b'<html>\n<title> - NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND THE IMPLICATIONS FOR PUBLIC POLICY</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND \n                   THE IMPLICATIONS FOR PUBLIC POLICY\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         INTELLECTUAL PROPERTY,\n                     COMPETITION, AND THE INTERNET\n\n                                 OF THE\n\n                       COMMITTEE ON THE JUDICIARY\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JUNE 19, 2012\n\n                               __________\n\n                           Serial No. 112-116\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n      Available via the World Wide Web: http://judiciary.house.gov\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n74-641                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, gpo@custhelp.com.  \n\n\n                       COMMITTEE ON THE JUDICIARY\n\n                      LAMAR SMITH, Texas, Chairman\nF. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan\n    Wisconsin                        HOWARD L. BERMAN, California\nHOWARD COBLE, North Carolina         JERROLD NADLER, New York\nELTON GALLEGLY, California           ROBERT C. ``BOBBY\'\' SCOTT, \nBOB GOODLATTE, Virginia                  Virginia\nDANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina\nSTEVE CHABOT, Ohio                   ZOE LOFGREN, California\nDARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas\nMIKE PENCE, Indiana                  MAXINE WATERS, California\nJ. RANDY FORBES, Virginia            STEVE COHEN, Tennessee\nSTEVE KING, Iowa                     HENRY C. ``HANK\'\' JOHNSON, Jr.,\nTRENT FRANKS, Arizona                  Georgia\nLOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico\nJIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois\nTED POE, Texas                       JUDY CHU, California\nJASON CHAFFETZ, Utah                 TED DEUTCH, Florida\nTIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California\nTOM MARINO, Pennsylvania             JARED POLIS, Colorado\nTREY GOWDY, South Carolina\nDENNIS ROSS, Florida\nSANDY ADAMS, Florida\nBEN QUAYLE, Arizona\nMARK AMODEI, Nevada\n\n           Richard Hertling, Staff Director and Chief Counsel\n       Perry Apelbaum, Minority Staff Director and Chief Counsel\n                                 ------                                \n\n  Subcommittee on Intellectual Property, Competition, and the Internet\n\n                   BOB GOODLATTE, Virginia, Chairman\n\n                   BEN QUAYLE, Arizona, Vice-Chairman\n\nF. JAMES SENSENBRENNER, Jr.,         MELVIN L. 
WATT, North Carolina\nWisconsin                            JOHN CONYERS, Jr., Michigan\nHOWARD COBLE, North Carolina         HOWARD L. BERMAN, California\nSTEVE CHABOT, Ohio                   JUDY CHU, California\nDARRELL E. ISSA, California          TED DEUTCH, Florida\nMIKE PENCE, Indiana                  LINDA T. SANCHEZ, California\nJIM JORDAN, Ohio                     JERROLD NADLER, New York\nTED POE, Texas                       ZOE LOFGREN, California\nJASON CHAFFETZ, Utah                 SHEILA JACKSON LEE, Texas\nTIM GRIFFIN, Arkansas                MAXINE WATERS, California\nTOM MARINO, Pennsylvania             HENRY C. ``HANK\'\' JOHNSON, Jr.,\nSANDY ADAMS, Florida                   Georgia\nMARK AMODEI, Nevada\n\n                     Blaine Merritt, Chief Counsel\n\n                   Stephanie Moore, Minority Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                             JUNE 19, 2012\n\n                           OPENING STATEMENTS\n\nThe Honorable Bob Goodlatte, a Representative in Congress from \n  the State of Virginia, and Chairman, Subcommittee on \n  Intellectual Property, Competition, and the Internet\n\nThe Honorable Melvin L. Watt, a Representative in Congress from \n  the State of North Carolina, and Ranking Member, Subcommittee \n  on Intellectual Property, Competition, and the Internet\n\nThe Honorable Lamar Smith, a Representative in Congress from the \n  State of Texas, and Chairman, Committee on the Judiciary\n\nThe Honorable John Conyers, Jr., a Representative in Congress \n  from the State of Michigan, and Ranking Member, Committee on \n  the Judiciary, and Member, Subcommittee on Intellectual \n  Property, Competition, and the Internet
\n\n                               WITNESSES\n\nScott R. Shipman, Associate General Counsel, Global Privacy \n  Leader, eBay Inc.\n  Oral Testimony\n  Prepared Statement\n\nMorgan Reed, Executive Director, Association for Competitive \n  Technology\n  Oral Testimony\n  Prepared Statement\n\nChris Babel, Chief Executive Officer, TRUSTe\n  Oral Testimony\n  Prepared Statement\n\nJames Grimmelmann, Associate Professor of Law, New York Law \n  School\n  Oral Testimony\n  Prepared Statement\n\n                                APPENDIX\n               Material Submitted for the Hearing Record\n\nResponse to Post-Hearing Questions from Scott R. Shipman, \n  Associate General Counsel, Global Privacy Leader, eBay Inc.\n\nResponse to Post-Hearing Questions from Chris Babel, Chief \n  Executive Officer, TRUSTe\n\nResponse to Post-Hearing Questions from James Grimmelmann, \n  Associate Professor of Law, New York Law School\n\nPrepared Statement of the Consumer Electronics Association (CEA)\n                        OFFICIAL HEARING RECORD\n      Material Submitted for the Hearing Record but not Reprinted\n\nFebruary 2012 White House green paper entitled Consumer Data Privacy in \n    a Networked World: A Framework for Protecting Privacy and Promoting \n    Innovation in the Global Digital Economy. 
This paper is on file at \n    the Subcommittee and can be accessed at: http://www.whitehouse.gov/\n    sites/default/files/privacy-final.pdf\n\nMarch 2012 FTC report entitled Protecting Consumer Privacy in an Era of \n    Rapid Change, Recommendations for Businesses and Policymakers. This \n    report is on \n    file at the Subcommittee and can be accessed at: http://\n    www.ftc.gov/os/2012/03/120326privacyreport.pdf\n\nMarch 2012 report, a project of the Pew Research Center, entitled \n    Search Engine Use 2012. This report is on file at the Subcommittee \n    and can be accessed at: http://pewinternet.org/~/media//Files/\n    Reports/2012/PIP_Search_Engine_Use_\n    2012.pdf\n\n\n NEW TECHNOLOGIES AND INNOVATIONS IN THE MOBILE AND ONLINE SPACE, AND \n                   THE IMPLICATIONS FOR PUBLIC POLICY\n\n                              ----------                              \n\n\n                         TUESDAY, JUNE 19, 2012\n\n              House of Representatives,    \n         Subcommittee on Intellectual Property,    \n                     Competition, and the Internet,\n                                Committee on the Judiciary,\n                                                    Washington, DC.\n\n    The Subcommittee met, pursuant to call, at 10:07 a.m., in \nroom 2141, Rayburn House Office Building, the Honorable Bob \nGoodlatte (Chairman of the Subcommittee) presiding.\n    Present: Representatives Goodlatte, Smith, Chabot, Poe, \nChaffetz, Marino, Watt, Conyers, Chu, Deutch, Lofgren, Jackson \nLee, and Johnson.\n    Staff Present: (Majority) Vishal Amin, Counsel; Olivia Lee, \nClerk; and (Minority) Stephanie Moore, Subcommittee Chief \nCounsel.\n    Mr. Goodlatte. Good morning. 
This hearing of the \nSubcommittee on Intellectual Property, Competition, and the \nInternet will come to order, and I will recognize myself for an \nopening statement.\n    Today we are holding a hearing to examine the public policy \nissues raised by new technologies in the mobile and online \nspaces. It is clear that some of the central policy issues for \nboth consumers and companies are the issues of privacy and data \ncollection. Privacy continues to take on greater importance as \nmore Americans not only use the Internet and mobile devices, \nbut also share their personal information with companies on the \nWeb. Privacy policies and the technological safeguards that \ncompanies implement will help guide consumers on what they \nshould expect from those who handle their personal information \nand set expectations for companies that use personal data.\n    As Congress continues to look at privacy issues online, it \nis important to have a firm understanding of what the industry \npractices are. Today\'s hearing will explore what mechanisms the \nprivate sector is currently employing to protect Internet and \nmobile users. It will also highlight the technological \ninnovation and development that has occurred in this space.\n    There have been astonishing advancements in the delivery of \nproducts and services online, and as a result there are privacy \nimplications for a variety of new technologies, some of which \nwere not even in existence a few years ago. Many in the private \nsector already have policies and procedures in place to police \nthemselves to ensure they are following best practices. Groups \nlike TRUSTe, the Association for Competitive Technology, the \nApplication Developers Alliance, the advertising industry \nthrough its AdChoices program and others already help to \nprovide best practices, independent analyses of privacy \npolicies, and recommendations for enhancements. 
We will learn \nmore about how some of these groups work in the field today.\n    As Congress begins to look into these issues, we need to \nrealize that the technologies that we are discussing did not \neven exist a few years ago, and some have only come to the \nforefront in the past few months. And with any new technology, \nit is important that as we think about how best to protect the \ninterests of consumers and the Internet user community, we \ncontinue to encourage and not stifle innovation.\n    One of the most important things private-sector companies \ncan do to self-regulate and innovate when it comes to privacy \nis to make their notices and privacy policies easy to \nunderstand. If the consumer understands the trade-off he makes \nwhen he accepts an app program or service, then the consumer \nwill make an informed decision.\n    The easier it is for consumers to understand all privacy \nnotices and policies, the easier it is for companies to compete \non the basis of their privacy policies, and the easier it is \nfor consumers to vote with their wallets.\n    I look forward to hearing from all of our witnesses on the \nefforts that they have taken to help build in privacy \nprotections. As they develop their products to safeguard \nconsumer information about what more can be done to increase \ntransparency and ensure that as American companies seek to \noperate abroad in markets like Europe and Asia, innovation is \nnot impeded by undue regulatory burdens or barriers to market \naccess.\n    And with that it is my pleasure to recognize the Ranking \nMember of the Subcommittee, the gentleman from North Carolina, \nMr. Watt.\n    Mr. Watt. Thank you, Mr. Chairman. 
I appreciate you holding \nthis hearing.\n    I believe that privacy is one of the most fundamental \nvalues of the American tradition, yet today even a majority of \nthe Justices of the Supreme Court posit that as a society we \nare faced with novel challenges in determining the, quote, \n``new normal,\'\' close quote, for privacy expectations in the \ndigital age.\n    There is little doubt that the digital environment has \ncreated opportunities for society that often come at little or \nno financial cost to the user, but I believe it is \ninappropriate to classify these opportunities and services as \nfree. Information is currency, and users are, without \nexception, required to surrender incredible amounts of personal \ninformation in exchange for the services they enjoy.\n    While Internet users have some responsibility to self-\ncensor and restrict the intimate information they share on \nvarious platforms, the reality is that many online users have a \nfalse sense of privacy because they don\'t understand the \nlengthy and complex privacy policies they are compelled to \nagree to in order to use the service. As a result, online users \noften share lots of personal information unknowingly and to \nunintended audiences.\n    Their personal information has been marshaled, analyzed and \nmonetized in ways consumers have come to resent. A March 2012 \nstudy by the Pew Research Center found that two-thirds of \nInternet users have negative views about search engines \ncollecting information about them to produce personalized \nsearch results. 
Two-thirds of Internet users also report that \nthey, quote, ``are not okay with targeted advertising because \nthey do not like having their online behavior tracked and \nanalyzed.\'\'\n    I am further concerned that this type of consumer profiling \nmay limit, rather than enhance, the experience and the horizons \nof distinct groups based on race, ethnicity, religion and other \nfactors that we are probably not even aware of yet. If users \nare constantly fed products and facts in areas in which they or \nsomeone like them have already expressed an interest, their \nintellectual curiosity and development may be stunted.\n    Earlier this year both the Department of Commerce and the \nFederal Trade Commission completed reports following \nstakeholder participation to address mounting concern about \nconsumer privacy. The White House Green Paper enumerated seven \nbroad principles that it urges be enacted into law as flexible \nbaseline standards governing consumer privacy.\n    The Green Paper recommends that industry leaders develop \nspecific codes of conduct to implement for consumer privacy \nprinciples. The FTC\'s report takes the additional step of \nidentifying best practices that could, and I believe should, \nserve as a guide for industry in developing the codes of \nconduct.\n    The Administration has determined that the first round of \nstakeholder meetings will center on mobile applications which \nraise serious questions about the security of data concerning \nchildren and geolocation information concerning all users. 
\nParents must be able to feel secure that the apps they download \nto educate or entertain their children aren\'t secretly \ncollecting or sharing private data or location information from \nthe host device.\n    Although some industry actors have been giving lip service \nto and others have been really working to establish privacy \nstandards and to provide users with a better understanding of \nthe ways in which their information is used, it seems clear to \nme that consumers remain in a vulnerable position in which they \nare required to place an enormous amount of blind trust in \nonline companies and app developers.\n    Just last week the FTC announced an $800,000 settlement \nwith Spokeo, a data broker that compiles vast amounts of \ninformation on consumers from both online and offline sources. \nIn the first FTC case to address the sale of data from the \nInternet and social media sites in the employment context, the \nFTC charged that Spokeo violated the Fair Credit Reporting Act \nby marketing consumer profiles to recruiters and human resource \nprofessionals without regard to the accuracy of information and \nwithout advising the users how their information would be used. \nThe FTC was empowered to act because of the protections \ncontained in the Fair Credit Reporting Act.\n    The FTC settlement was announced just as President Obama \nsigned an Executive Order to let the morass of Federal policies \nand practices that impede broadband deployment on Federal \nlands. The Executive Order will not only lower the cost of \nbroadband Internet access, it will also speed the delivery of \nconnectivity to communities, businesses and schools. 
