[Senate Hearing 112-785]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-785
 
THE NEED FOR PRIVACY PROTECTIONS: IS INDUSTRY SELF-REGULATION ADEQUATE? 

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 28, 2012

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation

                         U.S. GOVERNMENT PRINTING OFFICE 

81-711 PDF                       WASHINGTON : 2013 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 




       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, 
JOHN F. KERRY, Massachusetts             Ranking
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 JIM DeMINT, South Carolina
MARIA CANTWELL, Washington           JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey      ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas                 JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri           ROY BLUNT, Missouri
AMY KLOBUCHAR, Minnesota             JOHN BOOZMAN, Arkansas
TOM UDALL, New Mexico                PATRICK J. TOOMEY, Pennsylvania
MARK WARNER, Virginia                MARCO RUBIO, Florida
MARK BEGICH, Alaska                  KELLY AYOTTE, New Hampshire
                                     DEAN HELLER, Nevada
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                     John Williams, General Counsel
             Richard M. Russell, Republican Staff Director
            David Quinalty, Republican Deputy Staff Director
   Rebecca Seidel, Republican General Counsel and Chief Investigator



                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 28, 2012....................................     1
Statement of Senator Klobuchar...................................     1
Statement of Senator Ayotte......................................     2
Statement of Senator Rockefeller.................................    45
Statement of Senator Thune.......................................    48

                               Witnesses

Bob Liodice, President and CEO, Association of National 
  Advertisers, Inc. on Behalf of The Digital Advertising Alliance     3
    Prepared statement...........................................     5
Alex Fowler, Chief Privacy Officer, Mozilla......................    12
    Prepared statement...........................................    14
Peter Swire, C. William O'Neill Professor of Law, The Ohio State 
  University.....................................................    19
    Prepared statement...........................................    21
Berin Szoka, President, TechFreedom..............................    29
    Prepared statement...........................................    31

                                Appendix

Statement of Computer & Communications Industry Association......    55


THE NEED FOR PRIVACY PROTECTIONS: IS INDUSTRY SELF-REGULATION ADEQUATE?

                              ----------                              


                        THURSDAY, JUNE 28, 2012

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m. in room 
SR-253, Russell Senate Office Building, Hon. Amy Klobuchar, 
presiding.

           OPENING STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Call the hearing to order. Thank you, 
everyone, for being here. There are a few other things going on 
in Washington, so Senator Ayotte and I are chairing this 
hearing. I wonder why.
    [Laughter.]
    Senator Klobuchar. But I know Chairman Rockefeller will be 
here soon. And I think you all know this is a very important 
subject to this committee. I see that Senator Thune is also 
here with us.
    This is an important issue for the future of commerce in 
the U.S., and more and more of our daily lives, as we all know, 
as I checked Twitter and Facebook already this morning, more 
and more of our daily lives are connected to the Internet.
    I believe that consumers need to have a larger voice when 
it comes to their online experience and their data, and that is 
why Chairman Rockefeller has worked with the FTC to create 
Federal policy that protects consumers' data online. And I hope 
that this committee will continue to work together to find the 
appropriate legislative balance.
    I'm also pleased to see the efforts of the industry to 
self-regulate its practices regarding data collection and 
tracking. And I believe that industry actions are moving this 
privacy conversation forward in a positive way.
    I hope we'll be able to work together in the Commerce 
Committee on consumer data privacy legislation going forward. 
And I would also like to commend the FTC and the Department of 
Commerce for keeping these issues in the forefront this year.
    We always have to be as sophisticated as those that are 
trying to play around with some of the rules. And I think that 
we have tried to track that, but, most importantly, we've also 
worked with the industry to track that.
    So, with that, Senator Ayotte, would you like to say a few 
words?

                STATEMENT OF HON. KELLY AYOTTE, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Ayotte. I would. Thank you, Madam Chair.
    Last month, in this committee, we had the opportunity to 
hear from the FTC on privacy, so I look forward to hearing an 
additional perspective from the witnesses that are here before 
us today. So thank you for being here with us, including 
representatives from the technology and advertising industries 
and experts from the academic community.
    This debate centers on how online information is legally 
collected and disseminated for commercial usage. It's critical 
that we first understand this process before we begin to debate 
how privacy should be regulated or legislated.
    This field is evolving so rapidly that we must proceed 
cautiously and carefully before diving into any legislation. It 
is imperative that any legislation we consider guarantees that 
usage of collected data is not hampered by overly restrictive 
and burdensome Federal and regulatory policies.
    As we all know, e-Commerce is a vibrant, thriving sector of 
the global economy. The Information Technology and Innovation 
Foundation estimated that the annual global economic benefit of 
the commercial Internet is $1.5 trillion. This is more than 
medicine, investment in renewable energy, and government 
investment in R&D combined.
    The Internet generates at least $300 billion of economic 
activity annually, accounting for an astonishing 2 percent of 
the United States GDP.
    The Kelsey Group estimates that Internet advertising, which 
was $45 billion in 2007, is expected to grow to $147 billion by 
the end of 2012. These statistics are just the tip of the 
iceberg and will continue to grow exponentially.
    However, we are not here today to talk about statistics. 
The broader point here is that we are seeing the online world 
flourish, and that reality dictates that we find the proper 
balance between ensuring e-commerce has the tools it needs to 
thrive, innovate, and create jobs, and making sure our 
regulatory climate is one that provides adequate consumer 
safeguards.
    As we all know, Microsoft set off quite a firestorm when it 
announced Internet Explorer 10 will have its ``do not track'' 
component default set to opt out of tracking. Whether or not 
this is the best policy shouldn't be up to Congress to 
determine.
    The beauty of living in a free enterprise society is that 
the market has a way of determining what works and what does 
not, and what is popular with consumers and what is not. And at 
the end of the day, there is enough competition in the 
marketplace for consumers to have the opportunity to decide 
what works best for them without congressional interference.
    Last, we must also acknowledge that there are certain 
benefits to data collection for consumers. For instance, we all 
enjoy free e-mail, countless free streaming videos, and free 
news services, just to name a few of the free online benefits 
that consumers enjoy. This is all possible because the 
collection of data leads to targeted advertising to pay for 
these services, and, more importantly, consumers choose to use 
these services because they value them.
    I know that some members of this committee are aggressively 
calling for stringent privacy legislation. But as I mentioned, 
we must not act too quickly or haphazardly, and we need to be 
thoughtful in our approach in striking a proper balance.
    This is a fast-moving field, and I'm concerned that hastily 
written legislation could be outdated by the time the ink dries 
and it becomes law.
    I look forward to a robust discussion today with our 
distinguished panel. And I yield back the balance of my time. 
Thank you, Madam Chair.
    Senator Klobuchar. Thank you very much.
    Now we're going to hear from our panel of witnesses. I will 
introduce them all and then have them give their opening 
statement.
    First, Mr. Bob Liodice, who is the President and CEO of the 
Association of National Advertisers.
    Second, Mr. Alex Fowler, who is the Global Privacy and 
Policy Leader with Mozilla.
    Third, Mr. Peter Swire, who is the C. William O'Neill 
Professor of Law with Ohio State University.
    And then, fourth, Mr. Berin Szoka, who is the President of 
TechFreedom.
    Thank you all for being here, and we will begin with Mr. 
Liodice. Thank you.

          STATEMENT OF BOB LIODICE, PRESIDENT AND CEO,

  ASSOCIATION OF NATIONAL ADVERTISERS, INC. ON BEHALF OF THE 
                  DIGITAL ADVERTISING ALLIANCE

    Mr. Liodice. Good morning, Senators. Thank you for the 
opportunity to be here, and thank you for your opening remarks.
    My name is Bob Liodice. I am President and Chief Executive 
Officer of the Association of National Advertisers, also known 
as the ANA. We were founded in 1910, and our membership 
includes 460 member companies that represent over 10,000 brands 
that collectively spend over $250 billion every year in 
marketing, communications, and advertising.
    Today, I am pleased to testify on behalf of the Digital 
Advertising Alliance, also known as the DAA. The DAA is a 
nonprofit organization of leading companies and trade 
associations, including the ANA, the American Association of 
Advertising Agencies, the Direct Marketing Association, the 
Interactive Advertising Bureau, the American Advertising 
Federation, and the Network Advertising Initiative. 
Collectively, these associations represent over 5,000 
corporations.
    And my written testimony provides greater detail, but 
please let me highlight a few key points.
    Let me begin by stating very clearly: our self-regulatory 
system works.
    I've learned a long time ago not to confuse effort with 
results. Senators, we have results that few, if any, can claim. 
We have built and implemented a system that is operating and is 
effective.
    Four years ago, we began this journey when 5,000 companies 
came together, recognizing the enormity and complexity of the 
challenge. We agreed that the pathway to success was through a 
highly perfected and enormously effective self-regulatory body.
    It was created in 1971. It's administered by the Council of 
Better Business Bureaus. It is heralded by many Federal Trade 
Commission chairs as one of the best self-regulatory processes 
in the U.S. It's dynamic. It's fluid. It's evolutionary. And 
it's respected. And it is beyond reproach and without peer.
    The DAA was built from this self-regulatory body to tackle 
the challenges and complexities of interest-based advertising, 
and to address the concerns that you all expressed through 
legislators, agencies, privacy groups, and consumers.
    And we have succeeded. Our business system was created from 
a disciplined, seven-prong strategy that has had significant 
marketplace impact that has been enormously successful in a 
very short span of time.
    Those seven planks are principles that were crafted and 
approved in July 2009, which includes consumer education, 
enhanced notice, innovative choice mechanisms, data security, 
sensitive data protection, consent for policy changes, and, 
most importantly, enforcement.
    The second plank is monitoring. And that required an 
investment to ensure compliance with our principles that were 
established in 2009.
    Importantly, the third plank is reporting to ensure that we 
can provide the necessary information to enforcement bodies.
    And then following that is accountability, to ensure that 
those people who are with our program are absolutely compliant.
    We've created the fifth plank, which is enforcement.
    Sixth is education, which I will talk about in just a 
moment.
    And then, seventh, and something that we don't always give 
a lot of credence to: it's evolutionary. To address the point 
that you made about technology before, this is continuing to 
evolve. And we have to be on our game to keep up with the pace 
of changes that are taking place.
    As I said at the beginning, I've learned a long time ago 
not to confuse effort with results, but we have both. The 
system is operational. It works and works well. Our 
effectiveness is rapidly growing. And we're structured to 
evolve to address new challenges.
    Let me address some of the progress that we've made. The 
existing DAA program clearly shows the merits of self-
regulation. It is easy for consumers, and it works. As this 
committee is aware, the cornerstone of the DAA program is our 
ubiquitous advertising icon, which appears right in the chart 
over here.
    Consumers can click on this icon to access more information 
in a simple, universal tool for existing choice, as shown here. 
Through this choice tool, consumers can opt out for all 
participating companies with a single click or can opt out for 
specific companies.
    All the DAA's self-regulatory principles are backed by 
robust enforcement mechanisms through the Council of Better 
Business Bureaus and the Direct Marketing Association.
    Several key milestones: The icon is licensed by hundreds of 
companies and served in over a trillion ad impressions each 
month. We believe that virtually all U.S. consumers are being 
exposed to the icon and offered choice.
    More than 1 million consumer opt-outs have been registered 
under the DAA principle since January 2011, which clearly shows 
that the program is enabling consumers to exercise their 
individual choices.
    Next, the DAA's release tools have enabled persistent 
consumer choices in Chrome, Firefox, and Internet Explorer 
browsers, and these tools respond to concerns that consumers 
could unintentionally change their preferences by erasing 
cookies.
    And last, we believe that consumers need to be educated 
about the program. So in January 2012, the DAA launched a major 
consumer education program, designed by McCann Erickson 
Worldwide, with a brand new website at www.YourAdChoices.com 
that features educational videos and access to DAA's uniform 
choice mechanism. This website is averaging over 1 million 
visitors each month.
    We've done a lot. We've accomplished a lot. And a lot of 
that is embodied in the recognition that we received from the 
White House and the FTC in a ceremony here in February.
    Thank you for inviting me to testify before the Committee. 
And I look forward to any questions you may have.
    [The prepared statement of Mr. Liodice follows:]

 Prepared Statement of Bob Liodice, President and CEO, Association of 
    National Advertisers, Inc. on Behalf of The Digital Advertising 
                                Alliance
    Chairman Rockefeller, Ranking Member Hutchison, and Members of the 
Committee, good morning and thank you for the opportunity to speak at 
this important hearing.
    My name is Bob Liodice. I am President and Chief Executive Officer 
of the Association of National Advertisers (``ANA''). Founded in 1910, 
ANA's membership includes 457 companies with 10,000 brands that 
collectively spend over $250 billion every year in marketing 
communications and advertising. ANA strives to communicate marketing 
best practices; lead industry initiatives; influence industry 
practices; manage industry affairs; and advance, promote, and protect 
all advertisers and marketers. Today, I am pleased to testify on behalf 
of the Digital Advertising Alliance (``DAA'') and to report to the 
Committee on the substantial progress of our Self-Regulatory Program.
    The DAA is a non-profit organization of leading companies and trade 
associations including the Association of National Advertisers (ANA), 
the American Association of Advertising Agencies (4A's), The Direct 
Marketing Association (DMA), the Interactive Advertising Bureau (IAB), 
the American Advertising Federation (AAF) and the Network Advertising 
Initiative (NAI). The DAA was formed to administer and promote the 
Self-Regulatory Principles for online data collection. The ANA has 
played a leading role in these efforts since their inception.
    My testimony today will describe how the online advertising 
industry has successfully worked to give consumers transparency about 
online data collection practices and to create easy, uniform, and 
effective tools for consumers to control online data collection. DAA 
participating companies recognize that consumers may have different 
preferences about online advertising and data collection in general, 
and want to build consumer trust in the online experience by ensuring 
that consumers have meaningful choices about how data is collected and 
used.
    The DAA appreciates the Committee's interest in exploring how 
consumer privacy concerns should be balanced with consumers' desire for 
innovative products and services. We believe that industry self-
regulation, coupled with consumer education, is the best way to strike 
this balance. Our standards support both privacy and innovation by 
enabling consumers to make intentional choices about online data 
collection and use. Industry self-regulation is flexible and can adapt 
to rapid changes in technology and consumer expectations, whereas 
legislation and government regulation, particularly in such a rapidly-
developing area, can stifle innovation. The business community has a 
strong incentive to enforce self-regulation against participating 
companies and I will be explaining how accountability is built into our 
Self-Regulatory Program.
Benefits of Online Advertising
    The Internet is a tremendous engine of economic growth. It has 
become the focus and a symbol of the United States' famed innovation, 
ingenuity, inventiveness, and entrepreneurial spirit, as well as the 
venture funding that flows from these enormously productive and 
positive efforts. Simply put: the Internet economy and the interactive 
advertising industry create jobs. A 2009 study found that more than 
three million Americans are employed due to the advertising-supported 
Internet, contributing an estimated $300 billion, or approximately 2 
percent, to our country's GDP.\1\ There is employment generated by this 
Internet activity in every single congressional district.\2\
---------------------------------------------------------------------------
    \1\ Hamilton Consultants, Inc. with Professors John Deighton and 
John Quelch, Economic Value of the Advertising-Supported Internet 
Ecosystem, at 4 (June 10, 2009), available at http://www.iab.net/media/
file/Economic-Value-Report.pdf.
    \2\ Id. at 53.
---------------------------------------------------------------------------
    Advertising fuels the Internet economic engine. The support 
provided by online advertising is substantial and growing despite the 
difficult economic times we are presently facing. In 2011, Internet 
advertising revenues reached a new high of $31 billion, an impressive 
22 percent higher than 2010s full-year number.\3\
---------------------------------------------------------------------------
    \3\ Interactive Advertising Bureau Press Release, ``Internet Ad 
Revenues Hit $31 Billion in 2011, Historic High Up 22 percent Over 2010 
Record-Breaking Numbers'' (April 18, 2012) (reporting results of 
PricewaterhouseCoopers study).
---------------------------------------------------------------------------
    Because of this advertising support, consumers can access a wealth 
of online resources at low or no cost. Revenues from online advertising 
facilitate e-commerce and subsidize the cost of content and services 
that consumers value, such as online newspapers, blogs, social 
networking sites, mobile applications, e-mail, and phone services. 
These advertising-supported resources have transformed our daily lives.
    Interest-based advertising is an essential form of online 
advertising. As the Committee knows, interest-based advertising, also 
called online behavioral advertising (``OBA''), is delivered based on 
consumer preferences or interests as inferred from data about Internet 
activities. Consumers are likely to find interest-based advertisements 
more relevant to them, and advertisers are more likely to attract 
consumers that want their products and services. Websites also benefit 
because interest-based advertising garners better responses, allowing 
websites to earn more revenue--and support more content and services--
with fewer advertisements. Advertisers have demonstrated that they 
believe that interest-based advertising is particularly effective by 
paying higher rates for such ads.
    Interest-based advertising is especially vital for small businesses 
because it is efficient. Smaller advertisers can stretch their 
marketing budgets to reach consumers who may be interested in their 
offerings. Smaller website publishers that cannot afford to employ 
sales personnel to sell their advertising space, and may be less 
attractive to large brand-name advertising campaigns, can increase 
their revenue by featuring advertising that is more relevant to their 
users. In turn, advertising-supported resources help other small 
businesses to grow. Small businesses can use free or low-cost online 
tools, such as travel booking, long-distance calling, and networking 
services, to help them run their companies.
    Recent research highlights the importance of interest-based 
advertising. In a recent congressional hearing on ``Internet Privacy: 
The Impact and Burden of EU Regulation,'' Professor Catherine Tucker of 
the MIT Sloan School of Management testified about the effect on 
advertising performance of the European Union's e-Privacy Directive, 
which limits the ability of companies to collect and use behavioral 
data to deliver relevant advertising. Professor Tucker's research study 
found that the e-Privacy Directive was associated with a 65 percent 
drop in advertising performance, measured as the percent of people 
expressing interest in purchasing an advertised product. The study also 
found that the adverse effect of such regulation was greatest for 
websites with content that did not relate obviously to any commercial 
product, such as general news websites. We believe that by creating a 
worldwide marketplace of relevant and timely advertising, competition 
and innovation are also enhanced.
    In general, the data used for interest-based advertising is not 
personally identifiable, except when consumers choose to provide 
personally identifiable information. Nevertheless, the industry 
recognizes and respects that some consumers may prefer not to receive 
such advertising or to have data collected about their Web browsing 
even on an anonymous basis. I will be updating the Committee on our 
industry's tremendous efforts to make sure that consumers have 
transparency about online data collection and can exercise control over 
their preferences--including opting out, if they so desire.
II. Browser-Based Choice Mechanisms
    Over the last three and a half years, the DAA has worked with a 
broad set of stakeholders with significant input from businesses, 
consumers, and policy makers to develop a program governing the 
responsible collection and use of Web viewing data. The DAA has 
championed a balanced approach that both accommodates consumers' 
privacy expectations and supports the ability of companies to deliver 
services and continue innovating. This balance is essential to allow 
consumers to continue to enjoy the diverse range of websites and 
services subsidized by relevant advertising. Recognizing that DAA 
members must also provide consumers with appropriate transparency and 
choices, industry has spearheaded the self-regulatory process with the 
support of leading companies.
    The DAA's work led to an event in February at the White House where 
the Chairman of the Federal Trade Commission, the Secretary of Commerce 
and White House officials publicly praised the DAA's cross-industry 
initiative. The White House recognized our Self-Regulatory Program as 
``an example of the value of industry leadership as a critical part of 
privacy protection going forward.'' \4\ At that event, the DAA 
committed to honor browser settings that enable the use of data to 
continue to benefit consumers and the economy, while at the same time 
providing consumers with the ability to make their own choices about 
the collection and use of Web browsing data.
---------------------------------------------------------------------------
    \4\ Speech by Danny Weitzner, We Can't Wait: Obama Administration 
Calls for A Consumer Privacy Bill of Rights for the Digital Age 
(February 23, 2012), available at http://www.whitehouse
.gov/blog/2012/02/23/we-can-t-wait-obama-administration-calls-consumer-
privacy-bill-rights-di
gital-age (last visited March 16, 2012).
---------------------------------------------------------------------------
    However, a recent technology announcement from Microsoft includes 
requirements that are inconsistent with the consensus achieved over the 
appropriate standards for collecting and using Web viewing data. The 
DAA is concerned that this unilateral decision by one browser maker may 
ultimately significantly narrow the scope of consumer choices, undercut 
thriving business models, and reduce the availability and diversity of 
the Internet products and services that millions of American consumers 
currently enjoy and use at no charge. The resulting marketplace 
confusion will not benefit consumers, and will profoundly adversely 
impact the broad array of advertising-supported services they currently 
widely use. In fact, as we will now detail, it is only the DAA program 
that provides a comprehensive set of interest-based privacy choices to 
consumers, greater consumer education and information, enforcement 
activities, and true consumer empowerment in the area of OBA privacy.
III. Industry Self-Regulation of Online Data Practices
A. Implementation Update on DAA's Self-Regulatory Principles
    The DAA's Self-Regulatory Program for online data collection amply 
demonstrates the merits of industry self-regulation. The DAA, as noted, 
is comprised of the six leading advertising and marketing trade 
associations: the ANA, the 4A's, the DMA, the IAB, the AAF and the NAI. 
Collectively, these trades represent more than 5,000 U.S. corporations 
across the full spectrum of businesses that have shaped and participate 
in today's media landscape.
    Our trade associations, along with leading companies, released the 
Self-Regulatory Principles for Online Behavioral Advertising (``OBA 
Principles'') \5\ in July 2009. The OBA Principles are a set of 
consumer-friendly standards that apply across the entire online 
advertising ecosystem. They address all of the key elements called for 
by the Federal Trade Commission in its 2009 Staff Report on interest-
based advertising,\6\ namely: (1) consumer education, (2) enhanced 
notice of data practices, (3) innovative choice mechanisms, (4) data 
security, (5) sensitive data protection, (6) consent for retroactive 
material policy changes, and (7) enforcement. The Principles are 
designed to apply broadly to the diverse set of actors that work 
interdependently to deliver relevant advertising intended to enrich the 
consumer online experience. Together, these Principles aim to increase 
consumers' trust and confidence in how information is gathered from 
them online and how it is used to deliver advertisements based on their 
interests. Let me briefly review how the Principles work from a 
consumer's perspective:
---------------------------------------------------------------------------
    \5\ DAA Self-Regulatory Principles for Online Behavioral 
Advertising (July 2009), available at http://www.aboutads.info/
resource/download/seven-principles-07-01-09.pdf.
    \6\ Federal Trade Commission Staff Report, Self-Regulatory 
Principles for Online Behavioral Advertising (February 2009), available 
at http://www.ftc.gov/os/2009/02/P085400behavad
report.pdf.

   First, an advertisement covered by the Principles is 
        identified with the distinctive Advertising Option Icon 
        (``Icon'') (Attachment 1), which appears in the advertisement 
        right where the consumer will notice it. Launched in 2010, this 
        Icon is now a familiar sight across the Internet as a means for 
---------------------------------------------------------------------------
        uniformly providing consumers with transparency and control.

   Clicking the Icon brings up a brief statement about online 
        behavioral advertising, with a link to more information and 
        opt-out choices.

   Interested consumers can click this link to visit 
        AboutAds.info, an industry-sponsored website that provides 
        consumer education and, most importantly, consumer choice. 
        Through this mechanism, a consumer can learn, in real time, 
        which participating companies are currently tailoring 
        advertising to their browser.

   Consumers can elect to opt out from all participating 
        companies through a prominent, single-click button or select 
        individually the companies they want to tailor advertising to 
        their browser. This approach empowers consumers, if they wish, 
        to make an informed and intentional choice to stop collection 
        of information that will provide them with relevant tailored 
        advertising.

