[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
 NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND 
                   THE IMPLICATIONS FOR PUBLIC POLICY

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INTELLECTUAL PROPERTY,
                     COMPETITION, AND THE INTERNET

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 19, 2012

                               __________

                           Serial No. 112-116

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
74-641                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                       COMMITTEE ON THE JUDICIARY

                      LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina         JERROLD NADLER, New York
ELTON GALLEGLY, California           ROBERT C. ``BOBBY'' SCOTT, 
BOB GOODLATTE, Virginia                  Virginia
DANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio                   ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana                  MAXINE WATERS, California
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois
TED POE, Texas                       JUDY CHU, California
JASON CHAFFETZ, Utah                 TED DEUTCH, Florida
TIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania             JARED POLIS, Colorado
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
MARK AMODEI, Nevada

           Richard Hertling, Staff Director and Chief Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
                                 ------                                

  Subcommittee on Intellectual Property, Competition, and the Internet

                   BOB GOODLATTE, Virginia, Chairman

                   BEN QUAYLE, Arizona, Vice-Chairman

F. JAMES SENSENBRENNER, Jr.,         MELVIN L. WATT, North Carolina
Wisconsin                            JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
STEVE CHABOT, Ohio                   JUDY CHU, California
DARRELL E. ISSA, California          TED DEUTCH, Florida
MIKE PENCE, Indiana                  LINDA T. SANCHEZ, California
JIM JORDAN, Ohio                     JERROLD NADLER, New York
TED POE, Texas                       ZOE LOFGREN, California
JASON CHAFFETZ, Utah                 SHEILA JACKSON LEE, Texas
TIM GRIFFIN, Arkansas                MAXINE WATERS, California
TOM MARINO, Pennsylvania             HENRY C. ``HANK'' JOHNSON, Jr.,
SANDY ADAMS, Florida                   Georgia
MARK AMODEI, Nevada

                     Blaine Merritt, Chief Counsel

                   Stephanie Moore, Minority Counsel


                            C O N T E N T S

                              ----------                              

                             JUNE 19, 2012

                                                                   Page

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Subcommittee on 
  Intellectual Property, Competition, and the Internet...........     1

The Honorable Melvin L. Watt, a Representative in Congress from 
  the State of North Carolina, and Ranking Member, Subcommittee 
  on Intellectual Property, Competition, and the Internet........     2

The Honorable Lamar Smith, a Representative in Congress from the 
  State of Texas, and Chairman, Committee on the Judiciary.......     4

The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary, and Member, Subcommittee on Intellectual 
  Property, Competition, and the Internet........................     5

                               WITNESSES

Scott R. Shipman, Associate General Counsel, Global Privacy 
  Leader, eBay Inc.
  Oral Testimony.................................................     8
  Prepared Statement.............................................    10

Morgan Reed, Executive Director, Association for Competitive 
  Technology
  Oral Testimony.................................................    19
  Prepared Statement.............................................    22

Chris Babel, Chief Executive Officer, TRUSTe
  Oral Testimony.................................................    33
  Prepared Statement.............................................    35

James Grimmelmann, Associate Professor of Law, New York Law 
  School
  Oral Testimony.................................................    62
  Prepared Statement.............................................    65

                                APPENDIX
               Material Submitted for the Hearing Record

Response to Post-Hearing Questions from Scott R. Shipman, 
  Associate General Counsel, Global Privacy Leader, eBay Inc.....    98

Response to Post-Hearing Questions from Chris Babel, Chief 
  Executive Officer, TRUSTe......................................   100

Response to Post-Hearing Questions from James Grimmelmann, 
  Associate Professor of Law, New York Law School................   103

Prepared Statement of the Consumer Electronics Association (CEA).   104
                        OFFICIAL HEARING RECORD
      Material Submitted for the Hearing Record but not Reprinted

February 2012 White House green paper entitled Consumer Data Privacy in 
    a Networked World: A Framework for Protecting Privacy and Promoting 
    Innovation in the Global Digital Economy. This paper is on file at 
    the Subcommittee and can be accessed at: http://www.whitehouse.gov/
    sites/default/files/privacy-final.pdf

March 2012 FTC report entitled Protecting Consumer Privacy in an Era of 
    Rapid Change, Recommendations for Businesses and Policymakers. This 
    report is on 
    file at the Subcommittee and can be accessed at: http://
    www.ftc.gov/os/2012/03/120326privacyreport.pdf

March 2012 report, a project of the Pew Research Center, entitled 
    Search Engine Use 2012. This report is on file at the Subcommittee 
    and can be accessed at: http://pewinternet.org//media//Files/
    Reports/2012/PIP_Search_Engine_Use_
    2012.pdf


 NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND 
                   THE IMPLICATIONS FOR PUBLIC POLICY