President \nObama said in his statement, quote, ``By connecting every \ncorner of our country to the digital age, we can help our \nbusinesses become more competitive, and our students become \nmore informed, and our citizens become more engaged,\'\' close \nquote.\n    With greater access comes the responsibility to ensure that \nour citizens enjoy an online experience that is safe, reliable \nand respectful of personal information. So I support the \ndirection the Administration is taking us, and continue to \nbelieve that Congress should enact baseline privacy legislation \nthat will provide certainty to both consumers and companies, \nand promote a healthy online economy.\n    Justice Thurgood Marshall wrote years ago that, quote, \n``Privacy is not a discrete commodity possessed absolutely or \nnot at all,\'\' close quote. The devil is always in the details, \nbut I hope that the witnesses will be able to address some of \nthe best practices recommended by the FTC.\n    Finally, I am also concerned that without a baseline set of \nprinciples with the force of law, privacy policies may be used \nby larger players in an anticompetitive manner to drive smaller \nplayers and start-ups from the market to the detriment of \nonline consumers. I look forward to hearing from our witnesses \nabout how we can embrace new technologies without discarding or \nabandoning the right to privacy.\n    And I yield back, Mr. Chairman.\n    Mr. Goodlatte. The Chair thanks the gentleman and is \npleased to recognize the Chairman of the Judiciary Committee, \nthe gentleman from Texas, Mr. Smith.\n    Mr. Smith. Thank you, Mr. Chairman.\n    America\'s economic success has been built on innovation. \nTen years ago there was no such thing as Facebook or Twitter. \nJust 5 years ago there was no such thing as an iPhone or an app \nstore. 
Today, mobile apps number in the hundreds of thousands \nand are largely developed by individual innovators and small \nbusinesses.\n    As new technologies have emerged, like mobile apps, social \nmedia, online advertising and data analytics, the cost for new \nbusiness entry have come down. But as new Web sites and apps \nare developed, companies must work to ensure that they maintain \nthe trust of their customers.\n    Trust is the essential element for consumers to adopt new \napps or technologies. When we hear about privacy breaches, like \nwhat happened when Google collected large amounts of private \ndata over Wi-Fi networks, we have to be concerned. With every \novercollection of privacy data, the first excuse is that the \nengineers or programmers went beyond what they were told to do. \nThat excuse may fly once, but ultimately it is neither the \nengineers\' fault nor the programmers\' fault, it is the \ncompany\'s.\n    In the Internet economy, online services are generally \nprovided to consumers at little or no cost, and behind these \nonline services are hundreds or thousands of employees and \nmillions of dollars in hardware and equipment. The Internet \neconomy runs on data. There is an implicit bargain between an \nInternet service and the consumer that includes an exchange of \ninformation or data instead of cash. When a consumer receives a \nfree email account or a cloud storage space, or uses a search \nengine, social media Web site or app, there is a collection of \ndata that allows a company to construct their service and \nprovide targeted advertising or related data-analytic services \nto the consumer.\n    As Internet companies have developed new technologies, \ntheir privacy policies have had to evolve. 
Many companies now \ninstitute privacy by design, where privacy protections are \nbuilt directly into their software and hardware products from \nthe beginning.\n    Incorporation of the best practices for privacy is \nessential as new products are developed online. For example, I \nread that Google and Apple are building even more detailed maps \nthat rival defense satellite imagery. Though this ensures that \nwe will never get lost if we drive or walk through a new city, \nwe also need to ensure that when images are taken in \nresidential areas or in people\'s backyards, that their privacy \nis protected. This is another place where privacy concerns \nshould not have to be raised by Congress or the media. They \nshould be addressed before the products are even announced.\n    The growth in smartphone use and mobile apps has created an \nentirely new business sector, from Instagram to new mobile apps \nfor established online Web sites and companies. This new \nbusiness sector is composed mostly of small businesses and \nindividual programmers. As we will hear from our witnesses \ntoday, many of these small businesses are just a couple of \nsoftware programmers, not two programmers and a lawyer, and so \nthey often need assistance from more established players as \nthey work to incorporate privacy protections into their \nsoftware.\n    The mobile and Internet playing field is broad, and the \nspecific technological protections may be unique to particular \ntechnologies, but as companies incorporate privacy protections \ninto their services, it is important for them to provide \nprivacy policies that are understandable and reasonable. 
This \nway it is clear to the consumer what the bargain is that they \nenter into when they use a Web site or mobile app.\n    I look forward to hearing from all of our witnesses today, \nand I hope their testimony allows the Subcommittee to learn how \nthe technology industry works to incorporate balanced privacy \nprotections that will inform and protect consumers.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Goodlatte. Thank you, Mr. Chairman.\n    I am now pleased to recognize the gentleman from Michigan, \nthe Ranking Member of the Judiciary Committee, Mr. Conyers.\n    Mr. Conyers. Thank you, Chairman Goodlatte and Ranking \nMember Watt.\n    This is a very important hearing, and there are new \nservices being offered online and through smartphones and other \ndevices that largely depend on the continued gathering and use \nof personal information which is ultimately turned into a \nproduct for sale. And this hearing is going to devolve, I \nthink, into an issue of whether we get the self-regulation \ntheory advanced, we will all be good and trust this Committee, \nor whether we are going to go along and develop the Consumer \nPrivacy Bill of Rights. And that is where we are going to end \nup, because there is an explosion of the collection, \ndissemination of personal information, and therefore these \norganizations have an incentive to collect as much data as \npossible about Internet users.\n    And what I think should come out of this hearing is the \nnotion that consumers deserve to know how their data and \nprivacy are being impacted by mobile and online platforms. \nToday we don\'t know that. And that is why this hearing by this \nSubcommittee is extremely important.\n    The size and power of online companies allow them to obtain \nand aggregate many types of personal information. Otherwise why \nwould Facebook be valued at a worth of over $100 billion? 
Well, \nthe answer in large part is because of the treasure trove of \npersonal information that they collect, much of which, like \nother companies, we don\'t know much about.\n    Now, we have been dealing with the size and power of online \ncompanies that allows them to obtain and aggregate all this \npersonal information about users. Google recently has had to \nchange its privacy policies, and there is concern about its \nability to obtain information through an individual\'s use of \nvarious products the company offers. There are so many \ndifferent ways to get this information out there, that when \nthey get it together, they have far more information than is \ngenerally recognized.\n    And so I, for one, am interested in learning how we can \nincrease the authority and the power of the Federal Trade \nCommission to take action against privacy violations. The FTC, \nin my view, needs direct enforcement authority so that it may \ntake action against those who violate consumer privacy even if \na company doesn\'t violate its own published private policy.\n    And while companies should develop online guidelines, we \nmust remember that enforcement is critical to consumer \nprotection. The FTC has the responsibility to ensure that \ncompetitors are not allowed to play by different rules.\n    And so, Mr. Chairman, thank you for allowing me to add my \ncomment before the witnesses begin.\n    Mr. Goodlatte. I thank the gentleman for his comments.\n    Without objection, other Members\' opening statements will \nbe made a part of the record.\n    We have a very distinguished panel of witnesses today. Each \nof the witnesses\' written statements will be entered into the \nrecord in its entirety, and I ask that each witness summarize \nhis testimony in 5 minutes or less.\n    To help you stay within that time, there is a timing light \non your table. 
When the light switches from green to yellow, \nyou have 1 minute to conclude your testimony; and when the \nlight turns red, well, that is it. It signals the witness\' time \nhas expired.\n    Before I introduce our witnesses, I would like them to \nstand and be sworn, as is the custom of this Committee.\n    [Witnesses sworn.]\n    Mr. Goodlatte. Thank you very much, and please be seated.\n    Our first witness is from the district of the gentlewoman \nfrom California, Ms. Lofgren. And so it is my pleasure to yield \nto her for the purpose of introducing Mr. Shipman.\n    Ms. Lofgren. Well, I thank you, Mr. Chairman, for your \ncourtesy in allowing me to introduce the Associate General \nCounsel of eBay that is, in fact, located in the 16th \nCongressional District. Scott Shipman has been with eBay from \nthe beginning. In fact, he started at eBay when he was a law \nstudent. And the one lawyer there was absolutely overwhelmed, \nand so he was there at the beginning to deal with the privacy \npolicies of eBay, and he is here to tell us about those \nsuccessful policies. As he said at our collective law school, \nhe had done the right things without even knowing it back as a \nlaw student.\n    He now has firsthand experience with the privacy compliance \nand risk assessments at eBay; the cross-border data transfers, \nincluding the EU; the personal information transfers through \ncorporate mergers and acquisitions; and all the other privacy-\nrelated issues that this major corporation faces.\n    He teaches international data protection at Santa Clara \nUniversity School of Law as a lecturer, and he serves along \nwith me on the high-tech law advisory board at our mutual alma \nmater Santa Clara Law School. He coordinates the legal high-\ntechnology internship program at eBay in connection with Santa \nClara Law School, and he is a board member of the Consumer \nPrivacy Law Forum. 
He is a member of the International \nAssociation of Privacy Professionals, a member of the Chief \nPrivacy Officers Council, on Conference Board, as well as, of \ncourse, being admitted to the California State Bar. I am so \nglad he is here to share his expertise with us.\n    And it is good to welcome you here, Scott, from the Valley \nand to D.C.\n    Thank you, Mr. Chairman, for allowing me to introduce \nScott.\n    Mr. Goodlatte. Thank you, Ms. Lofgren.\n    And I have had the pleasure of speaking at the State of the \nNet West Conference, which has been hosted at the Santa Clara \nUniversity School of Law on a number of occasions.\n    So, Mr. Shipman, welcome.\n    Our second witness is Mr. Morgan Reed, Executive Director \nof the Association for Competitive Technology. Mr. Reed \nspecializes in technology issues and has been working closely \nwith mobile app developers and companies on privacy issues for \nyears.\n    Mr. Reed previously worked for a Taiwan-based trading \ncompany handling North American sales operations. He received \nhis B.A. in Political Science from Arizona State University, \nand did graduate research in Chinese at the University of Utah \nand the Shi Ta University in Taiwan. I hope I have that \npronounced correctly.\n    Mr. Reed. Close enough.\n    Mr. Goodlatte. Our third witness, Mr. Chris Babel, is the \nCEO of TRUSTe, a leading company and authority on Internet \ntrust and privacy. Previously Mr. Babel served as Senior Vice \nPresident and General Manager of VeriSign\'s worldwide \nauthentication services business, where he was responsible for \nstrategy, sales, marketing, product and support. He also \nmanaged VeriSign\'s SSL and Managed Security Services business. \nEarlier in his career he worked at Morgan Stanley in their M&A \nand Corporate Finance group. Mr. Babel received his B.A. in \nMathematical Methods in Social Sciences and Economics from \nNorthwestern University.\n    And our fourth witness is Mr. 
James Grimmelmann, professor \nof law at New York Law School. Professor Grimmelmann studies \ntechnology issues relating to IP, virtual worlds, search \nengines, online privacy and other topics. Prior to law school \nhe worked as a programmer for Microsoft. He received his J.D. \nfrom Yale Law School and his A.B. in Computer Science from \nHarvard College.\n    Welcome to you all. And we will begin with Mr. Shipman.\n\n   TESTIMONY OF SCOTT R. SHIPMAN, ASSOCIATE GENERAL COUNSEL, \n                GLOBAL PRIVACY LEADER, eBAY INC.\n\n    Mr. Shipman. Chairman Goodlatte, Ranking Member Watt and \nMembers of the Subcommittee, thank you for the opportunity to \ntestify today about eBay Inc., and what we are doing to enable \ncommerce and engender trust through the use of innovative \nconsumer privacy protections. My name is Scott Shipman, and I \nam the associate general counsel and global privacy leader for \neBay Inc.\n    eBay empowers and connects millions of buyers and sellers \nthroughout the globe through eBay marketplaces, Paypal, GSI and \nother mobile technology-based businesses; therefore, many \npeople associate eBay and Paypal with enabling e-commerce. \nHowever, it is important to note that eBay is not just about e-\ncommerce. We are about commerce.\n    The traditional boundaries of offline and online retail are \nblurring. We recognize that retailers and sellers of all sizes \nneed a partner who will help them succeed in this rapidly \nchanging, consumer-driven environment. We want them to succeed, \nand we are that partner.\n    Over the years we have learned one of the keys to success \nis engendering consumer trust and confidence. A critical \ncomponent of that trust is privacy. It is hard to build \nconsumer trust when you are not respectful of their personal \ninformation. To foster that trust we have had to meet customer \nprivacy expectations with every product we offer. 
