each of your takes on that, that business model and how you
really view--where is the user of the service in that
transaction?
Mr. Strickling. I will give my first impression. I haven't
seen the article so I am not sure exactly the context in
which----
Mr. Scalise. I ask unanimous consent to enter this into the
record and make it available to the witnesses as well.
Mrs. Bono Mack. No objection.
[The information follows:]
Mr. Strickling. That would be great, but I think I can
answer your question, which is that what is key here is if you
are collecting information about people, so I think there is
nothing to be gained by a distinction between a customer and a
non-customer or a product or whatever. The issue is information
about you being collected by this particular entity when you go
online to their Web site. And it needs to be made very
transparent and in clear language, you know, to you in whatever
capacity you are coming to that Web site, what that information
is and how it is going to be used. But I don't think the
distinction is important. The question really is are you
collecting information about this individual when they visit
your Web site?
Mr. Scalise. Chairman Genachowski?
Mr. Genachowski. I would add this. We are in a period now
in this country of tremendous and technological and business
model innovation and that is a really good thing. It is part of
what makes our country great. It is part of what will
ultimately make our economy sound and strong. And we wouldn't
want to be seeing this happen in other countries and not here.
Now, new technologies, new business models gives rise to new
concerns, and it is appropriate that we are having this
discussion, this debate involving industry, involving agencies,
involving Congress to identify core principles that should be
protected even as we encourage world-leading business model and
technological innovation. And so it is what I keep coming back
to and I think Mr. Strickling--we all do--core principles that
can help provide guidance even as we make sure we are
encouraging world-leading innovation and technology in business
models.
Mr. Scalise. Thanks. Commissioner Ramirez?
Ms. Ramirez. We also recognize that consumer information is
becoming a commodity. We do believe that you can craft
standards that take into account the benefits provided to
consumers while at the same time providing protection. And to
me, the core issue is, again, providing transparency, providing
information to consumers so that they can exercise choice. And
let me just use the example of the Do Not Track mechanism that
I believe should be implemented. I believe there can be an
intermediate approach that can be used where consumers can
select what type of advertising they are willing to receive and
what type of information about them can be collected so that in
that fashion advertising would continue. But, for instance, if
a consumer doesn't want to receive advertising relating to
health information, that would not be done, but they could
receive advertising----
Mr. Scalise. OK. Thanks. And I have got just a few seconds.
One last--Chairman Genachowski, in relation to a question that
I think Congresswoman Blackburn had asked, I am not sure if you
implied it, but it seemed like you might have been referring to
the Internet as a telecommunications service. I mean, I
wouldn't consider it a telecommunications service in that
sense. Was that your intention or----
Mr. Genachowski. I am not sure I used that phrase. I may
have referred to it as a communications network and I think it
clearly is.
Mr. Scalise. But not a telecommunications service because
that would in terms of classification----
Mr. Genachowski. Which I didn't intend to raise.
Mr. Scalise. Great. No, I appreciate it. Well, thank you
all for your answers and I yield back.
Mrs. Bono Mack. I thank the gentleman and recognize Mr.
Rush for 5 minutes.
Mr. Rush. Thank you, Madam Chair. And Madam Chair, I
certainly want to thank you and all the other very important
people who have put together this hearing. And I want to thank
all of the witnesses for appearing before us today. I know they
are quite busy but to come over and share with us their
opinions and their conclusions.
Commissioner Ramirez stated correctly, I believe, that
individuals can and do have varying privacy tolerance
thresholds, and these thresholds can and do turn on several
variables, including who has their personal information and
what that information--which is personal in nature--what it
represents. And I introduced a bill in the last Congress and
reintroduced it in this Congress. It is called the Best
Practices Act, H.R. 611, which would require covered entities
to obtain express consent from consumers for collection, use,
or disclosure of particularly sensitive information or
comprehensive online data collection. Among other things, it
would give the FTC APA rulemaking authority to further modify
the definition of ``sensitive information.'' Given how complex
a person's decision-making process and all the dependencies
that are involved, I would like to ask each of the witnesses
today--and especially you, Commissioner Ramirez--your opinion
on whether such a grant of authority is prudent and would it
make for a good public policy?
Ms. Ramirez. Again, let me just say that the FTC has not
taken a formal position on legislation but I will note that in
the privacy report that was issued in December, the staff does
recommend that sensitive information be provided, both
additional data security protections and that consumers be
given an opportunity to provide express affirmative consent for
the use of that information. I also do believe that if
legislation were to be enacted, it would be beneficial to
accord the agency APA rulemaking authority to make
modifications should that prove necessary with regard to the
types of sensitive information that would be protected.