                              ----------                              


                         TUESDAY, JUNE 19, 2012

              House of Representatives,    
         Subcommittee on Intellectual Property,    
                     Competition, and the Internet,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 10:07 a.m., in 
room 2141, Rayburn House Office Building, the Honorable Bob 
Goodlatte (Chairman of the Subcommittee) presiding.
    Present: Representatives Goodlatte, Smith, Chabot, Poe, 
Chaffetz, Marino, Watt, Conyers, Chu, Deutch, Lofgren, Jackson 
Lee, and Johnson.
    Staff Present: (Majority) Vishal Amin, Counsel; Olivia Lee, 
Clerk; and (Minority) Stephanie Moore, Subcommittee Chief 
Counsel.
    Mr. Goodlatte. Good morning. This hearing of the 
Subcommittee on Intellectual Property, Competition, and the 
Internet will come to order, and I will recognize myself for an 
opening statement.
    Today we are holding a hearing to examine the public policy 
issues raised by new technologies in the mobile and online 
spaces. It is clear that some of the central policy issues for 
both consumers and companies are the issues of privacy and data 
collection. Privacy continues to take on greater importance as 
more Americans not only use the Internet and mobile devices, 
but also share their personal information with companies on the 
Web. Privacy policies and the technological safeguards that 
companies implement will help guide consumers on what they 
should expect from those who handle their personal information 
and set expectations for companies that use personal data.
    As Congress continues to look at privacy issues online, it 
is important to have a firm understanding of what the industry 
practices are. Today's hearing will explore what mechanisms the 
private sector is currently employing to protect Internet and 
mobile users. It will also highlight the technological 
innovation and development that has occurred in this space.
    There have been astonishing advancements in the delivery of 
products and services online, and as a result there are privacy 
implications for a variety of new technologies, some of which 
were not even in existence a few years ago. Many in the private 
sector already have policies and procedures in place to police 
themselves to ensure they are following best practices. Groups 
like TRUSTe, the Association for Competitive Technology, the 
Application Developers Alliance, the advertising industry 
through its AdChoices program and others already help to 
provide best practices, independent analyses of privacy 
policies, and recommendations for enhancements. We will learn 
more about how some of these groups work in the field today.
    As Congress begins to look into these issues, we need to 
realize that the technologies that we are discussing did not 
even exist a few years ago, and some have only come to the 
forefront in the past few months. And with any new technology, 
it is important that as we think about how best to protect the 
interests of consumers and the Internet user community, we 
continue to encourage and not stifle innovation.
    One of the most important things private-sector companies 
can do to self-regulate and innovate when it comes to privacy 
is to make their notices and privacy policies easy to 
understand. If the consumer understands the trade-off he makes 
when he accepts an app program or service, then the consumer 
will make an informed decision.
    The easier it is for consumers to understand all privacy 
notices and policies, the easier it is for companies to compete 
on the basis of their privacy policies, and the easier it is 
for consumers to vote with their wallets.
    I look forward to hearing from all of our witnesses on the 
efforts that they have taken to help build in privacy 
protections. As they develop their products to safeguard 
consumer information about what more can be done to increase 
transparency and ensure that as American companies seek to 
operate abroad in markets like Europe and Asia, innovation is 
not impeded by undue regulatory burdens or barriers to market 
access.
    And with that it is my pleasure to recognize the Ranking 
Member of the Subcommittee, the gentleman from North Carolina, 
Mr. Watt.
    Mr. Watt. Thank you, Mr. Chairman. I appreciate you holding 
this hearing.
    I believe that privacy is one of the most fundamental 
values of the American tradition, yet today even a majority of 
the Justices of the Supreme Court posit that as a society we 
are faced with novel challenges in determining the, quote, 
``new normal,'' close quote, for privacy expectations in the 
digital age.
    There is little doubt that the digital environment has 
created opportunities for society that often come at little or 
no financial cost to the user, but I believe it is 
inappropriate to classify these opportunities and services as 
free. Information is currency, and users are, without 
exception, required to surrender incredible amounts of personal 
information in exchange for the services they enjoy.
    While Internet users have some responsibility to self-
censor and restrict the intimate information they share on 
various platforms, the reality is that many online users have a 
false sense of privacy because they don't understand the 
lengthy and complex privacy policies they are compelled to 
agree to in order to use the service. As a result, online users 
often share lots of personal information unknowingly and to 
unintended audiences.
    Their personal information has been marshaled, analyzed and 
monetized in ways consumers have come to resent. A March 2012 
study by the Pew Research Center found that two-thirds of 
Internet users have negative views about search engines 
collecting information about them to produce personalized 
search results. Two-thirds of Internet users also report that 
they, quote, ``are not okay with targeted advertising because 
they do not like having their online behavior tracked and 
analyzed.''
    I am further concerned that this type of consumer profiling 
may limit, rather than enhance, the experience and the horizons 
of distinct groups based on race, ethnicity, religion and other 
factors that we are probably not even aware of yet. If users 
are constantly fed products and facts in areas in which they or 
someone like them have already expressed an interest, their 
intellectual curiosity and development may be stunted.
    Earlier this year both the Department of Commerce and the 
Federal Trade Commission completed reports following 
stakeholder participation to address mounting concern about 
consumer privacy. The White House Green Paper enumerated seven 
broad principles that it urges be enacted into law as flexible 
baseline standards governing consumer privacy.
    The Green Paper recommends that industry leaders develop 
specific codes of conduct to implement for consumer privacy 
principles. The FTC's report takes the additional step of 
identifying best practices that could, and I believe should, 
serve as a guide for industry in developing the codes of 
conduct.
    The Administration has determined that the first round of 
stakeholder meetings will center on mobile applications which 
raise serious questions about the security of data concerning 
children and geolocation information concerning all users. 
Parents must be able to feel secure that the apps they download 
to educate or entertain their children aren't secretly 
collecting or sharing private data or location information from 
the host device.
    Although some industry actors have been giving lip service 
to and others have been really working to establish privacy 
standards and to provide users with a better understanding of 
the ways in which their information is used, it seems clear to 
me that consumers remain in a vulnerable position in which they 
are required to place an enormous amount of blind trust in 
online companies and app developers.
    Just last week the FTC announced an $800,000 settlement 
with Spokeo, a data broker that compiles vast amounts of 
information on consumers from both online and offline sources. 
In the first FTC case to address the sale of data from the 
Internet and social media sites in the employment context, the 
FTC charged that Spokeo violated the Fair Credit Reporting Act 
by marketing consumer profiles to recruiters and human resource 
professionals without regard to the accuracy of information and 
without advising the users how their information would be used. 
The FTC was empowered to act because of the protections 
contained in the Fair Credit Reporting Act.
    The FTC settlement was announced just as President Obama 
signed an Executive Order to let the morass of Federal policies 
and practices that impede broadband deployment on Federal 
lands. The Executive Order will not only lower the cost of 
broadband Internet access, it will also speed the delivery of 
connectivity to communities, businesses and schools. President 
Obama said in his statement, quote, ``By connecting every 
corner of our country to the digital age, we can help our 
businesses become more competitive, and our students become 
more informed, and our citizens become more engaged,'' close 
quote.
    With greater access comes the responsibility to ensure that 
our citizens enjoy an online experience that is safe, reliable 
and respectful of personal information. So I support the 
direction the Administration is taking us, and continue to 
believe that Congress should enact baseline privacy legislation 
that will provide certainty to both consumers and companies, 
and promote a healthy online economy.
    Justice Thurgood Marshall wrote years ago that, quote, 
``Privacy is not a discrete commodity possessed absolutely or 
not at all,'' close quote. The devil is always in the details, 
but I hope that the witnesses will be able to address some of 
the best practices recommended by the FTC.
    Finally, I am also concerned that without a baseline set of 
principles with the force of law, privacy policies may be used 
by larger players in an anticompetitive manner to drive smaller 
players and start-ups from the market to the detriment of 
online consumers. I look forward to hearing from our witnesses 
about how we can embrace new technologies without discarding or 
abandoning the right to privacy.
    And I yield back, Mr. Chairman.
    Mr. Goodlatte. The Chair thanks the gentleman and is 
pleased to recognize the Chairman of the Judiciary Committee, 
the gentleman from Texas, Mr. Smith.
    Mr. Smith. Thank you, Mr. Chairman.
    America's economic success has been built on innovation. 
Ten years ago there was no such thing as Facebook or Twitter. 
Just 5 years ago there was no such thing as an iPhone or an app 
store. Today, mobile apps number in the hundreds of thousands 
and are largely developed by individual innovators and small 
businesses.
    As new technologies have emerged, like mobile apps, social 
media, online advertising and data analytics, the cost for new 
business entry have come down. But as new Web sites and apps 
are developed, companies must work to ensure that they maintain 
the trust of their customers.
    Trust is the essential element for consumers to adopt new 
apps or technologies. When we hear about privacy breaches, like 
what happened when Google collected large amounts of private 
data over Wi-Fi networks, we have to be concerned. With every 
overcollection of privacy data, the first excuse is that the 
engineers or programmers went beyond what they were told to do. 
That excuse may fly once, but ultimately it is neither the 
engineers' fault nor the programmers' fault, it is the 
company's.
    In the Internet economy, online services are generally 
provided to consumers at little or no cost, and behind these 
online services are hundreds or thousands of employees and 
millions of dollars in hardware and equipment. The Internet 
economy runs on data. There is an implicit bargain between an 
Internet service and the consumer that includes an exchange of 
information or data instead of cash. When a consumer receives a 
free email account or a cloud storage space, or uses a search 
engine, social media Web site or app, there is a collection of 
data that allows a company to construct their service and 
provide targeted advertising or related data-analytic services 
to the consumer.
    As Internet companies have developed new technologies, 
their privacy policies have had to evolve. Many companies now 
institute privacy by design, where privacy protections are 
built directly into their software and hardware products from 
the beginning.
    Incorporation of the best practices for privacy is 
essential as new products are developed online. For example, I 
read that Google and Apple are building even more detailed maps 
that rival defense satellite imagery. Though this ensures that 
we will never get lost if we drive or walk through a new city, 
we also need to ensure that when images are taken in 
residential areas or in people's backyards, that their privacy 
is protected. This is another place where privacy concerns 
should not have to be raised by Congress or the media. They 
should be addressed before the products are even announced.
    The growth in smartphone use and mobile apps has created an 
entirely new business sector, from Instagram to new mobile apps 
for established online Web sites and companies. This new 
business sector is composed mostly of small businesses and 
individual programmers. As we will hear from our witnesses 
today, many of these small businesses are just a couple of 
software programmers, not two programmers and a lawyer, and so 
they often need assistance from more established players as 
they work to incorporate privacy protections into their 
software.
    The mobile and Internet playing field is broad, and the 
specific technological protections may be unique to particular 
technologies, but as companies incorporate privacy protections 
into their services, it is important for them to provide 
privacy policies that are understandable and reasonable. This 
way it is clear to the consumer what the bargain is that they 
enter into when they use a Web site or mobile app.
    I look forward to hearing from all of our witnesses today, 
and I hope their testimony allows the Subcommittee to learn how 
the technology industry works to incorporate balanced privacy 
protections that will inform and protect consumers.
    Thank you, Mr. Chairman. I yield back.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    I am now pleased to recognize the gentleman from Michigan, 
the Ranking Member of the Judiciary Committee, Mr. Conyers.
    Mr. Conyers. Thank you, Chairman Goodlatte and Ranking 
Member Watt.
    This is a very important hearing, and there are new 
services being offered online and through smartphones and other 
devices that largely depend on the continued gathering and use 
of personal information which is ultimately turned into a 
product for sale. And this hearing is going to devolve, I 
think, into an issue of whether we get the self-regulation 
theory advanced, we will all be good and trust this Committee, 
or whether we are going to go along and develop the Consumer 
Privacy Bill of Rights. And that is where we are going to end 
up, because there is an explosion of the collection, 
dissemination of personal information, and therefore these 
organizations have an incentive to collect as much data as 
possible about Internet users.
    And what I think should come out of this hearing is the 
notion that consumers deserve to know how their data and 
privacy are being impacted by mobile and online platforms. 
Today we don't know that. And that is why this hearing by this 
Subcommittee is extremely important.
    The size and power of online companies allow them to obtain 
and aggregate many types of personal information. Otherwise why 
would Facebook be valued at a worth of over $100 billion? Well, 
the answer in large part is because of the treasure trove of 
personal information that they collect, much of which, like 
other companies, we don't know much about.
    Now, we have been dealing with the size and power of online 
companies that allows them to obtain and aggregate all this 
personal information about users. Google recently has had to 
change its privacy policies, and there is concern about its 
ability to obtain information through an individual's use of 
various products the company offers. There are so many 
different ways to get this information out there, that when 
they get it together, they have far more information than is 
generally recognized.
    And so I, for one, am interested in learning how we can 
increase the authority and the power of the Federal Trade 
Commission to take action against privacy violations. The FTC, 
in my view, needs direct enforcement authority so that it may 
take action against those who violate consumer privacy even if 
a company doesn't violate its own published private policy.
    And while companies should develop online guidelines, we 
must remember that enforcement is critical to consumer 
protection. The FTC has the responsibility to ensure that 
competitors are not allowed to play by different rules.
    And so, Mr. Chairman, thank you for allowing me to add my 
comment before the witnesses begin.
    Mr. Goodlatte. I thank the gentleman for his comments.
    Without objection, other Members' opening statements will 
be made a part of the record.
    We have a very distinguished panel of witnesses today. Each 
of the witnesses' written statements will be entered into the 
record in its entirety, and I ask that each witness summarize 
his testimony in 5 minutes or less.
    To help you stay within that time, there is a timing light 
on your table. When the light switches from green to yellow, 
you have 1 minute to conclude your testimony; and when the 
light turns red, well, that is it. It signals the witness' time 
has expired.
    Before I introduce our witnesses, I would like them to 
stand and be sworn, as is the custom of this Committee.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you very much, and please be seated.
    Our first witness is from the district of the gentlewoman 
from California, Ms. Lofgren. And so it is my pleasure to yield 
to her for the purpose of introducing Mr. Shipman.
    Ms. Lofgren. Well, I thank you, Mr. Chairman, for your 
courtesy in allowing me to introduce the Associate General 
Counsel of eBay that is, in fact, located in the 16th 
Congressional District. Scott Shipman has been with eBay from 
the beginning. In fact, he started at eBay when he was a law 
student. And the one lawyer there was absolutely overwhelmed, 
and so he was there at the beginning to deal with the privacy 
policies of eBay, and he is here to tell us about those 
successful policies. As he said at our collective law school, 
he had done the right things without even knowing it back as a 
law student.
    He now has firsthand experience with the privacy compliance 
and risk assessments at eBay; the cross-border data transfers, 
including the EU; the personal information transfers through 
corporate mergers and acquisitions; and all the other privacy-
related issues that this major corporation faces.
    He teaches international data protection at Santa Clara 
University School of Law as a lecturer, and he serves along 
with me on the high-tech law advisory board at our mutual alma 
mater Santa Clara Law School. He coordinates the legal high-
technology internship program at eBay in connection with Santa 
Clara Law School, and he is a board member of the Consumer 
Privacy Law Forum. He is a member of the International 
Association of Privacy Professionals, a member of the Chief 
Privacy Officers Council, on Conference Board, as well as, of 
course, being admitted to the California State Bar. I am so 
glad he is here to share his expertise with us.
    And it is good to welcome you here, Scott, from the Valley 
and to D.C.
    Thank you, Mr. Chairman, for allowing me to introduce 
Scott.
    Mr. Goodlatte. Thank you, Ms. Lofgren.
    And I have had the pleasure of speaking at the State of the 
Net West Conference, which has been hosted at the Santa Clara 
University School of Law on a number of occasions.
    So, Mr. Shipman, welcome.
    Our second witness is Mr. Morgan Reed, Executive Director 
of the Association for Competitive Technology. Mr. Reed 
specializes in technology issues and has been working closely 
with mobile app developers and companies on privacy issues for 
years.
    Mr. Reed previously worked for a Taiwan-based trading 
company handling North American sales operations. He received 
his B.A. in Political Science from Arizona State University, 
and did graduate research in Chinese at the University of Utah 
and the Shi Ta University in Taiwan. I hope I have that 
pronounced correctly.
    Mr. Reed. Close enough.
    Mr. Goodlatte. Our third witness, Mr. Chris Babel, is the 
CEO of TRUSTe, a leading company and authority on Internet 
trust and privacy. Previously Mr. Babel served as Senior Vice 
President and General Manager of VeriSign's worldwide 
authentication services business, where he was responsible for 
strategy, sales, marketing, product and support. He also 
managed VeriSign's SSL and Managed Security Services business. 
Earlier in his career he worked at Morgan Stanley in their M&A 
and Corporate Finance group. Mr. Babel received his B.A. in 
Mathematical Methods in Social Sciences and Economics from 
Northwestern University.
    And our fourth witness is Mr. James Grimmelmann, professor 
of law at New York Law School. Professor Grimmelmann studies 
technology issues relating to IP, virtual worlds, search 
engines, online privacy and other topics. Prior to law school 
he worked as a programmer for Microsoft. He received his J.D. 
from Yale Law School and his A.B. in Computer Science from 
Harvard College.
    Welcome to you all. And we will begin with Mr. Shipman.

   TESTIMONY OF SCOTT R. SHIPMAN, ASSOCIATE GENERAL COUNSEL, 
                GLOBAL PRIVACY LEADER, eBAY INC.