I would like \nto take the next few minutes to highlight some of the \nsuccessful privacy-related programs and products that have led \nto eBay being rated one of the most trusted companies for \nconsumer privacy.\n    Since eBay\'s inception our core privacy commitment is eBay \nwill not sell the personal information of our customers to \nthird parties for marketing purposes. However, we also \nrecognize consumers need more meaningful choices on how their \ndata was used for behavioral-targeted advertising; therefore, \neBay developed and implemented a program called AdChoice.\n    The AdChoice program works as follows. Third-party \nadvertisements on and off eBay have an AdChoice link. When eBay \nusers click on the link, they see a pop-up window that gives \nthem the ability to specify their advertising preferences. eBay \nusers can also opt out of receiving third-party behaviorally \ntargeted ads and read our privacy policy through that link.\n    eBay\'s AdChoice program offers a server-based mechanism, \nnot their traditional cookie-based mechanism. This means \nchoices and preferences are permanently stored and not erased \nwhen a user clears their cookies.\n    Paypal and its ``shop without sharing\'\' design is another \nperfect example of innovative technology that encourages \nconsumer privacy and consumer control. The beauty of Paypal is \nit allows consumers to pay for a good or service without ever \nhaving to expose their credit card or bank account information \nto merchants. Not only does this privacy-enhancing technology \nallow consumers to fully enjoy the convenience of online and \nmobile commerce, but it also allows merchants to receive \npayments without the cost and potential liability associated \nwith processing and securing financial information. It is a \nwin-win for both consumers and merchants.\n    Looking now at the exciting mobile space, mobile \napplications and technology continue to grow in popularity and \nimportance. 
Through the launch of several new and exciting \nmobile applications, eBay has experienced rapid growth in the \nmobile arena. However, being a leader in mobile and geolocation \ntechnology is more than just offering cool new services; it is \nalso about balancing the needs and wants of the consumer \nagainst the creep factor that is sometimes associated with the \ncollection and use of geolocation and mobile data.\n    eBay is building mobile applications that offer the same \ntransparency, choice and level of privacy protection as our \ntraditional Internet services. eBay has made it a policy that \nall consumers must opt in to turn on geolocation for all eBay \nInc., mobile applications, and we give consumers the ability to \ndecide what communications and notifications they want to \nreceive and how.\n    A perfect example of an eBay mobile application that \nencapsulates the privacy by design philosophy is WHERE. WHERE \nprovides personalized hyperlocal recommendations, offers and \ndeals to millions of mobile consumers. WHERE does not associate \npersonally identifiable information with location data without \nexplicit consent. Finally, WHERE does not collect, maintain or \ntrack a consumer\'s location history.\n    I have talked a lot about technology, but my last example \nfocuses on best practices and compliance. In addition to eBay\'s \nprivacy principles and the practices described in our privacy \npolicies, eBay has established a set of corporate rules \napproved by the Luxembourg National Data Commission. These \ncorporate rules are a commitment by eBay to protect our users\' \npersonal information regardless of where the data resides.\n    Our corporate rules do not just protect the personally \nidentifiable information of our European users, but of all eBay \nInc. customers and employees globally. 
eBay was actually the \nfirst e-commerce company to receive this approval and the first \ncompany to receive approval for employee and customer rules.\n    To conclude, we recognize that privacy is a key component \nof our customers\' experience and the trust they place with us. \nAs technology changes, as the world changes, expectations will \ncontinue to change. eBay\'s role is not to guarantee absolute \nprivacy in a vacuum, but to build a relationship based on \ntrust. It is our hope that in the years to come, the trust \nwithin that relationship will only grow stronger, and our \ncustomers will know and trust that we will get it done right.\n    I sincerely appreciate the opportunity to testify before \nthe Committee today, and I look forward to your questions.\n    Mr. Goodlatte. Thank you, Mr. Shipman.\n    [The prepared statement of Mr. Shipman follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n\n                               __________\n    Mr. Goodlatte. Mr. Reed, welcome.\n\n TESTIMONY OF MORGAN REED, EXECUTIVE DIRECTOR, ASSOCIATION FOR \n                     COMPETITIVE TECHNOLOGY\n\n    Mr. Reed. Thank you.\n    Chairman Goodlatte, Ranking Member Watt, Members of the \nCommittee, my name is Morgan Reed, and I want to thank you for \nhaving today\'s hearing on New Technologies and Innovations in \nthe Mobile and Online space and the Implications for Public \nPolicy.\n    My organization, the Association for Competitive \nTechnology, is an international trade association representing \nmore than 5,000 app developers. 
We make the cool apps that run \non your smartphone, and your iPads, and, hopefully, the new \nMicrosoft tablet and the next device after that. I am a \nlicensed developer, too, having worked on network protocols and \ndebugging games, so I have actually dug into the nitty-gritty \nof how you build software programs.\n    Here is the great news: Our industry is showing amazing \ngrowth. We have hit more than $20 billion today on an expected \npath to $100 billion by 2015. Apps are expanding into new \nmarkets, including enterprise and mobile health, which will \nhelp make Americans more efficient at work and healthier at \nhome. And while Americans own more than 350 million mobile \ndevices, developers are seeing real potential in foreign \nmarkets. China\'s largest telecommunications company has more \nthan 800 million subscribers; the number 2, 200 million; the \nnumber 3, 100 million. With adequate intellectual property \nprotection, those subscribers could become customers for our \nAmerican developers.\n    Now, I understand this Committee would like to spend some \ntime today talking about consumer data privacy and how we make \nit work in this new, more mobile world. What we have learned in \nworking through several multi-stakeholder efforts is that we \nneed to address privacy in a comprehensive way, not one that \ncreates siloed solutions for each technology, especially since \nthose silos are disappearing every day.\n    The biggest revolution in our industry is happening right \nnow, and it is called responsive design. Technology is giving \nus the tools to make one app that will look good on a mobile \ndevice and will also look good on a television, and it will do \nso seamlessly.\n    Everyone in the technology industry has to take part and be \nresponsible for improving the state of privacy security and \ntransparency across all of these industries and devices. 
Our \napp developers are no different, and we are committed to \nworking this out with government, industry, civil society and, \nmost importantly, our customers.\n    During the past year ACT has reached out to our membership \nand other developer organizations throughout America to discuss \nthe importance of data privacy. We have gone coast to coast and \nhave reached hundreds of thousands of developers. Our message \nhas been simple: know what data you are collecting, know who \nyou are sharing that data with, and be transparent with your \ncustomers.\n    We have also been participating in multi-stakeholder \nefforts, including the California AG\'s work on mobile platforms \nand the White House\'s NTIA multi-stakeholder effort.\n    But throughout all this talk about stakeholders, I realize \nthat this can easily be seen to imply large, faceless \ncorporations. I wanted you to remember today that the \nincredible innovation happening is being driven by thousands of \nsmall businesses working to build applications that educate, \nmotivate and enrich people\'s lives. Therefore, I thought I \nwould take a minute to introduce you to some of the \nstakeholders whose voices we are working to have heard \nthroughout these efforts.\n    Chairman Goodlatte, in your district Vision Studios \nproduced TextGauge. It is an app for parents to prevent teens \nfrom texting while driving.\n    Congressman Watt, in your district we have got Monster \nPhysics. It is a great app that makes physics fun and is \navailable for adults as well as kids.\n    Congressman Conyers, in your district JacAPPS is building \nthe app for the Detroit International Jazz Festival. It is an \namazing application.\n    Congressman Smith, in your district My Patient Solutions \nhelps patients navigate the health care system by giving them \ntools to better understand diagnosis and treatment options.\n    Congressman Marino, we have social meetup apps done by \nMeetMe! 
in your district.\n    Congressman Quayle, in your district we have a brand new \nentrant. ABN just won the contract for the 2012 PGA Phoenix \nOpen, and that will have location-based technology to allow you \nto go on-the-ground navigation with the spectators.\n    Congressman Deutch, in your district one of our members, \nDave Noderer, built an app for Big Brothers and Big Sisters \nthat allows Bigs to know activities that they should be looking \nat doing with their Littles.\n    Congressman Griffin has OrderPath. It allows medical \npersonnel to display in-patient and observation data to help \nstreamline patient care, and it is aimed at rural districts.\n    Congresswoman Chu, in your district Awesome App; it is for \nelectricians and engineers that helps them do their job more \nefficiently and, importantly, more safely.\n    Congressman Chaffetz, you have got one of the biggest dogs \nin the fight. Infinity Blade II is built in your district, \nmillions of downloads, and it is built by a very small company \nright in your district.\n    Congresswoman Lofgren, we have got a great app in Pinger. \nIt allows people to send free text messages all across the \nworld without having to necessarily have a specific text plan.\n    Congressman Poe has got iTaxable that provides answers to \nyour tax filing questions and an extensive database of \ninformation.\n    Congressman Jordan, you have got Ranch Rush. 
It is a game \nthat puts a farm in your pocket, allowing users to harvest \nfresh produce, gather eggs from ostriches, collect honey from \nbees, and whip up ketchup from tomatoes.\n    Congressman Nadler has got one that helps you sign your \nsignature on your iPad instead of having to find a fax machine.\n    So I think as we think about today\'s questions about \nstakeholders, you need to remember that in every single one of \nyour districts, and in every district here in Congress, there \nis a small business stakeholder whose voices we need to have \nheard as part of this privacy discussion.\n    Thank you for your time, and I look forward to your \nquestions.\n    Mr. Goodlatte. Thank you, Mr. Reed.\n    [The prepared statement of Mr. Reed follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n\n                               __________\n    Mr. Goodlatte. Mr. Babel, welcome.\n\n                   TESTIMONY OF CHRIS BABEL, \n                CHIEF EXECUTIVE OFFICER, TRUSTe\n\n    Mr. Babel. Thank you.\n    Chairman Goodlatte, Ranking Member Watt and distinguished \nMembers of the Subcommittee, my name is Chris Babel, and I am \nthe Chief Executive Officer of TRUSTe, a leading provider of \nprivacy technology and certification solutions to online \ncompanies. 
Based in San Francisco, TRUSTe offers a suite of \nprivacy solutions to help businesses increase consumer trust \nand engagement across their Web sites, mobile applications, \nonline advertising and cloud-based services. Over 5,000 \ncompanies, such as Apple, AT&T, Disney, eBay and Yelp, rely on \nTRUSTe to ensure compliance with evolving and complex privacy \nrequirements and to build trust with consumers.\n    I would like to highlight three topics in my remarks before \nthe Subcommittee today: first, the consumer privacy \nperspective; second, new privacy challenges and the \ntechnologies TRUSTe and others offer to address them; third, \nwhy we think that self-regulation has been successful in \nprotecting consumers online.\n    First, through consumer research we submitted in the \nwritten testimony, we know that consumers are concerned about \nprivacy online on both their PC and mobile devices. Take \nmobile, for example, where 74 percent of consumers believe it \nis very or extremely important to understand what personal \ninformation a mobile application collects. Eighty-five percent \nwant to be able to opt in or opt out of targeted mobile ads. \nThese concerns are causing the consumer to become more engaged \nin their privacy decisions and more likely to take control of \nwhen and how their data is collected and used.\n    Research also highlighted that 59 percent of consumers \ngenerally trust that Web sites are protecting their privacy \nonline, showing that businesses can build trust and alleviate \nprivacy concerns through investments in privacy best practice \nand privacy technologies.\n    Second, there is explosive growth in privacy services \noffered to consumers. In TRUSTe\'s first 12 years in existence \nthrough 2009, we grew it from offering one to four services \nfocused on Web site privacy only. 
In the past 2 1/2 years we \nhave launched over 10 new services spanning Web sites, mobile \napplications, online advertising and cloud services.\n    Taking mobile as an example, since all of you carry mobile \ndevices, the challenges are that less than one-third of mobile \napplications have a privacy policy today, and when they do, \nthey are difficult to read and need to handle sensitive topics \nlike location information.\n    TRUSTe offers application providers a free mobile privacy \ngenerator, as well as paid services to certify that mobile \napplications have strong privacy, as well as notice and choice \nmechanisms for consumers regarding mobile ad targeting.\n    There have also been entirely new industry efforts, like \nthe Digital Advertising Alliance that have been formed to \nprovide consumers notice and choice around online targeted \nadvertising. TRUSTe is the largest independent provider of \nservices for the DAA. We have also partnered with the \nApplication Developers Alliance to educate mobile developers on \nimportant privacy issues as part of a countrywide educational \nroad show. Technology is evolving more rapidly than ever, and \nsolutions for consumer privacy protection are keeping pace.\n    Third, self-regulation is a critical component to online \nprivacy, and TRUSTe has helped thousands of companies self-\nregulate their online privacy for 15 years. Self-regulation is \nvaluable in that it helps companies facilitate global best \npractices, which simplifies the management and cost of these \nprograms while increasing accountability. Self-regulation can \nalso evolve with technology changes to meet the ongoing needs \nof consumers. 