Mr. Rush. Chairman Genachowski?
Mr. Genachowski. Let me just add that the less clear and
more confusing disclosures are about how information is being
used, the stronger the argument for an opt-in requirement. The
more clear, easy-to-understand, transparent disclosures are,
the weaker the argument is. And so it is an area where the
industry can step up, provide disclosures about how they are
using information, what they are collecting that are so clear
that make it so easy for consumers to choose that there would
be no need to have an opt-in/opt-out debate. If the industry
doesn't do that and the disclosures are less clear/more
confusing, I imagine we will continue to hear from consumers
saying we don't understand this. We need some defaults.
Mr. Rush. Mr. Strickling?
Mr. Strickling. I guess I would like to take your question
up just one level because it could be raised about any number
of things and again point out, you know, our concern about
getting too detailed and too regulatory in terms of specific
prohibitions and the mechanisms that are used to implement
them. What is important we can all agree is that there be
meaningful consent. None of us can predict today what
technology might be available in 2 or 3 years by which
meaningful consent could be obtained from a consumer. And
therefore, we are quite concerned about incorporating into
legislative language or in rulemakings that by themselves will
take quite some time to conduct, you know, very specific
approaches. To preserve the ability for business to innovate,
we think this is a perfect example of where you set the
principle and then ask industry working with all stakeholders,
civil society and other folks that are interested in this to
devise the rules of behavior that would actually be engaged in
and which can be changed on a regular basis to accommodate----
Mr. Rush. I want to move on. Commissioner Ramirez also
stated that some consumers may be more predisposed than others
to be taken advantage of, including consumers who are put on
marketing sucker lists based on their past behavior. This may
beg additional question as to what could be deemed to be
sensitive information. Along that line of logic, how sensitive
would you say other forms of compulsive disorder-related
personal information about consumers such as drugs, sex,
gambling addiction, for example? How sensitive would those
particular areas and other areas be to you?
Ms. Ramirez. And again, I will turn to the recommendations
that were made in our privacy report to identify certain
categories such as health information, financial information,
geo-location information. So those I would classify as being
sensitive.
Mr. Rush. Commissioner?
Mr. Genachowski. I would agree with that.
Mr. Strickling. In our legislative proposal on data breach
in May, we provided a list of what the administration would
believe to be sensitive personal information. And I would refer
to that list.
Mr. Rush. I yield back.
Mrs. Bono Mack. I thank the gentleman and recognize Dr.
Cassidy for 5 minutes.
Mr. Cassidy. Commissioner Ramirez, you helped me last time
understand what HIPAA applies to and what it does not. Now,
your opening statement was kind of like a good Hemingway story.
That first sentence kind of grabbed me and took me off with
you. So when I go to CVS and I buy my Advil for my bad knee, is
that HIPAA-protected that I just purchased Advil over the
counter or can CVS integrate that with other bits of data so
now I start getting advertisements for Advil or other non-
steroidals on my side bar as I do the net.
Ms. Ramirez. If you go to a retailer, that would not be
protected under HIPAA. HIPAA only covers things like hospitals,
medical providers. So retailers would be able to use that
information.
Mr. Cassidy. Well, I buy glucosamine chondroitin just to
tell you more about myself than you care to know.
Ms. Ramirez. I am sorry. Say that one----
Mr. Cassidy. I buy something for osteoarthritis and it is
non-protected. It is over-the-counter. And they can integrate
that with other things known about me since I have a little
kind of rewards card, and that can go into this database that
says here is Bill Cassidy. Let us tag the son of a gun.
Ms. Ramirez. That can be done, yes.
Mr. Cassidy. Now, what if it is a prescription medication?
Ms. Ramirez. Prescription medication would have other
protections, but again if, for example, one does research
online, it is conceivable that certain personal health
information could then be part of a profile that is compiled
digitally.
Mr. Cassidy. Well, I go to PubMed, the National Institute
of Health Web site--I am a physician--regarding medical
information. I may look up anything I want to there. I am a
physician. So I look up hepatitis. Now, that I don't see things
on the sidebar about hepatitis. So clearly it is possible to
keep that even if I start off--but let me ask you if I go to
Google and just put in hepatitis and I come up with Wikipedia
and I come up with PubMed and I go to PubMed, the very fact
that I put it into Google means that now Google knows I am
interested in hepatitis, correct?