    Over the past year, the DAA has achieved several significant 
milestones in its implementation of the Self-Regulatory Program:

   The Icon is being served in over one trillion ad impressions 
        per month.

   We estimate that the DAA program now covers over 90 percent 
        of the online behavioral advertising being delivered, based on 
        the participation of the top 15 U.S. ad networks.

   More than 100 companies are providing choice to consumers 
        via the DAA's universal choice mechanism.

   More than one million consumer opt outs have been registered 
        under the DAA Principles since January 2011.

   Participation in the Program has quadrupled over the last 
        year. Hundreds of companies are licensed to use the Icon 
        (including leading global advertisers like American Express, 
        AT&T, Disney, General Motors and Kraft Foods). Not only is the 
        DAA working directly with large publishers, it has also forged 
        innovative partnerships to enable small business publishers to 
        display the Icon on their websites for free.

   The DAA's AboutAds website (www.aboutads.info) provides 
        consumers with information about online advertising and 
        provides an easy-to-use opt out mechanism. There have been over 
        8 million page views at AboutAds.info since its inception in 
        the fall of 2010, and traffic to the website has increased in 
        recent months as the Icon is more widely adopted.

   In November 2011, the CBBB announced its first enforcement 
        cases. In June 2012, the CBBB announced another round of 
        enforcement cases.

   In December 2011, the DAA began to offer tools that enable 
        persistent consumer opt outs in Chrome and Firefox browsers. 
        The DAA released a persistency tool for users of Internet 
        Explorer in March 2012. These tools respond to concerns that 
        consumers could unintentionally change their opt-out 
        preferences by erasing cookies from their browsers.

   In January 2012, the DAA launched an education campaign to 
        inform consumers about interest-based advertising and how to 
        take greater control of their online privacy. This multi-phase 
        online campaign, designed by McCann Erickson Worldwide, 
        includes banner advertising that directs consumers to the DAA's 
        Icon and links to a new, informational website, 
        www.youradchoices.com, which features three educational videos 
        and a user-friendly consumer choice mechanism. The website has 
        already had over 7.6 million visitors since its launch. With an 
        average of more than a million visitors each month, this is a 
        very promising start. To continue driving traffic to this 
        website, the DAA has already secured over 3 billion donated ad 
        impressions from companies participating in the Program.
B. Evolution of the Self-Regulatory Principles
    Alongside these implementation efforts, the Self-Regulatory 
Principles have continued to evolve in response to emerging policy 
issues. In November 2011, the DAA extended the OBA Principles 
significantly with the release of the Self-Regulatory Principles for 
Multi-Site Data (``MSD Principles''). The MSD Principles establish 
comprehensive self-regulatory standards governing the collection and 
use of ``multi-site data,'' defined as data collected from a particular 
computer or device regarding Web viewing over time and across non-
affiliated websites. This principle applies control beyond opting 
consumers out of receiving targeted ads, and empowers consumers to 
control the collection and use of Web viewing data for other purposes.
    The MSD Principles strike an appropriate balance by targeting 
specific concerns while maintaining the flow of information for 
legitimate uses. For instance, some policymakers have raised concerns 
that data collected for advertising purposes could be used as a basis 
for employment, credit, health care treatment, or insurance eligibility 
decisions. In fact, these are hypothetical concerns that do not reflect 
actual business practices. Nevertheless, industry has stepped forward 
to address these concerns by expanding our guidelines via the MSD 
Principles to clarify and ensure that such practices are prohibited and 
will never occur. This prohibition will help to ensure that consumers' 
browsing histories will not be used against them when applying for a 
mortgage, job, or insurance, or when seeking health care.
    The DAA's record of success demonstrates why industry self-
regulation is so successful. The business community is in the best 
position to craft standards, like the MSD Principles, that respond to 
specific, articulated concerns while allowing beneficial uses of data 
to continue. As recognized by the Federal Trade Commission, limitations 
on collection, often misleadingly referred to as ``Do Not Track'', 
should not be a flat restriction on all collection of all data in all 
contexts.\7\ We agree. We designed the MSD Principles to provide 
consumers with control with respect to their Web viewing data while 
preserving commonly-recognized uses of data, including for operational 
purposes such as fraud prevention, intellectual property protection, 
compliance with law, authentication and verification purposes, billing, 
and product or service fulfillment. The MSD Principles also permit the 
use of data that has gone or will within a reasonable period of time 
from collection go through a de-identification process, or that is used 
for market research or product development. This approach helps ensure 
the continued flow of data that is vital to the workings of the 
Internet and to the consumer online experience.
---------------------------------------------------------------------------
    \7\ FTC Report at 53, available at http://www.ftc.gov/os/2012/03/
120326privacyreport.pdf.
---------------------------------------------------------------------------
    Data collected pursuant to the exceptions listed above provides a 
grand array of consumer benefits. Data supports robust consumer safety 
mechanisms, ranging from fraud detection in financial services to 
prevention of online threats. In addition, the use of data leads to 
continued innovation, which has the potential to offer consumers untold 
benefits. For example, data can be leveraged to provide web-enabled 
smart grid services that enable consumers to obtain actionable 
information that saves them money and lowers energy consumption. The 
MSD Principles also allow companies to use data for market research and 
product development, so that we can keep building tomorrow's Internet. 
Market research and product development actively rely on consumer data, 
not to market directly back to consumers, but to gain broad insight 
about consumers' collective preferences and needs so that businesses 
can better serve their customers.
    We expect that the DAA Self-Regulatory Program will continue to 
adapt over time to respond to changes in technology and consumer 
concerns. Currently, the DAA has convened a subcommittee of its 
Principles and Communications Advisory Committee that is working to 
extend the Principles to the mobile ecosystem. This effort has already 
made significant progress with the active participation of stakeholders 
representing all major elements of the mobile ecosystem.
C. Commitment to Accountability
    For the past 40 years, the advertising industry has distinguished 
itself through its self-regulatory system for independent oversight of 
compliance and public reporting of enforcement actions. In keeping with 
this tradition, a key feature of the DAA Self-Regulatory Program is 
accountability. All of our Self-Regulatory Principles are backed by the 
robust enforcement programs administered by the Council of Better 
Business Bureaus (``CBBB'') and the DMA.
    The CBBB accountability program builds on the successful track 
records of the National Advertising Division, operating since 1971; the 
Children's Advertising Review Unit, operating since 1974; and the 
Electronic Retailing Self-Regulation Program, operating since 2004. 
These programs feature public reporting of decisions and referral to 
government agencies, often to the Federal Trade Commission, of any 
uncorrected non-compliance. They have extremely high voluntary 
compliance rates. In fact, over 90 percent of companies voluntarily 
adopt the recommendations of these programs. Those that do not or 
choose not to participate are referred to the appropriate government 
agency for further review.
    The CBBB administers its Interest-Based Advertising Accountability 
Program under the Advertising Self-Regulatory Council's (``ASRC'') 
self-regulatory procedures. Like other ASRC programs, the CBBB 
Accountability Program generates cases through monitoring, consumer 
complaints and review of news stories and technical reports from 
academics and advocacy groups. The CBBB Accountability Program receives 
weekly reports on technical monitoring of various compliance 
requirements of the Principles. The CBBB Accountability Program's 
technical staff analyzes this data, independently performs further 
research and, where there is a potential compliance issue, initiates 
formal inquiries.
    The CBBB's Accountability Program has brought over a dozen cases 
since November 2011, and has the enviable track record of 100 percent 
industry compliance. The CBBB Accountability Program has focused its 
inquiries on the key concepts of transparency and choice under the 
DAA's Self-Regulatory Principles. In its initial round of cases, the 
Accountability Program investigated whether companies were correctly 
and reliably providing consumers with an effective choice mechanism. 
Cases involved defective links to opt-out mechanisms and opt outs that 
failed to meet the OBA Principles' five-year minimum opt-out period.
    The CBBB Accountability Program's recent decisions provided 
companies with guidance on a range of important compliance issues 
involving the DAA's Transparency and Consumer Control Principles. For 
example, in a case in which a newly-established company was unaware of 
the Principles and therefore out of compliance, the CBBB Accountability 
Program made clear that the Principles cover the entire advertising 
ecosystem and that all companies are expected to comply with these 
requirements.
    The DMA's enforcement program likewise builds on a long history of 
proactive and robust self-regulatory oversight. The DMA's longstanding 
Guidelines for Ethical Business Practice (``Guidelines'') set out 
comprehensive standards for marketing practices, which all DMA members 
must follow as a condition of membership. The DAA Self-Regulatory 
Principles are incorporated into these Guidelines.
    The DMA's Committee on Ethical Business Practice examines practices 
that may violate DMA Guidelines. To date, the DMA Guidelines have been 
applied to hundreds of marketing cases on a variety of issues such as 
deception, unfair business practices, personal information protection, 
and online behavioral advertising. In order to educate marketing 
professionals on acceptable marketing practices, a case report is 
regularly issued which summarizes questioned direct marketing 
promotions and how cases were administered. The report also is used to 
educate regulators and others interested in consumer protection issues 
about DMA Guidelines and how they are implemented.
    The Committee works with both member and non-member companies to 
gain voluntary cooperation in adhering to the guidelines and to 
increase good business practices for direct marketers. The DMA 
Corporate Responsibility team and Ethics Operating Committee receive 
matters for review in a number of ways: from consumers, member 
companies, non-members, or, sometimes, consumer protection agencies. 
Complaints are reviewed against the Guidelines and Committee members 
determine how to proceed. If a potential violation is found to exist, 
the company will be contacted and advised on how it can come into full 
compliance.
    Most companies work with the Committees to cease or change the 
questioned practice. However, if a member company does not cooperate 
and the Committee believes there are ongoing guidelines violations, the 
Committee can recommend that action be taken by the Board of Directors 
and can make case results public. Board action could include censure, 
suspension or expulsion from membership, and the Board may also make 
its actions public. If a non-member or a member company does not 
cooperate with the Committees and the Committees believe violations of 
law may also have occurred, the case is referred to Federal and/or 
state law enforcement authorities for their review.
    The CBBB and DMA programs illustrate how effectively self-
regulation is working and its many benefits, including its ability to 
evolve to meet new challenges.
D. Benefits of Industry Self-Regulation
    The DAA's commitment to self-regulation has put us at the forefront 
of new consumer protection initiatives. The DAA believes that self-
regulation is the appropriate approach for addressing the interplay of 
online privacy and online advertising practices. We appreciate the 
positive recognition of the White House and the Federal Trade 
Commission for our efforts. We believe that our approach has been 
successful in addressing consumer concerns while ensuring that the U.S. 
Internet economy remains vibrant. Self-regulation provides industry 
with a nimble way of responding to new challenges presented by the 
evolving Internet ecosystem. For our information-driven economy to 
thrive and continue as an engine of job creation, self-regulation led 
by industry codes of conduct is the ideal way to balance privacy and 
innovation.
    Based on the DAA's commitment to advancing industry self-
regulation, we are concerned about some of the proposals put forward by 
the Administration and the Federal Trade Commission in their respective 
consumer data privacy frameworks.\8\ In particular, both the 
Administration and the Federal Trade Commission have called for 
comprehensive legislation in the area of consumer data privacy. The DAA 
does not believe that such new legislation is needed at this time. 
There has been no demonstration that legislation is necessary, nor has 
there been any evaluation of the likely impact that legislation would 
have on this leading area of American job creation. The DAA is 
concerned that laws and regulations are inflexible and can quickly 
become outdated in the face of extraordinarily rapidly-evolving 
technologies. When this occurs, legislation thwarts innovation and 
hinders economic growth.
---------------------------------------------------------------------------
    \8\ The White House, Consumer Data Privacy in a Networked World: A 
Framework for Protecting Privacy and Promoting Innovation in the Global 
Digital Economy (February 2012); Federal Trade Commission, Protecting 
Consumer Privacy in an Era of Rapid Change: Recommendations for 
Businesses and Policymakers (March 2012).
---------------------------------------------------------------------------
    Formal rules can also serve as a disincentive to the marketplace to 
innovate in the area of privacy. Companies are increasingly offering 
consumers new privacy features and tools such as sophisticated 
preference managers, persistent opt outs, universal choice mechanisms, 
and shortened data retention policies. These developments demonstrate 
that companies are responsive to consumers and that companies are 
focusing on privacy as a means to distinguish themselves in the 
marketplace. The DAA believes that this impressive competition and 
innovation should be encouraged. New laws or rules could impede future 
developments or discourage companies from continuing to compete over 
privacy features. We believe that the DAA program, which industry has 
already invested millions of dollars to develop, is clearly one of the 
most successful and fastest-developing self-regulatory systems in U.S. 
history and should be allowed to continue to flourish without unneeded 
governmental intervention or legislation at this time.
    Thank you again for inviting me to testify before the Committee. I 
look forward to answering any questions the Committee may have.
                 Attachment 1: Advertising Option Icon

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Senator Klobuchar. Mr. Fowler?

    STATEMENT OF ALEX FOWLER, CHIEF PRIVACY OFFICER, MOZILLA

    Mr. Fowler. Thank you, Chairman Rockefeller and 
distinguished members of the Committee, for the opportunity to 
testify today.
    I am Alex Fowler. I oversee privacy for Mozilla and lead 
our work on Internet-related policy issues.
    Mozilla is an independent global community of people who 
have been working together since 1998 to build a better 
Internet. We're dedicated to promoting openness, innovation, 
and opportunity online.
    Mozilla does not own or operate a search or advertising 
business. Our most popular product is the Firefox Web browser 
used by more than 500 million people.
    As a core principle, we believe the Internet is a public 
resource that must be improved and protected. We also believe 
enabling and maintaining an economic ecosystem is an important 
component of a robust and healthy Internet.
    However, we do not believe that the commercial imperative 
and choice and control are mutually exclusive. They can and 
must coexist through a combination of technical capabilities 
and user-centric business and data practices.
    The public is increasingly uneasy about the extent to which 
their online lives are invisibly profiled, analyzed, packaged, 
sold, and reused to target advertising content and services. 
This is leading a growing number of users to want to understand 
and take measures to control the collection and use of data 
about them.
    We have an opportunity to work together to develop 
innovative mechanisms that address real business challenges and 
empower people to engage in an ecosystem that's both 
sustainable and fair.
    Mr. Chairman, the remainder of my statement briefly touches 
on industry self-regulation, our ``do not track'' feature in 
Firefox, and the ability for industry to provide meaningful 
privacy choices.
    Regarding self-regulation, it's unclear whether industry 
self-regulation by itself is a viable way to allow users to 
understand and control data collected and used about them.
    Consider the following three examples.
    First, industry self-regulation focused on notice and 
choice as a way to inform people to make decisions about which 
sites and services meet their privacy values. Unfortunately, as 
I outline in my written statement, privacy policies have not 
worked to inform or empower users.
    Seals and trust marks are a second example of a self-
regulatory effort to improve transparency online. Research has 
shown that users don't know what trust marks mean, and they 
don't help them distinguish between data practices of different 
businesses.
    Last, we commend the DAA for its considerable work bringing 
together the online advertising industry into its self-
regulatory initiative. While its Ad Choices icon program is an 
important effort, research has shown it still remains unclear 
to users. Many believe that clicking on the icon will trigger 
pop-up ads or invite more advertising. And many more think it's 
related to purchasing advertising space.
    The ad industry's own research shows the number of users 
who use the icon is below four-hundredths of a percent.
    If the consumer wants to opt out, she must first see the 
icon, understand it, and then click on it, and then go to a 
site that offers the chance to find and set opt-out cookies.
    Opt-out cookies are not persistent and can easily be 
deleted by accident or by following recommended security 
practices. And different companies interpret their opt-outs 
differently, rendering them ambiguous in the end.
    My point here is that without input and commitments from 
stakeholders outside of any one industry group, self-regulatory 
efforts that brought us policy, seals, and icons have not 
established public trust and engagement and still invite 
regulation and all the risks of unintended consequences that go 
with it.
    Not all hope is lost from our perspective. We're seeing an 
important shift in self-regulatory efforts away from closed-
door, industry-led efforts to open multi-stakeholder 
approaches. By broadening self-regulation into forums that 
involve all relevant parties, we can hopefully address past 
misses and avoid the need for regulation.
    We need to give this approach time to mature. But in the 
event that multi-stakeholder processes are unsuccessful, then 
it may be necessary to explore regulatory measures.
    Turning my attention to the current state of the ``do not 
track'' feature in Firefox, Mozilla was the first browser to 
implement ``do not track'' in March of last year. ``Do not 
track'' is a signal sent and transmitted by the user via the 
browser to websites. Nine percent of our users have turned on 
``do not track'' in Firefox and 18 percent have it on in our 
mobile browser. Numerous companies already honor ``do not 
track,'' including Twitter, the Associated Press, Jumptap, and 
more are on the way.
    ``Do not track'' does not enforce, break, control, disable, 
or impair any online tracking or personalization technology. To 
make it effective, recipients must breathe life into the signal 
by honoring the user's intent.
    The crucial questions, therefore, become what does the user 
intend by the ``do not track'' signal? What should a site do 
when it receives a signal? These questions are the subject of a 
consensus-driven, multi-stakeholder effort currently underway 
at the World Wide Web Consortium.
    The W3C's tracking protection group includes, among others, 
over 35 leading advertisers, publishers, and technology 
companies. While the group has agreement on most of the 
technical requirements, there are still two competing views on 
what ``do not track'' should mean.
    One is that ``do not track'' means literally what it says--
no third-party tracking of users, whether it's for targeted ads 
or other purposes. The other is that ``do not track'' means no 
targeting, but allows some tracking and collection. Currently, 
the working group is pursuing a middle ground, so stay tuned.
    Last--I only have a little time left--I wanted to share a 
quick point about the value of privacy tools. As long as there 
are incentives for companies to collect lots of user 
information, scale-up, and then bolt on privacy protections 
after the fact, we are unlikely to see users satisfied with the 
promise of privacy tools.
    Instead, privacy by design is a crucial concept for the 
Committee to champion. Privacy by design is an approach that 
addresses user data and privacy implications from the outset. 
And I'd be pleased to come back another time to share more 
about this approach and how it works in the context of the 
technical marketplace.
    In conclusion, Mozilla strives to ensure privacy and 
security innovations support consumers in their everyday 
activities online. But the key for us, and the key for users on 
the Internet, is that it's informed and reasonable choice 
enabled through transparency.
    Thank you, again, for the opportunity to participate today.
    [The prepared statement of Mr. Fowler follows:]

   Prepared Statement of Alex Fowler, Chief Privacy Officer, Mozilla
    Chairman Rockefeller, Ranking Member Hutchison, and Members of the 
Committee, thank you for the opportunity to testify today on the need 
for privacy protections, the status of self--regulation, and Do Not 
Track.
    I am Alex Fowler; I oversee privacy for Mozilla and lead our work 
on Internet--related policy issues. I've spent the last twenty years 
working on privacy as a technology policy analyst here in Washington, a 
consumer advocate, in a start--up developing privacy software tools and 
as a Big 4 consultant advising leading banks, healthcare and technology 
companies.
    Mozilla is a global community of people who have been working 
together since 1998 to build a better Internet.\1\ As an independent 
organization, we are dedicated to promoting openness, innovation, and 
opportunity online.\2\ Mozilla does not own or operate a search or 
advertising business. Our mission is to pursue the interests of users, 
developers and the Web as a whole. Mozilla and its contributors advance 
our goals by making free, open source technologies for consumers and 
developers that reflect these values. Our most popular product is the 
Firefox Web browser used by more than 500 million people worldwide. As 
a core principle, we believe that the Internet, as the most significant 
social and technological development of our time, is a precious public 
resource that must be improved and protected.
---------------------------------------------------------------------------
    \1\ See http://www.mozilla.org for more information about Mozilla, 
its mission and many initiatives.
    \2\ The Mozilla Manifesto is available at http://www.mozilla.org/
about/manifesto.en.html.
---------------------------------------------------------------------------
    We also believe that commerce is a vital and beneficial Internet 
activity. Enabling and maintaining economic ecosystems online is an 
important component of a robust and healthy Internet. However, we do 
not believe that the commercial imperative and user choice/control are 
mutually exclusive. They can and must coexist through a combination of 
technical capabilities and user-centric business and data practices.
    As a privacy professional, I see the Web ecosystem as increasingly 
relying on a guesswork economy. Many of our best and brightest 
engineering minds are hard at work on new technologies to predict and 
deliver what the user wants at just the right moment. They use content 
delivery networks, profiling, tracking, social graphs, and data 
analytics to grasp at tiny clues about us and piece them together to 
guess who we are, where we live, and what we like or want. Just 
recently it was reported that Orbitz presents higher priced hotels 
based in part on the operating system of the user. Apparently Mac users 
spend more on hotels, so Orbitz lists higher-priced rooms for them.\3\ 
These results represent impressive feats of business and technological 
prowess, and the industry reports record growth,\4\ yet they have not 
led to a Web ecosystem where the user is an active and informed 
participant.
---------------------------------------------------------------------------
    \3\ Mattioli, Dana. On Orbitz, Mac Users Steered to Pricier Hotels. 
The Wall Street Journal (June 26, 2012). .
    \4\ Ha, Lyons. Internet Ad Revenue Reaches $31B In 2011, Mobile Up 
149 Percent (IAB Report). TechCrunch (April 18, 2012). .
---------------------------------------------------------------------------
    The public is increasingly uneasy about the extent to which their 
online lives are invisibly profiled, analyzed, packaged, sold, and 
reused to personalize advertising, content and services.\5\ \6\ This 
unease leads many users to want to understand and control the 
collection and use of data about them. We see new online privacy 
protecting services launching every month and privacy browser add-ons 
are growing in popularity. Many of the most popular approaches disrupt 
and are in direct conflict with common business models. Some of the 
tools block interactions between users and sites, third party 
advertising or data brokers.\7\ \8\ This pattern has been likened to an 
``arms race,'' with industry and Web users locked in opposition to one 
another.
---------------------------------------------------------------------------
    \5\ TRUSTe. 2008 study: Consumer attitudes about behavioral 
targeting. (March 2008). .
    \6\ Turow, J. et al., Americans Reject Tailored Advertising and 
Three Activities That Enable It (September 29, 2009). .
    \7\ Lyons, Sean. Privacy Concerns Spark Innovations Among 
Companies, Startups. International Association of Privacy Professionals 
(May 11, 2012). .