And finally, through safe harbors and due \nprocess, self-regulation can provide strong incentives for \ncompliance.\n    Looking forward, it is clear that consumers are becoming \never more aware of how their personal data is collected and \nused online, which is important as technology changes, like the \ndecreased cost of bandwidth, computer processing and storage \nallow for the analysis and use of vast databases of \ninformation. Self-regulation provides a flexible privacy \nprotection framework that can quickly adapt to these rapidly \nchanging technologies.\n    Today, industry has made great progress in self-regulating \ntheir privacy practices, and though there is much work to be \ndone, we are confident that the goal of protecting consumers \nwhile continuing to innovate will be achieved.\n    Thank you for the opportunity to testify today. I look \nforward to your questions.\n    Mr. Goodlatte. Thank you, Mr. Babel.\n    [The prepared statement of Mr. Babel follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n                               ATTACHMENT\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                               __________\n\n    Mr. Goodlatte. And, Professor Grimmelmann, you get the last \nword.\n\n                TESTIMONY OF JAMES GRIMMELMANN, \n        ASSOCIATE PROFESSOR OF LAW, NEW YORK LAW SCHOOL\n\n    Mr. Grimmelmann. I would like to thank Chairman Goodlatte, \nand Ranking Member Watt, and all the Members of the \nSubcommittee for inviting me to testify today. My name is James \nGrimmelmann, and I am a professor at New York Law School. \nAlthough I am happy to respond to any of the Subcommittee\'s \nquestions on any of its topics, my testimony today will focus \non privacy.\n    The central goal for privacy policy online and on mobile \ndevices must be empowered consumer choice. 
Good privacy \ntechnologies and good privacy laws enable people to choose \nwhether, when and how open they want to be about their lives.\n    I would like to endorse three essential principles for \nmaking real consumer choice a reality. The first is usability. \nA choice that consumers do not know about, cannot find, or \ncannot understand is no choice at all. The second is \nreliability. A consumer who has expressed a choice is entitled \nto expect that it will be respected. And the third is \ninnovation for privacy. Users benefit from good tools to help \nthem manage their privacy.\n    A good example of these principles in action is social \nnetworks. Their value depends on controlled access. 
Everything \nfrom a private email from a mother with advice to her daughter \nin college to a confidential discussion group for recovering \nalcoholics requires sharing with some people, but not with \nothers.\n    The proliferation of social networks with different \ntechnical models of sharing represents innovation for privacy \nin action, but that privacy must also be usable and reliable. \nPeople have lost jobs, been stalked and been splashed across \nthe tabloids because privacy settings on social networks were \ntoo confusing for them to understand.\n    I am particularly concerned about what I have called \nprivacy lurches; sudden and unexpected shifts in a social \nnetwork\'s information-sharing practices. For example, Google \nmishandled the launch of its Buzz social network in 2010. \nWithout clear warning Google exposed the names of users\' email \ncontacts to the world. This made Google Buzz, in one reporter\'s \nwords, a danger zone for reporters, psychiatrists, lawyers, and \neveryone else for whom confidentiality is essential to their \njob.\n    The Buzz rollout violated the principle of reliability. It \nchanged Gmail\'s privacy practices in a way that users could not \nhave anticipated and that was capable of causing significant \nharm to them. A Federal Trade Commission investigation resulted \nin a settlement designed to prevent similar mistakes from \nhappening again. And I have also suggested that privacy lurches \nmay expose companies to legal liability for distributing an \nunreasonably dangerous product.\n    Another example of the principles is online behavioral \nadvertising; the use of unique identifiers known as cookies to \ntrack users and to customize the ads they see. Some users \nappreciate receiving relevant advertising; others find the \ntracking creepy. 
Industry participants recognize this \ndifference in opinions and offer users a choice of whether to \nbe tracked.\n    One of the best ways to ensure that these choices are \nusable and reliable is through innovation for privacy promoting \nthe development of tools that users can use to manage their \ntracking preferences and express them clearly to Web sites and \nadvertisers. The best innovation here has come from Web \nbrowsers, antivirus software, and plug-ins that help users \nblock and delete unwanted cookies. And the current consensus \nprocess to develop a ``do not track\'\' standard is another \nencouraging step.\n    All of these innovations can succeed only if they are \nrespected by Web sites and advertisers. The Federal Trade \nCommission has taken important action against companies that \ncircumvent users\' privacy-protecting technologies, and the FTC \nand Congress should ensure that Web sites are not permitted to \nsecond guess users\' expressed privacy preferences.\n    Thank you for the opportunity to speak with you today, and \nI look forward to your questions.\n    Mr. Goodlatte. Thank you, Professor Grimmelmann.\n    [The prepared statement of Mr. Grimmelmann follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n                               __________\n\n    Mr. Goodlatte. 
I will now begin the questioning of the \nwitnesses.\n    I believe that consumers have the relevant information \nabout--if they have the relevant information about privacy \npolicies, they will make informed decisions about how to allow \ntheir information to be used, and will choose what services to \nuse in part based on their comfort level with those privacy \npolicies. I would like to ask each of you what your \norganization is doing specifically to make privacy policies \nmore transparent and easier for consumers to understand. And we \nwill start with you, Mr. Shipman.\n    Mr. Shipman. Sure. Thank you.\n    The expectations in managing privacy with consumers is a \nnever-ending battle. It is not something that you can simply \ncome out with a particular policy and say, ``Okay, we have \nwritten this as clearly as possible, and we can rest on our \nlaurels.\'\' So this is something that continues to evolve.\n    From the inception of eBay\'s privacy program, we have \nactually created in 1998 a chart, and at the time it was fairly \nsimple, because you could have a chart with three or four \nclassifications or groups of entities that you share \ninformation with.\n    Mr. Goodlatte. I am going to have to get you to get to the \npoint because I have got several questions and several \nwitnesses to answer. So tell us what you are doing right now \nand prospectively.\n    Mr. Shipman. Absolutely. The focus right now is around \nbringing icons, bringing specific logos or vignettes, whether \nit is via video or other types of embracing new technology, to \nbe able to answer questions the customers have. AdChoice is a \nperfect example where we have links there embedded into \nadvertising and through other types of things like that.\n    Mr. Goodlatte. Excellent.\n    Mr. Reed?\n    Mr. Reed. So we have an interesting situation in that we \nrepresent the developers. And so we have been trying to give \ndevelopers tools. 
We have run a series of privacy boot camps \nwhere we spend the entire day focusing on getting a developer \nfrom walking in the door, saying, ``Okay, I need this privacy \npolicy,\'\' to when they walk out the door not only having \nprivacy, but understanding the tools they need to have to have \na narrative with their customers.\n    And very specifically, one of the ones I would like to \nhighlight is our work with Moms With Apps, where we have \ncreated a set of icons that have been adopted by some of the \nprivacy policy generators, including Privacy Choice, and in \ntalks with TRUSTe as well, so the developer can select the \nicons immediately when they build their privacy policy so when \nit shows up for the user, bam, they can see it. It doesn\'t \ncollect information, it doesn\'t link to the Web, or it does.\n    So, one, we have to empower developers; and, two, we are \nworking on building tools to inform our customers what those \nprivacy policies mean.\n    Mr. Goodlatte. Thank you.\n    Mr. Babel.\n    Mr. Babel. Sure.\n    So TRUSTe helps Web sites through a privacy policy \ngenerator generate their first privacy policy. Big companies \nmight have attorneys that do that; small companies, start-ups, \nthree people in their garage need help. Particularly around \nmobile applications we find that is critical. As I mentioned in \nthe testimony, about a third of mobile applications even have a \nprivacy policy today, so we are really trying to help people \nstart by having a privacy policy.\n    The second thing we do is once people have privacy \npolicies, we help make certain that they are good, of high \nquality, clear, transparent, easy to read, easy to understand, \nand that is where we help the company have a certified privacy \npolicy where we say it meets a good high bar, and that the \ncompany is following and actually doing what their privacy \npolicy states.\n    Mr. Goodlatte. Thank you.\n    Mr. 
Reed, many Internet services are free and are monetized \nthrough targeted ads and data collection. How much would app \nprices go up, or what would it cost to use a search engine or \nsocial media Web site if companies were restricted from the \ndata that they could collect?\n    Mr. Reed. Well, I think we have to look at two sets of \nnumbers: One, what is the change in the way that we develop \napps; and, two, when it comes to the actual impact on the \nindustry. If you remove all ads altogether, I think you would \nsee some enormous impacts. If you remove strictly ads that use \ninformation, and you just do context-based ads, the estimates \nrun about 20 percent, a loss of about 20 percent of income for \nthose that are ad supported.\n    The reality is that the model right now, we are looking at \ntrying to make sure that we get apps that we get paid directly \nand supplement through advertising. So it probably would cost \nus about 20 percent of revenue.\n    Mr. Goodlatte. Mr. Babel.\n    Mr. Babel. I think one of the key unique factors in mobile \nversus Web sites, just to point out quickly, is that mobile \nactually has a monetization mechanism where you can go back to \nthe extent that someone were to opt out of ad targeting and go \nback and say, I am limiting the features of this mobile app and \npushing you to a charged version. In the Web site version of \nthe world in that ecosystem, 15 years ago we started giving out \nfree content online, and it would be very hard to go back to \nthat paywall.\n    As we have read industry research, although I haven\'t done \nit ourselves, we have seen similar numbers to those that Morgan \nhas proposed in terms of the drop-off in advertising, but it is \nnot something that we have tracked and have estimated directly.\n    Mr. Goodlatte. Let me ask the three of you what your \ngreatest concerns are about the European Union\'s recent efforts \nto impose a regulatory regime in Europe.\n    Mr. Shipman.\n    Mr. 
Shipman. I think the challenge within the EU is \ncertainly that we are looking for standards that create \ninternational operability, and so any change in one particular \nregion for a global company destabilizes that operability. And \nwhile we certainly have received approval through the binding \ncorporate rules for operations in Europe and used that as our \nglobal standard, changes in that and more restrictions in that \ncertainly make that much more difficult for us.\n    Mr. Reed. We are short on time, so I am going to echo \nChairman Smith when he said the problem we have with it is just \nthe same. We are not two developers in a garage--we are two \ndevelopers in a garage, not two developers and a lawyer. The \ndifference between us and Europe will create a lot of \ndifficulties for our developers.\n    Mr. Goodlatte. Mr. Babel.\n    Mr. Babel. Yes. Our clients, whether they be domestic \nclients or international clients, are challenged by the fact \nthat there are just different requirements by country. And when \nyou are a big company and trying to manage your portfolio of \nWeb sites across users from each different region, it is \nchallenging to implement technologies to address that. It is a \nlot of hard work; it is a lot of hard work up front.\n    And to be honest with you, most companies have not met the \ndeadline for the U.K. Cookie Audit Compliance that was May 25. \nIn fact, most government agencies in the U.K. have not met that \ndeadline as well. So it gives you a sense for the challenges \nthat are involved with this policy implementation.\n    Mr. Goodlatte. Mr. Grimmelmann.\n    Mr. Grimmelmann. As the others have mentioned, the lack of \nharmony across many countries is a significant problem, and it \nleads to situations in which especially the small players have \ndifficulty even finding out all the laws they need to comply \nwith.\n    Mr. Goodlatte. Thank you.\n    The gentleman from North Carolina Mr. Watt is recognized.\n    Mr. 
Watt. Thank you, Mr. Chairman.\n    The Ranking Member of the full Committee Mr. Conyers raised \na difficult issue that I want to ask some questions in here \nrelating to legislation versus self-regulation. The \nAdministration\'s blueprint contemplates baseline legislation \ncomplemented by a self-regulatory model to implement the \nConsumer\'s Bill of Rights. So let me ask a couple of questions \nin this area.\n    Do we, in fact, need a Federal Consumer Bill of Rights or \nsomething maybe not called that, but some Federal baseline in \nthis area to deal with privacy? And if not, two questions \narise. Wouldn\'t that leave it open in this Internet thing, \nwhich clearly is across State borders, for State by State by \nState to enact legislation? And wouldn\'t that leave it open for \nself-regulation, which is okay if people behave, but is not all \nthat enforceable if people do not behave, I guess is the \nquestion?\n    So Mr. Shipman, Mr. Reed, Mr. Babel, and Professor, if you \ncan address those couple of questions in there, I would be \nappreciative to you.\n    Mr. Shipman. Absolutely. And thank you for the question.\n    I think the challenge, as you highlight, is, with self-\nregulation, it leaves customers with uncertainty. eBay has long \nsupported a Federal omnibus privacy bill, and the key reasons \nfor that are largely to provide the small and large businesses \nthat we do business with to provide that level of certainty.\n    Mr. Watt. So you think there should be a Federal standard \nof some kind.\n    Mr. Shipman. Yes, we do.\n    Mr. Watt. Yeah. Okay.\n    Go ahead.\n    Mr. Reed. Yes, we have been active supporters of the NTIA \neffort. And I do think, as we get through this, we should talk \nabout ways that the government can enforce bad behavior. 