Ms. Ramirez. Correct.
Mr. Cassidy. But what about my credit card company? If my
credit card company I am purchasing airplane tickets to come to
Washington, D.C., does American Express or U.S. Air or Visa
integrate that into my overall profile?
Ms. Ramirez. I would note that the Agency doesn't have
jurisdiction over banks so there are certain safeguards that
apply to financial information that might be more strict. So
there is a difference there.
Mr. Cassidy. Got you. The other thing I am noticing that is
in my inbox now, I will get an email from somebody suggesting
that I have requested information from them and I happen to
know that I have not. It is almost a form of phishing. Is this
something that is common now that some bank will say you need
to update your records? We see there has been a recent change
and so our--not a bank because you don't have banks but some
other company that basically entices me to go to their Web site
to update my records even though I haven't used that service?
Ms. Ramirez. There are a number of scams that we are aware
of where fraudulent operators may try to get confidential
information from consumers----
Mr. Cassidy. I see. So that may be the company or that may
be a scam?
Ms. Ramirez. So consumers need to be careful about that,
certainly.
Mr. Cassidy. Yes, I got you. And now the children's aspect
of this, Commissioner--and I guess it is you--I have a daughter
who is 9 and she just kind of whizzes past. She accepts
everything, oK? I am struck that some of these do-you-accept
are so long that unless you are an obsessive compulsive
attorney you are just never going to read it. So is it possible
to surely make me fully aware of this but I am not fully aware
of it because it is somewhere on line 47 of paragraph 42? Do
you follow where I am going with that? To put it differently,
when we ask someone to opt in or opt out, an effective
technique would be to bury it within long contract language. Is
there currently any rule that would make the companies say
listen, if you are going to have them opt in/opt out or agree
to a certain type of advertising, it has to be understandable
and not buried deep within a contract? Does that make sense?
You are looking at me blankly so was I----
Ms. Ramirez. I am sorry. I wasn't sure if you were speaking
to----
Mr. Cassidy. To whoever is the person----
Ms. Ramirez. I will take this. Again, we do have concerns
about long privacy policies. One of the key elements of the
FTC's recommendations is that notice and choice be provided in
a simple, understandable manner. There is no current
requirement that that be done, but we believe as a best
practice, companies ought to do that.
Mr. Cassidy. Got you. OK. I yield back. Thank you.
Mrs. Bono Mack. Thank you, Dr. Cassidy. And the chair
recognizes Mr. Harper for 5 minutes.
Mr. Harper. Thank you, Chairman Bono Mack.
Commissioner Ramirez, I want to follow up on some questions
or an area that Mrs. Bono Mack had done regarding harm to
consumers. And does the Commission or can the Commission
provide specific examples of actual harm or we talking more of
hypotheticals?
Ms. Ramirez. The harms that we are concerned about are not
speculation. We have heard public reports of activities along
the lines of the hypothetical that I used in my opening
statement as actually happening. Insurance companies, for
instance, today are developing models by which they can
assemble information that is available to them through this
aggregation of data that we have been discussing as a means of
substituting what formerly would be more complicated
underwriting analyses. So the potential is clearly there. There
are public reports that these things are happening today.
Mr. Harper. Are you able to provide to us evidence or
documentation of those specific harms?
Ms. Ramirez. The FTC, we are certainly happy to work with
you to provide more details and information about those harms.
Mr. Harper. All right. As we look at this, before we look
at additional regulations or we look at information, should the
Federal Government be required to show what significant
consumer harm exists to justify the type of additional costs
that we could be talking about when it comes to market
regulation on privacy or Do Not Track legislation that that
might impose upon businesses?
Ms. Ramirez. I believe that if Congress decides to move
forward with legislation, certainly, one has to take into
account the implications for all relevant stakeholders, yes.
Mr. Harper. Have you done any analysis of that potential
cost, the cost to businesses for that?
Ms. Ramirez. Again, we have solicited comments and have
received over 450 comments from industry, consumers, and other
stakeholders. We do have a Bureau of Economics that is involved
in our review and we will be putting out recommendations later
this year.
Mr. Harper. OK. And do you have a time frame? Later this
year----
Ms. Ramirez. Later this year.
Mr. Harper [continuing]. When you think that might be?
