[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]






       INTERNET PRIVACY: THE VIEWS OF THE FTC, THE FCC, AND NTIA

=======================================================================

                             JOINT HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                AND THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 14, 2011

                               __________

                           Serial No. 112-75











      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

72-908 PDF                WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001






                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                  (ii)
           Subcommittee on Commerce, Manufacturing and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVID B. McKINLEY, West Virginia     HENRY A. WAXMAN, California (ex 
MIKE POMPEO, Kansas                      officio)
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)
                                 ------                                

             Subcommittee on Communications and Technology

                          GREG WALDEN, Oregon
                                 Chairman
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               MICHAEL F. DOYLE, Pennsylvania
MARY BONO MACK, California           DORIS O. MATSUI, California
MIKE ROGERS, Michigan                JOHN BARROW, Georgia
MARSHA BLACKBURN, Tennessee          DONNA M. CHRISTENSEN, Virgin 
BRIAN P. BILBRAY, California             Islands
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
PHIL GINGREY, Georgia                FRANK PALLONE, Jr., New Jersey
STEVE SCALISE, Louisiana             BOBBY L. RUSH, Illinois
ROBERT E. LATTA, Ohio                DIANA DeGETTE, Colorado
BRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan
ADAM KINZINGER, Illinois             HENRY A. WAXMAN, California (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)










                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................     2
    Prepared statement...........................................     4
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, opening statement.....................     6
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     7
Prepared statement...............................................     9
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................    11
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................    11
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement....................................    13
Prepared statement...............................................    14
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................    15
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................    15
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................    16
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement...............    17
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................    17
Prepared statement...............................................    19
Hon. Pete Olson, a Representative in Congress from the State of 
  Texas, opening statement.......................................    21
Hon. John Barrow, a Representative in Congress from the State of 
  Georgia, opening statement.....................................    21
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................    22
Hon. Janice D. Schakowsky, a Representative in Congress from the 
  State of Illinois, opening statement...........................    22
Hon. Edolphus Towns, a Representative in Congress from the State 
  of New York, prepared statement................................   113

                               Witnesses

Edith Ramirez, Commissioner, Federal Trade Commission............    23
    Prepared statement...........................................    25
    Answers to submitted questions...............................   116
Julius Genachowski, Chairman, Federal Communications Commission..    43
    Prepared statement...........................................    45
    Answers to submitted questions...............................   124
Lawrence E. Strickling, Assistant Secretary for Communications 
  and Information, National Telecommunications and Information 
  Administration, Department of Commerce.........................    49
    Prepared statement...........................................    51
    Answers to submitted questions...............................   135

                           Submitted Material

Article, ``You're Not Google's Customer--You're the Product: 
  Antitrust in a Web 2.0 World,'' dated March 29, 2011, by Nathan 
  Newman in the Huffington Post, submitted by Mr. Scalise........    84
Statement, dated July 14, 2011, of Commissioner J. Thomas Rosch, 
  submitted by Mrs. Bono Mack....................................   100

 
       INTERNET PRIVACY: THE VIEWS OF THE FTC, THE FCC, AND NTIA

                              ----------                              


                        THURSDAY, JULY 14, 2011

                  House of Representatives,
 Subcommittee on Commerce, Manufacturing, and Trade
                             joint with the
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 11:04 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Mary Bono 
Mack (chairman of the Subcommittee on Commerce, Manufacturing, 
and Trade) presiding.
    Members present from the Subcommittee on Commerce, 
Manufacturing, and Trade: Representatives Bono Mack, Blackburn, 
Stearns, Bass, Harper, Lance, Cassidy, Olson, McKinley, Pompeo, 
Butterfield, Rush, Schakowsky, and Waxman (ex officio).
    Members present from the Subcommittee on Communications and 
Technology: Representatives Walden, Terry, Bilbray, Gingrey, 
Scalise, Latta, Guthrie, Kinzinger, Barton, Upton (ex officio), 
Eshoo, Markey, Matsui, Barrow, and DeGette.
    Staff present: Jim Barnette, General Counsel; Ray Baum, 
Senior Policy Advisor/Director of Coalitions; Allison Busbee, 
Legislative Clerk; Paul Cancienne, Policy Coordinator, 
Commerce, Manufacturing, and Trade; Nick Degani, Detailee, 
Federal Communications Commission; Neil Fried, Chief Counsel, 
Communications and Technology; Brian McCullough, Senior 
Professional Staff Member, Commerce, Manufacturing, and Trade; 
Jeff Mortier, Professional Staff Member; Gib Mullan, Chief 
Counsel, Commerce, Manufacturing, and Trade; David Redl, 
Counsel, Telecom; Kelsey Guyselman, Legal Intern; Shannon 
Weinberg, Counsel, Commerce, Manufacturing, and Trade; Michelle 
Ash, Democratic Chief Counsel, Commerce, Manufacturing, and 
Trade; Roger Sherman, Democratic Chief Counsel, Communications 
and Technology; Felipe Mendoza, Democratic Counsel; William 
Wallace, Democratic Policy Analyst; Sarah Fisher, Democratic 
Policy Analyst; and Alex Reynolds, Democratic Legal Intern.
    Mrs. Bono Mack. Please come to order. Good morning.
    From data breaches in the United States to a cell phone 
hacking scandal in Great Britain, consumer privacy has become 
part of our national consciousness. Today, we have a unique 
opportunity to make a real difference in the lives of millions 
of Americans, and I look forward to working with Chairman 
Walden and members of both of our subcommittees on this unique 
challenge.
    We often hear that privacy laws in Europe are much stricter 
than they are in the U.S., and if that is so, it is hard to 
understand how the phone hacking incidents in Britain could 
have gotten so far out of hand. It raises the question of 
whether American consumers are as vulnerable as politicians and 
celebrities in London. I hope that Chairman Genachowski will 
address this issue as we continue to gather facts.
    The chair now recognizes herself for an opening statement.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    This morning, we begin a very important and, some say, 
long-overdue debate. When it comes to the Internet, how do we--
as Congress and as Americans--balance the need to remain 
innovative with the need to protect privacy?
    The explosive growth of technology has made it possible to 
collect information about consumers in increasingly 
sophisticated ways. Sometimes the collection and the use of 
this information is extremely beneficial; other times, it is 
not. Frankly, I am somewhat skeptical right now of both 
industry and government. I don't believe industry has proven 
that it is doing enough to protect American consumers, while 
government, unfortunately, tends to overreach whenever it comes 
to new regulations. That is why this debate must be deliberate 
and thoughtful, but without question, it is time for this 
debate to take place.
    Even though it serves billions of users worldwide--and this 
year e-commerce in the U.S. will top $200 billion for the first 
time--the Internet pretty much remains a work in progress. 
Still, in just 25 years, the Internet already has spurred 
transformative innovations. It has indefinite value and it has 
become a part of our daily lives. And it has unlimited 
potential to affect positive social and political change, as 
the world dramatically witnessed during the Arab Spring.
    But the Internet has brought about more subtle cultural 
changes as well. Think about it for a second. If a total 
stranger knocked on your door one day and asked you for your 
name, your birthday, your relationship status, your number of 
children, your educational background, email address, and 
Social Security number, would you give that information out 
freely? Probably not.
    Yet today, as consumers, we willingly dole out this 
personally identifiable information online--literally bit by 
bit. This information is then compiled and collated by 
computers to produce personal profiles used in online 
behavioral marketing and advertising. This data mining helps to 
pay the freight for all of the information that we get for free 
on the Internet. But does it come at too great of an expense to 
consumer privacy? That question cuts to the heart of this very 
important issue.
    Applications providers continue to increase the variety of 
tools available to American consumers to control their privacy 
settings, but a nagging problem for most consumers is the lack 
of a basic understanding about how companies use and collect 
this information. While survey after survey indicates that 
consumers harbor serious concerns about their privacy, it is 
unproven and unclear whether more stringent laws and 
regulations relating to the collection and use of data will 
satisfy these concerns in a way that encourages continued 
innovation and an expansion of electronic commerce.
    As Congress takes a closer look at online privacy issues, 
industry has stepped up its self-regulatory efforts relating to 
the collection and use of consumer information. These industry-
wide efforts include expanded consumer education and site 
transparency to increase consumer comfort with how industry 
uses their information, as well as the development of new 
preference profiles so consumers can personalize their browsing 
experience and control just how much information they actually 
want to share.
    As I listen closely to all of your thoughts, I would also 
like to share a few of my own with you. First and foremost, 
greater transparency is needed to empower consumers. While it 
is still unclear to me whether government regulations are 
really needed, providing consumers with more transparency is 
the first step in better protecting Americans.
    Consumers should be notified promptly if there is a 
material change in a privacy policy; no bait-and-switch schemes 
should be allowed nor tolerated.
    Sensitive information should have greater safeguards in 
place, especially when it comes to financial and personal 
health records.
    We should take a long look at how our children are treated 
online and how they are marketed to.
    And we need to closely re-examine privacy laws that are 
currently on the books. Do we need a single regulator to 
protect consumer privacy? While I personally support this 
concept, we should first look at its potential impact on 
consumers.
    And finally, what part should ``no harm, no foul'' play in 
this debate? Over the last few months, the FTC and the 
Department of Commerce have issued extensive reports concerning 
online privacy. However, there is little proof of any 
substantive consumer harm. Before regulations are enacted, 
there should be a ``definable'' problem such as we are seeing 
in the area of data protection.
    As we move ahead with our hearings, I look forward to a 
robust discussion with all of my colleagues on the committee as 
well as industry and consumer groups. Working together, we can 
make innovation and privacy a shared priority, and the Internet 
will be the eighth Wonder of the World.
    And now I would like to recognize the gentleman from North 
Carolina, Mr. Butterfield, the ranking member of the 
Subcommittee on Commerce, Manufacturing, and Trade for 5 
minutes for his opening statement.
    [The prepared statement of Mrs. Bono Mack follows:]





    Mr. Butterfield. Let me inquire. Was it my understanding 
that this side was going to be allowed 20 minutes to make 
opening statements and I can yield those as I see fit? Is that 
right?
    Mrs. Bono Mack. I will yield them for you.
    Mr. Butterfield. I see. That will be fine. That will be 
fine.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Let me thank the two chairmen for holding today's joint 
hearing on Internet privacy. I look forward to the testimony 
from the three witnesses as we begin to talk about this very 
important issue. I also look forward to learning how Congress 
can better equip these three agencies so that we can best 
protect American's online privacy.
    With nearly every aspect of our lives now containing an 
online component, it is vitally important that American's have 
reasonable protections for the personal information held and 
sold by the data-gathering industry. That personal information 
can include specific Web sites a user has visited, how long 
they spent on that Web site, whether or not they purchased 
something, what they purchased, and what they looked at while 
they were there. It can even record their keystrokes. The 
personal information is collected often without a user's 
knowledge and without their consent.
    When a Web site installs tiny files on a user's computer to 
record Internet activity, these files are called cookies or 
flash cookies or beacons. While the term ``cookie'' doesn't 
sound particularly invasive, a recent investigation by the Wall 
Street Journal found that a test computer visiting the 50 most 
popular Web sites resulted in more than 2,000 cookies being 
installed without notification or consent on the test computer. 
What is worse is that the top 50 Web sites directed at children 
placed substantially more tracking files on visitors' computers 
than general audience Web sites. The Wall Street Journal found 
children's Web sites place 4,100 cookies and other tracking 
mechanisms on their test computer, again, without notice or 
consent.
    Even more concerning is that the data-gathering industry 
has developed ways to marry online data with offline data like 
warranty cards and property records and voter registration 
records and even driver's licenses to build super-files that 
are sold for pennies. Some companies are even using these 
super-files to differentiate which of the same type of product 
they will offer to potential customers. For example, a life 
insurance clearing house Web site tested a system that would 
recommend different policies based on the personal information 
contained in the files. This practice is called ``boxing,'' and 
I would argue that it is nothing more than a high-tech form of 
economic and social discrimination.
    In addition, having all this data in one place puts 
Americans at risk of other more traditional high-tech harms 
like identity theft and fraud. It is clear that businesses need 
to collect some information for their operational needs. Beyond 
that, however, I think it is well past the time to put in place 
some clear and comprehensive rules to let consumers know and 
exercise some control over what data gatherers can collect, how 
they can collect, and what they can do with it once they have 
it.
    Madam Chairman, I hope you will work with me to craft 
legislation that will safeguard American's personal information 
so they can continue to use the amazing and infinite potential 
of the Internet in the safest and most secure ways possible.
    Thank you. I yield back the balance of my time.
    Mrs. Bono Mack. I thank the gentleman. The chair now 
recognizes Mr. Walden, chairman of the Subcommittee on 
Communications and Technology, for 5 minutes.
    Mr. Walden. Thank you, Madam Chairman. I want to welcome 
our witnesses.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    As consumers are increasingly living their lives on the 
Internet--and even more on their Smartphones--concern is 
obviously growing over electronic communications privacy. 
Indeed, the Energy and Commerce Committee has taken an active 
role in investigating online privacy in the last few 
Congresses. Mr. Barton, for example, has sought out information 
from a number of companies about their practices regarding 
Internet advertising and consumers' online information. Members 
of the committee have reached out to Google about privacy 
concerns arising from ``Google Buzz,'' as well as their 
collection of data from personal Wi-Fi networks, something I 
know the FCC is examining.
    And just this past April, Chairman Upton, Chairwoman Bono 
Mack, and myself, along with our Democratic colleagues, also 
sent letters to several mobile operating system providers such 
as Apple asking hard questions about the location-based 
services they provide and about the privacy protections 
attached to those services. And both the Communications and 
Technology and the Commerce, Manufacturing, and Trade 
Subcommittees have had a number of hearings in recent years.
    Now, we are having this hearing because we want to make 
sure Americans have adequate information regarding how data 
about them and their Internet use is collected, used, and 
shared, and to make sure their privacy is protected. But we 
must balance that need with the recognition that regulatory 
overreach could curb the ability of entrepreneurs to invest, 
innovate, and create jobs and new technologies. At this point, 
it is not clear what legislation--if any--is necessary, but 
this hearing will help shed light on this question.
    As we move forward, one thing stands out in my mind: 
Today's regime is neither competitively nor technologically 
neutral. Section 222 of the Communications Act gives the 
Federal Communications Commission broad authority to implement 
privacy protections for consumers of wireline and wireless 
telephone services. Section 222 also specifically calls out 
location-based services for regulation, but applies that 
regulation only to carriers and not providers of devices, 
operating systems, or applications. Other parts of the 
Communications Act give the Commission authority over cable 
operators and satellite television providers under a ``prior 
consent'' framework.
    In stark contrast, there are few if any communications 
privacy regulations governing web-based companies, even those 
that can access a user's search queries, emails, voice and 
video online conversations, web browser, and even operating 
systems.
    So why should a wireless provider that transmits data to 
and from a Smartphone be subject to Federal oversight but not 
an operating system provider that has access to the exact same 
data?
    If we move forward with legislation, how do we create a 
fair playing field? Do we regulate web-based companies up? Do 
we deregulate traditional phone and video companies down? Do we 
create a unified regime at the FCC? At the FTC? Or do we have 
both agencies administer equivalent regimes over different 
subsets of companies or devices?
    So I look forward to hearing from our witnesses on what 
steps they are taking on electronic communications privacy and 
what recommendations they have for us as we examine these 
issues.
    One more thing: Although we are here today to talk about 
Internet privacy, I want to echo Mrs. Bono Mack's concerns 
about what happened in the United Kingdom. And I will be 
interested in hearing from Chairman Genachowski if things like 
this have happened in the United States, whether it falls 
within the FCC's purview and, if so, what the FCC and other 
Federal agencies typically do about it.
    With that, I appreciate the opportunity to share those 
comments and yield the balance of my time to the vice chairman 
of the Communications and Technology Subcommittee, the 
gentleman from Nebraska, Mr. Terry.
    [The prepared statement of Mr. Walden follows:]