I \ndefinitely think that is something where, from in particular a \nsmall business, it is very important to see the government step \nin and bring harsh actions against companies that do violate \npeople\'s privacy, because nothing gets the message clearer to \nour members.\n    Mr. Watt. Of course, the first step is to have a clear set \nof rules about what the standards are.\n    Mr. Reed. Yes, exactly.\n    Mr. Watt. Okay.\n    Mr. Reed. And so, yes on that, good on enforcement.\n    Mr. Watt. Okay.\n    Mr. Babel. I think we have seen at TRUSTe self-regulation \nwork, and work effectively. And, in particular, over the last \nfew years, with the beginnings of the DAA effort around \nAdChoices, you have seen self-regulation accelerate quite \nrapidly in the last few years to reach out and touch consumers \nand give them----\n    Mr. Watt. So what happens in self-regulation if you have \nself-regulation and you or your members or your customers or \nclients don\'t live up to what they agreed? What remedies do I \nhave to enforce that, or who enforces those standards?\n    Mr. Babel. Sure. So, in TRUSTe\'s case, where we certify \ncompanies for good privacy, the first thing we do if there is \nan issue with one of those clients is help them get back into \nalignment with our guidelines for----\n    Mr. Watt. Got that, but----\n    Mr. Babel. If----\n    Mr. Watt [continuing]. My data is already out there at that \npoint. So how do I get a remedy?\n    Mr. Babel. The second thing we do is eliminate them from \nthe program. And, in fact, last year we eliminated----\n    Mr. Watt. That still doesn\'t give me a remedy.\n    Mr. Babel. The third remedy that we have put in place to \nthe extent that there is egregious behavior, is we have, in \nfact, referred people to the FTC. And the FTC has taken action \nin some----\n    Mr. Watt. So there has to be a Federal standard.\n    Mr. Babel. There has--yes, we have----\n    Mr. Watt. Okay. All right. Okay. 
I am----\n    Mr. Babel [continuing]. Refer to it----\n    Mr. Watt. We are back there. All right.\n    Go ahead, Professor.\n    Mr. Grimmelmann. A Federal baseline would first bring \nimportant clarity to the area. And, in addition, all of the \nprocesses of consumer choice and bargaining, where Web sites \noffer bargains to users and explain the tradeoffs, only work if \nthe consumers have an entitlement to their privacy to begin \nwith. If we don\'t have a baseline, then they don\'t need to \nrespect it.\n    Mr. Watt. All right.\n    Now, is there anybody out there in the industry that is \nadvocating for no Federal baseline? Are there any voices out \nthere, or do you all represent pretty much the standard belief? \nIf so, it seems to me we can quit vexing about whether we need \na baseline and start vexing about what we put in the baseline. \nIs that right? Anybody out there got a different opinion about \nthis, I mean, I guess is the question.\n    Mr. Reed. I guess the only nuance that I would add is that \nthe good part about what NTIA is doing--and it will be a lot of \nwork--is that it is being built bottom-up as a multi-\nstakeholder effort, where we are going through long, intense \nmeetings talking about the meanings of words and the \ndefinitions. So it is actually working from the standpoint of \nwhat technology is capable of doing and gives us the option to \nchange it as we become capable of doing new things.\n    So I think it is important that it not be a government-\nimposed, top-down pressure, but it be developed by \ntechnologists as a way to handle when we change our stuff.\n    Mr. Watt. In the meantime, are the laws that are already \nout there--I mean, I assume there are gaps. Are there laws that \nare already out there that provide some kind of protection?\n    Mr. Reed. I would say it\'s more than some.\n    Mr. Watt. Yeah.\n    Mr. Reed. I think the Federal Trade Commission has already \nshown that it has some teeth. 
We obviously have regulation on \nHIPAA. We have regulation Gramm-Leach-Bliley. So, depending on \nwhat kind of data you have, there are more than a fair number \nof regulations.\n    Beyond that, this Committee knows we also have antitrust \nlaws to deal with companies that are large players that \ncavalierly disregard people\'s privacy time and time again. So \nif you can\'t curb behavior through FTC, you can always go and \nlook at antitrust as well.\n    Mr. Watt. Mr. Chairman, my time has expired, but, as I told \nthe Chairman, I am going to have to leave to go over and hear \nJamie Dimon testify in my other Committee. So let me make a \nunanimous consent request before I leave, Mr. Chairman, to \noffer into the record the February 2012 White House green \npaper, ``Commercial Data Privacy and Innovation in the Internet \nEconomy: Dynamic Policy Framework;\'\' number two, a March 2012 \nFTC proposal, whatever, report, ``Protecting Consumer Privacy \nin an Era of Rapid Change: Recommendations for Businesses and \nPolicymakers;\'\' and a March 2012 report, ``Search Engine Use \n2012,\'\' a project of the Pew Research Center.*\n---------------------------------------------------------------------------\n    *The submissions referred to are not reprinted in this record but \nare on file with the Subcommittee and can be accessed at:\n\n---------------------------------------------------------------------------\nhttp://www.whitehouse.gov/sites/default/files/privacy-final.pdf;\n\nhttp://www.ftc.gov/os/2012/03/120326privacyreport.pdf; and\n\nhttp://pewinternet.org/~/media//Files/Reports/2012/PIP_Search_Engine_Use_2012.pdf\n    Mr. Goodlatte. Without objection, those will be entered \ninto the record.\n    And I will turn the Chair over to the Chairman of the \nCommittee.\n    Mr. Smith [presiding]. Mr. Babel, let me address my first \nquestion to you. Actually, you have already answered my initial \nquestion in response to a question by Mr. 
Watt, but I wanted to \nfollow up on the idea of how enforcement worked when it came to \nindividual online businesses that might violate the best \npractices. And you responded to Mr. Watt and said, ultimately, \nif there was a clear violation and there wasn\'t any response, \nyou would refer online businesses to the Federal Trade \nCommission, I think. Have you ever had occasion to do that?\n    Mr. Babel. Yes, we have.\n    Mr. Smith. In how many instances?\n    Mr. Babel. There has been one instance that is in my \nknowledge, one instance in 2008 of a company called Classic \nCloseouts, which----\n    Mr. Smith. And what did the FTC do?\n    Mr. Babel. They took action. It was settled I think late \nlast year with a $2-million-plus finding.\n    Mr. Smith. Okay. And how many online businesses, in your \njudgment, have violated the best practices that you have \nendorsed?\n    Mr. Babel. So, last year in our written testimony we \nprovided something we call the transparency report, where we \nwalk through number of customers and number of certifications.\n    Mr. Smith. Right.\n    Mr. Babel. And each year I think there is two important \ndata points. One is the number of companies that come to us for \ncertification and never get certified because they don\'t pass \nthe standard to begin with. And that is about 8 to 10 percent \nof all the clients that are approaching us for certification \nnever meet the bar. The second thing is that, in last year, 11 \ncompanies violated, kind of, what we think are best practices--\n--\n    Mr. Smith. Okay. And of those 11, you referred 1 to the \nFTC?\n    Mr. Babel. Not last year. The referral to the FTC was in a \nprior year.\n    Mr. Smith. Right. Okay. Thank you, Mr. Babel.\n    Mr. Shipman, let me address a question to you and perhaps \nto Professor Grimmelmann as well. And it is this: We have \nheard, I think, from all witnesses today about the need for \nonline businesses to protect consumer data. 
My question goes a \nlittle bit farther. Should consumers be able to find out what \npersonal data has been gathered about them?\n    Mr. Shipman. Absolutely. And, in fact, within our corporate \nstandards that we have had approved through Luxembourg, that is \na requirement that we meet.\n    Mr. Smith. Okay.\n    Do any of the witnesses today feel that consumers should \nnot or do not have a right to know what personal information \nhas been gathered about them?\n    Okay.\n    Next question is, should consumers be able to opt out of \nthe process that gathers that personal information about them?\n    Mr. Shipman, what do you think?\n    Mr. Shipman. I am going to give you a multipart answer on \nthat one.\n    Mr. Smith. Okay.\n    Mr. Shipman. There are certain components of collection \nthat are required. eBay certainly has financially related \ninstitutions.\n    Mr. Smith. Uh-huh.\n    Mr. Shipman. We process financial transactions as well as \nall kinds of e-commerce transactions and commerce.\n    Data that is essential for the safety, security, antifraud, \nin that area, we cannot allow consumers to opt out of. \nCertainly, for marketing purposes and other types of secondary \nuses, we can allow----\n    Mr. Smith. You would allow them to opt out. Okay. Thank \nyou.\n    Professor Grimmelmann, do you have an opinion on that?\n    Mr. Grimmelmann. In the context of first-party collection, \nwhere the consumer is dealing with a Web site----\n    Mr. Smith. Yes.\n    Mr. Grimmelmann.--Mr. Shipman expresses a very clear and \ncorrect view.\n    Mr. Smith. And you agree with him. Okay.\n    That concludes my questions. The gentleman from Michigan, \nthe Ranking Member of the full Committee, is recognized for his \nquestions.\n    Mr. Conyers. Thank you, Chairman.\n    Mr. Reed, we have heard a lot about self-regulation here--\ntoo much, as far as I am concerned. 
I don\'t know what you think \nthis Committee--what others, not you, think, that we make \nrules, we make laws, we have court decisions, and now we come \nup with a ``let\'s go for self-regulation.\'\' We have been \nhauling--all of the big tech companies have been in and out of \ncourt repeatedly.\n    And so, can you give me a little more confidence about this \nwhole notion of self-regulating?\n    Mr. Reed. Well, I think the first thing we have to look at \nis, does the FTC have enough resources? We start with that. But \nI think you also have to look at continued behavior. There is \ncarrot and stick, right? Industry self-reg is a carrot; do \nthis, and you won\'t get the stick.\n    I think that for small companies, we are usually dependent \non platforms, and we are incredibly responsive to our \ncustomers. Why? Because we are scared of losing them. I think \none of the things that concerns us very much that has been \nhappening in the privacy space is that some of the violations \nhave been actually done by big companies and one in particular. \nYou know, the Chairman brought up Wi-Spy. That trickles down \ninto the sentiment of the regular citizenry.\n    So, yes, I think it is critical that the resources are at \nthe FTC and that the DOJ is willing to step up and go after \nthose who don\'t respond to carrot and don\'t respond to stick.\n    Mr. Conyers. Yeah. But, Mr. Reed, a lot of this privacy--we \ndon\'t even know what is being collected, and we don\'t have any \nway of getting at it. I mean, I see a huge problem still out \nhere, don\'t you?\n    Mr. Reed. Well, I think the question of what is being \ncollected, I think we can actually figure out what is being \ncollected. The larger question is, what happens to it after it \nis collected? What is it combined with? Does that create \nproblems, and are people selling it in a way that is damaging \nor causes harm to people\'s privacy? Does it make it hard for \nthem to get a job? 
Does it make it hard for them to buy a \nhouse?\n    That is really the question. It is not what is collected; \nit is what is done with the collection of that information \nafter, how it is assembled. And those are areas where I think \nthat there can be questions and we should find good answers.\n    Mr. Conyers. Thank you very much.\n    Well, we know what is being collected. Everything. Is there \nanything that they--I mean, that is the nature of the problem. \nI----\n    Mr. Reed. But I think it is worth noting that the Sears \ncatalog had information on people in the 1900\'s. They knew what \nwe were buying. And it is really about what is done to harm \npeople afterwards. That is really the kicker. Because, you \nknow, we all had the Sears catalog as a kid in our house, and \nyou would read it. Sears knew what you bought. They kept a \nrecord of what you bought. That was a good thing. Do you know \nif what they did with that information prevented you from \nbuying a house or prevented you from getting a job or prevented \nyou from getting insurance?\n    Mr. Conyers. Or hurting your credit.\n    Mr. Reed. Exactly.\n    Mr. Conyers. Let me turn to Professor Grimmelmann for a \ncontinuation of this discussion. I mean, this is a very nice \nconversation we are having here with four experts, but, I mean, \nthere is a certain element here of ``let\'s trust everybody to \ndo the right thing.\'\' The FTC is underfunded. Leibowitz, Jon \nLeibowitz, the Chair, comes before us every year and makes the \ncase that they need more resources.\n    How do you see this discussion of giving benefit of the \ndoubt to these huge companies that are collecting what we don\'t \neven--well, from my point of view, it is everything. We go back \nto Sears in 1900. Well, guess what they are doing now, if you \nthink that was something.\n    Mr. Grimmelmann. 
I would like to say that some huge \ncompanies can play an important role in building tools that \nstop other huge companies from gathering lots of data. So, for \nexample, Apple puts significant restrictions in the iPhone that \nlimit the data that apps can collect so that the apps can\'t \ngather location data without the user\'s express permission. And \nMicrosoft, in its most recent version of the Internet Explorer, \nwill be turning on the ``do not track\'\' header by default to \ntell Web sites they should not collect data about users.\n    We can find ways to exploit the competitive process in the \nindustry, to have companies recognize privacy is an advantage \nand help consumers keep personal data from other companies.\n    Mr. Conyers. But there are some that are disregarding the \ntracking instructions of their consumers. You know that.\n    Mr. Grimmelmann. So, the advantage of that is that the \ncompany that disregards the tracking request has now done \nsomething that is explicitly deceiving the consumer and failing \nto respond to the request, rather than just taking advantage of \ntheir ignorance, which gives the FTC a surer basis for action.\n    Mr. Conyers. Thank you, Mr. Chairman.\n    Mr. Smith. Thank you, Mr. Conyers.\n    The gentleman from Pennsylvania, Mr. Marino, is recognized \nfor his questions.\n    Mr. Marino. Thank you, Mr. Chairman.\n    I am going to start with Mr. Shipman. And let\'s back the \nbus up here a little bit, if you would, please. And if anyone \nhas anything to add to it, just chime in.\n    Let\'s start back with the scenario, a parent is having a \npersonal conversation with their son or daughter who is off to \ncollege; or one corporation is having a confidential exchange \nof information with another corporation concerning, let\'s say, \na merger. 