Ms. Ramirez. I am afraid I can't be more specific.
Mr. Harper. OK. We will give you that much wiggle room.
Ms. Ramirez. I appreciate it.
Mr. Harper. Can you tell me how much we know about what
information Internet sites collect about users and how much do
we know about the sharing of that information? I know we have
covered that some in this hearing, but can you enlighten us?
Ms. Ramirez. I am afraid that I can't quantify the scope.
What I can tell you is that there is clearly a need for the
principles that we are advocating. There is clearly a need for
greater transparency. There is a greater need for companies to
take into account privacy protections when they provide
services and products to consumers and a greater need for
simplified choice.
Mr. Harper. You know, some critics have expressed concern
that self-regulatory schemes could constitute a barrier to
entry, perhaps erected by, you know, more powerful market
participants against smaller and newer companies. How do we
guard against such a result as that?
Ms. Ramirez. I do think it is a concern and that one has to
take into consideration the impact on small- and medium-sized
businesses. It is an issue that the Agency is looking at very
closely and we do intend to address the issue in our final
report.
Mr. Harper. And what would be the best alternative to self-
regulation? Is that going to work?
Ms. Ramirez. Well, that is an issue that I think you will
have to ultimately decide as to whether or not legislation is
needed. But if one is to rely on self-regulation, what I will
say is that is very important that there be an enforcement
element. There has to be accountability, and I think the FTC
ought to play a role in enforcement.
Mr. Harper. Thank you, Madam Chairman. I yield back.
Mrs. Bono Mack. Thank you. The chair recognizes Mr. Olson
for 5 minutes.
Mr. Olson. I thank the chair. I would like to welcome the
witnesses again and thank you all for coming and giving us your
expertise and your time.
And my first questions are for you, Commissioner Ramirez. I
want to kind of follow up on the line of questioning from my
colleague from Mississippi, Mr. Harper, was pursuing.
In December of 2010, the FTC issued a preliminary staff
privacy report to open up discussion on consumer privacy issues
and in that report advanced the concept of Do Not Track. This
concept has been compared by the FTC and others to the national
Do Not Call Registry already managed by the Commission, but in
reality, they are very different. Do Not Call, as you know, was
created because people being bothered by unsolicited
telemarketing calls particularly during their dinner hours. But
online advertising is not invasive in that way the way
telemarketing calls are, and consumers can simply ignore ads
online when they come up. You know, in my experience, none of
my friends has slammed their computer on the floor for online
advertising, but I have seen many of them slam the phones on
the floor because of repeated calls from telemarketers.
And so there are many benefits to targeted ads online such
as giving consumers information about products and services
they might actually be interested in. This type of advertising
also has great value to consumers because this advertising
revenue funds the free online content and service consumers
enjoy. But I ask you, do you concur that Do Not Track is
analogous to the Do Not Call Registry?
Ms. Ramirez. I do not. I agree with you that there are
significant differences. First of all, the Do Not Track system
would not call for the creation of any kind of national
registry. It is also not something that has to be implemented
necessarily by government. So what the Agency has advocated is
we have put out a description of various elements that we feel
would be important, but again, the key feature of it would be
that it is a universal mechanism to allow the consumers that do
have a concern about online collection and use of information
to have greater choice and control over how their data is being
used.
Mr. Olson. Is Do Not Track feasible now, ma'am?
Ms. Ramirez. Yes, it is. We have a distinguished team of
technologists at the FTC and a number of companies do agree,
there is consensus that it is feasible.
Mr. Olson. You can kind of take in my colleague from
Mississippi's line of questioning. Since you say it is
feasible, have you performed any economic analysis of adopting
a Do Not Track on our businesses?
Ms. Ramirez. No, we have not. And again, what we have done
so far is to simply identify the elements that we think are
important to a Do Not Track system but we are not advocated a
particular mechanism.
Mr. Olson. Are you planning on doing those?
Ms. Ramirez. We will be issuing final recommendations at
the end of the year.
Mr. Olson. And those will include the impacts of the
economic impact?
Ms. Ramirez. I can't comment on the details but what I can
tell you, as I mentioned before, is that we certainly
understand the importance of taking into account the impact on
business and we think that a carefully crafted standard can be
adopted that will both help restore confidence in the online
marketplace and I think businesses themselves recognize that
consumer trust is vital.