   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Chairman.
    And this is a necessary hearing and I want to thank our 
panel. It is a powerhouse panel and I thank you for coming up 
here, Mr. Strickling. I think we should have an office for you 
you are up here so much anymore.
    I think two words or two principles regarding privacy 
policy--one is balance and the next is transparency. There is 
no doubt that if there is one drawback or inhibition about 
ecommerce, it is the consumers fear over violation of privacy. 
We know when we do a transaction online that we have to provide 
information to the entity that we are doing business with or 
engaging in some type of commerce with. What we don't expect--
unless it is transparent and open to us to help make our 
decision--is the use of that data. It has to be easy for the 
consumer and for the company but also something that everyone 
knows up front.
    What we can't have and what degrades the confidence is what 
has occurred with Google Buzz, a trusted company that now has 
obtained personal information and we have no idea what it can 
be used for or will be used for. Or when major companies or 
entities hack to obtain personal information. All of these 
things should be clear. They are not transparent. There is no 
balance involved in those and that is what we need to deal 
with.
    Mrs. Bono Mack. I thank the chair and the vice chair and I 
am happy to now recognize the ranking member of the 
Communications and Technology Subcommittee, Ms. Eshoo, for her 
5 minutes.
    Ms. Eshoo. Thank you, Madam Chair. It is nice to see you in 
the chair.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Today marks our first joint subcommittee hearing of the 
112th Congress on Internet privacy. And I welcome it and 
welcome the distinguished witnesses that we are going to hear 
from.
    The government agencies that are testifying today have 
taken initial steps to address the issue of Internet privacy, 
but I think we need a unified approach that leverages the 
expertise of both the public and the private sectors. The FTC 
has conducted a series of roundtables exploring privacy issues 
and has proposed a framework for approaching these issues. The 
FCC brings years of experience managing communications, privacy 
issues dating back to wiretap legislation in the late 1960s. 
And the NTIA has played a significant role in establishing the 
Department of Commerce's Internet Policy Taskforce's Report on 
Commercial Data Privacy and Innovation in the Internet Economy. 
That is a real mouthful. There should be some acronym for that 
I guess.
    Personal privacy is, I believe, a very closely held 
American value. I think it is in our DNA. We don't want the 
government to know; we don't want companies to know. We just 
hold it very, very close. And today, information is shared more 
freely and faster than ever before, especially by the younger 
generation. We need in our country a comprehensive approach to 
privacy. And it may be appropriate to start by updating the 
rules protecting children online.
    Children on the Internet share photos, email addresses and 
phone numbers with friends and family. There are advancements 
in Smartphone technology, which enables parents to monitor the 
location of their children. But based on a town hall meeting 
that I had on the issue, parents need an awful lot of education 
on this. They have a sense of what is going on but they don't 
know what to do with it or how to.
    The Children's Online Privacy Protection Act enacted more 
than 10 years ago--I can't believe that over a decade has 
passed since we did that--never really anticipated these 
advancements. So whether dealing with children, teens, or 
adults, transparency really needs to be the coin of the realm. 
It should be the central focus of ours.
    Consumers should know what personal information is being 
collected, how it is being used, and who has access to that 
data. At a minimum, companies should be required to disclose if 
they buy or sell consumers' information or if they track the 
whereabouts of consumers even after they have left a company's 
Web site. Both the public and private sectors have a lot of 
work to do to educate consumers and businesses and ensure that 
the collection of data is done in a transparent and secure 
manner.
    I think it is also important that we don't overlook the 
proactive steps being taken by industry to enhance user 
privacy. According to Facebook, almost 35 percent of their 350 
million users customize their privacy settings using options 
provided by the company. Similarly, millions of users of the 
popular Web browser Mozilla Firefox install add-ons to prevent 
online advertisers from collecting their information. And 
Reputation.com, based in my district, is developing tools to 
help consumers and businesses protect their online privacy. But 
it is spotty. There isn't anything that ties all of this 
together and I think that is why we are here today.
    So I think with the right balance, we can protect privacy 
without inhibiting job creation and the development of new 
innovative data-driven apps and services. There is such a 
demand for that in our country and we don't want to stand in 
the way of it. Our government agencies have a difficult task 
ahead of them, I think. Each of our agency witnesses today is 
going to provide an expert view on the issue of Internet 
privacy and I really look forward to hearing what you have to 
say.
    Specifically, I would like to know what each agency thinks 
their role should be, what their hand is in this, and how we 
can leverage the wide range of online privacy tools developed 
by the private sector because it is both. And how do we 
increase coordination between government agencies, as well as 
industry?
    At this point, Madam Chair, it has been mentioned today, I 
would like to call on the chairman of the full committee to use 
the jurisdictions of this committee to probe the whole issue of 
privacy, hacking, and this burgeoning scandal of News 
Corporation. It fits with the subject matter that we are here 
in a joint hearing today for. This is one of the most powerful 
committees in the Congress. We certainly have the jurisdiction 
and I think it needs to be exercised.
    So again, I welcome the panel and I thank you for the 
testimony that you are going to give and look forward to 
hearing it.
    And I yield back.
    Mrs. Bono Mack. The gentlelady's time has expired. And the 
chair is pleased to recognize the chairman of the full 
committee, Mr. Upton, for 3 minutes.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Thank you, Madam Chair. I am excited about the 
hearing. This committee has been at the forefront of protecting 
the privacy of Americans for many, many years. And that mission 
certainly continues today.
    When I became chairman of this great committee about 6 
months ago, I guaranteed that our focus would be on jobs, the 
economy, and the preservation of individual freedoms. And I ask 
everyone to look at our mid-year report, which we released last 
week. There is a good deal in there about the literally 
millions--hundreds of thousands of jobs that this committee has 
worked to protect and create.
    Today, though, we begin a very thorough analysis of what 
has become an essential freedom for all Americans. The Internet 
has changed all of our lives in so many ways. Our freedom--
unlike that elsewhere in the world--to use the Internet for 
information, commercial purposes, consumer needs, even 
healthcare--is unrivalled. And anyone who has access to a 
computer, even a BlackBerry, has access to the entire world. 
But that freedom also brings some very serious challenges. 
Privacy is chief among them.
    So I commend these two subcommittees for holding this 
hearing. And as we begin the effort, it is entirely appropriate 
to hear first from our Federal witnesses, and I certainly 
welcome them.
    But I want to get the issue right. We all do. It is not and 
should not be partisan in any way and I don't believe that it 
is. If it means that the CMT and the C and T Subcommittees, 
even Oversight, need to hold multiple hearings, so be it. We 
need to hear from everyone with a stake in Internet privacy 
before we contemplate legislating.
    I yield now the balance of time to the gentlelady from 
Tennessee, Ms. Blackburn.
    [The prepared statement of Mr. Upton follows:]





    
    Mrs. Blackburn. Thank you, Mr. Chairman.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    And to add a couple of points to the discussion as we move 
forward with our witnesses today--whom we do welcome and we 
appreciate your being here--we should bear in mind that online 
advertising sales, online ad revenue totaled $31 billion last 
year and that represented 40 percent of global online sales. 
That spending sustains much of our free press and free content 
online. That is something we should be mindful on as we look at 
regulation in a space that really is growing by leaps and 
bounds, creating jobs, and providing consumers with a dynamic 
platform for free content and innovative services. I think the 
European-style Do Not Track technology would short-circuit much 
of this innovation. And as Chairman Bono Mack said, it did not 
stop this situation there in the U.K.
    I think that what we also have to do is be mindful of 
moving forward with anything where there is an ill-defined harm 
standard without respect to the cost that would be placed on 
private innovators and on the industry that is experiencing 
growth. We need to be cautious, thoughtful, and well-measured 
in our approach to this evolving issue.
    And I yield back my time.
    Mrs. Bono Mack. I thank the gentlelady. And the chair now 
recognizes Mr. Stearns for 1 minute.
    Mr. Stearns. Thank you, Madam Chair.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Having had some experience developing privacy bills--I have 
with Jim Matheson from Utah this H.R. 1528, the Consumer 
Privacy Protection Act of 2011--and having been through these 
hearings, one of the things that clearly came out is exactly 
what you said, Madam Chairman, when you talked about consumers 
want transparency and a basic understanding of how their 
information is used. That came out time and time again so you 
are absolutely right there.
    And I think that when we look at this very important issue 
and I listen to stakeholders, I find that, Madam Chair, that 
the stakeholders by and large would like to know if there is 
one agency that has jurisdiction so they know where to go to, 
how to comply, and if we are not careful and we have this 
jurisdiction that is moved between two or three--two or three 
government agencies can make it more difficult. So I think one 
of the things that we have today is a hearing to talk about 
jurisdiction. And I hope in the end that we won't have 
competing jurisdiction and we will have at least one central 
agency with this jurisdiction.
    Thank you.
    Mrs. Bono Mack. Thank the gentleman. And the chair now 
recognizes the ranking member of the full committee, Mr. 
Waxman, for 5 minutes.
    Mr. Waxman. I want to thank our Chairs Bono Mack and Walden 
for holding this hearing today.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    As the Wall Street Journal just pointed out, firms are 
stripping away our Internet users' anonymity and ``gaining the 
ability to decide whether or not you would be a good customer 
before you tell them a single thing about yourself.'' The 
collection, use, and dissemination of consumer information 
provides many benefits to consumers, businesses, and the 
marketplace, but they raise legitimate concerns about whether 
consumers have adequate control over personal information that 
is shared.
    Sophisticated business models and rapidly evolving 
technologies allow vast amounts of data to be collected, 
aggregated, analyzed, mined, and sold in ways that were 
unimaginable only 10 years ago. Many of these business 
practices conflict with consumers' expectation of privacy.
    I understand that the Republican majority is weary of 
passing any piece of legislation that calls for new 
regulations. We have heard the repeated calls for self-
regulation. The problem is that self-regulation isn't working. 
Just this week, Stanford researcher Jonathan Mayer reported in 
Tracking the Trackers that eight members of the self-regulatory 
group Network Advertising Initiative, NAI, seemed to outright 
violate their own privacy policies. That is nearly 13 percent 
of the 64 companies investigated. In addition, NAI is just one 
of many self-regulatory efforts. So the consumer is not left 
knowing where to turn.
    Furthermore, even if the firms were complying, the self-
regulatory efforts seem to be limited to allowing the consumer 
to opt out of behaviorally targeted advertising, but not the 
collection of information that makes targeting possible. The 
Tracking of the Trackers study found that 33 members of NAI 
either left tracking cookies on users' computers or installed 
tracking cookies after the users opted out. The firm seemed to 
argue that they could continue to keep cookies on your machine 
as long as those cookies aren't being used to create 
specifically targeted ads.
    I also understand that the Republican majority has stated 
that it is not sure whether legislation is needed or that it 
does not intend to move too quickly on this important issue. I 
think it is well past time to move ahead. There were six 
privacy hearings in the 111th Congress. At each of those six 
hearings, they made me more and more convinced that current law 
does not ensure proper privacy protections for consumer 
information.
    As I have stated in the past, I stand ready to work with my 
colleagues. This is not a partisan issue. It should not be a 
partisan issue. We have got to give the consumers the tools to 
protect their privacy without unduly burdening industry or 
stifling innovation. That should be our goal. This hearing can 
move us in that direction and I look forward to the testimony 
that we are going to receive.
    Am I permitted to reserve the time or do I have to yield?
    Mrs. Bono Mack. You are allowed to yield your time.
    Mr. Waxman. I would like to yield to Mr. Markey.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. I thank the gentleman very much. And it is good 
to see you in the chair, Madam Chair. Nancy Pelosi has 
acclimated the Democrats to a woman in the chair and it is good 
to see a Republican woman as well in such a position.
    In May, I introduced bipartisan legislation with Joe Barton 
to strengthen privacy safeguards for children and teenagers. A 
bill--the Do Not Track Kids Act--would update the Children's 
Online Privacy Protection Act for the 21st Century to cover 
newer applications and services like geo-location technologies 
that didn't exist when we passed the Children's Privacy Act 13 
years ago that I was the author of. That bill is the 
communications constitution when it comes to protecting kids 
online, but we need to amend it to take into account the 
explosive growth and innovation in the online ecosystem since 
1998. 1998 was way back in the BF era, the before-Facebook era.
    And in addition to updating that law, our bill also 
contains commonsense protections for teenagers. Our bill's 
digital marketing bill of rights stipulates that Web sites, 
online apps, operators, and operators of mobile apps directed 
to teens clearly explain why they need to collect the data. Our 
bill also prohibits operators from collecting geo-location 
information without permission from parents when we are talking 
about children. And it finally includes an eraser button. That 
is an important privacy protection which requires operators of 
Web sites' online applications that contain or display personal 
information about children or minors to enable users to erase 
or otherwise eliminate publicly available personal information 
on a Web site about children.
    I would hope that the least that we can accomplish this 
year is to provide a privacy bill of rights for children in our 
country. We can see now what the implications are if that 
information gets hacked, and my hope is that we can update the 
1999 law to accomplish that goal.
    I thank you, Madam Chair. I thank the gentleman from 
California.
    Mrs. Bono Mack. I thank the gentleman. And the chair now 
recognizes Mr. Barton for 5 minutes.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Madam Chairwoman. I appreciate you 
and Chairman Walden holding this hearing. I want to associate 
myself with what Mr. Waxman and Mr. Markey just said. If you 
have Joe Barton and Ed Markey on a bill, you pretty well 
covered the political spectrum not only of this committee but 
of the Congress.
    And I couldn't agree more with what former Chairman Waxman 
and current Ranking Member Waxman said, that privacy is not a 
partisan issue, and I do believe, as he said, that it is time 
to act. And hopefully, this hearing and several others that we 
have already had with the testimony we hope to hear from our 
administration officials will lead to action in this Congress.
    I am cochairman of the bipartisan Privacy Caucus. I have 
been an advocate for privacy for almost 20 years in the 
Congress. In this year alone I have sent letters, most of them 
with Mr. Markey or Mr. Walden or Mr. Stearns or others to 
Facebook, AT&T, Sprint, the College Board, ACT, and even the 
Social Security Administration questioning activities that they 
have engaged in that appear to impinge on our citizens' 
privacy.
    As Mr. Markey indicated, I have also introduced H.R. 1895, 
the Do Not Track Kids Act of 2011. And this legislation does 
five important things. First of all, it updates the Children's 
Online Privacy Protection Act of 1998. It adds protections for 
our citizens between the ages of 13 and 17. It would prohibit 
an Internet company from sending targeting advertising to 
children and minors. It would also prohibit Internet companies 
from collecting personal and location information from anyone 
who is less than 13 years of age without parental consent, and 
anyone less than 18 without individual consent. It would 
require Web site operators to develop something called an 
eraser button, which would give children and minors the ability 
to request deletion of their personal information that they do 
not wish to be available on the Internet.
    The time has come, Mr. Chairman and Madam Chairwoman. We 
know that we need a vigorous Internet, we know that we need a 
vibrant economy, but we should all agree that we certainly need 
to protect our privacy in the Internet age just as much as we 
did in the age before the Internet.
    With that, I would like to yield the balance of my time to 
Mr. Olson of Texas for such comments as he wishes to make.
    [The prepared statement of Mr. Barton follows:]





    
   OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Olson. I thank my colleague from Texas. And I thank 
Chairmen Upton, Walden, and Madam Chairman Bono Mack for you 
all's leadership in calling this important hearing.
    As this is my first privacy-related hearing, I am 
approaching the issue with an open mind but not an empty mind. 
I think the key with approaching privacy is doubts, 
transparency, and facts. And that is why we are here today.
    Consumers are becoming increasingly aware of their own 
privacy. It is important for them to know what information is 
being collected about them and how it is being used. In today's 
global economy, information is a valuable commodity, but we 
have to closely examine the many economic benefits the Internet 
and the data collection provides consumers and our economy and 
balance those with legitimate privacy concerns. We cannot 
legislate in search of a problem.
    So I look forward to examining this important issue further 
and to playing a proactive role in the future privacy 
discussions.
    I thank my colleague from Texas for the time and yield 
back.
    Mrs. Bono Mack. I thank the gentleman and am happy to 
recognize the gentleman from Georgia, Mr. Barrow, for 1 minute.