    \8\ Several of the most popular add-ons for Firefox are aimed at 
blocking advertising and tracking, including Adblock Plus, Ghostery and 
NoScript. Adblock Plus alone has been downloaded 160 million times, and 
has almost 14 million daily users.
---------------------------------------------------------------------------
    We have an opportunity to break this cycle by working together with 
industry to develop innovative mechanisms that address real business 
and technical challenges and empower people to engage in an online 
ecosystem that's both sustainable and fair.
    Mr. Chairman, the remainder of my statement focuses on the three 
areas you requested in your invitation on the current state of: 
industry self-regulation; our Do Not Track feature in Firefox; and the 
ability for industry to provide meaningful privacy tools.
The Current State of Industry Self-Regulation
    It is unclear whether industry self-regulation, by itself, is a 
viable way to allow users to manage and control data collected and used 
about them by third parties. Any process that does not represent the 
users' interest is unlikely to be successful. Outside of the processes 
undertaken many years ago to develop fair information practices in the 
1980s \9\ and Website privacy policies in the 1990s,\10\ we have tried 
to address current privacy issues either through narrowly construed, 
industry-led efforts or a patchwork of state, Federal and international 
privacy laws.
---------------------------------------------------------------------------
    \9\ OECD Guidelines on the Protection of Privacy and Transborder 
Flows of Personal Data. Organisation for Economic Co-operation and 
Development (OECD) .
    \10\ Privacy Online: A Report to Congress. Federal Trade Commission 
(June 1998). .
---------------------------------------------------------------------------
    In particular, industry promoted the notice and choice model as a 
way to harness the power of the free market to provide the transparency 
needed for people to make individual decisions about which sites and 
services meet their privacy needs. This is an important goal: it is 
clear that different people have very different privacy preferences, so 
ideally they would have the tools they need to make informed choices 
for themselves and their families. Unfortunately, the notice and choice 
approach has some flaws, which have led to failure in the market. Under 
our current model, choice was supposed to be enabled by consumers using 
the sites, services and applications with the privacy notices that best 
reflect their values. Yet privacy notices are a mix of legal and 
technical jargon, impenetrable to all but the most sophisticated. 
Privacy policies are not going away, however. They are required under 
California law. We continue to see new best practices emerge, and the 
process of developing privacy notices for mobile may lead to some new 
innovations. But the original idea that people would read multiple 
privacy policies to decide which sites to visit or buy from has not 
happened. Today, the privacy practices are indistinguishable across 
sites. Privacy policies have not worked to inform or empower users.
    Seals and trust marks are another form of notice that have only 
partially improved privacy online. The Better Business Bureau (BBB) 
offers a seal program.\11\ TRUSTe, which does so, too, has weathered 
some rough years, with findings that the business practices of TRUSTe 
customers are less privacy protective than average.\12\ BBB's and 
TRUSTe's work has been valuable in helping companies clarify their 
privacy practices. However, seals are an approach by business for 
business that has not measured up to the high hopes of empowering 
users' online privacy choices.
---------------------------------------------------------------------------
    \11\ BBB Accredited Business Seal for the Web .
    \12\ Vila, T., Greenstadt, R., and Molnar, D. Why we can't be 
bothered to read privacy policies models of privacy economics as a 
lemons market. In ICEC 2003 Proceedings of the 5th International 
Conference on Electronic Commerce (2003) Pages 403-407.
---------------------------------------------------------------------------
    One of the more recent and visible industry self-regulation efforts 
has focused on online behavioral advertising.\13\ We join many others 
in commending the Digital Advertising Alliance (DAA) for its work to 
bring together the online advertising industry, and the growth of its 
ad-based icon. While the icon program is a good step, it suffers from 
material implementation hurdles \14\ and technological limitations that 
cause it to fall short.\15\ Despite the advertising industry's 
extensive expertise on succinctly communicating complex messages, the 
advertising option icon is incredibly unclear to users.\16\ Many 
believe that clicking on it will trigger pop-up ads or invite more 
advertising, and many more expect that it is related to purchasing 
advertising space.\17\ According to the industry's own research, the 
number of users who use the icon is low: 0.0035 percent click, and only 
1 in 20 of those actually opt out.\18\
---------------------------------------------------------------------------
    \13\ Kaye, Kate. Icon War? Two Behavioral Ad Notice Icons Could 
Confuse. ClickZ (January, 2010). 
    \14\ For example, ``These results suggest that the icons and 
tagline are failing to effectively communicate their purpose to users'' 
in Cranor, Lorrie F. Can Users Control Online Behavioral Advertising 
Effectively? Security and Privacy Economics (March/April 2012).
    \15\ Five technical hurdles described in Mayer, Jonathan R. and 
Mitchell, John C. Third-Party Web Tracking: Policy and Technology. In 
IEEE Symposium on Security and Privacy (2012), page 422.
    \16\ Leon, P. et al., What Do Online Behavioral Advertising 
Disclosures Communicate to Users? (April 13, 2012). 
    \17\ Ibid.
    \18\ Consumer Interactions with Ad Notice. Evidon (2011). 
---------------------------------------------------------------------------
    Since the icon is just a gateway to the industry's current cookie-
based opt-outs, it suffers from drawbacks and fragility. One 
significant challenge is that the mechanism is not persistent because 
it is cookie-based. Users who routinely clear their cookies for 
security or to limit tracking also inadvertently remove their opt-out 
cookies under the current industry self-regulatory program. The Ad 
Choice interface also does not work on all platforms, leaving Mac users 
without a way to opt-out. Opt-outs are also ambiguous: different 
companies interpret their opt-out cookies differently. Some stop 
collecting info about users, while others continue collecting info, but 
stop customizing content and advertising, making their data collection 
practices invisible to users. Finally, opt-out cookies are not a 
scalable option for users. Even if a user requests opt-out cookies for 
all advertisers today, that choice is not extended for new advertising 
companies tomorrow. With this mechanism, users have to keep a vigilant 
eye out for new companies.
    My primary point here is that without input and commitments from 
stakeholders outside of the ad industry, industry efforts like seals 
and the one led by DAA will remain insufficient. They do not establish 
the public trust and engagement needed for success. Such options invite 
stronger measures like regulation and all the risks of unintended 
consequences that go with it.
    We are seeing an important shift in self-regulation away from 
closed-door, industry-led efforts to multi-stakeholder approaches where 
industry, users, academics, service providers, browser providers and 
consumer advocates come together to develop holistic frameworks and 
standards for the protection of privacy.\19\ This is different from 
what has happened in the past where a single industry adopted its own 
unilateral scheme. It is precisely this broadening of self-regulation 
to deliberately involve all relevant stakeholders, combined with FTC 
and Administration support, that will increase chances of success and 
potentially avoid the need for regulation.
---------------------------------------------------------------------------
    \19\ See the NTIA's Multistakeholder Process to Develop Consumer 
Data Privacy Codes of Conduct , as well as Mozilla's comments to the 
National Technology and Information Administration, .
---------------------------------------------------------------------------
    Many of these new discussions are occurring in the World Wide Web 
Consortium (W3C) Tracking Protection Working Group.\20\ Despite 
dialogue that could sometimes be characterized as atypically aggressive 
(for standards working groups) and even personal at times, the process 
has been open, transparent, and inclusive. The group consists of over 
35 leading companies,\21\ including advertisers, publishers, and 
Internet companies, together with consumer advocates, industry trade 
associations, academics from the U.S. and Europe, and independent 
experts. The discussions have been productive so far. The group is 
committed to following a consensus-based approach to achieve a protocol 
that everyone can live with.
---------------------------------------------------------------------------
    \20\ See the Tracking Protection Working Group page .
    \21\ See the Tracking Protection Working Group participants list 
.
---------------------------------------------------------------------------
    As a member of the W3C group, we remain optimistic that the process 
will produce a meaningful standard that ultimately provides people with 
more choice and control related to targeted ads and user tracking by 
3rd parties. Together with the Administration's multi-stakeholder 
process to develop a code of conduct that promotes transparent 
disclosures to consumers concerning mobile apps' treatment of personal 
data,\22\ we are hopeful that a more representative cadre of concerns 
will produce effective self-regulatory practices without the need for 
legislation. However in the event that an open, multi-stakeholder 
process is not successful it may be necessary to explore regulatory 
measures.
---------------------------------------------------------------------------
    \22\ United States Department of Commerce. First Privacy 
Multistakeholder Meeting: July 12, 2012. National Telecommunications & 
Information Administration (June 15, 2012). 
---------------------------------------------------------------------------
The Current State of the Do Not Track Feature in Firefox
    Mozilla was the first browser to implement Do Not Track in March 
2011 inspired by innovations from privacy and security researchers 
Christopher Soghoian and Dan Kaminsky.\23\ When we first announced it, 
the ad industry was critical and Microsoft publicly ridiculed the 
feature,\24\ but the FTC strongly supported it and our users wanted it. 
Today 9 percent of our users have turned on DNT in the desktop version 
of Firefox and 18 percent have turned on DNT in the mobile version. 
Microsoft has announced it will ship IE with DNT turned on by default 
in Internet Explorer 10, and soon it will be possible for users to turn 
on DNT in all major browsers. Numerous companies already honor the DNT 
signal, including social networks like Twitter, publishers like the 
Associated Press, and mobile advertisers like Jumptap, AdTruth, and 
more are on the way. We are building DNT into Thunderbird, our e-mail 
client, and our mobile operating system, code named Boot2Gecko, where 
the user's DNT signal will be available to every app on the device. In 
addition to our engineering contributions, a Mozilla engineer submitted 
the first standards proposal for Do Not Track, and a member of our 
community is co-chair of the W3C standards effort.
---------------------------------------------------------------------------
    \23\ Soghoian, C. The History of the Do Not Track Header (January 
21, 2011). 
    \24\ Mullin, J. Microsoft: It's Naive To Trust Tracking Sites To 
Obey Anti-Tracking Orders. paidContent (February 10, 2011). 
---------------------------------------------------------------------------
    Do Not Track is a simple, digital signal sent by the user via the 
browser to websites. As a signal, Do Not Track does not enforce, break, 
control, disable or impair any online tracking or personalization 
technology. It is a signal that is sent along with Internet traffic, 
indicating that the user sitting behind the keyboard would like their 
privacy to be respected more strongly than might otherwise be the case. 
To make it effective, the recipients--websites and ad networks--must 
breathe life into the signal by honoring the user's intent. The crucial 
questions therefore become:

   What does the user intend by the DNT signal?

   What should a site do when it receives this signal?

    These questions are the subject of a consensus driven multi-
stakeholder effort currently underway at the W3C, as I mentioned a 
moment ago. The Do Not Track working group is chartered \25\ to develop 
a robust self-regulatory framework for user choice and control on the 
Web. While the group has agreement on most of the technical 
requirements of the protocol, there are still two competing views on 
what DNT should mean. One is that DNT means what it says, no 3rd party 
tracking of users whether its targeted ads or for other purposes. The 
other position is that DNT means no targeting, but tracking and 
collection are still acceptable. Currently, the working group is 
perusing a middle ground. The participants are collaborating in an open 
process to determine both the technical and compliance requirements for 
a Do Not Track system.
---------------------------------------------------------------------------
    \25\ See the Tracking Protection Working Group charter .
---------------------------------------------------------------------------
    No single party can address privacy related to personalization and 
tracking on their own. The ecosystem is so diverse and specialized that 
there is no one entity who knows exactly which data is going where. 
Publishers can't predict which ads will show up on their sites after an 
auction. Advertisers can't predict which sites their ads will land 
upon. There is no single place for users to go to find out: ``Where did 
my data end up?''
    There is likewise no party that can build a complete solution on 
their own. Browsers have many options to provide strong choices and 
controls to their users.\26\ However, browsers' technical measures risk 
being overly blunt, and disabling some features as well as protecting 
against privacy threats. As noted earlier, the cookie-based opt-outs 
provided by advertisers and analytics engines are ambiguous, do not 
scale, are not persistent, and do not truly address many users' privacy 
concerns. Advertising self-regulatory groups do not include social 
networks like Facebook or Twitter. Users are concerned about being 
followed across the Web whether or not there is advertising involved. 
In contrast, DNT sends a signal with every request--whether to a 
publisher, advertiser, or social network--with no need to worry about 
new businesses or new business models. DNT is a protocol that can 
address users' concerns and augment existing systems and initiatives.
---------------------------------------------------------------------------
    \26\ Lowenthal, T. Browser Vendors: fight for your users (April 29, 
2011). .
---------------------------------------------------------------------------
    Research shows that some users want personalization, many favor 
privacy, but the majority will make up their minds based on whether 
they see value to them or not.\27\ Tracking, in and of itself, is not 
necessarily a problem when users can participate in the decision and 
understand how they benefit. Issues arise when users are unable to 
control their browsing experience, or worse, loose confidence that they 
are an active participant in how information about them is collected, 
used and shared among sites and apps.
---------------------------------------------------------------------------
    \27\ McDonald, Aleecia M. and Cranor, Lorrie F. Beliefs and 
Behaviors: Internet Users' Understanding of Behavioral Advertising. In 
38th Research Conference on Communication, Information and Internet 
Policy (Telecommunications Policy Research Conference) (October 2, 
2010).
---------------------------------------------------------------------------
    DNT is narrowly-tailored to give users choice and control in a 
persistent, accessible way without preventing the customization and 
valuable advertising that powers our rapidly-growing Web economy. 
Innovative and transparent ways for users to obtain personalized 
content in a manner that respects user choice are both desirable and 
good for the Web. The DNT standard also envisions ways for users to 
request personalization and offers new opportunities for compelling 
user engagement and trusted relationships. In addition, unlike the Do 
Not Call list and the Ad Choices program, DNT is free to advertisers. 
There are no annual subscriptions to lists or fees to use icons. There 
is no cost to the taxpayer.
    It will take more time for stakeholders to agree and best practices 
to emerge, as Do Not Track is a unique multi-party, client-server 
approach to addressing privacy. We will also need a period to educate 
users and listen to their feedback so that we can match the DNT system 
with their expectations and produce a compelling experience.
    A DNT signal is not the beginning or the end of the privacy 
conversation, nor the only way user data is protected. Websites, 
service providers, ad networks play an essential role, and have much to 
offer by their own data practices and policies.
III. Industry's Ability to Provide Users With Tools to Adequately 
        Protect Their Personal Information Online
    Privacy by Design is a crucial concept for the Committee to 
champion. As long as the Web economy provides incentives for companies 
to start collecting lots of user information, scale up, and then bolt 
on privacy protections after the fact, we are unlikely to see users 
satisfied with the promise of the available privacy tools and services. 
Privacy by design is an approach that addresses user data and privacy 
implications of new products and services from the outset. There are 
many successful examples of traditional and nontraditional companies 
that have built fully scalable and commercially viable products and 
services on the Web based on this approach. For example, one Web search 
engine never collects any logs \28\ that can be associated with a 
particular person while still capturing all the information they need 
to build a powerful and viable service. And the GMAT switched to a 
less-intrusive method of verifying test-takers' identities as it 
balanced important business needs with student privacy concerns.\29\
---------------------------------------------------------------------------
    \28\ DuckDuckGo Privacy, .
    \29\ Hill, Kashmir. Why'Privacy By Design' Is The New Corporate 
Hotness. Forbes (July 28, 2011). 
---------------------------------------------------------------------------
    For years, the Internet worked on the model that anyone on the same 
mainframe was a co-worker, not a threat, and networking meant sending 
text files over modems. Worms, malware, and phishing attacks 
highlighted how much had changed in a short time. Since then, security 
has become a priority for companies. Microsoft famously retooled their 
operating system and software development process to address security 
problems. Now we are finding a similar crisis with the privacy 
dimensions of user choice and control. It is not just users who lack a 
complete privacy picture. Companies are starting to realize they do not 
know what cookies they set, how they use data, and where it flows 
internally or externally. As an industry, we are going to need efforts 
to figure that out, plus ensure we design with privacy in mind.
    We often talk about ``personal information,'' but we are beginning 
to understand that even data that does not include someone's name, e-
mail address, or social security number can have real privacy impacts. 
For example, Netflix viewing history--which on its face appears not to 
be personally identifiable at all--has been used to identify specific 
people's sexual orientation and medical conditions.\30\ The truth is 
that it's incredibly hard to predict how several pieces of apparently 
unrelated information can be combined to produce uncomfortably personal 
insights. We already have the technology to implement much of the Web 
ecosystem while leaving users in control of even this sort of 
information.
---------------------------------------------------------------------------
    \30\ Narayanan, A. and V. Shmatikov. Robust De-anonymization of 
Large Sparse Datasets (2008). 
---------------------------------------------------------------------------
    In conclusion, data sharing, control, security, and management are 
critical consideration for Mozilla. It is embraced in the products and 
services we create, and derives from a core belief that people should 
have the ability to maintain control over their entire Web experience, 
including how their information is collected, used and shared with 
other parties. We strive to ensure privacy and security innovations 
support consumers in their everyday activities whether they are sharing 
information, conducting commercial transactions, engaging in social 
activities, or browsing the Web, but the key is informed and reasonable 
choice enabled by transparency. Mozilla is pleased to be part of a 
vibrant user data landscape that is rapidly evolving to a future that 
will give people more choice and more control to participate fully in 
their online experience.
    Thank you, again, Senator Rockefeller and members of the Committee 
for the opportunity to join you today.

    Senator Klobuchar. Thank you very much, Mr. Fowler.
    Mr. Swire?

STATEMENT OF PETER SWIRE, C. WILLIAM O'NEILL PROFESSOR OF LAW, 
                   THE OHIO STATE UNIVERSITY

    Mr. Swire. Thank you, Madam Chair, Senator Rockefeller, and 
other distinguished members of the Committee. It's a pleasure 
to testify here today on ``The Need for Privacy Protections: Is 
Industry Self-Regulation Adequate?''
    I come here as a law professor and also as a former 
government official. I started working on privacy and self-
regulation in the mid-1990s, and was Chief Counselor for 
Privacy under President Clinton. I was the White House lead for 
the HIPAA and Gramm-Leach-Bliley medical rules, and have worked 
on numerous self-regulatory rules, in the room negotiating 
these.
    So it's with that background that the Committee asked me to 
talk about this history of what we've seen here, and, 
specifically, to look at the DAA's exceptions in some of their 
things that we'll get to. And that's what I'll focus my remarks 
on.
    My testimony has four sections. The first is when does 
privacy and self-regulation work? And the big theme here is, 
when you look at it, is that industry works a lot harder at 
this when government is paying attention. When industry thinks 
the government is not focused on it, the temptation is to say, 
``You know, we could do this, but we don't have to. And it's 
hard, and it's a lot of work, and it might cost us money. We're 
really not sure we want to do that.''
    But when you're paying attention, when the White House is 
paying attention, the FTC is paying attention, the conversation 
is entirely different. The conversation then is, ``You know, if 
we don't do it, they're going to do it for us. So we have to 
come up with something good.''
    And I think we saw that in the 1990s when industry stepped 
forward in a lot of ways. We're seeing industry digging in and 
doing a lot of things right now.
    But in between, there was a period when the attention 
wasn't here. And so the second point is, what have we seen from 
the history?
    The history is, in the late 1990s, as the first Internet 
was ramping up, a lot of people were paying attention to 
privacy. It was the dot-com boom. Privacy policies were going 
up on websites.
    And then after 2000, things changed. The attacks of 2001 
made privacy not nearly the same issue. A lot of other things 
were changing. So we have studies by academics on what happened 
to self-regulation after 2001.
    Most of the self-regulatory organizations in privacy 
disappeared. The others shrank drastically. That's the history.
    Now there are some reasons for that. Part of it is the 
Internet economy changed. So the advertising economy went down 
and effort went down.
    But if you look at the history, the history is, the 
pressure came off, and self-regulation dismantled to a very 
large extent.
    Now, some of the self-regulatory things continued. The ones 
that did tended to be when they were working together with 
government efforts, like under the Children's Online Privacy 
Protection and CAN-SPAM.
    My third point, after the sort of theory and history is, 
what do we see right now with the Digital Advertising Alliance 
and, specifically, the exceptions for market research and 
product development?
    The testimony goes through these in detail, looks at these 
market research and product development exceptions. They're 
part of something in the report of the DAA that are called 
limitations on collection of multi-site data. The problem is, 
when you read them, there is no limitations on collection that 
I think are enforceable by the FTC.
    If a company makes these promises, I can't figure out what 
they actually could be held to. And I came to DAA and talked to 
counsel in preparation for this hearing. We went through the 
language. And after that conversation, the DAA counsel 
specifically said that they are now willing to meet and discuss 
on market research and product development, and see what 
concrete changes can be made here.
    So industry once again is saying, ``We're going to work 
harder on this.'' And I think this hearing helped to prompt 
attention to that, and I thank the Committee for that.
    Briefly, the fourth point before I conclude is, there is an 
area for win/win when it comes to the Internet and privacy, how 
to build that. And that's the area of anonymization or de-
identification.
    I think what happens here is, if we can do a better 
technical job of de-identifying, so that your name or your 
devices aren't linked to what you're doing, then that way we 
can use the data intensively, and we can have privacy 
protections.
    I'm involved in a research project on that with the Future 
of Privacy Forum. Some of the proposed statutes talk about this 
issue of anonymization. I think it's an area for future work.
    So, in summary, we're in a period right now where there's 
strong interest in this from Congress, from the press, the 
White House, the Federal Trade Commission, on ``do not track'' 
and related issues. There are many intelligent people of good 
will working hard on these issues.
    This is a time when it is time to lock in some of the 
progress that's being made. Issues come and go. This is the 
time when this issue is in people's attention.
    I think this hearing and the effort you're doing can really 
help to make progress for better privacy and also for a better 
Internet going forward.
    Thank you and I look forward to any questions.
    [The prepared statement of Mr. Swire follows:]

Prepared Statement of Peter Swire, C. William O'Neill Professor of Law, 
            Moritz College of Law, The Ohio State University
    Chairman Rockefeller, Ranking Member Hutchison, and distinguished 
Committee Members, thank you for inviting me to testify on ``The Need 
for Privacy Protections: Is Industry Self-Regulation Adequate?''
    I am the C. William O'Neill Professor of Law at the Moritz College 
of Law of the Ohio State University. I began working on privacy and 
self-regulation in the mid-1990s. In 1999 I was named Chief Counselor 
for Privacy, in the U.S. Office of Management and Budget. In that role, 
I was the first (and thus far the only) person to have government-wide 
responsibility for privacy policy. As Chief Counselor for Privacy, I 
worked on both government regulation and self-regulation initiatives to 
protect privacy while meeting other societal goals. Since then, I have 
continued to write and speak extensively on privacy and security 
issues.
    For this testimony, Committee Staff requested that I provide 
historical context about self-regulation and privacy. I was also asked 
to discuss the Digital Advertising Alliance's recent announcements with 
respect to Do Not Track, including the exceptions included in the DAA 
approach. In preparing this testimony, I have spoken at length with 
industry leaders, privacy advocates, and technologists. This testimony 
reflects my personal views as a law professor, a former government 
official, and a person who tries to help develop effective privacy 
practices in the U.S. and globally.
    This testimony has four sections, with the key points set forth in 
the introduction:

  (1)  The threat of government regulation spurs the adoption of self-
        regulation. In 1997 I presented a paper on privacy and self-
        regulation at a conference hosted by the U.S. Department of 
        Commerce in which I explained that self-regulation works best 
        when there is a credible threat that government will step in if 
        industry does not do a good job. Simply put, the industry 
        dynamic around self-regulation is entirely transformed when 
        there is a credible threat of government intervention.

  (2)  The history of self-regulation after the 1990s shows that self-
        regulation declined when the credible threat of government 
        action eroded. When public policy attention shifted away from 
        privacy after the first wave of effort in the 1990s, there was 
        little new progress in self-regulation to match technological 
        change. Indeed, critics who have examined the history have 
        found greatly reduced effort in self-regulation. Some self-
        regulatory efforts continued, and initiatives that were linked 
        with ongoing government involvement seem to have endured more 
        than others.

  (3)  The current wave of attention to online privacy has produced 
        progress on Do Not Track, but with broad exceptions to the 
        announced collection limits. The Digital Advertising Alliance's 
        recent announcement that members would honor a Do Not Track 
        header is potentially important to providing users with choice 
        about their privacy online. However, the current exceptions for 
        market research and product development swallow the Do Not 
        Track rule. In addition, counsel for the DAA has informed me 
        that they are open to concrete discussion about how to further 
        improve these definitions in practice.

  (4)  We should focus more attention on technical and administrative 
        measures for de-identification in online privacy. The testimony 
        concludes with a brief discussion of an area for possible win/
        win scenarios when it comes to privacy and beneficial uses of 
        data online. The idea is simple--technical and administrative 
        safeguards can help ensure data is collected and used in ways 
        that are not linked to the individual.