Once I hit that send button, let\'s educate the people \nof where does that go and how many people or how many entities \nhave access to that even when I hit the delete and the other \nside hits the delete? Do you understand my question?\n    Mr. Shipman. Yeah, sure. Basically, your question, just to \nquickly summarize, is, when you hit send on an email, how many \ndifferent entities could it possibly end up with.\n    Mr. Marino. Even after I delete it.\n    Mr. Shipman. Sure, sure.\n    To me, the biggest challenge here--I mean, there are many \nchallenges. eBay is not an ISP; we actually don\'t provide \nemail, but I am knowledgeable enough to be able to provide a \nfew comments.\n    One of the toughest components here is access where you \nhave other governmental agencies or law enforcement or other \nrequests where the consumer may have no knowledge of that \ninformation being requested. Beyond the technology components, \nit had been deleted within the systems, within service \nproviders, within a custodial relationship----\n    Mr. Marino. Okay, I understand the law enforcement aspect \nof it. I have been a part of it for 19 years. So just give me \nyour best estimate on how many entities would have that \ninformation.\n    Mr. Shipman. Go ahead.\n    Mr. Reed. I think, let\'s break it into two camps. Is your \nservice a cloud-based, or are you just going from my company to \nyour company? If you are going company to company, not too many \nentities in between will hold on to it.\n    But he raises the key point, which is a part of ECPA reform \nin these questions, is that law enforcement has stepped in to \nplace collection points in the process----\n    Mr. Marino. Okay, let\'s exclude law enforcement for a \nmoment.\n    Mr. Reed. If you exclude law enforcement, company to \ncompany, not much. If it is company to cloud provider and back, \nthen the cloud provider does have access to that information at \na certain level. Most----\n    Mr. Marino. Okay. 
Now, if several entities, even if it is \ncompany to company, how long does that individual or that \nentity have that information? Until they just delete it?\n    Mr. Shipman. So, once an email or other piece of data is \nreceived, it is within that--if it is a responsible company, \nthey have a data classification and data retention policy. So, \ndepending on the classification of that data, it may be 7 days, \nit may be 7 years.\n    Mr. Marino. All right, I am going to jump to the next one \nthen. Who best can answer this: What would prevent an employee \nfrom obtaining that information and sharing it?\n    Mr. Reed. It depends on their status in the corporation. \nSomebody who has the keys to the kingdom, so to speak, the \nnetwork nerd in the closet, he is going to have all of it.\n    Mr. Marino. So my point is----\n    Mr. Reed. Right.\n    Mr. Marino [continuing]. People have access to it and can \nuse it nefariously, correct?\n    Mr. Reed. Yes. And that is--yes.\n    Mr. Shipman. There is an important consideration here, \nwhich is, there are tools that certain companies, certainly \neBay being one of them, deploys which do monitor and track \naccess to information within the organization. So not only are \nemployees based on permission have access or don\'t have access \nto information, but also if there is anomalous activity, it is \ndetected, reported, and prevented.\n    Mr. Marino. Mr. Babel and then Professor, maybe you can \ngive me a quick answer on this. I am an individual that \nquestions ``do we want the Federal Government involved?\'\' In \nfact, I take the position that the Federal Government spends \ntoo much time in our lives to begin with.\n    So give me, Mr. Babel, if you can, please, give me your \nopinion based on the fact that--can the industry police itself? \nI have a little problem with the fox setting rules and \nregulations for the henhouse. 
But give me a scenario, if you \nwould, contrast them, policing itself and needing Federal \nregulations.\n    So if you both could answer that, please. Mr. Babel?\n    Mr. Babel. Sure. So I think that it is--you know, TRUSTe \nhas self-regulatory programs. The key asset that we have is our \nband of consumers. So if we aren\'t living up to the standard of \nmaking certain that people who no longer follow the standards \nare out, like, for us, it is the whole company we are betting. \nOur credibility is the key, meaning the program and its \ncredibility.\n    I think when it comes to legislation, one of the things \nthat I am concerned about is just, you know, what are the \nunintended consequences of legislation? If you look at \nsomething like CAN-SPAM, even that was a law that was well-\nwritten, well-adopted, but at the end of the day, 90 percent of \nemail is still spam. It is not the law that eliminated the spam \nin your inbox, it is technology.\n    Mr. Marino. I am running out of time here.\n    Professor?\n    Mr. Grimmelmann. I think that the companies you are most \ngoing to want Federal intervention for are the ones who are not \nTRUSTe members who are engaged in shady, gray-area marketing, \nthat conceal their tracks, click fraud, all kinds of shady \ndeals that are trying to rip consumers off.\n    Mr. Marino. Okay. Thank you.\n    I yield back. Thank you.\n    Mr. Goodlatte [presiding]. I thank the gentleman.\n    The gentleman from Florida, Mr. Deutch, is recognized for 5 \nminutes.\n    Mr. Deutch. Thank you, Mr. Chairman.\n    Mr. Babel, you said that 59 percent of people believe that \ntheir information is protected. You touted that number. Four in \n10 people are concerned that their information is not \nprotected, I presume is the balance of that analysis, the \nbalance of that polling.\n    I just want to talk about the self-regulation piece of \nthis, which a number of you had talked about. 
You have a \nprogram, a privacy program, which, if I understand what you are \nsaying correctly, if a company adopts it, then they receive \nyour certification. Is that right?\n    Mr. Babel. Correct.\n    Mr. Deutch. And has that certification been given to the \nlargest companies? And what Mr. Shipman described sounds like a \nreally terrific privacy policy, which I will ask about in a \nminute. But do they have your certification on their privacy \npolicy?\n    Mr. Babel. They are our client, yes.\n    Mr. Deutch. And do all of the--I mean, do the biggest, just \nthinking about those companies with market dominance, does \nGoogle have a certification, does Facebook have a certification \nfrom you for their privacy policies?\n    Mr. Babel. One of the things we look at is the top 100 Web \nsites listed by a company called Alexa that is based on \nconsumer traffic. And we have about 50 percent of those top 100 \nclients. So we have good penetration but certainly not all----\n    Mr. Deutch. All right. So just again, thinking about the \nones that we use most often, does Google have a certification \nand does Facebook have--for their privacy policy.\n    Mr. Babel. Google is not a certified client of TRUSTe, and \nneither is Facebook. We do work with them in some different \nareas, but they are not certified clients of our program.\n    Mr. Deutch. And, Mr. Reed, when you talked about the \ninformation to be collected, you said we should know what data \nis being collected, who we are sharing it with, and being \ntransparent with customers.\n    Mr. Babel, is that a part of your certification? Do you \nlook at each of those?\n    Mr. Babel. Yeah, if we were to think of the highest three \nlevels of the certification, the business needs to first be \ntransparent, meaning tell people what they are collecting, you \nknow, if they are sharing it, how long they are holding onto \nit. They need to give choice; would you like to not have that \ndata being collected? 
And they need to be accountable to that \nchoice.\n    So, yes, the tenets of what Morgan outlined are what----\n    Mr. Deutch. And I am sorry, I don\'t--unfortunately, I don\'t \nknow--I am learning a lot today, but I don\'t know well enough \nthe relationship between TRUSTe and some of the other \ncompanies. What is it? I mean, when you say you have worked \nwith some of these other companies but they don\'t have the \ncertification, do you suggest to them what is missing? Or when \nit comes to those three items that we just discussed, when you \nlook at a company with real market dominance, like Google, for \nexample, or like Facebook, is there one of those three that \nthey might be missing? Are there certain things that we ought \nto be considering?\n    Mr. Babel. Think of it as, it is a totally different effort \nthat we are working on with them. I will give you the example \nwith Google. They have a business-to-business app marketplace, \nwhere a business owner using Gmail can download an application. \nWe certify those applications, but it is in a partnership with \nGoogle. So it is not related to, kind of, the three core \ntenets. We don\'t work with them in our core certification \nbusiness. It is kind of a separate, adjacent thing.\n    Mr. Deutch. So I guess what I am really getting at is, when \nyou talk about self-regulation and the success of self-\nregulation, for a company, any company that has real market \ndominance, is that sufficient to rely on? Do the 40 percent of \nconsumers who are concerned their information is not kept \nprivate, should they be satisfied with the privacy policies \nestablished in a self-regulatory environment, if not every \ncompany regulates themselves the same way?\n    Mr. Reed, you look like you want to jump in.\n    Mr. Reed. Well, I think you have to look at behavior. You \nknow, eBay is sitting here. They have a pretty good track \nrecord so far on privacy. 
A lot of our developers use their \nPayPal system to enable app purchases. It has worked out pretty \nwell. We haven\'t had those.\n    So I think your question about the size of the company is \nnot the first test. The first test is, what are they doing? And \nif a company with dominance has the power to take it and kind \nof thumb their noses at consumers, well, then, yes, I think \nthat is the kind of time where you have to start taking a look \nand you have to start asking harder questions.\n    So it is not the size as much as it is the behavior that \nreally triggers this.\n    Mr. Deutch. Well, Mr. Reed, I mean, you are more familiar \nwith the industry than I am. Are there any companies that you \nthink are thumbing their nose at these privacy issues?\n    Mr. Reed. Well, I mean, I think we have heard the name \nseveral times; everybody has been talking about it. I think \nGoogle has--Google\'s privacy violations to date have certainly \nraised a lot of concern. I think it is the ironic; you know, it \ngot so bad that the Jon Stewart show, ``The Daily Show,\'\' \nactually made fun of it on WiFi. So that----\n    Mr. Deutch. Mr. Reed----\n    Mr. Reed [continuing]. Harms all of us.\n    Mr. Deutch. Mr. Reed, I am almost out of time. Of the three \nthings that you point out--know the data being collected, who \nit is being shared with, and being transparent with those \ncustomers--which of those three do you think is most often \nbeing ignored by any company that might be thumbing their nose \nat these privacy issues?\n    Mr. Reed. I think in the case of Google, I think the \nproblem is that they haven\'t been transparent with what they \nwere doing. I think that was very clear on Wi-Spy. It was clear \non the Buzz settlement. They haven\'t been transparent. And I \nthink that is an area that they need to improve or regulators \nneed to step in.\n    Mr. Deutch. All right. Thank you.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Goodlatte. 
I thank the gentleman.\n    The gentleman from Utah, Mr. Chaffetz, is recognized for 5 \nminutes.\n    Mr. Chaffetz. Thank you. Thanks, Mr. Chairman.\n    And thank you for all for being here. I appreciate it.\n    I wanted to highlight the idea that the Internet, the tech \nsector is actually something in our economy that is working. \nYou are looking at growth in jobs and expansion of our economy, \nthis is one sector that is thriving.\n    One of my concerns is, while we have these deep-seated \nneeds to make sure that privacy is protected, that we are \nprotecting consumers, I think, Mr. Chairman, we also need to be \nultra-careful in making sure that we don\'t convolute the \nprocess to a point where young entrepreneurs, new startups, \naren\'t able to start because there is such a mass of regulation \nand uncertainty.\n    I do question the notion that the FTC is the right \norganization. I wonder--we talk a lot about the teeth of the \nFTC, but we can probably count on one hand where they have \nactually taken action. And so I think that begs the question \nof, should this be done in part by statute so that we can use \nArticle III Courts, as opposed to the FTC, which would be much \nmore readily available to a consumer or an individual. It is \njust something, Mr. Chairman, that I think we need to continue \nto explore, because I am not convinced the FTC is the end-all, \nbe-all.\n    I am also concerned that if we have multiple jurisdictions \nhere--the Consumer Financial Protection Board, for instance--\nyou are going to end up much like in the financial sector where \nyou have conflicting rules and regulations.\n    I think it is also important that the Congress stand up for \nitself and not allow an Administration--I don\'t care which \nparty it is involved with--allow just simple rulemaking to push \nthrough the process and not allow the back and forth and the \ndiscussion that would happen in Congress. 
I think we have been \nfailing on that front in general.\n    There are a couple other areas that I would like you to \naddress. And our time is so short here, but, Mr. Chairman, I \nthink one of the things we have to further explore if we are \ngoing to truly look at privacy is how do we deal with minors. \nYou know, my 11-year-old arguably knows more about using the \napps and the Internet than most people three, four, five times \nher age.\n    We are going to also have to deal with the national versus \nthe international aspect and scope, which is obviously for the \nneed and the genesis of SOPA. That issue has not gone away. We \nare still losing billions of dollars overseas, and we are going \nto have to deal with that.\n    The other area that I am really trying to focus on and I \nwould like you to address--I didn\'t come to just give a big \nspeech--I would like you to actually address is, I think \nAmericans have a reasonable expectation of privacy. But how do \nwe define that? One of the things that I think we have to look \nat is airspace. It is reasonable that if somebody walked down \nyour front yard, they could look at your front yard and see \nyour mailbox and your shrubs and whatnot. As we expand out and \nstart to use drones and satellites and other types of who knows \nwhat kind of technology, what is the reasonable expectation of \nprivacy, say, in your backyard or on your private property?\n    And along with that is geolocation. I have sponsored a bill \non this. I think it is going to continue to go on.\n    Would anybody care to address, what is the proper balance \nof airspace? You know, law enforcement use helicopters, right? \nWe have allowed that for a long time; we think that is a good \nthing. But fuel is expensive. It is hard to get a helicopter. \nLaw enforcement can only keep it up for so long. But if you \nhave a drone that is up 24-7 or somebody that is going to--\nwhere is that balance? 