  OPENING STATEMENT OF HON. JOHN BARROW, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF GEORGIA

    Mr. Barrow. Thank you, Madam Chair.
    I am glad we are meeting today to discuss this issue. You 
know, this issue is a whole lot more important to a lot of 
people than most folks realize because most folks just don't 
realize how much they open themselves up when they go online, 
how much of their personal information is being stolen or 
misused every time they go online.
    In the interest of time, I am going to cut to the chase. I 
understand industry's need for legitimate and even playing 
field across the country and customers' need on different sides 
of the same state boundary to a reasonable expectation of 
privacy every time they go online. I recognize the need for 
that. I come down heavily on the side of privacy, though, but I 
am interested in understanding how we can set forth rules of 
the road that are good for industry but protect the same shared 
expectation of privacy that folks have on different sides of 
the same state boundary. Folks have a right to expect a 
reasonable degree of privacy when they go online no matter 
where they live in this country. So I feel the need for us to 
do that.
    I look forward to discussing how we can do this, and I 
believe today's hearing is a big step in that direction. I want 
to thank our witnesses for addressing these concerns today. And 
with that, I yield back.
    Mrs. Bono Mack. I thank the gentleman. And the chair 
recognizes the gentlelady from California, Ms. Matsui, for 2 
minutes.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you, Madam Chair, and all the other 
chairs for holding today's hearing. I would like to thank our 
distinguished panelists for being with us this morning. It is 
nice to see you all on this important issue.
    Today, millions of Americans rely on a variety of services 
and applications for a number of activities, including social 
networking and navigation and mapping services, among many 
others. As we all know, in today's economy, information is 
everything to everyone. We also know that technology changes 
continuously, every day. What is new today may not be new 
tomorrow. We must continue to encourage American innovation and 
foster growth and development of the next-generation 
technologies. But it is also essential that we properly protect 
the private and personal information of consumers, particularly 
our young people.
    Privacy policies and disclosures should be clear and 
transparent. We should also understand the scope of information 
that is being collected, what it is being used for, the length 
of time it is being retained, and its security. Ultimately, 
meaningful privacy safeguards should be in place while ensuring 
that we don't stifle innovation. It is clearly a fine balance 
but we need to do it.
    I thank you again for holding this important hearing today, 
and I look forward to working with my colleagues on this issue, 
and I yield back my time.
    Mrs. Bono Mack. I thank the gentlelady. And the chair 
recognizes the gentlelady from Illinois, Ms. Schakowsky, for 1 
minute.

       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. I wanted to thank you, Madam Chairman and 
Congressman Walden, for holding today's hearing. I especially 
want to say to you that I appreciate the work that we have done 
over several years on the issues of Internet security and your 
leadership on this issue.
    As a long-time consumer advocate, I have serious concerns 
about tracking practices, especially the undisclosed data 
gathering of user behavior. That is why I am an original 
sponsor of Congresswoman Speier's Do Not Track Me Online Act. 
This bill would establish standards for a consumer-friendly do-
not-track mechanism. I am also a cosponsor of Congressman 
Markey's Do Not Track Kids Act, which would offer enhanced 
protections against the tracking of children and teens, and I 
urge the committee to consider these and other commonsense 
solutions to the tracking issue as soon as possible.
    I associate myself also with my colleagues who want to 
investigate the--or want more answers anyway--on the hacking 
scandal of the Murdoch Enterprises and its implications. We 
must hold Internet service providers and search engines 
accountable for their actions and I look forward to hearing 
from our panel today.
    Thank you and I yield back.
    Mrs. Bono Mack. I thank the gentlelady and thank my 
colleagues for their opening statements and now we turn our 
attention to our panel.
    We have one panel of witnesses joining us today. Each of 
our witnesses has prepared an opening statement that will be 
placed into the record. Each of you will have 5 minutes to 
summarize the statement in your remarks.
    On our panel we have the Honorable Julius Genachowski, 
chairman of the Federal Communications Commission; we have the 
Honorable Edith Ramirez, Commissioner of the Federal Trade 
Commission; and our third witness is the Honorable Lawrence 
Strickling, Assistant Secretary for the National 
Telecommunications and Information Administration.
    Good morning. We welcome you back to the hearing room. And 
again, you will be each recognized for 5 minutes, and I am sure 
you are very familiar with the timers on the table. As you 
know, when the light turns yellow, you will have 1 minute left. 
So as I have been admonished, please remember to make sure your 
microphone is on and close to your mouth.
    And at this point I am pleased to recognize Commissioner 
Ramirez for 5 minutes.

   STATEMENTS OF EDITH RAMIREZ, COMMISSIONER, FEDERAL TRADE 
       COMMISSION; JULIUS GENACHOWSKI, CHAIRMAN, FEDERAL 
    COMMUNICATIONS COMMISSION; AND LAWRENCE E. STRICKLING, 
  ASSISTANT SECRETARY FOR COMMUNICATIONS AND INFORMATION, AND 
   ADMINISTRATOR, NATIONAL TELECOMMUNICATION AND INFORMATION 
                         ADMINISTRATION

                   STATEMENT OF EDITH RAMIREZ

    Ms. Ramirez. Thank you. Chairman Bono Mack, Chairman 
Walden, Ranking Members Butterfield and Eshoo, and members of 
the subcommittees, I am Edith Ramirez, a commissioner of the 
Federal Trade Commission. I appreciate the opportunity to 
present the Commission's testimony on Internet privacy.
    Today, personal information about consumers may be 
collected, sold, and used in almost every conceivable 
interaction a consumer has both online and offline. For 
instance, a college freshman sits in her dorm room using the 
Internet to research depression for a paper she is writing for 
a psychology class. When her research is done, she applies 
online for student loans to help her pay for her tuition. 
Later, heading out of her dorm room, she grabs her smartphone, 
which she uses to find the closest drugstore. At the drugstore, 
she uses a loyalty card to get discounts. Afterwards, when the 
student is back online surfing the Web and keeping up with 
friends on a social network, she sees advertisements for 
medication for depression and anxiety, as well as ads for high-
interest credit cards and payday loans.
    These activities--made possible by technology unimaginable 
years ago--offer clear benefits to the student. She enjoyed 
easy access to information, received discounts at the 
drugstore, and connected with friends, all in the course of a 
few hours. But the student is likely unaware that data about 
her drugstore purchases, Web activities, and location may have 
been sold to data brokers she has never heard of and added to a 
growing digital profile about her. She may not know that this 
information may be used for marketing purposes or to make 
decisions about her eligibility for credit. And she might be 
especially surprised to learn that her research into depression 
may be included in her digital profile and could be used when 
she applies for life insurance or might be sold to prospective 
employers when she graduates a few years later.
    This student is not alone in her lack of awareness that 
vast quantities of information about her are mined and sold 
every day. Most consumers have no idea that so much information 
about them can be accumulated and shared among so many 
companies, including employers, retailers, advertisers, data 
brokers, lenders, and insurance companies.
    The FTC wants consumers to have an effective notice and 
meaningful choices about what data is collected about them and 
how it is used. That in turn will engender the consumer 
confidence and trust that are essential for industry to 
continue to innovate and flourish.
    For decades, the FTC has been the Nation's lead law 
enforcer on consumer privacy and data security. During this 
time, we have also engaged in substantial policy initiatives 
and educated consumers and businesses on privacy and data 
security. In recent months, we have brought a number of 
significant enforcement actions in this area, as described in 
our written testimony. Just 2 weeks ago, we announced an action 
against Teletrack, a company that sold lists identifying cash-
strapped consumers to marketers in violation of the Fair Credit 
Reporting Act. To resolve our allegations, the company has 
agreed to pay a $1.8 million civil penalty and to submit to a 
court order that ensures that consumers' sensitive credit 
report information is not sold for marketing purposes.
    Privacy and data security also continue to be at the 
forefront of the FTC's policy agenda. In December, Commission 
staff issued a preliminary privacy report that recommended 
three bedrock principles. The first is privacy by design, the 
idea that companies should embed privacy protections into their 
products and services from the start. Second, companies should 
present choices about the privacy of personal data in a simple 
way and at the time they are making decisions about that data. 
Third, companies should improve the transparency of their 
privacy practices thereby promoting competition on privacy.
    Finally, a staff report called for the adoption of Do Not 
Track, a one-stop tool for consumers to control online 
behavioral tracking. The Commission has not taken a position on 
whether Do Not Track legislation is needed, but a majority of 
commissioners, myself included, supports widespread 
implementation of Do Not Track.
    In closing, I want to note that the Commission appreciates 
the committee's focus on consumer privacy and data security and 
we are prepared to provide any assistance that you may need on 
these critical issues. Thank you.
    [The prepared statement of Ms. Ramirez follows:]





    
    Mrs. Bono Mack. Thank you, Commissioner.
    And the chair is now pleased to recognize Chairman 
Genachowski for his 5 minutes.

                STATEMENT OF JULIUS GENACHOWSKI

    Mr. Genachowski. Thank you to the chairs and ranking 
members for holding this important joint hearing.
    The right to privacy is a fundamental American value, and 
the Federal Communications Commission has worked to implement 
congressional laws that protect the privacy of consumers when 
they use communications networks. The Internet and other new 
forms of communications raise new and difficult privacy 
challenges, particularly when it comes to children. The FCC is 
committed to working with Congress, the Federal Trade 
Commission, the Department of Commerce, and our colleagues 
across government as well as industry and all external 
stakeholders to tackle these issues.
    To understand the importance of privacy challenges in the 
digital age, one must appreciate the extraordinary 
opportunities created by broadband Internet services. High-
speed Internet, fixed and mobile, is an indispensible platform 
for innovation and economic growth, for our global 
competitiveness and opportunities to transform education, 
healthcare, energy, and public safety. To fully realize the 
benefits of broadband, people need to trust that the Internet 
and all communications networks are safe and secure.
    As our National Broadband Plan found, privacy concerns are 
a barrier to broadband adoption. When people and small 
businesses fear that new technology puts their privacy at risk, 
they are less likely to use those new technologies. Consider 
location-based services. McKinsey estimates that this growing 
sector will deliver $700 billion in value to consumers and 
businesses over the next decade.
    Two weeks ago, the FCC, with the participation of the FTC, 
hosted a workshop on location-based services, which identified 
consumer concerns about the use and security of their location 
information as something that must be addressed to seize the 
economic and other benefits of this new technology.
    In general in this area, we need to strike a smart balance, 
ensuring that private information is fully protected, and at 
the same time ensuring a climate that encourages new investment 
and new innovation that will create jobs and improve our 
quality of life.
    At the FCC, our approach to privacy centers on three 
overarching goals: consumer control and choice, meaningful 
transparency about privacy practices, and data security. The 
Communications Act charges the FCC with implementing a number 
of privacy protection provisions. Sections 222, 338, and 631 
give the FCC authority to protect the privacy and security of 
the network-related data of telephone, cable, and satellite 
subscribers. The FCC is also working to educate consumers and 
small businesses about privacy and data security. For example, 
we recently released a cybersecurity tip sheet to help small 
businesses understand and implement basic precautions to secure 
their networks and data with which we have partnered with both 
the Chamber of Commerce, the National Urban League, and others 
to distribute.
    To make sure consumers are getting consistent and clear 
information and guidance from government agencies, we have 
partnered with the Federal Trade Commission, the Commerce 
Department, and the Small Business Administration on a number 
of education efforts like Net Cetera and OnGuard Online, which 
offer advice on how to protect children's personal information 
and guard against identity theft. These education efforts are 
part of an established track record of effective coordination 
between the FCC, the FTC, and other agencies.
    Now, technology can and must be part of the solution. I 
continue to encourage industry to take this very seriously, to 
use its expertise to empower consumers, provide transparency, 
and protect data. And as the government's expert agency on 
broadband and communications networks with a long history of 
taking commonsense steps to protect consumer privacy, the FCC 
has an important role to play going forward. Our network-
focused privacy and data security rules are settled and legally 
tested. Some updating of the Communications Act network-
oriented privacy regime is appropriate for the digital age. 
This can be done harmoniously with other agencies' 
implementation of any generally applicable consumer privacy or 
data security legislation.
    We look forward to working with Congress, with my 
colleagues here at the table and elsewhere, and with all 
stakeholders outside of government to harness technology to 
promote innovation, job creation, and economic growth, while 
protecting fundamentally important principles of privacy.
    Thank you again for the opportunity to testify and I look 
forward to your questions.
    [The prepared statement of Mr. Genachowski follows:]





    Mrs. Bono Mack. Thank you.
    Secretary Strickling, you are recognized for 5 minutes.

              STATEMENT OF LAWRENCE E. STRICKLING

    Mr. Strickling. Chairwoman Bono Mack, Chairman Walden, 
Ranking Members Butterfield and Eshoo, thank you very much for 
holding today's hearing and inviting the participation of NTIA. 
I am also glad to be here with my colleagues Chairman 
Genachowski and Commissioner Ramirez. All of share a strong 
commitment to protecting consumers and promoting economic 
growth.
    For the past 2 years, NTIA has been hard at work as part of 
the Commerce Secretary Locke's Internet Policy Taskforce to 
conduct a broad assessment of how well our current consumer 
data privacy framework is serving consumers, businesses, and 
other participants in the Internet economy. To guide our work, 
we have focused on two key principles: the first--and you have 
heard them from the other witnesses this morning--is the idea 
of trust. It is imperative for the sustainability and continued 
growth and innovation of the Internet that we preserve the 
trust of all actors on the Internet, and nowhere is this 
clearer than in the context of consumer privacy.
    Our second key principle is that we want to encourage 
multi-stakeholder processes to address these key policy issues. 
We want all stakeholders to come together to deal with these 
issues in ways that allow for flexibility, speed, and 
efficiency. We want to avoid the delay, rigidity, and lack of 
quick response often associated with more traditional 
regulatory processes.
    Last December, the Department issued a ``green paper'' on 
consumer data privacy, which offered a set of 10 policy 
recommendations and asked for public input on a series of 
additional questions. In this document, we proposed a three-
part framework for consumer data privacy. First, we called for 
the establishment of baseline consumer data privacy protections 
that are flexible, comprehensive, and enforceable by the 
Federal Trade Commission. We refer to this baseline as a 
consumer privacy bill of rights. This set of basic principles 
would provide clear privacy protections for personal data in 
which Federal privacy laws that exist today do not apply or 
offer inadequate protection.
    Second, to flesh out the principles into more specific 
rules of behavior, we recommended that we rely on stakeholders 
in the industry working with civil society and others to 
develop enforceable codes of conduct through a multi-
stakeholder process. In our proposal, these codes would 
implement the basic consumer protections, but their adoption 
would be voluntary.
    And third, we recommended strengthening the FTC's consumer 
data privacy enforcement authority. I believe our approach 
should welcome and attract bipartisan support. It is neither 
traditional top-down regulation, nor is it self-regulation. I 
think to use the word that Vice Chair Terry used in his opening 
remarks, it provides a real balance between consumer protection 
and meeting the needs of industry to continue to grow and 
innovate.
    In March of this year, after engaging further with a wide 
array of stakeholders, the administration announced its support 
for legislation that would help better protect consumer data 
privacy in the digital age by establishing the baseline 
protections consumers need in legislation. And a broad array of 
stakeholders--including many businesses--have expressed support 
for this approach. Specifically, this legislation would provide 
consumers with more consistent privacy protections, thereby 
strengthening trust, and preserving the Internet as an engine 
of economic growth and innovation. Legislation would also 
provide businesses with a common set of ground rules and would 
put the United States in a stronger position to work toward 
reducing international barriers to trade in the free flow of 
information.
    Our recommendations for this baseline are based on a 
comprehensive set of fair information practice principles. In 
our ``green paper,'' we drew from existing statements of FIPS 
as the starting point for principles that should apply in this 
new commercial context. And as we develop a more definitive 
administration position, we are now examining how these 
principles would apply to the interactive and interconnected 
world of today.
    The Department is also continuing to work with others in 
the Federal Government to develop the administration policy on 
data security. Without sufficient data security, there cannot 
be effective data privacy. And in May, the administration 
submitted a legislative proposal to improve cybersecurity, 
which includes proposals to strengthen consumer protection in 
the case of data breaches. The administration proposal would 
help businesses by simplifying and standardizing the existing 
patchwork of state laws with a single clear nationwide 
requirement and would help ensure that consumers receive 
notification when appropriate standards are met.
    I want to thank you again for holding today's hearing and 
for the two subcommittees' commitment to addressing consumer 
data privacy issues. Working together, we can protect consumers 
in the digital age, as well as help businesses expand globally 
by reducing barriers to trade in international commerce.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Strickling follows:]