    Mr. Shipman. Chairman Goodlatte, Ranking Member Watt and 
Members of the Subcommittee, thank you for the opportunity to 
testify today about eBay Inc., and what we are doing to enable 
commerce and engender trust through the use of innovative 
consumer privacy protections. My name is Scott Shipman, and I 
am the associate general counsel and global privacy leader for 
eBay Inc.
    eBay empowers and connects millions of buyers and sellers 
throughout the globe through eBay marketplaces, Paypal, GSI and 
other mobile technology-based businesses; therefore, many 
people associate eBay and Paypal with enabling e-commerce. 
However, it is important to note that eBay is not just about e-
commerce. We are about commerce.
    The traditional boundaries of offline and online retail are 
blurring. We recognize that retailers and sellers of all sizes 
need a partner who will help them succeed in this rapidly 
changing, consumer-driven environment. We want them to succeed, 
and we are that partner.
    Over the years we have learned one of the keys to success 
is engendering consumer trust and confidence. A critical 
component of that trust is privacy. It is hard to build 
consumer trust when you are not respectful of their personal 
information. To foster that trust we have had to meet customer 
privacy expectations with every product we offer. I would like 
to take the next few minutes to highlight some of the 
successful privacy-related programs and products that have led 
to eBay being rated one of the most trusted companies for 
consumer privacy.
    Since eBay's inception our core privacy commitment is eBay 
will not sell the personal information of our customers to 
third parties for marketing purposes. However, we also 
recognize consumers need more meaningful choices on how their 
data was used for behavioral-targeted advertising; therefore, 
eBay developed and implemented a program called AdChoice.
    The AdChoice program works as follows. Third-party 
advertisements on and off eBay have an AdChoice link. When eBay 
users click on the link, they see a pop-up window that gives 
them the ability to specify their advertising preferences. eBay 
users can also opt out of receiving third-party behaviorally 
targeted ads and read our privacy policy through that link.
    eBay's AdChoice program offers a server-based mechanism, 
not their traditional cookie-based mechanism. This means 
choices and preferences are permanently stored and not erased 
when a user clears their cookies.
    Paypal and its ``shop without sharing'' design is another 
perfect example of innovative technology that encourages 
consumer privacy and consumer control. The beauty of Paypal is 
it allows consumers to pay for a good or service without ever 
having to expose their credit card or bank account information 
to merchants. Not only does this privacy-enhancing technology 
allow consumers to fully enjoy the convenience of online and 
mobile commerce, but it also allows merchants to receive 
payments without the cost and potential liability associated 
with processing and securing financial information. It is a 
win-win for both consumers and merchants.
    Looking now at the exciting mobile space, mobile 
applications and technology continue to grow in popularity and 
importance. Through the launch of several new and exciting 
mobile applications, eBay has experienced rapid growth in the 
mobile arena. However, being a leader in mobile and geolocation 
technology is more than just offering cool new services; it is 
also about balancing the needs and wants of the consumer 
against the creep factor that is sometimes associated with the 
collection and use of geolocation and mobile data.
    eBay is building mobile applications that offer the same 
transparency, choice and level of privacy protection as our 
traditional Internet services. eBay has made it a policy that 
all consumers must opt in to turn on geolocation for all eBay 
Inc., mobile applications, and we give consumers the ability to 
decide what communications and notifications they want to 
receive and how.
    A perfect example of an eBay mobile application that 
encapsulates the privacy by design philosophy is WHERE. WHERE 
provides personalized hyperlocal recommendations, offers and 
deals to millions of mobile consumers. WHERE does not associate 
personally identifiable information with location data without 
explicit consent. Finally, WHERE does not collect, maintain or 
track a consumer's location history.
    I have talked a lot about technology, but my last example 
focuses on best practices and compliance. In addition to eBay's 
privacy principles and the practices described in our privacy 
policies, eBay has established a set of corporate rules 
approved by the Luxembourg National Data Commission. These 
corporate rules are a commitment by eBay to protect our users' 
personal information regardless of where the data resides.
    Our corporate rules do not just protect the personally 
identifiable information of our European users, but of all eBay 
Inc. customers and employees globally. eBay was actually the 
first e-commerce company to receive this approval and the first 
company to receive approval for employee and customer rules.
    To conclude, we recognize that privacy is a key component 
of our customers' experience and the trust they place with us. 
As technology changes, as the world changes, expectations will 
continue to change. eBay's role is not to guarantee absolute 
privacy in a vacuum, but to build a relationship based on 
trust. It is our hope that in the years to come, the trust 
within that relationship will only grow stronger, and our 
customers will know and trust that we will get it done right.
    I sincerely appreciate the opportunity to testify before 
the Committee today, and I look forward to your questions.
    Mr. Goodlatte. Thank you, Mr. Shipman.
    [The prepared statement of Mr. Shipman follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    


                               __________
    Mr. Goodlatte. Mr. Reed, welcome.

 TESTIMONY OF MORGAN REED, EXECUTIVE DIRECTOR, ASSOCIATION FOR 
                     COMPETITIVE TECHNOLOGY

    Mr. Reed. Thank you.
    Chairman Goodlatte, Ranking Member Watt, Members of the 
Committee, my name is Morgan Reed, and I want to thank you for 
having today's hearing on New Technologies and Innovations in 
the Mobile and Online space and the Implications for Public 
Policy.
    My organization, the Association for Competitive 
Technology, is an international trade association representing 
more than 5,000 app developers. We make the cool apps that run 
on your smartphone, and your iPads, and, hopefully, the new 
Microsoft tablet and the next device after that. I am a 
licensed developer, too, having worked on network protocols and 
debugging games, so I have actually dug into the nitty-gritty 
of how you build software programs.
    Here is the great news: Our industry is showing amazing 
growth. We have hit more than $20 billion today on an expected 
path to $100 billion by 2015. Apps are expanding into new 
markets, including enterprise and mobile health, which will 
help make Americans more efficient at work and healthier at 
home. And while Americans own more than 350 million mobile 
devices, developers are seeing real potential in foreign 
markets. China's largest telecommunications company has more 
than 800 million subscribers; the number 2, 200 million; the 
number 3, 100 million. With adequate intellectual property 
protection, those subscribers could become customers for our 
American developers.
    Now, I understand this Committee would like to spend some 
time today talking about consumer data privacy and how we make 
it work in this new, more mobile world. What we have learned in 
working through several multi-stakeholder efforts is that we 
need to address privacy in a comprehensive way, not one that 
creates siloed solutions for each technology, especially since 
those silos are disappearing every day.
    The biggest revolution in our industry is happening right 
now, and it is called responsive design. Technology is giving 
us the tools to make one app that will look good on a mobile 
device and will also look good on a television, and it will do 
so seamlessly.
    Everyone in the technology industry has to take part and be 
responsible for improving the state of privacy security and 
transparency across all of these industries and devices. Our 
app developers are no different, and we are committed to 
working this out with government, industry, civil society and, 
most importantly, our customers.
    During the past year ACT has reached out to our membership 
and other developer organizations throughout America to discuss 
the importance of data privacy. We have gone coast to coast and 
have reached hundreds of thousands of developers. Our message 
has been simple: know what data you are collecting, know who 
you are sharing that data with, and be transparent with your 
customers.
    We have also been participating in multi-stakeholder 
efforts, including the California AG's work on mobile platforms 
and the White House's NTIA multi-stakeholder effort.
    But throughout all this talk about stakeholders, I realize 
that this can easily be seen to imply large, faceless 
corporations. I wanted you to remember today that the 
incredible innovation happening is being driven by thousands of 
small businesses working to build applications that educate, 
motivate and enrich people's lives. Therefore, I thought I 
would take a minute to introduce you to some of the 
stakeholders whose voices we are working to have heard 
throughout these efforts.
    Chairman Goodlatte, in your district Vision Studios 
produced TextGauge. It is an app for parents to prevent teens 
from texting while driving.
    Congressman Watt, in your district we have got Monster 
Physics. It is a great app that makes physics fun and is 
available for adults as well as kids.
    Congressman Conyers, in your district JacAPPS is building 
the app for the Detroit International Jazz Festival. It is an 
amazing application.
    Congressman Smith, in your district My Patient Solutions 
helps patients navigate the health care system by giving them 
tools to better understand diagnosis and treatment options.
    Congressman Marino, we have social meetup apps done by 
MeetMe! in your district.
    Congressman Quayle, in your district we have a brand new 
entrant. ABN just won the contract for the 2012 PGA Phoenix 
Open, and that will have location-based technology to allow you 
to go on-the-ground navigation with the spectators.
    Congressman Deutch, in your district one of our members, 
Dave Noderer, built an app for Big Brothers and Big Sisters 
that allows Bigs to know activities that they should be looking 
at doing with their Littles.
    Congressman Griffin has OrderPath. It allows medical 
personnel to display in-patient and observation data to help 
streamline patient care, and it is aimed at rural districts.
    Congresswoman Chu, in your district Awesome App; it is for 
electricians and engineers that helps them do their job more 
efficiently and, importantly, more safely.
    Congressman Chaffetz, you have got one of the biggest dogs 
in the fight. Infinity Blade II is built in your district, 
millions of downloads, and it is built by a very small company 
right in your district.
    Congresswoman Lofgren, we have got a great app in Pinger. 
It allows people to send free text messages all across the 
world without having to necessarily have a specific text plan.
    Congressman Poe has got iTaxable that provides answers to 
your tax filing questions and an extensive database of 
information.
    Congressman Jordan, you have got Ranch Rush. It is a game 
that puts a farm in your pocket, allowing users to harvest 
fresh produce, gather eggs from ostriches, collect honey from 
bees, and whip up ketchup from tomatoes.
    Congressman Nadler has got one that helps you sign your 
signature on your iPad instead of having to find a fax machine.
    So I think as we think about today's questions about 
stakeholders, you need to remember that in every single one of 
your districts, and in every district here in Congress, there 
is a small business stakeholder whose voices we need to have 
heard as part of this privacy discussion.
    Thank you for your time, and I look forward to your 
questions.
    Mr. Goodlatte. Thank you, Mr. Reed.
    [The prepared statement of Mr. Reed follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    


                               __________
    Mr. Goodlatte. Mr. Babel, welcome.

                   TESTIMONY OF CHRIS BABEL, 
                CHIEF EXECUTIVE OFFICER, TRUSTe

    Mr. Babel. Thank you.
    Chairman Goodlatte, Ranking Member Watt and distinguished 
Members of the Subcommittee, my name is Chris Babel, and I am 
the Chief Executive Officer of TRUSTe, a leading provider of 
privacy technology and certification solutions to online 
companies. Based in San Francisco, TRUSTe offers a suite of 
privacy solutions to help businesses increase consumer trust 
and engagement across their Web sites, mobile applications, 
online advertising and cloud-based services. Over 5,000 
companies, such as Apple, AT&T, Disney, eBay and Yelp, rely on 
TRUSTe to ensure compliance with evolving and complex privacy 
requirements and to build trust with consumers.
    I would like to highlight three topics in my remarks before 
the Subcommittee today: first, the consumer privacy 
perspective; second, new privacy challenges and the 
technologies TRUSTe and others offer to address them; third, 
why we think that self-regulation has been successful in 
protecting consumers online.
    First, through consumer research we submitted in the 
written testimony, we know that consumers are concerned about 
privacy online on both their PC and mobile devices. Take 
mobile, for example, where 74 percent of consumers believe it 
is very or extremely important to understand what personal 
information a mobile application collects. Eighty-five percent 
want to be able to opt in or opt out of targeted mobile ads. 
These concerns are causing the consumer to become more engaged 
in their privacy decisions and more likely to take control of 
when and how their data is collected and used.
    Research also highlighted that 59 percent of consumers 
generally trust that Web sites are protecting their privacy 
online, showing that businesses can build trust and alleviate 
privacy concerns through investments in privacy best practice 
and privacy technologies.
    Second, there is explosive growth in privacy services 
offered to consumers. In TRUSTe's first 12 years in existence 
through 2009, we grew it from offering one to four services 
focused on Web site privacy only. In the past 2\1/2\ years we 
have launched over 10 new services spanning Web sites, mobile 
applications, online advertising and cloud services.
    Taking mobile as an example, since all of you carry mobile 
devices, the challenges are that less than one-third of mobile 
applications have a privacy policy today, and when they do, 
they are difficult to read and need to handle sensitive topics 
like location information.
    TRUSTe offers application providers a free mobile privacy 
generator, as well as paid services to certify that mobile 
applications have strong privacy, as well as notice and choice 
mechanisms for consumers regarding mobile ad targeting.
    There have also been entirely new industry efforts, like 
the Digital Advertising Alliance that have been formed to 
provide consumers notice and choice around online targeted 
advertising. TRUSTe is the largest independent provider of 
services for the DAA. We have also partnered with the 
Application Developers Alliance to educate mobile developers on 
important privacy issues as part of a countrywide educational 
road show. Technology is evolving more rapidly than ever, and 
solutions for consumer privacy protection are keeping pace.
    Third, self-regulation is a critical component to online 
privacy, and TRUSTe has helped thousands of companies self-
regulate their online privacy for 15 years. Self-regulation is 
valuable in that it helps companies facilitate global best 
practices, which simplifies the management and cost of these 
programs while increasing accountability. Self-regulation can 
also evolve with technology changes to meet the ongoing needs 
of consumers. And finally, through safe harbors and due 
process, self-regulation can provide strong incentives for 
compliance.
    Looking forward, it is clear that consumers are becoming 
ever more aware of how their personal data is collected and 
used online, which is important as technology changes, like the 
decreased cost of bandwidth, computer processing and storage 
allow for the analysis and use of vast databases of 
information. Self-regulation provides a flexible privacy 
protection framework that can quickly adapt to these rapidly 
changing technologies.
    Today, industry has made great progress in self-regulating 
their privacy practices, and though there is much work to be 
done, we are confident that the goal of protecting consumers 
while continuing to innovate will be achieved.
    Thank you for the opportunity to testify today. I look 
forward to your questions.
    Mr. Goodlatte. Thank you, Mr. Babel.
    [The prepared statement of Mr. Babel follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                               ATTACHMENT









































                               __________

    Mr. Goodlatte. And, Professor Grimmelmann, you get the last 
word.