Where is that line?\n    Anybody care to take a stab at that one?\n    Mr. Grimmelmann. I can say a little bit about that.\n    One of the encouraging things about the Supreme Court\'s \ndecision in United States v. Jones is that the Court endorsed \ntwo different kinds of rationales for protecting privacy.\n    One of them, based in the majority, is rooted in the \nhistoric law of trespass. And there, that might signal a \nreinvigoration of the idea that the airspace closely above your \nhome is actually yours and not to be invaded. We have long \naccepted that commercial airlines can fly far overhead, but \nthis might signal an attitude that we should protect your \nsovereignty over your own space close to the ground.\n    And the second, coming from the concurrences, is the so-\ncalled mosaic theory that continuous observation over a long \nperiod of time can ultimately build such a complete portrait \nthat it does invade one\'s expectation of privacy.\n    Mr. Chaffetz. And I guess that is one of the challenges, \nMr. Chairman, we face. Because he is right; in the Jones case, \nwhich is in large part what our legislation is modeled after, \nis this idea that there is a toggling between an individual\'s \nmovements on private property and out in the public space.\n    Look, technology can be great. It can be so useful and make \npeople\'s lives better. But how do we actually craft something \nwithout ruining the industry? That is the fundamental question.\n    I don\'t know if the other three care to jump in here.\n    Mr. Reed. We have a phrase in the office. We say, ``nobody \nwants technology at the speed of government.\'\' And that is the \nproblem that the question that you point out raises.\n    You know, I speak as me, not as ACT. I would be totally \ncreeped out having a drone fly above my house all the time, 24/\n7, watching my backyard. 
That is me; I am not speaking on \nbehalf of our members.\n    But by the same token, a plane flying overhead isn\'t the \nproblem. So we have to look at the behavior question, really. \nThe plane flying overhead has an intent. It is going from point \nA to point B. It doesn\'t intend to be looking in my backyard. \nThe drone positioned over my house watching everything that \nhappened and whether or not I mowed the lawn on Sunday has the \nintent of watching what I am doing.\n    So I think that part of what--part of how we need to look \nat what technology empowers is, what is the intent of the \nperson who is putting that technology in place? What do they \nwant out of it? And that helps us guide the question of what is \nappropriate airspace in certain aspects that allows for \nwireless transmission to happen without impeding it with a lot \nof government regulation.\n    Mr. Shipman. Yeah, if I could just add, I think, you know, \nthe work that eBay and a number of other organizations have \ndone in really framing what should Federal omnibus privacy law \nlook like really focuses--and Mr. Reed used the word \n``intent\'\'--it is use, it is use-based obligations.\n    With data, there is an intended use and there is an \nobligation that needs to come with that intended use. And you \ncan look at each type of use: Is it fulfillment? Is it \nproviding a service? Is it flying from point A to point B? And \nwith that data collection and use comes obligation.\n    Mr. Chaffetz. Mr. Chairman, with all due respect--my time \nis well past gone--I would appreciate the industry continuing \nto look at this, because I think it is an incomplete answer. It \nis not sufficient enough to say that is the intent, because \nwhat does a celebrity, for instance, in southern California do? \nYou can see TMZ putting drones up trying to follow celebrities \nin their 10-mile zone--that is what ``TMZ\'\' stands for, \nright?--24-7.\n    So intent is not sufficient enough. 
I think the industry \nhas also got to catch up on how to help us define that, because \nCongress has the ability to ruin people\'s lives, and I would \nrather not see that happen.\n    I yield back.\n    Mr. Goodlatte. I thank the gentleman.\n    The gentlewoman from California, Ms. Lofgren, is recognized \nfor 5 minutes.\n    Ms. Lofgren. Thank you, Mr. Chairman.\n    And as Mr. Chaffetz has indicated, I have some reluctance \nto see Congress weigh in on these issues in a heavy regulatory \nmanner because we don\'t work at Internet speed, we work at a \ndifferent speed. And, you know, that is a good thing. I mean, \nwe can\'t make mistakes quickly. But, certainly, the technology \nwill move much faster than we can. And so I have been \ninterested in how industry might establish standards that \nprevent a heavy regulatory load.\n    And along those lines, I am wondering how this process is \nworking relative to the recent decision on Internet Explorer to \nmake the default ``do not track.\'\' I understand that there--\nand, certainly, Microsoft has the right to do that. Has that \nhad an impact on the industry-wide effort to reach consensus on \n``do not track\'\' or not?\n    Professor, could you answer that question?\n    Mr. Grimmelmann. So, the decision has been discussed within \nthe working group that is building the standard. Some of the \nparticipants in that group, including representatives from \nGoogle, Yahoo, and Adobe, have taken the position that Internet \nExplorer should be defined to be noncompliant such that Web \nsites could say, I think you are using Internet Explorer, \ntherefore I am not going to honor your ``do not track\'\' \nrequest. And I think this is simply an attempt to sabotage the \nstandard. It won\'t work if Web sites can second-guess the \nuser\'s statement, I don\'t want to be tracked.\n    Ms. Lofgren. Well, the question, I guess, is for me, what \nis the default? What kind of transparency is available to the \nuser? 
And, also, what kind of accountability is there if the \nuser\'s choice is, in fact, not honored by the person \nrepresenting the choice?\n    And I guess the question is, who owns this data? Maybe that \nis something that does need to be established in law, that the \nindividual has an opportunity to enforce their own choices. Do \nyou think that is an approach that would be helpful for \nCongress to take?\n    Mr. Grimmelmann. The default right now is that Web sites \ncollect but offer the user an opportunity to opt out. I think \nusers should have the opportunity to choose tools that protect \ntheir privacy by saying, ``Do not collect,\'\' and if Web sites \ndisagree with that choice, they can communicate with the user \nand say, ``Here are the benefits we could offer you if you \nturned tracking on.\'\'\n    Ms. Lofgren. Right. And that is--for example, I use \nFirefox. I don\'t know why, but I have always used it. And I \nhave ``do not track\'\' turned on in my Firefox because that is a \nchoice I want to make. But it means that there are some things \nI can\'t do on Firefox, which is a decision I have made.\n    Isn\'t it just--wouldn\'t it solve our problem in the \nInternet world if we were just transparent to users and gave \nthem enforceable choices?\n    Mr. Grimmelmann. Yes.\n    Ms. Lofgren. Now, let me ask about the--you know, Mr. \nChaffetz, great minds think alike. I was also thinking about \nthe drone issue. And I am told that in August the FAA is \nactually going to do some rulemaking on what drones can \ncollect, which is kind of an odd regulatory role.\n    Recently, the FTC had a workshop on the use of facial \nrecognition technology. Because this isn\'t just an online \nphenomenon. I mean, you go into every store in America, \npractically, and there is a camera that is taking pictures of \nthe shoppers. And with facial recognition technology, you can \nnow aggregate data about individuals, who they are. 
And, I \nmean, that is an immense amount of data that we I don\'t think \nhave any rules about.\n    What are your thoughts on that?\n    Mr. Reed. Well, the good news is that technology industries \nhave actually been thinking on that. There are actually trade \nassociation efforts to develop best practices. And probably the \nbest example I have seen to date on this is, strangely enough, \nKinect by Microsoft. They put together an incredibly \ncomprehensive program prior to putting the Kinect in your \nhouse. And you would say, well, why would that matter? But you \nrealize, they are essentially facing a camera from the \ntelevision at you. And so they did an entire privacy-by-design \nprior to launching Kinect strictly on the question of facial \nrecognition.\n    So the good news is smart people are starting the day \nsaying, ``how do we deal with this?\'\'\n    Ms. Lofgren. Well, but the issue is--and we have plenty of \nFourth Amendment rules for the government, and that is \nimportant, I mean, obviously. But what we are talking about \nhere is not the government but the private sector----\n    Mr. Reed. Right.\n    Ms. Lofgren [continuing]. Which we celebrate. I mean, the \nprivate sector is the job creator of our country, the engine of \neconomic growth. And yet, the capacity to know everything about \nindividuals because of technology that has been deployed, and \nyet individuals may not even be aware that their picture is \nbeing taken with facial recognition technology. They may have \nabsolutely no privacy.\n    And I don\'t think we have any standards that are set for \nthat use of big data. I mean, correct me if I am wrong.\n    Mr. Shipman. No, actually, I think in that regard the \nonline and mobile spaces are arguably doing a better job----\n    Ms. Lofgren. Yes.\n    Mr. Shipman [continuing]. At communicating what information \nis collected and how it is used. 
And I think that, as we see \nthese technologies move into retail, that certainly companies \nlike eBay that work with retail partners can form that \npartnership and can educate and help them with their use and \ntheir need to know their customer and how to balance that \nappropriately.\n    Ms. Lofgren. I know my time is up, but I would just say \nthat, you know, we need to have rules--individuals have to have \nthe ability to enforce their understandings, either through the \nFTC or through private rights of action. But we have not really \nlooked at all to the non-online issues that may be even more \nsevere than what people are paying attention to. Because \neverybody who goes online knows it is an issue. Nobody knows \nthat the drone is in the sky or that the corner grocery is \ncollecting their data.\n    Mr. Reed. No, you are exactly right. And we all saw in the \nretail space that Target knew a young lady was pregnant before \nshe had been able to tell her family. And that was not the \nonline data collection at all; that was strictly from the \nretail store. So you are exactly right.\n    Ms. Lofgren. Thank you, Mr. Chairman. My time is up.\n    Mr. Goodlatte. I thank the gentlewoman.\n    The gentlewoman from Texas, Ms. Jackson Lee, is recognized \nfor 5 minutes.\n    Ms. Jackson Lee. I thank the Chairman very much.\n    And I thank all the witnesses for their testimony.\n    And I follow my colleague from California with the same \nquizzical concern about the extensiveness, the vastness of the \nissues dealing with Internet use and the concerns that we now \nhave facing the American public or the world public. And so I \nwant to raise some questions on that issue.\n    But before I do that, Mr. Reed, do you know the apps that \nare from Houston?\n    Mr. Reed. I do. We have more than a few. 
From your \ndistrict, we actually have--oh, there is a great app built by \nan African-American woman in your district who actually won the \nchallenge grant from challenge.gov that helps people look up \nthe average pay for the jobs they are applying for and helps \nthem negotiate in their favor, because it tells them the public \ndata, what the average rate of pay is. And it is an app, so you \nwalk into your job interview and you know----\n    Ms. Jackson Lee. And you are well-informed. Do you have \nsome others that you can either refer us to or print out for \nus?\n    Mr. Reed. Absolutely. But that one in particular was one \nthat was really remarkable.\n    Ms. Jackson Lee. It is remarkable and probably gives \nshockwaves to future employers. But I appreciate that.\n    Let me stay on the line of reasoning of my questions about \nprivacy and use. Two examples. First, on the front page of the \nWeb site CNET, there is a moving story of a paralyzed man who \nuses his eyes to tweet. This story demonstrates the enormous \npotential of the Internet.\n    How can this man be secure in knowing that when he uses a \nWeb browser like Internet Explorer and chooses ``do not track\'\' \nthat his instructions will be followed and not ignored?\n    Who wants to take that question? Professor?\n    Mr. Grimmelmann. The important part there is that once ``do \nnot track\'\' is standardized, I hope that Congress and the FTC \nwill see fit to treat that as an enforceable practice, either \nunder the principles of contract law or as a deceptive trade \npractice. A consumer\'s request not to be tracked should be \nhonored.\n    Ms. Jackson Lee. And how long--or what should we do to move \nthat standardization forward in terms of the industry, to move \nforward on the standardized practice?\n    Mr. Grimmelmann. Fortunately, the working group that is \ndiscussing it has an active and aggressive schedule. 