    Mrs. Bono Mack. Thank you, Mr. Secretary. And thank you all 
for your unique insights. And I will recognize myself now for 5 
minutes for questions.
    And Chairman Genachowski, we have all seen the headlines 
about the phone hacking scandal in Britain. Are you satisfied 
that sufficient safeguards are in place to prevent similar 
privacy breaches here in the U.S., or should Americans be 
concerned?
    And also, as mobile devices become integrated in our daily 
lives and consumers use them more and more for critical 
functions like banking, are we going to see an explosion of 
hacking incidents?
    Mr. Genachowski. There are several laws in place that 
address hacking issues. There are Federal wiretapping laws that 
prevent unauthorized hacking. Hacking, I guess, by definition 
is unauthorized. There are provisions of the Communications Act 
that criminalize interception of information. There are state 
laws that prevent it. Any hacking of phones should be 
investigated. There are criminal provisions and they should be 
addressed very seriously.
    There are also issues around the security of devices 
themselves. Several years ago, there was an effort to improve 
the security of phones, including voicemails, for example, by 
providing for password protection on voicemails. The state of 
play now is that many carriers automatically provide password 
protection for voicemails. Others give consumers the choice. 
There is no question that greater protection can be 
accomplished by using the password protections, and that is an 
area that should be looked at.
    Mrs. Bono Mack. Thank you.
    Commissioner Ramirez, the question of why a privacy 
regulation is needed is a policy question you must decide. If a 
regulation is needed, presumably there is harm or consumer 
injury and the regulation is seeking to prevent. Setting aside 
data security related to personally identifiable information, 
or PII, where we know the potential harm of identity theft and 
other unlawful conduct, what is the harm or consumer injury 
when we are discussing Internet privacy? Are you aware of 
specific cases or examples?
    Ms. Ramirez. What I would say is that the fundamental issue 
that the FTC is trying to address is the issue that 
increasingly, information is being used in unexpected ways. 
Consumers simply do not know how the information that is being 
collected about them is--number one, what information is being 
collected, and number two, how that data is being used. So the 
framework that the staff has proposed in its initial report 
seeks to balance basic privacy protections for consumers 
against the needs of the business community. But the 
fundamental aim is to provide increased information to 
consumers and choice and control over the information that is 
being collected about them and how it is being used.
    Mrs. Bono Mack. So we have heard from many stakeholders 
that we really don't know enough about what the average 
consumer thinks about privacy nor the use of his or her 
information in exchange for free content. We do know that opt-
out rates are low even in those cases where people click 
through the pages that describe what information is gathered 
and shared. That is not necessarily conclusive evidence that 
consumers don't care about their information, but it must mean 
something. What is the Commission doing to find out how 
consumers really feel about privacy and the use of their PII?
    Ms. Ramirez. Well, we do know from public reports that 
there is survey after survey that shows that consumers are 
increasingly concerned about how their information is being 
used. They are increasingly concerned about privacy. We also 
know from public reports that there has been outcry by part of 
the public when certain companies have not provided basic 
privacy protections for them.
    Furthermore, industry itself has recognized that there is a 
need for increased and greater consumer trust. The Digital 
Advertising Alliance has conducted a study and they themselves 
recognize that there is a greater need to have consumers have 
greater trust in the marketplace in order for the marketplace 
to continue to flourish and for innovation to be promoted.
    Mrs. Bono Mack. The Federal Government hasn't done a study 
in, what, 10 years? Do you or any of the other agencies have 
plans to conduct another study soon to gather hard data?
    Ms. Ramirez. What we have done is that, as the process 
laying the groundwork for the report that was issued by staff 
in December of last year, the Agency conducted a series of 
public roundtables soliciting input from all relevant 
stakeholders that included industry, consumers, academics, 
technologists. We have also solicited written comments and 
received approximately 450 written comments that are currently 
being analyzed by staff, and the Agency does intend to issue a 
final report later this year.
    Mrs. Bono Mack. I thank the commissioner.
    And the chair now recognizes Mr. Waxman for 5 minutes.
    Mr. Waxman. Thank you very much for recognizing me.
    The committee will soon be marking up a data security bill. 
That markup may involve defining what data must be secured. One 
approach might include requiring all data to have some minimum 
level of security if stored in the cloud or as it travels over 
a dump pipe. Under Section 222 of the Communications Act, 
customer proprietary network information, CPNI, must be 
protected. CPNI includes the time, date, duration, and 
destination number of each call, the type of network a consumer 
subscribes to, and any other information that appears on the 
consumer's telephone bill. Under the Cable Act, cable operators 
are supposed to secure personally identifiable information. 
Now, that term is not defined.
    Under the chair's draft proposal, the term ``personal 
information'' means an individual's name or address or phone 
number in combination with an identifying number such as a 
Social Security number or driver's license number or financial 
account number, but only if there is the required security code 
or password. I agree with Commissioner Ramirez that this is a 
very narrow definition.
    Mr. Strickling, we know what the administration thinks 
should be covered thanks to its draft proposal, so I won't need 
to ask you to answer this one, but I am going to run through a 
long list and I would like to hear from Chairman Genachowski 
and Commissioner Ramirez to tell me, answering yes or no, 
should the following types of data be required to be secured?
    Whichever one of you--IP address? Mr. Genachowski?
    Mr. Genachowski. Yes. And I think the CPNI rules that we 
have implemented at the FCC are a very good starting point, but 
yes.
    Mr. Waxman. Ms. Ramirez?
    Ms. Ramirez. Yes.
    Mr. Waxman. OK. How about any unique persistent identifier 
such as a customer number, a unique pseudonym or user alias 
such as a Facebook user name and/or password. Ms. Ramirez?
    Ms. Ramirez. Yes, it if could be linked to a specific 
individual or computer or device. Yes.
    Mr. Genachowski. I would agree.
    Mr. Waxman. How about medical history information, physical 
or mental condition, and information regarding the provision of 
healthcare to the individual?
    Ms. Ramirez. Yes.
    Mr. Genachowski. Yes, I would agree. And these are 
commonsense things that people would expect should be kept 
secured.
    Mr. Waxman. Well, they are not in the bill now, so I am 
trying to get the record to indicate that you think they ought 
to be protected.
    Race or ethnicity?
    Ms. Ramirez. Yes.
    Mr. Genachowski. I would assume so.
    Mr. Waxman. Religious beliefs and affiliation, sexual 
orientation or sexual behavior, do you agree those ought to be 
covered?
    Ms. Ramirez. I do.
    Mr. Genachowski. Yes.
    Mr. Waxman. Mother's maiden name?
    Ms. Ramirez. Yes.
    Mr. Genachowski. I would assume so. I haven't thought about 
that.
    Mr. Waxman. Well, a lot of Web sites ask for your mother's 
maiden name.
    Income, assets, liabilities, or financial records and other 
financial information associated with a financial account, 
including balances and other financial information?
    Ms. Ramirez. Yes.
    Mr. Genachowski. I agree.
    Mr. Waxman. Precise geo-location information and any 
information about the individual's activities and relationships 
associated with such geo-location?
    Ms. Ramirez. Yes.
    Mr. Genachowski. Agree.
    Mr. Waxman. Unique biometric data including a fingerprint 
or retina scan?
    Ms. Ramirez. Yes.
    Mr. Genachowski. Agree.
    Mr. Waxman. Commissioner Ramirez, when you were here a few 
week ago to testify about the Republican's draft Data Security 
Bill, you mentioned that the Federal Trade Commission is 
concerned about the limited scope of personal information that 
would be subject to the bill's data security and breach 
notification requirements. In particular, you discussed health 
information collected from companies not covered by the HIPAA 
law. I agree that the FTC should be concerned about this, but I 
have another concern. It is not clear to me what would happen 
when the company that is breached can argue that it does not 
know what type of information was breached.
    Recently, we heard of an extensive breach at Dropbox. 
Dropbox is a popular cloud computing service that allows its 25 
million users to store documents and other files on its 
servers. These users may store innocuous documents like a 
grocery list or pictures of nature or they may store sensitive 
information such as an application for a loan or compromising 
or embarrassing photos. Dropbox could argue that it is in a 
cloud provider of storage that doesn't know what its users put 
there and that those users expect it not to go snooping through 
their files to find out. Shouldn't Dropbox and companies like 
it be required to have a certain level of data security? And 
similarly, shouldn't Dropbox and companies like it be required 
to notify its customers of a breach even if it does not know 
what data it holds?
    Ms. Ramirez. I am not in a position to comment on specific 
practices, but what I will say is that companies should provide 
reasonable security for personal information and private 
information of consumers. So depending on the nature of the 
specific facts and depending on the information that is being 
stored and the size of the company, a number of other factors, 
reasonable security measures ought to be provided, yes.
    Mr. Waxman. Thank you very much.
    Thank you, Madam Chair.
    Mrs. Bono Mack. I thank the gentleman. And the chair is 
pleased to recognize Chairman Walden for 5 minutes.
    Mr. Walden. I thank the chairwoman for that.
    And I wonder if I might enter into a colloquy with the 
former chairman. Could you just tell us what bill you were 
referencing? We were trying to figure that out over here.
    Mr. Waxman. It is a draft that has not been introduced with 
a number, but we have a markup in the Consumer Affairs 
Committee next Wednesday, as I understand it.
    Mr. Walden. OK. I am not on that committee, so we were just 
curious what it was.
    Mr. Waxman. Yes. This is a joint hearing of the two 
subcommittees.
    Mr. Walden. Right. Understood.
    Mr. Strickling, I am kind of interested in some of the 
things that your colleagues there were able to comment on. Does 
the administration's position through your NTIA legislation, do 
you share those same positions as were articulated by the FCC 
and FTC?
    Mr. Strickling. The administration put forward in May a 
proposal for data breach legislation that covered many--I can't 
say all--of the items that Congressman Waxman listed out for 
these folks.
    Mr. Walden. Right.
    Mr. Strickling. But many of them, such as the unique 
biometric data, unique account identifiers, those are all 
within the category of----
    Mr. Walden. Right.
    Mr. Strickling [continuing]. Sensitive personal 
information.
    Mr. Walden. Were there any that were articulated here that 
you would disagree with?
    Mr. Strickling. There might be some I would reserve 
judgment on but none I would disagree with listening to the 
list today.
    Mr. Walden. OK. Thank you.
    Chairman Genachowski and Commissioner Ramirez, I am 
concerned about the uneven competitive playing field given the 
convergence of communications out there in the marketplace. Do 
you think it is fair or competitively neutral to apply privacy 
protections to carriers but not, for example, operating system 
providers like Apple who have access to exactly the same 
consumer information?
    Mr. Genachowski. The level playing field is a completely 
reasonable goal. How to achieve it is obviously a harder 
question and to the extent that different sectors come from 
different backgrounds, have different competitive frameworks, 
the exact regulatory scheme might be different, but at the end 
of the day, I agree on your principles on technological and 
competitive neutrality.
    Mr. Walden. Commissioner?
    Ms. Ramirez. I also agree that there should be a level 
playing field. From the FTC's perspective, it is important that 
consumers be provided with basic privacy protections 
irrespective of the entity that is providing the service. So 
the Agency does take the view that if there is legislation, the 
Agency ought to have jurisdiction over telecom common carriers.
    Mr. Walden. Chairman Genachowski?
    Mr. Genachowski. Well, there is a longstanding issue here. 
We disagree with our friends at the Federal Trade Commission on 
this point.
    Mr. Walden. I wondered.
    Mr. Genachowski. The FCC brings years of experience and 
expertise operating under congressional statutes with respect 
to networks wired and wireless----
    Mr. Walden. Right.
    Mr. Genachowski [continuing]. And privacy issues around 
them. That system has worked well. And any revisions to the 
statutory framework in my strong opinion should continue to 
recognize and take advantage of this long history of expertise. 
Now, our two agencies have worked very well together----
    Mr. Walden. Right.
    Mr. Genachowski [continuing]. Cooperatively and 
collaboratively.
    Mr. Walden. I guess I think it is important there is some 
cop on the beat if you will allow me to use that, so I am kind 
of curious about the Commission's actions to enforce its CPNI 
rules and other consumer privacy protections. Can you just 
elaborate on that process for us?
    Mr. Genachowski. Yes. First of all, there is an ongoing 
education process making sure that companies are certifying us 
as to their compliance and on a regular basis, our enforcement 
bureau issues notices of liabilities when companies are not 
doing that. Over the years, issues have emerged that the 
Commission is taking an action on. Some people may remember the 
pretexting discussion of a number of years ago where it was 
found that people were posing in order to gain access to 
records. The Commission at that point adopted some commonsense 
rules to make it clear----
    Mr. Walden. Right.
    Mr. Genachowski [continuing]. That that couldn't happen and 
to put in place opt-in requirements for third-party efforts to 
access data.
    Mr. Walden. Ms. Ramirez?
    Ms. Ramirez. If I may add, I did want to clarify that I was 
by no means suggesting that the FCC's role should be displaced 
here. All I was saying was that we do believe that the FTC has 
significant enforcement experience that ought to be brought to 
bear here.
    Mr. Walden. Got it.
    Mr. Strickling, do you want to comment on any of that?
    Mr. Strickling. I was hoping to stay out of that actually, 
Mr. Chairman.
    Mr. Walden. I figured as much. That is why I thought I 
would ask you to wade on in there.
    Mr. Strickling. I think what I will say is that the 
framework we are proposing, which would apply to all of 
industry, does not intend by the proposal we are making to 
displace sector-specific regulation if there is a need for 
that. And I think we could all agree that there are certain 
industries such as the financial services and healthcare 
industry where I think additional protections are absolutely 
justified.
    Mr. Walden. Indeed. Well, we appreciate your testimony 
today and working with you as we go forward to deal with this 
issue that we are all affected by and want to do the right 
thing on.
    Thank you, Madam Chair.
    Mrs. Bono Mack. Thank you, Chairman Walden. And recognize 
now the gentlelady from California, Ms. Eshoo, for 5 minutes.
    Ms. Eshoo. Thank you again, Madam Chairwoman.
    Thank you to each of you for your testimony and for the 
work that you have done on this.
    I mentioned in my opening statement that we need a unified 
approach. And while I really respect and appreciate the work 
that you have been doing, each Agency is taking on what they 
are taking on. It is the same subject matter but it is very 
difficult for me to see how this is all stitched together so 
that there is a comprehensive policy for the country. I think 
we can draw from the work that you are doing but I think that 
the Congress really either needs to update some of the laws 
that are on the books or do something that is overarching that 
is going to protect innovation but also speak to, what, the 
second decade of the 21st Century that we are already in. That 
is what my sense of what I have heard.
    To Chairman Genachowski, under current law, does the FCC 
have authority over ISPs to ensure that the proprietary network 
information of Internet customers is not being sold to third 
parties or used for the ISPs on marketing efforts?
    Mr. Genachowski. Well, that is an area where clarification 
of the Communications Act would be helpful. There is 
uncertainty and unpredictability about that now. And in 
thinking about a level playing field, looking at Telco's cable 
satellite where there is clear jurisdiction of VoIP, telephony, 
voice-over-Internet telephone service where the FCC has acted 
as well. This is an area where clarification would be very 
helpful. And in the absence of it, there is a gap.
    Ms. Eshoo. You do need legislative clarification?
    Mr. Genachowski. Yes.
    Ms. Eshoo. I hope all the members heard that because 
there----
    Mr. Genachowski. Legislative clarification would be 
beneficial----
    Ms. Eshoo. OK.
    Mr. Genachowski [continuing]. And would eliminate 
uncertainty and unpredictability.
    Ms. Eshoo. Each word counts. Each word counts.
    Help me with this and whomever wants to lean in on this. We 
are all concerned about children. And I think if there were to 
be a starting place, you know, I think that we could develop 
consensus around that because I think consensus already exists 
on it. Children, no matter what, are always the most 
vulnerable, no matter what the category is that we speak of. I 
think just about across the board that applies.
    Now, if we are talking about children versus those that are 
a little older but they are still teenagers, who is going to 
tell the truth about their age when they are online? You know, 
I mean if it is an 11-year-old who is probably more adept at, 
you know, traveling all of these lanes than someone that is 32 
years old, but there is a restriction because of their age, why 
would they tell the truth? So it seems to me that, you know, 
this is something we need to figure out. I don't know how we 
protect children if, in fact, we start out with that as an 
approach to this issue of privacy and all that is attached to 
it. Have any of the agencies given thought to this? And if so, 
what is it?
    Ms. Ramirez. I will take the lead, if I may.
    Ms. Eshoo. Sure. You are brave.
    Ms. Ramirez. The FTC has certainly thought about these 
issues and you certainly raised some very important practical 
concerns. The Agency is currently undergoing a review of the 
rules----
    Ms. Eshoo. Um-hum.
    Ms. Ramirez [continuing]. And staff is analyzing comments 
on the----