    In summary, there is currently strong attention on the part of 
Congress, the White House, and the Federal Trade Commission to Do Not 
Track and privacy issues for online advertising. With this public 
attention, now is the best opportunity to craft a good regime. When Do 
Not Track and related efforts are completed, there will be a temptation 
for policy makers to move onto other issues. That is why it is so 
important for the current Do Not Track standards and other current 
initiatives to be as well thought out as possible.
The Threat of Government Regulation Spurs the Adoption of Self-
        Regulation
    In 1997 Secretary of Commerce William Daley and the National 
Telecommunications and Information Administration hosted a conference 
on ``Privacy and Self Regulation in the Information Age.'' My paper for 
that conference, entitled ``Markets, Self-Regulation, and Government 
Enforcement in the Protection of Personal Information,'' \1\ emphasized 
that self-regulation works best when there is a credible threat that 
government will step in if industry does not do a good job. Simply put, 
the threat of government regulation is what spurs the adoption of self-
regulation. As discussed in the next section, this conclusion matches 
the historical experience in privacy self-regulation.
---------------------------------------------------------------------------
    \1\ http://ssrn.com/abstract=11472.
---------------------------------------------------------------------------
    Self-regulation in privacy is a potentially useful approach where 
there are significant market failures as well as governmental failures. 
The 1997 paper highlighted a market failure that still applies to 
today's online advertising market: ``A chief failure of the market 
approach is that customers find it costly or impossible to monitor how 
companies use personal information. When consumers cannot monitor 
effectively, companies have an incentive to over-use personal 
information: the companies get the full benefit of the use (in terms of 
their own marketing or the fee they receive from third parties), but do 
not suffer for the costs of disclosure (the privacy loss to 
consumers).''
    The challenge for consumers to monitor online collection of data 
today in many ways is greater than it was for consumers in 1997. During 
that period, the Internet was dominated by first-party sites, where the 
user decided to surf at a particular website that might collect data. 
Today, collection by third parties is famously complex.\2\ News stories 
in the Wall Street Journal ``What They Know'' series and elsewhere have 
shown that even the savviest users find it difficult to opt out of 
online tracking in a world where cookies respawn and a typical web page 
can send data to literally dozens of different companies.
---------------------------------------------------------------------------
    \2\ A chart of the complex display advertising ecosystem is at page 
4 of Comments of the World Privacy Forum regarding the Federal Trade 
Commission Preliminary Staff Report ``Protecting Consumer Privacy in an 
Era of Rapid Change,'' (2011), at http://www.ftc.gov/os/comments/
privacyreportframework/00376-58005.pdf.
---------------------------------------------------------------------------
    Along with these market imperfections, we know that government 
solutions are imperfect as well. Statutes and regulations are often 
slow to update to changed circumstances. Needed statutes sometimes face 
gridlock. Rules can be over-broad (prohibiting net beneficial uses) and 
under-broad (permitting uses that consumers would object to in the 
market if they knew about them).
    These imperfections in market and regulatory approaches have 
repeatedly led those in the privacy debate to search for a third way, 
often called ``self-regulation.'' There are circumstances where self-
regulation may be better than the alternative approaches. For instance, 
self-regulation is more tempting the greater the market and government 
regulatory failures. Some other factors that tend to favor self-
regulation include:

   Industry expertise that leads to better-informed rules;

   Use for technical standards where many participants benefit 
        from cooperation (i.e., network effects from adoption of 
        standards for inter-connection or other purposes);

   Protections against using self-regulation for cartel or 
        other anticompetitive purposes;

   Incentives for the industry to enhance its reputation by 
        adopting and complying with a self-regulatory regime; and

   Effective mechanisms for enforcement through legal, 
        reputational, or other means.

    We must also be realistic about the limits of self-regulation. 
Sometimes self-regulation has been chosen where those involved believed 
a statute or regulation would do a better job--even much-needed bills 
are often difficult to get through the legislative process, and the 
Federal Trade Commission lacks Administrative Procedure Act rulemaking 
authority for most privacy issues. Where obstacles to a law are serious 
enough, self-regulation may be the second best option.
    A credible threat of government action is often the single greatest 
impetus to self-regulatory codes. Government action shapes the agenda, 
as we see today with this Senate hearing, and as the White House and 
FTC have shown on Do Not Track and other recent privacy issues. The 
threat of government action also transforms the dialogue inside 
industry meetings. When government is not interested, the person 
proposing the self-regulatory effort says: ``Nothing is forcing us to 
do this, but the right thing would be to adopt a binding code of 
conduct.'' When legislation and regulation are looming, the industry 
discussion is entirely different: ``If we don't do this ourselves, they 
will do it for us. We'll be stuck with compliance for years to come, so 
we better have something good to say on this issue.''
When the Credible Threat of Government Action Erodes so Do Self-
        Regulatory Programs
    The United States had a ``first wave'' of privacy policy activity 
related to the Internet from roughly 1996 to 2000.\3\ Internet privacy 
then became a less prominent issue, especially after the attacks of 
September 11, 2001 focused national attention on uses of data to fight 
terrorism. We are now in a ``second wave'' of major attention to 
Internet privacy. This section of the testimony discusses lessons 
learned from what happened after the first wave subsided. When the 
credible threat of government action eroded, new self-regulatory 
activity essentially ceased and many self-regulatory programs eroded as 
well.
---------------------------------------------------------------------------
    \3\ Peter Swire, Why Privacy Legislation is Hot Now, Thehill.com, 
June 23, 2011, at http://thehill.com/component/content/article/72-
opinion/168267-why-privacy-legislation-is-hot-now.
---------------------------------------------------------------------------
    This pattern matches the classic analysis of the ``issue-attention 
cycle'' by political scientist Anthony Downs, who wrote: ``American 
public attention rarely remains sharply focused upon any one domestic 
issue for very long--even if it involves a continuing problem of 
crucial importance to society.'' \4\ Downs emphasized that we should 
expect interest in an issue to wax and wane. Downs' discussion is 
consistent with the thrust of my 1997 paper: ``Over time, however, the 
legislative threat might ease. Agency attention may be directed 
elsewhere. As the threat of government action subsides, we might expect 
that self-regulatory efforts would also become more lax.''
---------------------------------------------------------------------------
    \4\ Anthony Downs, Up and Down with Ecology--the ``Issue-Attention 
Cycle,'' 28 Public Interest (Summer 1972), at 38.
---------------------------------------------------------------------------
    Examining the history of self-regulation after 2000, even defenders 
of self-regulation would agree that there was little new progress to 
match technological change, while critics are far harsher. Some self-
regulatory efforts continued, and initiatives that were linked with 
ongoing government involvement seem to have lasted longer than others.
    The World Privacy Forum has written detailed reports about the 
failings of self-regulation after 2000.\5\ Here are some key 
conclusions:
---------------------------------------------------------------------------
    \5\ Robert Gellman & Pam Dixon, Many Failures: A Brief History of 
Privacy Self-Regulation in the United States, (2011), at http://
www.worldprivacyforum.org/pdf/WPFselfregulationhis
tory.pdf; World Privacy Forum, The Network Advertising Initiative: 
Failing at Consumer Protection and Self Regulation, (2007), http://
www.worldprivacyforum.org/pdf/WPF_NAI_
report_Nov2_2007fs.pdf.

   ``We now have repetitive, specific, tangible examples of 
        failed self regulation in the area of privacy. These examples 
        are not mere anecdotes--these were significant national efforts 
---------------------------------------------------------------------------
        that regulators took seriously.''

   ``Privacy self-regulation organizations were loudly promoted 
        despite their limited scope and substance.''

   ``Privacy self-regulation organizations were structurally 
        weak, lacking meaningful ability to enforce their own rules or 
        maintain memberships. Those who subscribed to self-regulation 
        were usually free to drop out at any time.''

    Similar conclusions come from Chris Hoofnagle, a law professor at 
the University of California, Berkeley and co-chair of the annual 
Privacy Law Scholars Conference. Based on his extensive experience with 
self-regulation, Hoofnagle wrote the following in 2011: ``Self-
regulatory groups in the privacy field often form in reaction to the 
threat of regulation. They create protections that largely affirm their 
current and prospective business practices. The consumer rights created 
are narrow. They do not update their standards in response to changes, 
until the regulatory spotlight returns. Nor do they address new actors 
that raise similar concerns but fall outside of the self-regulatory 
regime.'' \6\ Just this week, Professor Hoofnagle released a study of 
the 100 most popular websites, finding that 21 of them placed 100 or 
more cookies onto users' computers, with 84 percent of the cookies 
placed by third parties.\7\
---------------------------------------------------------------------------
    \6\ Chris Hoofnagle, Can Privacy Self-Regulation Work for 
Consumers?, Jan. 26, 2011, http://www.techpolicy.com/CanPrivacySelf-
RegulationWork-Hoofnagle.aspx.
    \7\ James Temple, Web Privacy Census Shows Tracking Pervasive, 
SFGate, June 26, 2012, at http://www.sfgate.com/default/article/Web-
Privacy-Census-shows-tracking-pervasive-3663642.php.
---------------------------------------------------------------------------
    The World Privacy Forum highlights five prominent examples of self-
regulation from the first wave.\8\ I quote these important examples 
verbatim, and then offer observations:
---------------------------------------------------------------------------
    \8\ Gellman & Dixon, supra.

  1.  ``The Individual Reference Services Group (IRSG) was announced in 
        1997 as a self-regulatory organization for companies that 
        provide information that identifies or locates individuals. The 
        group terminated in 2001, deceptively citing a newly passed 
        regulatory law that made self-regulation unnecessary. However, 
---------------------------------------------------------------------------
        that law did not cover IRSG companies.''

  2.  ``The Privacy Leadership Initiative began in 2000 to promote self 
        regulation and to support privacy educational activities for 
        business and for consumers. The organization lasted about two 
        years.''

  3.  ``The Online Privacy Alliance began in 1998 with an interest in 
        promoting industry self regulation for privacy. OPA's last 
        reported activity appears to have taken place in 2001, although 
        its website continues to exist and shows signs of an update in 
        2011.''

  4.  ``The Network Advertising Initiative had its origins in 1999, 
        when the Federal Trade Commission showed interest in the 
        privacy effects of online behavioral targeting. By 2003, when 
        FTC interest in privacy regulation had evaporated, the NAI had 
        only two members. Enforcement and audit activity lapsed as 
        well. NAI did nothing to fulfill its promises or keep its 
        standards up to date with current technology until 2008, when 
        FTC interest increased.''

  5.  ``The BBBOnline Privacy Program began in 1998, with a substantive 
        operation that included verification, monitoring and review, 
        consumer dispute resolution, a compliance seal, enforcement 
        mechanisms and an educational component. Several hundred 
        companies participated in the early years, but interest did not 
        continue and BBBOnline stopped accepting applications in 
        2007.''

    Based on my own experience and some interviews conducted in the 
days leading up to this hearing, I offer the following observations on 
these five prominent examples. These observations are subject to the 
disclaimer about the limited time I have had to double-check each 
factual situation:

  1.  Individual References Services Group: A lawyer who worked with 
        the IRSG said that passage of Gramm-Leach-Bliley was indeed the 
        key reason for the group's demise. That law did set new limits 
        on sales by financial institutions to data brokers. It did not, 
        however, directly cover most activities of the data brokers who 
        were members of IRSG. My impression is that the data broker 
        industry felt the political pressure was off by the time the 
        group terminated. FTC Commissioner Julie Brill has recently 
        emphasized the need for new privacy initiatives concerning data 
        brokers.

  2.  Privacy Leadership Initiative: According to published reports at 
        the time of its creation in 2000, the PLI planned to spend $30 
        to $40 million to support self-regulation rather than have 
        online privacy legislation. Because political attention to the 
        issue soon faded, the sponsors apparently believed there was 
        little reason to continue that level of effort after 2002.

  3.  Online Privacy Alliance: The OPA was highly visible during the 
        privacy debates in 1998-2000. If the online privacy issue had 
        remained prominent, I think it is likely that the OPA would 
        have remained much more active for considerably longer.

  4.  Network Advertising Initiative: A senior person who worked with 
        the NAI confirmed the low membership number (two) by 2002, 
        after the considerable fanfare accompanying negotiation of the 
        NAI code in 1999 and 2000. This source gave a different reason, 
        however, for this decline: the collapse of the online 
        advertising market when the dot.com bubble burst.

  5.  BBBOnline Privacy Program. One source explained its demise this 
        way: ``Its business model didn't work.'' It is unclear what 
        combination of factors contributed to its demise. However, 
        factors likely included a poor fundraising structure along with 
        decreased demand for privacy services and a lack of political 
        pressure for privacy protection.

    As with any description of recent history, different observers are 
likely to emphasize different aspects of this record. My own view, 
however, is that the most optimistic reasonable view of privacy self-
regulation after 2000 was that there was little progress until privacy 
began to get ``hot'' again in the last few years. These five prominent 
self-regulatory examples are consistent with the view that self-
regulatory effort fades as the credible threat of government 
intervention fades. All of these programs garnered headlines when there 
was political focus on protecting privacy. All of these programs also 
disappeared or shrunk substantially when political attention focused 
elsewhere.
    With that said, it is useful to examine areas of self-regulation 
that persisted after 2000:

  1.  Website privacy policies. I have previously written about the 
        effectiveness of the government efforts in the late 1990s to 
        encourage commercial websites to post privacy policies.\9\ 
        Within three years, the portion of commercial sites with 
        privacy policies rose from only 12 percent to a resounding 90 
        percent, without legislation. Commercial websites 
        overwhelmingly continued to post privacy policies through the 
        2000s, encouraged in part by a 2003 California statute that 
        requires such polices for companies targeting consumers there. 
        The existence of these policies is central to the FTC's ability 
        to bring enforcement actions for deceptive trade practices. It 
        is true, of course, that the quality of privacy policies is 
        variable and often low. But this ``self regulatory'' practice 
        of having privacy policies has remained in effect, and is now 
        extending to the mobile application space.
---------------------------------------------------------------------------
    \9\ Peter Swire, Trustwrap: The Importance of Legal Rules to 
Electronic Commerce and Internet Privacy, 52 Hastings L.J. 847 (2003), 
at http://ssrn.com/abstract=424167.

  2.  CAN-SPAM. In the late 1990s and early 2000s, responsible 
        companies sending commercial e-mail developed codes of good 
        practice. A fundamental element of these practices was to 
        permit consumer choice about receiving commercial e-mail from a 
        particular company. Congress passed the CAN-SPAM Act in 2003. 
        The law is subject to many criticisms, notably that (as with 
        any law) it does not create a technological blockade against 
        malicious spammers. With that said, I submit that the law has 
        been very successful in a core aspect of consumer choice--CAN-
        SPAM requires companies to include an easy unsubscribe feature 
        in each e-mail. I personally use this feature regularly, and 
        legitimate companies stop sending me e-mail when I unsubscribe. 
        In this instance, a self-regulatory effort was essentially 
        incorporated into statute, and the unsubscribe feature 
        continues to work. The Direct Marketing Association has also 
        continued with its E-mail Preference Service, going beyond CAN-
        SPAM minimum requirements.\10\
---------------------------------------------------------------------------
    \10\ http://www.dmaconsumers.org/consumers/optoutform_emps.shtml.

  3.  Safe Harbor. The U.S.-E.U. Safe Harbor was negotiated in 2000. 
        Companies become subject to the Safe Harbor if they certify 
        their membership to the Department of Commerce, and 
        participants are considered to have ``adequate'' privacy 
        protections under the E.U. Data Protection Directive. Self-
        regulation is a prominent part of the Safe Harbor because 
        participants must establish an independent recourse mechanism--
        must select a self-regulatory program--to investigate 
        unresolved complaints.\11\ Views about the effectiveness of the 
        Safe Harbor vary widely. My own view is that there was a slow 
        start initially for adoption of the Safe Harbor, but thousands 
        of companies have entered it over time, and its principles are 
        widely used even by companies that have not formally certified. 
        The Safe Harbor has endured fairly well in contrast to the 
        purely private-sector self-regulatory efforts; its official 
        nature, furthermore, has created a helpful framework for 
        ongoing discussions and conferences for the relevant U.S. and 
        E.U. officials and other stakeholders.
---------------------------------------------------------------------------
    \11\ See http://export.gov/safeharbor/eu/eg_main_018495.asp.

    These three examples all feature a mixed model of self-regulation, 
where self-regulatory codes are a precursor to or component of 
government action. This mixed model is sometimes called ``co-
regulation,'' to emphasize the explicit role the government plays along 
with industry and other stakeholders. Historical evidence from the 
first wave of Internet privacy, however, suggests that co-regulatory 
efforts survived better through the highs and lows of the issue-
attention cycle than did pure self-regulatory approaches.
The current wave of attention to online privacy has produced progress 
        on Do Not Track, but with broad exceptions to the announced 
        collection limits.
    In the last few years, online privacy has become a hot issue again. 
Three major industry trends are driving this process: the rise of 
Facebook and other social media sites; the rapid growth in mobile 
devices, with their implications for location privacy; and the online 
advertising issues that are the subject of this hearing.\12\ These 
industry trends have been extensively covered in the press. These 
technological and market changes have prompted political leaders to 
respond. The E.U. has promulgated a directive limiting use of online 
cookies and now its draft omnibus Data Protection Regulation. The 
Administration issued its Green Paper and now its Consumer Online 
Privacy Bill of Rights. The FTC has been very active on privacy, and 
has focused public attention on Do Not Track. Congress has devoted much 
more time to privacy, including today's hearing.
---------------------------------------------------------------------------
    \12\ Peter Swire, Why Privacy Legislation is Hot Now, Thehill.com, 
June 23, 2011, at http://thehill.com/component/content/article/72-
opinion/168267-why-privacy-legislation-is-hot-now.
---------------------------------------------------------------------------
    The issue-attention cycle has returned to online privacy. 
Predictably, so has self-regulation. The Network Advertising Initiative 
has recovered from its slump in the early 2000s to reach a record 
membership and level of activity. The Digital Advertising Alliance has 
spent an enormous number of hours bringing to the table a wide range of 
players who have never before worked in such detail on privacy issues. 
Later this month, the Commerce Department will convene a 
multistakeholder process to address mobile application privacy issues.
    Committee Staff have specifically asked me to discuss the Digital 
Advertising Alliance's recent announcements with respect to Do Not 
Track, including the exceptions included in the DAA approach. In my 
view, the DAA's announcement to honor a Do Not Track header is 
potentially important to providing users with choice about their 
privacy online. In their current form, however, the exceptions for 
market research and product development swallow the Do Not Track rule. 
In addition, counsel for the DAA has informed me that they are open to 
concrete discussion about how to further improve these definitions in 
practice.
    The DAA is a coalition of online advertising organizations, 
including the Association of National Advertisers, whose President, Bob 
Liodice, is testifying here today. In 2009, the DAA released ``Self-
Regulatory Principles for Online Behavioral Advertising,'' which 
contained principles on education, transparency, consumer control, data 
security, material changes, sensitive data, and accountability.\13\ In 
November 2011, the DAA released ``Self-Regulatory Principles for Multi-
Site Data,'' which extended the 2009 principles beyond online 
behavioral advertising and also defined a number of important 
exceptions. In connection with the White House privacy event in 
February, the DAA agreed that its members would comply when consumers 
selected Do Not Track in their browsers, with enforcement by the 
FTC.\14\
---------------------------------------------------------------------------
    \13\ http://www.aboutads.info/resource/download/seven-principles-
07-01-09.pdf
    \14\ The White House, We Can't Wait: Obama Administration Unveils 
Blueprint for a ``Privacy Bill of Rights'' to Protect Consumers Online, 
Feb. 23, 2012, at http://www.whitehouse.gov/the-press-office/2012/02/
23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-
rights.
---------------------------------------------------------------------------
    These actions by the DAA have accompanied lengthy negotiations on a 
standard for Do Not Track in the World Wide Web Consortium (W3C). The 
W3C is a respected organization that has been instrumental to 
promulgation of many of the technical standards at the core of the 
modern Internet. The W3C process has involved privacy advocates, 
technologists, and industry leaders, including members of the DAA. I 
have not personally attended the W3C meetings, but I have stayed in 
close contact with participants from all the major perspectives. The 
W3C working group met for three days last week in Seattle. Although 
there has been important progress toward consensus on some issues, the 
scope of the exceptions has remained controversial, including but not 
limited to the exceptions for market research and product placement.
    To place these exceptions in context, the consumer control part of 
the 2009 DAA principles enables ``users of websites at which data is 
collected for online behavioral advertising purposes the ability to 
choose whether data is collected and used or transferred to a non-
affiliate for such purposes.'' The 2011 DAA principles go further by 
saying that third parties and service providers ``should provide 
consumers with transparency and consumer control'' for purposes other 
than online behavioral advertising. Along with these limits on 
collection of multi-site data, the 2011 principles restrict the use of 
multi-site data for eligibility for employment, credit, health care, or 
insurance.
    The 2011 principles contain important exceptions to the general 
rule of transparency and consumer control. One category of exceptions 
is for ``operations and system management purposes.'' Those purposes 
appear quite broad: ``intellectual property protection; compliance, 
public purpose and consumer safety; authentication, verification, fraud 
prevention and security; billing or product or service fulfillment; or 
Reporting or Delivery.'' There is also an exception for data that will 
go through a de-identification process, as discussed further below.
    I will focus my remarks on the remarkably broad exceptions in the 
2011 DAA principles, ``for market research or product development.'' 
These exceptions are so open-ended that I have not been able to discern 
any limits on collection under them. Market research includes 
``research about consumers.'' \15\ That would seem to include keeping 
track of every click made by a consumer. Market research also includes 
analysis of ``consumer preferences and behaviors.'' Again, if I were an 
FTC enforcer, I don't know what lies outside the scope of the 
exception. The definition of product development is similarly broad. It 
includes analysis of ``the characteristics of a market or group of 
consumers.'' To analyze a ``group of consumers'' would seemingly permit 
collecting each click made by those consumers. Similarly, product 
development includes analysis of ``the performance of a product, 
service, or feature.''
---------------------------------------------------------------------------
    \15\ ``Market Research means the analysis of: market segmentation 
or trends; consumer preferences and behaviors; research about 
consumers, products, or services; or the effectiveness of marketing or 
advertising. A key characteristic of market research is that the data 
is not re-identified to market directly back to, or otherwise re-
contact a specific computer or device. Thus, the term ``market 
research'' does not include sales, promotional, or marketing activities 
directed at a specific computer or device.''
---------------------------------------------------------------------------
    The 2011 DAA principles place one limit on information collected 
under the market research and product development exceptions. They 
state that the terms do not ``include sales, promotional, or marketing 
activities directed at a specific computer or device.'' Thus, companies 
should not collect information from Alice or Bob under the exceptions, 
and then use their specific knowledge about Alice or Bob to target 
their computers or other devices. The scope of this consumer 
protection, however, is currently unclear. The principles do permit any 
contact back to the computer of Alice or Bob ``based on an aggregate 
use of data.'' The current principles do not offer further guidance on 
what is permitted based on that aggregate use of data.
    After reading the text of these exceptions to prepare this 
testimony, I then spoke about experts from both industry and the 
advocacy community to test the accuracy of my reading. My 
understanding, under the 2011 DAA principles, is that under the market 
research and product development exceptions:

   Companies have no transparency requirement;

   Companies have no consumer choice requirement;

   Companies can keep the data indefinitely;

   Companies can identify data that is collected without the 
        user's name, and combine it with identified data;

   Companies can combine their data with data from other 
        sources, to build up a more detailed profile; and

   Companies can share data with other third parties so long as 
        it is not used to market back to the specific computer or 
        device.