As long as \nthey are aware that Washington is watching and hoping for them \nto succeed and waiting for the results, I think that is the \nmost important thing you can do now.\n    Ms. Jackson Lee. So you would say contract law, and what \nwould be the other enforcement?\n    Mr. Grimmelmann. The FTC\'s ability to prohibit unfair and \ndeceptive trade practices.\n    Ms. Jackson Lee. And my concern would be, what are we doing \nnow? But I appreciate what you are saying is that we are on the \nright track.\n    Let me also add this question. I appeared this morning \ndiscussing another topic, which is immigration reform, on C-\nSPAN, but a question was raised before I came on. In a Google \nofficial report by Dr. Dorothy Chou on the alarming number of \nrequests for government censorship, the United States was \nnumber one.\n    But the question is, the government has a special role and \nresponsibility. What should Congress\' role be in monitoring, \npermitting or opposing censorship by the government? I will go \nto the professor, but I would like some others to chip in.\n    Mr. Grimmelmann. So, law enforcement requests come from a \nwide variety of sources, government both in the United States \nand abroad. And so the role of Congress there is, in part, to \nmonitor the requests coming from the United States entities \nand, in part, also to work with U.S. companies over the \npressure they are receiving from foreign governments to censor \nand to help give them the protection and reassurance of the \nUnited States Government that we support free expression around \nthe world.\n    Ms. Jackson Lee. But are you saying we make statements? I \nmean, because it is--we are asking to protect what we are \ntransmitting. So the point is that the government is making \nthese points that they need to, in essence, protect what they \nhave.\n    Mr. Grimmelmann. 
There was a conversation that has been \ngoing on for a number of years over global Internet freedom \nprinciples, and part of that is in a discussion about possibly \nlegislating responsibilities for United States companies to be \ntransparent about their degree of compliance or resistance to \nforeign censorship attempts. Google\'s transparency about \nrequests it receives was actually quite helpful in \nunderstanding the pressure that governments put on our \ncompanies to do their dirty work.\n    Ms. Jackson Lee. I think that is a very sensitive question \nthat is appropriate for a congressional review.\n    Let me go to Mr. Babel to talk of the challenges of privacy \nas you established your company.\n    Mr. Babel. Sure. The challenges are really in helping \ncompanies and consumers kind of meet that best practice of \nwhere there is trust by consumers that the companies are doing \nthe right thing. So our kind of sole role for existence is \nhelping clients, customers understand what best practices \naround privacy really are and helping them prove to consumers \nthat they are doing the right thing with their, you know, \npersonal information. So that is what TRUSTe is really there in \nhelping the ecosystem know and understand and balance that \ntrust relationship between business and entities.\n    Ms. Jackson Lee. Are your customers bankers or banks?\n    Mr. Babel. There are a few banks, but it is really more \nfocused on more online companies and technology companies. And \nwe assist banks with other regulations that they have.\n    Mr. Goodlatte. Thank you. The time of the gentlewoman has \nexpired.\n    Ms. Jackson Lee. I yield back.\n    Mr. Goodlatte. The gentleman from Georgia is recognized for \n5 minutes, Mr. Johnson.\n    Mr. Johnson. Thank you, Mr. Chairman.\n    And I must admit that I was just a little disturbed, Mr. \nReed, when you kind of left me out of the equation. 
I am \nsitting here right in front of you, closest to you; we could \nalmost breathe on each other. And you didn\'t mention any apps \nfrom----\n    Mr. Reed. I can talk about your app. It is good. I will \ngive you it right now. It is a great app that allows you to pay \nfor your parking spot with your mobile phone. It is actually \none that a lot of us already use. It is called Parkmobile. It \nis a great app. Lets you pay for parking with your mobile \nphone. There you go.\n    Mr. Johnson. Oh, I tell you, thank you.\n    I also found one from Decatur, which is where I represent, \nPing, a subsidiary of Ping Media Group, Incorporated. It is a \nprovider of mobile coupons and promotions which enable \nretailers and vendors to communicate directly with their \ncustomers via mobile phones.\n    And then I got another one. A young man, 17 years old, his \nname is Albert Renshaw, out of Gwinnett County, which I also \nrepresent. He has developed Apps4Life--A-P-P-S-4, the number, \nL-I-F-E--which offers WiFi texting without a wireless \nconnection. And I thought those were pretty good.\n    But I will now get into the meat of my concern. A breach in \nsecurity protocol by a company such as eBay that exposes \nprivate customer information to the public could result in \ndeath or grievous bodily injury to a customer whose private \ninformation was divulged wrongfully. The consumer certainly has \na right to recover damages for his or her injury, or their next \nof kin for their death. I am sure you all would not disagree \nwith that. And they have a right to seek a recovery in a court \nof law. But one of the--and that is one of a consumer\'s basic \nrights.\n    But that right is being chipped away at with these \nmandatory pre-dispute arbitration--mandatory arbitration \nclauses in these consumer agreements, which prohibit the \nindividual, the aggrieved party, from being able to sue in \ncourt. 
Instead, they are forced into mandatory arbitration \nwhere the arbitrator is selected by the company. The arbitrator \nmay or may not be a lawyer. The arbitrator does not operate in \na public courtroom, but it is a private, secret proceeding, \nmaybe held miles away, hundreds and thousands of miles away, \nfrom where the aggrieved party actually lives.\n    There are no rules of Federal procedure, rules of civil \nprocedure, rules of evidence, and no jury trial. You know, the \narbitrator decides the issue, and then once the arbitrator \ndoes, there is no right to an appeal. This is a private system \nof adjudicating disputes which consumers sign up for a consumer \nagreement without any knowledge of the gravity of what they are \ngiving up.\n    Mr. Shipman, what do you think about that? Does your \ncompany have to sue sometimes other competitors for various \nthings in a court of law? And do you think that it is important \nthat consumers have the right to take their matter to court as \nwell?\n    Mr. Shipman. So, certainly the scenario you paint is an \nawful and terrible scenario for that family and one that I \nwould hope that we never encounter.\n    I think there are two important points here. The first is, \nwhat are the terms that the company has with a customer? And--\n--\n    Mr. Johnson. What does?\n    Mr. Shipman. What are the terms. Is there an arbitration \nprovision or not.\n    Mr. Johnson. Yeah.\n    Mr. Shipman. And----\n    Mr. Johnson. Do you know whether or not you have that in \neBay?\n    Mr. Shipman. In the case of eBay, we actually have a number \nof choices for our customers, depending on the size of the \nclaim. If it is a financial-related claim, it may be available \nto small claims action. If it is a larger claim, then certainly \nyou can bring that case. 
We don\'t have that arbitration \nprovision that would prevent someone from being able to be \nheard and, you know, have their day in court.\n    The second theme that you talk about is information \nsecurity and the protection of information. And, certainly, you \nknow, a responsible company has thousands of people devoted to \nmaking sure that the information that is entrusted with us is \ntaken care of appropriately. Because the last thing we want, \ncertainly, is that scenario that you paint, because that is \nawful for not only our business but also for our customers.\n    Mr. Johnson. Well, certainly. And it is not that the \ncompany would intend for any harm to come to one of its \ncustomers because of a breach. It could happen, though, pretty \neasily given the fact that this marketplace is in its earliest \nstage of development and growth and mistakes can be made along \nthe way with various applications. Something may have a bug \nthat needs to be worked out. And it is definitely possible for \nsomeone--let\'s say, a woman whose husband or boyfriend, you \nknow, wants to do some damage to them and, due to a breach of \ninformation, is able to follow through with that, either, you \nknow, character-wise or reputation-wise or either coming to the \nhouse and cutting her up into a million pieces. You know, it \ncould happen.\n    And if it does happen, then if eBay decides that, okay, \nthis claim is not worth that much, then it will go through a \ncertain procedure, and if it is deemed by eBay to be larger \nthan that, then it goes into--then the person has a right to go \nto court. Is that what we are talking about?\n    Mr. Shipman. Well, you know, again, I mean, very awful \nscenarios that you are painting. But----\n    Mr. Johnson. But, I mean, it is true. Anything might \nhappen.\n    Mr. Shipman. Nonetheless--and, certainly, we can follow up \nwith you afterwards. 
We would love to work with you.\n    You know, our clause allows consumers to decide what the \nremedy--you know, what avenue they have available to them. We \ndon\'t limit all claims to arbitration. So I think that is, you \nknow, the salient piece.\n    Mr. Johnson. Okay.\n    Mr. Shipman. The second thing is, on this issue of a \nsecurity breach, what we have seen to date--and I can\'t \nsummarize and you don\'t want me to summarize all of the \nlegislation and the caselaw--but what we have seen to date is, \nwhere there is a harm--and in the cases that you are providing, \nthere are clear harms--then it is likely, I believe, that you \nwould see damages be appropriate. Where we have seen no harm--\nno financial identity theft, no physical harm--the cases that \nwe have seen generally tend to say that there is not liability \nin that regard.\n    Mr. Johnson. I understand.\n    Professor Grimmelmann, your response, sir, or insight?\n    Mr. Grimmelmann. I agree with him that where there is \nphysical harm to the individual who has been hurt as a result \nof the breach, then, yes, the courts are available, and they \nhave been willing to hear those suits.\n    I am concerned somewhat that the breaches that do not \nresult in immediate provable harm but nonetheless reduce the \ninformation security for all of us by leaking financial \ninformation on many consumers that can lead to acts of identity \ntheft that can\'t specifically be tracked back to that one \nindividual breach have resulted in harm not provable in a court \nof law, and so, therefore, there is no redress against it.\n    This is why data-breach notification laws and other efforts \nto shine a light on this and enforce basic information security \npractices against industry participants are important.\n    Mr. Johnson. Uh-huh. Class action litigation could play a \npart in deterring willful misconduct that could ensue.\n    Mr. Goodlatte. The time of the gentleman has expired.\n    Mr. Johnson. 
I noticed that red button has been on ever \nsince I started talking, so I don\'t know how long I have gone, \nMr. Chairman. But it doesn\'t seem like 5 minutes, though.\n    Mr. Goodlatte. Without objection, the gentleman will be \nrecognized for 1 additional minute to sum up his ideas.\n    Mr. Johnson. Thank you.\n    Yeah, class action litigation, where a number of people \nhave suffered just a small amount of harm, but the class action \nlitigation, which can result in a verdict of some importance in \nterms of the amount, could act as a deterrent and is good for \npublic policy, in my opinion.\n    What would be your response to that, Professor Grimmelmann? \nBecause I don\'t want to--I don\'t want to personalize this with \neBay. eBay is no different than all of the other entities out \nthere that are very popular with consumers. So I will ask you, \nProfessor.\n    Well, I will ask Mr. Reed. What do you think?\n    Mr. Grimmelmann. This is an area----\n    Mr. Johnson. Go ahead. Go ahead.\n    Mr. Grimmelmann. This is an area in which you are concerned \nabout arbitration, which is extremely important, and this is \nalso an area in which class-action litigation has been \nimportant for privacy. Facebook has recently settled a lawsuit \nover its marketing a commercial product using individuals\' \npictures to say, ``James just watched `WALL-E.\' Don\'t you want \nto watch it, too?\'\' to their friends. And a class-action \nlawsuit resulted in a $10 million settlement.\n    Mr. Johnson. Thank you.\n    Mr. Goodlatte. The time of the gentleman has expired again.\n    Mr. Johnson. Thank you, Mr. Chairman.\n    Mr. Goodlatte. 
And having allotted him 10\\1/2\\ minutes on \nhis 5 minutes of time, I am going to take the privilege of \nasking a clarifying question for the witnesses.\n    To me, self-regulation means companies publish their \npolicies, and then if they engage in deceptive practices by not \nfollowing those policies, then under existing law the Federal \nTrade Commission would have the authority to take action for \nfalse advertising or whatever the case might be.\n    What I want to know for sure here is, does anyone here \nbelieve that the Federal Government should impose a one-size-\nfits-all regulatory approach or that the Federal Government \nshould proscribe specific privacy policies to specific \ncompanies or in general?\n    Mr. Shipman?\n    Mr. Shipman. No, I don\'t think the government should draft \nspecific privacy policies. I think we should leave that to \nindustry and those that are innovating the services and \ntechnology.\n    Mr. Goodlatte. Thank you.\n    Mr. Reed?\n    Mr. Reed. Exactly the same. I agree completely. That is not \nthe position the government should be in.\n    Mr. Goodlatte. Mr. Babel?\n    Mr. Babel. I would agree, and also agree with your view \nthat self-regulation with, kind of, a proper backdrop with the \nFTC is a good program to continue.\n    Mr. Goodlatte. Mr. Grimmelmann?\n    Mr. Grimmelmann. I agree that government should not \nregulate specific privacy policies. It should make sure that \nconsumers have effective notice of what those policies are and \nhave enforcement when those promises are broken.\n    Mr. Goodlatte. Thank you very much. That definitely is \nclarifying information from all of you.\n    I would like to thank all of our witnesses for their \ntestimony today. 
This has been a very informative hearing.\n    And, without objection, all Members will have 5 legislative \ndays to submit to the Chair additional written questions for \nthe witnesses, which we will forward and ask the witnesses to \nrespond as promptly as they can so that their answers may be \nmade part of the record.\n    And, without objection, all Members will have 5 legislative \ndays to submit any additional materials for inclusion in the \nrecord.\n    And, with that, I again thank all of our distinguished \nwitnesses.\n    And the hearing is adjourned.\n    [Whereupon, at 12:02 p.m., the Subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n       Response to Post-Hearing Questions from Scott R. Shipman, \n      Associate General Counsel, Global Privacy Leader, eBay Inc.\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n         Response to Post-Hearing Questions from Chris Babel, \n                    Chief Executive Officer, TRUSTe\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n      Response to Post-Hearing Questions from James Grimmelmann, \n            Associate Professor of Law, New York Law School\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Prepared Statement of the Consumer Electronics Association (CEA)\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'