Mr. Olson. Yes, ma'am. And I have heard from some companies
that legislation is needed to create an online privacy
framework that is technologically neutral based on industry
self-regulation and enforced exclusively by the FTC. And with
respect to technological neutrality, is it true today that the
FTC and FCC would have jurisdiction over the download of a
video on demand from a cable company but only the FTC would
have jurisdiction over the download of a video from an over-
the-top provider like Netflix? Anybody can chime in there. You
are the experts.
Mr. Genachowski. I think that is probably a correct
description of the current framework.
Mr. Olson. So can we come up with a proposition where we
can have some common system where there is one regulator?
Mr. Genachowski. I am not sure that that is the answer. The
FCC and the FTC have worked very well together over more than
20 years in areas of complementary jurisdiction to make sure
that the expertise and experience that are different that each
agency brings to the table informs solutions that get the
balance right between taking in the account of impact on our
economy and protecting basic values like privacy.
Mr. Olson. OK. Thank you. And again, with respect to
industry self-regulation--and this is mainly for you,
Commissioner Ramirez--can you please advise the committee
whether the FTC uses industry self-regulation in other contexts
to protect consumers and what role the FTC believes industry
self-regulation should have in protecting customers' online
privacy?
Ms. Ramirez. Yes. We believe that self-regulation can play
a key role. In fact, the FTC alone cannot undertake the effort
that is necessary here to ensure that consumers have basic
protections. So we think self-regulation is vital but again
provided that there is an accountability mechanism, an
enforcement mechanism and we believe that the FTC ought to
provide that.
Mr. Olson. Thanks to the answers to the questions. I see
that the clock is going up and that means I will yield back the
balance of my time.
Mrs. Bono Mack. Thank you, Mr. Olson. The chair recognizes
Mr. Kinzinger for 5 minutes.
Mr. Kinzinger. Thank you. And thank you, Madam Chairman,
and thank you----
Mrs. Bono Mack. Excuse me. Can you check your microphone?
Mr. Kinzinger. Yes, it is on.
Mrs. Bono Mack. Probably the one next--yes. Thank you.
Mr. Kinzinger. Well, thank you. Thank you for coming out. I
appreciate it.
The explosive expansion we have seen in online marketing
and tracking over the past few years has been unprecedented.
From 2010 to 2014, the industry is projected to grow to about
$2.6 billion from $1.3 billion in 2010. As a consumer who uses
free services that have been made available by the Internet, I
understand the value of behavior advertising and the effect it
is having on this country's economic growth and job creation.
Any privacy legislation that this committee considers must
fully contend with the implications of what slower growth will
have on both our economy and the services provided to the
consumer.
It is estimated that privacy legislation could cost the
industry as much as $623 million in growth if the legislation
imposes limits on online tracking. I am also keenly aware that
the decisions we make in this committee will profoundly impact
the question of whether or not privacy is still a right in this
country. The accelerated accumulation of aggregated data over
the past few years is troubling for many consumers. I believe
one important action this committee should take is determine
what type of information is aggregated. Do a few companies
control both sensitive health information and my shoe size? And
as a consumer, am I allowed to know what information is stored
about me? These are all important issues that I believe we need
to consider when drafting privacy legislation.
So while some of these may have been asked in a different
way, I will ask the first question to Commissioner Ramirez.
What impact do you think Do Not Track legislation will have
specifically on free Internet service itself?
Ms. Ramirez. Well, I think it all depends on how a Do Not
Track mechanism is implemented. And of course, that is the key
question. What the FTC has done is to outline what it considers
to be the core elements that any such mechanism ought to have
in order to assure basic protections for consumers and to allow
them to have choice. And again, the emphasis here is on choice.
I personally believe that a mechanism can be constructed that I
would call an intermediate option that would allow consumers to
have granular choice about what type of advertising to receive.
And I think such a system would benefit both consumers and
industry.
Mr. Kinzinger. OK. And I guess to all three of you, do you
believe consumers have a right to know as far as what
information is obtained and--on them both in the online and in
the offline space and how do we determine what information is
private and what is not? Again, this may have been addressed
but I am curious as to--you know, do consumers have the right
to know? And then also how do we determine what should be
private and what should not, just generally? Mr. Strickling, go
ahead.