                TESTIMONY OF JAMES GRIMMELMANN, 
        ASSOCIATE PROFESSOR OF LAW, NEW YORK LAW SCHOOL

    Mr. Grimmelmann. I would like to thank Chairman Goodlatte, 
and Ranking Member Watt, and all the Members of the 
Subcommittee for inviting me to testify today. My name is James 
Grimmelmann, and I am a professor at New York Law School. 
Although I am happy to respond to any of the Subcommittee's 
questions on any of its topics, my testimony today will focus 
on privacy.
    The central goal for privacy policy online and on mobile 
devices must be empowered consumer choice. Good privacy 
technologies and good privacy laws enable people to choose 
whether, when and how open they want to be about their lives.
    I would like to endorse three essential principles for 
making real consumer choice a reality. The first is usability. 
A choice that consumers do not know about, cannot find, or 
cannot understand is no choice at all. The second is 
reliability. A consumer who has expressed a choice is entitled 
to expect that it will be respected. And the third is 
innovation for privacy. Users benefit from good tools to help 
them manage their privacy.
    A good example of these principles in action is social 
networks. Their value depends on controlled access. Everything 
from a private email from a mother with advice to her daughter 
in college to a confidential discussion group for recovering 
alcoholics requires sharing with some people, but not with 
others.
    The proliferation of social networks with different 
technical models of sharing represents innovation for privacy 
in action, but that privacy must also be usable and reliable. 
People have lost jobs, been stalked and been splashed across 
the tabloids because privacy settings on social networks were 
too confusing for them to understand.
    I am particularly concerned about what I have called 
privacy lurches; sudden and unexpected shifts in a social 
network's information-sharing practices. For example, Google 
mishandled the launch of its Buzz social network in 2010. 
Without clear warning Google exposed the names of users' email 
contacts to the world. This made Google Buzz, in one reporter's 
words, a danger zone for reporters, psychiatrists, lawyers, and 
everyone else for whom confidentiality is essential to their 
job.
    The Buzz rollout violated the principle of reliability. It 
changed Gmail's privacy practices in a way that users could not 
have anticipated and that was capable of causing significant 
harm to them. A Federal Trade Commission investigation resulted 
in a settlement designed to prevent similar mistakes from 
happening again. And I have also suggested that privacy lurches 
may expose companies to legal liability for distributing an 
unreasonably dangerous product.
    Another example of the principles is online behavioral 
advertising; the use of unique identifiers known as cookies to 
track users and to customize the ads they see. Some users 
appreciate receiving relevant advertising; others find the 
tracking creepy. Industry participants recognize this 
difference in opinions and offer users a choice of whether to 
be tracked.
    One of the best ways to ensure that these choices are 
usable and reliable is through innovation for privacy promoting 
the development of tools that users can use to manage their 
tracking preferences and express them clearly to Web sites and 
advertisers. The best innovation here has come from Web 
browsers, antivirus software, and plug-ins that help users 
block and delete unwanted cookies. And the current consensus 
process to develop a ``do not track'' standard is another 
encouraging step.
    All of these innovations can succeed only if they are 
respected by Web sites and advertisers. The Federal Trade 
Commission has taken important action against companies that 
circumvent users' privacy-protecting technologies, and the FTC 
and Congress should ensure that Web sites are not permitted to 
second guess users' expressed privacy preferences.
    Thank you for the opportunity to speak with you today, and 
I look forward to your questions.
    Mr. Goodlatte. Thank you, Professor Grimmelmann.
    [The prepared statement of Mr. Grimmelmann follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                               __________

    Mr. Goodlatte. I will now begin the questioning of the 
witnesses.
    I believe that consumers have the relevant information 
about--if they have the relevant information about privacy 
policies, they will make informed decisions about how to allow 
their information to be used, and will choose what services to 
use in part based on their comfort level with those privacy 
policies. I would like to ask each of you what your 
organization is doing specifically to make privacy policies 
more transparent and easier for consumers to understand. And we 
will start with you, Mr. Shipman.
    Mr. Shipman. Sure. Thank you.
    The expectations in managing privacy with consumers is a 
never-ending battle. It is not something that you can simply 
come out with a particular policy and say, ``Okay, we have 
written this as clearly as possible, and we can rest on our 
laurels.'' So this is something that continues to evolve.
    From the inception of eBay's privacy program, we have 
actually created in 1998 a chart, and at the time it was fairly 
simple, because you could have a chart with three or four 
classifications or groups of entities that you share 
information with.
    Mr. Goodlatte. I am going to have to get you to get to the 
point because I have got several questions and several 
witnesses to answer. So tell us what you are doing right now 
and prospectively.
    Mr. Shipman. Absolutely. The focus right now is around 
bringing icons, bringing specific logos or vignettes, whether 
it is via video or other types of embracing new technology, to 
be able to answer questions the customers have. AdChoice is a 
perfect example where we have links there embedded into 
advertising and through other types of things like that.
    Mr. Goodlatte. Excellent.
    Mr. Reed?
    Mr. Reed. So we have an interesting situation in that we 
represent the developers. And so we have been trying to give 
developers tools. We have run a series of privacy boot camps 
where we spend the entire day focusing on getting a developer 
from walking in the door, saying, ``Okay, I need this privacy 
policy,'' to when they walk out the door not only having 
privacy, but understanding the tools they need to have to have 
a narrative with their customers.
    And very specifically, one of the ones I would like to 
highlight is our work with Moms With Apps, where we have 
created a set of icons that have been adopted by some of the 
privacy policy generators, including Privacy Choice, and in 
talks with TRUSTe as well, so the developer can select the 
icons immediately when they build their privacy policy so when 
it shows up for the user, bam, they can see it. It doesn't 
collect information, it doesn't link to the Web, or it does.
    So, one, we have to empower developers; and, two, we are 
working on building tools to inform our customers what those 
privacy policies mean.
    Mr. Goodlatte. Thank you.
    Mr. Babel.
    Mr. Babel. Sure.
    So TRUSTe helps Web sites through a privacy policy 
generator generate their first privacy policy. Big companies 
might have attorneys that do that; small companies, start-ups, 
three people in their garage need help. Particularly around 
mobile applications we find that is critical. As I mentioned in 
the testimony, about a third of mobile applications even have a 
privacy policy today, so we are really trying to help people 
start by having a privacy policy.
    The second thing we do is once people have privacy 
policies, we help make certain that they are good, of high 
quality, clear, transparent, easy to read, easy to understand, 
and that is where we help the company have a certified privacy 
policy where we say it meets a good high bar, and that the 
company is following and actually doing what their privacy 
policy states.
    Mr. Goodlatte. Thank you.
    Mr. Reed, many Internet services are free and are monetized 
through targeted ads and data collection. How much would app 
prices go up, or what would it cost to use a search engine or 
social media Web site if companies were restricted from the 
data that they could collect?
    Mr. Reed. Well, I think we have to look at two sets of 
numbers: One, what is the change in the way that we develop 
apps; and, two, when it comes to the actual impact on the 
industry. If you remove all ads altogether, I think you would 
see some enormous impacts. If you remove strictly ads that use 
information, and you just do context-based ads, the estimates 
run about 20 percent, a loss of about 20 percent of income for 
those that are ad supported.
    The reality is that the model right now, we are looking at 
trying to make sure that we get apps that we get paid directly 
and supplement through advertising. So it probably would cost 
us about 20 percent of revenue.
    Mr. Goodlatte. Mr. Babel.
    Mr. Babel. I think one of the key unique factors in mobile 
versus Web sites, just to point out quickly, is that mobile 
actually has a monetization mechanism where you can go back to 
the extent that someone were to opt out of ad targeting and go 
back and say, I am limiting the features of this mobile app and 
pushing you to a charged version. In the Web site version of 
the world in that ecosystem, 15 years ago we started giving out 
free content online, and it would be very hard to go back to 
that paywall.
    As we have read industry research, although I haven't done 
it ourselves, we have seen similar numbers to those that Morgan 
has proposed in terms of the drop-off in advertising, but it is 
not something that we have tracked and have estimated directly.
    Mr. Goodlatte. Let me ask the three of you what your 
greatest concerns are about the European Union's recent efforts 
to impose a regulatory regime in Europe.
    Mr. Shipman.
    Mr. Shipman. I think the challenge within the EU is 
certainly that we are looking for standards that create 
international operability, and so any change in one particular 
region for a global company destabilizes that operability. And 
while we certainly have received approval through the binding 
corporate rules for operations in Europe and used that as our 
global standard, changes in that and more restrictions in that 
certainly make that much more difficult for us.
    Mr. Reed. We are short on time, so I am going to echo 
Chairman Smith when he said the problem we have with it is just 
the same. We are not two developers in a garage--we are two 
developers in a garage, not two developers and a lawyer. The 
difference between us and Europe will create a lot of 
difficulties for our developers.
    Mr. Goodlatte. Mr. Babel.
    Mr. Babel. Yes. Our clients, whether they be domestic 
clients or international clients, are challenged by the fact 
that there are just different requirements by country. And when 
you are a big company and trying to manage your portfolio of 
Web sites across users from each different region, it is 
challenging to implement technologies to address that. It is a 
lot of hard work; it is a lot of hard work up front.
    And to be honest with you, most companies have not met the 
deadline for the U.K. Cookie Audit Compliance that was May 25. 
In fact, most government agencies in the U.K. have not met that 
deadline as well. So it gives you a sense for the challenges 
that are involved with this policy implementation.
    Mr. Goodlatte. Mr. Grimmelmann.
    Mr. Grimmelmann. As the others have mentioned, the lack of 
harmony across many countries is a significant problem, and it 
leads to situations in which especially the small players have 
difficulty even finding out all the laws they need to comply 
with.
    Mr. Goodlatte. Thank you.
    The gentleman from North Carolina Mr. Watt is recognized.
    Mr. Watt. Thank you, Mr. Chairman.
    The Ranking Member of the full Committee Mr. Conyers raised 
a difficult issue that I want to ask some questions in here 
relating to legislation versus self-regulation. The 
Administration's blueprint contemplates baseline legislation 
complemented by a self-regulatory model to implement the 
Consumer's Bill of Rights. So let me ask a couple of questions 
in this area.
    Do we, in fact, need a Federal Consumer Bill of Rights or 
something maybe not called that, but some Federal baseline in 
this area to deal with privacy? And if not, two questions 
arise. Wouldn't that leave it open in this Internet thing, 
which clearly is across State borders, for State by State by 
State to enact legislation? And wouldn't that leave it open for 
self-regulation, which is okay if people behave, but is not all 
that enforceable if people do not behave, I guess is the 
question?
    So Mr. Shipman, Mr. Reed, Mr. Babel, and Professor, if you 
can address those couple of questions in there, I would be 
appreciative to you.
    Mr. Shipman. Absolutely. And thank you for the question.
    I think the challenge, as you highlight, is, with self-
regulation, it leaves customers with uncertainty. eBay has long 
supported a Federal omnibus privacy bill, and the key reasons 
for that are largely to provide the small and large businesses 
that we do business with to provide that level of certainty.
    Mr. Watt. So you think there should be a Federal standard 
of some kind.
    Mr. Shipman. Yes, we do.
    Mr. Watt. Yeah. Okay.
    Go ahead.
    Mr. Reed. Yes, we have been active supporters of the NTIA 
effort. And I do think, as we get through this, we should talk 
about ways that the government can enforce bad behavior. I 
definitely think that is something where, from in particular a 
small business, it is very important to see the government step 
in and bring harsh actions against companies that do violate 
people's privacy, because nothing gets the message clearer to 
our members.
    Mr. Watt. Of course, the first step is to have a clear set 
of rules about what the standards are.
    Mr. Reed. Yes, exactly.
    Mr. Watt. Okay.
    Mr. Reed. And so, yes on that, good on enforcement.
    Mr. Watt. Okay.
    Mr. Babel. I think we have seen at TRUSTe self-regulation 
work, and work effectively. And, in particular, over the last 
few years, with the beginnings of the DAA effort around 
AdChoices, you have seen self-regulation accelerate quite 
rapidly in the last few years to reach out and touch consumers 
and give them----
    Mr. Watt. So what happens in self-regulation if you have 
self-regulation and you or your members or your customers or 
clients don't live up to what they agreed? What remedies do I 
have to enforce that, or who enforces those standards?
    Mr. Babel. Sure. So, in TRUSTe's case, where we certify 
companies for good privacy, the first thing we do if there is 
an issue with one of those clients is help them get back into 
alignment with our guidelines for----
    Mr. Watt. Got that, but----
    Mr. Babel. If----
    Mr. Watt [continuing]. My data is already out there at that 
point. So how do I get a remedy?
    Mr. Babel. The second thing we do is eliminate them from 
the program. And, in fact, last year we eliminated----
    Mr. Watt. That still doesn't give me a remedy.
    Mr. Babel. The third remedy that we have put in place to 
the extent that there is egregious behavior, is we have, in 
fact, referred people to the FTC. And the FTC has taken action 
in some----
    Mr. Watt. So there has to be a Federal standard.
    Mr. Babel. There has--yes, we have----
    Mr. Watt. Okay. All right. Okay. I am----
    Mr. Babel [continuing]. Refer to it----
    Mr. Watt. We are back there. All right.
    Go ahead, Professor.
    Mr. Grimmelmann. A Federal baseline would first bring 
important clarity to the area. And, in addition, all of the 
processes of consumer choice and bargaining, where Web sites 
offer bargains to users and explain the tradeoffs, only work if 
the consumers have an entitlement to their privacy to begin 
with. If we don't have a baseline, then they don't need to 
respect it.
    Mr. Watt. All right.
    Now, is there anybody out there in the industry that is 
advocating for no Federal baseline? Are there any voices out 
there, or do you all represent pretty much the standard belief? 
If so, it seems to me we can quit vexing about whether we need 
a baseline and start vexing about what we put in the baseline. 
Is that right? Anybody out there got a different opinion about 
this, I mean, I guess is the question.
    Mr. Reed. I guess the only nuance that I would add is that 
the good partabout what NTI is doing--and it will be a lot of 
work--is that it is being built bottom-up as a multi-
stakeholder effort, where we are going through long, intense 
meetings talking about the meanings of words and the 
definitions. So it is actually working from the standpoint of 
what technology is capable of doing and gives us the option to 
change it as we become capable of doing new things.
    So I think it is important that it not be a government-
imposed, top-down pressure, but it be developed by 
technologists as a way to handle when we change our stuff.
    Mr. Watt. In the meantime, are the laws that are already 
out there--I mean, I assume there are gaps. Are there laws that 
are already out there that provide some kind of protection?
    Mr. Reed. I would say it's more than some.
    Mr. Watt. Yeah.
    Mr. Reed. I think the Federal Trade Commission has already 
shown that it has some teeth. We obviously have regulation on 
HIPAA. We have regulation Gramm-Leach-Bliley. So, depending on 
what kind of data you have, there are more than a fair number 
of regulations.
    Beyond that, this Committee knows we also have antitrust 
laws to deal with companies that are large players that 
cavalierly disregard people's privacy time and time again. So 
if you can't curb behavior through FTC, you can always go and 
look at antitrust as well.
    Mr. Watt. Mr. Chairman, my time has expired, but, as I told 
the Chairman, I am going to have to leave to go over and hear 
Jamie Dimon testify in my other Committee. So let me make a 
unanimous consent request before I leave, Mr. Chairman, to 
offer into the record the February 2012 White House green 
paper, ``Commercial Data Privacy and Innovation in the Internet 
Economy: Dynamic Policy Framework;'' number two, a March 2012 
FTC proposal, whatever, report, ``Protecting Consumer Privacy 
in an Era of Rapid Change: Recommendations for Businesses and 
Policymakers;'' and a March 2012 report, ``Search Engine Use 
2012,'' a project of the Pew Research Center.*
---------------------------------------------------------------------------
    *The submissions referred to are not reprinted in this record but 
are on file with the Subcommittee and can be accessed at:

---------------------------------------------------------------------------
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf;

http://www.ftc.gov/os/2012/03/120326privacyreport.pdf; and

http://pewinternet.org//media//Files/Reports/2012/
PIP_Search_Engine_Use_2012.pdf
    Mr. Goodlatte. Without objection, those will be entered 
into the record.
    And I will turn the Chair over to the Chairman of the 
Committee.
    Mr. Smith [presiding]. Mr. Babel, let me address my first 
question to you. Actually, you have already answered my initial 
question in response to a question by Mr. Watt, but I wanted to 
follow up on the idea of how enforcement worked when it came to 
individual online businesses that might violate the best 
practices. And you responded to Mr. Watt and said, ultimately, 
if there was a clear violation and there wasn't any response, 
you would refer online businesses to the Federal Trade 
Commission, I think. Have you ever had occasion to do that?
    Mr. Babel. Yes, we have.
    Mr. Smith. In how many instances?
    Mr. Babel. There has been one instance that is in my 
knowledge, one instance in 2008 of a company called Classic 
Closeouts, which----
    Mr. Smith. And what did the FTC do?
    Mr. Babel. They took action. It was settled I think late 
last year with a $2-million-plus finding.
    Mr. Smith. Okay. And how many online businesses, in your 
judgment, have violated the best practices that you have 
endorsed?
    Mr. Babel. So, last year in our written testimony we 
provided something we call the transparency report, where we 
walk through number of customers and number of certifications.
    Mr. Smith. Right.
    Mr. Babel. And each year I think there is two important 
data points. One is the number of companies that come to us for 
certification and never get certified because they don't pass 
the standard to begin with. And that is about 8 to 10 percent 
of all the clients that are approaching us for certification 
never meet the bar. The second thing is that, in last year, 11 
companies violated, kind of, what we think are best practices--
--
    Mr. Smith. Okay. And of those 11, you referred 1 to the 
FTC?
    Mr. Babel. Not last year. The referral to the FTC was in a 
prior year.
    Mr. Smith. Right. Okay. Thank you, Mr. Babel.
    Mr. Shipman, let me address a question to you and perhaps 
to Professor Grimmelmann as well. And it is this: We have 
heard, I think, from all witnesses today about the need for 
online businesses to protect consumer data. My question goes a 
little bit farther. Should consumers be able to find out what 
personal data has been gathered about them?
    Mr. Shipman. Absolutely. And, in fact, within our corporate 
standards that we have had approved through Luxembourg, that is 
a requirement that we meet.
    Mr. Smith. Okay.
    Do any of the witnesses today feel that consumers should 
not or do not have a right to know what personal information 
has been gathered about them?
    Okay.
    Next question is, should consumers be able to opt out of 
the process that gathers that personal information about them?
    Mr. Shipman, what do you think?
    Mr. Shipman. I am going to give you a multipart answer on 
that one.
    Mr. Smith. Okay.
    Mr. Shipman. There are certain components of collection 
that are required. eBay certainly has financially related 
institutions.
    Mr. Smith. Uh-huh.
    Mr. Shipman. We process financial transactions as well as 
all kinds of e-commerce transactions and commerce.
    Data that is essential for the safety, security, antifraud, 
in that area, we cannot allow consumers to opt out of. 
Certainly, for marketing purposes and other types of secondary 
uses, we can allow----
    Mr. Smith. You would allow them to opt out. Okay. Thank 
you.
    Professor Grimmelmann, do you have an opinion on that?
    Mr. Grimmelmann. In the context of first-party collection, 
where the consumer is dealing with a Web site----
    Mr. Smith. Yes.
    Mr. Grimmelmann.--Mr. Shipman expresses a very clear and 
correct view.
    Mr. Smith. And you agree with him. Okay.
    That concludes my questions. The gentleman from Michigan, 
the Ranking Member of the full Committee, is recognized for his 
questions.
    Mr. Conyers. Thank you, Chairman.
    Mr. Reed, we have heard a lot about self-regulation here--
too much, as far as I am concerned. I don't know what you think 
this Committee--what others, not you, think, that we make 
rules, we make laws, we have court decisions, and now we come 
up with a ``let's go for self-regulation.'' We have been 
hauling--all of the big tech companies have been in and out of 
court repeatedly.
    And so, can you give me a little more confidence about this 
whole notion of self-regulating?
    Mr. Reed. Well, I think the first thing we have to look at 
is, does the FTC have enough resources? We start with that. But 
I think you also have to look at continued behavior. There is 
carrot and stick, right? Industry self-reg is a carrot; do 
this, and you won't get the stick.
    I think that for small companies, we are usually dependent 
on platforms, and we are incredibly responsive to our 
customers. Why? Because we are scared of losing them. I think 
one of the things that concerns us very much that has been 
happening in the privacy space is that some of the violations 
have been actually done by big companies and one in particular. 
You know, the Chairman brought up Wi-Spy. That trickles down 
into the sentiment of the regular citizenry.
    So, yes, I think it is critical that the resources are at 
the FTC and that the DOJ is willing to step up and go after 
those who don't respond to carrot and don't respond to stick.
    Mr. Conyers. Yeah. But, Mr. Reed, a lot of this privacy--we 
don't even know what is being collected, and we don't have any 
way of getting at it. I mean, I see a huge problem still out 
here, don't you?
    Mr. Reed. Well, I think the question of what is being 
collected, I think we can actually figure out what is being 
collected. The larger question is, what happens to it after it 
is collected? What is it combined with? Does that create 
problems, and are people selling it in a way that is damaging 
or causes harm to people's privacy? Does it make it hard for 
them to get a job? Does it make it hard for them to buy a 
house?
    That is really the question. It is not what is collected; 
it is what is done with the collection of that information 
after, how it is assembled. And those are areas where I think 
that there can be questions and we should find good answers.
    Mr. Conyers. Thank you very much.
    Well, we know what is being collected. Everything. Is there 
anything that they--I mean, that is the nature of the problem. 
I----
    Mr. Reed. But I think it is worth noting that the Sears 
catalog had information on people in the 1900's. They knew what 
we were buying. And it is really about what is done to harm 
people afterwards. That is really the kicker. Because, you 
know, we all had the Sears catalog as a kid in our house, and 
you would read it. Sears knew what you bought. They kept a 
record of what you bought. That was a good thing. Do you know 
if what they did with that information prevented you from 
buying a house or prevented you from getting a job or prevented 
you from getting insurance?
    Mr. Conyers. Or hurting your credit.
    Mr. Reed. Exactly.
    Mr. Conyers. Let me turn to Professor Grimmelmann for a 
continuation of this discussion. I mean, this is a very nice 
conversation we are having here with four experts, but, I mean, 
there is a certain element here of ``let's trust everybody to 
do the right thing.'' The FTC is underfunded. Leibowitz, Jon 
Leibowitz, the Chair, comes before us every year and makes the 
case that they need more resources.
    How do you see this discussion of giving benefit of the 
doubt to these huge companies that are collecting what we don't 
even--well, from my point of view, it is everything. We go back 
to Sears in 1900. Well, guess what they are doing now, if you 
think that was something.
    Mr. Grimmelmann. I would like to say that some huge 
companies can play an important role in building tools that 
stop other huge companies from gathering lots of data. So, for 
example, Apple puts significant restrictions in the iPhone that 
limit the data that apps can collect so that the apps can't 
gather location data without the user's express permission. And 
Microsoft, in its most recent version of the Internet Explorer, 
will be turning on the ``do not track'' header by default to 
tell Web sites they should not collect data about users.
    We can find ways to exploit the competitive process in the 
industry, to have companies recognize privacy is an advantage 
and help consumers keep personal data from other companies.
    Mr. Conyers. But there are some that are disregarding the 
tracking instructions of their consumers. You know that.
    Mr. Grimmelmann. So, the advantage of that is that the 
company that disregards the tracking request has now done 
something that is explicitly deceiving the consumer and failing 
to respond to the request, rather than just taking advantage of 
their ignorance, which gives the FTC a surer basis for action.
    Mr. Conyers. Thank you, Mr. Chairman.
    Mr. Smith. Thank you, Mr. Conyers.
    The gentleman from Pennsylvania, Mr. Marino, is recognized 
for his questions.
    Mr. Marino. Thank you, Mr. Chairman.
    I am going to start with Mr. Shipman. And let's back the 
bus up here a little bit, if you would, please. And if anyone 
has anything to add to it, just chime in.
    Let's start back with the scenario, a parent is having a 
personal conversation with their son or daughter who is off to 
college; or one corporation is having a confidential exchange 
of information with another corporation concerning, let's say, 
a merger. Once I hit that send button, let's educate the people 
of where does that go and how many people or how many entities 
have access to that even when I hit the delete and the other 
side hits the delete? Do you understand my question?
    Mr. Shipman. Yeah, sure. Basically, your question, just to 
quickly summarize, is, when you hit send on an email, how many 
different entities could it possibly end up with.
    Mr. Marino. Even after I delete it.
    Mr. Shipman. Sure, sure.
    To me, the biggest challenge here--I mean, there are many 
challenges. eBay is not an ISP; we actually don't provide 
email, but I am knowledgeable enough to be able to provide a 
few comments.
    One of the toughest components here is access where you 
have other governmental agencies or law enforcement or other 
requests where the consumer may have no knowledge of that 
information being requested. Beyond the technology components, 
it had been deleted within the systems, within service 
providers, within a custodial relationship----
    Mr. Marino. Okay, I understand the law enforcement aspect 
of it. I have been a part of it for 19 years. So just give me 
your best estimate on how many entities would have that 
information.
    Mr. Shipman. Go ahead.
    Mr. Reed. I think, let's break it into two camps. Is your 
service a cloud-based, or are you just going from my company to 
your company? If you are going company to company, not too many 
entities in between will hold on to it.
    But he raises the key point, which is a part of ECPA reform 
in these questions, is that law enforcement has stepped in to 
place collection points in the process----
    Mr. Marino. Okay, let's exclude law enforcement for a 
moment.
    Mr. Reed. If you exclude law enforcement, company to 
company, not much. If it is company to cloud provider and back, 
then the cloud provider does have access to that information at 
a certain level. Most----
    Mr. Marino. Okay. Now, if several entities, even if it is 
company to company, how long does that individual or that 
entity have that information? Until they just delete it?
    Mr. Shipman. So, once an email or other piece of data is 
received, it is within that--if it is a responsible company, 
they have a data classification and data retention policy. So, 
depending on the classification of that data, it may be 7 days, 
it may be 7 years.
    Mr. Marino. All right, I am going to jump to the next one 
then. Who best can answer this: What would prevent an employee 
from obtaining that information and sharing it?
    Mr. Reed. It depends on their status in the corporation. 
Somebody who has the keys to the kingdom, so to speak, the 
network nerd in the closet, he is going to have all of it.
    Mr. Marino. So my point is----
    Mr. Reed. Right.
    Mr. Marino [continuing]. People have access to it and can 
use it nefariously, correct?
    Mr. Reed. Yes. And that is--yes.
    Mr. Shipman. There is an important consideration here, 
which is, there are tools that certain companies, certainly 
eBay being one of them, deploys which do monitor and track 
access to information within the organization. So not only are 
employees based on permission have access or don't have access 
to information, but also if there is anomalous activity, it is 
detected, reported, and prevented.
    Mr. Marino. Mr. Babel and then Professor, maybe you can 
give me a quick answer on this. I am an individual that 
questions ``do we want the Federal Government involved?'' In 
fact, I take the position that the Federal Government spends 
too much time in our lives to begin with.