    Ms. Eshoo. When are you going to finish that?
    Ms. Ramirez. We are moving forward with that and expect to 
be coming out with recommendations shortly.
    Ms. Eshoo. But does it cover this issue?
    Ms. Ramirez. Well, I can't comment on the specific 
recommendations that will ultimately be made, but I will tell 
you that----
    Ms. Eshoo. No, I am not asking you what your recommendation 
is going to be. I am asking you if you are examining this 
specific issue and when you are going to be finished.
    Ms. Ramirez. We are examining the practical difficulties 
that do apply when applying that statute, yes. And in 
particular, the issue has frankly become of greater concern 
when one speaks about teenagers who may raise even more 
significant concerns along those lines. And that is an issue 
that we are also seeking comment on and will be addressing in 
our final----
    Ms. Eshoo. My time is running out.
    Mr. Chairman?
    Mr. Genachowski. I agree that a focus on children as a 
starting point is something that should be strongly looked at. 
Part of the reason is it is an area where there is the widest 
consensus----
    Ms. Eshoo. Um-hum.
    Mr. Genachowski [continuing]. That as a parent that we want 
to make sure that we know how to basically protect our children 
and that the Internet is a safe place for them as well as a 
place that they can learn----
    Ms. Eshoo. Are you looking at this?
    Mr. Genachowski. We are looking at it with respect to 
communications networks, and we have been working with 
innovators in the area----
    Ms. Eshoo. Um-hum.
    Mr. Genachowski [continuing]. Encouraging them to develop 
tools. And I was in your district a couple of months ago and at 
the Computer History Museum we organize a showcase of tools and 
technologies that were being developed to help parents exactly 
with these issues online----
    Ms. Eshoo. Well, a lot of companies are becoming that much 
more sensitive about--well, I think my time has run out but I 
think that this hearing is most helpful to move this issue 
along. Thank you.
    Mrs. Bono Mack. I thank the gentlelady and know recognize 
the vice chair of the subcommittee, Ms. Blackburn, for 5 
minutes.
    Mrs. Blackburn. Thank you, Madam Chairman. Thank you all 
for your patience.
    Ms. Ramirez, I want to go back. In your testimony you 
stated that you thought the harm was lack of choice or lack of 
knowledge of how their information is being used and your 
comments about the public. So what I am wanting to know from 
you is do you think that is justification for implementing Do 
Not Track? Are you going to come forward and identify some real 
harms so that you are articulating what the bad practices or 
the bad actions are that would require Do Not Track addressing, 
and are you planning to do any market analysis and market 
impact of any steps that you come forward with?
    Ms. Ramirez. Let me first emphasize that the Commission is 
not advocating legislation in the privacy arena at this time. 
What we have done is to put out a broad framework of best 
practices that we recommend to industry and also a framework 
that policymakers can consider should Congress decide to pursue 
legislation in this arena.
    As to your specific question regarding Do Not Track, that 
is just simply one element and one aspect of the 
recommendations that relates solely to behavioral advertising--
--
    Mrs. Blackburn. So you are not wedded to that as a 
template?
    Ms. Ramirez. So what we have stated--and the majority of 
those of us on the Commission do advocate--is a universal Do 
Not Track mechanism. We have identified several elements that 
we think are important to----
    Mrs. Blackburn. OK. Are you separating the online 
advertising from some of the aggressive social media networking 
as you do that analysis? Are you separating those two 
transactions?
    Ms. Ramirez. Again, online advertising, the majority of us 
do believe that there should be a Do Not Track mechanism that 
gives consumers greater choice about what information about 
them is collected and how that information is----
    Mrs. Blackburn. OK. Let me move on with you then. The 
Supreme Court case, Sorrell v. IMS Health Incorporated, the 
Court struck down Vermont's Prescription Confidentiality Act. 
And Vermont's law restricted the ability of the pharmacist and 
drug manufacturers from using previous prescription data for 
marketing. Legal experts have claimed that this case will have 
implications for existing and proposed privacy laws. So yes or 
no, do you agree with the Supreme Court's ruling that 
restrictions on the collection and use of data must first pass 
the First Amendment's scrutiny?
    Ms. Ramirez. I do believe that if there is legislation 
enacted in this arena, there need to be considerations that 
were identified by the Supreme Court in that particular case.
    Mrs. Blackburn. OK. Do you believe the government must 
defer to less-restrictive alternatives in remedying privacy 
harms as the Court found in the recent Sorrell case?
    Ms. Ramirez. Again, I think the applicable standards of 
First Amendment principles apply.
    Mrs. Blackburn. OK. All right. Let me move on with you, 
then. Has anybody asked about Google+ and what you all are 
doing?
    Ms. Ramirez. No.
    Mrs. Blackburn. No one has? OK. What is the FTC doing--I 
will come to you in just a minute, Chairman Genachowski. What 
is the FTC doing now to oversee Google+ and the new service 
that apparently there are some problems with? If you will very 
quickly.
    Ms. Ramirez. The FTC entered into a settlement with Google 
with regard to its rollout of its Google Buzz service, which 
was a social network service that it provided. The proposed 
order, which is yet to become final, contains a few key 
elements. One, it bars misrepresentations on the part of Google 
with regard to data practices. It requires Google to provide a 
comprehensive data privacy program and also to conduct privacy 
audits.
    Mrs. Blackburn. OK. And what is the FTC doing in regard to 
Facebook and the facial recognition technology? Do you think 
that poses a threat to privacy?
    Ms. Ramirez. I am afraid that I can't comment on specific 
practices or specific companies. What I will tell you is that 
the Agency is looking very closely at the social networking 
arena as evidenced by the Google Buzz case that we just 
discussed.
    Mrs. Blackburn. OK. Thank you.
    Chairman Genachowski, back to who has the jurisdiction 
here. How do you square this? How do you think that overseeing 
the issue of privacy fits into the FCC's mission? Because I see 
it more closely aligned with the FTC. So just 30 seconds on 
that.
    Mr. Genachowski. Congress is assigned the Federal 
Communications Commission force since at least 1984 the 
responsibility for protecting CPNI or PII, various personal 
information on communications networks. And we have developed 
expertise around the engineering of those networks, the 
business practices of those networks that continues to be 
important even as we move forward into this new area. And so it 
is the reason that we collaborate so closely with the Federal 
Trade Commission. We have a joint task force where we look 
together at some of these issues of overlap and we bring 
different experiences and expertise to the table that I think 
on a net basis is very beneficial in the area. We have an 
obligation to make sure that anything we do together or any 
areas of overlap and jurisdiction are communicated clearly and 
that the public and industry has clear guidance about what the 
landscape is and what they are supposed to----
    Mrs. Blackburn. OK. I am over time. So thank you so much.
    Mr. Strickling, you are off scot-free.
    Mrs. Bono Mack. If the gentlelady would just yield for 10 
seconds to Commissioner Ramirez. I thought I heard Ms. 
Blackburn ask about Google+ and your answer was not Google+. I 
was wondering if----
    Ms. Ramirez. I believe the reference was to the Google Buzz 
matter.
    Mrs. Blackburn. No, ma'am. I said Google+.
    Ms. Ramirez. OK. Again, I can't comment on nonpublic 
matters, so my response was in reference to a recent----
    Mrs. Blackburn. To Google Buzz.
    Ms. Ramirez [continuing]. Commission order on Google Buzz 
that relates to social networking.
    Mrs. Bono Mack. Thank you just for the clarification.
    Mrs. Blackburn. Thank you, Madam Chairman.
    Mrs. Bono Mack. And the chair is happy to recognize Mr. 
Butterfield for 5 minutes.
    Mr. Butterfield. Thank you very much, Madam Chairman.
    Right now, we are grappling with how a data security bill 
should treat activities regulated under Gramm, Leach, Bliley. 
We are all weary of duplicative regulation. On the other hand, 
we don't want gaps in consumer protection. Both CNN and NPR 
have reported that banks--which aren't within the FTC's 
jurisdiction--are selling information that they collect from 
credit and debit purchases. That is they are selling their 
consumers entire purchase histories to retailers. All calls for 
privacy legislation may be pointless if such legislation is 
limited to a select group of data collectors.
    For example, if privacy legislation is limited to companies 
within the FTC's jurisdiction, as are many of current proposals 
in the House and the Senate, retailers such as Amazon would be 
limited in collecting and selling data about a consumer's 
shopping habits, but Citibank would be totally free to collect 
and sell that same information to Amazon. Do any of you have 
any concerns about such a scenario?
    Ms. Ramirez. I can address the question and I will do it in 
reference to the draft bill that was discussed earlier, the 
Safe Data Act, where the Agency does have a concern that it 
drafted--there is a carve-out with regard to data security and 
breach notification. There is a carve-out for entities that 
would be subject to the FTC's jurisdiction. So we do have a 
concern about that gap.
    Mr. Butterfield. Some have suggested that any data security 
legislation or privacy legislation we draft should be written 
very narrowly because there are sector-specific laws on the 
books already. Others want it broad enough to ensure that all 
gaps are covered. FTC has experienced sharing jurisdiction in 
other areas. Do you support data security or privacy 
legislation that could overlap with existing sector-specific 
regulation? Ms. Ramirez? Yes?
    Ms. Ramirez. With regard to data security we do support 
legislation, again, keeping in mind that gap that I talked 
about. That is a concern. We do have limited jurisdiction in 
certain other respects. We do not have jurisdiction over banks, 
for instance, but we do support general data security 
legislation.
    Mr. Butterfield. All right. And to the chairman, Mr. 
Chairman, as you may know, the Internet service providers argue 
that they should not be subject to the requirements of any data 
security bill that this committee might consider. We have heard 
two basic arguments from them. One is that ISPs are just so-
called dump pipes and they don't know what information is being 
passed to and from their customers. The ISPs have also argued 
that the FTC regulation would be duplicative because FCC 
regulates telecommunication service providers through the CPNI 
rules that include breach notification requirements for CPNI. 
Should those who provide dump pipes--and I just heard that word 
for the first time the other day--should those who provide dump 
pipes that sometimes carry innocuous documents and that 
sometimes carry sensitive documents also be subject to some 
minimum security requirements for the data that moves along 
those pipes?
    Mr. Genachowski. Well, one way to look at it is from the 
perspective of consumer and outcomes. I think consumers just 
want to know that their private information that is put out on 
networks--and they don't know all the different details about 
what is this, what is that--that there are effective data 
security policies in place that they can rely on. And we want 
that as a country because not having that will hinder broadband 
adoption and the economic benefits of broadband. So I think we 
need to find a way to make sure that consumers have confidence 
in the safety and security of the Internet and the services 
that ISPs provide.
    Mr. Butterfield. CPNI is the data collected by 
telecommunications companies about a consumer's telephone 
calls. It includes the time, the date, duration and destination 
number of each call, the type of network a consumer subscribes 
to, and any other information that appears on the consumer's 
telephone bill. That is pretty vast. Does FCC under these rules 
protect data breaches of content? For example, if I subscribe 
to the service of one of the traditional telecom carriers and I 
receive a voicemail which is content stored by that carrier, 
does that voicemail information have to be secured?
    Mr. Genachowski. So there are two issues. I think from the 
perspective of the FCC rules and obligations on telephone 
companies, they have an obligation to provide security. From 
the perspective of third parties who might seek to hack in and 
get that information, that is a criminal violation that would 
be prosecuted by the appropriate authorities.
    Mr. Butterfield. Well, what about if I subscribe to voice 
over IP service? I understand that voice over IP can transcribe 
a subscriber's voicemail message into email and text messages 
so that voicemail, email, and text will exist as content to the 
extent--and Madam Chairman, I didn't realize my time had 
expired. I will save it for the next round. Thank you.
    Mrs. Bono Mack. I would allow the gentleman to answer the 
question, though.
    Mr. Butterfield. Yes. All right.
    Mr. Genachowski. Well, I would say that the FCC has applied 
Section 222, the CPNI provisions, to voice over the Internet. 
We are viewing whether there are gaps as technology evolves, 
and that is something that we would look forward to work with 
the committee on.
    Mr. Butterfield. All right. Thank you.
    Mrs. Bono Mack. I thank the gentleman. And the chair now 
recognizes the chairman emeritus of the full committee, Mr. 
Barton, for 5 minutes.
    Mr. Barton. Thank you, Madam Chairwoman.
    I think the questions that the committee members have been 
asking point out a fundamental issue that at some point in time 
we have to deal with. What information is personal and what 
information is private and who controls it? We get the same 
question in a different format from every member of the 
committee. And hopefully, in this Congress in conjunction with 
our agencies we can put in the statute in the regulation the 
answers to that question.
    My first question is pretty straightforward to the 
witnesses here before us. Congressman Markey and I have 
introduced a bill, H.R. 1895, which is the Do Not Track Kids 
Act privacy protection of 2011. Do your agencies have a 
position on that bill yet, and if so, what is it?
    Mr. Strickling. I will start. The administration has not 
yet taken a position on that or any other Do Not Track 
legislation at this point in time. I think, though, it is clear 
and will emerge from the work we are doing now that the idea of 
providing more protection for children and for adolescents is 
one that we think ought to be incorporated in the Fair 
Information Principles that we will be proposing.
    Mr. Genachowski. And at the Federal Communications 
Commission, the Agency hasn't taken a position. Speaking for 
myself, the focus on children and the unique issues that are 
raised by children in the context of new technologies I think 
is appropriate.
    Mr. Barton. Thank you.
    Ms. Ramirez. And the FTC also has not taken a position on 
the legislation but, as I have indicated earlier, the 
Commission does support the adoption and implementation of a Do 
Not Track universal system.
    Mr. Barton. Thank you.
    This question is for Commissioner Ramirez at the FTC. 
Several years ago a company called Google used a technique 
called street mapping. This street-mapping service amassed 
quite a bit of data of very private and personal information. 
Google testified before this subcommittee--or at least one of 
these subcommittees--about it and promised that it was done 
unaware at the corporate level and they were going to make 
changes. They also, in response to an inquiry by the FTC, made 
fairly significant verbal assurances that they would improve 
their behavior and do certain things. But apparently that is 
all they did. They really didn't change their business model 
and it appears to me that Google has adopted a model of saying 
one thing in Washington and doing another thing in their 
business practices. We might need to drop the G from Google and 
just call them Oogle because of what they appear to be doing. I 
am not saying that are doing it intentionally.
    So my question to you, Commissioner Ramirez, when you have 
a company like Google that doesn't appear to really follow up 
and doesn't appear to change their business practice, what 
should a regulatory agency like yours do to insist that they 
change business practices, and do you feel that you have the 
adequate statutory authority to make that happen or do we need 
to pass legislation to give you that authority?
    Ms. Ramirez. Let me just say that I don't want to focus on 
a particular company but the Agency is----
    Mr. Barton. My question is on that particular company.
    Ms. Ramirez. What I can say is that the Agency is very 
vigilant when it comes to the issues about protecting personal 
information of consumers. With regard to Google, I did mention 
a recent proposed order that is soon to become final with 
regard to Google Buzz. In the situation that identified, that 
investigation was closed and I do believe that it highlights 
the limits of the FTC's jurisdiction in the following way. The 
Agency has done quite a bit with its Section 5 authority, but 
there are limits. If a company has not engaged in a 
misrepresentation, the Agency would not be able to use its 
deception authority to pursue an enforcement action, and that 
was the case in the Wi-Fi matter that you identified.
    Mr. Barton. So you think the Congress needs to give 
additional statutory authority to enforce that type of an 
action?
    Ms. Ramirez. The FTC is not taking a position as to whether 
legislation is needed, but what I will say is that there are 
limits to the Agency's Section 5 authority, and in my personal 
view, there does need to be more work in order for consumers to 
have basic privacy----
    Mr. Barton. Under current law, your authority is limited?
    Ms. Ramirez. That is right. Our Section 5 authority will 
not reach all practices that can cause concern in this area.
    Mr. Barton. OK. My time has expired, Madam Chairwoman, but 
I would just point out for thoughtful purposes, if this 
Congress or one of these regulatory agencies attempted to 
either pass a law or pass a statute that required every citizen 
to wear a transponder and keep it active so that everywhere we 
went, any place we shopped would be automatically recorded not 
just by the Federal Government but would be available to the 
private sector for use, our voters and citizens would come 
unglued. And yet if you go on the Internet without your 
permission, that is the basic status quo. And I believe we need 
to take steps to put privacy back into the personal realm and 
take it out of the consumer marketing opportunity realm and 
hopefully, on a bipartisan basis, we can begin to do that in 
this Congress and in this committee.
    And with that I want to thank my two subcommittee chairmen 
and women for doing this hearing and the ranking members of 
those two subcommittees for participating. Thank you.
    Mrs. Bono Mack. I thank the gentleman and now recognize Mr. 
Markey for 5 minutes.
    Mr. Markey. Thank you. Thank you, Madam Chair.
    I am just going to be following up upon the same line of 