    To summarize, the 2011 DAA principles have a section called 
``Limitations on the Collection of Multi-Site Data.'' The market 
research and product development exceptions are part of that section. 
As drafted, it is difficult to see what limitations on collection could 
be enforced given the breadth of the exceptions.
    What should be done in light of these findings? The counsel for the 
DAA, has informed me that they are open to concrete discussions about 
how to further improve these definitions in practice. Counsel 
specifically understood that I would state that in this testimony.
    My view is that considerably more work needs to be done in defining 
the market research and product development exceptions. As one person, 
I don't presume to know the answers to these complex questions. I do 
believe, however, that participants can get helpful insights from the 
way that market research and research generally have been handled in 
other contexts that implicate privacy. For instance, telephone market 
research has existed for decades. My understanding is that there are 
well-developed practices, and perhaps codes of conduct, for protecting 
confidentiality in telephone market research. To my knowledge, there 
have not been recent scandals about whether Gallup or some other 
research firm has re-identified an individual's response to a telephone 
survey. Based on discussions with participants in the W3C process, 
these offline market research precedents have not been discussed at the 
W3C. Perhaps the online community can learn from the historical 
practice for offline market research.
    Similarly, we have extensive experience on how to define and 
conduct research in other settings. Many Federal agencies gather data 
for statistical research, from the Census to economic statistics and 
many other purposes. These agencies have years of experience of how to 
get needed statistical information while preserving confidentiality, 
and the current online advertising debates should draw on that 
expertise.\16\ Under the HIPAA medical privacy rule, there are at least 
four methods for conducting research on protected health information: 
(1) individual consent; (2) de-identification of the data; (3) with 
authorization from an Institutional Review Board or Privacy Board; or 
(4) on limited data sets, where the researchers agree to comply with 
confidentiality conditions in order to get the data.
---------------------------------------------------------------------------
    \16\ For a history of confidentiality and Federal statistics, see 
Douglas J. Sylvester & Sharon Lohr, Counting on Confidentiality: Legal 
and Statistical Approaches to Federal Privacy Law After the USA PATRIOT 
Act, 2005 Wisc. L. Rev. 1033.
---------------------------------------------------------------------------
    I am not saying that the rules for medical research should apply 
online; instead, the point is that researchers have used data 
intensively in many settings other than online advertising. The online 
advertising debates should be better informed by the institutional 
options that have been developed in areas such as offline market 
research, government statistics, and medical research.
Improve & Employ Technical and Administrative Measures for 
        De-Identification in Online Privacy
    Before concluding, I will briefly discuss an area where there may 
be important win/win outcomes both for privacy and beneficial uses of 
data about online activities. With the Future of Privacy Forum, I am 
conducting a research project on de-identification in the online 
advertising space. We have received expressions of interest from 
industry, privacy advocates, and technologists.
    The idea is simple--we should employ technical and administrative 
safeguards so that data is collected and used in ways that are not 
linked to the individual. If we can build effective safeguards, then 
data can be used more intensively while protecting against privacy 
problems.
    Doing de-identification well is a challenging problem, but I 
believe we are now in a time when more work is needed about how to do 
it online. In its recent report, the FTC proposed a promising approach 
to de-identification, which includes technical measures as well as 
public statements from companies that they will not re-identify 
individuals, with those statements being enforceable under the FTC 
Act.\17\ The 2011 DAA principles contemplate greater use of de-
identification, where ``an entity has taken reasonable steps to ensure 
that the data cannot reasonably be re-associated or connected to an 
individual.'' I have started to write on this topic,\18\ and recently 
submitted comments to the Department of Commerce about how de-
identification could be a candidate for a multi-stakeholder 
process.\19\
---------------------------------------------------------------------------
    \17\ Federal Trade Commission, Protecting Consumer Privacy in an 
Era of Rapid Change (2012), at http://ftc.gov/os/2012/03/
120326privacyreport.pdf.
    \18\ http://www.peterswire.net/psspeeches2011.htm.
    \19\ http://www.ntia.doc.gov/federal-register-notice/2012/comments-
multistakeholder-process.
---------------------------------------------------------------------------
    Due to its highly technical nature, it is difficult to craft a 
statute that states specifically how to achieve de-identification. To 
date, there has not been enough work to understand what mix of 
technical and administrative safeguards will best protect privacy while 
also enabling beneficial uses of information. I hope that many parties 
will focus more attention on how to build de-identification more 
effectively into our Internet practices.
Conclusion
    In conclusion, let me state my optimism about the intelligence, 
good faith, and willingness to work hard on these issues in industry, 
the privacy advocacy community, and among technologists. The online 
advertising eco-system today is much more complex than in the 1990s. 
There are major institutional challenges in understanding the 
technology and market forces, and coordinating a response.
    In making progress on such issues, we should be informed by the 
history. When Congress and agencies focus on an issue, the attention 
often brings out the best in industry. The public attention empowers 
technologists and other privacy experts within companies and industry 
groups to convince their colleagues to take effective measures to 
protect privacy. By contrast, if the pressure is off, the privacy 
experts within industry find it more difficult to get their colleagues 
to protect personal information.
    Getting online privacy right is important for each of us as 
Americans. In testimony last fall before the House Energy & Commerce 
Committee, I explained that a ``we don't care about privacy'' approach 
from the United States would create risks for American jobs, exports, 
and businesses.\20\
---------------------------------------------------------------------------
    \20\ Peter Swire, Internet Privacy: The Impact and Burden of EU 
Regulation, Statement before the House Energy & Commerce Committee, 
Sept. 15, 2011, at http://www.americanprogress
action.org/issues/2011/09/swire_testimony.html.
---------------------------------------------------------------------------
    More simply, I personally would not like to have an Internet where 
I believed that each moment of my browsing might easily be breached and 
shown to the entire world. For you and your families, it would reduce 
the quality of the Internet if you thought that any page you visited 
needed to be treated like something that might be released to the 
public. That is not the experience we have today. However, if we do not 
foster good practices, then we risk losing confidence in our use of the 
Internet.
    Thank you once again for the invitation to testify today. I am 
happy to respond to your questions.
Biographical Information
    Peter Swire is the C. William O'Neill Professor of Law at the 
Moritz College of Law of the Ohio State University. He began working on 
privacy and self-regulation in the mid-1990s. In 1998, he was the lead 
author, with Robert Litan, of ``None of Your Business: World Data 
Flows, Electronic Commerce, and the European Privacy Directive,'' 
published by the Brookings Institution. In 1999, he was named Chief 
Counselor for Privacy, in the U.S. Office of Management and Budget. In 
that role, he was the first (and thus far the only) person to have 
government-wide responsibility for privacy policy.
    As Chief Counselor for Privacy, he worked on both government 
regulation and self-regulation initiatives to protect privacy while 
meeting other societal goals. On the government regulation side, he was 
the White House lead on the HIPAA medical privacy rule and on the 
financial privacy rules implementing the Gramm-Leach-Bliley Act. For 
self-regulation, he worked extensively in connection with the Network 
Advertising Initiative code of 2000, and helped negotiate the Safe 
Harbor agreement for data flows between the E.U. and the U.S., 
including a major role under the Safe Harbor for self-regulatory 
associations.
    In 2001, Swire returned to law teaching. He has since continued to 
write and speak extensively on privacy and security issues, with 
publications and speeches available at www.peterswire.net. In 2009 and 
2010 he was Special Assistant to the President for Economic Policy, 
serving in the National Economic Council under Dr. Lawrence Summers. In 
2010, he once again returned to law teaching at The Ohio State 
University. He lives in the D.C. area.

    Senator Klobuchar. Thank you very much.
    Mr. Szoka?

        STATEMENT OF BERIN SZOKA, PRESIDENT, TechFreedom

    Mr. Szoka. Chairman Rockefeller, members of the Committee, 
thank you again for inviting me here to testify about privacy 
today.
    First, at the Progress and Freedom Foundation and now at 
TechFreedom, I've worked for over 4 years to articulate from 
the think-tank world an alternative perspective on privacy that 
stresses the enormous value created by data, while recognizing 
the need to prevent its abuse.
    While we're all here engaged in fixing the problems, we 
mustn't lose sight of the forest for the trees. The benefits of 
collection and the use of data to date have dramatically 
outstripped its costs of the relatively few abuses.
    So in considering how to address abuses, I agree: self-
regulation is not enough. So-called baseline legislation is, 
indeed, necessary.
    But such a baseline already exists. Section V empowers the 
FTC to prohibit as unfair uses of data that do more harm than 
good and that consumers themselves cannot reasonably avoid. 
Further, the act empowers the FTC to enforce self-regulation by 
holding companies to their promises.
    Above this baseline, we've built a layered approach to 
privacy protection, including narrow legislation to address 
particularly thorny problems. But the genius of American law is 
our largely evolutionary, common-law model, addressing problems 
as they arise, and learning from past successes and failures, 
rather than attempting to design a comprehensive regulatory 
scheme wholesale.
    Our system is what Richard Epstein famously called ``Simple 
Rules for a Complex World.''
    The FTC's effectiveness should be measured not by counting 
settled cases but in development of a quasi-common law of 
privacy. Yet today, companies have only FTC complaints and 
consent decrees with little analysis to guide them.
    I suggest the agency take four steps. First, explain its 
analysis and consent decrees. Second, issue no-action letters 
when deciding not to sue. Third, issue advisory opinions upon 
request to guide industry on how the agency might evaluate new 
privacy practices. And fourth, issue guidelines explaining how 
the agency has applied unfairness and deception in past cases 
and how it plans to do so in the future, in particular, 
clarifying the boundaries of privacy harm.
    Congress should encourage the FTC to do these things and 
ensure that they have the resources necessary to do these 
things and to keep pace with technological change. But 
policymakers and, I hasten to add, everyone else necessarily 
lack the expertise and foresight to freeze in place today fair 
information practices. The technologies involved are simply 
evolving too rapidly and the tradeoffs are too complex.
    This is why the White House stressed the flexibility, 
speed, and decentralization that only self-regulation can 
provide.
    Congress should, however, carefully scrutinize how the FTC 
has used soft power to influence self-regulation, and how that 
power has reinforced incumbents' market power. Nowhere is this 
more true or potentially more dangerous than in W3C's ``do not 
track'' process.
    As FTC Commissioner Tom Rosch has noted, the major browser 
firms' interest in developing ``do not track'' mechanisms begs 
the question of whether and to what extent these major browser 
firms might act strategically and opportunistically.
    The W3C process has rested on the principle of user choice. 
Microsoft breached this consensus when it decided in its new IE 
10 browser that it would set ``do not track'' headers by 
default. Default ``do not track'' on doesn't empower users any 
more than would setting ad blocking by default. Default ``do 
not track'' on simply empowers browser makers to force 
fundamental changes in the Internet's ecosystem.
    From today's low friction, flat ecosystem of independent 
sites and services, funded by generally impersonal data 
collection, default ``do not track'' on could take us to an 
Internet with fewer players who collect more data with less 
transparency.
    In the worst case, opt-in dystopia, consumers could be made 
significantly worse off in three ways.
    First, if publishers have to rely on micropayments or 
subscriptions, their revenues will likely drop.
    Ironically, second, in the name of privacy, we could 
actually increase user tracking, because those sites and 
services that do obtain opt-ins will likely collect more 
personal data.
    And third, few publishers in data-driven companies will be 
able to obtain opt-in exceptions to ``do not track.'' This will 
force unprecedented consolidation in the Internet ecosystem. 
And thus, with the best of intentions, we may be blithely 
heading toward reshaping the Internet.
    But even more troubling is the way we're doing it. This 
isn't the result of a bottom-up evolutionary process. It's more 
like collusion between government and powerful market players. 
It is not self-regulation but co-regulation.
    It is the European model, where governments steer by extra 
legal threats, and the industry merely rows; where government 
encourages powerful incumbents who use market power to serve 
their own agendas with government's blessing.
    Given the FTC's heavy involvement in the W3C process, 
Congress should ask the FTC to explain what exactly its role 
has been, especially in Microsoft's decision to defy W3C's 
principle of user choice.
    No one would deny that regulatory agencies play a 
significant role in encouraging self-regulation. But with due 
respect to my friend and colleague, Peter, the extra legal 
intimidation that he and Tim Wu have endorsed is deeply 
dangerous.
    If government can regulate the Internet without statutory 
authority or judicial review simply because its goals seem 
noble, the rule of law does not exist online.
    The better way for the FTC to encourage self-regulation is 
through the legal means I have suggested--building a quasi-
common law subject to clear standards and subject to review, if 
not by the courts than by Congress.
    Again, thank you for inviting me here today. And I look 
forward to your questions.
    [The prepared statement of Mr. Szoka follows:]

     Prepared Statement of Berin Szoka, President, TechFreedom \1\
---------------------------------------------------------------------------
    \1\ Berin Szoka (@BerinSzoka) is President of TechFreedom, a non-
profit, non-partisan technology policy think tank. He has written and 
commented extensively on consumer privacy. In particular, he testified 
on Balancing Privacy and Innovation before the House Energy & Commerce 
Committee, Subcommittee on Commerce, Manufacturing, and Trade on March 
29, 2012, available at http://tch.fm/KCrz8k, (``Szoka Testimony'').
---------------------------------------------------------------------------
I. Introduction
    Chairman Rockefeller, Ranking Member Hutchison--thank you for 
inviting me to testify about privacy again before your Committee. As 
President of TechFreedom, a non-profit think tank, and before that, as 
Director of the Center for Internet Freedom at The Progress & Freedom 
Foundation, I have worked for over four years to articulate an 
alternative perspective on privacy that recognizes both the enormous 
value created by data and the need to prevent abuses of data. The 
debate thus far has systematically underestimated the benefits to 
consumers from the use of personal data to tailor advertising, develop 
new products, and conduct research, while overstating the dangers of 
data, which remain largely conjectural.
    With the best of intentions, we are heading towards reshaping the 
fundamentals of the Internet--in ways that may have serious negative 
unintended consequences for privacy, the sites and services consumers 
enjoy, and the health of the ecosystem. But the way we're doing it may 
be even more troubling. This is not the result of a bottom-up 
evolutionary process, but of collusion between government and powerful 
market players. We are heading for opt-in dystopias.
II. The American Layered Approach to Privacy
    I agree that self-regulation is not enough, that so-called 
``baseline'' legislation is, indeed, necessary. I disagree, however, 
that new baseline legislation is needed. We already have baseline 
consumer protection legislation: Section V of the Federal Trade 
Commission Act \2\ empowers the FTC not only to enforce self-regulation 
by holding companies to their promises, but also to prohibit as 
``unfair'' uses of personal data that do more harm than good and that 
consumers themselves cannot reasonably avoid. States have similar 
legislation, empowering Attorneys General to act,\3\ and class action 
lawsuits also deter privacy violations.\4\
---------------------------------------------------------------------------
    \2\ 15 U.S.C. Sec. 45 (2006).
    \3\ Henry N. Butler & Joshua D. Wright, Are State Consumer 
Protection Acts Really Little-FTC Acts?, 63 Fla. L. Rev. 163, 165 
(2011) (discussing state laws empowering attorneys general to ``combat 
consumer fraud and other deceptive practices'').
    \4\ Glenn G. Lammi, ``Thanks, Google Buzz: Class Action Lawyers 
Celebrate Impending Fees,'' Forbes,Nov. 3, 2010, available at http://
www.forbes.com/sites/docket/2010/11/03/thanks-google-buzz-class-action-
lawyers-celebrate-impending-fees/.
---------------------------------------------------------------------------
    On top of this baseline, we have built a layered approach to 
privacy protection. Where the FTC's authority has proven inadequate, 
Congress has enacted legislation to address specific problems, such as 
the Children's Online Privacy Protection Act \5\ and the Fair Credit 
Reporting Act.\6\ But in general, American law follows a common law 
model, addressing problems on a case by case basis rather than 
attempting to design a comprehensive regulatory scheme adequate for 
both present and future. This is what Richard Epstein famously called 
``Simple Rules for a Complex World.'' \7\ The Electronic Frontier 
Foundation's Mike Godwin put it best in 1998 when he said: ``It's 
easier to learn from history than it is to learn from the future. 
Almost always, the time-tested laws and legal principles we already 
have in place are more than adequate to address the new medium.'' \8\
---------------------------------------------------------------------------
    \5\ Children's Online Privacy Protection Act of 1998, Pub. L. No. 
105-277, 112 Stat. 2581-728 (codified in 15 U.S.C. Sec. Sec. 6501-
6506).
    \6\ Fair Credit Reporting Act of 1970, Pub. L. 91-508; 84 Stat. 
1128 (codified in 15 U.S.C. Sec. 1681).
    \7\ Richard A. Epstein, Simple Rules for a Complex World (1995).
    \8\ Quoted in Virginia Postrel, The Future and Its Enemies: The 
Growing Conflict Over Creativity, Enterprise, and Progress at 48 
(Touchstone 1998).
---------------------------------------------------------------------------
    Applying baseline principles of consumer protection is the best way 
to address new privacy challenges, given the ever-changing nature of 
the technologies involved and the inevitable trade-offs among competing 
conceptions of privacy, and between privacy and other values--such as:

   Funding for innovative media and services that would not 
        otherwise be available;

   The diversity and competitiveness of an Internet ecosystem 
        with low barriers to entry;

   The ease of use for consumers of an Internet that is not 
        divided by checkpoints asking for consent or payment as users 
        cross domain name boundaries;

   The innovation driven by discoveries made possible by 
        analyzing what some have pejoratively labeled ``Big Data,'' and 
        so on.

    Policymakers simply do not have the expertise or foresight to make 
complex rules to decide these trade-offs--or the time to become experts 
in complex technologies. So it is here that self-regulation plays a 
critical role in our layered approach to privacy. As the White House 
privacy report acknowledged, self-regulation alone ``can provide the 
flexibility, speed, and decentralization necessary to address Internet 
policy challenges.'' \9\
---------------------------------------------------------------------------
    \9\ The White House, Consumer Data Privacy in a Networked World: A 
Framework for Protecting Privacy and Promoting Innovation in the Global 
Digital Economy at 23, http://www.whitehouse.gov/sites/default/files/
privacy-final.pdf.
---------------------------------------------------------------------------
    In short, self-regulation is necessary, but not sufficient. It must 
work in tandem with the enforcement of existing laws--which I believe 
can be enhanced significantly without new legislation. But we must also 
understand that self-regulation is merely one part of a broader process 
by which market forces discipline corporations in how they collect, 
process, use and distribute personal data about us. Together, this 
layered approach is the best way to maximize the enormous benefits 
offered by the use of personal data while minimizing its occasional 
abuse.
III. Market Regulation of Privacy
    Companies do not operate in a vacuum. They compete not just for 
customers, but to protect their good name in the eyes of business 
partners, shareholders, media watchdogs, potential employees, and 
citizens themselves. Nowhere in the economy is this more true than 
online, where companies compete both for consumers' attention and for 
the trust of business partners, especially advertisers.
    The social media revolution has made it possible for anyone 
concerned about online privacy to blow the whistle on true privacy 
violations. That whistle may not always be loud enough to be heard, but 
it's more likely in this sector than any other. Traditional media 
sources like the Wall Street Journal have played a critical role in 
attracting attention to corporate privacy policies through ``What They 
Know'' series,\10\ which has been popularized using social media tools. 
Reporters like Julia Angwin may rightly lament the failure of self-
regulation in any particular case, but the very act of their criticism 
is essential for market regulation to function, because they are 
powerful actors in the marketplaces of ideas and reputation.
---------------------------------------------------------------------------
    \10\ See generally What They Know, Wall St. J., 2012, http://
blogs.wsj.com/wtk/.
---------------------------------------------------------------------------
    Earlier this year, social media tools were directed at Congress--to 
great effect--to express grassroots concern about the impact of 
proposed copyright legislation. While some Internet companies certainly 
helped to promote these messages, even were it not for their 
involvement, this experience would demonstrate how effective social 
media activism can be. There is no reason why such techniques cannot be 
used effectively against major Internet companies themselves, just as 
Facebook users have used Facebook itself to rally opposition to 
Facebook on privacy concerns such as its Beacon ad targeting 
system.\11\ ``The herd will be heard,'' as Bob Garfield memorably put 
it in his 2009 book, The Chaos Scenario: Amid the Ruins of Mass 
Media.\12\ The Choice for Business Is Stark: Listen or Perish. Among 
the most important factors driving companies to participate 
constructively in the multi-stakeholder process, to forge meaningful 
privacy protections, and to abide by them is the fear of a Wall Street 
Journal article, a social media frenzy, or organized campaign demanding 
action on a particular privacy problem.
---------------------------------------------------------------------------
    \11\ See, e.g., Kirsten E. Marti, Facebook (A): Beacon and Privacy 
3 (2010), available at http://www.darden.virginia.edu/corporate-ethics/
pdf/Facebook%20_A_business_ethics-case_bri-1006a.pdf (``The online 
community responded immediately to this intrusion. MoveOn.org created a 
Facebook group ``Petition: Facebook, stop invading my privacy!'' that 
stated: ``Sites like Facebook must respect my privacy. They should not 
tell my friends what I buy on other sites--or let companies use my name 
to endorse their products--without my explicit permission.'' The 
Facebook group and petition had 2,000 members within the first 24 hours 
and eventually grew to over 80,000 names.'' [internal citations 
omitted]).
    \12\ James Cherkoff, ``The Joy of a Gated Community,'' The Chaos 
Scenario, June 1, 2010, http://thechaosscenario.net/.
---------------------------------------------------------------------------
    As Wayne Crews of Competitive Enterprise Institute put it in 
testimony before this committee in 2008:

        Businesses are disciplined by responses of their competitors. 
        Political regulation is premature; but ``self-regulation'' like 
        that described in the FTC principles is a misnomer; it is 
        competitive discipline that market processes impose on vendors. 
        Nobody in a free market is so fortunate as to be able to ``self 
        regulate.'' Apart from the consumer rejection just noted, firms 
        are regulated by the competitive threats posed by rivals, by 
        Wall Street and intolerant investors, indeed by computer 
        science itself.\13\
---------------------------------------------------------------------------
    \13\ Wayne Crews, Testimony Before the Senate Committee on 
Commerce, July 9, 2008, available at http://cei.org/sites/default/
files/Wayne%20Crews%20-%20Senate%20Commerce%20Test
imony%20-%20Online%20Advertising,%20July%209%202008.pdf.
---------------------------------------------------------------------------
IV. Enhancing the American Layered Approach to Privacy
    As I argued in March in testimony before the House Energy & 
Commerce Committee's Subcommittee on Commerce & Manufacturing,\14\ the 
FTC could do much more with its existing authority to build an 
effective quasi-common law of privacy in three ways.
---------------------------------------------------------------------------
    \14\ Berin Szoka, Testimony Before the House Energy & Commerce 
Committee, Subcommittee on Commerce, Manufacturing, and Trade, 
``Balancing Privacy and Innovation: Does the President's Proposal Tip 
the Scale?'', Mar. 29, 2012, available at http://techfreedom.org/sites/
default/files/
Szoka%20Privacy%20Testimony%20to%20CMT%203.29.12%20v3%20(final)_0.pdf.
---------------------------------------------------------------------------
    First, Congress should assess whether the FTC has adequate 
institutional resources and expertise. If the FTC had heeded my fellow 
panelist Peter Swire's call for the FTC to build a an office of 
information technology five years ago,\15\ our layered privacy approach 
would today be far more effective in protecting consumers and ensuring 
their trust, and less easily dismissed as inadequate by foreign privacy 
regulators. Chairman Leibowitz deserves credit for appointing the 
agency's first Chief Technologist. But even with someone as talented as 
Ed Felten in that position, the FTC is still way behind the curve: His 
title is not Chief Technology Officer because there is no office behind 
him.
---------------------------------------------------------------------------
    \15\ Peter Swire, Funding the FTC: Globalization and New 
Information Technologies Necessitate an Appropriations Boost, Feb. 26, 
2007, http://www.americanprogress.org/issues/2007/02/ftc.html.
---------------------------------------------------------------------------
    The FTC needs a clear strategic plan outlining (a) how to build the 
in-house technical expertise it needs (beyond basic IT infrastructure) 
to identify enforcement actions, support successful litigation, monitor 
compliance, and conduct long-term planning and policy work, and (b) the 
resources necessary to achieve that goal through a combination of re-
prioritizing current agency spending and additional appropriations. 
Importantly, this organization should function as a cohesive team that 
meets the needs for technical expertise of all the FTC's bureaus and 
offices (including the Bureau of Competition). A stand-alone 
organization could, like the Bureau of Economics, better attract and 
retain talent.
    Second, the clearer privacy promises are, the more easily the FTC 
will be able to enforce them. One important way to achieve this goal 
would be for the FTC to promote the use of ``smart disclosure''--the 
term used by Cass Sunstein, director of the Office of Information and 
Regulatory Affairs and a close advisor to President Obama, and a widely 
respected thinker in law, policy and technology. Smart disclosure can 
empower consumers by letting software do the work for them of reading 
privacy policies--and then implement their privacy preferences.
    For example, users could subscribe to the privacy recommendations 
of, say, Consumer Reports, or any privacy advocacy group, which in turn 
could set their phone to warn them if they install an app that does not 
meet the privacy practices those trusted third parties deem adequate. 
Or, more simply, such a system could work for communicating whether a 
site, service or app acedes to a particular self-regulatory code of 
conduct--and phone privacy controls could be set by default to provide 
special notices when users attempt to install apps that do not certify 
compliance with self-regulatory codes of conduct. As the FTC Privacy 
Report notes, smart disclosure could also ``give consumers the ability 
to compare privacy practices among different companies.'' \16\ An app 
store might illustrate how such comparisons could work, allowing users 
trying to choose between several competing apps to compare their 
privacy practices side by side.
---------------------------------------------------------------------------
    \16\ Federal Trade Commission, Protecting Consumer Privacy in an 
Era of Rapid Change: Recommendations for Businesses and Policymakers 62 
(``FTC Report''), http://www.ftc.gov/os/2012/03/
120326privacyreport.pdf.
---------------------------------------------------------------------------
    While it would be preferable for smart disclosure to arise through 
self-regulation, especially given the complexity of crafting disclosure 
formats, mandating disclosure of privacy practices would generally be a 
better way for government to address demonstrated market failures than 
by dictating what constitutes fair information practices--and thus 
might be an appropriate area for Congress to explore legislation at 
some point.
    Third, the proper measure of the FTC's effectiveness is not how 
many suits it successfully settles, but how well it contributes to the 
development of a quasi-common law of privacy that can guide companies 
pushing the envelope with new data-driven technologies--without 
stifling innovation that ultimately serves consumers. The chief problem 
today is that companies have only FTC complaints and consent decrees to 
guide in predicting the course of the law. These documents offer very 
little explanation of how the facts of a particular case satisfy the 
FTC's Policy Statements on unfairness and deception. And these summary 
assertions are never tested in court, both because of the cost of 
litigation relative to settlement, and because of the cost to a 
defendant company of bad publicity from being perceived as anti-privacy 
exceed the benefits of taking the FTC to court--even when they would 
likely prevail given the FTC's overreach. While this should reassure us 
that reputation markets exert far greater pressure to discipline 
companies on privacy than is commonly appreciated, it also means that 
we lack the key ingredient for building a true common law: judicial 
scrutiny in an adversarial process.
    The forces that keep privacy adjudication out of the courts and 
prevent development of privacy common law by judges are not likely to 
be easily overcome by FTC--or even Congressional--action. So we need to 
find alternative ways to replicate the adversarial process of careful 
analysis by which courts build upon simple rules to address the 
challenges of a complex world. I suggest the following six possible 
ways for the FTC to make better use of its existing authority to build 
a quasi common law:

  1.  The Commission (or individual Commissioners) should provide 
        greater analysis of its rationale under its Unfairness and 
        Deception Policy Statements for issuing each consent decree.

  2.  The FTC should, when it closes an investigation by deciding not 
        to bring a complaint, issue a ``no action'' letter explaining 
        why it decided the practice at issue was lawful under Section 
        V.\17\ Such letters, issued by other agencies like the 
        Securities and Exchange Commission, provide an invaluable 
        source of guidance to innovators. Congress should even consider 
        whether the FTC should be required to issue such letters.
---------------------------------------------------------------------------
    \17\ See, e.g., Jodie Bernstein, Re: Petition Requesting 
Investigation of, and Enforcement Action Against SpectraCom, Inc., 
http://www.ftc.gov/os/1997/07/cenmed.htm.

  3.  The FTC should consider how it could use advisory opinions more 
        effectively to provide guidance to industry on how the agency 
        might evaluate new privacy practices--especially for companies 
        working on the cutting edge of technology, which are often 
        small. The FTC issues such letters on a wide range of 
        topics,\18\ yet does not appear to have issued advisory 
        opinions regarding the application of Section V to privacy.
---------------------------------------------------------------------------
    \18\ 16 C.F.R Sec. 1.1 (2012) (``Any person, partnership, or 
corporation may request advice from the Commission with respect to a 
course of action which the requesting party proposes to pursue. The 
Commission will consider such requests for advice and inform the 
requesting party of the Commission's views, where practicable, under 
the following circumstances . . . (1) The matter involves a substantial 
or novel question of fact or law and there is no clear Commission or 
court precedent; or (2) The subject matter of the request and 
consequent publication of Commission advice is of significant public 
interest.''); see also Judith A. Moreland, Overview of the Advisory 
Opinion Process at the Federal Trade Commission, available at http://
www.ftc.gov/bc/speech2.shtm.

  4.  Congress should reassert the vital oversight it exercised in 1980 
        and 1983 when it ordered the agency to issue the Policy 
        Statements on Unfairness and Deception. At a minimum, the FTC 
        should be required to explain, in detailed analysis, how it has 
        applied those venerable standards in past privacy enforcement 
        cases, and how it plans to do so in the future--again, because 
        it is ``easier to learn from history than it is to learn from 
        the future.'' \19\ Such guidelines are routine in other areas, 
        and provided for in the Commission's current procedures.\20\ 
        Indeed, the antitrust guidelines issued by the FTC and DOJ form 
        a key element of the American common law of competition. The 
        FTC has issued a number of Guides \21\ to explain its approach 
        to consumer protection--but none for consumer privacy.\22\ The 
        FTC's recently issued privacy report is no substitute for such 
        a Guide--indeed, it has little grounding in the twin Policy 
        Statements that are supposed to be the FTC's lodestars. To 
        replicate some of the adversarial nature of actual litigation, 
        the process must be the result of a substantive dialogue with 
        affected stakeholders, and it must be subject to involved 
        oversight from the full Commission and from Congress.
---------------------------------------------------------------------------
    \19\ See supra note 9.
    \20\ Federal Trade Comm'n, FTC Operating Manual Sec. 8, available 
at http://www.ftc.gov/foia/ch08industryguidance.pdf.
    \21\ Federal Trade Comm'n, FTC Bureau of Consumer Protection--
Resources: Guidance Documents, http://ftc.gov/bcp/menus/resources/
guidance.shtm (last visited June 26, 2012).
    \22\ Federal Trade Comm'n, Legal Resources/BCP Business Center, 
http://business.ftc.gov/legal-resources/48/33 (last visited June 26, 
2012).

  5.  In particular, the FTC must clarify the boundaries of privacy 
        harm under the Unfairness Doctrine. The FTC's leadership seems 
        to to be trying to have it both ways: playing down publicly 
        what they can do with their existing legal authority (to 
        support their argument for new statutory authority) while, at 
        the same time, making bold claims about the scope of harm in 
        their enforcement actions. If the concept of harm is stretched 
        too far, the Unfairness Doctrine will become again, as it was 
        in the 1970s, a blank check for the FTC to become a second 
        national legislature.\23\ I explain my concerns about the 
        potential for the unfairness doctrine to be abused, but also my 
        belief that the doctrine should be used to the greatest extent 
        degree with the 1980 Policy Statement, in my March testimony 
        before the House Energy & Commerce Committee.\24\
---------------------------------------------------------------------------
    \23\ See generally, Howard Beales, III, The FTC's Use of Unfairness 
Authority: Its Rise, Fall, and Resurrection, Sec. III, http://
www.ftc.gov/speeches/beales/unfair0603.shtm [hereinafter Beales 
Paper]).
    \24\ See Szoka, supra at 15.

  6.  Congress should ensure the FTC has the resources adequate to 
        engage in this detailed analysis. To dismiss the current legal 
        model as inadequate simply because it has not been fully 
        utilized, and to adopt instead a new legislative framework 
        whose true costs are unknown, would be truly ``penny wise, 
        pound foolish.'' Given the clear need to reduce Federal 
        spending across the board, and the decidedly mixed record of 
        antitrust law in actually serving consumers, Congress could 
        simply reallocate funding from the FTC's Bureau of 
        Competition--or, more dramatically, consolidate antitrust 
        enforcement at the DOJ and allocate the cost savings from 
        streamlining to the FTC's Bureau of Consumer Protection.\25\
---------------------------------------------------------------------------
    \25\ See William E. Kovacic, The Institutions of Antitrust Law: How 
Structure Shapes Substance, 110 Mich. L. Rev. 1019, 1034 (2012) 
(identifying several problems with Federal duality of antitrust 
jurisdiction).

    If Congress wants to improve upon the American layered approach to 
privacy, these suggestions offer concrete steps that could be taken 
today. Just as Silicon Valley's motto is ``Iterate, iterate, iterate,'' 
the same approach is needed for improving our existing framework.
    Only by using the current framework to its fullest capacity will we 
actually know if there are real gaps the FTC cannot address using its 
existing authority. In particular, the process of issuing guidelines 
could identify problems as candidates for appropriately narrow 
legislation that could build on top of the current baseline as part of 
an effective layered approach--or for self-regulatory processes akin to 
those called for by the NTIA. If there are some forms of harm that 
require government intervention but that cannot fit within an 
appropriately limited conception of harm under unfairness, it may be 
better for Congress to address these through carefully tailored 
legislation, rather than shoehorning them into unfairness. For example, 
such legislation might be appropriate to prevent employers from 
pressuring employees into sharing their passwords to Facebook and other 
social networking sites.
V. The DAA: A Self-Regulatory Success Story
    The Digital Advertising Alliance has demonstrated how self-
regulation can evolve to provide ``the flexibility, speed, and 
decentralization necessary to address Internet policy challenges''--not 
perfectly, but better than government. Since my fellow witness Bob 
Liodice, is representing the DAA today, let me just highlight four 
areas in which I think DAA has demonstrated the value of self-
regulation beyond its additional principles:

   Transparency: In April 2010, the industry began including an 
        icon inside targeted ads to raise awareness of the practice and 
        offer consumers an easy opt-out from tailored advertising. That 
        icon is now shown in over a trillion ad impressions each month.

   Education: Last January, DAA launched an unprecedented 
        public awareness campaign called ``Your AdChoices'' to further 
        increase public awareness of the AdChoices Icon, and consumers' 
        ability to opt-out.

   Evolving commitments: In November 2011, the DAA updated its 
        principles to bar data collected for advertising purposes from 
        being used for employment, credit, health care treatment, or 
        insurance eligibility decisions.\26\
---------------------------------------------------------------------------
    \26\ Digital Advertising Alliance, Self-Regulatory Principles for 
Multi-Site Data, Nov. 2011, http://www.aboutads.info/resource/download/
Multi-Site-Data-Principles.pdf.

   Enforcement: The Better Business Bureau, which administers 
        enforcement of the DAA principles, and has done so for other 
        self-regulatory programs since 1971, has brought a number of 
        enforcement actions,\27\ demonstrating that it is far from 
        toothless.
---------------------------------------------------------------------------
    \27\ See Better Business Bureau, Case Decisions, http://
www.bbb.org/us/interest-based-advertising/decisions/ (last visited June 
26, 2012).

   Do Not Track: In February, the DAA committed \28\ to respect 
        Do Not Track (DNT) headers sent by browsers when users visit 
        websites as a (potentially) more consumer-friendly way of 
        implementing DAA's existing privacy opt-out.
---------------------------------------------------------------------------
    \28\ Digital Advertising Alliance, DAA Position on Browser Based 
Choice Mechanism, Feb. 22, 2012, http://www.aboutads.info/resource/
download/DAA_Commitment.pdf.
---------------------------------------------------------------------------
VI. Concerns about Self-Regulatory Processes
    The DAA is a good example of self-regulation evolving. But not all 
self-regulation is created equal. I have previously outlined my 
concerns about the self-regulatory process the NTIA has proposed to 
facilitate.\29\ Chief among those concerns was the role government play 
in steering the process through the exercise of ``soft power.'' My 
participation in the World Wide Web Consortium (W3C) process as an 
invited expert (for the last six weeks) has increased that concern 
dramatically, given the looming presence of the FTC, and to a lesser 
extent, European governments, behind that process. In particular, I 
fear that an artificial deadline imposed by the FTC and other global 
regulators may shape the outcome of the process in ways that prove 
counter-productive.
---------------------------------------------------------------------------
    \29\ Berin Szoka, Comments to the National Telecommunications and 
Information Administration on the Multistakeholder Process to Develop 
Consumer Data Privacy Codes of Conduct, April 2, 2012, http://
techfreedom.org/sites/default/files/Comments%20to%20NTIA%20on%20
Self-Regulatory%20Process%204.2.12.pdf.
---------------------------------------------------------------------------
    More generally, despite my general skepticism of antitrust and 
belief that market power is best combated with market power, my 
experience with W3C has made me appreciate better the concerns raised 
by FCC Commissioner Tom Rosch about manipulation of the self-regulatory 
process by powerful players--especially where market power is 
essentially piggybacking on the soft power of government. In his 
dissent from the FTC's 2012 privacy report, Rosch asked: ``the major 
browser firms' interest in developing Do Not Track mechanisms begs the 
question of whether and to what extent those major browser firms will 
act strategically and opportunistically (to use privacy to protect 
their own entrenched interests).'' \30\ And in his concurrence to the 
draft version of that report released in December 2010, Rosch noted: 
``the self-regulation that is championed in this area may constitute a 
way for a powerful, well-entrenched competitor to raise the bar so as 
to create an entry barrier to a rival that may constrain the exercise 
of undue power.'' \31\
---------------------------------------------------------------------------
    \30\ Dissenting Statement of Commissioner J. Thomas Rosch, Issuance 
of Federal Trade Commission Report, Protecting Consumer Privacy in an 
Era of Rapid Change: Recommendations for Businesses and Policymakers, 
Mar. 26, 2012, at 6, available at http://www.ftc.gov/speeches/rosch/
120326privacyreport.pdf.
    \31\ Concurring Statement of Commissioner J. Thomas Rosch, Issuance 
of Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era 
of Rapid Change: A Proposed Framework for Businesses and Policymakers, 
Dec. 1, 2010, at E-3, available at http://www.ftc.gov/os/2010/12/
101201privacyreport.pdf.
---------------------------------------------------------------------------
    These concerns about power are heightened by concerns about 
process. The W3C is highly respected as a standard-setting body, but it 
is not a policy-making body. Its first and only other policy-heavy 
process--to produce the Protocol for Privacy Preferences (P3P), a 
laudable but highly complex form of smart disclosure--was roundly 
criticized and never achieved widespread adoption.
    Many key players are simply not represented--most notably the 
publishers, smaller advertising companies and data processors. All of 
these have a great deal to lose and could be put out of business, or 
forced to consolidate with larger players, in a Default DNT-On world. 
In large part, this reflects the high cost of participation, not just 
in terms of W3C membership,\32\ but in terms of committing at least one 
person to engage in the weekly teleconference, the deluge of e-mails on 
the discussion list and the face-to-face meetings, which run 2.5 days.
---------------------------------------------------------------------------
    \32\ A U.S. company with over $50 million in annual revenue must 
pay $68,500/year, while smaller companies must pay $7900, and startups 
with fewer than ten employees and $3 million in annual revenue pay 
$2250. W3C, Membership Fees, http://www.w3.org/Consortium/
fees?country=United+States&quarter=04-01&year=2012#results (last 
visited June 26, 2012).
---------------------------------------------------------------------------
    It is also possible that the W3C Tracking Protection Working Group, 
while composed of talented, well-meaning and dedicated people, may 
simply not reflect the right mix of backgrounds, even among the 
companies represented. Significantly under-represented are those who 
could speak with authority to the real world trade-offs inherent in the 
many complicated decisions being made by the group--not enough business 
experts, no economists, and too many privacy advocates full of good 
intentions but lacking in real-world grounding. The stakes could 
scarcely be higher, with regulator standing ready to implement the 
outcome of the process, regardless of whether it is well-suited to the 
problems at hand.
    Further, the process has proven highly unwieldy, given the large 
number of people involved and the large policy implications of the 
questions being debated--which were amplified considerably by 
Microsoft's decision to switch to Default DNT-On.
    Still, for all its flaws, it may prove--to paraphrase Winston 
Churchill on democracy--that the W3C process is the worst possible 
process--except for all the others. Certainly, it is a better option 
than having the FTC design a DNT mechanism on its own, as has been 
proposed in pending legislation.\33\
---------------------------------------------------------------------------
    \33\ H.R. 654, Do Not Track Me Online Act, available at http://
hdl.loc.gov/loc.uscongress/legislation.112hr654.
---------------------------------------------------------------------------
    I explain all these concerns in more detail below.
VII. The Dangers of Default DNT-On
    Default DNT-On is supposed to empower users but in fact, it simply 
empowers browser makers to force a fundamental change in the Internet 
ecosystem, from today's low-friction, flat ecosystem of independent 
sites and services funded by impersonal data collection to one with 
fewer players who collect more data--''opt-in dystopias.''
    Since last September, the W3C has been developing a technical 
standard for Do Not Track (DNT) headers that would ``allow a user to 
express their personal preference regarding cross-site tracking.'' The 
W3C process was based on the idea that the DNT mechanism ``must reflect 
the user's preference.'' Similarly, the DAA commitment was premised on 
the idea that the user has ``affirmatively chosen to exercise a uniform 
choice with the browser based tool.'' \34\ Simply put, users, not 
browsers, should choose to opt-out of the data collection that creates 
so much value for consumers.
---------------------------------------------------------------------------
    \34\ Digital Advertising Alliance, supra note 27.
---------------------------------------------------------------------------
    Microsoft breached this consensus on user choice when it announced 
last month that its new IE10 browser would send DNT:1 headers by 
default. This risks derailing the entire W3C process. Just the day 
before Microsoft's announcement, at the weekly W3C teleconference, 
privacy researcher Lauren Gelman attempted to allay industry concerns 
that the spec might go too far by saying: ``realistically, majority 
default DNT is not the world this standard will exist in. DNT is going 
to be a 10 percent solution'' \35\--a view overwhelmingly shared by 
participants.
---------------------------------------------------------------------------
    \35\ See Lauren Gelman, ``Re: tracking-ISSUE-150: DNT conflicts 
from multiple user agents [Tracking Definitions and Compliance]'', 
[email protected] mailing list, May 30, 2012, http://lists.w3.org/
Archives/Public/public-tracking/2012May/0341.html.
---------------------------------------------------------------------------
    While Microsoft's stated commitment to user empowerment is 
laudable, Default DNT-On doesn't empower users any more than turning on 
ad blocking by default would. Anyone who cares can quite easily choose 
to make that choice. Below a certain threshold of DNT adoption, few 
sites will find it worthwhile to charge, block or negotiate with those 
privacy-sensitive users who turn on DNT. But no-cost opt-outs and 
implicit quid pro quos don't scale: beyond a certain point, sites will 
have to make quid pro quos explicit to gain opt-ins (technically, 
exceptions to DNT). In other words, a significantly higher DNT adoption 
rate will take us past a tipping point to an opt-in world.
    Some downplay the significance of this change, arguing that Default 
DNT-On will simply force negotiations between sites and users over 
granting exceptions \36\--a key part of the DNT spec. But as I 
explained in my comments on the draft FTC privacy report in February 
2011, such negotiations are not costless; they introduce considerable 
transactions costs (``friction'') into an ecosystem that currently 
works because it generated tiny amounts of value from enormous volumes 
of transactions. Economic theory suggests that forcing today's implicit 
quid pro quo to become explicit (by switching to DNT Default-On) could 
produce dramatically different outcomes. As I explained:
---------------------------------------------------------------------------
    \36\ Jonathan Mayer, ``Do Not Track Is No Threat to Ad-Supported 
Businesses,'' Jan. 20, 2011, http://cyberlaw.stanford.edu/node/6592.

        Much as I enjoy the rich irony of seeing those who are rarely 
        thought of as free-marketeers essentially asserting that 
        ``markets'' will simply, and quickly, ``figure it out,'' I am 
        less sanguine. The hallmark of a true free-marketeer is not a 
        belief that markets work perfectly; indeed, it is precisely the 
        opposite: an understanding that ``failure'' occurs all the 
        time, but that government failure is generally worse, in terms 
        of its full consequences, than ``market'' failure.\37\
---------------------------------------------------------------------------
    \37\ Comments of Berin Szoka, on ``Protecting Consumer Privacy in 
an Era of Rapid Change: A Proposed Framework for Businesses and 
Policymakers, A Preliminary FTC Staff Report of the Bureau of Consumer 
Protection, Federal Trade Commission, February 18, 2011, http://
techfreedom.org/sites/default/files/TechFreedom%20FTC%20filing%202011-
02-18.pdf.

    The first part of that lesson comes especially from the work of the 
economist Ronald Coase. . . who won his Nobel Prize for explaining that 
the way property rights are allocated and markets are structured 
determines the outcome of marketplace transactions.\38\ For example, a 
rule that farmers bear the cost of stopping rancher's cattle from 
grazing on their farms by constructing fences will produce different 
outcomes--not merely different allocations of costs--from the opposite 
rule.
---------------------------------------------------------------------------
    \38\ Ronald A. Coase, The Problem of Social Cost, 3 J.L. & Econ. 1 
(1960).
---------------------------------------------------------------------------
    Coase's key insight was that, in a perfectly efficient market, the 
outcome would not depend upon such rules: To put this in terms of the 
privacy debate, the choice between, say, an opt-out rule and an opt-in 
rule for the collection or use of a particular kind of data 
(essentially a property right) would have no consequence because the 
parties to the transaction (say, website users and website owners) 
would express their ``true'' preferences perfectly, effortlessly and 
costlessly. But, of course, such frictionless nirvanas do not exist. 
The real world is defined by what Coase called ``transactions costs'': 
search and information costs, bargaining and decision costs, policing 
and enforcement costs.
    The transaction costs of implementing a ``Do Not Track'' mechanism 
above an acceptable loss threshold of adoption--where sites must create 
architectures of negotiation--are considerable: someone must design 
interfaces that make it clear to the user what their choice means, the 
user must consume that information and make a choice about tracking, 
websites must decide how to respond to various possible choices and be 
able to respond to users in various ways through an interface that is 
intelligible to users, and so on--all for what might seem like a 
``simple'' negotiation to take place.
    These problems are certainly not insurmountable--and, again, with 
the right engineering and thoughtful user interface design a ``Do Not 
Track'' mechanism could well prove a useful tool for expressing user 
choice. But when we look at the world through Coase's eyes, we begin to 
understand how mechanism design can radically alter outcomes (in this 
case, funding for websites).
    Put simply, Default DNT-On could take us from a world in which 
users can freely browse content and services offered by a thriving 
ecosystem of publishers to a bordered Internet. Users will either have 
to pay or opt-in to tracking. In this worst-case opt-in ``dystopia,'' 
consumers could be made significantly worse off in three primary ways.
    First, to the extent publishers have to rely on micropayments or 
subscriptions, their revenues will likely drop. Information goods have 
a marginal cost of zero, and therefore competition tends to drive their 
marginal cost to zero. Put more simply: unless you have a unique good 
protected by copyright, it's hard to charge for it (and charging for 
many small transactions itself creates high transactions costs). 
Advertising has always solved this problem by monetizing attention, but 
advertising online is worth three or more times more when it is 
tailored to users' interests.\39\ Many sites that rely on this revenue 
will simply disappear, or be consolidated into larger media companies. 
Consumers will have fewer, poorer choices.
---------------------------------------------------------------------------
    \39\ See, Howard Beales, The Value of Behavioral Targeting, March 
2010, http://www.networkadvertising.org/pdfs/Beales_NAI_Study.pdf.
---------------------------------------------------------------------------
    Second, those sites and data companies that are able to obtain opt-
ins will likely collect more data in ways that are more personal than 
today. While opt-ins sound great in theory, they simply do not protect 
privacy in the real world. As Betsy Masiello and Nicklas Lundblad 
explained in their seminal paper about ``Opt-In Dystopias'':

        opt-in regimes . . . are invasive and costly for the user and 
        can encourage service providers to minimise the number of times 
        opt-in is requested. This can have at least two adverse 
        effects.