    So give me, Mr. Babel, if you can, please, give me your 
opinion based on the fact that--can the industry police itself? 
I have a little problem with the fox setting rules and 
regulations for the henhouse. But give me a scenario, if you 
would, contrast them, policing itself and needing Federal 
regulations.
    So if you both could answer that, please. Mr. Babel?
    Mr. Babel. Sure. So I think that it is--you know, TRUSTe 
has self-regulatory programs. The key asset that we have is our 
band of consumers. So if we aren't living up to the standard of 
making certain that people who no longer follow the standards 
are out, like, for us, it is the whole company we are betting. 
Our credibility is the key, meaning the program and its 
credibility.
    I think when it comes to legislation, one of the things 
that I am concerned about is just, you know, what are the 
unintended consequences of legislation? If you look at 
something like CAN-SPAM, even that was a law that was well-
written, well-adopted, but at the end of the day, 90 percent of 
email is still spam. It is not the law that eliminated the spam 
in your inbox, it is technology.
    Mr. Marino. I am running out of time here.
    Professor?
    Mr. Grimmelmann. I think that the companies you are most 
going to want Federal intervention for are the ones who are not 
TRUSTe members who are engaged in shady, gray-area marketing, 
that conceal their tracks, click fraud, all kinds of shady 
deals that are trying to rip consumers off.
    Mr. Marino. Okay. Thank you.
    I yield back. Thank you.
    Mr. Goodlatte [presiding]. I thank the gentleman.
    The gentleman from Florida, Mr. Deutch, is recognized for 5 
minutes.
    Mr. Deutch. Thank you, Mr. Chairman.
    Mr. Babel, you said that 59 percent of people believe that 
their information is protected. You touted that number. Four in 
10 people are concerned that their information is not 
protected, I presume is the balance of that analysis, the 
balance of that polling.
    I just want to talk about the self-regulation piece of 
this, which a number of you had talked about. You have a 
program, a privacy program, which, if I understand what you are 
saying correctly, if a company adopts it, then they receive 
your certification. Is that right?
    Mr. Babel. Correct.
    Mr. Deutch. And has that certification been given to the 
largest companies? And what Mr. Shipman described sounds like a 
really terrific privacy policy, which I will ask about in a 
minute. But do they have your certification on their privacy 
policy?
    Mr. Babel. They are our client, yes.
    Mr. Deutch. And do all of the--I mean, do the biggest, just 
thinking about those companies with market dominance, does 
Google have a certification, does Facebook have a certification 
from you for their privacy policies?
    Mr. Babel. One of the things we look at is the top 100 Web 
sites listed by a company called Alexa that is based on 
consumer traffic. And we have about 50 percent of those top 100 
clients. So we have good penetration but certainly not all----
    Mr. Deutch. All right. So just again, thinking about the 
ones that we use most often, does Google have a certification 
and does Facebook have--for their privacy policy.
    Mr. Babel. Google is not a certified client of TRUSTe, and 
neither is Facebook. We do work with them in some different 
areas, but they are not certified clients of our program.
    Mr. Deutch. And, Mr. Reed, when you talked about the 
information to be collected, you said we should know what data 
is being collected, who we are sharing it with, and being 
transparent with customers.
    Mr. Babel, is that a part of your certification? Do you 
look at each of those?
    Mr. Babel. Yeah, if we were to think of the highest three 
levels of the certification, the business needs to first be 
transparent, meaning tell people what they are collecting, you 
know, if they are sharing it, how long they are holding onto 
it. They need to give choice; would you like to not have that 
data being collected? And they need to be accountable to that 
choice.
    So, yes, the tenets of what Morgan outlined are what----
    Mr. Deutch. And I am sorry, I don't--unfortunately, I don't 
know--I am learning a lot today, but I don't know well enough 
the relationship between TRUSTe and some of the other 
companies. What is it? I mean, when you say you have worked 
with some of these other companies but they don't have the 
certification, do you suggest to them what is missing? Or when 
it comes to those three items that we just discussed, when you 
look at a company with real market dominance, like Google, for 
example, or like Facebook, is there one of those three that 
they might be missing? Are there certain things that we ought 
to be considering?
    Mr. Babel. Think of it as, it is a totally different effort 
that we are working on with them. I will give you the example 
with Google. They have a business-to-business app marketplace, 
where a business owner using Gmail can download an application. 
We certify those applications, but it is in a partnership with 
Google. So it is not related to, kind of, the three core 
tenets. We don't work with them in our core certification 
business. It is kind of a separate, adjacent thing.
    Mr. Deutch. So I guess what I am really getting at is, when 
you talk about self-regulation and the success of self-
regulation, for a company, any company that has real market 
dominance, is that sufficient to rely on? Do the 40 percent of 
consumers who are concerned their information is not kept 
private, should they be satisfied with the privacy policies 
established in a self-regulatory environment, if not every 
company regulates themselves the same way?
    Mr. Reed, you look like you want to jump in.
    Mr. Reed. Well, I think you have to look at behavior. You 
know, eBay is sitting here. They have a pretty good track 
record so far on privacy. A lot of our developers use their 
PayPal system to enable app purchases. It has worked out pretty 
well. We haven't had those.
    So I think your question about the size of the company is 
not the first test. The first test is, what are they doing? And 
if a company with dominance has the power to take it and kind 
of thumb their noses at consumers, well, then, yes, I think 
that is the kind of time where you have to start taking a look 
and you have to start asking harder questions.
    So it is not the size as much as it is the behavior that 
really triggers this.
    Mr. Deutch. Well, Mr. Reed, I mean, you are more familiar 
with the industry than I am. Are there any companies that you 
think are thumbing their nose at these privacy issues?
    Mr. Reed. Well, I mean, I think we have heard the name 
several times; everybody has been talking about it. I think 
Google has--Google's privacy violations to date have certainly 
raised a lot of concern. I think it is the ironic; you know, it 
got so bad that the Jon Stewart show, ``The Daily Show,'' 
actually made fun of it on WiFi. So that----
    Mr. Deutch. Mr. Reed----
    Mr. Reed [continuing]. Harms all of us.
    Mr. Deutch. Mr. Reed, I am almost out of time. Of the three 
things that you point out--know the data being collected, who 
it is being shared with, and being transparent with those 
customers--which of those three do you think is most often 
being ignored by any company that might be thumbing their nose 
at these privacy issues?
    Mr. Reed. I think in the case of Google, I think the 
problem is that they haven't been transparent with what they 
were doing. I think that was very clear onWi-Spy. It was clear 
on the Buzz settlement. They haven't been transparent. And I 
think that is an area that they need to improve or regulators 
need to step in.
    Mr. Deutch. All right. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The gentleman from Utah, Mr. Chaffetz, is recognized for 5 
minutes.
    Mr. Chaffetz. Thank you. Thanks, Mr. Chairman.
    And thank you for all for being here. I appreciate it.
    I wanted to highlight the idea that the Internet, the tech 
sector is actually something in our economy that is working. 
You are looking at growth in jobs and expansion of our economy, 
this is one sector that is thriving.
    One of my concerns is, while we have these deep-seated 
needs to make sure that privacy is protected, that we are 
protecting consumers, I think, Mr. Chairman, we also need to be 
ultra-careful in making sure that we don't convolute the 
process to a point where young entrepreneurs, new startups, 
aren't able to start because there is such a mass of regulation 
and uncertainty.
    I do question the notion that the FTC is the right 
organization. I wonder--we talk a lot about the teeth of the 
FTC, but we can probably count on one hand where they have 
actually taken action. And so I think that begs the question 
of, should this be done in part by statute so that we can use 
Article III Courts, as opposed to the FTC, which would be much 
more readily available to a consumer or an individual. It is 
just something, Mr. Chairman, that I think we need to continue 
to explore, because I am not convinced the FTC is the end-all, 
be-all.
    I am also concerned that if we have multiple jurisdictions 
here--the Consumer Financial Protection Board, for instance--
you are going to end up much like in the financial sector where 
you have conflicting rules and regulations.
    I think it is also important that the Congress stand up for 
itself and not allow an Administration--I don't care which 
party it is involved with--allow just simple rulemaking to push 
through the process and not allow the back and forth and the 
discussion that would happen in Congress. I think we have been 
failing on that front in general.
    There are a couple other areas that I would like you to 
address. And our time is so short here, but, Mr. Chairman, I 
think one of the things we have to further explore if we are 
going to truly look at privacy is how do we deal with minors. 
You know, my 11-year-old arguably knows more about using the 
apps and the Internet than most people three, four, five times 
her age.
    We are going to also have to deal with the national versus 
the international aspect and scope, which is obviously for the 
need and the genesis of SOPA. That issue has not gone away. We 
are still losing billions of dollars overseas, and we are going 
to have to deal with that.
    The other area that I am really trying to focus on and I 
would like you to address--I didn't come to just give a big 
speech--I would like you to actually address is, I think 
Americans have a reasonable expectation of privacy. But how do 
we define that? One of the things that I think we have to look 
at is airspace. It is reasonable that if somebody walked down 
your front yard, they could look at your front yard and see 
your mailbox and your shrubs and whatnot. As we expand out and 
start to use drones and satellites and other types of who knows 
what kind of technology, what is the reasonable expectation of 
privacy, say, in your backyard or on your private property?
    And along with that is geolocation. I have sponsored a bill 
on this. I think it is going to continue to go on.
    Would anybody care to address, what is the proper balance 
of airspace? You know, law enforcement use helicopters, right? 
We have allowed that for a long time; we think that is a good 
thing. But fuel is expensive. It is hard to get a helicopter. 
Law enforcement can only keep it up for so long. But if you 
have a drone that is up 24-7 or somebody that is going to--
where is that balance? Where is that line?
    Anybody care to take a stab at that one?
    Mr. Grimmelmann. I can say a little bit about that.
    One of the encouraging things about the Supreme Court's 
decision in United States v. Jones is that the Court endorsed 
two different kinds of rationales for protecting privacy.
    One of them, based in the majority, is rooted in the 
historic law of trespass. And there, that might signal a 
reinvigoration of the idea that the airspace closely above your 
home is actually yours and not to be invaded. We have long 
accepted that commercial airlines can fly far overhead, but 
this might signal an attitude that we should protect your 
sovereignty over your own space close to the ground.
    And the second, coming from the concurrences, is the so-
called mosaic theory that continuous observation over a long 
period of time can ultimately build such a complete portrait 
that it does invade one's expectation of privacy.
    Mr. Chaffetz. And I guess that is one of the challenges, 
Mr. Chairman, we face. Because he is right; in the Jones case, 
which is in large part what our legislation is modeled after, 
is this idea that there is a toggling between an individual's 
movements on private property and out in the public space.
    Look, technology can be great. It can be so useful and make 
people's lives better. But how do we actually craft something 
without ruining the industry? That is the fundamental question.
    I don't know if the other three care to jump in here.
    Mr. Reed. We have a phrase in the office. We say, ``nobody 
wants technology at the speed of government.'' And that is the 
problem that the question that you point out raises.
    You know, I speak as me, not as ACT. I would be totally 
creeped out having a drone fly above my house all the time, 24/
7, watching my backyard. That is me; I am not speaking on 