Mr. Strickling. Yes, we think one of the fair information
practices should incorporate this notion of the consumers
knowing what is being collected about them and how it is going
to be used. As a broader point, though, I would just say that
the specific regulation about how that be done is not something
we propose either Congress or a regulatory agency do. Again, we
see the benefits. And this goes to your question about the
costs that legislation and regulation impose on businesses. We
think it is vitally important that we give industry the
opportunity to take the principles and then create the
voluntary codes of conduct that they will commit to live by
without sacrificing innovation, without costing them the
dollars that perhaps a less-well-crafted regulation might
impose on them.
Mr. Kinzinger. OK. Sir?
Mr. Genachowski. I agree.
Mr. Kinzinger. We are all in agreement? Great. That is
easy. Those are easy questions. No, I am kidding.
All right. Do we know the amount of data that companies are
collecting specifically and do we know how that is being
collected, bought, and sold? I know that is pretty basic, too.
Ms. Ramirez. I am sorry. Could you again--I didn't quite
hear----
Mr. Kinzinger. Yes, do we know the amount of data that
companies are actually collecting on consumers and do we know
how that is bought and sold?
Ms. Ramirez. As I mentioned before, I can't quantify
exactly what is taking place. What we do know is that
information is being compiled and that there are very
significant concerns. Again, the hypothetical that I used in my
opening statement highlights how this information can be used.
And again, this is not speculation. That is happening today.
Mr. Kinzinger. Sure. Well, I appreciate everybody's
patience and everybody coming in and spending some time with
us, and I look forward to continuing to tackle this problem.
And I yield back.
Mrs. Bono Mack. Thank you very much.
And Mr. Rush has asked for a second round of a single
question and the ranking member and I have agreed to allow Mr.
Rush to ask one more question before we conclude.
Mr. Rush. I really want to thank you, Madam Chair, and the
ranking member for your kind indulgence. I also thank the
witnesses.
This morning and this afternoon, you have been asked over
and over what is the harm if a consumer Web site, social
network, or supermarket knows about my personal habits and my
private life? And today's testimony references have been made
to broadband's possible effects on job creation and
productivity. Assuming Americans are unemployed and searching
for work, are there some issues that we may be overlooking
regarding privacy safeguards that may be making it more
difficult for Americans to obtain employment? Specifically,
Commissioner Ramirez, has the FTC heard complaints from the
public suggesting that their efforts to obtain jobs have
somehow been hampered or harmed due to any privacy-related
abuses?
Ms. Ramirez. Yes. And I think a number of the enforcement
matters that the Agency has brought, I think it shows that
there is a failing sometimes with regard to basic privacy
protections. And those are highlighted in the written testimony
that I have submitted.
But in addition to that, there is survey after survey that
shows that consumers increasingly are very concerned about how
their information is being used. So I think there is evidence
that supports the idea that additional privacy protection is
needed.
Mr. Rush. Mr. Genachowski, do you want to comment on this
particular matter?
Mr. Genachowski. I think that the relationship between what
happens in the privacy arena and achieving the economic and
job-creation potential of the Internet really are related. And
so being very thoughtful about that is important. I mentioned
in my opening statement the relationship between trust of the
Internet and increases in broadband adoption in a world where
almost all job postings are online. So I think you are raising
a very important set of sensitivities that need to be very
carefully considered in this area.
Mr. Rush. Thank you. I yield back.
Mrs. Bono Mack. I thank the gentleman. And on his point I
want to again reiterate that his question was a terrific one
while we are here and the extensive deliberations and thought
we need to put into all of this as we move forward. And as you
know, this is a first in a series of privacy hearings that we
will be holding this year, and I look forward to our continued
discussions and our work together on how we can best balance
these needs that everybody has brought up today. And it is
clear to me anyway that personal data truly is a gold rush of
our time.
And I would like to say Commissioner Ramirez, in her
written testimony, referred to a statement by her fellow
Commissioner Rosch with his separate views on Internet privacy
and it has been shared with minority staff. And with unanimous
consent, it will be included in the record. And without
objection, so ordered.
[The information follows:]
Mrs. Bono Mack. And I would like to thank my colleagues for
their participation today. I would like to thank the ranking
members on both subcommittees as well as Chairman Walden. I
would like to wish Joe Barton good luck tonight in the
congressional baseball game and remind you all to attend if you
are interested and remind members that they have 10 business
days to submit questions for the record. I ask witnesses to
please respond promptly to any questions they receive. And
again, I thank our panelists very much for your time today. And
the hearing is now adjourned.
[Whereupon, at 1:33 p.m., the subcommittees were
adjourned.]
[Material submitted for inclusion in the record follows:]