        The first is that service providers may attempt to maximise 
        data collection in every instance that they are forced to use 
        an opt-in framework; once a user consents to data collection, 
        why not collect as much as possible? And the increased 
        transaction costs associated with opt-in will lead service 
        providers to minimise the number of times they request opt-in 
        consent. In combination these two behaviours are likely to lead 
        to an excessive scope for opt-in agreements. In turn, users 
        will face more complex decisions as they decide whether or not 
        to participate. \40\
---------------------------------------------------------------------------
    \40\ N Lundblad and B Masiello, ``Opt-in Dystopias'', (2010) 7:1 
SCRIPTed 155, http://www.law.ed.ac.uk/ahrc/scripted/vol7-1/
lundblad.asp.

    The DNT spec allows sites to negotiate with users to grant 
exceptions to DNT as an explicit quid pro quo for access to content or 
services. But this could rapidly become complex given the need for 
---------------------------------------------------------------------------
users to manage exceptions for multiple sites and services:

        As this happens we are likely to see demand rise for single 
        identity systems. . . . It is possible that emerging social web 
        services could comply by setting up the opt-in as a part of the 
        account registration process, as discussed earlier. Users have 
        an incentive to opt-in because they want to evaluate the 
        service; after opting-in, a user is able to make an evaluation 
        of the service, but by that point has already completed the 
        negotiation. The service, having already acquired the mandatory 
        opt-in consent, has no incentive to enable users to renegotiate 
        their choice.

        The data collection in this instance would all be tied to a 
        central identity and would be likely to have excessive scope 
        and deep use conditions. One unintended consequence of a 
        mandatory opt-in regime might be the emergence of tethered 
        identities, whereby a user's identity is tightly coupled with a 
        particular social platform or service. . . .

        From a privacy point of view, tethered identities present many 
        challenges. The concept suggests that all behaviour is tied to 
        a single entry in a database. The ease of executing an overly 
        broad law enforcement request would be far greater than in a 
        regime of fragmented and unauthenticated data collection. The 
        degree of behaviour upon which an advertisement might be 
        targeted would also be far greater. And the threat of exposure 
        posed by a security breach would also increase.

    Third, few publishers and data-driven companies will be able to 
obtain opt-in exceptions to DNT. This will force unprecedented 
consolidation in the Internet ecosystem, both among publishers and 
among companies that use and process data for advertising, research and 
other purposes. As Masiello and Lundblad explain:

        A worst-case consequence of widespread opt-in models would be 
        the balkanisation of the web. As already discussed, some degree 
        of data collection is necessary to run many of today's leading 
        web services. Those that require account registration, such as 
        social web services, enjoy an easy mechanism for securing opt-
        in consent and would be likely to benefit disproportionately 
        from a mandatory opt-in policy.

        If we believe that mandatory opt-in policies would 
        disproportionately benefit authenticated services, we might 
        also expect balkanisation of these services to occur. When 
        information services are open and based on opt-out, there are 
        incentives to provide users the best experience possible or 
        they will take their information elsewhere. When these services 
        are closed and based on opt-in, there are incentives to induce 
        lock-in to prevent users from switching services. Users might 
        be reluctant to leave a service they have evaluated and 
        invested in; the more investment made the more likely a user is 
        to stay with the current provider. We might expect mobility to 
        decrease, with negative effects for competition and consumer 
        value

    Simply put, Default DNT-On is likely to drive the adoption of 
federated content networks, and the evolution of highly decentralized 
websites and services towards an apps based model--such as on mobile 
phones and such as Microsoft is introducing in Windows 8--in which 
advertising is delivered by the app platform operator. This might or 
might be a good thing on net, but again, the point is that no one 
really knows, even as we tumble blindly down this path.
    With the best of intentions, we are heading towards reshaping the 
fundamentals of the Internet--in ways that may have serious negative 
unintended consequences for privacy, the sites and services consumers 
enjoy, and the health of the ecosystem. But the way we're doing it may 
be even more troubling. This is not the result of a bottom-up 
evolutionary process, but of collusion between government and powerful 
market players. In the name of self-regulation, we are essentially 
moving toward the European model of co-regulation: where governments 
steer and industry rows, and where powerful incumbents use market power 
to serve their own agendas, with the blessing of government.
    The Federal Trade Commission called for a Do Not Track mechanism in 
its draft privacy report, issued in December 2010. Chairman Leibowitz 
and David Vladeck, Director of the FTC's Bureau of Consumer Protection, 
have taken credit for pressuring industry to come to the table on 
DNT.\41\ The agency has played an active role in the W3C process. FTC 
Chief Technologist Ed Felten opened day two of the most recent W3C 
meeting by telling participants what the FTC wanted. Chairman Leibowitz 
and Commissioner Julie Brill delivered keynote addresses at the two 
prior meetings. Commissioner Brill, in particular, has pushed the W3C 
process to change the nature of the DNT spec to limit not just how data 
can be used, but what data can be collected in the first place. 
Representatives Ed Markey and Joe Barton have gone even further, 
sending a letter to the W3C Tracking Protection Working Group during 
its last meeting urging not only heavy restrictions on collection, but 
also that DNT:1 be turned on default.\42\
---------------------------------------------------------------------------
    \41\ Federal Trade Commission, FTC Testifies on Do Not Track 
Legislation, Dec. 2, 2010, http://www.ftc.gov/opa/2010/12/
dnttestimony.shtm.
    \42\ Letter from Congressmen Edward J. Markey and Joe Barton to 
World Wide Web Consortium Tracking Protection Working Group, June 19, 
2012, available at http://markey.house.gov/sites/markey.house.gov/
files/documents/%206-19-12%20Letter%20from%20Rep%20Markey%20
and%20Barton%20-%20W3C%20.pdf.
---------------------------------------------------------------------------
    The FTC has clearly been turning the screws on companies to agree 
to comply with DNT--even before a standard exists. The FTC showed its 
hand in Twitter's agreement to recognize DNT in May,\43\ when FTC Chief 
Technologist Ed Felten announced the deal himself even before Twitter 
could do so. Faced with the FTC's open antitrust investigation, and the 
agency's essentially unchecked ability to bring privacy complaints 
against the company, at a real cost to its reputation, it's not hard to 
see why Twitter might be susceptible to . . . encouragement from the 
well-meaning folks at the FTC.
---------------------------------------------------------------------------
    \43\ Michelle Maltais, ``Twitter supports `do not track' '', Los 
Angeles Times, May 17, 2012, available at http://articles.latimes.com/
2012/may/17/business/la-fi-tn-twitter-do-not-track-2012
0517.
---------------------------------------------------------------------------
    So one has to wonder what role Chairman Leibowitz, and members of 
Congress like Representatives Barton and Markey, might have had in 
convincing Microsoft to break ranks from the W3C process--even if that 
risked derailing the process itself.
    This is, of course, speculative--but not without any basis. At the 
very least, Congress should ask the FTC to explain exactly what its 
role has been throughout this process. Further, Congress should call on 
the agency's leadership to repudiate the disturbing argument made by 
Tim Wu in defense of ``agency threats'' as a valid form of extra-legal 
regulation.
VIII. Conclusion
    There are no silver bullets. Neither self-regulation nor relying on 
Section V is without pitfalls. But together, and working in conjunction 
with market forces like reputation, with targeted legislative 
solutions, and with technological change itself, they form a layered 
approach to dealing with privacy that is more likely to protect us from 
true privacy harms without killing the goose that laid the golden egg.

    Senator Klobuchar. Thank you very much, Mr. Szoka.
    Thank you, all of you.
    And I just want to clarify something after listening to Mr. 
Szoka's testimony, maybe with you, Mr. Liodice.
    The FTC isn't actually regulating this right now. Is that 
correct? I mean, what is happening? Because it's my impression 
that they are allowing the industry to engage in some of this 
self-regulation and put a policy forward. Could you give me 
your views on that?
    Mr. Liodice. Sure, yes. Thank you.
    We've had many collaborations with the FTC over the past 
few years. In fact, the FTC has essentially provided the 
information necessary as to certain directions that we have 
needed to head in.
    So it has been an ongoing collaboration with the FTC. And 
our self-regulatory mechanisms have evolved appropriately with 
the encouragement of the FTC.
    There admittedly had been times where there has been 
dissatisfaction. And through their encouragement, we continue 
to press on, build the technologies, and to complete the system 
to the current capability that we currently have.
    Senator Klobuchar. OK. And I understand that some in the 
online advertising and technology industry, particularly those 
who have been negotiating at the WC3, believe that industry 
self-regulation is possible and that the industry can coalesce 
around an opt-in regime. What do you think the chances are of 
stakeholders coming together without congressional or FTC 
action to develop an opt-in regime?
    Mr. Liodice. To develop an opt-in regime we think is 
against the interest of commerce. We believe that the current 
opt-out philosophy that we are currently structured around and 
succeeding with is the right way to go.
    We have demonstrated that the industry can come together. 
We represent a consortium of 5,000 corporations with many 
different interests, with many different focal points. And to 
be able to bring that level of the business community together 
to create a system that, in fact, is working, not only for 
business but, most importantly, for consumers, is something 
that this industry is extraordinarily proud of.
    Senator Klobuchar. Mr. Fowler, both the FTC and the White 
House reports mention the possibility of privacy practice 
becoming a consideration actually for consumers deciding 
between devices and services. And I think that the Microsoft 
announcement and other things would demonstrate that.
    Have you seen significant data suggesting consumers already 
choose services, particularly online, based on privacy 
practices?
    Mr. Fowler. I think there is a lot of data that shows that 
consumers do make decisions based on data practices. I think 
within our own user base, we are just in the process of 
completing an analysis of a survey that we did, where we had 
10,000 of our users provide input on what they thought about 
``do not track'' and privacy and the types of tools that are 
available to them.
    And what we found was very interesting. And we will be 
happy to share the results of that analysis once we've done our 
write-up.
    But consumers do take privacy seriously. And they do feel 
that this is an important consideration for them as they browse 
the Internet, as they use services and applications.
    And we found in the context of ``do not track'' that 
service providers, browsers, software manufacturers that 
provide ``do not track'' features actually lead to greater 
trust by the consumers who use it.
    Senator Klobuchar. Very good.
    Privacy policies are important, but I think we all know 
that consumers don't necessarily read them all. What efforts 
are being made to make them more accessible and easier to 
understand?
    Maybe, Mr. Swire, you'd like to answer this as well?
    Mr. Swire. Well, so privacy policies have another purpose 
besides the consumers, which is it lays out for all the 
employees, it lays out for the enforcers, it lays out for the 
rest of the world, what the privacy rules are going to be. And 
they also become the basis for how the Federal Trade Commission 
and the State AGs can step in if they're breaking their 
promises.
    The financial regulators had a good process to come up with 
a standard simplified privacy notice for Gramm-Leach-Bliley, 
much more like the kind of thing you see on the side of a soup 
can. And I think trying to find ways to have more standardized 
notices is something that everyone really supports.
    Senator Klobuchar. What about considerations for mobile 
devices that collect data, like smart phones and tablets?
    Mr. Swire. Well, you know, it's limited real estate on the 
smart phone. And I think that for mobile apps, people are 
really struggling with how to somehow convey it. Maybe over 
time we'll see icons used a lot more. Maybe there will be video 
notice--I mean, audio notices. But I think that's really 
something that needs a lot more work.
    And they're talking about mobile privacy as part of the 
mobile stakeholder process. We need more progress there.
    Mr. Liodice. If I may add to that, Senator?
    We are moving very aggressively to adapt or identify 
principles for mobile. We clearly will need this in the future. 
We need it now. And so we're moving aggressively to ensure that 
the principles that we've established for the Internet will 
extend to the mobile world and ensure that we have absolute 
enforcement mechanisms in the same way that we currently have 
in the Internet self-regulatory sphere.
    Senator Klobuchar. So you would find some way to extend the 
opt-out principles and give the same options to those that have 
the small screens, such as tablets or smart phones----
    Mr. Liodice. Absolutely. Absolutely.
    Senator Klobuchar.--as they have on a typical computer?
    Mr. Liodice. There is no question that we're heading in 
that direction. We have processes underway to make sure that 
that happens. We will not rest until that does happen.
    Senator Klobuchar. OK.
    Could anyone fill me in on how that's going to happen, just 
how you physically do that?
    Mr. Liodice. The technology?
    Senator Klobuchar. Yes.
    Mr. Liodice. We haven't developed it at this point in time, 
but we have developed a group that is examining this in a real-
time basis.
    The first step, as we did in the self-regulatory process 
that was established, is to ensure that the principles are 
appropriately constructed to meet the mobile platform, which is 
somewhat different than the current Internet digital platform.
    Once those principles are established, we will leverage our 
technology partners that we've used to create the current 
monitoring, reporting, and accountability systems that will be 
moving into the unit that is eventually monitored by the 
Council of Better Business Bureaus.
    Senator Klobuchar. One last thing, Mr. Swire, and then I'm 
going to turn it over to Senate Ayotte.
    Mr. Swire. So it does show on the mobile how hard it would 
be to opt out of every single company that maybe places an ad. 
It's just an awful lot of thumb work.
    And having a more simple one way to do it, ``do not track'' 
or other expression of preference, becomes even more important, 
I think, in the mobile space.
    Senator Klobuchar. Thank you very much.
    Senator Ayotte, and then we're going to Chairman 
Rockefeller, and then Senator Thune.
    Senator Ayotte. Thank you, Senator Klobuchar.
    I wanted to ask Mr. Liodice, and I would like to hear all 
of your comments on this, certainly, in other contexts before 
this committee, I have expressed concern about how the FTC 
interprets its authority under Section V. That said, one thing 
I would like to hear from each of you on is, can you give me an 
example of a harm that has taken place regarding privacy that 
can't be adequately addressed by Section V by the FTC?
    And how do you view the current law under Section V, in 
terms of using that as a mechanism of regulation, rather than 
creating all new legislation here?
    So can you help me on that?
    Mr. Liodice. Sure.
    Senator Ayotte. What is it that Section V isn't protecting 
now?
    Mr. Szoka. May I jump in, Senator?
    Senator Ayotte. Sure.
    Mr. Szoka. First of all, thank you for your question. This 
does not get enough attention.
    The entire debate, as I emphasize in my testimony, goes on 
as if we don't already have baseline consumer protection. And 
as I argue, the trick here is using Section V to its fullest 
extent and not beyond that.
    And the problem, if I may say today, as you'll see if you 
look at any sort of privacy textbook, is, ultimately, you can 
look at what the FTC has done. You come up with what my 
colleague Charlie Kennedy summarizes as saying the list of 
``dos and don'ts'' tell us which practices the FTC has 
challenged in the past, but does not provide a way of 
identifying those practices that might be challenged in the 
future. To me, that's the central problem.
    Right now, the problem is not doctrine. It is the fact that 
the FTC is never challenged in court. And because of that, 
there are no courts to develop doctrine, and it falls 
ultimately upon the agency itself to explain its analysis to 
guide us. And that is precisely what I describe in my testimony 
as quasi-common law.
    Now, to answer your question, I think there are cases that 
couldn't be dealt with adequately by unfairness, or at least 
that would stretch unfairness too far.
    And just to give you one example, there's talk right now on 
the Hill of passing legislation that would bar employers from 
insisting that their employees give them their passwords to 
their Facebook accounts. I think that's the sort of thing that 
could actually make a good target for narrow legislation, 
something I would encourage this committee to look into.
    I'm not saying that everything can or should be shoehorned 
into the unfairness doctrine, but I think unfairness can 
actually be used to do more today than it is being used without 
turning unfairness into what it was in the 1970s, which 
essentially was a blank check for the FTC to become a second 
national legislature.
    Senator Ayotte. Do other members of the panel have comments 
on that?
    And certainly, Mr. Szoka, that's an issue that I've been 
concerned about in the past, of a blanket view of Section V.
    Mr. Swire. Well, the simple point is, if it's not in the 
privacy policy, there's no deception claim. So a company says, 
``A, B, and C,'' and it leaves out the rest of the alphabet. 
They can do anything with the rest of the alphabet.
    And there's no Administrative Procedure Act rulemaking 
authority in this area, so there's not a chance to get public 
comments and to have on the record an idea of what the rule 
should be or not be.
    In the absence of that, the FTC, without rulemaking 
authority, has to go case-by-case, and they have no help on the 
rest of the alphabet after A, B, and C, if that's all the 
privacy policy says.
    Mr. Fowler. And if I could just build on that a little bit. 
I mean, we have a Ford Foundation grant that is a research 
project looking at first- and third-party tracking online.
    The project includes a special add-on for Firefox browser 
called Collusion. I would encourage you to check out by going 
to www.mozilla.org/collusion. You or your staff can install it 
and look at your own webpages to see what kinds of tracking 
practices are in place.
    And what we've found, without fail, is that a lot of 
organizations really don't have a clear picture of the types of 
data practices that their sites and applications are engaged 
in.
    And so if you think about this question of Section V and 
what you've disclosed in your privacy policy, what we're 
finding is that those privacy policies remain static for too 
long. They don't reflect necessarily the day-to-day changes 
that happen in today's dynamic webpage and application 
environment.
    Mr. Liodice. And if I may build on that, I had to check 
with counsel, since I'm not a lawyer, to ensure my 
understanding of it as well.
    Part of the beauty of what the self-regulatory mechanism 
provides is the flexibility to be able to track case-by-case 
and to be able to link that up with the principles that our 
marketers have to ascribe to. And if, in fact, they deviate 
from that, our reporting mechanisms provide the identification 
to our accountability mechanisms and our self-enforcement 
mechanism. And if, in fact, those changes or those violations 
of those principles don't occur, then we reference them back to 
the FTC.
    But with the system that we have, we are able to get at 
cases and violations of principles that may have escaped the 
FTC's purview.
    Mr. Szoka. Senator, may I briefly add to that?
    Everyone here likes to diminish the importance of case-by-
case rulemaking. And I would agree that case-by-case rulemaking 
doesn't work if you don't explain your analysis. And that is 
precisely the world we live in today.
    All we have is consent decrees that are essentially bald 
assertions that a company has does something unfair or 
deceptive. It would be a very simple matter for the FTC to 
simply do more in its analysis to explain that. If they don't 
have the resources, I, as somebody who believes in limited 
government and cutting spending probably more than anybody in 
this room, would be delighted to give them more funding to do 
that.
    It is pennywise, pound foolish to give up on the existing 
model simply because the FTC doesn't have the time to explain 
to us what unfairness means. You could have a meaningful 
unfairness doctrine to deal with cases beyond what companies 
have promised if you simply did that.
    And I've laid out four ways the FTC could do that. And I 
think that would be the best thing that this Congress could do 
to help the agency reach its full potential.
    Senator Ayotte. My time has expired. Appreciate it.
    Senator Klobuchar. Thank you. Chairman Rockefeller.

           STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                U.S. SENATOR FROM WEST VIRGINIA

    The Chairman [presiding]. Thank you, Madam Chair.
    This isn't a question. Mr. Szoka, I have to admit a vast 
admiration for you. But I have a question at the end.
    You're in love with the law. And I think you're in love 
with yourself. You declare yourself the most conservative 
person in the room, and I certainly would not argue that.
    My question to you is, when you go through your complex 
legal machinations, for which I'm sure you're very well paid, 
do you ever think about the effect on consumers? You have not 
used the word ``consumer'' once, ``user'' once.
    All you talk about is what works for corporations, what is 
unfair about FTC.
    It's all about legal practices. There's nothing about 
people. I'm just really curious.
    I'm not quite sure how you got on this panel, but you 
obviously slid by me.
    Mr. Szoka. Sir, I believe that the rule of law protects 
citizens. It is the bedrock of a free country, and that 
ultimately having agencies follow the law and work through 
legal means is something that protects consumers.
    I also have explained today that what I admire, what I am 
in love with, is the idea that we use the law in consumer 
protection, that we have legal doctrines that do precisely what 
you're getting at, which is allow us to address real harm to 
consumers and weigh costs and benefits. That's well-established 
doctrine. I didn't make that up. The FTC did.
    The Chairman. Thank you.
    This is to Mr. Liodice and Mr. Swire. We had a May hearing, 
and I asked Chairman Leibowitz about the Digital Advertising 
Alliance's new self-regulatory initiative. And you know, going 
back to automobiles and all kinds of things, self-regulation is 
a matter of interest to this committee, because if it doesn't 
work, then we want to do something about it, at least some of 
us do.
    And the alliances pledged to address the ``do not track'' 
request from Web browsers. And he made it very clear, that's 
Leibowitz, that if the alliance is going to honor a consumer's 
``do not track'' request in a meaningful way, they'll have to 
stop collecting consumer information, period, except for some 
limited exceptions.
    And I'm going to get into those limited exceptions in this 
or the next question.
    In other words, what Leibowitz was saying was, it made it 
very clear that you had to do a ``do not track,'' and it should 
mean ``do not collect''--do not collect, do not track.
    In other words, don't start. Don't get to the hundred 
different, you know, exercises of 5,000 different exercises 
with your thumbs that you have to do to get to what you want.
    How do you respond to that?
    Mr. Liodice. Mr. Chairman, the Internet operates on some 
collection of data. And if a consumer opts out of any kind of 
information-gathering, there are necessary exceptions in order 
to be able to ensure that fraud protection, crime prevention, 
other systems that currently operate on the Internet need to 
continue to ensure that those law enforcement capabilities 
continue to exist.
    The areas of exception that were noted in terms of market 
research are those that we had talked to the chairman about 
before. And his staff and he believed that that was the right 
direction to go at that stage.
    The one thing that I can say about self-regulation----
    The Chairman. However, I don't think he--he said that these 
could be expanded almost to the point where the rule would be 
swallowed up.
    Mr. Liodice. Of course.
    The Chairman. In other words, the definition is so broad, 
so inexplicably wide, that anything could fit in. So that he 
liked the concept of it, but there was a large ``but''----
    Mr. Liodice. Right.
    The Chairman.--which you have not referred to.
    Mr. Liodice. We would agree that boundaries need to be 
placed in this arena, because consumers need boundaries in 
order to understand exactly what their rights are, what their 
privileges are, and what their decisions need to be based upon.
    And that's the reason why we've established the mechanisms 
for what we already are currently doing. If something is not 
working or not working as effectively, part of the word that I 
used before about our system is ``evolutionary.'' We've 
continued to evolve to address concerns from the very beginning 
of our development of the Digital Advertising Alliance self-
regulatory system.
    For example, on multisite data and mobile, we are evolving, 
based upon the concerns that have been addressed by legislators 
or the FTC or others.
    The Chairman. But you would agree, would you not, that if 
Leibowitz's side concern--and that is that these two phrases 
could be used to sort of swallow up the whole intent of the 
rule--that it's better not to fiddle around with that?
    Mr. Liodice. No, what we would do is try to establish----
    The Chairman. You would be----
    Mr. Liodice.--boundaries.
    The Chairman. You're at DAA----
    Mr. Liodice. Yes.
    The Chairman.--with 5,000 people who you say represent all 
kinds of different interests.
    Mr. Liodice. That's correct.
    The Chairman. You've corralled them, like cats. But at some 
point, don't you, therefore, have to have something that says 
``do not track''?
    Mr. Liodice. No, I do not believe that that's the case, 
sir.
    The Chairman. Why is that? Because that would put you out 
of business?
    Mr. Liodice. No.
    The Chairman. I'm being a little cynical, but I'm being 
serious.
    Mr. Liodice. No, I understand. Exactly.
    The key here is a question of how we approach limitations 
on that collection that is responsible, that addresses consumer 
interests. And as I mentioned before, one of the core interests 
that we have, in terms of ``do not track,'' is cybersecurity.
    We cannot turn our backs on cybersecurity as an issue, 
because if, in fact, we do not track completely, and totally 
stop any type of information-gathering whatsoever, we run into 
serious problems in the way the Internet is managed.
    The Chairman. I may want to explore that with you. My time 
is up.
    Thank you, Madam Chair.
    Senator Klobuchar [presiding]. Thank you.
    Senator Thune?