behalf of our members.
    But by the same token, a plane flying overhead isn't the 
problem. So we have to look at the behavior question, really. 
The plane flying overhead has an intent. It is going from point 
A to point B. It doesn't intend to be looking in my backyard. 
The drone positioned over my house watching everything that 
happened and whether or not I mowed the lawn on Sunday has the 
intent of watching what I am doing.
    So I think that part of what--part of how we need to look 
at what technology empowers is, what is the intent of the 
person who is putting that technology in place? What do they 
want out of it? And that helps us guide the question of what is 
appropriate airspace in certain aspects that allows for 
wireless transmission to happen without impeding it with a lot 
of government regulation.
    Mr. Shipman. Yeah, if I could just add, I think, you know, 
the work that eBay and a number of other organizations have 
done in really framing what should Federal omnibus privacy law 
look like really focuses--and Mr. Reed used the word 
``intent''--it is use, it is use-based obligations.
    With data, there is an intended use and there is an 
obligation that needs to come with that intended use. And you 
can look at each type of use: Is it fulfillment? Is it 
providing a service? Is it flying from point A to point B? And 
with that data collection and use comes obligation.
    Mr. Chaffetz. Mr. Chairman, with all due respect--my time 
is well past gone--I would appreciate the industry continuing 
to look at this, because I think it is an incomplete answer. It 
is not sufficient enough to say that is the intent, because 
what does a celebrity, for instance, in southern California do? 
You can see TMZ putting drones up trying to follow celebrities 
in their 10-mile zone--that is what ``TMZ'' stands for, 
right?--24-7.
    So intent is not sufficient enough. I think the industry 
has also got to catch up on how to help us define that, because 
Congress has the ability to ruin people's lives, and I would 
rather not see that happen.
    I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The gentlewoman from California, Ms. Lofgren, is recognized 
for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman.
    And as Mr. Chaffetz has indicated, I have some reluctance 
to see Congress weigh in on these issues in a heavy regulatory 
manner because we don't work at Internet speed, we work at a 
different speed. And, you know, that is a good thing. I mean, 
we can't make mistakes quickly. But, certainly, the technology 
will move much faster than we can. And so I have been 
interested in how industry might establish standards that 
prevent a heavy regulatory load.
    And along those lines, I am wondering how this process is 
working relative to the recent decision on Internet Explorer to 
make the default ``do not track.'' I understand that there--
and, certainly, Microsoft has the right to do that. Has that 
had an impact on the industry-wide effort to reach consensus on 
``do not track'' or not?
    Professor, could you answer that question?
    Mr. Grimmelmann. So, the decision has been discussed within 
the working group that is building the standard. Some of the 
participants in that group, including representatives from 
Google, Yahoo, and Adobe, have taken the position that Internet 
Explorer should be defined to be noncompliant such that Web 
sites could say, I think you are using Internet Explorer, 
therefore I am not going to honor your ``do not track'' 
request. And I think this is simply an attempt to sabotage the 
standard. It won't work if Web sites can second-guess the 
user's statement, I don't want to be tracked.
    Ms. Lofgren. Well, the question, I guess, is for me, what 
is the default? What kind of transparency is available to the 
user? And, also, what kind of accountability is there if the 
user's choice is, in fact, not honored by the person 
representing the choice?
    And I guess the question is, who owns this data? Maybe that 
is something that does need to be established in law, that the 
individual has an opportunity to enforce their own choices. Do 
you think that is an approach that would be helpful for 
Congress to take?
    Mr. Grimmelmann. The default right now is that Web sites 
collect but offer the user an opportunity to opt out. I think 
users should have the opportunity to choose tools that protect 
their privacy by saying, ``Do not collect,'' and if Web sites 
disagree with that choice, they can communicate with the user 
and say, ``Here are the benefits we could offer you if you 
turned tracking on.''
    Ms. Lofgren. Right. And that is--for example, I use 
Firefox. I don't know why, but I have always used it. And I 
have ``do not track'' turned on in my Firefox because that is a 
choice I want to make. But it means that there are some things 
I can't do on Firefox, which is a decision I have made.
    Isn't it just--wouldn't it solve our problem in the 
Internet world if we were just transparent to users and gave 
them enforceable choices?
    Mr. Grimmelmann. Yes.
    Ms. Lofgren. Now, let me ask about the--you know, Mr. 
Chaffetz, great minds think alike. I was also thinking about 
the drone issue. And I am told that in August the FAA is 
actually going to do some rulemaking on what drones can 
collect, which is kind of an odd regulatory role.
    Recently, the FTC had a workshop on the use of facial 
recognition technology. Because this isn't just an online 
phenomenon. I mean, you go into every store in America, 
practically, and there is a camera that is taking pictures of 
the shoppers. And with facial recognition technology, you can 
now aggregate data about individuals, who they are. And, I 
mean, that is an immense amount of data that we I don't think 
have any rules about.
    What are your thoughts on that?
    Mr. Reed. Well, the good news is that technology industries 
have actually been thinking on that. There are actually trade 
association efforts to develop best practices. And probably the 
best example I have seen to date on this is, strangely enough, 
Connect by Microsoft. They put together an incredibly 
comprehensive program prior to putting the Connect in your 
house. And you would say, well, why would that matter? But you 
realize, they are essentially facing a camera from the 
television at you. And so they did an entire privacy-by-design 
prior to launching Connect strictly on the question of facial 
recognition.
    So the good news is smart people are starting the day 
saying, ``how do we deal with this?''
    Ms. Lofgren. Well, but the issue is--and we have plenty of 
Fourth Amendment rules for the government, and that is 
important, I mean, obviously. But what we are talking about 
here is not the government but the private sector----
    Mr. Reed. Right.
    Ms. Lofgren [continuing]. Which we celebrate. I mean, the 
private sector is the job creator of our country, the engine of 
economic growth. And yet, the capacity to know everything about 
individuals because of technology that has been deployed, and 
yet individuals may not even be aware that their picture is 
being taken with facial recognition technology. They may have 
absolutely no privacy.
    And I don't think we have any standards that are set for 
that use of big data. I mean, correct me if I am wrong.
    Mr. Shipman. No, actually, I think in that regard the 
online and mobile spaces are arguably doing a better job----
    Ms. Lofgren. Yes.
    Mr. Shipman [continuing]. At communicating what information 
is collected and how it is used. And I think that, as we see 
these technologies move into retail, that certainly companies 
like eBay that work with retail partners can form that 
partnership and can educate and help them with their use and 
their need to know their customer and how to balance that 
appropriately.
    Ms. Lofgren. I know my time is up, but I would just say 
that, you know, we need to have rules--individuals have to have 
the ability to enforce their understandings, either through the 
FTC or through private rights of action. But we have not really 
looked at all to the non-online issues that may be even more 
severe than what people are paying attention to. Because 
everybody who goes online knows it is an issue. Nobody knows 
that the drone is in the sky or that the corner grocery is 
collecting their data.
    Mr. Reed. No, you are exactly right. And we all saw in the 
retail space that Target knew a young lady was pregnant before 
she had been able to tell her family. And that was not the 
online data collection at all; that was strictly from the 
retail store. So you are exactly right.
    Ms. Lofgren. Thank you, Mr. Chairman. My time is up.
    Mr. Goodlatte. I thank the gentlewoman.
    The gentlewoman from Texas, Ms. Jackson Lee, is recognized 
for 5 minutes.
    Ms. Jackson Lee. I thank the Chairman very much.
    And I thank all the witnesses for their testimony.
    And I follow my colleague from California with the same 
quizzical concern about the extensiveness, the vastness of the 
issues dealing with Internet use and the concerns that we now 
have facing the American public or the world public. And so I 
want to raise some questions on that issue.
    But before I do that, Mr. Reed, do you know the apps that 
are from Houston?
    Mr. Reed. I do. We have more than a few. From your 
district, we actually have--oh, there is a great app built by 
an African-American woman in your district who actually won the 
challenge grant from challenge.gov that helps people look up 
the average pay for the jobs they are applying for and helps 
them negotiate in their favor, because it tells them the public 
data, what the average rate of pay is. And it is an app, so you 
walk into your job interview and you know----
    Ms. Jackson Lee. And you are well-informed. Do you have 
some others that you can either refer us to or print out for 
us?
    Mr. Reed. Absolutely. But that one in particular was one 
that was really remarkable.
    Ms. Jackson Lee. It is remarkable and probably gives 
shockwaves to future employers. But I appreciate that.
    Let me stay on the line of reasoning of my questions about 
privacy and use. Two examples. First, on the front page of the 
Web site CNET, there is a moving story of a paralyzed man who 
uses his eyes to tweet. This story demonstrates the enormous 
potential of the Internet.
    How can this man be secure in knowing that when he uses a 
Web browser like Internet Explorer and chooses ``do not track'' 
that his instructions will be followed and not ignored?
    Who wants to take that question? Professor?
    Mr. Grimmelmann. The important part there is that once ``do 
not track'' is standardized, I hope that Congress and the FTC 
will see fit to treat that as an enforceable practice, either 
under the principles of contract law or as a deceptive trade 
practice. A consumer's request not to be tracked should be 
honored.
    Ms. Jackson Lee. And how long--or what should we do to move 
that standardization forward in terms of the industry, to move 
forward on the standardized practice?
    Mr. Grimmelmann. Fortunately, the working group that is 
discussing it has an active and aggressive schedule. As long as 
they are aware that Washington is watching and hoping for them 
to succeed and waiting for the results, I think that is the 
most important thing you can do now.
    Ms. Jackson Lee. So you would say contract law, and what 
would be the other enforcement?
    Mr. Grimmelmann. The FTC's ability to prohibit unfair and 
deceptive trade practices.
    Ms. Jackson Lee. And my concern would be, what are we doing 
now? But I appreciate what you are saying is that we are on the 
right track.
    Let me also add this question. I appeared this morning 
discussing another topic, which is immigration reform, on C-
SPAN, but a question was raised before I came on. In a Google 
official report by Dr. Dorothy Chou on the alarming number of 
requests for government censorship, the United States was 
number one.
    But the question is, the government has a special role and 
responsibility. What should Congress' role be in monitoring, 
permitting or opposing censorship by the government? I will go 
to the professor, but I would like some others to chip in.
    Mr. Grimmelmann. So, law enforcement requests come from a 
wide variety of sources, government both in the United States 
and abroad. And so the role of Congress there is, in part, to 
monitor the requests coming from the United States entities 
and, in part, also to work with U.S. companies over the 
pressure they are receiving from foreign governments to censor 
and to help give them the protection and reassurance of the 
United States Government that we support free expression around 
the world.
    Ms. Jackson Lee. But are you saying we make statements? I 
mean, because it is--we are asking to protect what we are 
transmitting. So the point is that the government is making 
these points that they need to, in essence, protect what they 
have.
    Mr. Grimmelmann. There was a conversation that has been 
going on for a number of years over global Internet freedom 
principles, and part of that is in a discussion about possibly 
legislating responsibilities for United States companies to be 
transparent about their degree of compliance or resistance to 
foreign censorship attempts. Google's transparency about 
requests it receives was actually quite helpful in 