inquiry that the gentleman from Texas and his son Jack were 
engaging in. Right now you can see his interest in child online 
privacy sitting up there. He is waving to you in thanks for the 
work that you are going to do to protect children online. That 
is Jack Barton over there.
    So you heard this concern about an eraser button, you know, 
that can be used to just say that children and minors, what 
were they thinking going to that site? What were they thinking 
putting that picture up? What were they thinking when they were 
13, 14. And in anticipation, now, of their Senate confirmation 
hearing where someone has now gone and pulled it all up or the 
admissions office at State U has now got someone kind of 
checking out what the kid did at age 12, 13, 14, 15. And there 
is a whole bunch of really young people going I know a lot of 
things about a lot of these candidates. That is not a good 
thing. There should be a way in which that information is 
erased. And it would be the parents, of course, who will want 
to erase it and that they have a right to do so and the 
technology makes it possible for them to do so.
    And again, this is not big brother. This is just big mother 
and big father saying, you know, they were only 12, they were 
only 13, they were only 14 to the company. We want to be able 
to erase it. Do you think, Ms. Ramirez, that that makes sense, 
that that be a right that parents have to be able to have that 
technology available to them and that they can erase it not 
just on a discretionary basis but it is their right to see it 
mandated to the company that they have to delete it for a 
minor, for a child?
    Ms. Ramirez. I do believe that that is an interesting idea 
that is deserving of exploration and we are happy to work with 
you in addressing that.
    Mr. Markey. So you are not sure if it should be a right 
yet?
    Ms. Ramirez. I would like to think about it further.
    Mr. Markey. OK, good.
    Chairman Genachowski?
    Mr. Genachowski. Well, two points. One is the concerns 
about children are very real, very serious; and the second is 
empowering parents to do what they want to do when it comes to 
educating, protecting their kids is also extremely important; 
number three, technology as you have indicated can help solve 
this. Technology can provide these tools. And so I think this 
is a direction that makes sense.
    Mr. Markey. OK. Mr. Strickling?
    Mr. Strickling. The principle no one can disagree with. But 
here is, I think, the caution I would urge everyone to keep in 
mind, which is for the legislature or for the regulator to be 
dictating technological solutions I think is something we need 
to approach with caution. We need to establish the principles, 
and that is important----
    Mr. Markey. OK. The principle would be that the parents 
have a right technologically to have the information erased and 
then it is up to the company to figure out what the technology 
is. Would that be oK with you? The principle is that parents 
should be able to get it erased. Do you agree with that 
principle?
    Mr. Strickling. There is no way to disagree with that 
principle----
    Mr. Markey. OK, thank you.
    Mr. Strickling [continuing]. But I still would urge some 
restraint in terms of setting down in regulation something that 
could inadvertently and unintendedly lead to a loss of 
innovation on the Internet.
    Mr. Markey. No, I appreciate that. We would depend upon 
smart people to make sure that we didn't invoke the law of 
unintended consequences.
    Mr. Strickling. Right.
    Mr. Markey. We would mandate to you to do it, to protect 
children and give parents the right to do it and to make sure 
that we don't invoke the law of unintended consequences. Do you 
think you could do that?
    Mr. Strickling. So, yes, our model would say set the 
principle and then bring the stakeholders together to find the 
ways to do it.
    Mr. Markey. Good. So is the same thing true on geo-location 
that you shouldn't have a tracking device on a 12-, 13-, 14-
year-old, you know, that the parent should be able to have that 
shut off? Do you agree with that as well? Yes? I only have a 
minute left. Could you say yes, please?
    Mr. Strickling. Sure.
    Mr. Markey. OK, good. Thank you.
    Chairman Genachowski, it is not a good idea for a 12-, 13-, 
14-year-old to have all this tracking information? Do you agree 
with that?
    Mr. Genachowski. So very quickly, I think there is a 
balance here that has to be done right----
    Mr. Markey. Yes, I get it.
    Mr. Genachowski. I have a 17-year-old. I want him to have a 
device where----
    Mr. Markey. How about a 12-year-old, a 13-year-old?
    Mr. Genachowski. Whatever the right age is, but at some 
age, for emergency purposes, a parent might want to make the 
decision.
    Mr. Markey. OK. I got you.
    Mr. Genachowski. The parental control is a powerful 
principle.
    Mr. Markey. OK. But the technology is there to shut it off 
for all other purposes other than a parent. That is what I am 
saying, big mother and big father. Do you agree with that, Ms. 
Ramirez?
    Ms. Ramirez. I do believe that parents should be able to 
have control over that.
    Mr. Markey. OK. Good. And finally, on the targeting of 
marketing, you know, by these companies to children and minors, 
do you agree that there should be a prohibition on targeting 
minors? We don't let people advertise on children's 
programming, you know, the kind of products we don't think 
should be there with little kids. Do you agree as well that we 
should have prohibitions on the targeting of minors when it 
comes to, you know, these Internet- and Web-based services that 
are out there? Ms. Ramirez?
    Ms. Ramirez. I believe that, again, parents should have 
control over it and should be able to provide----
    Mr. Markey. And there should be a technology that makes it 
possible?
    Ms. Ramirez. That is right.
    Mr. Markey. Yes. Good. Mr. Genachowski?
    Mr. Genachowski. Basically, yes. There is a long history, 
as you know, in the television area and I think borrowing from 
what we have learned that that has worked makes sense.
    Mr. Markey. OK. Thank you. Mr. Strickling?
    Mr. Strickling. I would agree with the comments already 
expressed.
    Mr. Markey. Thank you. Thank you, Madam Chair.
    Mrs. Bono Mack. Thank you. The gentleman's time has 
expired. The chair recognizes Mr. Latta for 5 minutes.
    Mr. Latta. Well, thank you very much, Madam Chair, and to 
our panel, thanks very much for being here to discuss this 
issue with us today.
    And Mr. Strickling, if I could start, on page 1 of your 
testimony, you noted that the Department of Commerce has been 
working with the Internet Policy Task Force and the White House 
to conduct a broad assessment of how well our current consumer 
data privacy policy framework serves the consumers, businesses, 
and other participants in the Internet community. Can you talk 
a little bit about how the recently announced National Strategy 
for Trusted Identities in Cyberspace fits in with that 
assessment?
    Mr. Strickling. Certainly. That is an effort, again, a 
voluntary effort to allow industry to develop ways that people 
can operate in the Internet environment with a trusted identity 
that can replace passwords and otherwise improve the security 
any individual might have transacting business on the Internet. 
Totally voluntary, the goal is to have industry develop these 
tools with government serving as a facilitator or convener. It 
is very much part of our overall multi-stakeholder approach to 
how to deal with these Internet policy issues.
    Mr. Latta. OK. And just to follow up on that because as we 
have been talking--you know, the whole discussion is with the 
privacy and if individuals are to participate in the identity 
management system, what protections would be in place to ensure 
the privacy of the information that they turn over to their 
credential provider.
    Mr. Strickling. Well, keep in mind that our role in this 
will be to work with industry to have them develop these sort 
of trusted identify mechanisms. It is not a program that we are 
going out to the public with to get people in the public to 
sign up for these. The idea, though, is to create what the 
market and what consumers would find to be a preferred approach 
to operating and transacting business on the Internet than the 
current system, the passwords, which in many ways is quite 
insecure for people.
    Mr. Latta. Well, have you in your discussions with the 
folks out there that might be developing this, have they given 
you any indication how it might work then and to protect that?
    Mr. Strickling. This effort is actually headed up by NIST 
at the Department of Commerce, so I have not had any of those 
conversations with industry about how they would go about this. 
But the folks at NIST are leading this effort.
    Mr. Latta. If I could, could I ask if you might be able to 
ask them if they could provide us with information of what they 
might have at this time on that? That would be greatly 
appreciated.
    Mr. Strickling. Certainly.
    Mr. Latta. And if I could go on, I have heard there are 
certain allegations out there that certain foreign nations have 
more onerous privacy laws on the books than we have here in the 
United States, but they seem to apply those laws mainly only to 
American businesses. What is the administration doing to ensure 
that privacy protections aren't being used as a means of 
preventing American companies from competing in the global 
market?
    Mr. Strickling. I will take that one. We are involved in a 
lot of discussions internationally with the goal of trying to 
reach some interoperability of privacy rules around the world. 
We think it is absolutely critical for American business to be 
able to operate in other countries. And while those countries 
certainly have valid and legitimate interests in protecting the 
privacy of their citizens, we think it is in everyone's 
interest to find a regime or set of regimes that are 
interoperable with each other.
    I would mention that our emphasis on the creation of these 
codes of conduct by industry working with other stakeholders 
may be a way to bridge some of those differences between the 
privacy protections in our country as compared to those that 
might be employed in other countries, the idea being that if we 
can get the various of these other countries to recognize codes 
of conduct as an appropriate response to the privacy 
imperatives of that nation or set of nations, that gives 
industry an opportunity to create one operating approach that 
meets the obligations of many different countries.
    So very specifically, in Europe, they are in the process of 
rewriting the European Union Privacy Directive, and we have had 
a number of conversations with the folks at the EU to talk to 
them about making sure that they have a role for codes of 
conduct as a way to meet these obligations. We see that as a 
fast way to achieve the interoperability our businesses need to 
be able to thrive internationally.
    Mr. Genachowski. If I could just echo the--this is a very 
important effort. The threat to American businesses, our 
economy if this doesn't succeed is very significant. And the 
opportunity to make progress internationally on a set of 
principles that can be complied with across multiple 
jurisdictions is a window that is closing because if many 
countries go ahead and adopt inconsistent regulations, ones 
that make it extremely difficult, expensive, impossible for 
American companies to comply with, reversing that will be much 
more difficult than working now, as the Commerce Department is 
doing--we are and others--to establish a level playing field 
internationally from the start of this very important growing 
industry.
    Mr. Latta. Thank you very much. And Madam Chair, I see my 
time has expired. I yield back.
    Mrs. Bono Mack. I thank the gentleman and now recognize the 
gentlelady from California, Ms. Matsui, for her 5 minutes.
    Ms. Matsui. Thank you very much, Madam Chair.
    As I have said previously, in today's economy, information 
is everything to everyone even though we might think our 
personal information is not that important on various things. 
We might throw things away but it is important to somebody. And 
with ever-changing technologies and applications emerging, it 
is essential that we properly protect the private and personal 
information of consumers. We must do it in such a way that 
doesn't stifle innovation. And as I said before, I know this is 
a delicate balance. But how do we find that delicate balance to 
ensure consumers are aware of what information is being 
collected and the scope of it while not stifling innovation?
    Why don't you start off, Ms. Ramirez?
    Ms. Ramirez. Yes. The approach that the FTC has taken has 
been precisely to solicit input on these complicated questions 
to ensure that we do undertake a balanced approach. And the 
framework that has been proposed preliminarily in staff's 
report issued last December is precisely an approach that we 
believe balances the need for consumer protection here as well 
as the needs of industry.
    Mr. Genachowski. And I would answer that. The process that 
our various agencies have undergone and the process that 
Congress has undergone through the hearings on this topic, they 
actually led to growing consensus around some core ideas: 
focusing on consumer choice, transparency, and real data 
security. Obviously, there are a lot of issues in 
implementation, but I think where we are now collectively as 
compared to where we were a year ago reflects real progress. 
Obviously, now, the difficult task of converting that into 
rules where necessary at agencies--or not because I think to 
the point Mr. Strickling made before, industry-led efforts here 
can have particular benefits if they move and if they put those 
measures in place.
    Ms. Matsui. Do you have anything further to add, Mr. 
Strickling?
    Mr. Strickling. Certainly. I will make it easy for you. 
Pass legislation along the lines of what we recommend. Baseline 
principles allow industry working with all stakeholders to 
develop codes of conduct and give the FTC the enforcement power 
it needs to enforce the baseline principles. I think that is 
exactly the balance we want to have. It gives industry the 
flexibility to craft specific rules of behavior that meet their 
needs and allow them to continue to innovate, but at the same 
time, it is based on a bedrock set of a bill of rights of 
privacy that ensure that everyone gets a basic amount of 
protection.
    Ms. Matsui. OK. Thank you.
    And as you know, OMB is implementing a cloud computing 
initiative to improve government efficiency while saving 
taxpayers money. And I do support an initiative like this.
    Now, Chairman Genachowski, do you support cloud initiatives 
and what kind of impact do you think it will have on our 
economy? And how can we ensure any potential privacy concerns 
with a cloud are properly met?
    Mr. Genachowski. I strongly support these cloud 
initiatives. On the part of both government, large businesses, 
small business, they are efficiency-enhancing, productivity-
enhancing, they will save money. They are new areas of 
tremendous growth for our economy. It is an example of a new 
technology that has extraordinary opportunities that also 
presents challenges. And there is no question that data 
security and privacy are some of the challenges. I would not 
tackle that by slowing down cloud computing. I would tackle 
that by working diligently hard with industry to make sure that 
security is fully protected and taking advantage of the 
extraordinary technological expertise that we have in this 
country to make sure that that happens.
    Ms. Matsui. OK. Thank you.
    As we all know, often these policies that we are talking 
about are drafted in complicated legal language. And more 
importantly, even if a consumer is able to understand a privacy 
policy of one company, the policies can't easily be compared 
from company to company. Thus, there is no means for consumers 
to comparison shop for privacy in any meaningful way. What can 
industry to do to improve privacy policies and set some 
standards so that privacy practices can be compared from 
company to company? Ms. Ramirez?
    Ms. Ramirez. I first want to say that I agree that privacy 
policies--the way they have developed poses significant 
challenges. This is particularly acute in the mobile arena when 
you have a very small screen and sometimes you have to scroll 
through 100 screens to read a single privacy policy. So one of 
the key elements of what the FTC has proposed in its framework 
is that there be simplified consumer notice and choice. And 
that is an essential feature of the framework that we are 
proposing.
    Ms. Matsui. OK. I see my time is running out. Can you two 
just comment quickly on this, too?
    Mr. Genachowski. I agree. I think the importance of 
industry-led efforts to ensure compliance with these principles 
that I think there is broad agreement on choice, transparency, 
real security is an important part of what we all need to be 
going forward.
    Ms. Matsui. Thank you. And Mr. Strickling?
    Mr. Strickling. We totally subscribe to transparency and 
more simplicity.
    Ms. Matsui. OK. Thank you.
    Thank you very much, Madam Chair.
    Mrs. Bono Mack. Thank you. The chair recognizes Mr. Scalise 
for 5 minutes.
    Mr. Scalise. Thank you, Madam Chair.
    And I know as we are all struggling with the balance 
between protecting privacy while also making sure that as 
people use the Internet, one of the great things about the 
Internet is that for the most part there are so many things you 
can do free where there are services that are provided but at 
the same time in many cases you are not necessarily paying for 
some of those services. And of course the hook comes in is that 
in many cases the things that you are doing on the Internet, 
there is some tracking that goes on and ultimately it is sold 
to advertisers, and the advertising money that those companies 
make allows them to provide the service for free. So you have 
got to weigh that balance and make sure that we can protect 
privacy and then also allow for that ability for consumers who 
do want to participate in that transaction to be able to still 
have those services offered if they so choose. And I guess that 
is where we really get into the policy side is how best to make 
sure that framework gives the consumer, the online user the 
choice.
    I want to first just get your take on something. There was 
an article I read. It was called ``You're Not Google's 
Customer--You're the Product.'' And it kind of lays out an 
interesting scenario of who is the product, who is the 
customer. And in many cases you are a customer if you walk into 
a store and you pay for something, you are the customer. And it 
seems like in some cases some of these companies--not just 
Google but all of the companies that have this kind of business 
model--are you really the customer if you are really not paying 
for anything but in fact your actions on their Web site is what 
is used for them to then go and sell advertising and in essence 
would then the advertiser be the customer and not you? And then 
how does that relationship all come down to how you as 
regulators treat those various entities? And so if I could just 
get each of your takes on that, that business model and how you 
really view--where is the user of the service in that 
transaction?
    Mr. Strickling. I will give my first impression. I haven't 
seen the article so I am not sure exactly the context in 
which----
    Mr. Scalise. I ask unanimous consent to enter this into the 
record and make it available to the witnesses as well.
    Mrs. Bono Mack. No objection.
    [The information follows:]