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. Thank you, Madam Chair.
    And I want to thank our panelists today. I know I always 
welcome different perspectives. And divergence of opinions is a 
good thing. I think that benefits all of us as we try to make 
good and informed decisions, so thank you all for being here 
today.
    Our most innovative companies of all kinds use data to 
improve their products, gain understanding of their customers, 
and make better and more informed decisionmaking. Data is 
behind all sorts of customization, innovation, that benefits 
consumers.
    There was a report commissioned by Interactive Advertising 
Bureau recently that concluded that the Internet accounted for 
15 percent of total U.S. GDP growth. And if the Internet were a 
national economy, by 2016, it would rank as the fifth largest 
economy in the world.
    The advertisement-supported Internet contributes $300 
billion to the U.S. economy and has created about 3 million 
American jobs. At a time when we have sustained grim economic 
news, it has remained a very bright spot in the U.S. economy, 
and that trend continues.
    And my concern is that if we try to rush a quick fix on the 
issue of privacy, rather than very thoughtfully and carefully 
dealing with the issue, we could stifle the very important 
economic advantage that we have in the United States.
    My question is a fairly broad one, but I'd like to get your 
reaction to it. And that is, what are the risks if Congress 
adopts an overly restrictive European-type approach that 
stifles U.S. innovation?
    Mr. Liodice. If I may start, Senator Thune, that is, 
essentially, the core fear, that we lock in place what we 
currently have and not leave ourselves open to the evolution of 
technology.
    Creativity and innovation is the basis for the Internet. 
And we recognize that, as part of our self-regulatory 
principles, we have to allow enough room and flexibility to 
adopt to a changing economy and rapidly changing technologies.
    If we lock ourselves in place too rigidly, we may choke off 
the kind of innovation and creativity which is the basis for 
our dynamic U.S. economy, which, in the end, may cost jobs here 
in the United States and around the world, if, in fact, we 
don't have that flexible and open society.
    Mr. Szoka. Senator, while Senator Rockefeller might dislike 
my mentioning another law, let me mention the law of unintended 
consequences. And that is to say that what you are putting your 
finger on is that there are many competing values here for 
consumers.
    We can do things that seem to be good for privacy that, in 
fact, end up hurting privacy, that hurt other values.
    And as I explain in my written testimony, that fear is not 
only in the case of legislation such as you describe, but also 
in what Congress and the FTC have been doing to push the ``do 
not track'' mechanism to be something other than what it was 
when it started.
    In other words, as Senator Klobuchar suggested, if Congress 
sits here, and the FTC does, push it toward being an opt-in 
mechanism, you fundamentally change the nature of the Internet.
    ``Do not track'' was intended to be a solution for people 
who felt privacy sensitive, who were concerned about that, and 
wanted to make that tradeoff.
    Below a certain threshold, say 10 percent, that can be done 
for free. No one is going to bother changing mechanisms to 
negotiate with users.
    Above a certain threshold--and that's where we're heading 
now, given Microsoft's decision--you start to put in place a 
dynamic that changes what we have today. You start to create, 
instead of today's ecosystem where you browse the Internet, you 
go anywhere you want, and there are no pay walls, there are no 
pop-ups, you instead have a system of opt-in consent.
    And I think if you look at my testimony and if you look at 
the paper called ``Opt-in Dystopias,'' you see that, in fact, 
that's a very bad world for consumers. It's one in which 
there's likely to be, ironically, more data collected.
    Even though we're intending to reduce data collection, you 
could have more collected by fewer parties in a less 
transparent way, while at the same time making the entire 
ecosystem worse off.
    So, yes, I actually care very deeply about consumers. And I 
worry that we risk all of those things when either we pass 
legislation that is in the European model or we extort 
concessions from the private sector, as the FTC and others may 
be doing. They're clearly pressuring companies to do things 
that they never intended to do, and, as Mr. Liodice is saying, 
have those unintended consequences.
    Mr. Swire. Senator, last fall I testified in the House 
Energy and Commerce Committee on the European Union and U.S. 
and where jobs go. And my testimony concluded that a ``we don't 
care about privacy'' approach, that if the U.S. says we're not 
going to do it, that puts a lot of U.S. jobs and global 
leadership in this area at risk, because we get a risk being 
treated as locked out from a lot of markets around the world.
    India now has privacy rules on the book. Most of Asia does. 
All of Europe does. And if the U.S. is considered a non-player, 
we could have U.S. companies shut out of a lot of markets. So 
we have to face in an international trade setting the reality 
that if we have a pretty good, credible system here that we can 
live with, we'll also have a much better export system. And we 
have to figure that into the mix.
    Mr. Fowler. If I could just add, as a global software 
organization with consumers around the world, including Europe, 
the reality for compliance, the reality for establishing trust, 
is that we have to address the privacy compliance 
jurisdictional requirements that exist wherever we do business.
    So while we're not ready to say that we should have a 
European-style data protection regime in the U.S., we have one 
anyway, in the sense that we have to comply with that and 
respect those difference from a legal and cultural perspective 
when we're interacting with European customers. And that's true 
for all the leading Internet companies today.
    Senator Thune. I see my time has expired.
    Thanks, Mr. Chairman.
    The Chairman [presiding]. Thank you.
    Senator Ayotte?
    Senator Ayotte. I wanted to follow up briefly--thank you, 
Mr. Chairman--on this idea, Mr. Liodice, that you mentioned 
about cybersecurity concerns. And if you could describe more 
where you see those concerns arising, if we were to legislate 
on the ``do not track'' issue.
    Mr. Liodice. Sure. It starts with the fundamental fact that 
the Internet operates on collecting data. And in order to be 
able to leverage the various components of our economy, of 
cybersecurity, of the effective management of the Internet, 
there needs to be appropriate data collection.
    Now, the self-regulatory program that we're talking about 
essentially provides choice for the limitation of data with 
respect to advertising. But if we are not careful about how far 
that we extend the reach through legislation of limitations on 
data, there are law enforcement agencies that currently rely 
upon data that is collected currently over the Internet.
    If we block or limit that ability, the unintended 
consequences may be the inability to prosecute fraud or not 
have as robust cybersecurity protections as we have currently 
at this moment in time.
    So the point was that, if in fact legislation does come 
about, it needs to be done with great care to ensure that the 
data collection that currently exists for global opportunities, 
such as cybersecurity, fraud protection, et cetera, must be 
kept in place, if not become more robust.
    Senator Ayotte. As I hear it, and before I served in the 
Senate, I was a State attorney general, that you're referring 
to areas, for example, of sexual predators, identity theft. Are 
these the areas that you're--you know, when we think about--or 
are there other broader areas that you're concerned that law 
enforcement wouldn't be able to access data, because, 
obviously, in that regard----
    Mr. Liodice. Right.
    Senator Ayotte. I mean, I've worked on those cases. I've 
worked with the police on those cases. I understand the type of 
information that is used to hold individuals accountable that 
are misusing the Internet to commit crimes. And, certainly, 
that would not be a good consequence, if we were to legislate 
in that area, so law enforcement couldn't get access or that 
information wasn't somehow retained.
    Mr. Swire?
    Mr. Swire. So this issue of cybersecurity and information-
sharing has been a great big issue in the cybersecurity 
legislation that this committee and others have been working 
on.
    I had an op-ed in The Hill on this subject. And one of the 
concerns from the privacy side is that definitions are so broad 
of what counts as cybersecurity that this could be basically 
all clicks go to government. And some of the proposed language 
has even been, notwithstanding all other laws, if it's related 
to cybersecurity, it goes to the government.
    And I think that that's a very broad potential idea of what 
counts as cybersecurity. And it raises issues about government 
access to data that are really quite substantial.
    Mr. Szoka. And if I may also respond to this, I've joined 
forces with groups on the left--the ACLU, the Electronic 
Frontier Foundation--raising those very concerns about such 
cybersecurity legislation.
    And once again, my concern is that the real harm here comes 
from government itself. And the way to deal with that is not to 
cripple law enforcement's access, nor to give it every piece of 
information it wants.
    The solution, as is often the case here, is to ensure the 
rule of law, which is to say, we have the Fourth Amendment. We 
have a system for ensuring when government gets access to data, 
and we should respect that. Those are the values that, 
unfortunately, get left out of these conversations far too 
often.
    We far too often focus on companies as vehicles for 
collecting data, fearing the government will get access to it, 
while doing nothing at all to ensure that government gets 
access through constitutional procedures.
    Mr. Fowler. If I could just add, I think that before we get 
too far into this, I think it's important to clarify that in 
the context of ``do not track,'' in behavioral advertising, 
we're not talking about security. We're talking about security 
of the data related to serving impressions, right? So it's a 
different type of data. And the security exemptions that are 
being discussed by the W3C and the DAA are specific and narrow 
to that type of data.
    Senator Ayotte. One of the concerns that I worry about, 
regardless of what your view is, whether to legislate or not to 
legislate in this area, is how we get it right, in the sense 
that, with the evolving technology. And as I said in my opening 
statement, as soon as we come up with something that we think 
solves the problem with the evolving of the technology, you 
know, that's what I worry so much about. That if we do it, 
certainly, if we legislate in this area, if we decide to 
legislate in this area, how do we get it right, so that it 
doesn't impede our economy or also make it worse for consumers?
    Mr. Liodice. If I may comment on that?
    Senator Ayotte. Thank you, Mr. Chair.
    Mr. Liodice. I'm sorry.
    Senator Ayotte. I think my time is up, so I certainly don't 
want to----
    The Chairman. Go ahead.
    Senator Ayotte. I'm all set. Thank you.
    The Chairman. OK. Thank you very much.
    I just want to sort of declare the cybersecurity argument a 
total red herring. It has absolutely nothing to do with any of 
this. And the original cybersecurity bill, it was written by 
Olympia Snowe and myself and this committee. And that was 3 
years ago. It's been negotiated and on and on and on.
    The FTC, there are exceptions made that cover any 
cybersecurity matters, so that any use of that as an argument 
against ``do not track'' or whatever else is just off the wall, 
from my point of view.
    Mr. Swire, your written testimony mentions a recent study 
of the 100 most popular websites that was conducted by 
researchers at Berkeley. The study found that these websites 
are collecting an astounding amount of information about their 
customers.
    According to the researchers, 21 of the 100 top websites 
placed 100 or more cookies--this gets right to you--on users' 
computers. That means that when an individual visits one of 
those websites, 100 or more different companies start to 
collect information about that person. Therefore, if you have 
to opt out, you have to do it 100 times. Therefore, why not 
just ``do not track.''
    Mr. Swire, do you believe that most consumers know how much 
information is being collected about them when they visit 
popular websites?
    Mr. Swire. We have survey result studies that show that 
they don't know, that if you ask them what they think is 
happening and then you sit them down and tell them, they're 
quite surprised by how much more is being collected.
    The Chairman. Wouldn't it be your view, and maybe yours, 
too, Mr. Fowler, that the whole history--I mean, we do this 
with cramming and telephone companies, they all start out--I 
mean, United Healthcare has now announced grandly that they're 
going to continue many of their policies.
    Well, their policies happened to have created something 
called ``Ingenix,'' which would sort of sets the random market 
for how much healthcare costs all across the country. And they 
paid a $350 million fine in New York State court, which is like 
admitting they were guilty. It's a rather bad company. We've 
spent a lot of hearings and have spent a lot of time on them.
    In other words, they say they're going to continue, but you 
know they're not. It's great PR.
    Companies say they're going to crack down. Yes, they do for 
a period of time. But then as you indicated, at some point, it 
comes up against their own self-interest. And at that point, 
they usually crack, in my judgment.
    Mr. Swire, tell me why I'm either right or wrong on that, 
or if I'm close.
    Mr. Swire. Well, Senator, I'm in a hearing and you're 
right. But seriously, the history has been that when you and 
the government are paying attention to these issues, and the 
press pays attention to these issues, that companies upgrade 
their efforts and pay more attention to enforcement.
    And then when some different issue becomes the center of 
attention, these don't get as much attention. And if you 
don't----
    The Chairman. And so answer that in terms of--what we're 
talking about is that you don't sort of have an off and on 
switch. You do something called legislate ``do not track.''
    Mr. Swire. And that's what, for instance, has happened for 
CAN-SPAM and for the Children's Online Privacy. The Federal 
Trade Commission got the ability to write rules and everybody 
got a right to comment on them. And both of those regimes have 
been pretty steady. Those haven't been huge flashpoints. We 
have COPPA. We have CAN-SPAM. They do what they do, and it's 
been working reasonably well.
    The Chairman. Reasonably well. On the other hand, Facebook, 
which is, as I understand, a fairly profitable company, has a 
rule in which they say that no kid under the age of 13 can be 
allowed to expose themselves and, you know, all the bullying, 
sometimes leading to suicides, all kinds of things have 
happened. On the other hand, they don't stop it.
    Mr. Swire. Well, then so that's a reason to revisit things. 
That was a 1998 statute, and so then, periodically, you come 
back to these things, as you do in lots and lots of other 
issues.
    But if you don't come back ever, then what we've seen is 
that the level of effort from industry really has fallen down 
in the periods when attention was elsewhere.
    The Chairman. Yes, sir?
    Mr. Fowler. So if I might add, I think from our perspective 
and as we look more into consumer values as it relates to 
personalization, interest-based ads, and so forth, I don't 
think we're at the point yet where we have the same kind of 
consumer or public backlash that we've had with CAN-SPAM and Do 
Not Call. I think there's still an opportunity here.
    And some research backs this up, that we have a polarized 
set of consumers on both ends that are very surprised and 
uncomfortable by tracking online, and others who are very 
excited about engaging in personalized content and services. 
And we have a much larger, in fact, the bulk of the consumer 
market, that's somewhere in the middle, and, ultimately, will 
decide based on the value they receive and how transparent 
those mechanisms are.
    So I think we're at a point where the discussions that 
we're having with the W3C, we have an opportunity to address 
this through technology and changes in industry practices that 
create more transparency.
    The Chairman. And then how would you handle the small-print 
problem?
    Mr. Fowler. Maybe if you could say a little bit more, so I 
understand exactly the nature of the question?
    The Chairman. You know, people don't read it.
    Mr. Fowler. Oh, small print. OK.
    The Chairman. They don't have the time to read it. And if 
they read it, they can't understand it.
    Mr. Fowler. Right. In my written----
    The Chairman. If they can see it.
    Mr. Fowler. Yes. In my written testimony, I talk about some 
of the failures related to the notice and choice model. Again, 
I feel that there is a lot of innovation that's yet to happen.
    From a Mozilla perspective, we're doing a lot of investment 
in mobile and application notices, looking at in-context 
notices, as opposed to small print that the consumer has to 
find and try to understand.
    The first time they start to interact with a new feature or 
they see a particular kind of behavior or conduct happening at 
a site is, from our perspective, an opportunity to reinforce 
what choices they have, how to configure the tools that are 
available to them, and what to ask for from the sites.
    So I think that we still have more room for innovation. And 
I think there's still opportunity to educate consumers. And 
hopefully, mobile and applications will give us a platform to 
really see some of that happen.
    The Chairman. This committee really works very hard on 
consumer protection. I mean, I'm very open about that. It used 
to be a little bit different. Now it's very clear in its 
direction.
    So naturally, that colors the way we approach things. We 
really bear in on consumers. What are they capable of doing? 
What are they capable of understanding? What's beyond their 
reach? What's not fair? Et cetera, et cetera.
    And my sort of favorite example, which we're actually 
working on quite hard, is moving companies. You decide to move, 
and you don't particularly look--you just sign a piece paper 
that says that you accept their contract. But it's kind of a 
low bid. And because you're not wealthy, you take that low bid 
because, after all, furniture on a truck trucked to the next 
destination is not very hard. But what happens so often is that 
the trucks just stop halfway through and say, if you want your 
furniture, you've got to pay us another $2,000.
    That's, Mr. Szoka, what I mean when I say that our concern 
is about consumers.
    You have to sometimes go a far piece to make sure that they 
get the help that they flat out deserve--their lives are far 
too miserable and difficult these days to possibly figure out 
for themselves how to protect themselves.
    So it does become the role of government. It's like 
children that are in extreme hunger. There are millions of them 
across this country. Should the government stay away from that 
until the free market can sort it out? Or should the government 
actually say, no, this is something that is not good, this 
affects the way our future brains will develop and all the rest 
of that, and we do something about it.
    And we have a little bit of that bent in this committee, at 
least, on this side, a little less on the other side, but 
surprisingly on the other side, happily on the other side, 
also.
    So let me just thank you all for taking the time to come.
    Mr. Szoka, I was very rude to you, and I'll write you a 
letter of apology, if you wish. I really will.
    Mr. Szoka. Could I just say one final thing, Senator?
    The Chairman. No.
    [Laughter.]
    The Chairman. And I'll write a letter of apology for that, 
too.
    [Laughter.]
    The Chairman. But thank you for taking the time, very, very 
much. We're all sort of focused on what the Supreme Court has 
just done, which you're all aware of, right?
    So this hearing is adjourned. Thank you.
    [Whereupon, at 11:10 a.m., the hearing was adjourned.]
                            A P P E N D I X

      Statement of Computer & Communications Industry Association
    Self-regulation is a vital part of consumer privacy protection, and 
the World Wide Web Consortium's current work on a Do Not Track 
standard, along with the Digital Advertising Alliance's agreement to 
honor a DNT header, are good examples of the power of this method. The 
Computer and Communications Industry is a 40 year-old international 
non-profit trade association dedicated to open markets, open systems, 
and open networks. CCIA members participate in many sectors of the 
computer, information technology, and telecommunications industries and 
range in size from small entrepreneurial firms to some of the largest 
in the industry. CCIA members employ nearly half a million workers and 
generate approximately a quarter of a trillion dollars in annual 
revenue.\1\ Our members produce web browsers, operate search engines 
and e-commerce websites, are Internet advertisers, and offer free web 
services of many kinds.
---------------------------------------------------------------------------
    \1\ For a full CCIA member list, please see http://www.ccianet.org/
index.asp?bid=11.
---------------------------------------------------------------------------
    Consumer choice regarding the use of personal data is of the utmost 
importance. Users should have the ability to opt-out of systems that 
impact their privacy if they're uncomfortable. This is important not 
just for reasons of pure privacy protection, but also because trust is 
so essential to the online marketplace. Users who don't trust an online 
service have many other competitors to choose from and can always take 
their business to another, more privacy protecting, website.
    Do Not Track options are an important part of consumer choice. 
These options allow users to indicate their preferences with regard to 
online tracking through a simple browser mechanism that is easy to set, 
universal, and permanent. A broad coalition of advertisers, brought 
together by government acting as a convener has agreed to honor the Do 
Not Track header. The World Wide Web Consortium (W3C), a multi-
stakeholder body responsible for Web-wide technical protocols, is in 
the process of developing the specifications that will underpin the DNT 
header. This past week the W3C conducted a number of days of meetings 
surrounding the DNT header, and made progress on some of the remaining 
issues. A few outstanding questions remain to be answered before the 
specification is finalized.
    As such, the W3C process is an example of a successful self-
regulatory program. There are many different voices in the room there, 
each with strong opinions, but progress is being made and while the 
outcome is not yet certain, there is some confidence that an eventual 
agreement may be reached. There may be parties on all sides who are not 
entirely happy with the final result, but on the whole it will be a 
product of compromise and be a great step forward for privacy on the 
Internet.
    In a parallel self-regulatory effort, a group of advertisers has 
come together called the Digital Advertising Alliance (DAA). The DAA 
has worked with government conveners to reach an agreement, backed by 
Section 5 of the FTC Act, to respect the DNT header. Self-regulation is 
alive and well in the tracking space, with companies, government, and 
civil society all collaborating to develop workable frameworks that 
protect users.
    CCIA has two areas in which we wish to highlight concerns about the 
Do Not Track conversation. While the ongoing W3C process is a positive 
one, there are still a few areas where uncertainty remains, and where a 
wrong decision could have unintended consequences. By mentioning these 
areas, we hope to help avoid those consequences.
    First is the question of exceptions to Do Not Track. The setting of 
a Do Not Track header, while it is an important consumer protection 
tool, cannot be a universal sign that a user will never have some 
traces kept surrounding their use of websites. There are important 
business reasons to monitor customer use of websites that should not be 
preempted by a Do Not Track header. For example, a lot of users' 
actions on websites are stored in order to combat fraud or cheating. 
Financial websites as well as essentially any online merchant must keep 
track of a certain amount of information about visitors in order to 
protect the entirety of their users.
    For another example, the vast majority of websites anonymously 
track how users move around their own website in order to study their 
layout and usage statistics. We all reap the benefits of this tracking 
in the form of better website design and navigation, and website 
operators can improve their businesses by making sure visitors are 
finding the pages they need easily and quickly. This can be analogized 
to a retail store studying how anonymous visitors move through the 
store in order to decide if any changes need to be made to the layout 
of the products.
    The second important aspect of Do Not Track is in user education. 
Do Not Track's focus is on the privacy implications of what can be 
collected on the Web while a user browses. That information is of 
course important to a user and should be a subject of education without 
a doubt. The problem here stems from what is not being adequately 
explained to users, and that is the value that comes from anonymized 
data. Advertising targeted toward what a person likes and enjoys pays 
for a huge amount of content and services on the World Wide Web that 
are offered for free to users. Without that source of revenue, 
innovation in online services would be much harder to come by as the 
price of starting up a new service and gaining customers willing to pay 
would be drastically higher.
    Data isn't just important for advertising purposes. Collecting 
large amounts of anonymized data can open up worlds of research that 
users are not aware of. A famous example is Google's Flu Trends, in 
computers analyze live queries coming from distinct geographical areas, 
highlighting people who are searching the Internet for flu symptoms. In 
this manner, Google can often predict flu outbreaks before even the 
Centers for Disease Control. Amazon and Netflix each do similar 
analysis when they help each of us find new books, movies, and music we 
might like, based on what thousands of other people have also enjoyed. 
This sort of data collection and analysis poses no real privacy threat, 
yet provides an invaluable public service.
    Users today, however, are not presented with this side of data 
collection and are making decisions about privacy protection without 
understand this inherent tradeoff. If a user is fully educated and then 
makes a decision to remove herself from data ecosystem, that is a 
choice that should be respected, but the education must come first so 
that decision is informed.

                                  