understanding the pressure that governments put on our 
companies to do their dirty work.
    Ms. Jackson Lee. I think that is a very sensitive question 
that is appropriate for a congressional review.
    Let me go to Mr. Babel to talk of the challenges of privacy 
as you established your company.
    Mr. Babel. Sure. The challenges are really in helping 
companies and consumers kind of meet that best practice of 
where there is trust by consumers that the companies are doing 
the right thing. So our kind of sole role for existence is 
helping clients, customers understand what best practices 
around privacy really are and helping them prove to consumers 
that they are doing the right thing with their, you know, 
personal information. So that is what TRUSTe is really there in 
helping the ecosystem know and understand and balance that 
trust relationship between business and entities.
    Ms. Jackson Lee. Are your customers bankers or banks?
    Mr. Babel. There are a few banks, but it is really more 
focused on more online companies and technology companies. And 
we assist banks with other regulations that they have.
    Mr. Goodlatte. Thank you. The time of the gentlewoman has 
expired.
    Ms. Jackson Lee. I yield back.
    Mr. Goodlatte. The gentleman from Georgia is recognized for 
5 minutes, Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman.
    And I must admit that I was just a little disturbed, Mr. 
Reed, when you kind of left me out of the equation. I am 
sitting here right in front of you, closest to you; we could 
almost breathe on each other. And you didn't mention any apps 
from----
    Mr. Reed. I can talk about your app. It is good. I will 
give you it right now. It is a great app that allows you to pay 
for your parking spot with your mobile phone. It is actually 
one that a lot of us already use. It is called Parkmobile. It 
is a great app. Lets you pay for parking with your mobile 
phone. There you go.
    Mr. Johnson. Oh, I tell you, thank you.
    I also found one from Decatur, which is where I represent, 
Ping, a subsidiary of Ping Media Group, Incorporated. It is a 
provider of mobile coupons and promotions which enable 
retailers and vendors to communicate directly with their 
customers via mobile phones.
    And then I got another one. A young man, 17 years old, his 
name is Albert Renshaw, out of Gwinnett County, which I also 
represent. He has developed Apps4Life--A-P-P-S-4, the number, 
L-I-F-E--which offers WiFi texting without a wireless 
connection. And I thought those were pretty good.
    But I will now get into the meat of my concern. A breach in 
security protocol by a company such as eBay that exposes 
private customer information to the public could result in 
death or grievous bodily injury to a customer whose private 
information was divulged wrongfully. The consumer certainly has 
a right to recover damages for his or her injury, or their next 
of kin for their death. I am sure you all would not disagree 
with that. And they have a right to seek a recovery in a court 
of law. But one of the--and that is one of a consumer's basic 
rights.
    But that right is being chipped away at with these 
mandatory pre-dispute arbitration--mandatory arbitration 
clauses in these consumer agreements, which prohibit the 
individual, the aggrieved party, from being able to sue in 
court. Instead, they are forced into mandatory arbitration 
where the arbitrator is selected by the company. The arbitrator 
may or may not be a lawyer. The arbitrator does not operate in 
a public courtroom, but it is a private, secret proceeding, 
maybe held miles away, hundreds and thousands of miles away, 
from where the aggrieved party actually lives.
    There are no rules of Federal procedure, rules of civil 
procedure, rules of evidence, and no jury trial. You know, the 
arbitrator decides the issue, and then once the arbitrator 
does, there is no right to an appeal. This is a private system 
of adjudicating disputes which consumers sign up for a consumer 
agreement without any knowledge of the gravity of what they are 
giving up.
    Mr. Shipman, what do you think about that? Does your 
company have to sue sometimes other competitors for various 
things in a court of law? And do you think that it is important 
that consumers have the right to take their matter to court as 
well?
    Mr. Shipman. So, certainly the scenario you paint is an 
awful and terrible scenario for that family and one that I 
would hope that we never encounter.
    I think there are two important points here. The first is, 
what are the terms that the company has with a customer? And--
--
    Mr. Johnson. What does?
    Mr. Shipman. What are the terms. Is there an arbitration 
provision or not.
    Mr. Johnson. Yeah.
    Mr. Shipman. And----
    Mr. Johnson. Do you know whether or not you have that in 
eBay?
    Mr. Shipman. In the case of eBay, we actually have a number 
of choices for our customers, depending on the size of the 
claim. If it is a financial-related claim, it may be available 
to small claims action. If it is a larger claim, then certainly 
you can bring that case. We don't have that arbitration 
provision that would prevent someone from being able to be 
heard and, you know, have their day in court.
    The second theme that you talk about is information 
security and the protection of information. And, certainly, you 
know, a responsible company has thousands of people devoted to 
making sure that the information that is entrusted with us is 
taken care of appropriately. Because the last thing we want, 
certainly, is that scenario that you paint, because that is 
awful for not only our business but also for our customers.
    Mr. Johnson. Well, certainly. And it is not that the 
company would intend for any harm to come to one of its 
customers because of a breach. It could happen, though, pretty 
easily given the fact that this marketplace is in its earliest 
stage of development and growth and mistakes can be made along 
the way with various applications. Something may have a bug 
that needs to be worked out. And it is definitely possible for 
someone--let's say, a woman whose husband or boyfriend, you 
know, wants to do some damage to them and, due to a breach of 
information, is able to follow through with that, either, you 
know, character-wise or reputation-wise or either coming to the 
house and cutting her up into a million pieces. You know, it 
could happen.
    And if it does happen, then if eBay decides that, okay, 
this claim is not worth that much, then it will go through a 
certain procedure, and if it is deemed by eBay to be larger 
than that, then it goes into--then the person has a right to go 
to court. Is that what we are talking about?
    Mr. Shipman. Well, you know, again, I mean, very awful 
scenarios that you are painting. But----
    Mr. Johnson. But, I mean, it is true. Anything might 
happen.
    Mr. Shipman. Nonetheless--and, certainly, we can follow up 
with you afterwards. We would love to work with you.
    You know, our clause allows consumers to decide what the 
remedy--you know, what avenue they have available to them. We 
don't limit all claims to arbitration. So I think that is, you 
know, the salient piece.
    Mr. Johnson. Okay.
    Mr. Shipman. The second thing is, on this issue of a 
security breach, what we have seen to date--and I can't 
summarize and you don't want me to summarize all of the 
legislation and the caselaw--but what we have seen to date is, 
where there is a harm--and in the cases that you are providing, 
there are clear harms--then it is likely, I believe, that you 
would see damages be appropriate. Where we have seen no harm--
no financial identity theft, no physical harm--the cases that 
we have seen generally tend to say that there is not liability 
in that regard.
    Mr. Johnson. I understand.
    Professor Grimmelmann, your response, sir, or insight?
    Mr. Grimmelmann. I agree with him that where there is 
physical harm to the individual who has been hurt as a result 
of the breach, then, yes, the courts are available, and they 
have been willing to hear those suits.
    I am concerned somewhat that the breaches that do not 
result in immediate provable harm but nonetheless reduce the 
information security for all of us by leaking financial 
information on many consumers that can lead to acts of identity 
theft that can't specifically be tracked back to that one 
individual breach have resulted in harm not provable in a court 
of law, and so, therefore, there is no redress against it.
    This is why data-breach notification laws and other efforts 
to shine a light on this and enforce basic information security 
practices against industry participants are important.
    Mr. Johnson. Uh-huh. Class action litigation could play a 
part in deterring willful misconduct that could ensue.
    Mr. Goodlatte. The time of the gentleman has expired.
    Mr. Johnson. I noticed that red button has been on ever 
since I started talking, so I don't know how long I have gone, 
Mr. Chairman. But it doesn't seem like 5 minutes, though.
    Mr. Goodlatte. Without objection, the gentleman will be 
recognized for 1 additional minute to sum up his ideas.
    Mr. Johnson. Thank you.
    Yeah, class action litigation, where a number of people 
have suffered just a small amount of harm, but the class action 
litigation, which can result in a verdict of some importance in 
terms of the amount, could act as a deterrent and is good for 
public policy, in my opinion.
    What would be your response to that, Professor Grimmelmann? 
Because I don't want to--I don't want to personalize this with 
eBay. eBay is no different than all of the other entities out 
there that are very popular with consumers. So I will ask you, 
Professor.
    Well, I will ask Mr. Reed. What do you think?
    Mr. Grimmelmann. This is an area----
    Mr. Johnson. Go ahead. Go ahead.
    Mr. Grimmelmann. This is an area in which you are concerned 
about arbitration, which is extremely important, and this is 
also an area in which class-action litigation has been 
important for privacy. Facebook has recently settled a lawsuit 
over its marketing a commercial product using individuals' 
pictures to say, ``James just watched `WALL-E.' Don't you want 
to watch it, too?'' to their friends. And a class-action 
lawsuit resulted in a $10 million settlement.
    Mr. Johnson. Thank you.
    Mr. Goodlatte. The time of the gentleman has expired again.
    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Goodlatte. And having allotted him 10\1/2\ minutes on 
his 5 minutes of time, I am going to take the privilege of 
asking a clarifying question for the witnesses.
    To me, self-regulation means companies publish their 
policies, and then if they engage in deceptive practices by not 
following those policies, then under existing law the Federal 
Trade Commission would have the authority to take action for 
false advertising or whatever the case might be.
    What I want to know for sure here is, does anyone here 
believe that the Federal Government should impose a one-size-
fits-all regulatory approach or that the Federal Government 
should proscribe specific privacy policies to specific 
companies or in general?
    Mr. Shipman?
    Mr. Shipman. No, I don't think the government should draft 
specific privacy policies. I think we should leave that to 
industry and those that are innovating the services and 
technology.
    Mr. Goodlatte. Thank you.
    Mr. Reed?
    Mr. Reed. Exactly the same. I agree completely. That is not 
the position the government should be in.
    Mr. Goodlatte. Mr. Babel?
    Mr. Babel. I would agree, and also agree with your view 
that self-regulation with, kind of, a proper backdrop with the 
FTC is a good program to continue.
    Mr. Goodlatte. Mr. Grimmelmann?
    Mr. Grimmelmann. I agree that government should not 
regulate specific privacy policies. It should make sure that 
consumers have effective notice of what those policies are and 
have enforcement when those promises are broken.
    Mr. Goodlatte. Thank you very much. That definitely is 
clarifying information from all of you.
    I would like to thank all of our witnesses for their 
testimony today. This has been a very informative hearing.
    And, without objection, all Members will have 5 legislative 
days to submit to the Chair additional written questions for 
the witnesses, which we will forward and ask the witnesses to 
respond as promptly as they can so that their answers may be 
made part of the record.
    And, without objection, all Members will have 5 legislative 
days to submit any additional materials for inclusion in the 
record.
    And, with that, I again thank all of our distinguished 
witnesses.
    And the hearing is adjourned.
    [Whereupon, at 12:02 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

       Response to Post-Hearing Questions from Scott R. Shipman, 
      Associate General Counsel, Global Privacy Leader, eBay Inc.







                                

         Response to Post-Hearing Questions from Chris Babel, 
                    Chief Executive Officer, TRUSTe









                                

      Response to Post-Hearing Questions from James Grimmelmann, 
            Associate Professor of Law, New York Law School





                                

    Prepared Statement of the Consumer Electronics Association (CEA)






                                 