    Mr. Strickling. That would be great, but I think I can 
answer your question, which is that what is key here is if you 
are collecting information about people, so I think there is 
nothing to be gained by a distinction between a customer and a 
non-customer or a product or whatever. The issue is information 
about you being collected by this particular entity when you go 
online to their Web site. And it needs to be made very 
transparent and in clear language, you know, to you in whatever 
capacity you are coming to that Web site, what that information 
is and how it is going to be used. But I don't think the 
distinction is important. The question really is are you 
collecting information about this individual when they visit 
your Web site?
    Mr. Scalise. Chairman Genachowski?
    Mr. Genachowski. I would add this. We are in a period now 
in this country of tremendous and technological and business 
model innovation and that is a really good thing. It is part of 
what makes our country great. It is part of what will 
ultimately make our economy sound and strong. And we wouldn't 
want to be seeing this happen in other countries and not here. 
Now, new technologies, new business models gives rise to new 
concerns, and it is appropriate that we are having this 
discussion, this debate involving industry, involving agencies, 
involving Congress to identify core principles that should be 
protected even as we encourage world-leading business model and 
technological innovation. And so it is what I keep coming back 
to and I think Mr. Strickling--we all do--core principles that 
can help provide guidance even as we make sure we are 
encouraging world-leading innovation and technology in business 
models.
    Mr. Scalise. Thanks. Commissioner Ramirez?
    Ms. Ramirez. We also recognize that consumer information is 
becoming a commodity. We do believe that you can craft 
standards that take into account the benefits provided to 
consumers while at the same time providing protection. And to 
me, the core issue is, again, providing transparency, providing 
information to consumers so that they can exercise choice. And 
let me just use the example of the Do Not Track mechanism that 
I believe should be implemented. I believe there can be an 
intermediate approach that can be used where consumers can 
select what type of advertising they are willing to receive and 
what type of information about them can be collected so that in 
that fashion advertising would continue. But, for instance, if 
a consumer doesn't want to receive advertising relating to 
health information, that would not be done, but they could 
receive advertising----
    Mr. Scalise. OK. Thanks. And I have got just a few seconds. 
One last--Chairman Genachowski, in relation to a question that 
I think Congresswoman Blackburn had asked, I am not sure if you 
implied it, but it seemed like you might have been referring to 
the Internet as a telecommunications service. I mean, I 
wouldn't consider it a telecommunications service in that 
sense. Was that your intention or----
    Mr. Genachowski. I am not sure I used that phrase. I may 
have referred to it as a communications network and I think it 
clearly is.
    Mr. Scalise. But not a telecommunications service because 
that would in terms of classification----
    Mr. Genachowski. Which I didn't intend to raise.
    Mr. Scalise. Great. No, I appreciate it. Well, thank you 
all for your answers and I yield back.
    Mrs. Bono Mack. I thank the gentleman and recognize Mr. 
Rush for 5 minutes.
    Mr. Rush. Thank you, Madam Chair. And Madam Chair, I 
certainly want to thank you and all the other very important 
people who have put together this hearing. And I want to thank 
all of the witnesses for appearing before us today. I know they 
are quite busy but to come over and share with us their 
opinions and their conclusions.
    Commissioner Ramirez stated correctly, I believe, that 
individuals can and do have varying privacy tolerance 
thresholds, and these thresholds can and do turn on several 
variables, including who has their personal information and 
what that information--which is personal in nature--what it 
represents. And I introduced a bill in the last Congress and 
reintroduced it in this Congress. It is called the Best 
Practices Act, H.R. 611, which would require covered entities 
to obtain express consent from consumers for collection, use, 
or disclosure of particularly sensitive information or 
comprehensive online data collection. Among other things, it 
would give the FTC APA rulemaking authority to further modify 
the definition of ``sensitive information.'' Given how complex 
a person's decision-making process and all the dependencies 
that are involved, I would like to ask each of the witnesses 
today--and especially you, Commissioner Ramirez--your opinion 
on whether such a grant of authority is prudent and would it 
make for a good public policy?
    Ms. Ramirez. Again, let me just say that the FTC has not 
taken a formal position on legislation but I will note that in 
the privacy report that was issued in December, the staff does 
recommend that sensitive information be provided, both 
additional data security protections and that consumers be 
given an opportunity to provide express affirmative consent for 
the use of that information. I also do believe that if 
legislation were to be enacted, it would be beneficial to 
accord the agency APA rulemaking authority to make 
modifications should that prove necessary with regard to the 
types of sensitive information that would be protected.
    Mr. Rush. Chairman Genachowski?
    Mr. Genachowski. Let me just add that the less clear and 
more confusing disclosures are about how information is being 
used, the stronger the argument for an opt-in requirement. The 
more clear, easy-to-understand, transparent disclosures are, 
the weaker the argument is. And so it is an area where the 
industry can step up, provide disclosures about how they are 
using information, what they are collecting that are so clear 
that make it so easy for consumers to choose that there would 
be no need to have an opt-in/opt-out debate. If the industry 
doesn't do that and the disclosures are less clear/more 
confusing, I imagine we will continue to hear from consumers 
saying we don't understand this. We need some defaults.
    Mr. Rush. Mr. Strickling?
    Mr. Strickling. I guess I would like to take your question 
up just one level because it could be raised about any number 
of things and again point out, you know, our concern about 
getting too detailed and too regulatory in terms of specific 
prohibitions and the mechanisms that are used to implement 
them. What is important we can all agree is that there be 
meaningful consent. None of us can predict today what 
technology might be available in 2 or 3 years by which 
meaningful consent could be obtained from a consumer. And 
therefore, we are quite concerned about incorporating into 
legislative language or in rulemakings that by themselves will 
take quite some time to conduct, you know, very specific 
approaches. To preserve the ability for business to innovate, 
we think this is a perfect example of where you set the 
principle and then ask industry working with all stakeholders, 
civil society and other folks that are interested in this to 
devise the rules of behavior that would actually be engaged in 
and which can be changed on a regular basis to accommodate----
    Mr. Rush. I want to move on. Commissioner Ramirez also 
stated that some consumers may be more predisposed than others 
to be taken advantage of, including consumers who are put on 
marketing sucker lists based on their past behavior. This may 
beg additional question as to what could be deemed to be 
sensitive information. Along that line of logic, how sensitive 
would you say other forms of compulsive disorder-related 
personal information about consumers such as drugs, sex, 
gambling addiction, for example? How sensitive would those 
particular areas and other areas be to you?
    Ms. Ramirez. And again, I will turn to the recommendations 
that were made in our privacy report to identify certain 
categories such as health information, financial information, 
geo-location information. So those I would classify as being 
sensitive.
    Mr. Rush. Commissioner?
    Mr. Genachowski. I would agree with that.
    Mr. Strickling. In our legislative proposal on data breach 
in May, we provided a list of what the administration would 
believe to be sensitive personal information. And I would refer 
to that list.
    Mr. Rush. I yield back.
    Mrs. Bono Mack. I thank the gentleman and recognize Dr. 
Cassidy for 5 minutes.
    Mr. Cassidy. Commissioner Ramirez, you helped me last time 
understand what HIPAA applies to and what it does not. Now, 
your opening statement was kind of like a good Hemingway story. 
That first sentence kind of grabbed me and took me off with 
you. So when I go to CVS and I buy my Advil for my bad knee, is 
that HIPAA-protected that I just purchased Advil over the 
counter or can CVS integrate that with other bits of data so 
now I start getting advertisements for Advil or other non-
steroidals on my side bar as I do the net.
    Ms. Ramirez. If you go to a retailer, that would not be 
protected under HIPAA. HIPAA only covers things like hospitals, 
medical providers. So retailers would be able to use that 
information.
    Mr. Cassidy. Well, I buy glucosamine chondroitin just to 
tell you more about myself than you care to know.
    Ms. Ramirez. I am sorry. Say that one----
    Mr. Cassidy. I buy something for osteoarthritis and it is 
non-protected. It is over-the-counter. And they can integrate 
that with other things known about me since I have a little 
kind of rewards card, and that can go into this database that 
says here is Bill Cassidy. Let us tag the son of a gun.
    Ms. Ramirez. That can be done, yes.
    Mr. Cassidy. Now, what if it is a prescription medication?
    Ms. Ramirez. Prescription medication would have other 
protections, but again if, for example, one does research 
online, it is conceivable that certain personal health 
information could then be part of a profile that is compiled 
digitally.
    Mr. Cassidy. Well, I go to PubMed, the National Institute 
of Health Web site--I am a physician--regarding medical 
information. I may look up anything I want to there. I am a 
physician. So I look up hepatitis. Now, that I don't see things 
on the sidebar about hepatitis. So clearly it is possible to 
keep that even if I start off--but let me ask you if I go to 
Google and just put in hepatitis and I come up with Wikipedia 
and I come up with PubMed and I go to PubMed, the very fact 
that I put it into Google means that now Google knows I am 
interested in hepatitis, correct?
    Ms. Ramirez. Correct.
    Mr. Cassidy. But what about my credit card company? If my 
credit card company I am purchasing airplane tickets to come to 
Washington, D.C., does American Express or U.S. Air or Visa 
integrate that into my overall profile?
    Ms. Ramirez. I would note that the Agency doesn't have 
jurisdiction over banks so there are certain safeguards that 
apply to financial information that might be more strict. So 
there is a difference there.
    Mr. Cassidy. Got you. The other thing I am noticing that is 
in my inbox now, I will get an email from somebody suggesting 
that I have requested information from them and I happen to 
know that I have not. It is almost a form of phishing. Is this 
something that is common now that some bank will say you need 
to update your records? We see there has been a recent change 
and so our--not a bank because you don't have banks but some 
other company that basically entices me to go to their Web site 
to update my records even though I haven't used that service?
    Ms. Ramirez. There are a number of scams that we are aware 
of where fraudulent operators may try to get confidential 
information from consumers----
    Mr. Cassidy. I see. So that may be the company or that may 
be a scam?
    Ms. Ramirez. So consumers need to be careful about that, 
certainly.
    Mr. Cassidy. Yes, I got you. And now the children's aspect 
of this, Commissioner--and I guess it is you--I have a daughter 
who is 9 and she just kind of whizzes past. She accepts 
everything, oK? I am struck that some of these do-you-accept 
are so long that unless you are an obsessive compulsive 
attorney you are just never going to read it. So is it possible 
to surely make me fully aware of this but I am not fully aware 
of it because it is somewhere on line 47 of paragraph 42? Do 
you follow where I am going with that? To put it differently, 
when we ask someone to opt in or opt out, an effective 
technique would be to bury it within long contract language. Is 
there currently any rule that would make the companies say 
listen, if you are going to have them opt in/opt out or agree 
to a certain type of advertising, it has to be understandable 
and not buried deep within a contract? Does that make sense? 
You are looking at me blankly so was I----
    Ms. Ramirez. I am sorry. I wasn't sure if you were speaking 
to----
    Mr. Cassidy. To whoever is the person----
    Ms. Ramirez. I will take this. Again, we do have concerns 
about long privacy policies. One of the key elements of the 
FTC's recommendations is that notice and choice be provided in 
a simple, understandable manner. There is no current 
requirement that that be done, but we believe as a best 
practice, companies ought to do that.
    Mr. Cassidy. Got you. OK. I yield back. Thank you.
    Mrs. Bono Mack. Thank you, Dr. Cassidy. And the chair 
recognizes Mr. Harper for 5 minutes.
    Mr. Harper. Thank you, Chairman Bono Mack.
    Commissioner Ramirez, I want to follow up on some questions 
or an area that Mrs. Bono Mack had done regarding harm to 
consumers. And does the Commission or can the Commission 
provide specific examples of actual harm or we talking more of 
hypotheticals?
    Ms. Ramirez. The harms that we are concerned about are not 
speculation. We have heard public reports of activities along 
the lines of the hypothetical that I used in my opening 
statement as actually happening. Insurance companies, for 
instance, today are developing models by which they can 
assemble information that is available to them through this 
aggregation of data that we have been discussing as a means of 
substituting what formerly would be more complicated 
underwriting analyses. So the potential is clearly there. There 
are public reports that these things are happening today.
    Mr. Harper. Are you able to provide to us evidence or 
documentation of those specific harms?
    Ms. Ramirez. The FTC, we are certainly happy to work with 
you to provide more details and information about those harms.
    Mr. Harper. All right. As we look at this, before we look 
at additional regulations or we look at information, should the 
Federal Government be required to show what significant 
consumer harm exists to justify the type of additional costs 
that we could be talking about when it comes to market 
regulation on privacy or Do Not Track legislation that that 
might impose upon businesses?
    Ms. Ramirez. I believe that if Congress decides to move 
forward with legislation, certainly, one has to take into 
account the implications for all relevant stakeholders, yes.
    Mr. Harper. Have you done any analysis of that potential 
cost, the cost to businesses for that?
    Ms. Ramirez. Again, we have solicited comments and have 
received over 450 comments from industry, consumers, and other 
stakeholders. We do have a Bureau of Economics that is involved 
in our review and we will be putting out recommendations later 
this year.
    Mr. Harper. OK. And do you have a time frame? Later this 
year----
    Ms. Ramirez. Later this year.
    Mr. Harper [continuing]. When you think that might be?
    Ms. Ramirez. I am afraid I can't be more specific.
    Mr. Harper. OK. We will give you that much wiggle room.
    Ms. Ramirez. I appreciate it.
    Mr. Harper. Can you tell me how much we know about what 
information Internet sites collect about users and how much do 
we know about the sharing of that information? I know we have 
covered that some in this hearing, but can you enlighten us?
    Ms. Ramirez. I am afraid that I can't quantify the scope. 
What I can tell you is that there is clearly a need for the 
principles that we are advocating. There is clearly a need for 
greater transparency. There is a greater need for companies to 
take into account privacy protections when they provide 
services and products to consumers and a greater need for 
simplified choice.
    Mr. Harper. You know, some critics have expressed concern 
that self-regulatory schemes could constitute a barrier to 
entry, perhaps erected by, you know, more powerful market 
participants against smaller and newer companies. How do we 
guard against such a result as that?
    Ms. Ramirez. I do think it is a concern and that one has to 
take into consideration the impact on small- and medium-sized 
businesses. It is an issue that the Agency is looking at very 
closely and we do intend to address the issue in our final 
report.
    Mr. Harper. And what would be the best alternative to self-
regulation? Is that going to work?
    Ms. Ramirez. Well, that is an issue that I think you will 
have to ultimately decide as to whether or not legislation is 
needed. But if one is to rely on self-regulation, what I will 
say is that is very important that there be an enforcement 
element. There has to be accountability, and I think the FTC 
ought to play a role in enforcement.
    Mr. Harper. Thank you, Madam Chairman. I yield back.
    Mrs. Bono Mack. Thank you. The chair recognizes Mr. Olson 
for 5 minutes.
    Mr. Olson. I thank the chair. I would like to welcome the 
witnesses again and thank you all for coming and giving us your 
expertise and your time.
    And my first questions are for you, Commissioner Ramirez. I 
want to kind of follow up on the line of questioning from my 
colleague from Mississippi, Mr. Harper, was pursuing.
    In December of 2010, the FTC issued a preliminary staff 
privacy report to open up discussion on consumer privacy issues 
and in that report advanced the concept of Do Not Track. This 
concept has been compared by the FTC and others to the national 
Do Not Call Registry already managed by the Commission, but in 
reality, they are very different. Do Not Call, as you know, was 
created because people being bothered by unsolicited 
telemarketing calls particularly during their dinner hours. But 
online advertising is not invasive in that way the way 
telemarketing calls are, and consumers can simply ignore ads 
online when they come up. You know, in my experience, none of 
my friends has slammed their computer on the floor for online 
advertising, but I have seen many of them slam the phones on 
the floor because of repeated calls from telemarketers.
    And so there are many benefits to targeted ads online such 
as giving consumers information about products and services 
they might actually be interested in. This type of advertising 
also has great value to consumers because this advertising 
revenue funds the free online content and service consumers 
enjoy. But I ask you, do you concur that Do Not Track is 
analogous to the Do Not Call Registry?
    Ms. Ramirez. I do not. I agree with you that there are 
significant differences. First of all, the Do Not Track system 
would not call for the creation of any kind of national 
registry. It is also not something that has to be implemented 
necessarily by government. So what the Agency has advocated is 
we have put out a description of various elements that we feel 
would be important, but again, the key feature of it would be 
that it is a universal mechanism to allow the consumers that do 
have a concern about online collection and use of information 
to have greater choice and control over how their data is being 
used.
    Mr. Olson. Is Do Not Track feasible now, ma'am?
    Ms. Ramirez. Yes, it is. We have a distinguished team of 
technologists at the FTC and a number of companies do agree, 
there is consensus that it is feasible.
    Mr. Olson. You can kind of take in my colleague from 
Mississippi's line of questioning. Since you say it is 
feasible, have you performed any economic analysis of adopting 
a Do Not Track on our businesses?
    Ms. Ramirez. No, we have not. And again, what we have done 
so far is to simply identify the elements that we think are 
important to a Do Not Track system but we are not advocated a 
particular mechanism.
    Mr. Olson. Are you planning on doing those?
    Ms. Ramirez. We will be issuing final recommendations at 
the end of the year.
    Mr. Olson. And those will include the impacts of the 
economic impact?
    Ms. Ramirez. I can't comment on the details but what I can 
tell you, as I mentioned before, is that we certainly 
understand the importance of taking into account the impact on 
business and we think that a carefully crafted standard can be 
adopted that will both help restore confidence in the online 
marketplace and I think businesses themselves recognize that 
consumer trust is vital.
    Mr. Olson. Yes, ma'am. And I have heard from some companies 
that legislation is needed to create an online privacy 
framework that is technologically neutral based on industry 
self-regulation and enforced exclusively by the FTC. And with 
respect to technological neutrality, is it true today that the 
FTC and FCC would have jurisdiction over the download of a 
video on demand from a cable company but only the FTC would 
have jurisdiction over the download of a video from an over-
the-top provider like Netflix? Anybody can chime in there. You 
are the experts.
    Mr. Genachowski. I think that is probably a correct 
description of the current framework.
    Mr. Olson. So can we come up with a proposition where we 
can have some common system where there is one regulator?
    Mr. Genachowski. I am not sure that that is the answer. The 
FCC and the FTC have worked very well together over more than 
20 years in areas of complementary jurisdiction to make sure 
that the expertise and experience that are different that each 
agency brings to the table informs solutions that get the 
balance right between taking in the account of impact on our 
economy and protecting basic values like privacy.
    Mr. Olson. OK. Thank you. And again, with respect to 
industry self-regulation--and this is mainly for you, 
Commissioner Ramirez--can you please advise the committee 
whether the FTC uses industry self-regulation in other contexts 
to protect consumers and what role the FTC believes industry 
self-regulation should have in protecting customers' online 
privacy?
    Ms. Ramirez. Yes. We believe that self-regulation can play 
a key role. In fact, the FTC alone cannot undertake the effort 
that is necessary here to ensure that consumers have basic 
protections. So we think self-regulation is vital but again 
provided that there is an accountability mechanism, an 
enforcement mechanism and we believe that the FTC ought to 
provide that.
    Mr. Olson. Thanks to the answers to the questions. I see 
that the clock is going up and that means I will yield back the 
balance of my time.
    Mrs. Bono Mack. Thank you, Mr. Olson. The chair recognizes 
Mr. Kinzinger for 5 minutes.
    Mr. Kinzinger. Thank you. And thank you, Madam Chairman, 
and thank you----
    Mrs. Bono Mack. Excuse me. Can you check your microphone?
    Mr. Kinzinger. Yes, it is on.
    Mrs. Bono Mack. Probably the one next--yes. Thank you.
    Mr. Kinzinger. Well, thank you. Thank you for coming out. I 
appreciate it.
    The explosive expansion we have seen in online marketing 
and tracking over the past few years has been unprecedented. 
From 2010 to 2014, the industry is projected to grow to about 
$2.6 billion from $1.3 billion in 2010. As a consumer who uses 
free services that have been made available by the Internet, I 
understand the value of behavior advertising and the effect it 
is having on this country's economic growth and job creation. 
Any privacy legislation that this committee considers must 
fully contend with the implications of what slower growth will 
have on both our economy and the services provided to the 
consumer.
    It is estimated that privacy legislation could cost the 
industry as much as $623 million in growth if the legislation 
imposes limits on online tracking. I am also keenly aware that 
the decisions we make in this committee will profoundly impact 
the question of whether or not privacy is still a right in this 
country. The accelerated accumulation of aggregated data over 
the past few years is troubling for many consumers. I believe 
one important action this committee should take is determine 
what type of information is aggregated. Do a few companies 
control both sensitive health information and my shoe size? And 
as a consumer, am I allowed to know what information is stored 
about me? These are all important issues that I believe we need 
to consider when drafting privacy legislation.
    So while some of these may have been asked in a different 
way, I will ask the first question to Commissioner Ramirez. 
What impact do you think Do Not Track legislation will have 
specifically on free Internet service itself?
    Ms. Ramirez. Well, I think it all depends on how a Do Not 
Track mechanism is implemented. And of course, that is the key 
question. What the FTC has done is to outline what it considers 
to be the core elements that any such mechanism ought to have 
in order to assure basic protections for consumers and to allow 
them to have choice. And again, the emphasis here is on choice. 
I personally believe that a mechanism can be constructed that I 
would call an intermediate option that would allow consumers to 
have granular choice about what type of advertising to receive. 
And I think such a system would benefit both consumers and 
industry.
    Mr. Kinzinger. OK. And I guess to all three of you, do you 
believe consumers have a right to know as far as what 
information is obtained and--on them both in the online and in 
the offline space and how do we determine what information is 
private and what is not? Again, this may have been addressed 
but I am curious as to--you know, do consumers have the right 
to know? And then also how do we determine what should be 
private and what should not, just generally? Mr. Strickling, go 
ahead.
    Mr. Strickling. Yes, we think one of the fair information 
practices should incorporate this notion of the consumers 
knowing what is being collected about them and how it is going 
to be used. As a broader point, though, I would just say that 
the specific regulation about how that be done is not something 
we propose either Congress or a regulatory agency do. Again, we 
see the benefits. And this goes to your question about the 
costs that legislation and regulation impose on businesses. We 
think it is vitally important that we give industry the 
opportunity to take the principles and then create the 
voluntary codes of conduct that they will commit to live by 
without sacrificing innovation, without costing them the 
dollars that perhaps a less-well-crafted regulation might 
impose on them.
    Mr. Kinzinger. OK. Sir?
    Mr. Genachowski. I agree.
    Mr. Kinzinger. We are all in agreement? Great. That is 
easy. Those are easy questions. No, I am kidding.
    All right. Do we know the amount of data that companies are 
collecting specifically and do we know how that is being 
collected, bought, and sold? I know that is pretty basic, too.
    Ms. Ramirez. I am sorry. Could you again--I didn't quite 
hear----
    Mr. Kinzinger. Yes, do we know the amount of data that 
companies are actually collecting on consumers and do we know 
how that is bought and sold?
    Ms. Ramirez. As I mentioned before, I can't quantify 
exactly what is taking place. What we do know is that 
information is being compiled and that there are very 
significant concerns. Again, the hypothetical that I used in my 
opening statement highlights how this information can be used. 
And again, this is not speculation. That is happening today.
    Mr. Kinzinger. Sure. Well, I appreciate everybody's 
patience and everybody coming in and spending some time with 
us, and I look forward to continuing to tackle this problem.
    And I yield back.
    Mrs. Bono Mack. Thank you very much.
    And Mr. Rush has asked for a second round of a single 
question and the ranking member and I have agreed to allow Mr. 
Rush to ask one more question before we conclude.
    Mr. Rush. I really want to thank you, Madam Chair, and the 
ranking member for your kind indulgence. I also thank the 
witnesses.
    This morning and this afternoon, you have been asked over 
and over what is the harm if a consumer Web site, social 
network, or supermarket knows about my personal habits and my 
private life? And today's testimony references have been made 
to broadband's possible effects on job creation and 
productivity. Assuming Americans are unemployed and searching 
for work, are there some issues that we may be overlooking 
regarding privacy safeguards that may be making it more 
difficult for Americans to obtain employment? Specifically, 
Commissioner Ramirez, has the FTC heard complaints from the 
public suggesting that their efforts to obtain jobs have 
somehow been hampered or harmed due to any privacy-related 
abuses?
    Ms. Ramirez. Yes. And I think a number of the enforcement 
matters that the Agency has brought, I think it shows that 
there is a failing sometimes with regard to basic privacy 
protections. And those are highlighted in the written testimony 
that I have submitted.
    But in addition to that, there is survey after survey that 
shows that consumers increasingly are very concerned about how 
their information is being used. So I think there is evidence 
that supports the idea that additional privacy protection is 
needed.
    Mr. Rush. Mr. Genachowski, do you want to comment on this 
particular matter?
    Mr. Genachowski. I think that the relationship between what 
happens in the privacy arena and achieving the economic and 
job-creation potential of the Internet really are related. And 
so being very thoughtful about that is important. I mentioned 
in my opening statement the relationship between trust of the 
Internet and increases in broadband adoption in a world where 
almost all job postings are online. So I think you are raising 
a very important set of sensitivities that need to be very 
carefully considered in this area.
    Mr. Rush. Thank you. I yield back.
    Mrs. Bono Mack. I thank the gentleman. And on his point I 
want to again reiterate that his question was a terrific one 
while we are here and the extensive deliberations and thought 
we need to put into all of this as we move forward. And as you 
know, this is a first in a series of privacy hearings that we 
will be holding this year, and I look forward to our continued 
discussions and our work together on how we can best balance 
these needs that everybody has brought up today. And it is 
clear to me anyway that personal data truly is a gold rush of 
our time.
    And I would like to say Commissioner Ramirez, in her 
written testimony, referred to a statement by her fellow 
Commissioner Rosch with his separate views on Internet privacy 
and it has been shared with minority staff. And with unanimous 
consent, it will be included in the record. And without 
objection, so ordered.
    [The information follows:]





    Mrs. Bono Mack. And I would like to thank my colleagues for 
their participation today. I would like to thank the ranking 
members on both subcommittees as well as Chairman Walden. I 
would like to wish Joe Barton good luck tonight in the 
congressional baseball game and remind you all to attend if you 
are interested and remind members that they have 10 business 
days to submit questions for the record. I ask witnesses to 
please respond promptly to any questions they receive. And 
again, I thank our panelists very much for your time today. And 
the hearing is now adjourned.
    [Whereupon, at 1:33 p.m., the subcommittees were 
adjourned.]
    [Material submitted for inclusion in the record follows:]






                                 
